Saturday 8 March 2014

CONFIGURE PORT SECURITY IN CISCO SWITCH

How to Configure Port Security in Cisco Switch?
By default, the switchport security feature is disabled on all switchports and must be enabled.

1. The following steps enable the switchport security feature on an interface. (This can cause some confusion, but in Cisco IOS, switchport configuration is performed in interface configuration mode; the terms interface and switchport are used interchangeably here.)

Enter privileged mode
router>enable

Enter global configuration mode
router#configure terminal

Enter interface configuration mode
router(config)# interface interface

Enable the switchport security feature
router(config-if)# switchport port-security


Without configuring any other parameters, the switchport security feature permits only one MAC address to be learned per switchport (dynamically) and uses the shutdown violation mode; this means that if a second MAC address is seen on the switchport, the port is shut down and placed in the err-disabled state.

2. The following steps alter these default parameters:

Enter privileged mode
router>enable

Enter global configuration mode
router#configure terminal

Enter interface configuration mode
router(config)# interface interface

Configure the maximum number of MAC addresses allowed on a switchport (default: 1)
router(config-if)# switchport port-security maximum value

Configure the switchport violation mode (default: shutdown)
router(config-if)# switchport port-security violation {protect | restrict | shutdown}


As stated above, by default MAC addresses are learned on a switchport dynamically and are called dynamic MAC addresses. MAC addresses can also be configured in two other ways: statically and sticky. Static MAC addresses can be configured on a switchport to ensure that only a device with a specific MAC can use that switchport (for example, if the switchport location and the device are publicly accessible and the organization wants to ensure that only the authorized device can access the network). A sticky MAC address is a hybrid between a static and a dynamic MAC address. When a MAC address is dynamically learned on a sticky-enabled port, it is automatically entered into the running configuration as a static MAC address; the address is then kept in the running configuration until a reboot. On reboot the MAC address will be lost; if the network engineer wants to keep the MAC address across a reboot, a configuration save is required (copy running-config startup-config).
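To make the behaviour described above concrete, here is a small Python model of a port-security-enabled switchport. It is an added example written for this page, not IOS code and not part of the original post: it models the per-port maximum (default 1), the three violation modes (protect, restrict, shutdown) and the three address types (dynamic, static, sticky), including what survives a reload with and without a configuration save. The interface names, MAC addresses and the assumption that an err-disabled port comes back up after a reload are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SwitchPort:
    """One switchport with port-security enabled (constructed model)."""
    name: str
    maximum: int = 1                 # switchport port-security maximum <value>
    violation: str = "shutdown"      # violation {protect | restrict | shutdown}
    sticky: bool = False             # switchport port-security mac-address sticky
    secure: dict = field(default_factory=dict)  # mac -> "static"|"sticky"|"dynamic"
    err_disabled: bool = False
    violations: int = 0              # counter shown by 'show port-security'

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>; counts toward maximum."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} reached")
        self.secure[mac] = "static"

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame and return the action the port takes."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:
            # Room left: learn it. With sticky enabled the address is written
            # into the running configuration; otherwise it is a dynamic entry.
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forwarded (learned)"
        # Unknown source MAC with the maximum already reached: a violation.
        if self.violation == "protect":
            return "dropped"                # silent: no counter, no trap
        self.violations += 1                # restrict and shutdown both count it
        if self.violation == "restrict":
            return "dropped + syslog/SNMP trap"
        self.err_disabled = True            # shutdown mode err-disables the port
        return "port err-disabled"

    def reboot(self, saved: bool) -> None:
        """Reload the switch. Dynamic entries are always lost. Static and sticky
        entries live in the running configuration, so they survive only if it
        was saved (copy running-config startup-config) before the reload."""
        keep = {"static", "sticky"} if saved else set()
        self.secure = {m: t for m, t in self.secure.items() if t in keep}
        self.err_disabled = False   # assumption: the port comes back up on reload
        self.violations = 0


def run_scenario(mode: str) -> tuple:
    """Constructed scenario: f0/1 with the default maximum of 1, sticky
    learning on, and a second device showing up on the same port."""
    port = SwitchPort("f0/1", violation=mode, sticky=True)
    first = port.receive("0000.1111.2222")    # learned as the one secure MAC
    second = port.receive("0000.3333.4444")   # triggers the violation mode
    return first, second, port.violations, port.err_disabled


def addresses_after_reload(sticky: bool, saved: bool) -> dict:
    """Constructed scenario: one static and one learned address on f0/2
    (maximum 2), then a reload with or without a prior config save."""
    port = SwitchPort("f0/2", maximum=2, sticky=sticky)
    port.add_static("0000.1111.2222")
    port.receive("0000.3333.4444")
    port.reboot(saved=saved)
    return dict(port.secure)


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run_scenario(mode))
    print("sticky+saved  ", addresses_after_reload(sticky=True, saved=True))
    print("sticky+unsaved", addresses_after_reload(sticky=True, saved=False))
    print("dynamic+saved ", addresses_after_reload(sticky=False, saved=True))
```

Two points the model makes visible: protect mode drops the offending frames without incrementing the violation counter or sending a trap, so it is the hardest mode to monitor; and on a real switch a port that shutdown mode has err-disabled stays down until an administrator issues shutdown followed by no shutdown on the interface, or errdisable recovery for the psecure-violation cause is configured.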

3. The following steps configure a static MAC address:

Enter global configuration mode
router#configure terminal

Enter interface configuration mode
router(config)# interface interface

Configure a static MAC address
router(config-if)# switchport port-security mac-address mac-address


4. The following steps enable sticky learning on a switchport:

Enter global configuration mode
router#configure terminal

Enter interface configuration mode
router(config)# interface interface

Enable sticky MAC address learning
router(config-if)# switchport port-security mac-address sticky


Switchport Security Configuration Example
To tie the configuration commands together, this section shows a basic switchport security example.

5. The following configuration enables the switchport security feature on ports f0/1 and f0/2, statically configures the MAC address 0000.1111.2222 on the f0/1 switchport, and enables sticky learning on the f0/2 switchport.
Enter global configuration mode
router#configure terminal

Enter interface configuration mode
router(config)# interface f0/1

Enable the switchport security feature
router(config-if)# switchport port-security

Configure a static MAC address (0000.1111.2222) on the switchport
router(config-if)# switchport port-security mac-address 0000.1111.2222

Enter interface configuration mode
router(config)# interface f0/2

Enable the switchport security feature
router(config-if)# switchport port-security

Configure the use of sticky MAC address learning
router(config-if)# switchport port-security mac-address sticky
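Once a configuration like the one above is in place, the practical question is which access ports still lack it. The following Python script is an added example, not part of the original post: it parses the interface stanzas of an IOS running configuration, fills in the defaults the configuration does not print (maximum 1, violation shutdown), and reports access ports without port-security as well as ports using the protect mode, whose violations produce no log or trap. The sample configuration is constructed to mirror the f0/1 and f0/2 settings above plus two extra ports; the interface names and the 0000.5555.6666 sticky address are invented for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (not from a real switch).
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.1111.2222
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.5555.6666
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


@dataclass
class PortSecurity:
    enabled: bool = False
    maximum: int = 1             # IOS default; not printed in the config
    violation: str = "shutdown"  # IOS default; not printed in the config
    sticky: bool = False
    static_macs: list = field(default_factory=list)
    sticky_macs: list = field(default_factory=list)


def parse_running_config(text: str) -> dict:
    """Return {interface_name: {"mode": ..., "ps": PortSecurity}} for every
    'interface' stanza in the running configuration."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"mode": None, "ps": PortSecurity()}
            continue
        if not line.startswith(" "):
            current = None       # '!' or any top-level line ends the stanza
            continue
        if current is None:
            continue
        cmd = line.strip()
        entry = interfaces[current]
        ps = entry["ps"]
        if cmd.startswith("switchport mode "):
            entry["mode"] = cmd.split()[2]
        elif cmd == "switchport port-security":
            ps.enabled = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", cmd):
            ps.maximum = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (protect|restrict|shutdown)", cmd):
            ps.violation = m.group(1)
        elif cmd == "switchport port-security mac-address sticky":
            ps.sticky = True
        elif m := re.fullmatch(r"switchport port-security mac-address sticky ([0-9a-f.]+)", cmd):
            ps.sticky_macs.append(m.group(1))
        elif m := re.fullmatch(r"switchport port-security mac-address ([0-9a-f.]+)", cmd):
            ps.static_macs.append(m.group(1))
    return interfaces


def audit(interfaces: dict) -> list:
    """Flag access ports without port-security, and ports in 'protect' mode
    (violations there are dropped silently, so nothing reaches syslog/SNMP)."""
    findings = []
    for name, entry in sorted(interfaces.items()):
        ps = entry["ps"]
        if entry["mode"] == "access" and not ps.enabled:
            findings.append((name, "access port without switchport port-security"))
        elif ps.enabled and ps.violation == "protect":
            findings.append((name, "violation mode 'protect' gives no log or trap on violation"))
    return findings


if __name__ == "__main__":
    parsed = parse_running_config(SAMPLE_RUNNING_CONFIG)
    for name, entry in sorted(parsed.items()):
        print(f"{name:20} mode={entry['mode']} {entry['ps']}")
    for name, issue in audit(parsed):
        print(f"FINDING {name}: {issue}")
```

Feeding the script the real output of show running-config instead of the constructed sample turns it into a quick compliance check across a switch; trunk ports are deliberately left alone because port-security is an access-port control.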
