These statically configured MAC addresses are added to a switch’s running configuration and CAM table. ■ Static secure MAC address: An administrator can statically configure which MAC addresses exist off specific ports using the switchport port-security mac-address address command issued in interface configuration mode. Ports support one of three types of secure MAC addresses: A violation also can occur when a MAC address on one secure port appears on a different secure port. Therefore, after a port security violation occurs, no traffic is transmitted on that port.Ī port security violation doesn’t occur only after a port learns a maximum number of MAC addresses or after an unknown source MAC address attempts to enter the port. Not only does the shutdown option generate the same notifications as the restrict option, but it also shuts down the port. ■ Shutdown: The shutdown option is the strictest approach.
However, the restrict option sends an SNMP trap and a syslog message and increments a violation counter when a port security violation occurs. ■ Restrict: The restrict option operates similarly to the protect option.
Also, no notifications are sent if a port security violation occurs. However, frames with known (that is, learned) source MAC addresses are transmitted. ■ Protect: When configured for protect, a switch port drops frames with an unknown source MAC address after the switch port reaches its configured maximum number of secure MAC addresses. When a switch port security violation occurs, you can configure the switch port to respond in one of three ways: Cisco recommends that port security be configured on a switch before a switch is deployed in the network, to be proactive instead of reactive. Cisco Catalyst port security features can be used to combat CAM table overflow attacks and MAC address spoofing attacks.
0 kommentar(er)
