Friday 4 December 2015

Cisco Switchport Port Security Feature

Overview

When configuring the security for a network, it is important to take advantage of the security features of all deployed devices. One of the security features available on Cisco switches (among other vendors) is switchport security.

The switchport security feature offers the ability to configure a switchport so that traffic can be limited to only a specific configured MAC address or list of MAC addresses.

Secure MAC Address Types

To begin with, there are three different types of secure MAC address:

Static secure MAC addresses—This type of secure MAC address is statically configured on a switchport and is stored in an address table and in the running configuration.

Dynamic secure MAC addresses—This type of secure MAC address is learned dynamically from the traffic that is sent through the switchport. These types of addresses are kept only in an address table and not in the running configuration.

Sticky secure MAC addresses—This type of secure MAC address can be manually configured or dynamically learned. These types of addresses are kept in an address table and in the running configuration.

Switchport Security Violations

The second piece of switchport port-security that must be understood is the security violation: what it is, what causes it, and which violation modes exist. A switchport violation occurs in one of two situations:

  1. When the maximum number of secure MAC addresses has already been learned or configured on the switchport and a frame arrives from a MAC address that is not in the table (by default, the maximum number of secure MAC addresses per switchport is limited to 1)
  2. An address learned or configured on one secure interface is seen on another secure interface in the same VLAN

The action that the device takes when one of these violations occurs can be configured:

Protect—This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, no notification action is taken when traffic is dropped.
Restrict—This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, a syslog message is logged, a Simple Network Management Protocol (SNMP) trap is sent, and a violation counter is incremented when traffic is dropped.
Shutdown—This mode is the default violation mode; when in this mode, the switch will automatically force the switchport into an error disabled (err-disable) state when a violation occurs. While in this state, the switchport forwards no traffic. The switchport can be brought out of this error disabled state by issuing the errdisable recovery cause CLI command or by disabling and reenabling the switchport.


Configuration
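The configuration side of the feature, as an added example that is not part of the original post: a Cisco IOS snippet that ties the three address types and the violation modes described above to the actual commands. The interface names, VLAN IDs and the MAC address are assumed placeholders, and the err-disable recovery timer is an assumed value.

```cisco
! Added example configuration, not from the original post.
! Interface names, VLAN IDs and the MAC address below are placeholders.
!
! --- User-facing port: up to two sticky-learned addresses, "restrict" mode ---
! Port security only works on a port in static access (or trunk) mode,
! so the mode is set explicitly before enabling the feature.
interface GigabitEthernet1/0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! --- Fixed device (e.g. a printer): one static secure MAC, default settings ---
! Default maximum is 1 and default violation mode is shutdown, so a second
! source MAC on this port err-disables it.
interface GigabitEthernet1/0/2
 description printer, fixed MAC
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
! --- Global: recover err-disabled ports automatically after 300 seconds ---
! Without this, a port shut down by a violation stays down until an
! administrator issues shutdown / no shutdown on it. 300 s is an assumed value.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (privileged EXEC mode):
!   show port-security
!   show port-security interface GigabitEthernet1/0/1
!   show port-security address
!   show errdisable recovery
```

Two points a practitioner should keep in mind with this configuration. Sticky addresses are written into the running configuration as `switchport port-security mac-address sticky <mac>` lines as they are learned, but they survive a reload only if the running configuration is saved afterwards (copy running-config startup-config). And because the first interface uses the restrict mode, it never enters the err-disabled state; the recovery timer only matters for ports left in the default shutdown mode, such as the second interface.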
