Cisco WS-C2960G-8TC-L Configuration page 20

376
Chapter 12: Initial Switch Configuration
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum value
switch(config-if)# switchport port-security violation
switch(config-if)# switchport port-security mac-address MAC_address
switch(config-if)# switchport port-security mac-address sticky
Be familiar with configuring
port security with the switchport
port-security commands (enabling it,
First, you must enter the appropriate interface where you want to set up restricted
security. The first command, switchport mode access, defines the interface
as a host (access) port instead of a trunk port (trunking is explained in Chapter 13).
The second command places the access port in a specific VLAN (also discussed
Set the maximum to
1 address for an interface to prevent
spoofing of MAC addresses: only one
MAC address is learned.
The fifth command on the interface specifies what should occur if a security
violation occurs—the MAC address is seen connected to a different port. Three
options are possible:
protect When the number of secure addresses reaches the maximum
■
number allowed, any additionally learned addresses will be dropped. This
applies only if you have enabled the sticky option, discussed in the next
paragraph.
restrict Causes the switch to generate a security violation alert.
■
shutdown Causes the switch to generate an alert and to disable the
■
interface. The only way to re-enable the interface is to use the no shutdown
command. This is the default violation mode if you don't specify the mode.
protect|restrict|shutdown
limiting the MAC addresses, violation mode,
and sticky learning).
in Chapter 13). The third command on the
interface, switchport port-security,
enables port security (it is disabled, by default).
The fourth command, switchport port-
security maximum, specifies the maximum
number of devices that can be associated with
the interface. This defaults to 1 and can range
from 1 to 132.