Setting up Port Security
- Port security is a way to lock down what devices can plug into your switch, or how many devices can plug in.
- This prevents users from putting switches on their own lines.
- You can bind a switchport to a specific MAC address; if a different device is plugged in, the switch shuts that port down.
While it is generally not recommended to lock down ALL ports (since this can cause a lot of headaches), it is strongly recommended for “Public Ports”, such as publicly accessible wall jacks, because these do allow access into your network!
Sw1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 unassigned YES manual up up
FastEthernet0/2 unassigned YES manual down down
FastEthernet0/3 unassigned YES manual down down
FastEthernet0/4 unassigned YES manual down down
FastEthernet0/5 unassigned YES manual down down
FastEthernet0/6 unassigned YES manual down down
FastEthernet0/7 unassigned YES manual down down
FastEthernet0/8 unassigned YES manual down down
FastEthernet0/9 unassigned YES manual down down
FastEthernet0/10 unassigned YES manual down down
FastEthernet0/11 unassigned YES manual down down
FastEthernet0/12 unassigned YES manual down down
FastEthernet0/13 unassigned YES manual down down
FastEthernet0/14 unassigned YES manual down down
FastEthernet0/15 unassigned YES manual down down
FastEthernet0/16 unassigned YES manual down down
FastEthernet0/17 unassigned YES manual down down
FastEthernet0/18 unassigned YES manual down down
FastEthernet0/19 unassigned YES manual down down
FastEthernet0/20 unassigned YES manual down down
FastEthernet0/21 unassigned YES manual down down
FastEthernet0/22 unassigned YES manual down down
FastEthernet0/23 unassigned YES manual down down
FastEthernet0/24 unassigned YES manual down down
Vlan1 172.2.30.180 YES manual up up
Terminal Monitor
Allows you to see all messages that come from the switch from a Telnet/SSH session.
** Can see if a new device is connected in real time.
Sw1#terminal monitor
Statically Set a MAC Address on a Switchport
Configure Interface Mode for a Specific Switchport
Sw1(config)#interface fastethernet 0/1
Sw1(config-if)#_
Configure Interface Mode for a RANGE of Switchports
Sw1(config)#interface range fastethernet 0/1 - 24
Sw1(config-if-range)#_
Set the Port as an Access Port and not a Trunk (Required before you can enable port security!!)
Sw1(config-if)#switchport mode access
Enable Port Security
Sw1(config-if)#switchport port-security
Set Maximum allowed MAC addresses to 1 (Default)
Sw1(config-if)#switchport port-security maximum 1
Violation Handling
- Protect – Silently drops frames from any MAC address beyond the allowed ones (no log, no counter)
- Restrict – (Recommended) Drops frames from any extra MAC address AND logs the violation
- Shutdown – Shuts the port down if a violation is detected. Requires a manual “no shutdown” to bring it back up
Sw1(config-if)#switchport port-security violation shutdown
Define which MAC address is allowed
- H.H.H – A 48-bit MAC address typed in manually (dotted-hex, e.g. aaaa.bbbb.cccc)
- sticky – Automatically learns the MAC address(es) of whatever is currently plugged into the port and hardcodes them into the running config
Sw1(config-if)#switchport port-security mac-address sticky
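The steps above (access mode, enable port security, maximum, violation mode, allowed MAC) can be audited in bulk once they are in the running config. The script below is an added example, not from the original notes: it parses a constructed sample running-config and reports, for every physical switchport, whether port security is enabled, missing, or not applicable because the port is a trunk (port security requires access mode, as the notes say). Interface names and the sample config are assumptions made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from the page): three access-layer ports.
# Fa0/1 follows the procedure in the notes, Fa0/2 is an access port that was
# forgotten, Fa0/3 is a trunk and therefore out of scope for port security.
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode trunk
!
interface Vlan1
 ip address 172.2.30.180 255.255.255.0
!
"""


def parse_interfaces(config_text: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its indented sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the interface block
    return blocks


def audit_port_security(config_text: str) -> Dict[str, str]:
    """Return one finding per physical switchport:
    'ok'            - access port with port security enabled
    'missing'       - access port WITHOUT port security (the case to fix)
    'skipped-trunk' - trunk port; port security needs access mode first
    'not-access'    - no explicit access mode, so port security cannot be enabled yet
    SVIs such as Vlan1 are ignored.
    """
    findings: Dict[str, str] = {}
    for name, lines in parse_interfaces(config_text).items():
        if not re.match(r"(?:Fast|Gigabit|TenGigabit)?Ethernet", name):
            continue
        if "switchport mode trunk" in lines:
            findings[name] = "skipped-trunk"
        elif "switchport mode access" not in lines:
            findings[name] = "not-access"
        elif "switchport port-security" in lines:  # exact line, not a prefix match
            findings[name] = "ok"
        else:
            findings[name] = "missing"
    return findings


if __name__ == "__main__":
    for port, finding in audit_port_security(SAMPLE_RUNNING_CONFIG).items():
        print(f"{port:<18} {finding}")
```

Feed it the text of `show running-config` and look for `missing` on any publicly accessible jack; those are the ports the notes single out as the ones that must be locked down.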
Check Your Results
Sw1(config-if)#Ctrl+Z
Sw1#show port-security interface fastethernet 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
How to know if there is a security violation
Sw1#show port-security interface fastethernet 0/1
Port Security : Enabled
Port Status : Secure shutdown
Violation Mode : Shutdown
...
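Reading `show port-security interface` by eye works for one port; for a whole switch it is easier to parse. The script below is an added example, not from the original notes: it turns the `Key : Value` output shown above into a dict and flags a port as violated when its status is Secure-shutdown or its violation count is non-zero, also extracting the last offending MAC and VLAN. The healthy sample is the page's own output; the violated sample and its MAC address are constructed.

```python
from typing import Dict, Optional

# Healthy output, taken from the "Check Your Results" example in the notes.
HEALTHY_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
"""

# Constructed output for a port that was shut down after a violation (values made up).
VIOLATED_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0011.2233.4455:1
Security Violation Count : 1
"""


def parse_port_security(output: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict, keeping the CLI's own key wording.
    Splitting on ' : ' (with spaces) keeps 'Last Source Address:Vlan' intact."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        fields[key.strip()] = value.strip()
    return fields


def check_violation(output: str) -> Dict[str, object]:
    """Summarise one interface's port-security state for an operator."""
    f = parse_port_security(output)
    count = int(f.get("Security Violation Count", "0"))
    # Normalise "Secure-shutdown" / "Secure shutdown" spellings seen in the wild.
    status = f.get("Port Status", "").lower().replace(" ", "-")
    err_disabled = status == "secure-shutdown"
    last_mac, _, last_vlan = f.get("Last Source Address:Vlan", "").partition(":")
    offending: Optional[str] = None
    if count or last_mac not in ("", "0000.0000.0000"):
        offending = last_mac
    return {
        "enabled": f.get("Port Security") == "Enabled",
        "err_disabled": err_disabled,
        "violations": count,
        "last_offending_mac": offending,
        "last_vlan": last_vlan if offending else None,
        # Per the notes, shutdown mode needs a manual "no shutdown" to recover.
        "needs_manual_recovery": err_disabled,
    }


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_OUTPUT), ("violated", VIOLATED_OUTPUT)):
        print(label, check_violation(text))
```

Run it over the output for each secured port (for example by looping over interfaces from a Telnet/SSH session) and alert on `err_disabled` or a non-zero `violations` count; the `last_offending_mac` is what you would look up to find the device that was plugged in.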