Wednesday, June 17, 2009

Switch port security

Cisco switches come with some undesirable defaults:

  • The ports are up (whereas router interfaces are shut by default), so use the shutdown command on unused ports.
  • They run DTP and will negotiate a trunk with whatever is plugged in (dynamic desirable or dynamic auto, depending on the model), so use the switchport mode access command, and switchport nonegotiate, so the port cannot become a trunk.
  • All ports are in VLAN 1, which is also the default native VLAN on trunks, so place unused ports into an unused dummy VLAN.

To lock down a particular port to a particular MAC address (port security does nothing until it is enabled on the interface with switchport port-security; the mac-address lines alone have no effect):

conf t
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address aaaa.aaaa.aaaa (IOS writes MAC addresses as dotted triplets, not with dashes)
switchport port-security mac-address sticky (alternative to a static entry: the first MAC address seen on the port is learned and written into the running-config; save with copy running-config startup-config or it is lost on reload)
switchport port-security violation ?

shutdown, which is the default, shuts the port down, logs a message and sends an SNMP trap, and the interface status becomes "err-disabled". The port must be manually reopened with shutdown followed by no shutdown, unless errdisable recovery cause psecure-violation is configured, in which case it comes back after the recovery interval.

restrict drops the offending frames, increments the violation counter, logs a message and sends an SNMP trap, but does not shut the port down.

protect simply drops the violating frames silently: no log, no trap and no counter increment, so you will not know it is happening.
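Putting the default-hardening bullets and the port-security commands together, here is a complete configuration as an added example (not from the original post). The interface ranges, VLAN numbers, the MAC address and the recovery interval are assumptions; everything is entered from global configuration mode (conf t).

```cisco
! Added example; interface names, VLAN 10 / 999 and the MAC address are assumed.
!
! Unused ports: forced to access mode, parked in a dummy VLAN, shut down.
vlan 999
 name UNUSED
!
interface range FastEthernet0/10 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! User port: no trunking, one MAC address learned as sticky, violations
! dropped and logged without taking the port down.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Port pinned to one known MAC address; default violation mode (shutdown)
! err-disables the port, recovered below after 300 seconds.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

The sticky port needs a copy running-config startup-config once the expected host has been learned; a static entry (FastEthernet0/2) is saved like any other configured line. Restrict is the better default where you would rather keep the port up and investigate the log than lose a user to an err-disabled port; shutdown is the stricter choice where an unexpected device must not stay connected at all.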

The show port-security interface FastEthernet0/1 command shows you all the info: whether port security is enabled, the port status (Secure-up, Secure-down or Secure-shutdown), the violation mode, the maximum and learned address counts, the last source address and VLAN, and the violation count. show port-security address lists the secure MAC addresses across all ports.
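To turn that per-port output into something you can check on a schedule, here is an added example (not from the original post) that parses the key/value layout of show port-security interface and flags ports that are err-disabled, have recorded violations, run in protect mode, or never had port security enabled. The sample output embedded in the script is constructed to mirror the IOS layout, not captured from a real switch; the one-address-per-port expectation is an assumption.

```python
"""Audit `show port-security interface <if>` output for violations and gaps.

Added example, not from the original post. SAMPLE_OUTPUT is constructed to
mirror the key/value layout IOS prints; feed audit() real output captured
from the switch, one string per interface.
"""

# Constructed sample output for three ports (not captured from a switch).
SAMPLE_OUTPUT = {
    # Healthy: sticky learning, one address learned, no violations.
    "FastEthernet0/1": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 0
""",
    # Err-disabled: a second MAC showed up on a shutdown-mode port.
    "FastEthernet0/2": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00aa.bbcc.ddee:10
Security Violation Count   : 3
""",
    # Port security never enabled: the mac-address lines alone do nothing.
    "FastEthernet0/3": """\
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
""",
}

MAX_EXPECTED_ADDRESSES = 1  # assumption: one host per access port


def parse_port_security(text):
    """Turn 'Key : Value' lines into a dict; purely numeric values become ints.

    Splitting on ' : ' (space, colon, space) keeps a key such as
    'Last Source Address:Vlan' intact, which a plain split on ':' would not.
    """
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        key, value = key.strip(), value.strip()
        fields[key] = int(value) if value.isdigit() else value
    return fields


def assess(fields):
    """Return a list of findings; an empty list means the port looks as intended."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security not enabled (mac-address lines have no effect)")
        return findings
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("err-disabled after a violation; needs shutdown / no shutdown")
    count = fields.get("Security Violation Count", 0)
    if count:
        findings.append("%d violation(s) recorded, last source %s"
                        % (count, fields.get("Last Source Address:Vlan", "?")))
    if fields.get("Violation Mode") == "Protect":
        findings.append("protect mode drops offending frames without logging")
    if fields.get("Maximum MAC Addresses", 0) > MAX_EXPECTED_ADDRESSES:
        findings.append("allows %d addresses, expected at most %d"
                        % (fields["Maximum MAC Addresses"], MAX_EXPECTED_ADDRESSES))
    return findings


def audit(outputs):
    """Map interface name -> findings, only for interfaces that have any."""
    report = {}
    for name, text in outputs.items():
        findings = assess(parse_port_security(text))
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        for f in findings:
            print("%s: %s" % (name, f))
```

Run it as-is to see the two problem ports reported; in practice you would gather the show output over SSH or from a config-collection tool and pass the per-interface strings to audit(). Note that a port in protect mode will never show a non-zero violation count, which is exactly why the script calls that mode out on its own.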
