Friday, August 12, 2011

Cisco Port Security

Cisco's port security feature is a great way to increase your internal network security. Port security binds MAC addresses to switch ports and allows only those MAC addresses to send traffic through the port. It is configured on a per-port basis on access ports (not trunk or EtherChannel ports; the port must also be statically configured, since port security is rejected on a port in dynamic/auto mode). If an unknown MAC address tries to communicate through the port, port security puts the port into the err-disabled state, i.e. shuts it down (the default violation mode).

Basically you are going to do the following steps, depending on your needs:

1) Determine which ports you will apply port-security to. (Not trunk or EtherChannel ports.)
2) Decide if you will use an aging time and how many minutes.
3) Choose how many MAC addresses you will allow on the ports.
4) Choose the security violation mode to enforce (shutdown, restrict or protect).
-------------------
Apply Port-Security
-------------------
I will set up port 1/0/1 with the default port-security settings (you could use the interface range command here)...

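The page's own capture of this step did not survive, so the following is an added example of enabling port-security with its defaults, first on FastEthernet1/0/1 and then on a block of user ports with the range command. The interface names and VLAN 10 are assumptions, not from the original post.

```cisco
! Added example, not the page's own capture. Interface names and VLAN 10 are assumed.
! Port security only takes effect on a statically configured port; on a port left in
! dynamic/auto mode the command is rejected, so set the mode first.
Switch# configure terminal
Switch(config)# interface FastEthernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# exit
!
! The same thing on a block of user ports with the range command.
Switch(config)# interface range FastEthernet1/0/2 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# end
!
! The bare "switchport port-security" line implies defaults that the running-config
! does not print: maximum 1 address, violation mode shutdown, aging time 0 (disabled).
! Leave it off uplinks, EtherChannel members and SPAN destination ports.
```
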
------------------------------------------
Apply Aging Time and Maximum Mac Addresses
------------------------------------------
The default settings allow only one MAC address to communicate through the port (Maximum MAC Addresses: 1). The address is learned dynamically by default, meaning that the first MAC address seen on the port becomes its secure address. Also, remember that a MAC address secured on one port can't be used on another secure port in the same VLAN; if it shows up there, that port sees a violation. This may be terribly inconvenient. What if you use a laptop and need to take it to the conference room? This is what the "aging time" setting is for. After the specified time (in minutes; the default of 0 disables aging) the port clears the MAC addresses it learned dynamically, allowing you to use them elsewhere. By default the aging type is "absolute", so the timer runs from the moment the address was learned whether or not the host is still talking; the "inactivity" type ages out only addresses that have gone quiet for the whole period.

Also, I need more than one MAC address here because I'm plugged into a Cisco phone: the phone's MAC address is secured on the voice VLAN and my PC's on the access VLAN, so the maximum has to be at least 2. Let's add these parameters to the port...

Here is my interface config now...

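The page's captures of the commands and of the resulting interface config did not survive, so here is an added example of both: the maximum and aging parameters applied to FastEthernet1/0/1, followed by what the interface looks like afterwards. VLAN 10 (data), VLAN 20 (voice) and the 10-minute timer are assumptions, as is the exact line order the switch prints. It also uses the "inactivity" aging type, which goes a step beyond the default absolute timer the text describes.

```cisco
! Added example, not the page's own capture. VLAN 10 (data), VLAN 20 (voice) and the
! 10-minute timer are assumed.
Switch# configure terminal
Switch(config)# interface FastEthernet1/0/1
Switch(config-if)# switchport voice vlan 20
! Phone on the voice VLAN + PC on the access VLAN = 2 secure addresses.
Switch(config-if)# switchport port-security maximum 2
! Forget a dynamically learned address after 10 minutes...
Switch(config-if)# switchport port-security aging time 10
! ...but only if it has been silent that long (default type is absolute).
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# end
!
! The interface afterwards. Defaults (violation shutdown, static aging disabled)
! are not printed; line order is as the switch prints it (assumed).
Switch# show running-config interface FastEthernet1/0/1
interface FastEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
end
```
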
----------------
Violations
----------------
If another MAC address tries to communicate on that port, a violation occurs. With the default violation mode ("shutdown")...

1) The port is put into the err-disabled state (shut down).
2) A message is generated in the log.
3) An SNMP trap is generated.

The other two modes keep the port up: "protect" silently drops frames from unknown MAC addresses (no log, no trap, no counter), and "restrict" drops them but still logs, sends the trap and increments the violation counter.

Log entry...

Aug 2 15:18:26.583 MDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0c26.0a1d.1ec2 on port FastEthernet1/0/1.

Verify with these commands...

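The page's capture of the verification commands did not survive; the following is an added example (not the page's own output) that shows the "restrict" alternative to the default mode, the show commands to check a port after a violation, and both manual and automatic err-disable recovery. Interface names, the violating MAC address (reused from the log entry above) and the 300-second recovery interval are assumptions.

```cisco
! Added example, not the page's own capture. Interface names, MAC addresses and the
! 300-second recovery interval are assumed.
!
! Alternative to the default "shutdown" mode: drop, log, trap and count, but keep the
! port up (useful on ports where an outage would hurt more than the intrusion).
Switch# configure terminal
Switch(config)# interface FastEthernet1/0/2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# end
!
! Verify. "Secure-up" is normal; "Secure-shutdown" plus a non-zero violation count
! means the port was err-disabled, and Last Source Address shows who caused it.
Switch# show port-security interface FastEthernet1/0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0c26.0a1d.1ec2:10
Security Violation Count   : 1
!
! Switch-wide views: every secure address, and every err-disabled port with its reason.
Switch# show port-security address
Switch# show interfaces status err-disabled
!
! Manual recovery: drop the learned addresses on that port, then bounce it.
Switch# clear port-security dynamic interface FastEthernet1/0/1
Switch# configure terminal
Switch(config)# interface FastEthernet1/0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit
!
! Automatic recovery (global config): the port comes back by itself after the
! interval. That interval is all that stands between an attacker and a retry,
! so keep it long enough for the syslog message to be noticed.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
Switch# show errdisable recovery
```
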
To recover from the err-disabled state, do a "shutdown" followed by a "no shutdown" on the interface.
Other global commands are helpful too: "clear port-security all" clears every secure MAC address learned on the switch, and "clear port-security dynamic interface <name>" does the same for a single port.
If you are using the default violation mode (shutdown), the global config command "errdisable recovery cause psecure-violation" makes the switch bring secure ports out of the err-disabled state automatically, but only once the errdisable recovery interval (300 seconds by default) has elapsed; it does not recover them on the spot.


----------
References
----------
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s6.html#wp1033679

