Cisco Switching Black Book - Sean Odom, Hanson Nottingham.pdf

After you enable port security on any switch port, any static or dynamic CAM entries associated with the port are cleared, and any currently configured permanent CAM entries are treated as secure MAC addresses.

Not all Cisco switches support port security. Check Cisco Connection Online (CCO) at http://www.cisco.com/ to see if your hardware and IOS version support port security.

The default settings of a switch allow all MAC addresses to access all ports on the switch. As soon as you enable port security, only the MAC addresses explicitly identified as secure will be able to send data into the switch ports. You can configure ports with a static MAC address assignment or a dynamic MAC address assignment.

Static MAC Assignment vs. Dynamic MAC Assignment

Dynamic MAC address assignment requires almost nothing from the administrator. Once port security is enabled, the first MAC address seen as a frame source on the port becomes the port's secure MAC address. If another machine then sends a frame over the physical wire to the switch port with a different source MAC address, the port automatically goes into a locked-down, disabled mode.

Static MAC address assignment requires the network administrator to manually assign a MAC address to each port. This is the most secure way of creating the secure source address list, but it takes a lot of time and effort to manage. For smaller networks, this might be a good solution; in bigger networks, it is not easily implemented.
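The port-security behaviour described in this section and the one before it (CAM entries cleared when the feature is enabled, permanent entries promoted to secure addresses, the first source MAC learned in dynamic mode, any other source MAC locking the port down) is small enough to model. The following is an added simulation written for this page, not Cisco code and not how IOS implements the feature; the `SwitchPort` class, its entry-type names and the sample MAC addresses are all constructed for the example.

```python
"""Toy model of switch port security (constructed example, not Cisco code).

A port carries a CAM table of entries tagged "dynamic", "static" or "permanent".
Enabling port security clears static/dynamic entries and turns permanent ones
into secure MAC addresses; in dynamic mode the first source MAC seen becomes
the secure address; any other source MAC puts the port into disabled mode.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SwitchPort:
    name: str
    cam: Dict[str, str] = field(default_factory=dict)   # mac -> entry type
    secure_macs: Set[str] = field(default_factory=set)
    port_security: bool = False
    mode: str = "dynamic"                                # "dynamic" or "static"
    disabled: bool = False
    violations: List[str] = field(default_factory=list)  # offending source MACs

    def enable_port_security(self, mode: str = "dynamic") -> None:
        """Static and dynamic CAM entries are cleared; permanent entries become
        the port's secure MAC addresses."""
        self.port_security = True
        self.mode = mode
        self.secure_macs = {mac for mac, kind in self.cam.items() if kind == "permanent"}
        self.cam = {mac: "secure" for mac in self.secure_macs}

    def assign_secure_mac(self, mac: str) -> None:
        """Static assignment: the administrator binds a MAC address to the port."""
        self.secure_macs.add(mac)
        self.cam[mac] = "secure"

    def receive_frame(self, src_mac: str) -> str:
        """Handle one inbound frame; returns what happened to it."""
        if self.disabled:
            return "dropped"                 # port is locked down
        if not self.port_security:
            self.cam.setdefault(src_mac, "dynamic")  # ordinary address learning
            return "forwarded"
        if src_mac in self.secure_macs:
            return "forwarded"
        if self.mode == "dynamic" and not self.secure_macs:
            self.assign_secure_mac(src_mac)  # first MAC seen becomes the secure address
            return "learned"
        self.disabled = True                 # any other source MAC: violation
        self.violations.append(src_mac)
        return "violation"


if __name__ == "__main__":
    # Constructed sample: a dynamic entry and a permanent entry exist before
    # port security is switched on.
    port = SwitchPort("FastEthernet0/1",
                      cam={"00:00:0c:aa:aa:aa": "dynamic", "00:00:0c:bb:bb:bb": "permanent"})
    port.enable_port_security()
    print(port.secure_macs)                               # only the permanent entry survives
    print(port.receive_frame("00:00:0c:bb:bb:bb"))        # forwarded
    print(port.receive_frame("00:00:0c:cc:cc:cc"))        # violation, port disabled
    print(port.disabled, port.violations)
```

The `violations` list is the piece a defender cares about: in a real deployment the equivalent signal is the port going err-disabled, which is what a monitoring system should alert on rather than silently re-enabling the port.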

VLAN Management

When you first provide the switch with an IOS, all the ports on the switch are assigned to VLAN1. In a typical environment, VLAN1 is also kept as the management VLAN. As a result, if the ports were not configured or were reset to their defaults, then anyone entering the network on VLAN1 would be in the management VLAN. Cisco recommends that the management VLAN be moved to a VLAN other than the default VLAN1 to prevent this type of problem.

Creating a Standard Access List

Here is the command used when creating an IP standard access list:

access-list access-list-number {permit|deny} source {source-mask}

As an example of creating an access list, let’s say you want to allow an advertising company to FTP marketing material to your sales office. However, you do not want the whole world to have access to your FTP server.

To create the access list, perform the following steps:

1. Because the access list will be read in order, you first need to permit the addresses that can access the FTP server. FTP uses ports 20 and 21, so it should be configured like this:

HSNRSM(config)# access-list 100 permit tcp 192.5.5.0 0.0.0.255 any eq 20
HSNRSM(config)# access-list 100 permit tcp 192.5.5.0 0.0.0.255 any eq 21

2. The following commands will deny all the other traffic on ports 20 and 21:

HSNRSM(config)# access-list 100 deny tcp any any eq 20
HSNRSM(config)# access-list 100 deny tcp any any eq 21

3. Because the access list has an implied "deny all" at the end, you need to apply a rule that lets any other traffic pass through. The ip keyword indicates that all IP protocols are being identified:

HSNRSM(config)# access-list 100 permit ip any any

You do not want to apply the access list to an outbound interface, because then the FTP packets would span the switch fabric and use up bandwidth and processing power. You want to apply the access list immediately to the inbound interface to the company’s Distribution layer switch.

To apply the access lists to an interface, follow these steps:

1. Access the interface to be configured. In this case, from Global Configuration mode, use the following command:

interface fastethernet0/0

2. Apply the access list to the interface to filter inbound packets using the following command:

ip access-group 100 in

Unless the packets for FTP are coming from the advertising company, no one else will be able to access your FTP server.

Related solutions:                                   Found on page:
Opening a Session on an Internal Route Processor     381
Entering Configuration Mode on an RSM                381

Creating an Extended Access List

Creating an extended access list is very similar to creating a standard access list, but the options are more complex and can become quite lengthy. We suggest writing out your extended access list beforehand and then implementing it. Here’s the syntax an Extended Access List can require for configuration:

access-list access-list-number {deny|permit} {protocol type} source-address source-wildcard destination-address destination-wildcard [protocol specific options|operator] [log]

Let’s step through creating an extended access list that can be applied to an interface and deny any host on network 172.16.10.0 from going to any host on network 172.15.10.0. It will also deny ports 80, 23, 21, and 20. This will effectively disallow any access to World Wide Web services, Telnet, and FTP. Let’s look at all the options:

1. For an extended access list we must identify an access list number between 100 and 199:

CoriolisRSM1(config)#access-list 199 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward

2. We must then choose who to deny. We are using TCP instead of IP so we can identify just the ports we want to deny. The first IP address identifies the network. The 0.0.0 part of the wildcard identifies that the first three octets must be the same, and the .255 identifies all the hosts in the last octet:

CoriolisRSM1(config)#access-list 199 deny tcp 172.16.10.0 0.0.0.255 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

3. Now do the same for the destination address identifying the destination of 172.15.10.0:

CoriolisRSM1(config)# access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  tos          Match packets with given TOS value
  urg          Match on the URG bit

4. Now enter "eq" for equal to, and then identify the port numbers. Use a separate statement for each port number:

CoriolisRSM1(config)# access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 80
CoriolisRSM1(config)# access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 23
CoriolisRSM1(config)# access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 21
CoriolisRSM1(config)# access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 20

5. Now we have to identify addresses to permit, or we will have effectively shut down the interface. Remember, there is an implicit "deny all" at the end of any access list:

CoriolisRSM1(config)#access-list 199 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

6. We have to use the ip keyword, which means all IP protocols. If we used the tcp keyword instead, we would only permit TCP ports:

CoriolisRSM1(config)#access-list 199 permit ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

7. Since we want to identify everything else that can pass through the interface, we need to use the any keyword for the source address. You can identify a single host instead by using the host keyword followed by the IP address:

CoriolisRSM1(config)#access-list 199 permit ip any ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host

8. Just as in Step 7, we need to identify the destination addresses to permit:

CoriolisRSM1(config)#access-list 199 permit ip any any
CoriolisRSM1(config)#

You’re not quite done yet. Even though you just created an access list, it still has to be applied to an interface before it will function.
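Both lists built in this chapter (access list 100 in the standard-list section and access list 199 in the extended-list section) depend on two rules the text states in passing: entries are evaluated top-down and the first match wins, and an implicit "deny all" sits at the end. The following is an added example written for this page, not Cisco code and not how IOS implements access lists: a toy evaluator that parses the subset of access-list syntax used above (ip/tcp/udp, `any`, `host A.B.C.D`, `A.B.C.D WILDCARD`, and a trailing `eq PORT`) and runs sample packets through both lists. The packet addresses are constructed. Note that the number 100 falls in the extended range (100 to 199, as the extended-list section states), which is why the tcp and eq keywords are accepted in the "standard" example.

```python
"""Toy evaluator for numbered IOS-style access lists (constructed example;
not Cisco code). Parses the syntax subset used in this chapter and evaluates
packets top-down with an implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Match = Tuple[int, int]  # (network as int, wildcard mask as int)


def ipv4_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_match(tokens: List[str], i: int) -> Tuple[Match, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1               # every bit ignored: matches anything
    if tokens[i] == "host":
        return (ipv4_int(tokens[i + 1]), 0), i + 2  # no bits ignored: exact host
    return (ipv4_int(tokens[i]), ipv4_int(tokens[i + 1])), i + 2


def wildcard_match(addr: str, match: Match) -> bool:
    """Wildcard mask semantics: 0 bits must match the network, 1 bits are ignored."""
    net, wild = match
    care = ~wild & 0xFFFFFFFF
    return (ipv4_int(addr) & care) == (net & care)


@dataclass
class Ace:
    number: int
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    src: Match
    dst: Match
    dst_port: Optional[int]  # from a trailing 'eq PORT', if present
    text: str


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' line."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    number, action, proto = int(tokens[1]), tokens[2], tokens[3]
    if proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported protocol keyword: {proto}")
    src, i = parse_match(tokens, 4)
    dst, i = parse_match(tokens, i)
    port = None
    if i < len(tokens):
        if tokens[i] != "eq" or proto == "ip":      # only 'eq' is modelled here
            raise ValueError(f"unsupported operator in: {line}")
        port = int(tokens[i + 1])
    return Ace(number, action, proto, src, dst, port, line)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the matching entry),
    or ("deny", None) when the implicit 'deny all' at the end was reached."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, idx
    return "deny", None


# The two lists from this chapter, re-typed as constructed sample input.
ACL_100 = [parse_ace(line) for line in [
    "access-list 100 permit tcp 192.5.5.0 0.0.0.255 any eq 20",
    "access-list 100 permit tcp 192.5.5.0 0.0.0.255 any eq 21",
    "access-list 100 deny tcp any any eq 20",
    "access-list 100 deny tcp any any eq 21",
    "access-list 100 permit ip any any",
]]
ACL_199 = [parse_ace(line) for line in [
    "access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 80",
    "access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 23",
    "access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 21",
    "access-list 199 deny tcp 172.16.10.0 0.0.0.255 172.15.10.0 0.0.0.255 eq 20",
    "access-list 199 permit ip any any",
]]

if __name__ == "__main__":
    # Constructed packets: (protocol, source, destination, destination port)
    for pkt in [("tcp", "192.5.5.7", "10.0.0.5", 21),    # advertising company -> FTP: permit
                ("tcp", "172.31.0.9", "10.0.0.5", 21),   # anyone else -> FTP: deny
                ("tcp", "172.31.0.9", "10.0.0.5", 443)]: # anything else: permit
        print(pkt, evaluate(ACL_100, *pkt))
    # Without the final 'permit ip any any', everything else falls through to the implicit deny.
    print(evaluate(ACL_199[:4], "tcp", "172.16.10.5", "172.15.10.9", 443))
```

Two things the evaluator makes visible that the CLI does not: which entry actually matched (useful when reviewing why a list behaves unexpectedly), and what happens when the final permit is omitted or the order is changed, which is the most common way an access list ends up either blocking production traffic or blocking nothing at all.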

Applying Access Lists Using access-class

Let’s create an access list that allows Telnet access to the switch from the IP address 192.151.52.19 (this is the IP address of the only PC that will be used to Telnet into your switch). To do this, use the following command:

CAT5KRSM(config)# access-list 5 permit 192.151.52.19

Next, you need to enter Line Configuration mode for all five VTY lines with the following command:

CAT5KRSM(config)# line vty 0 4
CAT5KRSM(config-line)#

Finally, use the access-class command to apply the access list to the inbound direction of the VTY lines with the following command:

CAT5KRSM(config-line)# access-class 5 in

Applying Access Lists Using distribute-list

To apply an access list using the distribute-list command, you need to have created a standard access list. Once your access list is configured, you can apply it to an inbound or outbound interface. Here is the syntax when using the distribute-list command to apply an access list to an outbound interface:

distribute-list {access-list number|name} out [interface name|routing process|autonomous system number]

Let's say you have an access list that will allow network traffic from network 192.1.1.0 but denies traffic from network 192.2.1.0. Do not forget that an implied "deny all" is attached to the access list:

access-list 1 permit 192.1.1.0 0.0.0.255

To use the distribute-list command you must also specify a routing protocol to apply it to. In this case we will use OSPF:

router ospf 1

To apply the access list using the distribute-list command, you must attach the access list to the outbound interface you wish to filter. Let's say for this example it is Fast Ethernet port 0/0. Here is what your command might look like:

distribute-list 1 out fastethernet0/0
