Network switches offer different levels of port security features. Refer to the switch documentation to learn how to do the following:
Use authentication, authorization, and accounting features for local and remote access to the switch.
Change every password on network switches that might have multiple user accounts and passwords by default.
Manage switches out-of-band (separated from data traffic). If out-of-band management is not feasible, then dedicate a separate virtual local area network (VLAN) number for in-band management.
Use the port mirroring capability of the network switch for intrusion detection system (IDS) access.
Maintain a switch configuration file off-line and limit access only to authorized administrators. The configuration file should contain descriptive comments for each setting.
Implement port security to limit access based upon MAC addresses. Disable auto-trunking on all ports.
Use these port security features if they are available on your switch:
MAC Locking– Involves associating a Media Access Control (MAC) address of one or more connected devices to a physical port on a switch. If you lock a switch port to a particular MAC address, superusers cannot create backdoors into your network with rogue access points.
MAC Lockout– Disables a specified MAC address from connecting to a switch.
MAC Learning– Uses the knowledge about each switch port's direct connections so that the network switch can set security based on current connections.