Tuesday, February 16, 2010

Port Security Configuration On Cisco Switches

Port Security can be configured on Cisco switches to limit the number of hosts, as well as which MAC addresses, allowed on a specific interface. If a security violation occurs on a port, the port may be shut down automatically. There are two ways of securing MAC addresses:

1> Static Secure MAC addresses

We can manually specify which MAC address is secure with the switchport port-security mac-address mac-address interface configuration command.

Example:
switch(config-if)# switchport port-security mac-address mac-address

2> Dynamic (sticky) Secure MAC addresses

If we enable sticky address learning on a switchport, each address the switch learns on that port is automatically added to the MAC address table and becomes part of the running-configuration. If we save the running-configuration, these sticky MAC addresses become permanent secure MAC addresses.

Example:
switch(config-if)# switchport port-security mac-address sticky

Some characteristics of sticky MAC addresses:

1- If we disable sticky learning with the no switchport port-security mac-address sticky command, the sticky MAC addresses are removed from the running-configuration but still appear in the MAC address table as static secure MAC addresses.

2- If we disable port-security with the no switchport port-security command, the MAC addresses are removed from the MAC address table but still appear in the running-configuration.

Three violation modes (the state of the port when a security violation occurs):

1. Protect - the port is not shut down; frames from unknown MAC addresses are dropped and no SNMP trap is sent.
2. Restrict - the port is not shut down; frames from unknown MAC addresses are dropped and an SNMP trap is sent.
3. Shutdown - the port is shut down and an SNMP trap is sent.

Port-Security Default Settings:

  • Port Security Disabled on port
  • Max. secure mac-addresses = 1
  • Violation Mode Shutdown
  • Sticky Address Learning Disabled

To show port-security status:

switch# show port-security interface interface_name

Steps for Configuring Port Security:

Description                        Command

Select switchport                  switch(config)#int fa0/1

Set the port mode to access        switch(config-if)#switchport mode access

Enable port-security               switch(config-if)#switchport port-security

Set max. secure MAC addresses      switch(config-if)#switchport port-security maximum 10

Enable sticky learning             switch(config-if)#switchport port-security mac-address sticky

Return to privileged EXEC mode     switch(config-if)#end

Verification Commands:

To show secure mac-addresses: switch# show port-security address

To show the MAC address table: switch# show mac-address-table

To show brief details of port-security: switch# show port-security
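As an added example (not from the original post), the script below audits a saved running-configuration against the defaults and violation modes described above: it parses each interface stanza, applies the page's defaults (port-security disabled, maximum 1, violation shutdown, sticky disabled) where a command is absent, and flags access ports with port-security left off or set to protect mode, which sends no SNMP trap. The configuration text is constructed for the example.

```python
# Defaults stated on the page: port-security off, maximum 1,
# violation mode shutdown, sticky learning disabled.
DEFAULTS = {"mode": None, "enabled": False, "maximum": 1,
            "violation": "shutdown", "sticky": False}

# Constructed sample running-config (not from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each interface name to its effective port-security settings."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ports[current] = dict(DEFAULTS)
        elif current and line.startswith(" "):
            cmd, p = line.strip(), ports[current]
            if cmd.startswith("switchport mode "):
                p["mode"] = cmd.rsplit(None, 1)[1]
            elif cmd == "switchport port-security":
                p["enabled"] = True
            elif cmd.startswith("switchport port-security maximum "):
                p["maximum"] = int(cmd.rsplit(None, 1)[1])
            elif cmd.startswith("switchport port-security violation "):
                p["violation"] = cmd.rsplit(None, 1)[1]
            elif cmd.startswith("switchport port-security mac-address sticky"):
                p["sticky"] = True
        else:
            current = None  # "!" or any unindented line ends the stanza
    return ports

def audit(config: str) -> list:
    """Return (interface, finding) pairs for weakly protected access ports."""
    findings = []
    for name, p in parse_interfaces(config).items():
        if p["mode"] != "access":
            continue  # trunks and unconfigured ports are out of scope here
        if not p["enabled"]:
            findings.append((name, "port-security not enabled"))
        elif p["violation"] == "protect":
            findings.append((name, "violation mode protect sends no SNMP trap"))
    return findings
```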
