Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • Catalyst Switch Port Security Basics: Sticky Learning

    Încărcat de

    Utkarsh Hsraktu
    330 vizualizări1 pagină
    fdfds

    Titlu original

    dgfgdf

    Drepturi de autor

    © © All Rights Reserved

    Formate disponibile

    PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document
    fdfds

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    330 vizualizări1 pagină

    Catalyst Switch Port Security Basics: Sticky Learning

    Încărcat de

    Utkarsh Hsraktu
    fdfds

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 1

    Blog Home | INE Home | Members | Contact Us | Subscribe

    Free Resources

    View Archives

    All Access Pass

    Switch Port Security Basics


    01 Catalyst
    Posted by INE Instructor in CCENT,CCIE R&S,CCIE Security,CCNA,Layer 2 Technologies,Network

    CCIE Bloggers

    Search

    Dec

    2 Comments

    Security,Security,Switches,Switching,VLANs

    Search
    Submit

    Catalyst switch port security is so often recommended. This is because of a couple of important points:

    Categories

    There are many attacks that are simple to carry out at Layer 2

    Select Category

    There tends to be a gross lack of security at Layer 2


    Port Security can guard against so many different types of attacks such as MAC flooding, MAC spoofing,
    and rouge DHCP and APs, just to name a few
    I find when it comes to port security, however, many students cannot seem to remember two main points:
    1. What in the world is Sticky Learning and how does it work?
    2. What is the difference between the different violation modes and how can I remember them?

    Sticky Learning
    Sticky learning is a convenient way to set static MAC address mappings for MAC addresses that you allow on your
    network. What you do is confirm that the correct devices are connected. You then turn on sticky learning and the
    port security feature itself, for example:

    CCIE Bloggers
    Brian Dennis, CCIEx5 #2210
    Routing & Sw itching
    Voice
    Security
    Service Provider
    ISP Dial
    Brian McGahan, CCIEx4 #8593,
    CCDE #2013::13
    Design
    Data Center
    Routing & Sw itching
    Security
    Service Provider
    Mark Snow , CCIEx4 #14073

    switchport port-security maximum 2

    Data Center
    Collaboration
    Security
    Voice

    switchport port-security mac-address sticky


    switchport port-security

    Now what happens is the 2 MAC addresses for the two devices you trust (perhaps an IP Phone and a PC) are
    dynamically learned by the switch. The switch now automatically writes static port security entries in the running
    configuration for those two devices. All you have to do is save the running configuration, and poof, you are now
    configured with the powerful static MAC port security feature.
    Please note that it is easy to forget to actually turn on port security after setting the parameters. This is what the
    third line is doing in the configuration above. Always use your show port-security commands to confirm you
    remembered this important step of the process!

    Petr Lapukhov, CCIEx4 #16379,


    CCDE #2010::7
    Design
    Routing & Sw itching
    Security
    Service Provider
    Voice

    Popular Posts
    No posts to display

    Violation Modes
    The violation modes are Shutdown, Protect, and Restrict. Shutdown is the default and the most severe. If there is
    a violation, the port is error-disabled and notifications are sent (SNMP traps can be used and violation counters
    are incremented, etc.). With Restrict mode, the bad MAC cannot communicate on the port, but the port does not
    error-disable. There are notifications sent. With the Protect mode, the bad MAC cannot communicate and there is
    no eror-disabling, but the problem is, there are no notfications sent. Cisco does not recommend this mode as a
    result.
    How can you remember these easily? Just think of the alphabet. P the R then S gives you the levels of severity.
    Where do you find these features documented should you still forget?
    Cisco.com Support Configure Products Switches LAN Switches Access 3560 Series Configuration Guides Software Configuration Guides Latest Release Configuring Port-Based Traffic Control
    Download this page as a PDF
    About INE Instructor:
    Find all posts by INE Instructor | Visit Website

    You can leave a response, or trackback from your own site.

    2 Responses to Catalyst Switch Port Security Basics


    December 2, 2010 at 4:15 am

    Jochen Bartl
    Ive recently discovered that the shutdown mode also has the optional keyword vlan. Which shuts down either the voice vlan or the
    access vlan, depending on which one the violation has occured.
    (config-if)#switchport port-security violation shutdown vlan
    This allows you to give the users at least a chance to call the helpdesk if the violation has occurred on the access vlan, because it
    doesnt shutdown the whole port
    Best Regards,
    Jochen

    Reply
    December 18, 2010 at 6:38 am

    Amit jayaprakash
    Hi,
    i love reading your postsits Awesome.
    simple and to the point:-)

    Reply

    Leave a Reply
    Name (required)

    Mail (will not be published) (required)

    Submit Comment

    twitter.com/ine

    2011 INE, Inc., All Rights Reserved

    pdfcrowd.com

    S-ar putea să vă placă și