Privilege level 0 is a special level that, by default, contains only a handful of commands (disable, enable, exit, help, and logout). By moving individual commands down to level 0 and placing a user at that level, you give that user a very narrow, specifically defined set of commands. As an example, you could allow a certain user to run only the show arp command. This is useful when a third party is running a sniffer on your network and needs to match a MAC address to an IP address, or vice versa, without being handed anything else on the device. (A level 1 user can already run show arp; the point of using level 0 is to take everything else away.)
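The following IOS configuration is added here as a worked example and is not taken from the text; the username, password, and the choice of show arp as the one permitted command are assumptions.

```cisco
! Move the show arp command down to privilege level 0. Assigning a
! command that has a subkeyword also makes its parent keyword (show)
! available at that level, so the level 0 user can type "show arp"
! but no other show variant.
privilege exec level 0 show arp
!
! A local account that lands directly at level 0 after login.
! (Placeholder name and password. "secret" stores a hashed password;
! use "password" instead on IOS images that do not support it.)
username sniffer-vendor privilege 0 secret Ch4nge-me
!
! Make the VTY lines authenticate against the local user database so
! the privilege level on the username takes effect.
line vty 0 4
 login local
```

After logging in, the user can confirm the level with show privilege. show arp works, but show running-config, configure terminal, and the rest of the level 1 and level 15 command set are rejected; the enable command is still visible at level 0, but without the enable secret it goes nowhere.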
Configuring Banner Messages
You have probably messed around on a non-production router or switch and placed your own saying or name in a banner. In a production environment, the banner is the first thing your switch or router shows to anyone who connects, including potential intruders, so it should read as a warning rather than a greeting.
Tip Although this task seems trivial, it is very important to your security. More than once a hacker has gotten away with his crime because a district attorney decided not to pursue hacking charges, on the grounds that the greeting had welcomed the intruder into the network. Never use the word welcome in your banner messages!
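As an added example (not from the text), here are the three IOS banner types and where each is shown. The wording of the messages is illustrative and is not legal advice; check it with whoever owns your acceptable-use policy.

```cisco
! Message of the day: shown to every connection before the login prompt.
! The character after "banner motd" is the delimiter that ends the message,
! so it must not appear anywhere in the message body.
banner motd #
This system is for authorized use only. Unauthorized access is prohibited.
Activity on this system is monitored and logged, and may be disclosed to
law enforcement. Disconnect now if you are not an authorized user.
#
!
! Login banner: shown after the MOTD, immediately before the
! Username/Password prompt on the console, AUX and VTY lines.
banner login #
Authorized users only. All sessions are recorded.
#
!
! Exec banner: shown only after a successful login, so it is the right
! place for operational notes that an outsider should never see.
banner exec #
Change control: no configuration changes outside the maintenance window.
#
```

Verify with show running-config | begin banner, or simply open a new Telnet/SSH session and watch which banners appear before and after you authenticate.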
Physical Device Security
Physical access to all devices on your network should be included in your access policy. Because of the many vulnerabilities and back doors that become available to anyone who can touch a device (the standard console password-recovery procedure, for example, lets whoever holds a console cable reset the enable password on a reboot), protecting physical access to the machines on your network is extremely important. Anyone with physical access and the right knowledge can apply well-known techniques to a given device and gain control of it. Therefore, it is important to put a physical barrier between your devices and the average user. In addition, passwords should be applied to every access point that is reachable over the network.
Note A proper physical environment allows for locking the room where devices are kept, locking
device racks, and securing backup power sources and physical links. You should also verify
that passwords are applied at all levels, and you should disable unused or unnecessary ports
(including AUX ports) on your network.
Tip Make sure that the room also provides proper ventilation and temperature control along with the physical security listed above.
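The Note above tells you to disable unused ports, including AUX ports; the configuration below is an added example of doing that on an IOS device (it is not the text's own configuration, and the line numbers, interface range, parking VLAN, and password are assumptions).

```cisco
! Disable the AUX port: no EXEC shell, no inbound transport, and a
! one-second EXEC timeout as a backstop if something still reaches a shell.
line aux 0
 no exec
 transport input none
 exec-timeout 0 1
!
! The console cannot be turned off, so protect it instead: require a
! password and use a short idle timeout. (Password is a placeholder.)
line con 0
 password Ch4nge-me
 login
 exec-timeout 5 0
!
! On a switch, shut down access ports that have no host behind them and
! park them in an otherwise unused VLAN, so they carry nothing useful even
! if someone re-enables them by mistake. VLAN 999 is an assumed parking VLAN.
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

Check the result with show line (the AUX line should show no EXEC) and show interfaces status, where the parked ports appear as disabled in VLAN 999.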
Port Security
The Cisco IOS provides a feature called port security that lets you limit the MAC addresses that are allowed to use the ports on a switch. MAC addresses come pre-configured on a Network Interface Card (NIC), and because of industry-wide standards, no two NICs are supposed to ship with the same MAC address. (Most operating systems let a user override the burned-in address, so treat port security as a control over which machines are expected on a port, not as proof of who is actually there.) By tying specific MAC addresses to a switch port, you greatly increase control over which PCs can access the switch.
Here is how port security works: When a port on the switch receives a frame, it compares the frame's source MAC address with the secure source addresses learned or configured for that port. If the port receives a frame from a MAC address that it has not previously identified, the switch locks that port and marks it as disabled; on Catalyst IOS the port enters the err-disabled state and stays there until an administrator issues shutdown followed by no shutdown, or until err-disable recovery brings it back. The LED on that port then turns orange, indicating that the port has been disabled.
Note A linkDown trap will automatically be sent to the SNMP manager if SNMP traps have been configured.
You should know a few things before trying to apply port security:
Do not apply port security to trunk links, because they carry data from multiple VLANs and MAC addresses.
Port security cannot be enabled on a Switched Port Analyzer (SPAN) source or destination port.
You cannot configure dynamic or static Content Addressable Memory (CAM) entries on a secure port.
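The following is an added example of port security on a Catalyst IOS switch, not configuration from the text; the interface names, the MAC address, and the recovery interval are assumptions.

```cisco
! Port security on an access port: allow exactly one MAC address, the one
! listed statically, and shut the port down on any other source MAC.
! "switchport mode access" is required first: port security is rejected on
! a port left in dynamic (DTP) mode, which also keeps it off trunk links.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0012.3456.789a
 switchport port-security violation shutdown
!
! Alternative for a port whose host you do not want to type in by hand:
! learn the first MAC seen and write it into the running-config as a
! sticky secure address (save the config to keep it across reloads).
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Let ports shut down by a violation recover on their own after five
! minutes instead of waiting for an administrator's shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

To check the state after a violation, use show port-security interface FastEthernet0/1 (port status, violation mode, violation count, and the last offending source address), show port-security address for the secure address table, and show interfaces status err-disabled to list every port currently locked. If you would rather drop offending frames and log them than take the port down, violation restrict keeps the port up, increments the counter, and still sends the SNMP trap; violation protect drops silently and is hard to troubleshoot.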