Cisco switches come with some undesirable defaults:
- The ports are up (whereas router interfaces are shut down by default), so use the shutdown command on unused ports
- They actively try to negotiate a trunk with DTP, so use the switchport mode access command so the port cannot become a trunk
- All ports are in VLAN 1, which is also the default native VLAN, so place unused ports into an unused dummy VLAN
To lock down a particular port to a particular MAC address:
conf t
interface FastEthernet 0/1
switchport mode access
switchport port-security (required: the other port-security commands have no effect until port security is enabled on the interface)
switchport port-security mac-address aaaa.aaaa.aaaa (IOS writes MAC addresses in dotted form, aaaa.aaaa.aaaa, not aa-aa-aa-aa-aa-aa)
switchport port-security mac-address sticky (alternative to a static address: the first MAC address seen on the port, up to the configured maximum, default 1, is learned and written into the running-config, so save it with copy running-config startup-config)
switchport port-security violation ?
shutdown, which is the default, shuts the port down, logs the event and leaves the interface in err-disabled state; it must be reopened manually with shutdown followed by no shutdown (or recovered automatically if errdisable recovery cause psecure-violation is configured).
restrict drops the violating frames, logs the event and increments the violation counter, but does not shut the port down.
protect simply drops the violating frames, with no log message and no counter increment, so a violation is invisible unless you look at the port.
show port-security interface FastEthernet 0/1 shows you all the info: port status, violation mode, maximum and learned addresses, last source address and the violation count.
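The whole hardening procedure above, collected into one switch configuration as an added example; this is not configuration from the original post. The interface numbers (a 24-port FastEthernet switch), the VLAN IDs 10 and 999, the MAC address 0011.2233.4455 and the 10-minute recovery interval are assumptions to be adjusted for your switch.

```cisco
! Added example (assumed interface numbers, VLAN IDs and MAC address)
conf t
!
! VLANs: 10 for real users, 999 as the dummy VLAN for unused ports
vlan 10
 name USERS
vlan 999
 name UNUSED
!
! Unused ports: access mode, no DTP, parked in the dummy VLAN, administratively down
interface range FastEthernet 0/3 - 24
 switchport mode access
 switchport nonegotiate
 switchport access vlan 999
 shutdown
!
! Single-host port locked to one known MAC address (assumed address);
! restrict keeps the port up but logs and counts violations
interface FastEthernet 0/1
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
 no shutdown
!
! Same thing, but learn the first address seen (sticky) and err-disable on violation
interface FastEthernet 0/2
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 no shutdown
!
! Optional: bring err-disabled ports back automatically after 600 seconds
! instead of requiring a manual shutdown / no shutdown
errdisable recovery cause psecure-violation
errdisable recovery interval 600
end
!
! Sticky addresses live in the running-config only until saved
copy running-config startup-config
!
! Verification
show port-security
show port-security interface FastEthernet 0/2
show interfaces status err-disabled
```

The sticky variant is only useful if the port is saved after the intended host has been learned; if you save before a host connects, an attacker's MAC becomes the secured address. Leaving errdisable recovery off is the safer default, since an automatically recovered port will keep re-learning whatever is plugged in.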