Port Security Configuration Script

Use these configuration parameters:

• Enable port security on Fast Ethernet port 1

• Set the maximum number of secure addresses to 50

• Set violation mode to default

• No static secure MAC addresses needed

• Enable sticky learning

Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 20
Switch(config-if)# end

MAC addresses are normally learned dynamically; some switches also support static entries and sticky entries. Static entries are entered manually for each port (for example, switchport port-security mac-address mac-address) and saved in the running configuration. Sticky entries are similar to static entries except that they are learned dynamically. Existing dynamic entries are converted to sticky entries when the switchport port-security mac-address sticky command is issued for a port. These former dynamic entries are written into the running configuration as switchport port-security mac-address sticky mac-address commands. If the running configuration is then saved to the startup configuration, these MAC addresses do not need to be relearned after a restart. The maximum number of secure MAC addresses for the port can also be set (for example, with the command switchport port-security maximum value).

This figure shows how to enable port security on Fast Ethernet port 0/1 and to set the maximum number of secure addresses to 50. The violation mode is the default, no static secure MAC addresses are configured, and sticky learning is enabled.
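As an added example that is not part of the SND course material, the Python below parses an IOS-style running configuration and audits access ports against the settings discussed above: port security enabled, sticky learning on, and the maximum within a cap. The sample configuration is constructed; the default of one secure address per port reflects IOS behaviour when no maximum is configured, and the example generalizes the page's single-port case to a configuration with several interfaces.

```python
import re
# Constructed sample config (not from the page): Fa0/1 mirrors the page, Fa0/2 has no port security.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security mac-address sticky
 switchport port-security aging time 20
!
interface FastEthernet0/2
 switchport mode access
!
"""

def parse_port_security(config: str) -> dict:
    """Map interface name -> port-security settings parsed from IOS-style text."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            # IOS applies maximum 1 when no maximum is configured.
            cur = {"access": False, "enabled": False, "maximum": 1,
                   "sticky": False, "sticky_macs": []}
            ports[line.split(None, 1)[1]] = cur
        elif cur is None or line == "!":
            continue
        elif line == "switchport mode access":
            cur["access"] = True
        elif line == "switchport port-security":
            cur["enabled"] = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            cur["maximum"] = int(m.group(1))
        elif line == "switchport port-security mac-address sticky":
            cur["sticky"] = True
        elif m := re.fullmatch(r"switchport port-security mac-address sticky (\S+)", line):
            cur["sticky_macs"].append(m.group(1))  # sticky entry saved in the config
    return ports

def audit(ports: dict, max_allowed: int = 50) -> dict:
    """Access ports failing the policy: port-security on, sticky on, maximum <= cap."""
    findings = {}
    for name, p in ports.items():
        checks = [(p["access"] and not p["enabled"], "port-security not enabled"),
                  (p["enabled"] and not p["sticky"], "sticky learning disabled"),
                  (p["maximum"] > max_allowed, f"maximum {p['maximum']} exceeds {max_allowed}")]
        issues = [msg for failed, msg in checks if failed]
        if issues:
            findings[name] = issues
    return findings
```

Lines the parser does not recognise, such as the aging timer, are ignored, so the audit reports only the settings it checks.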

3-42 Securing Cisco Network Devices (SND) v2.0 © 2006 Cisco Systems, Inc.
