Friday, August 25, 2006

Q: How do I configure port security on my ASW (3550s or 3750s)?

A:
First, make sure your IOS supports port security. You can use the Software Advisor tool on CCO to show you which IOS versions and feature sets support it. Port security is configured at the interface level, and the interface has to be a static access port (switchport mode access): IOS rejects the port-security command on a port that is still in dynamic (DTP) mode. First, set the maximum number of secure MAC addresses allowed on the switchport. The default is 1, so if you set it to 1 the line will not show up in sho run:

  sw(config-if)# switchport port-security maximum 1

Then, choose between the three ways of learning MACs.
  • static - manually configured. The command is switchport port-security mac-address 0011.2233.4455. Static entries live in the running config and survive a reload once you copy run start.
  • dynamic - the port learns MAC addresses as usual, but stops learning more once it has reached the max. This is what you get if you configure neither of the other two. Dynamically learned secure addresses are not written to the config and are lost when the switch reloads or the port goes down.
  • sticky - the port learns addresses dynamically and writes each one into the running config as a sticky secure address. To use this, issue the interface command switchport port-security mac-address sticky. Any MACs the port has already learned dynamically are converted at that moment, and new ones are added as they are learned, so you can either wait until the port has learned the MACs you want or just turn sticky on up front. The entries appear under the interface as switchport port-security mac-address sticky 0011.2233.4455, but in the running config only. You then have to copy run start to make them survive a reload.
Next, decide how to handle security violations. A violation occurs either when the port has already reached its max number of secure MACs and a frame arrives from a MAC that is not one of them, or when a MAC that is secure on one port is seen on another secure port in the same VLAN. The effects of the three modes are:
  • protect - silently drop frames from the offending MAC addresses. No log, no trap, no counter, so you will not know it is happening unless you go looking.
  • restrict - drop the frames the same way, but also log the event (syslog message and SNMP trap) and increment the violation counter shown by sho port-security.
  • shutdown - err-disable the port. This is the default. The port stays down until you bounce it (shutdown, then no shutdown) or until it is brought back by errdisable recovery cause psecure-violation, if you have that configured globally.
After finishing the config, turn port security on with the interface command switchport port-security (there is no enable keyword). Check the settings and the current violation count with sho port-security interface f1/0/11, and see which MACs the port has actually learned with sho port-security address.
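Putting the steps above together, here is a complete port-security configuration for one access port. This is an added example, not config from the original post; the interface name matches the post, while the max of 2, the access VLAN, the choice of restrict mode and the recovery timer are assumptions picked for illustration.

```cisco
! Added example: full port-security config for one access port on a
! 3550/3750. VLAN 10, maximum 2, restrict mode and the 300 s recovery
! interval are assumptions, not values from the original post.
!
! Global: let err-disabled ports recover on their own after 5 minutes,
! so a violation in shutdown mode does not need a manual bounce.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface FastEthernet1/0/11
 description user port - port security, sticky learning
 ! port security is rejected on a dynamic (DTP) port, so force access mode
 switchport mode access
 switchport access vlan 10
 ! allow two secure MACs on this port (assumed: two devices behind it)
 switchport port-security maximum 2
 ! learn them dynamically and write each one into the running config
 switchport port-security mac-address sticky
 ! on a third MAC: drop its frames, log/trap, and bump the violation counter
 ! (replace with "violation shutdown" to err-disable the port instead)
 switchport port-security violation restrict
 ! finally turn port security on; there is no "enable" keyword
 switchport port-security
!
! Once the hosts have sent traffic, the running config gains lines like
!   switchport port-security mac-address sticky 0011.2233.4455
! under the interface. Save them or they are gone after a reload:
!   copy running-config startup-config
!
! Verify:
!   show port-security interface FastEthernet1/0/11
!   show port-security address
!   show port-security
```

The order of the interface commands is not important to IOS; the one thing that matters is that switchport mode access is in place before switchport port-security, or the latter is rejected.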