Shutdown unused ports

Exam: Cisco 200-120 - Interconnecting Cisco Networking Devices: Accelerated (CCNAX)


A major topic under the section “Network device security” is “shutdown unused ports”. We will discuss this chapter in detail now from the point of view of CCNA exam preparation. Unused switch ports are one of the biggest security challenges in any network: anyone who wants to attack your network can do so easily by plugging into an unused port on one of its switches, and this is a serious threat to the network you are running. To avoid it you must shut down the unused ports that exist in your network. This is a fundamental networking topic and you must have a good understanding of it.

ErrDisable recovery – ErrDisable is a feature used mostly on Catalyst switches. Remember that the way the ErrDisable feature is implemented differs from one software platform to another; under this topic we will mostly look at ErrDisable as it works on switches. First let us understand what the ErrDisable function is all about. It is the situation in which the switch detects an error on a port that the software does not know how to handle, so it shuts the port down. The port is thus disabled by the switch operating software, all traffic into and out of the port comes to a halt, and the port LED turns orange in colour.

This function is useful because of two reasons:

  1. It helps the administrator to understand if there is a problem in the port.
  2. This also helps to ensure that the other ports in the module do not fail.

There can be many reasons for the errDisable state and they are as follows:

  1. A wrong configuration in the port
  2. A bad network interface card can also cause problems
  3. A cable that is not in the proper specification

You must understand how a port is recovered from the errdisable state, and that is exactly what we will discuss now. First of all you have to identify what the actual problem is. After this you have to enable the port again; this is also referred to as re-enabling the port. Keep in mind that for an EtherChannel to work all of its ports must have the same configuration. Read the error message carefully to understand why the ErrDisable state actually came up. You may also need to re-enable the ports manually in order to bring the network out of the ErrDisable state.

Using the cat6knative(config)#errdisable recovery cause bpduguard command you will get the general reasons for this state of the network. The ErrDisable recovery interval can be three to four hundred seconds. You can also use a number of verify and troubleshoot options to resolve the errDisable situation.
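The recovery procedure above, shown as an added IOS example that is not part of the original guide; the hostname cat6knative and the interface GigabitEthernet1/1 are assumed.

```cisco
! Added example (not from the original guide): enabling and verifying
! errdisable recovery for the bpduguard cause on a Catalyst switch.
! Hostname cat6knative and interface GigabitEthernet1/1 are assumed.
cat6knative# configure terminal
cat6knative(config)# errdisable recovery cause bpduguard
! Recovery timer in seconds (300 is the switch default)
cat6knative(config)# errdisable recovery interval 300
cat6knative(config)# end
!
! Verify which causes have recovery enabled and the timer value
cat6knative# show errdisable recovery
! List only the ports currently in the err-disabled state and why
cat6knative# show interfaces status err-disabled
!
! Manual re-enable once the root cause (bad NIC, cable, config) is fixed:
! bounce the port with shutdown followed by no shutdown.
cat6knative# configure terminal
cat6knative(config)# interface GigabitEthernet1/1
cat6knative(config-if)# shutdown
cat6knative(config-if)# no shutdown
cat6knative(config-if)# end
```

If the cause is not fixed first, the port simply returns to the err-disabled state at the next violation, which is exactly what the show interfaces status err-disabled output will reveal.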

Assign unused ports to an unused VLAN

VLAN hopping is easy to carry out, so to make the network more secure the administrator must ensure it is stopped. One way to do so is to assign the unused ports to an unused VLAN. If an attacker gets access to a VLAN they can get hold of its traffic too, which is dangerous. VLAN hopping can be done by switch spoofing and by double tagging. In switch spoofing the attacking host imitates a trunking switch, and that is when the traffic becomes available to the attacking host. This happens when the interface is left to negotiate the trunk, and it can be avoided by using the method under discussion here.

  1. First of all you must ensure that the ports are not set to negotiate trunks automatically.
  2. You must also ensure that the ports which are not actually meant to be trunks are explicitly configured as access ports.

This ensures that the unused ports are assigned to the unused VLAN and reduces VLAN hopping to a great extent. If the switch receives untagged frames, they are by default believed to belong to the native VLAN. This is a very important aspect of networking that an administrator must be aware of. Do spend some time on understanding this section.
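Both steps above applied to a block of unused ports, as an added IOS example that is not part of the original guide; VLAN 999, the port range GigabitEthernet0/10 - 24 and the hostname switch are assumed.

```cisco
! Added example (not from the original guide): hardening unused access
! ports on a Catalyst switch. VLAN 999, the range Gi0/10 - 24 and the
! hostname are assumed values.
switch# configure terminal
! A VLAN that is never routed and that no real host is placed in
switch(config)# vlan 999
switch(config-vlan)# name UNUSED
switch(config-vlan)# exit
!
switch(config)# interface range GigabitEthernet0/10 - 24
! Step 1: never negotiate a trunk with whatever gets plugged in
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport nonegotiate
! Step 2: park the port in the unused VLAN instead of the default VLAN 1
switch(config-if-range)# switchport access vlan 999
! A device pretending to be a switch sends BPDUs; err-disable the port
switch(config-if-range)# spanning-tree bpduguard enable
! Finally shut the port down until it is actually needed
switch(config-if-range)# shutdown
switch(config-if-range)# end
!
! Verify: the unused ports should show "disabled" with VLAN 999
switch# show interfaces status
switch# show vlan brief
```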

Putting native VLAN to other than VLAN 1

The native VLAN is used for the management of all the interfaces of the switches and routers. It is an untagged VLAN. The management VLAN and the native VLAN can be the same. The native VLAN carries control traffic, while the management VLAN is used only to access the devices. The management VLAN can also receive untagged traffic; it is the switch that decides whether this untagged traffic is forwarded to the native VLAN or not. Tagging the native VLAN makes the network a little more secure. The native VLAN is a property of the trunk rather than of the switch, and only one native VLAN can be set on one port. A switch with multiple ports cannot have a number of VLANs associated with it. Double tagging can be used only through the native VLAN, so to avoid this form of VLAN hopping one uses the method of “putting the native VLAN to other than VLAN 1”; VLAN 1 is not a good choice in all situations. This is done by following the steps below:

  1. There should not be any default VLAN set; VLANs other than VLAN 1 can be assigned.
  2. The native VLAN must be changed to an unused VLAN ID.
  3. Tag the native VLAN on all the trunk ports.

Applying this is like applying three layers of tagging, which makes VLAN hopping almost impossible. It is very often used in networking to provide the extra security that is needed. You must try to understand this aspect in detail.
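The three steps above on a single trunk, as an added IOS example that is not part of the original guide; VLAN 900 as the new native VLAN, the trunk GigabitEthernet0/1, the allowed VLANs 10,20,30 and the hostname switch are assumed.

```cisco
! Added example (not from the original guide): moving the native VLAN off
! VLAN 1 and tagging it on the trunks. VLAN 900, trunk Gi0/1, the allowed
! VLAN list and the hostname are assumed values.
switch# configure terminal
! Step 2: an unused VLAN ID that no access port is ever placed in
switch(config)# vlan 900
switch(config-vlan)# name NATIVE-UNUSED
switch(config-vlan)# exit
!
switch(config)# interface GigabitEthernet0/1
! Encapsulation command is needed on platforms that also support ISL
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
switch(config-if)# switchport nonegotiate
! Steps 1 and 2: the native VLAN is no longer the default VLAN 1
switch(config-if)# switchport trunk native vlan 900
! Carry only the VLANs this trunk really needs; 1 and 900 are left out
switch(config-if)# switchport trunk allowed vlan 10,20,30
switch(config-if)# exit
!
! Step 3 (global): tag native VLAN frames on every trunk, so an untagged
! frame arriving on a trunk is not accepted into the native VLAN
switch(config)# vlan dot1q tag native
switch(config)# end
!
! Verify: the "Native vlan" column should show 900 on every trunk
switch# show interfaces trunk
switch# show vlan dot1q tag native
```

Because a double-tagged frame relies on the outer tag matching an untagged native VLAN, tagging the native VLAN on the trunk removes the condition the technique depends on.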

This is all that you must know about how to shut down unused ports. Do prepare each of these aspects seriously and give them enough time. You must know this aspect of networking in order to get a proper score.

