OverviewThe switchport security feature (Port Security) is an important piece of the network switch security puzzle; it provides the ability to limit what addresses will be allowed to send traffic on individual switchports within the switched network. Show
Once an organization decides to utilize the switchport security feature on their networks, it is important to carefully plan before any configuration is put in place. While the switchport security feature is very useful if used correctly, it can easily be misconfigured; this misconfiguration can cause service interruption and ongoing headaches for an organization. The planning of the configuration includes determining which violation mode and operation mode to use based on the goals of the organization, as well as determining which switchports should be enabled with the feature. This article takes a look at how the switchport security feature is configured by extending on the concepts that were covered in Switchport Security Concepts. Switchport Security ConfigurationBy default, the switchport security feature is disabled on all switchports and must be enabled. Table 1 shows the steps required to enable the switchport security feature on an interface (This can cause some confusion, but when using Cisco IOS, switchport configuration is performed while in interface configuration mode. The terms interface and switchport are interchangeable).
Without configuring any other specific parameters, the switchport security feature will only permit one MAC address to be learned per switchport (dynamically) and use the shutdown violation mode; this means that if a second MAC address is seen on the switchport the port will be shutdown and put into the err-disabled state. Table 2 shows the steps required to alter these default parameters:
As stated above, by default MAC addresses are learned on a switchport dynamically and are called dynamic MAC addresses. MAC addresses can also be configured in two other ways: statically and sticky. Static MAC addresses can be configured on a switchport to ensure that only a device with a specific MAC can utilize a switchport (for example, if the switchport location and a device are publically accessible and the organization wants to ensure only that authorized device can access the network). A sticky MAC address is a hybrid between a static and dynamic MAC address. When it is dynamically learned, the MAC address is automatically entered into the running configuration as a static MAC address; the address is then kept in the running configuration until a reboot. On reboot, the MAC address will be lost; if the network engineer wants to keep the MAC address across a reboot a configuration save is required (copy running startup). Table 3 shows the steps required to configure a static MAC address:
Table 4 shows the steps required to enable the use of sticky learning on a switchport:
Switchport Security Configuration ExampleTo wrap the configuration commands into a single example to ensure clarity, this section will show a basic switchport security example. The configuration shown in Table 5 will enable the use of the switchport security feature on ports f0/1 and f0/2, statically configure the 0000.1111.2222 MAC address on the f0/1 switchport and enable sticky learning on the f0/2 switchport.
SummaryWhile the switchport security feature does not require that many commands to operate properly, it can also be misconfigured just as easily. Take the time to write down and triple-check that the proposed configuration is doing what is expected, and/or test a proposed configuration in a non production environment. Hopefully the content in this article can be used to get started with the switchport security feature. Ready to test your skills for the CCNA exam? See how they stack up with this assessment from Smarterer. Start this CCNA test now What is the effect of entering the Switchport port security configuration command on switch?The switchport security feature (Port Security) is an important piece of the network switch security puzzle; it provides the ability to limit what addresses will be allowed to send traffic on individual switchports within the switched network.
What is the effect of entering the switchport mode access configuration command?The switchport mode access command sets the port as an access port, and the switchport access vlan <#> command designates the port as a member of VLAN 10. However, it is not recommended that you depend on this.
What is the effect of using the switch port security command?By using port security, a network administrator can associate specific MAC addresses with the interface, which can prevent an attacker to connect his device. This way you can restrict access to an interface so that only the authorized devices can use it.
What are the reasons for configuring port security?Port Security helps secure the network by preventing unknown devices from forwarding packets. When a link goes down, all dynamically locked addresses are freed. The port security feature offers the following benefits: You can limit the number of MAC addresses on a given port.
|
What is the effect of entering the Switchport port security configuration command?
zusammenhängende Posts
Urheberrechte © © 2024 paraquee Inc.
