Friday, April 2, 2010


There are times when we want to allow only one device to be connected to each switch port. We can also restrict which MAC addresses are allowed on a switch port.
One of the best commands on a Cisco device is:
show ip int br

This gives a quick overview of all interfaces on the device: from here we can see each interface's IP address and its status. From a VTY session, you would typically not see status messages (they go to the console). To make them appear in your session, use:
terminal monitor

To view the switch's CAM table, use:
show mac address-table

Some versions use:
show mac-address-table

To hardcode a switch to be an access port, use:
switchport mode access

To turn on switch security, use:
switchport port-security

To set the action taken when more devices than allowed appear on a port, use:
switchport port-security violation shutdown

There are actually three types of violation:
Protect - Ignore violating devices
Restrict - Ignore violating devices and log the event
Shutdown - Shut down a port when a violation occurs

It is set to shutdown by default.

You can set the MAC addresses allowed through (IOS writes MAC addresses in the dotted format):
switchport port-security mac-address 1234.5678.9abc

You can automatically learn attached devices through:
switchport port-security mac-address sticky

Once sticky is entered, the MAC addresses of the currently attached devices are learned and written into the running configuration (they are not saved until you write the configuration). When you view the running configuration, you would see the attached devices listed under the sticky command:
switchport port-security mac-address sticky
switchport port-security mac-address sticky 1324.5678.9abc

When switchport port-security is turned on, a maximum of 1 device is allowed on that port. Because 1 is the default, switchport port-security maximum 1 will not show up in the configuration. To allow more than 1 device, you'll have to raise the maximum manually.
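The two points above (sticky entries land in the running configuration, and defaults such as maximum 1 and violation shutdown are not displayed) matter when you audit a switch from its configuration. The following is an added example, not code from the original post: it parses a constructed running-config excerpt, fills in the hidden IOS defaults, and flags access ports where port-security was never actually enabled.

```python
# Constructed running-config sample (not from a real switch); IOS hides defaults such as 'maximum 1'.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1234.5678.9abc
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4455
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security maximum 2
"""

# Hidden IOS defaults: maximum 1 and violation shutdown are in force but never displayed.
DEFAULTS = {"access": False, "enabled": False, "maximum": 1, "violation": "shutdown", "sticky": False}

def parse_running_config(text):
    """Return {interface name: settings dict}, filling in the hidden IOS defaults."""
    ports, cur = {}, None
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["interface"]:
            cur = ports.setdefault(w[1], dict(DEFAULTS, macs=[]))
        elif cur is None or w[:1] != ["switchport"]:
            continue
        elif w[1:3] == ["mode", "access"]:
            cur["access"] = True
        elif w[1:] == ["port-security"]:
            cur["enabled"] = True   # only this bare line actually turns port-security on
        elif w[1:3] == ["port-security", "maximum"]:
            cur["maximum"] = int(w[3])
        elif w[1:3] == ["port-security", "violation"]:
            cur["violation"] = w[3]
        elif w[1:4] == ["port-security", "mac-address", "sticky"]:
            cur["sticky"] = True
            cur["macs"].extend(w[4:])  # bare 'sticky' enables learning; with a MAC it records one
        elif w[1:3] == ["port-security", "mac-address"]:
            cur["macs"].append(w[3])
    return ports

def unsecured_access_ports(ports):
    """Access ports where 'maximum' may be set but port-security was never switched on."""
    return sorted(name for name, p in ports.items() if p["access"] and not p["enabled"])
```

Run it on the output of show run captured from a real switch to find access ports that only look secured.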

You can view a port's port-security status through:
show port-security int f0/1

When you view a port's status, you'll see either Secure-up or Secure-down. This is the same as Up or Down, with port-security applied. Secure-down does not mean that a violation has occurred. Security Violation Count tells us the number of violations encountered, and Last Source Address tells us the last offending MAC address. When a port has had a violation, it will be in the "Secure-shutdown" state.

You can configure multiple interfaces at once through:
int ran f0/2 - 12

You can also execute Privileged Mode commands such as "show run" from within configuration mode through:
do show run
