• Port-Security
    • Used to limit access based on MAC address
    • Violation modes
      • Shutdown (default)
        • Puts the port into the err-disabled state
      • Protect
        • Violators cannot send traffic in
      • Restrict
        • Violators cannot send traffic in
        • Switch sends syslog/snmp trap
    • Can be applied to trunk and access ports, not to ports in dynamic (negotiated) mode.
    • Secure MAC addresses
      • A secure MAC can belong to only one port
      • Static
      • Learned (dynamic)
      • Sticky
    • Trunk Ports
      • Support per-vlan limits (default unlimited)
      • Port limit is aggregate across all VLANs.
    • Keep in mind FHRP when using port-security
      • HSRP/VRRP/GLBP
    • Avoid using the ‘protect’ violation mode on trunks.
      • Disables MAC learning once limit is reached for any VLAN.
    • Consider multiple MACs for IP phones.
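An added configuration example (not from the original post) showing the port-security points above in Catalyst IOS syntax: sticky learning with restrict mode on a user port, a per-VLAN limit for an IP phone plus PC, an aggregate and per-VLAN limit on a trunk, and err-disable recovery. Interface numbers, VLAN IDs and the comment about FHRP MAC counts are assumptions for illustration.

```cisco
! User access port: learn one MAC, keep it as sticky, log violations via
! syslog/SNMP trap without err-disabling the port (restrict mode)
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! IP phone plus PC on one port: one MAC on the data VLAN, one on the
! voice VLAN, so the phone does not trigger a violation (default shutdown)
interface GigabitEthernet1/0/6
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security violation shutdown
!
! Trunk: aggregate limit across all VLANs plus a per-VLAN limit.
! Note (assumption): on a port facing HSRP/VRRP/GLBP routers the virtual
! MAC shows up in addition to each router's physical MAC, so size the
! maximum accordingly.
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 50
 switchport port-security maximum 10 vlan 10,20
 switchport port-security violation restrict
!
! Let ports err-disabled by a violation recover on their own after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification
show port-security interface GigabitEthernet1/0/5
show port-security address
show errdisable recovery
```

With restrict mode the switch keeps counting violations per port (visible in show port-security interface), which is the counter to watch in monitoring; shutdown mode gives a hard stop but relies on err-disable recovery or manual intervention to bring the port back.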
  • Port Protection
    • Protected ports cannot exchange L2 frames.
    • Used to prevent devices on the same VLAN from communicating at layer 3.
      • switchport protected
      • Limited to one switch.
    • Ex.: prevent a compromised web server from launching a DoS against other hosts in the same VLAN.
    • Unknown unicast and multicast packets are allowed.
      • Could be disabled explicitly.
  • Static CAM Entries
    • Points to a fixed port.
    • Can be used for null routing.
  • Storm Control
    • Limits amount of Broadcast/Multicast/Unicast traffic allowed in port.
      • Ingress rate limiting only
    • ‘storm-control <xcast> level’
      • Level is a percentage of the interface speed, not of bandwidth.
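An added configuration example (not from the original post) covering the three remaining features above in Catalyst IOS syntax: protected ports with unknown unicast/multicast flooding blocked, static CAM entries including a drop entry, and ingress storm control with a trap action. Interface numbers, VLAN IDs and MAC addresses are constructed; the drop form of the static MAC entry is assumed to be supported on the platform in use.

```cisco
! Protected ports: these hosts in VLAN 10 cannot exchange L2 frames with
! each other on this switch (isolation does not extend to other switches)
interface range GigabitEthernet1/0/7 - 8
 switchport mode access
 switchport access vlan 10
 switchport protected
 ! unknown unicast and multicast are still flooded to protected ports
 ! by default; block them explicitly
 switchport block unicast
 switchport block multicast
!
! Static CAM entry pinning a server MAC (constructed) to one port ...
mac address-table static 0011.2233.4455 vlan 10 interface GigabitEthernet1/0/9
! ... and a drop entry that discards frames to/from a MAC (constructed),
! the L2 equivalent of null routing
mac address-table static 0011.2233.aaaa vlan 10 drop
!
! Storm control (ingress only): level is a percentage of the port's link
! speed; send an SNMP trap instead of err-disabling the port
interface GigabitEthernet1/0/10
 storm-control broadcast level 1.00
 storm-control multicast level 2.00
 storm-control unicast level 5.00
 storm-control action trap
!
! Verification
show interfaces GigabitEthernet1/0/7 switchport
show mac address-table static
show storm-control GigabitEthernet1/0/10
```

The storm-control thresholds are deliberately per-port and conservative; on a 1 Gb/s link a 1.00 broadcast level means roughly 10 Mb/s of broadcast before suppression starts, so tune the values to what the attached hosts legitimately generate before relying on the trap as a detection signal.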
