
ThinkMo EDU Share – network 26.Port Security and Port Isolation

蒂娜 No Comments 10/29/2022

Introduction to Port Security

Port security converts the dynamic MAC addresses learned on an interface into secure MAC addresses (secure dynamic MAC addresses and Sticky MAC addresses), so that only hosts whose MAC address is a secure MAC or a static MAC can communicate with the device through that interface. Hosts with any other MAC address are blocked, which strengthens device security.

Principle description

  1. Secure MAC address classification

When port security is not enabled, the device's MAC address entries can be learned dynamically or configured statically. When port security is enabled on an interface, the dynamic MAC address entries previously learned on that interface are deleted, and MAC addresses learned from then on become secure dynamic MAC addresses. From this point, only packets whose source MAC address matches a secure MAC address or a static MAC address are allowed through the interface.

If the Sticky MAC function is then enabled, the secure dynamic MAC address entries are converted into Sticky MAC entries, and newly learned MAC addresses also become Sticky MAC addresses. Once the number of secure MAC addresses reaches the configured limit, no further MAC addresses are learned, and the configured protection action is applied to the interface or to the offending packets.

  2. Actions taken when the secure MAC address limit is exceeded

After the number of secure MAC addresses on the interface has reached the limit, if the interface receives a packet whose source MAC address is not one of its secure MAC addresses, port security treats this as an attack by an illegal user and protects the interface according to the configured action. By default, the protection action is to discard the packet and report an alarm.

If the protection action shuts the interface down (error-down), you can configure automatic recovery so that the interface comes back up after the specified interval:

error-down auto-recovery cause { auto-defend | bpdu-protection | error-statistics | mac-address-flapping | port-security } interval interval-value
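As an added example (not code from the original post), the following Python model reproduces the port-security behaviour described above: secure dynamic versus Sticky MAC learning, the max-mac-num limit, the protect / restrict / shutdown actions, and error-down auto-recovery. Class and method names are my own.

```python
# Added example, not from the original post: a small model of the port-security
# behaviour described above (secure dynamic / Sticky MAC learning, the max-mac-num
# limit, and the protect / restrict / shutdown actions). Names are my own.
class PortSecurity:
    def __init__(self, max_mac_num=1, action="restrict", sticky=False):
        self.max_mac_num = max_mac_num
        self.action = action          # protect | restrict | shutdown
        self.sticky = sticky
        self.secure_macs = {}         # mac -> "dynamic" or "sticky"
        self.is_shutdown = False      # True once the port has gone error-down
        self.alarms = []              # source MACs that triggered an alarm

    def enable_sticky(self):
        """Convert existing secure dynamic entries to Sticky MAC entries."""
        self.sticky = True
        self.secure_macs = {mac: "sticky" for mac in self.secure_macs}

    def receive(self, src_mac):
        """Return True if a frame with this source MAC is forwarded."""
        if self.is_shutdown:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_mac_num:
            # Still below the limit: learn it as a secure MAC address.
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # Limit reached and the source MAC is unknown: apply the protection action.
        if self.action == "protect":
            return False                   # discard silently
        if self.action == "restrict":
            self.alarms.append(src_mac)    # discard and report an alarm (default)
            return False
        if self.action == "shutdown":
            self.alarms.append(src_mac)
            self.is_shutdown = True        # interface goes error-down
            return False
        raise ValueError(f"unknown protect-action {self.action!r}")

    def auto_recover(self):
        """Model error-down auto-recovery: bring the interface back up."""
        self.is_shutdown = False

    def entries_after_reboot(self):
        """Only Sticky entries survive a save and reboot; dynamic ones are lost."""
        return sorted(m for m, kind in self.secure_macs.items() if kind == "sticky")
```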

Application scenarios

  1. Port security is commonly used in the following two scenarios

On access layer devices: configuring port security prevents users on other ports from attacking by spoofing a legitimate user's MAC address.

On aggregation layer devices: configuring port security limits the number of access users.

Notes for access-layer use:

If access users change frequently, use port security to convert dynamic MAC addresses into secure dynamic MAC addresses. When a user leaves, the bound MAC address entry can then be cleared promptly.

If access users change rarely, use port security to convert dynamic MAC addresses into Sticky MAC addresses. The bound MAC address entries are then retained after the configuration is saved and the device restarts.

Configuration commands

port-security enable

//Enable port security function

port-security max-mac-num 5

//Configure the maximum number of secure MAC addresses the port may learn

display mac-address security

//View secure MAC address entries

port-security mac-address sticky

//Enable the Sticky MAC function of the interface

port-security protect-action {protect | restrict | shutdown}

//Configure the port security protection action

port-security aging-time time-value

//Configure the port security MAC address aging time

Port isolation

Methods and Application Scenarios of Port Isolation

  1. Port isolation configuration

port-isolate mode { l2 | all }

//Configure the port isolation mode. By default, ports are isolated at Layer 2 and can still communicate at Layer 3

port-isolate enable

//Enable the port isolation function on the interface

Port Security and Port Isolation Configuration

Port security is configured on three ports of the switch, and port isolation is configured on the same ports to prohibit communication between the three PCs.

  1. Configuration commands
[SW]dis current-configuration
#
sysname SW
#
port-isolate mode all
//Configure the port isolation mode to isolate at both Layer 2 and Layer 3
#
interface GigabitEthernet0/0/1
 port-security enable
 //Enable port security
 port-security protect-action shutdown
 //Set the port security protection action to shutdown
 port-security max-mac-num 3
 //Limit the port to 3 secure MAC addresses
 port-security mac-address sticky
 //Set the secure MAC address mode to sticky
 port-isolate enable group 1
 //Add the port to port isolation group 1
#
interface GigabitEthernet0/0/2
 port-security enable
 port-security protect-action shutdown
 port-security max-mac-num 3
 port-security mac-address sticky
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port-security enable
 port-security protect-action shutdown
 port-security max-mac-num 3
 port-security mac-address sticky
 port-isolate enable group 1
#

Note: When configuring multiple ports, you can configure a port group first, add the ports to be configured into the port group, and then configure multiple ports at the same time.
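As an added example (not part of the original post), the following Python script parses a VRP "display current-configuration" dump like the one above and reports any port that lacks the port-security and port-isolation settings this configuration intends. The sample dump is constructed, and GigabitEthernet0/0/4 is deliberately incomplete so the audit has something to report.

```python
# Added example, not from the original post: audit a VRP config dump for the
# port-security / port-isolation settings used above. SAMPLE_CONFIG is constructed.
SAMPLE_CONFIG = """\
port-isolate mode all
#
interface GigabitEthernet0/0/1
 port-security enable
 port-security protect-action shutdown
 port-security max-mac-num 3
 port-security mac-address sticky
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port-security enable
 port-security max-mac-num 50
#
"""

def parse_interfaces(config):
    """Return {interface name: [commands]} from a VRP config dump."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "#":
            current = None           # '#' closes the current view
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_interface(cmds, max_allowed=3):
    """Return the list of findings for one port; an empty list means compliant."""
    findings = []
    if "port-security enable" not in cmds:
        findings.append("port-security not enabled")
    if "port-security protect-action shutdown" not in cmds:
        findings.append("protect-action is not shutdown")
    limits = [int(c.split()[-1]) for c in cmds if c.startswith("port-security max-mac-num ")]
    if not limits or limits[0] > max_allowed:
        findings.append(f"max-mac-num missing or above {max_allowed}")
    if "port-security mac-address sticky" not in cmds:
        findings.append("sticky MAC not enabled")
    if not any(c.startswith("port-isolate enable") for c in cmds):
        findings.append("port isolation not enabled")
    return findings

def audit(config, max_allowed=3):
    return {name: audit_interface(cmds, max_allowed)
            for name, cmds in parse_interfaces(config).items()}
```

Running audit(SAMPLE_CONFIG) returns an empty finding list for GigabitEthernet0/0/1 and four findings for GigabitEthernet0/0/4.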
