What command should you use to save the configuration of the sticky addresses

Issuing the switchport port-security mac-address sticky command will allow a switch to save a dynamically learned MAC address in the running-configuration of the switch, which prevents the administrator from having to document or configure specific MAC addresses. Once the approved MAC addresses have all been learned, the network administrator simply saves the running-configuration file to NVRAM with the copy running-config startup-config command.

Switches dynamically build MAC address tables in RAM, which allow the switch to forward incoming frames to the correct target port. By default, an unlimited number of MAC addresses can be learned on a single switch port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one or more specific MAC addresses that are allowed to connect, and by defining a violation policy (such as disabling the port) for when additional hosts try to connect. The following command secures a switch port by manually defining an allowed MAC address:

switch(config-if)# switchport port-security mac-address 00C0.35F0.8301

This command statically defines the MAC address 00C0.35F0.8301 as an allowed host on the switch port. Manually configuring all of your switch ports in this way, however, would require documenting all of your existing MAC addresses and configuring them individually per switch port, which could be an extremely time-consuming task.

By default, there is no limit to the number of MAC addresses a switch can learn on an interface, and all MAC addresses are allowed. If we want, we can change this behavior with port security. Let’s take a look at the following situation:


In this topology, someone connected a cheap (unmanaged) switch that they brought from home to the FastEthernet 0/1 interface of our Cisco switch. Sometimes people like to bring an extra switch from home to the office. As a result, our Cisco switch will learn the MAC addresses of H1 and H2 on its FastEthernet 0/1 interface.

Of course, we don’t want people to bring their own switches and connect them to our network, so we want to prevent this from happening. This is how we can do it:

Switch(config)#interface fa0/1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1

Use the switchport port-security command to enable port security. I have configured a maximum of 1, so only one MAC address is allowed on the interface. Once the switch sees another MAC address on the interface, it will be in violation, and something will happen. I’ll show you what happens in a bit…

Besides setting a maximum on the number of MAC addresses, we can also use port security to filter MAC addresses. You can use this to only allow specific MAC addresses. In the example below, I configure port security so that it only allows MAC address aaaa.bbbb.cccc. This is not the MAC address of my computer, so it’s perfect for demonstrating a violation.

Switch(config)#interface fa0/1
Switch(config-if)#switchport port-security mac-address aaaa.bbbb.cccc

Use the switchport port-security mac-address command to define the MAC address that you want to allow. Now we’ll generate some traffic to cause a violation:

C:\Documents and Settings\H1>ping 1.2.3.4

I’m pinging a bogus IP address; there is nothing with IP address 1.2.3.4, I just want to generate some traffic. Here’s what you will see:

SwitchA#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0090.cc0e.5023 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

We have a security violation, and as a result, the port goes into the err-disable state. As you can see, it is now down. Let’s take a closer look at port security:

Switch#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0090.cc0e.5023:1
Security Violation Count   : 1

Here is a useful command to check your port security configuration. Use show port-security interface to see the port security details per interface. You can see that the violation mode is shutdown and that the last violation was caused by MAC address 0090.cc0e.5023 (H1).

Switch#show interfaces fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
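The syslog lines and the show port-security output above are what a monitoring system would ingest to spot a violation and an err-disabled port. The following parser is an added example (not code from the original page or from Cisco); the sample log and show output are constructed copies of the lines above, and the function names are my own.

```python
import re

# Constructed sample syslog lines, modelled on the violation output shown above.
SAMPLE_LOG = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0090.cc0e.5023 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
"""

# Constructed copy of the 'show port-security interface fa0/1' output shown above.
SAMPLE_SHOW = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0090.cc0e.5023:1
Security Violation Count   : 1
"""

# Offending MAC (Cisco dotted-hex form) and port from a PSECURE_VIOLATION message.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$",
    re.IGNORECASE,
)
# Port that the PM subsystem moved to err-disable because of port security.
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation .* putting (?P<port>\S+) in err-disable state"
)

def parse_violations(log: str) -> list[dict]:
    """One record per PSECURE_VIOLATION line: the MAC that tripped it and the port."""
    return [
        {"mac": m["mac"].lower(), "port": m["port"]}
        for m in map(VIOLATION_RE.search, log.splitlines()) if m
    ]

def errdisabled_ports(log: str) -> set[str]:
    """Ports the switch put in err-disable for a port-security violation."""
    return {m["port"] for m in map(ERRDISABLE_RE.search, log.splitlines()) if m}

def parse_show_port_security(output: str) -> dict[str, str]:
    """Turn the 'Key : Value' lines of show port-security interface into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(" : ")   # first ' : ' splits key from value
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_secure_shutdown(fields: dict[str, str]) -> bool:
    """True when the port sits in Secure-shutdown, i.e. it needs shutdown / no shutdown."""
    return fields.get("Port Status") == "Secure-shutdown"
```

Feeding real syslog into parse_violations and errdisabled_ports gives you the helpdesk ticket (which port, which MAC) before the user calls.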

Shutting down the interface after a security violation is a good idea (security-wise), but the problem is that the interface will stay in the err-disable state. This probably means another call to the helpdesk and you bringing the interface back to the land of the living! Let’s activate it again:

Switch(config)#interface fa0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown

To get the interface out of the err-disable state, you need to type “shutdown” followed by “no shutdown.” Only typing “no shutdown” is not enough!

It might be easier if the interface could recover itself after a certain time. You can enable this with the following command:

What is sticky command?

The sticky command is used to avoid the pain of statically configuring each and every MAC address on the switch port.

What is the function of MAC address sticky command?

Persistent (Sticky) MAC is a Layer 2 port security feature that prevents unauthorized devices from connecting to your network. When this feature is enabled, the switch observes the incoming source MAC addresses on a configured port and dynamically learns and saves each address to memory.

Which command will save a dynamically learned MAC address in the running configuration of a Cisco switch?

switchport port-security mac-address sticky

Issuing the switchport port-security mac-address sticky command will allow a switch to save a dynamically learned MAC address in the running-configuration of the switch, which prevents the administrator from having to document or configure specific MAC addresses.

What command lists the configuration settings for port security on an interface?

The show mac address-table secure command does list the address and port.