An increasingly serious challenge for network administrators is controlling who can connect to the organization's internal network and who cannot. Suppose the company needs to demonstrate a product to an outside customer: someone unplugs the Ethernet cable from a company PC and plugs it into the customer's laptop. Any worms or viruses on that laptop are now a direct threat to your LAN. This article looks at how to address this kind of problem by configuring switch ports.
In principle, the port security feature records the Ethernet MAC address of the device attached to a switch port, that is, the address of its network card, and allows only that MAC address to communicate through the port. If any other MAC address tries to send traffic through the port, port security blocks it and, depending on the violation mode, can shut the port down. This keeps unauthorised devices off the network and raises its security.
Configuring port security is relatively simple. In its simplest form you select the port to protect and enter the interface-mode command switchport port-security. Appending "?" shows the options the command accepts:
Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
Switch(config-if)# switchport port-security
Switch(config-if)# ^Z
Here we have entered only the basic command and accepted the defaults: a maximum of one MAC address, learned dynamically, so the first device that sends traffic is the only one allowed on the port. If another MAC address tries to communicate through the port, the switch shuts the port down; it enters the err-disabled state and stays down until an administrator re-enables it. Next, let's look at how to change these settings.
Port security should of course be configured to fit the actual situation. For the port in this example, the following additional port security commands are available:
switchport port-security maximum {number of MAC addresses allowed}: allows more than one MAC address on the port. For example, if a 12-port hub is connected to the switch, up to twelve MAC addresses can appear on that port, so configure switchport port-security maximum 12, which sets the limit for this port to 12.
switchport port-security violation {shutdown | restrict | protect}: tells the switch what to do when a MAC address beyond the limit appears on the port. The default is shutdown, which puts the port into the err-disabled state. restrict drops frames from the offending addresses, increments the violation counter and notifies the administrator through a syslog message and an SNMP trap. protect also drops frames from unknown addresses while the allowed addresses keep communicating, but it does so silently, with no log message, trap or counter, so it is the hardest mode to monitor.
switchport port-security mac-address {MAC address}: manually defines the MAC address allowed on this port instead of letting the port learn it dynamically. The variant switchport port-security mac-address sticky makes the switch learn the address dynamically and then write it into the running configuration, which is what the "Sticky MAC Addresses" counter in the show output refers to.
You can also configure port security on a range of ports at once. For example:
Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security
Be careful, however, about applying this to an uplink port. Many devices are reached through such a port, so with the default limit of one MAC address the whole port is shut down as soon as the second device sends a frame, which is a nuisance to recover from. Exclude uplink and trunk ports from the range.
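The following is an added, complete configuration that is not part of the original article. It applies the options above to a 24-port switch, assuming (hypothetically) that Fa0/1-23 are end-user access ports, Fa0/24 is the uplink to another switch, and each access port may legitimately carry two devices (a PC behind an IP phone). It uses restrict instead of the default shutdown, sticky learning so the bindings survive a reload once the configuration is saved, and global err-disable recovery in case shutdown mode is used elsewhere:

```cisco
! Added example, not from the original article. Port and device layout is assumed.
config t
!
! Fa0/1-23: end-user access ports.
! Port security is rejected on a port whose mode is dynamic (DTP),
! so fix the mode to access before enabling it.
interface range fastEthernet 0/1 - 23
 switchport mode access
 switchport port-security
 ! PC plus IP phone: two MAC addresses per port
 switchport port-security maximum 2
 ! drop extra addresses, count them and send syslog/SNMP instead of err-disabling
 switchport port-security violation restrict
 ! learn the first addresses seen and write them into running-config
 switchport port-security mac-address sticky
!
! Fa0/24: uplink. Many MAC addresses arrive here, so leave port
! security off and make the trunk explicit.
interface fastEthernet 0/24
 switchport mode trunk
 no switchport port-security
!
! For any port left in shutdown mode, bring an err-disabled port
! back automatically after 300 seconds instead of waiting for an admin.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
! persist the sticky addresses together with the rest of the config
write memory
```

Sticky addresses appear in running-config as switchport port-security mac-address sticky {MAC} lines; they are only kept across a reload if you save the configuration, which is why the example ends with write memory.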
Once port security is configured and the Ethernet device on the port sends traffic, the switch records its MAC address and uses that address to secure the port. To view the port security status on the switch, use the show port-security address and show port-security interface commands. Example:
Switch# show port-security address
Switch# show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.285d
Security Violation Count : 0
Switch#
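Port Status reads Secure-up above, meaning no violation has occurred. When a violation does occur in the default shutdown mode, the port goes err-disabled and traffic stops until it is bounced. The following added procedure, which is not part of the original article, shows how to find such a port and restore it; it assumes the port is Fa0/18 as in the output above and that the administrator has decided the new device is legitimate:

```cisco
! Added example, not from the original article.
! 1. Find ports that port security has shut down. In "show port-security"
!    look for a non-zero SecurityViolation count; in "show interfaces status
!    err-disabled" the reason column reads psecure-violation.
show port-security
show interfaces status err-disabled
show port-security interface fa0/18
!
! 2. Allow the second device (assumed legitimate here) by raising the limit.
!    If instead the old device was replaced, drop the learned address with
!    "clear port-security dynamic interface fa0/18" (or remove the sticky
!    line from running-config) before re-enabling the port.
config t
interface fa0/18
 switchport port-security maximum 2
 ! an err-disabled port stays down until it is bounced
 shutdown
 no shutdown
end
!
! 3. Confirm Port Status is back to Secure-up and watch the violation counter.
show port-security interface fa0/18
```

If you prefer not to bounce ports by hand, the global errdisable recovery cause psecure-violation command re-enables them automatically after the configured interval; the offending device must still be removed or allowed, or the port will simply be shut down again.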