Category Archives: CCIE Security

Port Security Basics



Catalyst switch port security is recommended so often for a few important reasons:

  • There are many attacks that are simple to carry out at Layer 2.
  • There tends to be a gross lack of security at Layer 2.
  • Port Security can guard against many different types of attacks. Just a few to mention are MAC flooding, MAC spoofing, and rogue DHCP servers and APs.

There are often two main points that are confusing for engineers about this feature, however.

1. What is Sticky Learning and how does it work?

2. What is the difference between the different violation modes and how can I remember them?

Port Security Sticky Learning:

Sticky learning is a convenient way to set static MAC address mappings for MAC addresses that you allow on your network. What you do is confirm that the correct devices are connected to the appropriate switch ports. You then turn on sticky learning and the port security feature itself, for example:

switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security

Now what happens is the 2 MAC addresses for the two devices you trust (perhaps an IP Phone and a PC) are dynamically learned by the switch. The switch automatically writes static port security entries in the running configuration for those two devices. All you have to do is save the running configuration, and poof, you are now configured with the powerful static MAC port security feature.

Please note that it is easy to forget to actually turn on port security after setting the parameters. This is what the third line is doing in the configuration above. Always use your show port-security commands to confirm you remembered this important step of the process!
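A small audit over a running-config that catches exactly that mistake (sticky configured, feature never enabled, or nothing learned and saved yet), as an added example that is not from the original post. The config excerpt is constructed; the interface commands mirror the ones above.

```python
import re
# Constructed sample running-config (not from the original post): Gi0/1 is
# complete; Gi0/2 has sticky set but the feature itself was never enabled;
# Gi0/3 is enabled but no sticky entries have been learned and saved yet.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
 switchport port-security mac-address sticky 0011.2233.4466
 switchport port-security
!
interface GigabitEthernet0/2
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/3
 switchport port-security mac-address sticky
 switchport port-security
!
"""

def split_interfaces(config):
    """Map each 'interface X' stanza to its list of indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return stanzas

def audit_port_security(config):
    """Return {interface: [findings]} for ports whose sticky setup is incomplete."""
    findings = {}
    for name, cmds in split_interfaces(config).items():
        enabled = "switchport port-security" in cmds  # the bare enable command
        sticky = "switchport port-security mac-address sticky" in cmds
        saved = sum(bool(re.fullmatch(r"switchport port-security mac-address sticky \S+", c)) for c in cmds)
        problems = []
        if sticky and not enabled:
            problems.append("sticky learning set but 'switchport port-security' never issued")
        if sticky and enabled and saved == 0:
            problems.append("no sticky MAC entries saved: nothing learned yet or config not saved")
        if problems:
            findings[name] = problems
    return findings
```

Run it against the startup-config rather than the running-config to confirm the learned entries were actually saved.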


RIP v2 Authentication

I know, I know – we all love RIP. And we are especially excited about the authentication capabilities that show up in Version 2 of the protocol. OK, the sarcasm is obvious. For our CCIE Security written, let’s make sure we are aware of the two options that are available and how to configure them.

Your options are clear text and MD5. You would never use clear text in real life of course, but we need to know it is an option in our written exam. Let’s look at the configuration of clear text; no authentication mode command is needed because text is the default mode. Notice that I am leaving out all of the commands you would use to enable RIP between our devices; we just want to focus on the authentication configuration here. By the way, I used GNS3 for this practice. Classic case where it comes in handy: two simple routers over a serial connection. No need for something more robust like VIRL:

R2(config)#key chain RIPKEYS
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string CISCO
R2(config)#int s0/0
R2(config-if)#ip rip authentication key chain RIPKEYS

Very easy – and to do MD5, as you will see, we just add one more command under the interface. Verification is the trickier business, since RIP has no neighborships that would drop and tell us the authentication failed. I like to use debug ip rip here.