Switch Security

So, just how do you stop someone from simply plugging a host into one of your switch ports, or worse, adding a hub, switch, or access point to the Ethernet jack in their office? By default, MAC addresses will just dynamically appear in your MAC forward/filter database. You can stop them in their tracks with port security, configured with the following command from Table 5.4.
To enable port security on a switch port, use the following:
Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security
Table 5.5 lists your options for the switchport port-security command.
Options for switchport port-security

Options       Meaning
aging         Configures a timer for dynamically learned addresses to decay out of the cache.
mac-address   Configures a statically assigned secure hardware address for a given port's table.
maximum       Configures a maximum number of secure addresses for a given port.
violation     Configures an action should a violation on the port occur. There are three violation modes: protect, restrict, and shutdown.
Here is an example of listing the port security options on a switch port:
Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

If you want to set up a switch port to allow only one host per port and shut down the port if this rule is violated, use the following commands:
Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
These commands are probably the most popular because they prevent users from connecting a switch or access point in their office. A maximum of 1 means only one MAC address can be used on that port, and if the user tries to add another host on that segment, the switch port will then shut down. If that happens, you'd have to manually go into the switch and enable the port with a no shutdown command.
Probably one of my favorite commands is the sticky command. Not only does it perform a cool function, but it has a cool name! You can find this command under the mac-address command:
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security violation shutdown
Basically, this provides static MAC address security without having to type in everyone's MAC address on the network! The switch learns the first addresses it sees on the port (up to the configured maximum) and records them in the running configuration as secure addresses, so save the configuration if you want them to survive a reload.
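As an added example (not from the book), the following Python script audits a saved running-config for the settings discussed above: every access port should have port security enabled with a maximum no larger than the policy allows. It assumes the text form that "show running-config" prints (interface blocks with indented lines, closed by "!"), the constructed sample config shown inline, and the IOS default of maximum 1 once port security is enabled.

```python
# Constructed running-config excerpt (not from the page), as "show running-config" prints it.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented lines; '!' closes a block."""
    blocks, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split(None, 1)[1], [])
        elif cur is not None and line.startswith(" "):
            cur.append(line.strip())
        else:
            cur = None
    return blocks

def max_addresses(lines):
    """Effective 'maximum'; IOS defaults to 1 once port-security is enabled."""
    for l in lines:
        if l.startswith("switchport port-security maximum "):
            return int(l.rsplit(None, 1)[1])
    return 1

def audit(config, max_allowed=1):
    """One finding per access port not locked down as the text describes."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks/uplinks are out of scope for per-host limits
        if "switchport port-security" not in lines:
            findings.append(f"{name}: port-security not enabled")
        elif (n := max_addresses(lines)) > max_allowed:
            findings.append(f"{name}: maximum {n} exceeds {max_allowed}")
    return findings
```

Run audit(SAMPLE_CONFIG) to see the two findings; raise max_allowed to 2 to accept the sticky example with maximum 2.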