Port Security helps prevent unauthorized access to the network by limiting which MAC addresses are allowed to send traffic through a switchport. This way you can make sure that only authorized entities get access to the network. By default, port security is disabled on a port.
Topology:
Configuration:
Switch(config)#int fas0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
If a security violation occurs, we can decide what action should be taken on the switchport:
Switch(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
Note: Shutdown is the default violation mode.
A port can be configured to learn a maximum number of MAC addresses:
Switch(config-if)#switchport port-security maximum ?
<1-132> Maximum addresses
Note: By default, the maximum number of MAC addresses allowed is 1.
Switch#show port-security interface fas0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 00E0.F75E.CC34:1
Security Violation Count : 0
If a new host is connected to port fas0/1, the port status changes to Secure-shutdown and the violation count is incremented:
Switch#show port-security int fas0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 000B.BE98.D402:1
Security Violation Count : 1
Switch#show interfaces fas0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
err-disable is a feature available in most Cisco Catalyst switches that automatically disables a port in response to an error condition, in this case a port-security violation. When a port is err-disabled, no traffic is sent or received on it. To re-enable the port, the shutdown and no shutdown interface subcommands need to be used.
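As an added example (not part of the original post), the following Python script parses the show port-security interface output shown above and reports whether the port is err-disabled, has logged violations while staying up, or has used up its secure-address budget. The sample output embedded in it is constructed from the listing above, not captured from a switch.

```python
import re

# Constructed sample, modelled on the "show port-security interface fas0/1"
# output above after the second host was connected (not captured from a switch).
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 000B.BE98.D402:1
Security Violation Count   : 1
"""

# IOS pads the label and then prints " : value"; requiring whitespace before
# the colon keeps "Last Source Address:Vlan" intact as a single key.
FIELD_RE = re.compile(r"^(?P<key>\S.*?)\s+:\s+(?P<value>\S.*?)\s*$")

def parse_port_security(text):
    """Turn the key/value lines of 'show port-security interface' into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields

def assess(fields):
    """Classify the port from its counters; returns (state, human-readable detail)."""
    status = fields.get("Port Status", "").lower()
    violations = int(fields.get("Security Violation Count", "0"))
    used = int(fields.get("Total MAC Addresses", "0"))
    maximum = int(fields.get("Maximum MAC Addresses", "0"))
    last_mac, _, vlan = fields.get("Last Source Address:Vlan", "").partition(":")
    if status == "secure-shutdown":
        return "ERR-DISABLED", (f"violation by {last_mac} on VLAN {vlan}; "
                                "recover with shutdown / no shutdown")
    if violations > 0:  # restrict mode keeps the port up but counts violations
        return "VIOLATIONS", f"{violations} violation(s), last source {last_mac}"
    if used >= maximum:
        return "FULL", f"{used}/{maximum} secure MACs learned; next new host violates"
    return "OK", f"{used}/{maximum} secure MACs learned"
```

Calling assess(parse_port_security(text)) on the output of each access port gives a quick inventory of which ports need the shutdown / no shutdown recovery described above.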