Network Switches and Ports
Network switches offer different levels of port security features. Refer to the switch documentation to learn how to do the following:

- Use authentication, authorization, and accounting (AAA) features for local and remote access to the switch.
- Change every password on network switches, which may have multiple user accounts and default passwords.
- Manage switches out-of-band (separated from data traffic). If out-of-band management is not feasible, dedicate a separate virtual local area network (VLAN) number for in-band management.
- Use the port mirroring capability of the switch for intrusion detection system (IDS) access.
- Maintain a switch configuration file off-line and limit access to authorized administrators. The configuration file should contain descriptive comments for each setting.
- Implement port security to limit access based upon MAC addresses. Disable auto-trunking on all ports.
- Use these port security features if they are available on your switch:
  - MAC Locking – Involves associating the Media Access Control (MAC) address of one or more connected devices with a physical port on the switch. If you lock a switch port to a particular MAC address, superusers cannot create "backdoors" into your network with rogue access points.
  - MAC Lockout – Prevents a specified MAC address from connecting to the switch.
  - MAC Learning – Uses the switch's knowledge of each port's direct connections so that the switch can set security based on current connections.
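The following is an added example, not part of the original page, showing how the items above map onto a switch configuration. Cisco IOS syntax is an assumption (the page names no platform); interface names, VLAN numbers, the TACACS+ server address (documentation range) and the locked-out MAC address are placeholders.

```cisco
! AAA for local and remote access: TACACS+ first, local account as fallback
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs server AAA-SERVER
 address ipv4 192.0.2.10
 key <replace-with-shared-secret>
!
! Replace every default credential; keep no default enable password
enable secret <replace-with-strong-secret>
username netadmin privilege 15 secret <replace-with-strong-secret>
service password-encryption
!
! Dedicated management VLAN for in-band management, SSH-only access
vlan 99
 name MGMT
interface Vlan99
 description In-band management (placeholder address)
 ip address 192.0.2.2 255.255.255.0
line vty 0 4
 transport input ssh
 login authentication default
!
! Port mirroring: copy traffic from the user port to the IDS sensor port
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
!
! User-facing access port: no auto-trunking, MAC locking via port security
interface GigabitEthernet1/0/1
 description Workstation, office 101 (placeholder)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! MAC lockout: discard frames from one specific address on VLAN 10
mac address-table static 0000.0000.0001 vlan 10 drop
```

The `sticky` option records the first learned MAC address into the running configuration, so the off-line copy of the configuration file described above also documents which device each port is locked to.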