Summary


In this chapter, you have learned how to secure your switch infrastructure. Securing your switch infrastructure comprises the following key components:

  • Securing management access to the switch

  • Securing network access

  • Implementing traffic filtering

The first step is to secure management access to the switch. Because the switch has substantial control over the network and how traffic is directed, management access must be locked down as tightly as possible: an attacker who can log in to the switch can redirect, mirror, or drop traffic at will. Securing management access consists of the following:

  • Configuring banners, lockout parameters, and session timeouts

  • Configuring user-level authentication and privilege levels

  • Using secure protocols such as SSH and SNMPv3 (instead of Telnet and SNMPv1/v2c, which send credentials in cleartext) to protect against eavesdropping
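The following configuration, added here as an example and not taken from the book, puts the three management-access items above into Cisco IOS syntax (Catalyst IOS, not CatOS). Hostname, domain, addresses, user names and the placeholder secrets in angle brackets are assumptions; the `login block-for` lockout commands require an IOS release that supports login enhancements, so check your platform before relying on them.

```cisco
! Hostname and domain are required before generating the SSH host key (assumed values)
hostname SW-ACCESS-01
ip domain-name example.net
!
! Banner: legal notice only; do not leak model, owner or location details
banner login ^C
Unauthorized access is prohibited. All activity on this device is monitored and logged.
^C
!
! Local accounts with hashed secrets; level 15 = full admin, level 5 = restricted operator
service password-encryption
enable secret <strong-enable-secret>
username netadmin privilege 15 secret <strong-admin-password>
username helpdesk privilege 5 secret <strong-helpdesk-password>
! Expose only selected commands to privilege level 5
privilege exec level 5 show running-config
!
! Lockout: 3 failed logins within 60 s block the login path for 120 s; failures go to syslog
login block-for 120 attempts 3 within 60
login on-failure log
!
! SSH version 2 only, 2048-bit host key, 60 s to authenticate, 3 tries per session
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Console and VTY: local login, 5-minute idle timeout, SSH only (no Telnet),
! VTY access restricted to the management subnet (assumed 10.1.100.0/24)
line console 0
 login local
 exec-timeout 5 0
line vty 0 15
 login local
 exec-timeout 5 0
 transport input ssh
 access-class 10 in
access-list 10 permit 10.1.100.0 0.0.0.255
access-list 10 deny any log
!
! SNMPv3 authPriv (SHA authentication, AES-128 privacy); no v1/v2c communities are defined
snmp-server group NMS-RO v3 priv
snmp-server user nmsuser NMS-RO v3 auth sha <auth-password> priv aes 128 <priv-password>
snmp-server host 10.1.100.20 version 3 priv nmsuser
```

After applying it, confirm that `show ip ssh` reports version 2.0, that `show running-config | include community` returns nothing, and that a Telnet connection to the VTY lines is refused; the `transport input ssh` line is the one that actually closes the cleartext path.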

Once management access is secured, you can place the switch on your network and implement security features for connecting devices. Port security and 802.1x allow the switch to control access to each port based upon parameters such as the host's MAC address or a user's login name and password. The following methods are available for controlling port access:

  • Standard port security: All port security is configured locally on the switch and is based upon a list of secure MAC addresses for the interface. A frame from any other source MAC address is a violation.

  • 802.1x security: Port access is controlled via the IEEE 802.1x standard, which allows switch access to be controlled on a per-user basis, independently of the hardware (MAC address). The switch relays the supplicant's EAP exchange to a RADIUS server, which provides centralized authentication and authorization.
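As an added example (not the book's own configuration), the two methods side by side in Cisco IOS: a standard port-security port that learns one sticky MAC address, and an 802.1x-controlled port backed by RADIUS. Interface names, VLAN numbers, the RADIUS server address and the shared secret are assumptions; `dot1x port-control auto` is the original per-port syntax, and newer IOS releases accept `authentication port-control auto` instead.

```cisco
! --- Standard port security: exactly one MAC, learned and saved ("sticky") ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! restrict: drop offending frames and raise a violation counter/trap,
 ! but keep the port up (shutdown is the default and err-disables the port)
 switchport port-security violation restrict
 switchport port-security aging time 10
!
! --- 802.1x: AAA against RADIUS (assumed server 10.1.100.30), then per-port control ---
aaa new-model
radius-server host 10.1.100.30 auth-port 1812 acct-port 1813 key <radius-shared-secret>
aaa authentication dot1x default group radius
! Enable 802.1x globally; without this, per-port settings have no effect
dot1x system-auth-control
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 ! auto: port stays unauthorized (EAPOL only) until the supplicant authenticates
 dot1x port-control auto
 ! Re-authenticate the user every hour so revoked accounts lose access
 dot1x reauthentication
 dot1x timeout reauth-period 3600
```

Verify with `show port-security interface FastEthernet0/1` (secure addresses, violation count, last source) and `show dot1x interface FastEthernet0/2` (port status should be AUTHORIZED after a successful EAP exchange). Note that an 802.1x port with no supplicant on the host passes only EAPOL frames, so legacy devices such as printers need either port security on a separate port or an exception mechanism, not simply a disabled `dot1x` line.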

Finally, Cisco Catalyst switches include traffic filtering features that allow you to filter traffic based upon Layer 2, 3, and 4 criteria. From a protocol perspective, you can specify that a port forwards only IP, IPX, or AppleTalk/DEC traffic, eliminating protocols where they are not required. For a more finely grained approach, Catalyst 6000/6500 switches provide VLAN access control lists (VACLs), which filter IP, IPX, or Ethernet (MAC) traffic for an entire VLAN, in hardware at wire speed (a PFC, PFC2, or PFC3 is required).
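The following VACL, added as an example that is not from the book, shows the IOS form of the feature: a pair of extended ACLs classify the traffic, a VLAN access map pairs each match with an action, and `vlan filter` binds the map to the VLANs. The VLAN numbers, subnets and ports are assumptions. The point a practitioner most often gets wrong is the final clause: a VLAN access map drops any packet that matches no sequence, so the explicit `forward` entry at the end is what keeps the rest of the VLAN's traffic flowing.

```cisco
! Classifier: Telnet and SMB from the user subnet (assumed 10.10.0.0/16)
! toward the server subnet (assumed 10.1.200.0/24). "permit" here means
! "match"; the action is decided in the access map, not in the ACL.
ip access-list extended USERS-TO-SERVERS-BLOCKED
 permit tcp 10.10.0.0 0.0.255.255 10.1.200.0 0.0.0.255 eq 23
 permit tcp 10.10.0.0 0.0.255.255 10.1.200.0 0.0.0.255 eq 445
!
ip access-list extended ANY-IP
 permit ip any any
!
! Sequence 10 drops the blocked flows; sequence 20 forwards everything else.
! Without sequence 20 the implicit deny at the end of the map drops all IP
! traffic on the filtered VLANs.
vlan access-map USER-VLAN-POLICY 10
 match ip address USERS-TO-SERVERS-BLOCKED
 action drop
vlan access-map USER-VLAN-POLICY 20
 match ip address ANY-IP
 action forward
!
! Bind the map to the user VLANs; unlike a router ACL it also catches
! traffic that stays inside the VLAN and never touches a routed interface
vlan filter USER-VLAN-POLICY vlan-list 10,20
```

Check the result with `show vlan access-map` and `show vlan filter`, and test from a host in VLAN 10 that a Telnet attempt to the server subnet fails while ping and other traffic still succeed; if everything on the VLAN stops, the forward clause is missing or its ACL does not match.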




Source: Justin Menga, CCNP Practical Studies: Switching (CCNP Self-Study), Cisco Press, 2002. ISBN 1587200600.
