Simple Layer 2 security
This section shows the port-security features of a switch.
Damn… I need a switch with full security features; I will probably buy a 2950 switch next year.
I will do this using Packet Tracer version 5.2.
Switch(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally
Some switch interfaces come configured by Cisco as dynamic or desirable. As far as security is concerned, it is undesirable for a switch port to change to trunk or access mode on the fly. What dynamic and desirable mean is: if I connect a switch to a specific interface of another switch, that interface will change to trunk automatically, and if I connect a PC to the switch interface (for example fa0/1), the interface will automatically change to access mode.
For this example, the 2950's FastEthernet 0/1 will be the trunk port connecting to the router.
Switch(config-if)#switchport mode trunk
Set the remaining ports to access mode.
Switch(config)#interface range fa0/2 - 24
Switch(config-if-range)#switchport mode access
Configure all my FastEthernet interfaces to allow only one MAC address.
If more than one MAC address is seen on a switch port, the port will be shut down.
The last statement turns on the port-security feature.
Note: if you are using IP phones, you have to change the maximum to 2. Here is why:
an IP phone has one FastEthernet port that connects to the switch and another Ethernet port that connects to the PC, so two MAC addresses will appear on the switch port: the PC's and the IP phone's.
Switch(config)#interface range fa0/1 - 24
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security violation shutdown
Switch(config-if-range)#switchport port-security
This statement tells the switch to remember the first MAC address that is plugged into the interface; if another PC connects to the port, the port will be error-disabled.
Switch(config-if-range)#switchport port-security mac-address sticky
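As an added example that is not part of the original post: a small Python audit that parses an IOS-style running-config and flags ports that deviate from the settings above (mode left dynamic so DTP can still negotiate, port-security not enabled, maximum above 1, or sticky learning off). The sample config, the interface names and the phone_ports parameter (which allows the maximum of 2 from the IP-phone note) are constructed for this example.

```python
import re
# Constructed sample running-config (not captured from a real switch): a pinned
# trunk uplink, a hardened access port, a DTP-default port, a half-configured port.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
interface FastEthernet0/3
 switchport mode dynamic desirable
interface FastEthernet0/4
 switchport mode access
 switchport port-security maximum 2
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def audit_port(lines, max_allowed=1):
    """Findings for one port; an empty list means it matches the post's settings."""
    findings = []
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode not in ("access", "trunk"):
        findings.append("mode not pinned to access or trunk (DTP negotiation possible)")
    if mode == "trunk":
        return findings  # the uplink; the post applies port-security to access ports
    if "switchport port-security" not in lines:
        findings.append("port-security not enabled")
    m = re.search(r"^switchport port-security maximum (\d+)$", "\n".join(lines), re.M)
    maximum = int(m.group(1)) if m else 1  # IOS default when no 'maximum' line is set
    if maximum > max_allowed:
        findings.append(f"maximum {maximum} exceeds allowed {max_allowed}")
    if "switchport port-security mac-address sticky" not in lines:
        findings.append("sticky MAC learning not enabled")
    return findings

def audit_config(config, phone_ports=()):
    """Audit every interface; ports in phone_ports may learn 2 MACs (phone + PC)."""
    return {n: audit_port(l, 2 if n in phone_ports else 1) for n, l in parse_interfaces(config).items()}
```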