Friday, March 9, 2012

Basic Cisco Switch Security

basic security measures

close unused ports with the shutdown command

prevent the port from trunking with the switchport mode access command

place the port in an unused VLAN (dummy VLAN)
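As an added example (not from the original post), the following Python script checks a switch's running-config against the measures just listed, plus the port-security requirement covered below: every port that is up should be forced to access mode and have port-security enabled, and every shut-down port should be parked in the dummy VLAN. The config excerpt, the interface names and the dummy VLAN number 999 are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed excerpt of "show running-config" from a Cisco IOS access switch.
# Interface names, VLAN numbers and the MAC address are made up for this example.
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address bbbb.bbbb.bbbb
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 999
 shutdown
!
"""

DUMMY_VLAN = 999  # assumed: the unused ("dummy") VLAN this switch parks idle ports in


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [indented config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return interfaces


def access_vlan(lines: List[str]) -> int:
    """Access VLAN of the port; IOS defaults to VLAN 1 when none is configured."""
    for line in lines:
        m = re.fullmatch(r"switchport access vlan (\d+)", line)
        if m:
            return int(m.group(1))
    return 1


def audit_port(lines: List[str]) -> List[str]:
    """Findings for one port against the three basic measures plus port-security."""
    findings: List[str] = []
    is_shut = "shutdown" in lines            # exact match; ignores "... violation shutdown"
    is_access = "switchport mode access" in lines
    has_portsec = "switchport port-security" in lines
    vlan = access_vlan(lines)
    if not is_access:
        findings.append("not forced to access mode (DTP can still negotiate a trunk)")
    if is_shut and vlan != DUMMY_VLAN:
        findings.append(f"unused port parked in VLAN {vlan}, not dummy VLAN {DUMMY_VLAN}")
    if not is_shut and not has_portsec:
        findings.append("port is up without port-security")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface stanza; an empty list means the port passed."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Run against a real config, Fa0/2 in the sample is the case to look for: it is up, was never forced to access mode and has no port-security, so it is both trunk-negotiable and open to any MAC address. A shut-down port left in VLAN 1 (Fa0/3) is flagged as well, since it will land in the default VLAN the moment someone issues no shutdown.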

to implement port security the port has to be an access port (switchport mode access)

switchport port-security maximum 1

switchport port-security violation 

there are 3 options: shutdown, restrict and protect
the default mode is shutdown: it shuts the port down, transmits a message to the log indicating the action taken and drops the violating frames. The interface status will be err-disabled (error-disabled); it must be manually reopened

restrict drops the violating frames and transmits a message to the log indicating the issue, but does not shut down the port.

protect simply drops the violating frames

to configure the port to shut down if a frame is received with any source MAC address other than bb-bb-bb-bb-bb-bb, we would use the following config

int fa 0/1
 switchport mode access
 ! enable port-security on the port (defaults: maximum 1, violation shutdown)
 switchport port-security
 ! bb-bb-bb-bb-bb-bb written in the dotted format IOS expects
 switchport port-security mac-address bbbb.bbbb.bbbb

or you can use the command switchport port-security mac-address sticky (the first MAC address which was
see the result in show port-security int fa 0/1

in case of violation the LED on the port will be dark

