Port security lets you allow only a specified MAC address, or a specified number of MAC addresses, to access a port. This prevents unauthorized computers from joining the network through the port, or limits the number of computers connected to it, and so secures network access.
Before configuring port security, note the following restrictions:
1. A security port cannot be a trunk port.
2. A security port cannot be the destination port of a Switch Port Analyzer (SPAN) session.
3. A security port cannot be an EtherChannel port.
4. A security port cannot be a private-VLAN port.
1. Configure the Security Port
Step 1: Enter global configuration mode.
Switch# configure terminal
Step 2: Specify the interface on which port security is to be configured.
Switch(config)# interface interface_id
Step 3: Set the interface to access mode.
Switch(config-if)# switchport mode access
Step 4: Enable port security on the interface.
Switch(config-if)# switchport port-security
Step 5: (optional) Set the maximum number of secure MAC addresses on the interface, which limits the number of computers that can connect to the port. Value range: 1 to 3072. The default is 1.
Switch(config-if)# switchport port-security maximum value
Step 6: (optional) Set the action taken when a violation occurs. A security violation places the port in restrict or shutdown mode. In restrict mode, when an invalid MAC address, or more MAC addresses than allowed, appear on the interface, the offending packets are discarded and an SNMP trap is sent to the network administrator. In shutdown mode, a port with a security violation is placed in the error-disabled state and stays down until the network administrator re-enables it manually with the no shutdown command.
Switch(config-if)# switchport port-security violation {restrict | shutdown}
Step 7: Rate-limit packets that arrive with an invalid source MAC address.
Switch(config-if)# switchport port-security limit rate invalid-source-mac
Step 8: (optional) Specify a secure MAC address for this interface. You can also use this command to enter addresses up to the configured maximum. If fewer MAC addresses are specified than the maximum number of secure addresses, the remaining entries are filled by dynamically learned MAC addresses, which are retained.
Switch(config-if)# switchport port-security mac-address mac_address
Step 9: Enable sticky learning on the port.
Switch(config-if)# switchport port-security mac-address sticky
Step 10: Return to privileged EXEC mode.
Switch(config-if)# end
Step 11: View and verify the configuration.
Switch# show port-security address interface interface_id
Switch# show port-security address
Step 12: Save the current configuration.
Switch# copy running-config startup-config
[Note] Use the no switchport port-security mac-address mac_address command to delete a MAC address from the secure address table.
2. Set port security aging
After you have specified the maximum number of MAC addresses for a port, you can set the port security aging time and aging type so that the port is used to the full: the switch automatically removes MAC addresses that have been disconnected for a long time, so they do not have to be deleted by hand, which reduces network maintenance work.
Step 1: Enter global configuration mode.
Switch# configure terminal
Step 2: Specify the interface on which port security aging is to be configured.
Switch(config)# interface interface_id
Step 3: Set the aging time and aging type for the security port. The aging time ranges from 0 to 1440 minutes. With the absolute type, a secure address is removed from the secure address list as soon as the specified aging time elapses. With the inactivity type, a secure address is removed only after it has sent no traffic for the aging time; an address that keeps communicating stays in the secure address list even after the aging time has elapsed.
Switch(config-if)# switchport port-security [aging time aging_time | type {absolute | inactivity}]
Step 4: Return to privileged EXEC mode.
Switch(config-if)# end
Step 5: View and verify the configuration.
Switch# show port-security [interface interface_id] [address]
Step 6: Save the current configuration.
Switch# copy running-config startup-config
After setting the maximum number of secure MAC addresses allowed on the port, you can add the secure MAC addresses to the MAC address table in one of three ways:
Manually configure all addresses (switchport port-security mac-address 0008.eeee.eeee);
Let the port dynamically learn all addresses (switchport port-security mac-address sticky);
Configure some of the addresses manually and let the remaining ones be learned dynamically.
You can enable sticky learning on an interface to convert dynamically learned MAC addresses into sticky secure MAC addresses and add them to the running configuration. To enable sticky learning, use the interface configuration command switchport port-security mac-address sticky. Once this command is configured, the interface converts all dynamic secure MAC addresses (including those learned dynamically before sticky learning was enabled) into sticky secure MAC addresses.
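As an added example (not part of the original article or of any Cisco tool), the following script audits interface blocks of a saved running-config against the restrictions and value ranges given above: access mode only, no EtherChannel membership, maximum 1 to 3072, aging time 0 to 1440 minutes, and no more static secure MAC addresses than the configured maximum. The sample configuration, interface names and finding texts are constructed for the example.

```python
import re
# Constructed running-config excerpt (not from a real switch); Fa0/2 is deliberately wrong.
SAMPLE_CONFIG = """
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0008.eeee.eeee
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode trunk
 channel-group 1 mode active
 switchport port-security
 switchport port-security mac-address 0008.aaaa.aaaa
 switchport port-security mac-address 0008.bbbb.bbbb
 switchport port-security aging time 2000
!
"""
# Limits stated in the procedure: maximum 1..3072 addresses, aging time 0..1440 minutes
RANGES = {"maximum": (1, 3072), "aging time": (0, 1440)}
def parse_interfaces(config: str) -> dict:
    blocks = {}                              # {interface name: [stripped config lines]}
    for block in config.split("!"):          # "!" terminates each interface block
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines and lines[0].startswith("interface "):
            blocks[lines[0].split(None, 1)[1]] = lines[1:]
    return blocks
def audit_port_security(config: str) -> dict:
    findings = {}                            # {interface name: [finding strings]}
    for name, lines in parse_interfaces(config).items():
        if "switchport port-security" not in lines:
            continue                         # feature not enabled, nothing to audit
        issues, maximum = [], 1              # maximum defaults to 1 when not configured
        if "switchport mode access" not in lines:
            issues.append("port security requires access mode (not trunk or private-VLAN)")
        if any(l.startswith("channel-group ") for l in lines):
            issues.append("port security cannot be applied to an EtherChannel member")
        for l in lines:
            if m := re.match(r"switchport port-security (maximum|aging time) (\d+)$", l):
                key, value = m.group(1), int(m.group(2))
                if not RANGES[key][0] <= value <= RANGES[key][1]:
                    issues.append(f"{key} {value} outside {RANGES[key]}")
                maximum = value if key == "maximum" else maximum
        static = [l for l in lines if re.match(r"switchport port-security mac-address [0-9a-fA-F.]+$", l)]
        if len(static) > maximum:            # more static secure MACs than the port admits
            issues.append(f"{len(static)} static MACs exceed maximum {maximum}")
        findings[name] = issues
    return findings
```

Sticky addresses are not counted as static entries, so a port with one static address plus sticky learning passes as long as its maximum is at least 1.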