Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
431
Views
0
Helpful
2
Replies

Which ports need Port Security?

JoshGarmonCiscoCCNA
Level 1
Level 1

‎11-14-2015 01:21 AM - edited ‎03-08-2019 02:42 AM

When it comes Switch Port Security...

1.) Do you apply it on the currently UN-used ports? Which ones? All of them?

2.) Does your employer determine what they want the ports to do if there is an issue?

Labels:
0 Helpful
2 Replies 2

niko
Level 1
Level 1

‎11-14-2015 01:59 AM

Hi,

Good and safe practice is to shut down currently unused ports - that way noone will be able to plug in without you knowing it, but it leads to overhead in case changes have to made often. If plugging in is ok - port security can be used to limit usage for one MAC address for data and one MAC address for voice VLAN, for example. Everything else can be denied. BPDUGuard on. This should be even used on existing ports.

Security guidelines should be created together with management and IT security staff, so in case of questions there would be always place to look - basically like a guide to follow, which will include not only user ports, but general guidelines, BYOD policy, server side security measures, access control mechanisms, etc.

But in the end I would say it all depends on your infrastructure, network and company.

0 Helpful

Masoud Pourshabanian
VIP Alumni
VIP Alumni

‎11-14-2015 05:30 AM

Hello,

I agree with Niko answer. I am adding more information. Port security is used to provide prevention of unauthorized access to the switch. It is usually implemented on Access port where network users get connected. It is better to activate it on both active an unused ports. As Niko said, you need to shut all unused port and assign them to an unused seperated VLAN.

There are several ways to implement port security. Some of them are more secure but have more overhead.

The easiest way is implemention of mac-address security. It shuts the port(if action is shut)  if an authorized device connects to the network.

Another mechanism is Dot1x which uses username and password to authenticate users. This one is more secure, but needs more configuration and if the network is large, network administrator has problem dealing with users almost everyday.

Could you explain your second question more? By employer, you mean your boss or your employee?

As for your second question, if any port is shut by violation, network administrator will be informed so he/she can investigate the issue and reactivate the port.

Hope it helps,

Masoud

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card