To configure port security we need to access the command prompt of switch. Port security guidelines and restrictions when configuring port security, follow these guidelines. What is port security and how does it work with my managed. May 06, 2007 port security configuration guidelines. Packet tracer configuring switch port security instructor version objective part 1. This is a way to limit which device can connectto a switch on a given port. Configure terminal emula tion software to connect to the switch. Configuring dynamic switchport security free ccna workbook.
Cisco switch port security configuration gpon solution. To enable portsecurity youll execute the switchport portsecurity command as. Packets that have a matching mac address secure packets are. The following commands will work on most cisco switch models such as 4500, 3850, 3650, 2960, 3560 etc. Enters interface configuration mode and specifies the physical interface to configure. Default port security configuration table 621 shows the default port security configuration for an interface. Port security is a topic on the ccent exam and its important to know what it is and how to configure it. Switchport portsecurity securite sur les ports cisco en. The switchport portsecurity maximum and switchport portsecurity violation commands can be used to change the default behavior. Enabling port security on an access port to enable port security on an access port, perform this task. The port security feature offers the following benefits. Understanding how port security works port security configuration guidelines configuring port security on the switch monitoring port security understanding how port security works. We can view the default port security configuration with show port security.
When a link goes down, all dynamically locked addresses are freed. Jan 29, 2017 the port has the maximum number of mac addresses that is supported by a layer 2 switch port which is configured for port security. A best approach to securing a switchis to apply port security. Connect a pc by console cable to the switch console port. Switchport security concepts and configuration cisco press. How to configure switch port security on cisco switches. Enabling port security on a switch port is done with a simple command. Aruba 3810 5400r management and configuration guide for. Port security does not support switch port analyzer span destination ports. Switchport security can only be configured on statically configured access or trunk ports access or trunk.
Reconnect the power cord to the switch and, within 15 seconds, press and hold down the mode button while the system led is still flashing green. Do not configure dynamic, static, or permanent cam entries on a secure port. Using port security, you can configure each switch port with a unique list of the mac addresses of devices that are authorized to access the network through that. For example, a gigabit ethernet interface is often backwardscompatible with original and fast ethernet, and is referred to as a 10100 interface. Switchport security configuration example to wrap the configuration commands into a single example to ensure clarity, this section will show a basic switchport security example. How to configure port security on a cisco switch youtube. Today i will discuss about cisco switch port security issue.
Switchport security is not supported on switch port analyzer span destination ports. Figure 41port security follow these steps to configure port security. Switch and vlan security switch port security port security adds an additional layer of security to the switching network. It then sets the maximum number of macs for the port to 1 and shuts down the port if there is a violation. It also can be used to limit the total number of devices plugged into a switch port, thereby protecting the switch from a mac flooding attack as well as reducing the risks of rogue wireless access points or hubs. Configuring port security on the switch monitoring port security. Switch port configuration speed and duplex some switch interfaces are fixed at a single speed. Feb 24, 2016 port security is a topic on the ccent exam and its important to know what it is and how to configure it. By default, the maximum number of allowed mac addresses is one. The mac address learned on the port can be added to stuck to the running configuration for that port. Verify port security is enabled and the mac addresses of pc1 and pc2 were added to the running configuration with show run command.
With the default port security configuration, to brin g. Sw1 con0 is now available press return to get started. Thats all initial configuration we need to understand the switch port security. Attach rogue laptop to any unused switch port and notice that the link lights are. Do not configure span destination on a secure port. Often though, a single switch interface can support multiple speeds. From global configuration mode enter in specific interface. Next, by using the show port security interface fa01 we can see that the switch has learned the mac address of host a. Basic switch configuration and port security danscourses. Configuring sticky switchport security free ccna workbook.
Future updates can be userscheduled, ensuring the network is kept uptodate with bug fixes, security updates, and new features. Once the mac limit has exceeded the maximum configured value on a port, all traffic from. To practice and learn to configure port security on cisco switch, just download the port security packet tracer lab or create your own lab and follow the switch port security configuration guideline. From privilege exec mode use configure terminal command to enter in global configuration mode. Port security allows you to restrict a port s ingress traffic by limiting the mac addresses that are allowed to send traffic into the port. If you enable switch port security, the default behavior is to allow only 1 mac address, shutdown the port in case of security violation and sticky address learning is disabled. Learn how to secure a switch port with switchport security feature step by step. There are three different ways that mac addresses can be configured onto a port. You can use port security to block input to an ethernet, fast ethernet, or gigabit ethernet port when the mac address of the station attempting to access the port is different from any of the mac addresses that are specified for that port. To enable port security on a specific port you use the switchport portsecurity command in interface configuration mode as shown below sw1 con0 is now available press return to get started. Enable portsecurity on sw1s fa01 interface and configure the interface to sticky the mac address learned.
Port security helps secure the network by preventing unknown devices from forwarding packets. The default configuration of a cisco switch has port security disabled. The following example shows the configuration of port security on a cisco switch. The mac address of a host generally does not change. If a specific host will always remain connected to a specific switch port, then the switch can filter all other mac addresses on that port using port security. Its called port security and you can use it to limit the number of mac addresses per interface or even to specify which mac address can connect to each physical port of the switch. In this activity, you will configure and verify port security on a switch. Port security can also configured locally and has no mechanism for controlling port security in a centralized fashion for distributed switches. Configure port security on individual fastethernet ports. A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and to perform information gathering or attacks. Consider what happens if we connect a different host to the same port. Cisco switch port security commands the tech factors. You can use port security to block input to an ethernet, fast ethernet, or gigabit ethernet port when the mac address of the station. Switch a port security configured switch b mac address authorized by switch a pc 1 mac address authorized.
A secure port cannot belong to an etherchannel portchannel interface. Switchport security is not supported along with etherchannel fast or gigabit. Configuring and monitoring port security ftp directory listing. Lets now see the basic portsecurity configuration on cisco switches. To enable port security on a specific port you use the switchport portsecurity command in interface configuration mode as shown below. One approach is to manually configure the mac addressfor the directly connected device. Switch security overview in the video tutorials below, i show how to use packet tracer to build a small lan with a cisco 2960 switch, three pc clients, and two pc servers, one of the servers is placed on a separate vlan for management purposes. When connected, new ms125 switches automatically reach out to the meraki cloud and download the most current configuration. This section lists the guidelines for configuring port security.
Create a basic switch configuration, including a name and an ip address configure passwords to ensure that access to the cli is secured configure switch port speed and duplex properties for an interface configure basic switch port security manage the mac address table assign static mac addresses. With the default port security configuration, to brin g all secure ports out of the errordisabled state. Do not configure port security on a span destination port. Follow these guidelines when configuring port security. In the apic, the user can configure the port security on switch ports.
This tutorial explains switchport security modes protect, restrict and shutdown, sticky address, mac address, maximum number of hosts and switchport security violation rules in detail with examples. The svi for vlan 99 will not appear as upup until vlan 99 is created and there is a device connected to a switch port associated with vlan 99. Catalyst 6500 series switch cisco ios software configuration guiderelease 12. We can view the default port security configuration with show portsecurity. Using the show portsecurity interface fa01 command on sw1, we can see that the switch has learned the mac address of host a. Port security adds an additional layer of security to the switching network. First, we need to enable port security and define which mac addresses are allowed to send frames. To enable portsecurity youll execute the switchport portsecurity command as previously learned in lab 419. This feature enables you to configure each switch port with a unique list of the mac addresses of devices that are authorized to access. The simplest form of switch security is using port level security. Mar 15, 2018 in this activity, you will configure and verify port security on a switch. How to configure the port to automatically shut down if port security is violated.
When a mac address, or a group of mac addresses are configured to enable switch port security, the switch will forward packets only to the devices using those mac addresses. Port security allows you to restrict a ports ingress traffic by limiting the mac addresses that are allowed to send traffic into the port. Port security is easy to configured and it allows you to secure access to a port based upon a mac address basis. A secure port and static mac address configuration are mutually exclusive. Ports configured for either active or passive lacp, and which are not members of a trunk, can be configured for port security. Pdf packet tracer configuring switch port security. The port has the maximum number of mac addresses that is supported by a layer 2 switch port which is configured for port security. Click switch and click cli and press enter key port can be secure from interface mode.
Aruba 2930f 2930m management and configuration guide. Although only a single interface is used for illustration in this article, port security, if configured, is typically configured on all userfacing interfaces. Port security does not support etherchannel portchannel interfaces. Configuring port security port security configuration learn address mode select the learn mode of the mac addresses on the port. Access the command line for s1 and enable port security on fast ethernet ports 01 and 02. Backgroundpreparation cable a network similar to the one in the diagram. Basic switch security concepts and configuration basic. Mar 29, 2020 this article describes how to configure switch port security on cisco switches. Enable portsecurity on sw1 interface fa01 and allow a maximum of 3 mac addresses. If you think that this is to much configuration, search the web for information about the switchport host command associating the port with a vlan in order to tell the switch what vlan an access port should be associated with, use the following command in this case to associate it with vlan 10. Another approach is to automatically,or allow the switch, to automatically learnthe mac address. The settings for hyperterminal need to match the console port settings on the switch. The configuration output used in this lab is produced from a 2950 series switch. Port security can be used to limit access on an ethernet port based on the mac address of the device to which it is connected.
The mac address learned on the port can also be added to the running configuration of. By default, if a security violation occurs, the switch will shut down the offending. It provides guidelines, procedures, and configuration examples. Basic switching concepts and configuration 25 address 172. Next, by using the show portsecurity interface fa01 we can see that the switch has learned the mac address of host a. Using the show port security interface fa01 command on sw1, we can see that the switch has learned the mac address of host a. To return the interface to the default number of secure mac addresses, use the no switchport. The continue reading basic switch configuration and port security. The configuration shown in table 5 will enable the use of the switchport security feature on ports f01 and f02, statically configure the 0000. A secure port cannot be a destination port for switch port analyzer span. Try to test your switch port security configuration with ping command and testing with the rogue laptop on the lab.
Entering the switchport portsecurity command sets the maximum mac addresses to 1 and the violation action to shutdown. Cisco ccna port security and configuration switch port security limits the number of valid mac addresses allowed on a port. The main reason for using hyperterminal is that it is free and comes with microsoft windows. When using port level security, the mac addresses andor number of mac addresses of the connected devices is controlled. Aruba 2930f 2930m management and configuration guide for. I have some questions regarding to port security on my 2690 catalyst.
Port security configurations 41 managing physical interface 4 port security configurations 4. Cisco switch port security configuration and best practices. You can limit the number of mac addresses on a given port. Default port security configuration table 261 shows the default port security configuration for an interface. Following these steps to enable and configure port security. Layer 2 interfaces on a cisco switch are referred to as ports. The switch will delete the mac addresses that are not used or updated within the aging time. Enabling port security is extremely easy at is core. Next, we will enable dynamic port security on a switch.
243 338 1356 884 375 654 1268 700 42 136 1417 533 167 888 988 114 521 132 271 1394 303 142 1222 860 667 965 1230 1163 411 1101 1277 1385 185 580 85 235 1059 973