Once the mac limit has exceeded the maximum configured value on a port, all traffic from. Enable portsecurity on sw1s fa01 interface and configure the interface to sticky the mac address learned. To configure the port to learn only 1 mac address, we need to set maximum to 1. Port security is a topic on the ccent exam and its important to know what it is and how to configure it.
The default configuration of a cisco switch has port security disabled. Basic switch configuration and port security danscourses. Aruba 2930f 2930m management and configuration guide for arubaos. Configure terminal emula tion software to connect to the switch. Thats all initial configuration we need to understand the switch port security. The switchport portsecurity maximum and switchport portsecurity violation commands can be used to change the default behavior.
The port has the maximum number of mac addresses that is supported by a layer 2 switch port which is configured for port security. In the apic, the user can configure the port security on switch ports. Switch a port security configured switch b mac address authorized by switch a pc 1 mac address authorized. Today i will discuss about cisco switch port security issue. A best approach to securing a switchis to apply port security. Lets now see the basic portsecurity configuration on cisco switches. Aruba 2930f 2930m management and configuration guide for.
Sw1 con0 is now available press return to get started. This tutorial explains switchport security modes protect, restrict and shutdown, sticky address, mac address, maximum number of hosts and switchport security violation rules in detail with examples. Next, we will enable dynamic port security on a switch. From global configuration mode enter in specific interface. The following example shows the configuration of port security on a cisco switch. The mac address of a host generally does not change. Try to test your switch port security configuration with ping command and testing with the rogue laptop on the lab. Port security guidelines and restrictions when configuring port security, follow these guidelines. This feature enables you to configure each switch port with a unique list of the mac addresses of devices that are authorized to access. Switchport security is not supported along with etherchannel fast or gigabit. Switchport security concepts and configuration cisco press. You can use port security to block input to an ethernet, fast ethernet, or gigabit ethernet port when the mac address of the station attempting to access the port is different from any of the mac addresses that are specified for that port. Create a basic switch configuration, including a name and an ip address configure passwords to ensure that access to the cli is secured configure switch port speed and duplex properties for an interface configure basic switch port security manage the mac address table assign static mac addresses. Packets that have a matching mac address secure packets are.
This is a way to limit which device can connectto a switch on a given port. To enable port security on a specific port you use the switchport portsecurity command in interface configuration mode as shown below sw1 con0 is now available press return to get started. Following these steps to enable and configure port security. In this activity, you will configure and verify port security on a switch. What is port security and how does it work with my managed.
With the default port security configuration, to brin g all secure ports out of the errordisabled state. A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and to perform information gathering or attacks. Port security can be used to limit access on an ethernet port based on the mac address of the device to which it is connected. Enabling port security on a switch port is done with a simple command. Using port security, you can configure each switch port with a unique list of the mac addresses of devices that are authorized to access the network through that. Switchport security can only be configured on statically configured access or trunk ports access or trunk. A secure port cannot be a destination port for switch port analyzer span. Learn how to secure a switch port with switchport security feature step by step. Enabling port security is extremely easy at is core. The svi for vlan 99 will not appear as upup until vlan 99 is created and there is a device connected to a switch port associated with vlan 99. Reconnect the power cord to the switch and, within 15 seconds, press and hold down the mode button while the system led is still flashing green. Consider what happens if we connect a different host to the same port.
Default port security configuration table 621 shows the default port security configuration for an interface. By default, the maximum number of allowed mac addresses is one. Default port security configuration table 261 shows the default port security configuration for an interface. Cisco switch port security configuration and best practices. Configuring and monitoring port security ftp directory listing. Future updates can be userscheduled, ensuring the network is kept uptodate with bug fixes, security updates, and new features. When using port level security, the mac addresses andor number of mac addresses of the connected devices is controlled. Switch port configuration speed and duplex some switch interfaces are fixed at a single speed. Mar 15, 2018 in this activity, you will configure and verify port security on a switch.
How to configure switch port security on cisco switches. To enable port security on a specific port you use the switchport portsecurity command in interface configuration mode as shown below. The best advise is to follow this video through, then some other settings to see how it reacts. Configuring dynamic switchport security free ccna workbook. Understanding how port security works port security configuration guidelines configuring port security on the switch monitoring port security understanding how port security works. Do not configure span destination on a secure port. Entering the switchport portsecurity command sets the maximum mac addresses to 1 and the violation action to shutdown. To enable portsecurity youll execute the switchport portsecurity command as. Aruba 2930f 2930m management and configuration guide.
Basic switch security concepts and configuration basic. Follow these guidelines when configuring port security. Layer 2 interfaces on a cisco switch are referred to as ports. Aruba 3810 5400r management and configuration guide for. Switch and vlan security switch port security port security adds an additional layer of security to the switching network. Port security adds an additional layer of security to the switching network. Another approach is to automatically,or allow the switch, to automatically learnthe mac address. Switch security overview in the video tutorials below, i show how to use packet tracer to build a small lan with a cisco 2960 switch, three pc clients, and two pc servers, one of the servers is placed on a separate vlan for management purposes. Configuring port security port security configuration learn address mode select the learn mode of the mac addresses on the port. How to configure port security on a cisco switch youtube. It then sets the maximum number of macs for the port to 1 and shuts down the port if there is a violation.
May 06, 2007 port security configuration guidelines. Configuring sticky switchport security free ccna workbook. If you do not configure the following command, sw1 only logs the violation in the port. Click switch and click cli and press enter key port can be secure from interface mode.
Figure 41port security follow these steps to configure port security. Verify port security is enabled and the mac addresses of pc1 and pc2 were added to the running configuration with show run command. Port security configurations 41 managing physical interface 4 port security configurations 4. Next, by using the show port security interface fa01 we can see that the switch has learned the mac address of host a. Port security is easy to configured and it allows you to secure access to a port based upon a mac address basis. Enabling port security on an access port to enable port security on an access port, perform this task. Next, by using the show portsecurity interface fa01 we can see that the switch has learned the mac address of host a. Switchport portsecurity securite sur les ports cisco en. Ports configured for either active or passive lacp, and which are not members of a trunk, can be configured for port security. Configuring port security on the switch monitoring port security. Although only a single interface is used for illustration in this article, port security, if configured, is typically configured on all userfacing interfaces.
Port security allows you to restrict a ports ingress traffic by limiting the mac addresses that are allowed to send traffic into the port. Pdf packet tracer configuring switch port security. The configuration shown in table 5 will enable the use of the switchport security feature on ports f01 and f02, statically configure the 0000. There are three different ways that mac addresses can be configured onto a port. To practice and learn to configure port security on cisco switch, just download the port security packet tracer lab or create your own lab and follow the switch port security configuration guideline. The port security feature offers the following benefits. I have some questions regarding to port security on my 2690 catalyst. First, we need to enable port security and define which mac addresses are allowed to send frames. Using the show port security interface fa01 command on sw1, we can see that the switch has learned the mac address of host a. The following commands will work on most cisco switch models such as 4500, 3850, 3650, 2960, 3560 etc.
Often though, a single switch interface can support multiple speeds. A secure port cannot belong to an etherchannel portchannel interface. The configuration output used in this lab is produced from a 2950 series switch. When connected, new ms125 switches automatically reach out to the meraki cloud and download the most current configuration. It provides guidelines, procedures, and configuration examples. With the default port security configuration, to brin g. Basic switching concepts and configuration 25 address 172. Feb 24, 2016 port security is a topic on the ccent exam and its important to know what it is and how to configure it. Backgroundpreparation cable a network similar to the one in the diagram. To configure port security we need to access the command prompt of switch.
Connect a pc by console cable to the switch console port. The mac address learned on the port can be added to stuck to the running configuration for that port. Enable portsecurity on sw1 interface fa01 and allow a maximum of 3 mac addresses. To enable portsecurity youll execute the switchport portsecurity command as previously learned in lab 419. Do not configure port security on a span destination port. It also can be used to limit the total number of devices plugged into a switch port, thereby protecting the switch from a mac flooding attack as well as reducing the risks of rogue wireless access points or hubs. The mac address learned on the port can also be added to the running configuration of.
Do not configure dynamic, static, or permanent cam entries on a secure port. Port security does not support switch port analyzer span destination ports. We can view the default port security configuration with show port security. Mar 29, 2020 this article describes how to configure switch port security on cisco switches. Cisco switch port security commands the tech factors. From privilege exec mode use configure terminal command to enter in global configuration mode. The simplest form of switch security is using port level security. Port security can also configured locally and has no mechanism for controlling port security in a centralized fashion for distributed switches. Configure port security on individual fastethernet ports. Packet tracer configuring switch port security instructor version objective part 1. One approach is to manually configure the mac addressfor the directly connected device. If a specific host will always remain connected to a specific switch port, then the switch can filter all other mac addresses on that port using port security.
If you enable switch port security, the default behavior is to allow only 1 mac address, shutdown the port in case of security violation and sticky address learning is disabled. By default, if a security violation occurs, the switch will shut down the offending. If you think that this is to much configuration, search the web for information about the switchport host command associating the port with a vlan in order to tell the switch what vlan an access port should be associated with, use the following command in this case to associate it with vlan 10. The switch will delete the mac addresses that are not used or updated within the aging time. The main reason for using hyperterminal is that it is free and comes with microsoft windows. Switchport security is not supported on switch port analyzer span destination ports. This section lists the guidelines for configuring port security. The continue reading basic switch configuration and port security. Using the show portsecurity interface fa01 command on sw1, we can see that the switch has learned the mac address of host a. Cisco switch port security configuration gpon solution. When a link goes down, all dynamically locked addresses are freed. We can view the default port security configuration with show portsecurity.
Jan 29, 2017 the port has the maximum number of mac addresses that is supported by a layer 2 switch port which is configured for port security. Port security helps secure the network by preventing unknown devices from forwarding packets. You can use port security to block input to an ethernet, fast ethernet, or gigabit ethernet port when the mac address of the station. You can limit the number of mac addresses on a given port. Catalyst 6500 series switch cisco ios software configuration guiderelease 12. Attach rogue laptop to any unused switch port and notice that the link lights are. When a mac address, or a group of mac addresses are configured to enable switch port security, the switch will forward packets only to the devices using those mac addresses. Port security guidelines and restrictions follow these guidelines when configuring port security. A secure port and static mac address configuration are mutually exclusive.
Its called port security and you can use it to limit the number of mac addresses per interface or even to specify which mac address can connect to each physical port of the switch. Port security allows you to restrict a port s ingress traffic by limiting the mac addresses that are allowed to send traffic into the port. Access the command line for s1 and enable port security on fast ethernet ports 01 and 02. The settings for hyperterminal need to match the console port settings on the switch. How to configure the port to automatically shut down if port security is violated. Switchport security configuration example to wrap the configuration commands into a single example to ensure clarity, this section will show a basic switchport security example. Cisco ccna port security and configuration switch port security limits the number of valid mac addresses allowed on a port. For example, a gigabit ethernet interface is often backwardscompatible with original and fast ethernet, and is referred to as a 10100 interface. To return the interface to the default number of secure mac addresses, use the no switchport.
1322 567 673 328 1268 1472 1403 1119 303 1450 52 486 593 541 1341 982 377 106 806 257 1014 1299 661 538 210 121 1322 1117 1503 1336 331 38 376 454 695 407 26 248 978 783 748 1286 529 107 1219 1207