To demonstrate how to configure this variety of settings, Figure 6-2 and Example 6-1 show four examples of port security. Three ports operate as access ports, while port F0/4, connected to another switch, operates as a trunk.

SW1#show running-config
(Lines omitted for brevity)
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0200.1111.1111
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
!
interface FastEthernet0/4
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 8

SW1#show running-config interface f0/2
Building configuration...

Current configuration : 188 bytes
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0200.2222.2222

Port security does not save the configuration of the

NOTE Switches can also use port security on voice ports and EtherChannels. For voice ports, make sure to configure the maximum MAC address to at least two (one for the phone and one for a PC connected to the phone). On EtherChannels, the port security configuration should be placed on the port-channel interface, rather than on the individual physical interfaces in the channel.

Verifying Port Security

The show port-security interface command provides the most insight into how port security operates, as shown in Example 6-3. This command lists the configuration settings for port security on an interface; plus it lists several important facts about the current operation of port security, including information about any security violations. The two commands in the Show
Cisco CCNA – Port Security and Configuration

Switch port security limits the number of valid MAC addresses allowed on a port. When a MAC address, or a group of MAC addresses, is configured to enable switch port security, the switch will forward packets only to the devices using those MAC addresses. Any packet coming from any other device is discarded by the switch as soon as it arrives on the switch port. If you limit the number of MAC addresses allowed on a port to only one, only one device will be able to connect to that port, and it will get the full bandwidth of the port. If the maximum number of secure MAC addresses has been reached, a security violation occurs when a device with a different MAC address tries to attach to that port. In most of today's scenarios, when the switch detects a security violation, the switch automatically shuts down that port. A switch can instead be configured to only protect or restrict that port. We will discuss these security violation modes a little later. Secure MAC addresses are of three types:
Sticky secure MAC addresses have these characteristics:
In a Cisco switch, you are able to configure three types of security violation modes. A security violation occurs when the maximum number of MAC addresses has been reached and a new device, whose MAC address is not in the address table, attempts to connect to the interface, or when a MAC address learned on one interface is seen on another secure interface in the same VLAN. Depending on the action you want a switch to take when a security violation occurs, you can configure the behavior of a switch port to one of the following:
The default configuration of a Cisco switch has port security disabled. If you enable switch port security, the default behavior is to allow only one MAC address, shut down the port in case of a security violation, and leave sticky address learning disabled. Next, we will enable dynamic port security on a switch. As you can see, we did not specify an action to be taken if a security violation occurs, nor how many MAC addresses are allowed on the port. Recalling from above, the default behavior is to shut down the port and allow only one MAC address.

Switch(config)#interface FastEthernet 0/1

Good. After you have configured port security in the desired mode on a switch, it's time to verify the configuration and the learned MAC addresses with show port-security interface interface-id and with show port-security address.

Switch#show port-security address
-------------------------------------------------------------------
-------------------------------------------------------------------
Total Addresses in System: 0
Max Addresses limit in System: 8320

Switch(config)#interface FastEthernet 0/2

In this CCNA certification topic we have covered switch port security. Knowing what switch port security is and how to implement it is important. Not only may you encounter questions about this topic when you take the Cisco CCNA certification exam, but you will also see switches configured with port security in almost all real-life environments. Companies and service providers use port security to prevent attacks and unauthorized access to their networks. We hope you found this article helpful in your preparation for the CCNA exam, as well as for your day-to-day activities.

What are the 3 options if there is a security violation on a switchport?
You can configure the port for one of three violation modes: protect, restrict, or shutdown.
When a port security violation occurs, what happens next by default?
As you can see, we did not specify an action to be taken if a security violation occurs, nor how many MAC addresses are allowed on the port. Recalling from above, the default behavior is to shut down the port and allow only one MAC address.

What is the maximum number of MAC addresses allowed on a switch port?
The switch must only allow a maximum of one registered MAC address per access port.

What are port security violations?
The Cisco port security violation mode is a port security feature that restricts input to an interface when it receives a frame that breaks the port security settings on that interface.
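The violation modes and defaults described in this article, as an added example that is not from the article or from Cisco: a small Python model of one secure access port that applies the maximum, sticky learning and the protect/restrict/shutdown behaviour to a constructed frame sequence. The port name, MAC addresses and action strings are constructed for the illustration, and the model only covers the "maximum reached" violation, not a MAC seen on two secure ports in the same VLAN.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Model of one access port with switchport port-security enabled.
    Defaults follow the article: maximum 1 MAC, violation mode shutdown,
    sticky learning off. Constructed model for illustration, not Cisco code."""
    name: str
    maximum: int = 1
    violation: str = "shutdown"  # protect | restrict | shutdown
    sticky: bool = False
    secure_macs: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False
    sticky_config: list = field(default_factory=list)  # lines sticky learning adds to running-config

    def receive(self, src_mac: str) -> str:
        """Apply the port-security rules to a frame from src_mac; return the action taken."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # room left under the maximum: learn the address (dynamic or sticky)
            self.secure_macs.add(src_mac)
            if self.sticky:
                self.sticky_config.append(f"switchport port-security mac-address sticky {src_mac}")
            return "forwarded (learned)"
        # maximum reached and the source MAC is not secure: a security violation
        if self.violation == "protect":
            return "dropped"  # silently discarded: no counter, no log
        self.violations += 1
        if self.violation == "restrict":
            return "dropped (violation logged)"  # counter incremented, syslog/SNMP trap sent
        self.err_disabled = True  # shutdown mode: the port goes err-disabled
        return "dropped (port shut down)"


# Constructed frame sequence: an authorised host, then a second MAC appearing on the same port.
FRAMES = ["0200.1111.1111", "0200.1111.1111", "0200.2222.2222", "0200.1111.1111"]


def run(mode: str, maximum: int = 1, sticky: bool = False):
    """Feed FRAMES through a port in the given mode; return the port and the per-frame actions."""
    port = SecurePort("Fa0/1", maximum=maximum, violation=mode, sticky=sticky)
    return port, [port.receive(mac) for mac in FRAMES]


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port, actions = run(mode)
        print(f"{mode:>8}: {actions} violations={port.violations} err-disabled={port.err_disabled}")
```

Running it with the default maximum of one shows why shutdown is the noisiest but safest default: after the second MAC appears, every later frame from the legitimate host is also dropped until the port is recovered, whereas protect drops the intruder silently and restrict drops it while counting the violation.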