
Tuesday, November 18, 2014

Port Security in Cisco Switches

Switch port security restricts the number of mac-addresses that are allowed to send or receive frames on a port. Any incoming frame from a device whose mac-address is not one of the port's secure addresses is discarded by the switch.

If the maximum number of secure mac-addresses has been reached, a security violation occurs when a device with a different mac address tries to attach to that port.

The command to configure the number of secure mac-addresses is:

switchport port-security maximum <number>

The maximum number of secure mac-addresses allowed is 132.


Types of secure mac-addresses:

1. Static secure mac-address: Configured manually using the switchport port-security mac-address command. These mac-addresses are stored in the address table and in the running configuration of the switch.

2. Dynamic secure mac-address: These are learned dynamically by the switch and stored in the dynamic mac-address table. They are removed when the switch restarts. The only command required for this type is switchport port-security. The default behaviour is to allow only one mac-address and to shut down the port on a violation.

3. Sticky secure mac-address: Like dynamic secure mac-addresses they are learned dynamically, but they are saved in the running configuration. For example, if the maximum is 1, the first device to connect to the switch becomes the secure device: the switch learns its mac-address and saves it to the running configuration. Since the mac-addresses are saved in the running config, they remain intact across a reload if the config is saved to startup-config.


Depending on the action you want a switch to take when a security violation occurs, you can configure the behavior of a switch port to one of the following:

Protect – when the maximum number of secure MAC addresses has been reached, packets from devices with unknown source addresses are dropped until you remove the necessary number of secure MAC addresses from the table. In this mode, you are not notified when a security violation occurs.

Restrict – identical to protect mode, but notifies you when a security violation occurs. Specifically, an SNMP trap is sent, a syslog message is logged and the violation counter increments.

Shutdown – this is the default behavior on a switch. In this mode, the switch port shuts down when the violation occurs. Also, an SNMP trap is sent and the message is logged. You can enable the port again with the no shutdown interface configuration command.


CLI Commands:

For dynamic:

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security

For Sticky:

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 10
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security violation restrict

To see all port security configuration for the switch port use this command:

show port-security int fa0/1
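As an added example (not part of the original post), a small Python helper that parses the output of that show command and flags what a defender would act on: port security not enabled, the silent protect mode, a port already err-disabled, or a non-zero violation count. The sample output below is constructed to follow the layout of "show port-security interface fa0/1".

```python
import re

# Constructed sample, modelled on the layout of "show port-security interface fa0/1".
SAMPLE_SHOW_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 10
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 0
"""

# Fields whose value starts with a number we want as an int (e.g. "0 mins" -> 0).
NUMERIC_SUFFIXES = ("Addresses", "Count", "Time")


def parse_port_security(text):
    """Turn the 'key : value' lines of the show output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")   # keys never contain " : "
        if not sep:
            continue                              # skip blank or unexpected lines
        key, value = key.strip(), value.strip()
        m = re.match(r"^(\d+)", value)
        if m and key.endswith(NUMERIC_SUFFIXES):
            fields[key] = int(m.group(1))
        else:
            fields[key] = value
    return fields


def audit_port(fields):
    """Return findings based on the three violation modes described above."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled on this port")
    if fields.get("Violation Mode") == "Protect":
        findings.append("protect mode drops silently: no SNMP trap, syslog or counter")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled after a violation; investigate before 'no shutdown'")
    if fields.get("Security Violation Count", 0) > 0:
        findings.append("%d violation(s) recorded" % fields["Security Violation Count"])
    return findings
```

Feed it the captured output of one interface at a time; ports that return an empty list are enabled, notifying, up and without recorded violations.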
