Friday, September 10, 2010

CISCO IOS Tips – Port Security

Setting up port security in Cisco switches 
To see all the ports in a concise manner 
sh ip interface brief 
In a Telnet or SSH session to see all the messages coming from the switch 
terminal monitor 
Interface status "up" means something is physically connected (layer 1)
Line protocol "up" means the data link layer is up
After connecting devices to the switch
The switch dynamically learns their MAC addresses and stores them in the CAM table
To see them
sh mac-address-table
sh mac address-table (on newer IOS versions)
To access a physical interface 
int fa 0/1

To set it as an access port, meaning an end host such as a PC will be connected to this interface

switchport mode access 
To enable port security on that interface
switchport port-security
To allow only one MAC address on that interface
switchport port-security maximum 1
To set the action taken when a violation occurs (a frame arrives from a MAC address beyond the allowed maximum)
To shut down the port on a violation (the port goes into the err-disabled state and stays down until an administrator issues shutdown / no shutdown on it, or errdisable recovery is configured)
switchport port-security violation shutdown
To restrict access by any additional MAC address (frames from the extra MAC addresses are dropped)
switchport port-security violation restrict
(This mode drops frames from the extra MAC addresses, increments the violation counter and logs the incident)
switchport port-security violation protect
(This mode drops frames from the extra MAC addresses silently, without logging)
To make the switch learn the MAC address automatically and write it into the configuration, so that we don't have to type the MAC addresses ourselves (sticky addresses land in the running config, so save with copy run start if they should survive a reload)
switchport port-security mac-address sticky
Now see the whole configuration by typing
sh run
Or run show commands from whatever configuration mode you are in by prefixing them with do
For example, from global config mode
do sh run
To see the port security status of a particular interface
sh port-security int fa 0/1
Each violation increments the Security Violation Count shown in that output
To configure all the switchports at once
int range fa 0/1-24
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
Now to see the port security that is configured on every port of your switch

sh port-security 
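The summary table that sh port-security prints is what you would watch to notice violations across the whole switch. The following script is an added example, not part of the original post and not a Cisco tool: it parses a constructed sample of that output (the sample text is made up here, not captured from a real switch) and reports ports with a non-zero violation count, ports allowing more than one MAC address, and ports in protect mode, which drop extra MAC addresses without logging and therefore never show up in syslog.

```python
import re
from typing import Dict, List

# Constructed sample of "show port-security" output (not from a real device).
SAMPLE_SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            1                  3         Restrict
      Fa0/3              2            2                  0         Protect
      Fa0/4              1            0                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One data row: port name, max addresses, current addresses, violations, action.
# Header, separator and "Total ..." lines do not match because their second
# column is not an integer.
ROW_RE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$"
)


def parse_port_security(text: str) -> List[Dict]:
    """Turn the summary table into a list of per-port dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "port": m["port"],
            "max": int(m["max"]),
            "current": int(m["cur"]),
            "violations": int(m["viol"]),
            "action": m["action"].lower(),
        })
    return rows


def audit(rows: List[Dict]) -> List[str]:
    """Return human-readable findings worth a ticket, one per port and issue."""
    findings = []
    for r in rows:
        if r["violations"] > 0:
            if r["action"] == "shutdown":
                # A shutdown-mode port with a violation is now err-disabled:
                # it needs shutdown / no shutdown (or errdisable recovery).
                findings.append(f"{r['port']}: {r['violations']} violation(s), port err-disabled")
            else:
                findings.append(f"{r['port']}: {r['violations']} violation(s), frames being dropped")
        if r["max"] > 1:
            findings.append(f"{r['port']}: allows {r['max']} MAC addresses (more than one host)")
        if r["action"] == "protect":
            findings.append(f"{r['port']}: protect mode, violations are not logged")
    return findings


def ports_with_violations(rows: List[Dict]) -> List[str]:
    return [r["port"] for r in rows if r["violations"] > 0]


if __name__ == "__main__":
    for line in audit(parse_port_security(SAMPLE_SHOW_PORT_SECURITY)):
        print(line)
```

In practice the input would come from a scheduled show port-security over SSH or from a collector; the parsing and the three checks stay the same.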

most important tips
If you set
switchport port-security maximum 1
You won't see this line in the output of sh run, because 1 is the default
If you increase the maximum to 2 or 3 or more, the line will appear in the output of sh run
Run show commands from whatever mode you are in by prefixing them with do
For example

do sh run
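Because defaults are omitted from sh run, a port-security review of the running config has to fill them in itself: an access port with switchport port-security but no maximum line allows exactly one address, and no violation line means shutdown. The following audit script is an added example, not from the original post or from Cisco; it walks a constructed running-config snippet (made up here, not captured from a real switch), applies those defaults, and lists access ports that have no port security at all.

```python
import re
from typing import Dict, List

# Constructed fragment of "show run" output (not from a real device).
SAMPLE_SHOW_RUN = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode trunk
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
!
"""


def interface_stanzas(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the list of indented lines under it."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a top-level line ends the stanza
    return stanzas


def audit_access_ports(config: str) -> Dict[str, Dict]:
    """Port-security settings per access port, with IOS defaults filled in."""
    result = {}
    for name, lines in interface_stanzas(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and SVIs are out of scope for port security
        settings = {
            "port_security": "switchport port-security" in lines,
            "maximum": 1,            # default, never shown in sh run
            "violation": "shutdown", # default, never shown in sh run
            "sticky": "switchport port-security mac-address sticky" in lines,
        }
        for cmd in lines:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", cmd)
            if m:
                settings["maximum"] = int(m.group(1))
            m = re.fullmatch(r"switchport port-security violation (\w+)", cmd)
            if m:
                settings["violation"] = m.group(1)
        result[name] = settings
    return result


def unsecured_access_ports(config: str) -> List[str]:
    """Access ports where port security was never enabled."""
    return [n for n, s in audit_access_ports(config).items() if not s["port_security"]]


if __name__ == "__main__":
    for name, s in audit_access_ports(SAMPLE_SHOW_RUN).items():
        print(name, s)
    print("no port security:", unsecured_access_ports(SAMPLE_SHOW_RUN))
```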
