Setting up port security in Cisco switches
To see all the ports in a concise manner
Type
sh ip interface brief
In a Telnet or SSH session, to see the log messages the switch generates
Type
terminal monitor
Interface status "up" means something is physically connected
Line protocol "up" means the data link layer is up
After devices are connected to the switch
The switch will dynamically learn their MAC addresses and store them in the CAM table
To see them
sh mac-address-table
or
sh mac address-table (on newer devices)
To access a physical interface
Type
int fa 0/1
To set it as an access port (meaning an end device such as a PC will be connected to this interface)
switchport mode access
To enable port security on that interface
switchport port-security
To allow only one MAC address on that interface
switchport port-security maximum 1
To set the action the switch performs in case of a violation
To shut down the port in case of a violation
switchport port-security violation shutdown
To restrict other MAC addresses (frames from any extra MAC address get rejected)
switchport port-security violation restrict
(This mode drops frames from the extra MAC address and logs the incident)
or
switchport port-security violation protect
(This mode drops frames from the extra MAC address without logging anything)
To make the switch learn the MAC address automatically (sticky), so that we don't have to configure the MAC address by hand
switchport port-security mac-address sticky
Now see the whole configuration by typing
sh run
Or run show commands from whatever mode you are in by typing do first
For example
Type
do sh run
from global config mode and it will run
To see the port security features on any particular interface
Type
sh port-security int fa 0/1
In case of a violation the Security Violation Count on that interface will increase
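As an added example (not part of the original post), the following Python script reads the output of sh port-security int fa 0/1 and flags what an operator should act on: a non-zero Security Violation Count, a port that has gone into secure-shutdown, or a violation mode that logs nothing. The sample output is constructed for this example in the layout Cisco IOS uses, not captured from a real switch.

```python
import re

# Constructed sample in the layout of "sh port-security int fa 0/1" output
# (typed up for this example, not captured from a real switch).
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 3
"""

# Key is everything before the whitespace-separated colon; this keeps keys
# such as "Last Source Address:Vlan" and values such as "0011.2233.4455:1" intact.
FIELD_RE = re.compile(r"^(.+?)\s+:\s*(.*)$")

def parse_port_security(text):
    """Parse 'Key : Value' lines into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        fields[key] = int(value) if value.isdigit() else value
    return fields

def assess(fields):
    """Return the findings an operator would want to act on for this interface."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    violations = fields.get("Security Violation Count", 0)
    if violations > 0:
        findings.append(f"{violations} violation(s) recorded since the counter was last cleared")
    if str(fields.get("Port Status", "")).lower() == "secure-shutdown":
        findings.append("port is in secure-shutdown (err-disabled); find the extra device before re-enabling")
    if fields.get("Violation Mode") == "Protect":
        findings.append("violation mode 'protect' drops frames silently, so nothing is logged")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_port_security(SAMPLE_OUTPUT)):
        print("-", finding)
```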
To configure all the switchports at once
Type
int range fa 0/1-24
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
Now to see the port security that is configured on every port of your switch
Type
sh port-security
********************************************************************
most important tips
If you set
switchport port-security maximum 1
You won't see this line when you perform sh run, because 1 is the default
If you raise the maximum to 2, 3 or more, you will see it in the output of sh run
Run show commands from whatever mode you are in by typing do first
For example
Type
do sh run
***************************************************************************