Port Security - Port Security helps secure the network by preventing unknown devices from forwarding packets. If you know which devices will be connected to which ports, you can use the Cisco security feature called port security. It is a versatile feature that can mitigate attacks against the network and prevent unauthorized moves, adds, and changes by limiting the number of unique media access control (MAC) addresses that can use a given port.
- en
- conf
- interface fa0/1
- switchport mode access
- switchport port-security
- switchport port-security mac-address sticky
- switchport port-security mac-address sticky (MAC of PC8) (optional: pins a specific sticky MAC address instead of learning it)
- switchport port-security maximum 1 (maximum number of MAC addresses allowed on the port)
- switchport port-security violation shutdown (violation policy)
Now unplug the cable from the old system, connect a new computer, and change the IP address on the new computer; the new MAC address triggers a violation, which you can inspect with the following commands.
- show port-security address
- show port-security interface fa0/1
- interface fa0/1
- shutdown
- no shutdown (an err-disabled port is recovered with shutdown followed by no shutdown)
Sticky – This is not a violation mode. By using the sticky command, the user gets static MAC address security without typing the absolute MAC address. For example, if the user sets a maximum of 2, the first 2 MAC addresses learned on that port will be placed in the running configuration.
Violation mode – protect, restrict, or shutdown
Protect – When a violation occurs in this mode, the switchport will permit traffic from known MAC addresses to continue sending traffic while dropping traffic from unknown MAC addresses. When using this mode, no notification message is sent when this violation occurs.
Restrict – When a violation occurs in this mode, the switchport will permit traffic from known MAC addresses to continue sending traffic while dropping traffic from unknown MAC addresses. However, unlike the protect violation type, a message is also sent indicating that a violation has occurred.
Shutdown – When a violation occurs in this mode, the switchport will be taken out of service and placed in the err-disabled state. The switchport will remain in this state until it is manually re-enabled; this is the default switchport security violation mode.
Switchport Security MAC Addresses
When using the switchport security feature, source MAC addresses are separated into three different categories:
Static – Static secure MAC addresses are statically configured on each switchport and stored in the address table. The configuration for a static secure MAC address is stored in the running configuration by default and can be made permanent by saving them to the start-up configuration.
Dynamic – Dynamic secure MAC addresses are learned from the device (or devices) connected to the switchport. These addresses are stored in the address table only and will be lost when the switchport state goes down or when the switch reboots.
Sticky – Sticky secure MAC addresses are a hybrid. They are learned dynamically from the devices connected to the switchport, are put into the address table AND are entered into the running configuration as a static secure MAC address (sometimes referred to as a static sticky MAC address). Like a static secure MAC address, these MAC addresses will be lost unless saved to the start-up configuration.
The type of secure MAC addresses that an organization uses depends on the specific network environment.
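The following is an added behavioural model of the configuration and violation modes described above; it is a constructed example, not Cisco code. It assumes a maximum of 1, hard-codes the port name Fa0/1 in the log line, and approximates the IOS syslog text, so the reader can see why the PC swap in the procedure is forwarded, dropped silently, dropped with a log, or err-disables the port depending on the mode.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class SecurePort:
    """One Cisco access port with port-security (constructed model, not IOS code)."""
    maximum: int = 1
    violation: str = "shutdown"     # protect | restrict | shutdown (IOS default)
    sticky: bool = True
    secure_macs: List[str] = field(default_factory=list)
    err_disabled: bool = False
    violation_count: int = 0
    syslog: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"           # an err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return "forward"        # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learned; sticky copies it to running-config
            return "forward"
        # Unknown MAC beyond the maximum: a violation, handled per the configured mode.
        if self.violation == "protect":
            return "drop"           # silent: no syslog, counter not incremented
        self.violation_count += 1
        self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {src_mac} on port Fa0/1.")
        if self.violation == "shutdown":
            self.err_disabled = True   # port leaves service until an operator re-enables it
        return "drop"

    def shutdown_no_shutdown(self) -> None:
        """Operator recovery: 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False
        if not self.sticky:
            self.secure_macs.clear()   # dynamic addresses are lost when the port goes down

    def running_config(self) -> List[str]:
        """Interface lines as they would appear under show running-config."""
        lines = ["switchport mode access", "switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}" for m in self.secure_macs]
        return lines
```

Feed the model the old PC's MAC, then the new PC's MAC, and compare the outcome across the three modes; with sticky disabled, recovery also flushes the learned address, as the Dynamic category above describes.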