An introduction to the headache... how do we enable port-security on a switch port?!
That's easy to answer, using the interface command: switchport port-security.
But what will actually be configured on this specific switch port if
we just type this command and nothing else?! It will set the switchport to
allow only "one" MAC address, and the violation mode will be set to shutdown.
Probably the LAB will ask you something more specific; that's where you
have to know a few things... the violation mode, for example.
We have three violation modes available:
* Protect - When a violation occurs, it simply ignores (drops) frames from any exceeding
MAC addresses, according to your configuration (if you allow only one MAC address,
it permits the first MAC address to transmit and drops everything else from any
new MAC address trying to transmit through this port).
* Restrict - Does exactly the same thing as protect mode, but also
sends an SNMP trap about the violation.
* Shutdown - When a violation occurs in shutdown mode, the port is placed in the
ERRDISABLE state. In that state the port stops transmitting anything, and the
port LED turns off. It also sends an SNMP trap about the event.
When a port enters the ERRDISABLE state you can do a shut and a no shut to recover
it! That can become a boring task if you have many "smart users" in your network.
Fortunately, there's another way: you can set it to "autorecover"
using the errdisable recovery feature (global configuration mode). The commands for this are:
errdisable recovery cause <violation cause>
errdisable recovery interval <#seconds>
For example, if port-security placed a port in the ERRDISABLE state, you can set
your switch to recover it like this:
errdisable recovery cause psecure-violation
errdisable recovery interval 1800
That will recover the port 30 min (1800 sec) after the violation event!
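To see how the three violation modes and the errdisable recovery interval differ in practice, here is a small simulation of one secured port. It is an added example, not code from the original post or from Cisco: the SecurePort class, the run() helper and the FRAMES traffic are all constructed here, following the behaviour described above (one MAC allowed by default, protect drops silently, restrict drops and traps, shutdown err-disables the port until the recovery interval elapses).

```python
# Added example (not from the original post or from Cisco): a toy model of how
# the three port-security violation modes and errdisable recovery behave on
# one switch port, following the behaviour described in the text. Times are
# in seconds; the frame list is constructed sample traffic.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SecurePort:
    maximum: int = 1                 # default after 'switchport port-security'
    violation: str = "shutdown"      # default violation mode
    recovery_interval: Optional[int] = None  # errdisable recovery interval; None = manual shut/no shut
    secure_macs: List[str] = field(default_factory=list)   # secure (allowed) addresses
    errdisabled_at: Optional[int] = None     # time the port went into ERRDISABLE
    violations: int = 0
    traps: List[str] = field(default_factory=list)          # SNMP traps that would be sent

    def forward(self, mac: str, now: int) -> bool:
        """Return True if a frame from `mac` arriving at time `now` is forwarded."""
        if self.errdisabled_at is not None:
            recovered = (self.recovery_interval is not None
                         and now - self.errdisabled_at >= self.recovery_interval)
            if not recovered:
                return False             # ERRDISABLE: nothing passes
            self.errdisabled_at = None   # auto-recovery did the shut/no shut for us
        if mac in self.secure_macs:
            return True                  # a known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac) # learn it (modelled as sticky: survives recovery)
            return True
        # maximum reached and a new source address showed up -> violation
        self.violations += 1
        if self.violation == "protect":
            return False                 # silently dropped, nothing logged
        self.traps.append(f"psecure-violation from {mac}")   # restrict and shutdown both trap
        if self.violation == "shutdown":
            self.errdisabled_at = now    # port goes ERRDISABLE
        return False


# Constructed traffic: the first host talks, a second host appears, the first
# host talks again, then the first host once more about 30 minutes later.
FRAMES: List[Tuple[int, str]] = [
    (0, "1111.1111.1111"),
    (1, "2222.2222.2222"),
    (2, "1111.1111.1111"),
    (1801, "1111.1111.1111"),
]


def run(mode: str, frames=FRAMES, maximum: int = 1, recovery: Optional[int] = None):
    """Replay `frames` through a port in the given mode; return (forwarded flags, port)."""
    port = SecurePort(maximum=maximum, violation=mode, recovery_interval=recovery)
    return [port.forward(mac, t) for t, mac in frames], port


if __name__ == "__main__":
    for mode, rec in (("protect", None), ("restrict", None), ("shutdown", None), ("shutdown", 1800)):
        flags, port = run(mode, recovery=rec)
        print(f"{mode:9s} recovery={rec}: forwarded={flags} "
              f"violations={port.violations} traps={len(port.traps)}")
```

Running it shows the practical difference: protect and restrict keep the legitimate host working and only drop the intruder (restrict additionally leaves a trap for your monitoring), while shutdown takes the whole port down, including the legitimate host, until someone (or the recovery interval) brings it back.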
Another thing to keep in mind: the command switchport port-security mac-address <MAC>
by itself will not put the configured MAC address into the running-configuration of your
switch. If you issue a show port-security you'll see the configured MAC
there, but not in the show run!
In order to have it in your running-configuration, you have to use the STICKY keyword:
switchport port-security mac-address sticky <MAC>. That way the configured MAC address
will appear in the running-configuration, and of course you'll be able to save it!
If you do not specify any MAC address after the STICKY keyword, the switch will
dynamically learn the attached MAC address and place it into your running-configuration.
So, for example: allow two MAC addresses (1111.1111.1111 and 2222.2222.2222)
on FastEthernet 0/6 (configured as an access port); if any violation of
that rule occurs, the port should be placed in the ERRDISABLE state, recovering
itself after 1 hour without any intervention; and the MAC addresses MUST appear in the
running-configuration.
How can we solve that!? Not that difficult, right!? Here's the answer:
conf t
!
! let the switch recover ports that port-security err-disabled, after 1 hour
errdisable recovery cause psecure-violation
errdisable recovery interval 3600
!
interface fastethernet 0/6
switchport mode access
! enable the feature itself; without this line the parameters below are stored but inactive
switchport port-security
switchport port-security violation shutdown
switchport port-security maximum 2
switchport port-security mac-address sticky 1111.1111.1111
switchport port-security mac-address sticky 2222.2222.2222
exit
That will meet the requirements of our question!
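A quick way to make sure a configuration really meets requirements like these (and to catch the classic mistake of setting every port-security parameter but never enabling the feature on the port) is to parse the running-config and audit it. The following is an added example, not code from the original post or from Cisco; parse_config(), audit(), check() and the two configuration snippets are constructed here, and the parser understands only the handful of commands used above.

```python
# Added example (not from the original post or from Cisco): a small auditor
# that parses an IOS-style port-security configuration and checks it against
# the requirements stated in the text. Both configs below are constructed; the
# first deliberately omits the 'switchport port-security' line so the check
# can show why the remaining lines alone do not enable the feature.
import re
from typing import Dict, List


def parse_config(text: str) -> Dict:
    """Extract global errdisable settings and per-interface port-security lines."""
    cfg = {"recovery_causes": set(), "recovery_interval": None, "interfaces": {}}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(.+)$", line, re.I)
        if m:
            name = re.sub(r"\s+", "", m.group(1)).lower()  # 'fastethernet 0/6' -> 'fastethernet0/6'
            iface = cfg["interfaces"].setdefault(name, {
                "mode": None, "enabled": False, "maximum": 1,   # IOS defaults
                "violation": "shutdown", "sticky": set(), "static": set()})
            continue
        if line == "exit":
            iface = None
            continue
        if iface is None:  # global configuration
            m = re.match(r"errdisable recovery cause (\S+)", line)
            if m:
                cfg["recovery_causes"].add(m.group(1))
            m = re.match(r"errdisable recovery interval (\d+)", line)
            if m:
                cfg["recovery_interval"] = int(m.group(1))
            continue
        # interface configuration
        if line == "switchport port-security":
            iface["enabled"] = True
            continue
        m = re.match(r"switchport mode (\S+)", line)
        if m:
            iface["mode"] = m.group(1)
            continue
        m = re.match(r"switchport port-security maximum (\d+)", line)
        if m:
            iface["maximum"] = int(m.group(1))
            continue
        m = re.match(r"switchport port-security violation (\S+)", line)
        if m:
            iface["violation"] = m.group(1)
            continue
        m = re.match(r"switchport port-security mac-address (sticky )?"
                     r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", line, re.I)
        if m:
            iface["sticky" if m.group(1) else "static"].add(m.group(2).lower())
    return cfg


def audit(cfg: Dict, iface_name: str, want_macs, want_interval: int) -> List[str]:
    """Return the ways the config misses the stated requirements (empty list = compliant)."""
    findings = []
    iface = cfg["interfaces"].get(iface_name)
    if iface is None:
        return [f"{iface_name}: no interface block found"]
    if iface["mode"] != "access":
        findings.append("interface is not an access port")
    if not iface["enabled"]:
        findings.append("'switchport port-security' missing: the port-security parameters are inactive")
    if iface["maximum"] != len(want_macs):
        findings.append(f"maximum is {iface['maximum']}, expected {len(want_macs)}")
    if iface["violation"] != "shutdown":
        findings.append(f"violation mode is {iface['violation']}, expected shutdown")
    missing = set(want_macs) - iface["sticky"]
    if missing:
        findings.append(f"addresses not configured with the sticky keyword: {sorted(missing)}")
    if "psecure-violation" not in cfg["recovery_causes"]:
        findings.append("errdisable recovery cause psecure-violation not set")
    if cfg["recovery_interval"] != want_interval:
        findings.append(f"errdisable recovery interval is {cfg['recovery_interval']}, expected {want_interval}")
    return findings


WANT_MACS = ["1111.1111.1111", "2222.2222.2222"]

# Constructed: every parameter set, but the feature itself never enabled on the port.
INCOMPLETE = """
errdisable recovery cause psecure-violation
errdisable recovery interval 3600
!
interface fastethernet 0/6
 switchport mode access
 switchport port-security violation shutdown
 switchport port-security maximum 2
 switchport port-security mac-address sticky 1111.1111.1111
 switchport port-security mac-address sticky 2222.2222.2222
exit
"""

# Constructed: the same config with the enabling command added.
COMPLETE = INCOMPLETE.replace(" switchport mode access\n",
                              " switchport mode access\n switchport port-security\n")


def check(text: str) -> List[str]:
    """Audit a config text against the FastEthernet 0/6 requirements from the text."""
    return audit(parse_config(text), "fastethernet0/6", WANT_MACS, 3600)


if __name__ == "__main__":
    for label, text in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(label, "->", check(text) or "compliant")
```

The same audit run over a variant that uses plain switchport port-security mac-address <MAC> instead of the sticky form reports the addresses as not sticky, which is exactly the running-configuration point made above.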
Also, if you type switchport port-security ? under interface configuration
mode you'll see all the available options for this command (in fact, there are just a few).
Is it difficult?! Not at all, but there are some things to keep in mind, both
for the exam and for real-life networks!
You can find more information at the following link on the Cisco website:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/command/reference/cli3.html#wp1948361