icnd1:switchport_security [2024/05/01 00:36] 114.119.130.33 old revision restored (2023/12/02 11:02)
icnd1:switchport_security [2024/05/21 02:45] (current) 114.119.145.194 old revision restored (2023/10/11 17:59)
Line 3: | Line 3: | ||
An attempt at securing the physical ports on cisco switches by denying access based on the MAC address of the connected device. Each port has it's own collection of acceptable MAC addresses with which to permit traffic that can be automatically or manually specified as well as the action taken upon violation of the switchport sec configuration. | An attempt at securing the physical ports on cisco switches by denying access based on the MAC address of the connected device. Each port has it's own collection of acceptable MAC addresses with which to permit traffic that can be automatically or manually specified as well as the action taken upon violation of the switchport sec configuration. | ||
- | ====Violation Actions:==== | + | Violation Actions: |
- | ---- | + | |
***Shutdown** (**DEFAULT**) | ***Shutdown** (**DEFAULT**) | ||
* Port shuts down immediately. When in error-disabled-state you can ressurect the port with errdisable recovery cause psecure-violation (global config) OR manually toggle up status on the interface with shutdown, no shutdown (int config). | * Port shuts down immediately. When in error-disabled-state you can ressurect the port with errdisable recovery cause psecure-violation (global config) OR manually toggle up status on the interface with shutdown, no shutdown (int config). | ||
***Restrict** | ***Restrict** | ||
* Causes SecurityViolation counter to increment, and generates an SNMP notification. Rate of SNMP traps are created can be altered by snmp-server enable traps port-security trap-rate command. Default val is 0, causing SNMP trap to generate on every violation. | * Causes SecurityViolation counter to increment, and generates an SNMP notification. Rate of SNMP traps are created can be altered by snmp-server enable traps port-security trap-rate command. Default val is 0, causing SNMP trap to generate on every violation. | ||
- | ***Protect** | + | |
- | * No SNMP, No counter increase. Simply block violating traffic as it occurs. | + | |
===== Configuration ===== | ===== Configuration ===== | ||
---- | ---- | ||
- | Switchport security | + | Switchport security |
- | *Int FA01 | ||
- | *swport mode access | ||
- | *enable port sec | ||
- | *port sec max address to store is 1 | ||
- | *mac-addres stick, auto learn the next mac address on this port. | ||
- | *violation mode set to shutdown. | ||
- | *Show command to verify configuration on fa0/1. | ||
< | < | ||
Switch(config)# | Switch(config)# | ||
- | Switch(config-if)# | ||
- | Switch(config-if)# | ||
- | Switch(config-if)# | ||
- | Switch(config-if)# | ||
- | Switch(config-if)# | ||
- | Switch(config-if)# | ||
</ | </ | ||
- | |||
- | ==== Notes ==== | ||
- | * With **'' |
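Review bot: the right-hand (current) revision, produced by restoring the 2023/10/11 revision, silently drops content that the left-hand revision carried: the `***Protect**` violation action and its description (`* No SNMP, No counter increase. Simply block violating traffic as it occurs.`), the seven-item switchport-security checklist (`*Int FA01` through `*Show command to verify configuration on fa0/1.`), the six `Switch(config-if)#` lines of the configuration block, and the whole `==== Notes ====` section; it also demotes `====Violation Actions:====` from a heading to plain text. This reads as an unintended rollback rather than an edit, and the loss matters for the security content: Protect is the only one of the three actions that raises no SNMP trap and no SecurityViolation counter, so a reader of the current page is no longer told that choosing it removes all visibility of violations. Suggest re-applying the left-hand content so shutdown, restrict and protect are documented side by side with the configuration steps. Separately, in both columns the command text after each `Switch(config)#` / `Switch(config-if)#` prompt is empty, so the configuration block cannot be followed as shown; it should carry the commands the checklist describes. Both columns also share the same typos in the opening paragraph ("it's own" for "its own", "ressurect" for "resurrect").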