Monday 12 December 2011

Configure Cisco Port Security

What is Switch Port Security?
Cisco Port Security is a feature that helps control access to the physical network. Any network admin's nightmare is an unauthorised device or PC plugging into a live switch port and joining the network.

Port security is a layer-two traffic control feature on Cisco Catalyst switches. It lets an administrator configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter users from adding "dumb" switches to extend the reach of the network without authorisation. Note that a MAC address is trivially spoofed, so port security is a hygiene control against accidental or casual misuse, not an authentication mechanism; where you need to authenticate the device itself, use 802.1X.

Considerations:
Cisco Port Security can help to
• restrict the MAC address or addresses that can connect through a switchport [default: the MAC address of the first device seen on the port]
• restrict the number of MAC addresses that can connect through a switchport [default is 1; the maximum (128 here) is platform-dependent]
• set an aging time in minutes for the secure MAC addresses learned on the port
• choose the action to take when a violation is detected (default is to err-disable the port and send an SNMP trap to the SNMP management server, if one is configured)

For a switch port to be security-enabled:
• the switchport cannot be a trunk port or a dynamic (DTP-negotiated) port; configure it as a static access port first
• the switchport cannot be a destination port of a Switched Port Analyzer (SPAN) session
• the switchport cannot belong to an EtherChannel port-channel interface
• the switchport cannot be an 802.1X port

How to configure Switch Port Security on a Cisco switch
Enter interface configuration mode for FastEthernet 0/1 and enable port security.
Port security must be enabled on the interface before any other port-security command is accepted there.
SW1(config-if)#interface fa0/1
SW1(config-if)#switchport port-security
* Notice that you do not have to exit back to global configuration mode before entering interface configuration mode for another interface; the interface command is accepted from (config-if) as well.

How to configure the maximum number of MAC addresses.
To allow only one device on the port, set the maximum to 1 (which is also the default):
SW1(config-if)#switchport port-security maximum 1

How to configure the port to add the learned MAC address to the running configuration.
The MAC address learned on the port is added ("stuck") to the running configuration as a static secure address, so it survives a link flap and a reboot of the end device. It lives only in the running configuration, however: if the switch reloads before the configuration is saved to startup-config, the sticky address is lost and the port simply learns whatever plugs in next.
SW1(config-if)#switchport port-security mac-address sticky

How to configure the port to automatically shut down if port security is violated.
Shutdown is already the default violation mode, so this command makes the intended behaviour explicit in the configuration. The alternatives, protect and restrict, only drop the offending traffic and leave the port up.
SW1(config-if)#switchport port-security violation shutdown

Three violation modes are available (keywords: protect, restrict, shutdown):
• Protect - When the limit is reached, frames from any further source MAC address are silently dropped; the allowed address (or addresses) keep transmitting normally. No trap, no syslog message and no violation counter increment, so this mode is easy to miss operationally.
• Restrict - Drops traffic exactly as protect does, but also sends an SNMP trap, logs a syslog message and increments the interface's violation counter.
• Shutdown - Puts the port into the err-disabled state, so it stops forwarding anything and the port LED turns off. An SNMP trap and a syslog message are generated. The port stays down until an administrator issues shutdown followed by no shutdown on the interface, or until errdisable recovery for the psecure-violation cause brings it back automatically.

View the status of port security
Once port security is configured and the device on the port has sent traffic, the switch records that MAC address and secures the port with it. To see the secure addresses the switch has learned:
Switch# show port-security address
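The steps above, collected into one end-to-end session, followed by the verification and recovery commands. This is an added example and not part of the original post; the switch name SW1, interface FastEthernet 0/1, the 60-minute aging time and the 300-second recovery interval are assumed for illustration.

```cisco
! Added example (not from the original post). SW1, fa0/1 and the timers below are assumed.
SW1# configure terminal
SW1(config)# interface fa0/1
! A dynamic/trunk port is rejected by port security, so make it a static access port first.
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 1
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# switchport port-security violation shutdown
! Alternative if you want offenders dropped but the port kept up (and still logged):
!   switchport port-security violation restrict
! Aging applies to dynamically learned secure addresses only; sticky and static
! addresses are exempt unless "switchport port-security aging static" is added.
SW1(config-if)# switchport port-security aging time 60
SW1(config-if)# exit
! Without this, an err-disabled port stays down until someone fixes it by hand.
SW1(config)# errdisable recovery cause psecure-violation
SW1(config)# errdisable recovery interval 300
SW1(config)# end
! Sticky addresses live only in the running config; save them or a reload forgets them.
SW1# copy running-config startup-config

! Verification: per-port state, violation count and mode, then the learned addresses.
SW1# show port-security interface fa0/1
SW1# show port-security
SW1# show port-security address

! Manual recovery after a shutdown-mode violation (if auto-recovery is not configured).
SW1# configure terminal
SW1(config)# interface fa0/1
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
SW1(config-if)# end
```

The show port-security interface output is the one to check first after a violation: it reports the port status (Secure-up, Secure-down or Secure-shutdown), the configured violation mode and the violation count, and the last source MAC address seen, which tells you what was plugged in before you clear the port.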