[Security] Cisco Switch — Disable a network port if a switch is used

We want to stop users from plugging a third-party switch into a wall jack so that several machines can share one port. This is particularly useful in conference rooms, where there are already enough ports for the computers that belong there.

Switch: Catalyst 3560

Connect to switch and configure desired interface:

CISCO_3560_48P>en
CISCO_3560_48P#config t
CISCO_3560_48P(config)#interface Gi0/3

The following enables port security on the interface and limits it to a single learned MAC address. With the violation mode set to restrict, frames from any additional MAC address (such as the machines behind a third-party switch) are dropped and counted as violations while the port itself stays up; the default violation mode is shutdown, which would err-disable the port instead. Port security counts MAC addresses rather than IP leases, so the extra machines are blocked at layer 2 regardless of how they obtain addresses. The two-minute inactivity aging lets a different machine use the jack once the first one has gone quiet (aging applies to dynamically learned addresses only). PortFast with BPDU Guard covers the other case: a managed switch that sends BPDUs err-disables the port as soon as it is connected, and the port then stays down until it is bounced or errdisable recovery is enabled. An unmanaged desktop switch sends no BPDUs, which is why the port-security limit is still needed.

CISCO_3560_48P(config-if)# switchport mode access
CISCO_3560_48P(config-if)# switchport port-security
CISCO_3560_48P(config-if)# switchport port-security maximum 1
CISCO_3560_48P(config-if)# switchport port-security violation restrict
CISCO_3560_48P(config-if)# switchport port-security aging time 2
CISCO_3560_48P(config-if)# switchport port-security aging type inactivity
CISCO_3560_48P(config-if)# spanning-tree portfast
CISCO_3560_48P(config-if)# spanning-tree bpduguard enable
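As an added example (not from the original post), here is a Python script that audits a saved running-config for the baseline above: every access port must have port security enabled with maximum 1 and violation restrict, plus PortFast and BPDU Guard. The sample configuration embedded in it is constructed for illustration, not taken from a real switch. It assumes that IOS omits commands at their default values from the running-config, so a missing maximum means 1 and a missing violation mode means shutdown.

```python
"""Audit a Catalyst running-config for the port-security baseline.

Added example; the interface names and sample config below are constructed,
not taken from a real switch.
"""
import re
from typing import Dict, List

# Constructed sample of 'show running-config' output (not real data).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 spanning-tree portfast
!
interface GigabitEthernet0/4
 switchport mode access
 shutdown
!
interface Vlan1
 ip address 10.0.0.5 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} from running-config text.

    A block starts at an 'interface X' line and ends at the first line that
    is not indented (normally the '!' separator).
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = re.match(r"^interface (\S+)$", line)
        if header:
            current = header.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_access_port(lines: List[str]) -> List[str]:
    """Return a list of deviations from the baseline; empty means compliant."""
    findings: List[str] = []
    if "switchport port-security" not in lines:
        findings.append("port-security not enabled")

    # Assumption: IOS does not display default values, so absence of these
    # commands means the defaults (maximum 1, violation shutdown) are in effect.
    maximum = 1
    violation = "shutdown"
    for cmd in lines:
        m = re.match(r"switchport port-security maximum (\d+)$", cmd)
        if m:
            maximum = int(m.group(1))
        m = re.match(r"switchport port-security violation (\S+)$", cmd)
        if m:
            violation = m.group(1)

    if maximum != 1:
        findings.append(f"maximum {maximum} MAC addresses allowed, expected 1")
    if violation != "restrict":
        findings.append(f"violation mode is {violation}, expected restrict")
    if "spanning-tree portfast" not in lines:
        findings.append("portfast missing")
    if "spanning-tree bpduguard enable" not in lines:
        findings.append("bpduguard missing")
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    """Audit every access port in the config; trunks, routed ports and SVIs are skipped."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        report[name] = audit_access_port(lines)
    return report


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{port}: {status}")
```

Point the script at the output of show running-config copied from each switch; any access port that prints something other than OK is one the macro was not applied to, or one that someone has since changed.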

For details on turning the above into an interface macro, so that many switch ports can be configured the same way in one step, see:

http://www.cisco.org.lv/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/command/reference/cli1.html
