Tags: Security, Switches, Switching, VLANs
Catalyst switch port security is recommended so often for a couple of important reasons:
There are many attacks that are simple to carry out at Layer 2.
Sticky Learning
Sticky learning is a convenient way to set static MAC address mappings for MAC addresses that you allow on your
network. What you do is confirm that the correct devices are connected. You then turn on sticky learning and the
port security feature itself, for example:
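The configuration that belonged here did not survive extraction, so the following is an added example and not the original post's own configuration. It shows the sequence just described on a Catalyst access port carrying an IP phone with a PC behind it; the interface name, the VLAN numbers and the two-address maximum are assumptions chosen to fit that scenario.

```cisco
! Added example. Interface, VLANs and the maximum of 2 are assumptions.
interface FastEthernet0/1
 description Desk port: IP phone with a PC daisy-chained behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Allow exactly the two devices known to be connected (default max is 1).
 switchport port-security maximum 2
 ! Learn whatever MACs show up and write them into the running-config
 ! as "switchport port-security mac-address sticky <mac>" entries.
 switchport port-security mac-address sticky
 ! Nothing above is enforced until the feature itself is switched on.
 switchport port-security
!
! Verification from exec mode (commands are standard IOS; output omitted):
! Switch# show port-security interface FastEthernet0/1
! Switch# show port-security address
! Switch# show running-config interface FastEthernet0/1
!
! Save the learned sticky entries so they survive a reload:
! Switch# copy running-config startup-config
```

The check to make after the phone and PC have sent a frame is that `show port-security interface` reports the feature as Enabled with two learned addresses, and that the running configuration now contains the two sticky `mac-address` lines; until the final `switchport port-security` command is present, the maximum and sticky settings are stored but not enforced.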
Now what happens is that the two MAC addresses of the two devices you trust (perhaps an IP phone and a PC) are
dynamically learned by the switch. The switch then automatically writes static port security entries into the running
configuration for those two devices. All you have to do is save the running configuration, and poof, you are now
configured with the powerful static MAC port security feature.
Please note that it is easy to forget to actually turn on port security after setting its parameters. That is what the
third line is doing in the configuration above. Always use the show port-security commands to confirm that you
remembered this important step of the process!
Violation Modes
The violation modes are Shutdown, Protect, and Restrict. Shutdown is the default and the most severe: on a
violation, the port is error-disabled and notifications are sent (an SNMP trap can be generated, the violation counter
is incremented, and so on). With Restrict mode, the offending MAC cannot communicate on the port, but the port does
not error-disable; notifications are still sent. With Protect mode, the offending MAC cannot communicate and there is
no error-disabling, but the problem is that no notifications are sent. Cisco does not recommend this mode as a
result.
How can you remember these easily? Just think of the alphabet: P, then R, then S gives you the levels of severity, from least to most severe.
Where do you find these features documented, should you still forget?
Cisco.com > Support > Configure > Products > Switches > LAN Switches - Access > 3560 Series > Configuration Guides > Software Configuration Guides > Latest Release > Configuring Port-Based Traffic Control
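As an added example (not configuration from the original post), here are the three violation modes side by side on three assumed interfaces, together with the global settings a practitioner usually pairs with the Shutdown default: sending the port-security SNMP trap somewhere that is watched, and letting an error-disabled port recover on its own. The interface names, the SNMP host address and the community string are assumptions.

```cisco
! Added example. Interface names, SNMP host and community are assumptions.
!
! Protect: frames from unknown MACs are dropped, the port stays up,
! and nothing is logged. Hard to detect, which is why Cisco advises against it.
interface FastEthernet0/2
 switchport mode access
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation protect
 switchport port-security
!
! Restrict: same dropping and the port stays up, but a syslog message and
! SNMP trap are generated and the violation counter increments.
interface FastEthernet0/3
 switchport mode access
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 switchport port-security
!
! Shutdown: the default, so the "violation shutdown" line is optional.
! The port goes err-disabled and a notification is sent.
interface FastEthernet0/4
 switchport mode access
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 switchport port-security
!
! Global: make sure Restrict/Shutdown notifications actually reach a collector.
snmp-server enable traps port-security
snmp-server host 192.0.2.10 version 2c MONITOR-RO
!
! Global: bring a port err-disabled by port security back after 300 seconds,
! so a Shutdown-mode violation does not need a manual visit. Leave these two
! lines out if you want every such event to be cleared by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Manual recovery of an err-disabled port, from interface configuration mode:
! Switch(config-if)# shutdown
! Switch(config-if)# no shutdown
!
! Checks: show port-security
!         show port-security interface FastEthernet0/4
!         show errdisable recovery
```

`show port-security` lists every secured port with its configured and learned address counts, its violation mode and its violation counter in one table, which is the quickest way to spot a port that was set up with Protect mode by mistake.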
About the author: INE Instructor
Jochen Bartl
I've recently discovered that the shutdown mode also has the optional keyword vlan, which shuts down either the voice VLAN or the
access VLAN, depending on which one the violation has occurred on.
(config-if)#switchport port-security violation shutdown vlan
This allows you to give the users at least a chance to call the helpdesk if the violation has occurred on the access VLAN, because it
doesn't shut down the whole port.
Best Regards,
Jochen
December 18, 2010 at 6:38 am
Amit jayaprakash
Hi,
I love reading your posts, it's awesome.
Simple and to the point :-)