
© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0-1-i

You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

Port security allows you to specify the MAC addresses permitted on each port, or to permit only a limited number of MAC addresses. When a secure port receives a packet, the source MAC address of the packet is compared with the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If the MAC address of a device attached to the port is not in the list of secure addresses, the port either shuts down permanently (the default mode) or drops incoming packets from the insecure host. Which of these happens depends on how you configure the port to respond to a security violation.

Cisco recommends that you configure the port security feature to shut the port down rather than to drop packets from insecure hosts with the restrict option. Under the load of an attack, the restrict option may fail, and the port will be disabled anyway.
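The following IOS configuration applies the behaviour described above; it is an added example, not taken from the course material, and the interface names, VLAN, MAC address and address count are constructed values.

```cisco
! Constructed example (not from the SNRS course): access port with
! port security in the recommended shutdown violation mode.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Allow two secure addresses, e.g. a desk phone and the PC behind it.
 switchport port-security maximum 2
 ! One statically defined secure MAC address (constructed value).
 switchport port-security mac-address 0011.2233.4455
 ! Learn the second address dynamically and keep it in the running config.
 switchport port-security mac-address sticky
 ! Default mode, stated explicitly: on a violation the port is
 ! placed in the err-disabled state and stops forwarding entirely.
 switchport port-security violation shutdown
!
! Optional: let an err-disabled port recover on its own after 300 seconds,
! so a single violation does not need a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! The weaker setting the text advises against: the port stays up and
! drops frames from unknown source MACs (restrict also logs and counts them).
! interface FastEthernet0/2
!  switchport port-security violation restrict
```

Check the result with `show port-security interface FastEthernet0/1`, which reports the violation mode, the number of secure addresses currently held and the violation count.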

Securing Networks with Cisco Routers and Switches (SNRS) v2.0

1-14
