Port protection can be used to protect hosts from malware and abuse. When ports are placed in protected mode, the hosts connected to them cannot talk to hosts on other ports of the same switch that are also in protected mode.
Hosts on protected ports can still communicate with hosts on non-protected ports, so hosts offering services should not normally be connected to ports that have been placed in protected mode.
Below I configure ports 9 to 16 as protected ports. I use a show command to view the running config.
switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch2(config)#interface range fastEthernet 0/9 - 16
switch2(config-if-range)#switchport protected
switch2(config-if-range)#end
switch2#show run | begin interface FastEthernet0/9
interface FastEthernet0/9
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/10
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/11
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/12
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/13
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/14
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/15
switchport protected
no ip address
spanning-tree portfast
!
interface FastEthernet0/16
switchport protected
no ip address
spanning-tree portfast
!
Using ping I verify that hosts on protected ports cannot communicate with each other but can still access services on non-protected ports.
Sunday, 7 February 2010
Wednesday, 3 February 2010
Port Security
In this post I configure port security on a port in sticky mode, so that the port learns the first MAC address it sees and keeps it in the running config. I then configure the switch to re-enable the port 2 minutes after a port-security violation has shut it down.
Finally I use some useful show commands to view the interface configuration and the state of the port, and to verify that the correct settings are in the running config.
switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#interface fastEthernet 0/17
switch1(config-if)#switchport port-security
switch1(config-if)#switchport port-security mac-address sticky
switch1(config-if)#exit
switch1(config)#errdisable recovery cause psecure-violation
switch1(config)#errdisable recovery interval 120
switch1#sh run interface fastEthernet 0/17
Building configuration...
Current configuration : 254 bytes
!
interface FastEthernet0/17
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001e.68ff.d35f
no ip address
spanning-tree portfast
end
switch1#show port-security interface fastEthernet 0/17
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0
switch1#show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type            Ports     Remaining Age (mins)
----    -----------       ----            -----     --------------------
   2    001e.68ff.d35f    SecureSticky    Fa0/17    -
-------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024
switch1#show running-config | include errdisable
errdisable recovery cause psecure-violation
errdisable recovery interval 120
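As an added example (not from these posts), a small Python audit that applies both controls described here to a saved running-config: it parses the interface stanzas, answers whether two ports can exchange frames under the protected-port rule from the first post, and flags access ports that lack port-security or sticky learning, or a switch with no errdisable recovery for psecure-violation. The config text is constructed to mirror the show run output above, and the parser assumes IOS-style stanzas terminated by "!".

```python
# Constructed sample modelled on the posts' show run output (not a real device).
SAMPLE_CONFIG = """errdisable recovery cause psecure-violation
!
interface FastEthernet0/9
 switchport protected
!
interface FastEthernet0/10
 switchport protected
!
interface FastEthernet0/17
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001e.68ff.d35f
!
interface FastEthernet0/18
 switchport mode access
 switchport port-security
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} per interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line.startswith("!") or not line.strip():
            current = None  # '!' or a blank line ends the stanza
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces

def can_forward(interfaces, src, dst):
    """Protected-port rule: no forwarding between two protected ports on one switch."""
    return not all("switchport protected" in interfaces[p] for p in (src, dst))

def audit_port_security(config):
    """Flag access ports missing port-security/sticky and missing errdisable recovery."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks/uplinks are out of scope for this check
        if "switchport port-security" not in lines:
            findings.append(f"{name}: access port without port-security")
        elif "switchport port-security mac-address sticky" not in lines:
            findings.append(f"{name}: port-security without sticky MAC learning")
    if "errdisable recovery cause psecure-violation" not in config.splitlines():
        findings.append("global: no errdisable recovery for psecure-violation")
    return findings
```

Run it against the output of show running-config on a switch (for example `audit_port_security(open("switch1.cfg").read())`) to list ports that do not match the configuration shown in these posts.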