port security — CISCO.OOO



Port security легок в конфигурации и позволяет вам защитить интерфейсы при помощи ограничения MAC адресов. Port security обычно настраивается на интерфейсах, к которым подключены серверы и другие устройства, у которых вероятность смены MAC адреса крайне мала. Включая port security на интерфейсе, вы можете предотвратить неавторизованный доступ к сети, если злоумышленник подключит свое устройство к этому интерфейсу.


Configuration Steps:


По умолчанию, switchport security отключен на всех интерфейсах.


1) Включить port security можно только на L2 интерфейсе, настроенном как access интерфейс. 

Your switch interface must be L2 as «port security» is configure on an access interface.You can make your L3 switch port to an access interface by using the «switchport» command.


2) Then you need to enable port security by using the «switchport port-security» command. This can also be applied in a range of the interfaces on a switch or individual interfaces.


3) This step is optional, but you can specify how many MAC addresses the switch can have on one interface at a time. If this setting is not applied the default of one MAC address is used. The command to configure this is as follows, «switchport port-security maximum N» (where N can be from 1 to 6272) Keep in mind the range the number of maximum MAC address depends on the hardware and Cisco IOS you use.


4) This step is also optional, but you can define the action to take when a violation occurs on that interface or interfaces. The default is to shut down the interface or interfaces. The command to configure this is as follows «switch port-security violation { protect | restrict | shutdown }»


Protect which discards the traffic but keeps the port up and does not send a SNMP message.

Restrict which discards the traffic and sends a SNMP message but keeps the port up

Shutdown which discards the traffic sends a SNMP message and disables the port. (This is the default behavior is no setting is specified.)


5) You can specify the MAC address that is allowed to access the network resources manually by using the command «switchport port-security mac-address value». Use this command multiple times if you want to add more than one MAC address.


6) If you don’t want to configure manually every single MAC address of your organization then you can have the switch learn the MAC address dynamically using the «switchport port-security mac-address sticky» command. This command allow switch to learn the first MAC address that comes into on the interface.

Configuration Example:


Switch(config)# interface gig0/2

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security maximum 1

Switch(config-if)# switchport port-security mac-address 00-d0-ba-11-21-31

Switch(config-if)# switchport port-security violation shutdown



To Verify the port security status use «show port-security»

Related Information:

Configuring Port Security

Оставьте комментарий