Cisco Basics: Port Security

Port Security is a feature of Cisco Catalyst switches which restricts the number of MAC addresses per port. The intention is to prevent users plugging in unmanaged switches to extend the network by sharing a single port. Whilst not a perfect solution as MAC addresses can be spoofed, it deters the average user.

When a device is connected to a switch port the Ethernet frame is examined and the source MAC address is recorded. If a second source MAC address is detected the switch will shut down the port to prevent multiple devices accessing the network.

Port security is enabled on a per-port basis, usually on all access ports. Enabling port security with the default options takes a single command:

Switch(config)# int fa0/1
Switch(config-if)# switchport port-security

Continue reading Cisco Basics: Port Security

How To – Enable Wake On LAN using a Cisco router

Wake On LAN is an Ethernet standard that allows for a device to be powered on when receiving a specially crafted “magic packet”. The “magic packet” is a broadcast frame consisting of 6 bytes of 255 (FF FF FF FF FF FF) followed by sixteen repetitions of the 48-bit MAC address. Turned off computers receiving the broadcast don’t actually process the message up the protocol stack, they are just looking out for a matching 102-byte string.

Because of this we can use a UDP datagram to remotely wake up a computer from somewhere else on a routed network. Here’s how you can achieve this using Cisco IOS.

The first thing we need to do is setup a static NAT entry for the UDP port we wish to use (usually 7 or 9), so that our “magic packet” is forwarded from our external interface to the host we want to power on. In the below example the IP address of the system we’re going to wake up is and the external interface is ATM0.1:

ip nat inside source static udp 7 int ATM0.1 7

Next up we need to create an access-list that will contain the IP addresses of systems we’ll be sending the Wake On LAN message from:

access-list 10 permit host

Finally we need to enable “directed broadcasts”. This enables packets sent to the subnet broadcast address to be sent from hosts that are not part of that subnet. Again, in the below example our external interface is ATM0.1:

int ATM0.1
ip directed-broadcast 10

You’ll then need to enable Wake on LAN on the device itself. Once that’s done you can use online services or free applications to wake your device.

Legally obtain Cisco IOS updates for free

Lets say you have a Cisco router that’s running an out of date IOS version and want to get a more recent image. It’s safe to say you’ll want to avoid resorting to piracy, Perhaps you don’t want to spend the money on a SMARTnet subscription. There’s a way to legally obtain an updated version that many people over look, security updates.

As it stands, CISCO’s security vulnerability policy states that (emphasis mine):

As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free of charge software updates to address security problems. If Cisco has offered a free software update to address a specific issue, noncontract customers who are eligible for the update may obtain it by contacting the Cisco TAC using any of the means described in the Contact Summary section of this document. To verify their entitlement, individuals who contact the TAC should have available the URL of the Cisco document that is offering the update.

Great! So we can probably get free updates if they fix a security issue, so what next? Head over to a handy on-line Cisco tool to identify what vulnerabilities are present in the version of IOS you’re running. Paste in the output of the “show ver” command and you’ll be presented with a list of vulnerabilities affecting your device.

Providing sh ver output to software checker

With that information, send TAC Support an e-mail including the output of the “show ver” command and the list of vulnerabilities and you will be sent a one-off link to obtain the latest IOS image for your device, free of charge.