Port security is easy to configure and lets you restrict access to a port on a per-MAC-address basis. Port security is configured locally on each switch; there is no mechanism for controlling it in a centralized fashion across distributed switches.

Port security is normally configured on ports that connect servers or fixed devices, because the likelihood of the MAC address changing on that port is low. A common example of basic port security is applying it to a port in an area of the physical premises that is publicly accessible, such as a meeting room or reception area available for public use. By restricting the port to accept only the MAC address of the authorized device, you prevent unauthorized access if somebody plugs another device into the port.
Configuring port security on Catalyst switches running CatOS:
To enable port security on CatOS, you use the "set port security" command. The first step you must take is to enable port security on a particular port. You then can allow one or more MAC addresses to use a secured port. You can manually specify these addresses, allow the switch to auto-learn the addresses, or use a mixture of both. Finally, you can specify a violation action (either shut down the entire port or block unauthorized traffic), which occurs when an unauthorized MAC address is detected on the port. The set port security command has the following syntax:
set port security mod/port [enable | disable] [mac_addr] [age age_time]
In the event of a security violation, the port can be configured to go into shutdown mode or restrictive mode. The port behavior depends on how the port is configured to respond to a security violation. If a security violation occurs, the link LED for that port turns orange.
These are the guidelines for port security configuration:
-> Port security cannot be configured on a trunk port.
-> Port security cannot be enabled on a Switched Port Analyzer (SPAN) destination port, nor can SPAN be enabled on a destination port that already has port security enabled.
-> Dynamic, static, or permanent Content-Addressable Memory (CAM) entries cannot be configured on a secure port.
-> Port security is not supported on the three-port Gigabit Ethernet module (WS-X5403).
-> When port security is enabled on a port, any static or dynamic CAM entries associated with the port are cleared. All currently configured permanent CAM entries are treated as secure.
Switch> (enable) set port security 3/1 enable
Port 3/1 port security enabled with the learned mac address.
Trunking disabled for Port 3/1 due to Security Mode
Switch> (enable) set port security 3/1 maximum 10
Maximum number of secure addresses set to 10 for port 3/1
Switch> (enable) set port security 3/1 00-d0-ba-11-21-31
Mac address 00-d0-ba-11-21-31 set for port 3/1
Switch> (enable) set port security 3/1 violation restrict
Port security violation on port 3/1 will cause insecure packets to be dropped
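The following is an added model of the behaviour described above (static plus auto-learned addresses up to a maximum, and the shutdown versus restrict violation actions); it is illustrative code written for this page, not Cisco's implementation, and the class and method names are assumptions.

```python
"""Model of CatOS-style port security on one port (illustration, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One secured port: static MACs, learned MACs, an address cap, a violation action."""
    name: str
    maximum: int = 1                      # total secure addresses (static + learned)
    violation: str = "shutdown"           # "shutdown" or "restrict", as in the CatOS syntax
    static: set = field(default_factory=set)
    learned: set = field(default_factory=set)
    shutdown: bool = False                # True once a shutdown violation has fired
    violations: int = 0

    def __post_init__(self):
        if self.violation not in ("shutdown", "restrict"):
            raise ValueError("violation must be 'shutdown' or 'restrict'")
        if len(self.static) > self.maximum:
            raise ValueError("more static addresses than the configured maximum")

    def secure_addrs(self):
        return self.static | self.learned

    def ingress(self, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'shutdown' for one frame's source MAC."""
        src_mac = src_mac.lower()
        if self.shutdown:
            return "shutdown"             # port stays down until an admin re-enables it
        if src_mac in self.secure_addrs():
            return "forward"
        if len(self.secure_addrs()) < self.maximum:
            self.learned.add(src_mac)     # auto-learn until the maximum is reached
            return "forward"
        self.violations += 1
        if self.violation == "shutdown":
            self.shutdown = True
            return "shutdown"             # whole port shut down on the first violation
        return "drop"                     # restrict: insecure packets dropped, port stays up


def run(port: SecurePort, macs):
    """Feed a constructed sequence of source MACs through the port and collect the verdicts."""
    return [port.ingress(m) for m in macs]
```

Feeding the restrict-mode port from the transcript above (maximum 10, static 00-d0-ba-11-21-31) with constructed source MACs shows that the eleventh distinct address is dropped while earlier ones keep forwarding, whereas a shutdown-mode port stops forwarding everything after its first violation.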