How to Configure Port Security on a Cisco Switch

CertBros
24 Feb 2016 · 04:11

Summary

TLDR: This video covers how to configure port security on Cisco switch ports, focusing on which MAC addresses a port will accept and what the switch does when a violation occurs. Viewers will learn the options for controlling MAC addresses per port, including setting a maximum number of secure addresses and using sticky learning. The video also explains how to assign static MAC addresses and covers the three violation actions: 'protect', 'restrict', and 'shutdown'. With practical demonstrations, the tutorial shows how to apply these settings, trigger and observe a violation, and verify the configuration with 'show' commands so that port security can be troubleshot and managed effectively.

Takeaways

  • 😀 Port security controls which devices may send traffic through a switch port by restricting the source MAC addresses the port accepts.
  • 😀 You can set the maximum number of secure MAC addresses allowed on a port (the default is one), so any additional, unexpected device on that port is treated as a violation.
  • 😀 There are two ways to define the secure MAC addresses: static assignment and sticky MAC address learning.
  • 😀 Static assignment requires manually entering each MAC address that is allowed on the port.
  • 😀 Sticky learning lets the switch learn the MAC addresses of the devices currently connected and records them in the running configuration; save the configuration to keep them across a reload.
  • 😀 A port security violation can trigger one of three actions: protect, restrict, or shutdown.
  • 😀 The 'protect' action silently drops frames from unknown source MAC addresses once the limit is reached; nothing is logged and no counter is incremented, so the admin is not notified.
  • 😀 The 'restrict' action drops the same frames but also increments the violation counter and generates a syslog/SNMP notification.
  • 😀 The 'shutdown' action (the default) places the port in the err-disabled state, which blocks all traffic on the port until it is recovered.
  • 😀 To configure port security, use 'switchport mode access' (port security is not supported on dynamic DTP ports), then 'switchport port-security', 'switchport port-security maximum', 'switchport port-security mac-address', and 'switchport port-security violation'.
  • 😀 You can check port security status and violations with 'show port-security', 'show port-security interface <interface>', and 'show port-security address'.
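The complete sequence the takeaways describe, as an added example written for this page rather than the video's own configuration: the interface, VLAN and MAC addresses are assumed, and the 'show' output is an abbreviated typical form, not captured from the video.

```cisco
! Added example, not from the video. Interface, VLAN and MAC addresses are assumed.
! Port security is only supported on static access (or trunk) ports, so the port
! is first taken out of DTP negotiation; enabling it on a dynamic port is rejected.
Switch# configure terminal
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
! Allow at most two secure addresses on this port (the default is 1).
Switch(config-if)# switchport port-security maximum 2
! One address is pinned statically (assumed value); the other is learned
! dynamically and written into the running-config as a sticky entry.
Switch(config-if)# switchport port-security mac-address 0011.2233.4455
Switch(config-if)# switchport port-security mac-address sticky
! "restrict" drops offending frames, increments the violation counter and sends
! a syslog/SNMP notification; the default "shutdown" would err-disable the port.
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# end
! Sticky addresses exist only in the running-config until the config is saved.
Switch# write memory

! Verification after the second (assumed) device has sent traffic.
! Output abbreviated; exact columns vary by platform and IOS version.
Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              2            2                  0         Restrict

Switch# show port-security interface GigabitEthernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.6677:10
Security Violation Count   : 0

Switch# show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0011.2233.4455    SecureConfigured              Gi0/1        -
  10    0011.2233.6677    SecureSticky                  Gi0/1        -
```

A non-zero 'Security Violation Count' with 'Port Status : Secure-up' is the signature of 'restrict' doing its job: the port is still forwarding for the two secure addresses while frames from any third address are being counted and dropped.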

Q & A

  • What are the two primary options for Port Security in a network switch?

    -The two primary options are 'maximum', which sets how many secure MAC addresses the port may hold, and 'mac-address', which specifies the addresses themselves, either entered statically or learned with the 'sticky' keyword.

  • What is the difference between static MAC address assignment and sticky MAC address learning?

    -Static assignment means manually entering the specific MAC address of each allowed device. Sticky learning lets the switch learn the MAC addresses of the devices currently connected to the port and record them in the running configuration as if they had been typed in, so they survive a link flap and, once the configuration is saved, a reload.

  • What does the 'maximum' option do in Port Security?

    -The 'maximum' option defines how many secure MAC addresses (static plus learned) a specific port may hold. The default is one; once the limit is reached, a frame from any other source MAC address is a violation.

  • How does the switch react when a MAC address violation occurs?

    -The switch applies whichever violation action is configured: 'protect' (drops the offending frames but does not notify), 'restrict' (drops the frames, increments the violation counter and sends a notification), or 'shutdown' (the default, which err-disables the port altogether).

  • What does the 'protect' violation mode do in Port Security?

    -In 'protect' mode the switch drops frames whose source MAC address is not one of the port's secure addresses, while traffic from the allowed addresses continues to be forwarded. No syslog message or SNMP trap is sent and the violation counter is not incremented, so the violation is invisible unless someone notices the dropped traffic.

  • What is the 'restrict' violation mode in Port Security?

    -The 'restrict' mode drops the offending frames just as 'protect' does, but additionally sends a syslog message and SNMP trap and increments the port's violation counter each time a violation occurs, which is what makes the event visible in 'show port-security'.

  • What happens when the switch is set to 'shutdown' mode for violations?

    -In 'shutdown' mode the port is placed in the err-disabled state, which stops all traffic on the port, including traffic from the legitimate device. The port stays down until an administrator re-enables it ('shutdown' followed by 'no shutdown' on the interface) or until automatic err-disable recovery, if configured, brings it back.

  • How do you configure a port for Port Security?

    -In interface configuration mode, first make the port a static access port with 'switchport mode access' (port security is rejected on a dynamic port), then enable it with 'switchport port-security' and specify the desired settings: the maximum number of addresses, static or sticky MAC addresses, and the violation action.

  • What happens if you try to use an invalid MAC address when configuring Port Security?

    -The configuration still takes effect, but the static address you entered (for example, all zeros) is the only one the port trusts. The real device attached to the port then has a non-matching MAC address, so its first frame is treated as a violation and the configured action (drop, or err-disable in 'shutdown' mode) is applied to the legitimate device.

  • How can you check if Port Security violations have occurred?

    -Use 'show port-security' to see the violation count and action for every secured port. For details on one port, including its status, violation mode, address counts and the last source address seen, use 'show port-security interface <interface>'; 'show port-security address' lists the secure addresses themselves.
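What a violation looks like under the default 'shutdown' action and how the port is brought back, as an added example that is not part of the video: the interface and MAC addresses are assumed, and the log lines are constructed in the format IOS emits rather than captured from a device.

```cisco
! Added example, not from the video; interface and MAC addresses are assumed.
! The violation action here is the default "shutdown". A frame from a source
! that is not a secure address (a third device, or the legitimate device when a
! wrong static MAC such as 0000.0000.0000 was configured) err-disables the port.
! Constructed log lines, in the format IOS emits:
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port GigabitEthernet0/1.
%PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down

! Confirm the cause before touching the port (output abbreviated).
Switch# show port-security interface GigabitEthernet0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Last Source Address:Vlan   : 00aa.bbcc.ddee:10
Security Violation Count   : 1
Switch# show interfaces status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Gi0/1                        err-disabled psecure-violation

! Manual recovery: cycle the interface with shutdown, then no shutdown.
! If the offending device is still attached it will simply trip the port again.
Switch# configure terminal
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit

! Optional automatic recovery: re-enable err-disabled ports after 300 seconds.
! Useful on user-facing ports so a single violation does not need a ticket.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300

! When a legitimate device is replaced, remove its stale sticky entry (assumed
! value) or the new machine is treated as a violator; then save the config.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# no switchport port-security mac-address sticky 0011.2233.6677
Switch(config-if)# end
Switch# write memory
```

The 'Last Source Address:Vlan' field is the quickest way to tell whether the violator was an unknown device or a mistyped static address: if it shows the MAC of the machine that is supposed to be on the port, fix the configuration rather than hunting for a rogue device.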

Related tags
Port Security, Network Switch, MAC Address, Violation Response, Configuration Tutorial, Sticky MAC, Access Port, Network Admin, Switch Commands, Security Features, Technical Guide