lab2924a# conf t
lab2924a(config)# int fa0/7
lab2924a(config-if)# port security
lab2924a(config-if)# port security max-mac-count 1
lab2924a(config-if)# port security action shutdown
lab2924a(config)# int fa0/8
lab2924a(config-if)# port security
lab2924a(config-if)# port security max-mac-count 1
lab2924a(config-if)# port security action shutdown
lab2924a(config)# int fa0/9
lab2924a(config-if)# port security
lab2924a(config-if)# port security max-mac-count 1
lab2924a(config-if)# port security action shutdown
lab2924a(config)# int fa0/10
lab2924a(config-if)# port security
lab2924a(config-if)# port security max-mac-count 1
lab2924a(config-if)# port security action shutdown
<...snip...you get the idea...>
...and then repeat the config on lab2924b. To make sure everything is working as expected, you go to the server room and disconnect the cable from your port on the switch to the patch panel, then connect your laptop directly into the port. After getting a DHCP address from the server, you disconnect your laptop and connect a second laptop to the same port, and notice the link light briefly turns orange as spanning-tree reconverges, then goes out. You connect your laptop to another unused port, renegotiate an IP address with the DHCP server, then log in to the switch. You notice that the switchport to which the second laptop is still connected shows that it is "administratively down":
lab2924a# sho int fa0/9
FastEthernet0/9 is administratively down, line protocol is down
<...snip...>
You double-check the running configuration in RAM, to make sure that you plugged the second laptop into the correct port, and it shows the port is configured up -- looks like port security is working properly! To reset the port, you run "shut" on fa0/9, turn off port security, then run "no shut" and watch as the port comes up again (after a minute or so delay while spanning tree reconverges again). Since you have a spare laptop plugged into fa0/9, and that's your network port, you disconnect the second laptop, replace the cable in the patch panel, then return to your office before re-enabling port security on fa0/9.
Note: By this point, I'm starting to think that it might have been wise to spend a little more on a more modern switch for my CCNA practice. Once again, the commands I need to practice for the current CCNA exam are not supported on the switch I purchased (sigh...). On a modern switch, the procedure (in theory) goes like this:
switch(config)# int fa0/9
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security mac-address 0015.c508.5d92
...to statically assign a MAC address to the port-security feature (IOS takes the address in dotted H.H.H form), or:
switch(config)# int fa0/9
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security mac-address sticky
...to have the switch automatically learn and keep the first MAC address it sees on the port, or:
switch(config)# int fa0/9
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 5
...to automatically use the first five MAC addresses the switch learns from a given port. Next, you can select from three possible actions when the switch detects a violation. I'll show examples of a port that simply discards offending traffic (fa0/9), that discards and logs offending traffic (fa0/10), and that shuts down a port entirely (fa0/11):
switch(config)# int fa0/9
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)# switchport port-security violation protect
switch(config)# int fa0/10
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)# switchport port-security violation restrict
switch(config)# int fa0/11
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)# switchport port-security violation shutdown
Also, on newer switches, you supposedly only have to shut/no shut the interface to clear an automatic "shutdown" on a port when a violation occurs. On my 2924, a shut/no shut didn't release the port.
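Since the per-port commands above are repeated by hand on every access port of both switches, here is a small generator, added as an example and not code from the original post, that emits them in either the legacy 2924 syntax or the modern IOS syntax, writes out the recovery sequence for a port that port security has shut, and picks the "administratively down" interfaces out of a "show interfaces" dump. The port numbers, the "switchport mode access" step, and the "no port security" command used for the legacy recovery are assumptions, not something the post shows.

```python
"""Port-security config generator for a range of Catalyst access ports.
Added example, not code from the original post: writes the per-interface
commands the post repeats by hand, in the legacy 2900XL syntax or the modern
IOS syntax, and picks admin-down ports out of a "show interfaces" dump.
Port numbers, modes and the 'no port security' step are assumptions."""
import re

LEGACY_ACTIONS = ("shutdown", "trap")               # 2900XL: port security action ...
MODERN_MODES = ("protect", "restrict", "shutdown")  # IOS: switchport port-security violation ...

def port_security_config(ports, legacy=False, max_macs=1, violation="shutdown", sticky=True):
    """Config lines for FastEthernet0/<n> for every n in `ports`."""
    if violation not in (LEGACY_ACTIONS if legacy else MODERN_MODES):
        raise ValueError(f"violation mode {violation!r} not valid for this syntax")
    lines = ["configure terminal"]
    for n in ports:
        lines.append(f"interface FastEthernet0/{n}")
        if legacy:
            lines += ["port security",
                      f"port security max-mac-count {max_macs}",
                      f"port security action {violation}"]
        else:
            # IOS refuses port-security on a dynamic (DTP) port, so pin access mode first
            lines += ["switchport mode access",
                      "switchport port-security",
                      f"switchport port-security maximum {max_macs}",
                      f"switchport port-security violation {violation}"]
            if sticky:
                lines.append("switchport port-security mac-address sticky")
    lines.append("end")
    return lines

def recover_port(n, legacy=False):
    """Bring a violation-shut port back: modern IOS needs shut/no shut only;
    the post's 2924 also needed port security turned off first (assumed command)."""
    steps = ["shutdown"] + (["no port security"] if legacy else []) + ["no shutdown"]
    return ["configure terminal", f"interface FastEthernet0/{n}", *steps, "end"]

ADMIN_DOWN = re.compile(r"^(\S+) is administratively down, line protocol is down")

def admin_down_interfaces(show_interfaces_text):
    """Names of interfaces a 'show interfaces' dump reports as administratively down."""
    return [m.group(1) for line in show_interfaces_text.splitlines()
            if (m := ADMIN_DOWN.match(line))]

# constructed 'show interfaces' excerpt, in the form the post quotes
SAMPLE_SHOW_INT = """FastEthernet0/8 is up, line protocol is up
FastEthernet0/9 is administratively down, line protocol is down
FastEthernet0/10 is down, line protocol is down (notconnect)"""
```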
Maybe with all the vast wealth that I should receive from prospective employers after earning my CCNA (yeah, right...) I'll spring for a newer switch before starting in on the CCNP ;)