
Switchport port-security (MAC address limits, dynamic and sticky MAC learning)

Port security is a layer 2 feature that enforces a limit on the number of MAC addresses allowed per port. Its two main purposes are to prevent unauthorized connections (from unauthorized or unknown MAC addresses) on a port and to prevent MAC address flooding attacks. A MAC address flooding attack consists of sending a barrage of frames with different source MAC addresses, forcing the switch to overpopulate its MAC address table. The damage occurs when the table overflows, that is, the switch has learned the maximum number of MAC addresses it can hold, and it starts behaving like a hub, flooding frames out all ports in all VLANs. Port security works only on ports configured as static access or static trunk.

Configure SW1 to guard against MAC address flooding attacks (interface configuration):

switchport voice vlan 100                        ! VLAN 100 as the voice VLAN
switchport port-security                         ! enable port security on the port
switchport port-security maximum 2               ! at most two secure MAC entries, one per VLAN
switchport port-security maximum 1 vlan access   ! one MAC on the access VLAN
switchport port-security maximum 1 vlan voice    ! one MAC on the voice VLAN
switchport port-security mac-address sticky      ! retain the MAC addresses learned on the port in the switch configuration
switchport port-security aging type inactivity
switchport port-security aging time 10           ! age the learned secure entries after 10 minutes of inactivity

Choose one violation mode for the port:

switchport port-security violation protect       ! simply drop the offending traffic
switchport port-security violation restrict      ! drop offending packets and generate log records of the violation

On trunk ports, limit the number of MAC addresses learned simultaneously on the port to one per VLAN, and err-disable only the VLAN in which the violation occurred:

switchport port-security maximum 1 vlan 133
switchport port-security maximum 1 vlan 143
switchport port-security violation shutdown vlan ! apply the err-disabled state only to the offending VLAN

Global configuration, automatic recovery of err-disabled ports after 3 minutes:

errdisable recovery cause psecure-violation
errdisable recovery interval 180
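As an added illustration (not code from this page or from Cisco), the following Python model applies the per-port and per-VLAN maximums and the three violation modes described above to a constructed burst of frames with distinct source MACs, showing why only the configured number of addresses is ever learned and how protect, restrict and shutdown differ in their reaction. The class, its fields and the log message format are constructed for the model.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Secure-MAC state of one port, modelled after the commands above (constructed model)."""
    max_total: int                                    # switchport port-security maximum N
    max_per_vlan: dict = field(default_factory=dict)  # vlan -> N, from "maximum N vlan ..."
    violation: str = "shutdown"                       # protect | restrict | shutdown
    secure: dict = field(default_factory=dict)        # vlan -> set of learned secure MACs
    err_disabled: bool = False
    log: list = field(default_factory=list)           # constructed stand-in for syslog records

    def frame(self, vlan, src_mac):
        """Decide what happens to a frame: 'forward', 'drop' or 'err-disable'."""
        if self.err_disabled:                 # a shut-down port passes nothing until recovered
            return "drop"
        learned = self.secure.setdefault(vlan, set())
        if src_mac in learned:                # already a secure address on this VLAN
            return "forward"
        total = sum(len(macs) for macs in self.secure.values())
        vlan_room = len(learned) < self.max_per_vlan.get(vlan, self.max_total)
        if total < self.max_total and vlan_room:
            learned.add(src_mac)              # dynamic (or sticky) learning of a new secure MAC
            return "forward"
        # Every further new source MAC is a violation; the mode decides the reaction.
        if self.violation == "protect":       # silently drop, no record
            return "drop"
        if self.violation == "restrict":      # drop and record the event
            self.log.append(f"violation on vlan {vlan} from {src_mac}")
            return "drop"
        self.err_disabled = True              # shutdown: err-disable the port
        return "err-disable"


def flood(port, vlan, count):
    """Replay a constructed burst of frames with distinct source MACs and tally the outcomes."""
    tally = {"forward": 0, "drop": 0, "err-disable": 0}
    for i in range(count):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"   # locally administered, constructed
        tally[port.frame(vlan, mac)] += 1
    return tally
```

With `maximum 2` and one address per VLAN, a burst of 100 new source MACs on one VLAN learns exactly one and drops the rest, while the other VLAN still gets its single entry; in shutdown mode the second new MAC err-disables the port and everything after it is dropped until errdisable recovery re-enables it.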
