Port security is a feature that restricts input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port.
- It can only be configured on static access or trunk ports, not on ports whose mode is negotiated dynamically.
You can configure these types of secure MAC addresses:
1. Static secure MAC addresses: Manually configured by using the switchport port-security mac-address mac-address interface configuration command.
2. Dynamic secure MAC addresses: Dynamically learned, stored only in the address table and removed when the switch restarts.
3. Sticky secure MAC addresses: Dynamically learned or manually configured, stored in the address table and added to the running configuration. These addresses can be saved in the configuration file.
Three violation modes, based on the action taken when a violation occurs:
1. Protect: Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses.
2. Restrict: Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses; you are notified.
- Generates SNMP traps and syslog messages.
3. Shutdown: Port security violation causes the interface to immediately become error-disabled and turns off the port LED; it also sends a Simple Network Management Protocol (SNMP) trap, logs a syslog message, and increments the violation counter.
Command set to configure port security (interface configuration mode):
switchport port-security
switchport port-security maximum value [vlan [vlan-list]]
switchport port-security violation {protect | restrict | shutdown}
switchport port-security mac-address mac-address [vlan vlan-id]
switchport port-security mac-address sticky
You can use port security aging to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
1. Absolute: The secure addresses on the port are deleted after the specified aging time.
2. Inactivity: The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.
Command:
switchport port-security aging {static | time time | type {absolute | inactivity}}
Setting errdisable recovery (error-disable aging) for port security, in global configuration mode:
errdisable recovery cause psecure-violation
errdisable recovery interval 5400    (interval in seconds)
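The commands above assembled on one access port, as an added example that is not part of the original post: the interface name, VLAN number and timers are assumed values, and the comments explain why each line is there.

```cisco
! Added example (not from the original post). Interface, VLAN and timer
! values are assumptions chosen for illustration.
interface GigabitEthernet0/1
 description Single workstation, port security with sticky learning
 ! port security requires a static access or trunk port, so set the mode first
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! one station expected on this port (1 is also the default maximum)
 switchport port-security maximum 1
 ! restrict: drop frames from unknown MACs and raise SNMP trap / syslog,
 ! but do not err-disable the port (shutdown is the default mode)
 switchport port-security violation restrict
 ! learn the first MAC seen and add it to the running configuration;
 ! it survives a reload once the configuration is saved
 switchport port-security mac-address sticky
 ! age out the learned address after 10 minutes of inactivity (time is in
 ! minutes), so a replaced workstation can connect without manual cleanup
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Global settings: ports elsewhere that use violation shutdown recover
! automatically after 300 seconds instead of waiting for an administrator
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification from privileged EXEC mode:
!   show port-security interface GigabitEthernet0/1
!   show port-security address
!   show errdisable recovery
```

After a violation, the SecurityViolation counter in show port-security interface increments and the offending MAC appears in the syslog message, which is the signal to watch for in monitoring.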