Port security on a Cisco IOS switch is a security feature that restricts input to an interface by limiting and identifying MAC addresses that are allowed to access the port. This helps prevent unauthorized devices from connecting to your network.
Key Concepts:
- MAC Address Learning: The switch learns the MAC addresses of devices connected to the port.
- Maximum MAC Addresses: You can configure the maximum number of MAC addresses allowed on a port.
- Violation Modes: You can configure how the switch handles a security violation (when an unauthorized MAC address tries to connect).
- Sticky MAC Addresses: This feature allows the switch to dynamically learn MAC addresses and add them to the running configuration.
Violation Modes:
- Protect: Packets from unknown MAC addresses are dropped, but no notification is sent.
- Restrict: Packets from unknown MAC addresses are dropped, and a notification (syslog message) is sent.
- Shutdown: The port is placed in an error-disabled state, effectively shutting it down.
Cisco IOS Configuration Examples:
Here are some examples of how to configure port security on a Cisco IOS switch:
1. Basic Port Security:
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
- switchport mode access: Configures the port as an access port.
- switchport port-security: Enables port security.
- switchport port-security maximum 1: Limits the number of allowed MAC addresses to 1.
- switchport port-security violation shutdown: Configures the port to shut down if a violation occurs.
2. Configuring Specific MAC Addresses:
interface GigabitEthernet0/2
switchport mode access
switchport port-security
switchport port-security mac-address 000A.95BD.6842
switchport port-security mac-address 000B.96CE.7953
switchport port-security violation restrict
- switchport port-security mac-address <MAC address>: Specifies the allowed MAC addresses.
- switchport port-security violation restrict: Configures the port to drop traffic from unknown MAC addresses and send a notification upon violation.
3. Using Sticky MAC Addresses:
interface GigabitEthernet0/3
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security violation protect
- switchport port-security mac-address sticky: Enables sticky MAC addresses. The switch dynamically learns the MAC address of the first device that connects and adds it to the running configuration.
- switchport port-security violation protect: Configures the port to silently drop traffic from unknown MAC addresses upon violation, with no notification.
4. Configuring Maximum MAC addresses with sticky MAC addresses:
interface GigabitEthernet0/4
switchport mode access
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address sticky
switchport port-security violation shutdown
- This configuration allows the first 3 MAC addresses seen on the port and adds them to the running configuration as sticky entries; any further address triggers a shutdown violation.
Verification Commands:
- show port-security interface <interface>: Displays port security settings for a specific interface.
- show port-security address: Displays all secure MAC addresses on the switch.
- show running-config interface <interface>: Shows the configuration of a specific interface, including sticky MAC addresses.
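As an added example (not part of these notes, and not Cisco's code), the Python script below audits a running-config and reports access ports that have no port security, use violation mode protect (which gives no notification), or allow more MAC addresses than a site policy permits. The sample config and the MAX_ALLOWED threshold are constructed for the demonstration; feed it the output of show running-config.

```python
import re

MAX_ALLOWED = 3  # hypothetical site policy: largest acceptable "maximum" on an access port
# Constructed running-config excerpt for demonstration (not from a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 8
 switchport port-security violation protect
!
interface GigabitEthernet0/4
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface name to its list of indented sub-commands."""
    blocks = re.findall(r"^interface (\S+)\n((?: .+\n)*)", config, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in blocks}

def audit_port_security(config):
    """Return (interface, finding) pairs for access ports that miss the policy."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and dynamic ports are out of scope here
        if "switchport port-security" not in cmds:
            findings.append((name, "port security not enabled"))
            continue
        maximum, violation = 1, "shutdown"  # IOS defaults when not configured
        for cmd in cmds:
            m = re.match(r"switchport port-security (maximum|violation) (\S+)", cmd)
            if m and m.group(1) == "maximum":
                maximum = int(m.group(2))
            elif m:
                violation = m.group(2)
        if violation == "protect":
            findings.append((name, "violation mode protect sends no notification"))
        if maximum > MAX_ALLOWED:
            findings.append((name, f"maximum {maximum} exceeds policy of {MAX_ALLOWED}"))
    return findings
```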
Important Considerations:
- Port security is most effective on access ports.
- Carefully plan your violation mode based on your security requirements.
- Use sticky MAC addresses with caution, as they can lead to configuration issues if devices are frequently moved.
- Regularly monitor port security logs and alerts.
- When using sticky MAC addresses, remember to use the copy run start command to save the learned MAC addresses to the startup configuration, so that they are reloaded after a switch reboot.
- If you are using a voice VLAN, ensure that you configure port security for the voice VLAN as well as the data VLAN.
Port security is a valuable tool for enhancing network security by controlling device access at the port level.
Check out free CCNA study notes at tutorialsweb.com