Most Layer 2 security features of a Cisco switch, port security included, require the interface to be a static access port first (the switch rejects switchport port-security on a port whose mode is dynamic auto/desirable), so begin by converting the port to an access port.
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface f0/1
Switch(config-if)#switchport mode access ----->converts f0/1 to a static access port
Switch(config-if)#switchport port-security--->enables port security on the interface; each of the sub-options listed below is entered afterwards as a separate command
Switch(config-if)#switchport port-security ?
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
Switch(config-if)#switchport port-security maximum 1 -->at most 1 secure MAC address may be learned on this interface (1 is also the default)
Switch(config-if)#switchport port-security violation ?
protect Security violation protect mode ----> silently drops frames from any extra MAC address: no syslog or SNMP trap, and the violation counter does not increment
restrict Security violation restrict mode --->drops the frames, logs the violation (syslog/SNMP trap) and increments the violation counter; the port stays up
shutdown Security violation shutdown mode --->puts the port into err-disabled state on the first violation (this is the default mode)
Switch#show port-security interface f0/1 --->verify the settings on the interface
Port Security : Disabled --->reads Enabled once switchport port-security has been applied on the interface
Port Status : Secure-down --->Secure-up while the link is up and secured, Secure-shutdown after a violation in shutdown mode (err-disabled)
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0 --->increments on each violation in restrict and shutdown mode (not in protect mode)
To re-enable a port that port security has err-disabled, either bounce it by hand (shutdown, then no shutdown under the interface) or let the switch recover it automatically:
conf t
errdisable recovery cause psecure-violation --->the cause keyword for port security is psecure-violation (security-violation is the 802.1x cause)
errdisable recovery interval <30-86400 seconds> --->default is 300 seconds
To let the switch learn MAC addresses dynamically but cap how many it accepts, and keep the learned addresses across a reload, combine maximum with sticky (port security must be enabled on the interface first):
Switch(config)#interface fastEthernet 0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2 --->up to 2 secure MAC addresses on this port
Switch(config-if)#switchport port-security mac-address ?
H.H.H 48 bit mac address --->statically configure one secure MAC address
sticky Configure dynamic secure addresses as sticky
Switch(config-if)#switchport port-security mac-address sticky ?
H.H.H 48 bit mac address
<cr>
Switch(config-if)#switchport port-security mac-address sticky --->the first 2 addresses seen are learned and written into the running-config as switchport port-security mac-address sticky H.H.H
Sticky addresses survive a reload only if the configuration is saved afterwards (copy running-config startup-config).
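As an added example (not part of the original post), the following Python does two things the page does by hand: it builds the complete, correctly ordered IOS configuration for one access port (access mode, port security, maximum, violation mode, sticky, plus the errdisable recovery lines), and it parses the output of show port-security interface and flags ports that are not enabled, run in protect mode, or carry a non-zero violation count. The two sample outputs, the interface names and the policy ceiling of two secure addresses are constructed for this example.

```python
"""Cisco port-security helper (added example; not from the original post).
Sample 'show' output and the policy ceiling below are constructed."""

VIOLATION_MODES = ("protect", "restrict", "shutdown")


def port_security_config(interface, maximum=1, violation="restrict",
                         sticky=False, recovery_interval=300):
    """Return IOS lines in the order they must be entered: the port has to be a
    static access port before 'switchport port-security' is accepted, and sticky
    learning is inert until port security is on. The errdisable cause keyword
    for port security is 'psecure-violation'."""
    if violation not in VIOLATION_MODES:
        raise ValueError("violation must be one of %s" % (VIOLATION_MODES,))
    if maximum < 1:
        raise ValueError("maximum must be at least 1")
    if not 30 <= recovery_interval <= 86400:
        raise ValueError("errdisable recovery interval is 30-86400 seconds")
    lines = [
        "errdisable recovery cause psecure-violation",
        "errdisable recovery interval %d" % recovery_interval,
        "interface %s" % interface,
        " switchport mode access",
        " switchport port-security",
        " switchport port-security maximum %d" % maximum,
        " switchport port-security violation %s" % violation,
    ]
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    return lines


def parse_show_port_security(text):
    """Turn 'show port-security interface X' output into {field: value}.
    The key 'Last Source Address:Vlan' itself contains a colon, so split on
    the last ' : ' separator rather than the first ':'."""
    fields = {}
    for raw in text.splitlines():
        if " : " not in raw:
            continue  # blank line or banner
        key, _, value = raw.rpartition(" : ")
        fields[key.strip()] = value.strip()
    return fields


def audit_port(fields, max_allowed=2):
    """Return findings for one parsed interface; [] means clean.
    max_allowed is an assumed site policy for the secure-address ceiling."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    mode = fields.get("Violation Mode", "").lower()
    if mode == "protect":
        findings.append("violation mode protect drops frames silently: "
                        "no log and no counter increment")
    elif mode not in ("restrict", "shutdown"):
        findings.append("unrecognised violation mode %r" % mode)
    maximum = int(fields.get("Maximum MAC Addresses", "0") or 0)
    if maximum > max_allowed:
        findings.append("maximum %d exceeds policy limit %d" % (maximum, max_allowed))
    count = int(fields.get("Security Violation Count", "0") or 0)
    if count > 0:
        findings.append("%d violation(s), last offender %s"
                        % (count, fields.get("Last Source Address:Vlan")))
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled by port security")
    return findings


# Constructed samples modelled on the capture above: one healthy port and one
# that was err-disabled after repeated violations in shutdown mode.
SAMPLE_CLEAN = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 0
"""

SAMPLE_VIOLATED = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.6677:1
Security Violation Count   : 3
"""

if __name__ == "__main__":
    print("\n".join(port_security_config("FastEthernet0/2", maximum=2, sticky=True)))
    for name, sample in (("clean", SAMPLE_CLEAN), ("violated", SAMPLE_VIOLATED)):
        print(name, audit_port(parse_show_port_security(sample)) or "OK")
```

Running the script prints the eight configuration lines for FastEthernet0/2 and then "clean OK" followed by the two findings for the violated port. To audit a real switch, paste the show output into parse_show_port_security; the field names are the ones the page's capture uses.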