### Protecting the CAM Table Using Port Security
Port security is a feature on Cisco switches that controls which, and how many, MAC addresses a switch port is allowed to learn. It protects the Content Addressable Memory (CAM) table, which stores the MAC-address-to-port mappings the switch forwards by. An attacker who floods a port with frames carrying thousands of forged source MAC addresses can fill that table; once it is full the switch floods unknown-destination frames out of every port, behaving like a hub, and the attacker can sniff traffic that would normally be delivered only to its destination port. Capping the number of addresses a port may learn, and shutting the port down when the cap is exceeded, defeats that attack, and a static or sticky address list additionally keeps unexpected devices off the port.
This tutorial will cover the steps to configure port security, the types of port security, and the implications of using this feature. It includes terminal commands and detailed explanations.
#### Prerequisites
- Cisco switch with IOS that supports port security.
- Console access to the switch.
- Basic knowledge of Cisco IOS commands.
### Step 1: Access the Switch
1. Connect to the switch console using a terminal emulator (e.g., PuTTY, Tera Term).
2. Enter privileged EXEC mode:
```plaintext
Switch> enable
```
3. Enter global configuration mode:
```plaintext
Switch# configure terminal
```
### Step 2: Configure Port Security on a Specific Interface
Choose the interface where you want to enable port security. In this example, we will configure `FastEthernet 0/1`. The port must already be in static access (or trunk) mode, for example via `switchport mode access`; the switch rejects `switchport port-security` on a port whose mode is dynamic, which is the default on many platforms.
1. Enter the interface configuration mode:
```plaintext
Switch(config)# interface fastEthernet 0/1
```
2. Enable port security on the interface:
```plaintext
Switch(config-if)# switchport port-security
```
### Step 3: Set the Maximum Number of MAC Addresses
Port security lets you cap the number of secure MAC addresses a port may hold, counting both statically configured and dynamically learned addresses. The default is 1. When a frame arrives from an address beyond that limit, or from an address that is already secured on another port in the same VLAN, a security violation occurs and the configured violation action runs.
1. Set the maximum number of MAC addresses (e.g., 2):
```plaintext
Switch(config-if)# switchport port-security maximum 2
```
### Step 4: Configure the Action on Violation
You can configure how the switch reacts when a violation occurs. There are three modes. `protect` silently drops frames from source addresses beyond the limit, with no log message, SNMP trap or counter increment. `restrict` drops them too, but increments the violation counter, logs a syslog message and sends an SNMP trap. `shutdown`, the default, puts the port into the error-disabled state, which also cuts off the legitimate devices on that port until it is re-enabled. `protect` is rarely appropriate because it hides the event from operators. In this example, we will use `shutdown`.
1. Set the violation action:
```plaintext
Switch(config-if)# switchport port-security violation shutdown
```
### Step 5: Define Secure MAC Addresses
You can manually specify which MAC addresses are allowed on the interface. Frames from any other source address count against the maximum and, beyond it, trigger a violation. Keep in mind that a MAC address is trivially spoofed, so this raises the bar against a casual plug-in rather than authenticating the device.
1. Add a secure MAC address (e.g., `0011.2233.4455`). Cisco IOS expects the dotted three-group format; the colon-separated form `00:11:22:33:44:55` is not accepted:
```plaintext
Switch(config-if)# switchport port-security mac-address 0011.2233.4455
```
2. You can also enable sticky MAC addresses. The switch then learns addresses dynamically up to the maximum and writes each one into the running configuration as `switchport port-security mac-address sticky <address>`, so the learned set survives a link flap and, once the configuration is saved, a reboot:
```plaintext
Switch(config-if)# switchport port-security mac-address sticky
```
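Steps 2 through 5, together with `switchport mode access`, leave an interface stanza like the one for FastEthernet0/1 at the top of the following script. The script is an added example, not part of the original tutorial or of any Cisco tool: it audits a `show running-config` capture for access ports where port security is missing, the maximum exceeds a policy value, or the silent `protect` mode is used. The configuration text is constructed sample input; the `max_allowed` policy value and the interfaces other than FastEthernet0/1 are assumptions.

```python
import re

# Constructed sample of a `show running-config` excerpt (not taken from the
# tutorial's switch). Fa0/1 reflects Steps 2-5 plus `switchport mode access`;
# Fa0/2 and Fa0/3 are deliberately weak so the audit has something to report.
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Split a running-config into {interface name: [indented config lines]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any unindented line ends the interface block
    return interfaces


def audit_port_security(config, max_allowed=2):
    """Return {interface: [findings]} for access ports with weak or missing port security.

    max_allowed is an assumed site policy. IOS defaults apply when a keyword is
    absent from the stanza: maximum 1 and violation mode shutdown.
    """
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunk and dynamic ports are outside this check
        issues = []
        if "switchport port-security" not in lines:
            issues.append("port security not enabled")
        else:
            maximum, violation = 1, "shutdown"
            for line in lines:
                m = re.match(r"switchport port-security maximum (\d+)", line)
                if m:
                    maximum = int(m.group(1))
                m = re.match(r"switchport port-security violation (\w+)", line)
                if m:
                    violation = m.group(1)
            if maximum > max_allowed:
                issues.append(f"maximum {maximum} exceeds policy limit {max_allowed}")
            if violation == "protect":
                issues.append("violation mode 'protect' drops silently (no log/counter)")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_port_security(SAMPLE_RUNNING_CONFIG).items():
        print(port)
        for issue in issues:
            print("  -", issue)
```

Run it against a real capture by reading the file into `audit_port_security` instead of the embedded sample; ports that pass (Fa0/1 here) produce no entry, and the trunk is skipped because per-port maximums on trunks are normally set per VLAN rather than for the whole port.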
### Step 6: Verify the Port Security Configuration
To confirm that port security is configured correctly, return to privileged EXEC mode with `end` and use the following command:
```plaintext
Switch# show port-security interface fastEthernet 0/1
```
This command displays the port security state of the specified interface: whether it is enabled, the port status (`Secure-up` while operating normally, `Secure-shutdown` once a violation has error-disabled it), the violation mode, the maximum number of secure MAC addresses, the total, configured and sticky address counts, the last source address and VLAN seen, and the security violation count.
### Step 7: Monitor Port Security
You can monitor port security violations and the secure MAC addresses the switch currently holds with the following commands:
1. Show the general port security status:
```plaintext
Switch# show port-security
```
2. To list the secure MAC addresses themselves, with their type (SecureConfigured, SecureSticky or SecureDynamic), VLAN and port, use `show port-security address`. To check a specific interface for violations and the last offending source address:
```plaintext
Switch# show port-security interface fastEthernet 0/1
```
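As an added example that is not part of the original tutorial, the following script parses the output of `show port-security interface` and pulls out what an operator needs after a violation: whether the port is error-disabled, how many violations were counted, and which source address and VLAN last tripped it. The output sample is constructed to represent FastEthernet 0/1 after an unexpected device was plugged in; the field names follow the IOS output format, and the values are assumptions.

```python
# Constructed sample output of `show port-security interface fastEthernet 0/1`
# (not captured from the tutorial's switch; values are assumed).
SAMPLE_SHOW_PSEC_IF = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.4457:1
Security Violation Count   : 1
"""


def parse_port_security_interface(text):
    """Turn the 'Key : Value' lines of the command output into a dict."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)  # keys may contain ':' themselves
        fields[key.strip()] = value.strip()
    return fields


def assess_port(text):
    """Summarise the port's state from parsed output."""
    f = parse_port_security_interface(text)
    last = f.get("Last Source Address:Vlan", "")
    mac, _, vlan = last.rpartition(":")  # "0011.2233.4457:1" -> mac, vlan
    return {
        "enabled": f.get("Port Security") == "Enabled",
        "err_disabled": f.get("Port Status") == "Secure-shutdown",
        "violation_mode": f.get("Violation Mode", ""),
        "violations": int(f.get("Security Violation Count", "0")),
        "at_limit": f.get("Total MAC Addresses") == f.get("Maximum MAC Addresses"),
        "last_mac": mac,
        "last_vlan": int(vlan) if vlan.isdigit() else None,
    }


def needs_attention(report):
    """True when someone should look at the port: it tripped, or it is full
    in a mode that would drop new devices without taking the port down."""
    if report["err_disabled"] or report["violations"] > 0:
        return True
    return report["at_limit"] and report["violation_mode"] in ("Protect", "Restrict")


if __name__ == "__main__":
    r = assess_port(SAMPLE_SHOW_PSEC_IF)
    print(r)
    print("needs attention:", needs_attention(r))
```

Feed it the output of the command for each port (for example from a scripted SSH session) and act on the `last_mac` value before re-enabling an error-disabled port, since re-enabling with the offending device still attached trips the port again.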
### Step 8: Testing Port Security
1. Connect a device with the allowed MAC address (`0011.2233.4455`) to the configured interface. The device should have access.
2. Connect a second device with a different MAC address. Since the maximum is 2 and only one address is configured statically, the second address is learned dynamically (and, with sticky enabled, written into the running configuration), so this device also gains access.
3. Connect a third device with yet another MAC address. This triggers a violation. With the `shutdown` violation mode the port goes into the error-disabled state (`show port-security interface` reports `Secure-shutdown` and `show interfaces status err-disabled` lists the port), and every device on it loses connectivity. Unplug the offending device first, then re-enable the port from interface configuration mode; `shutdown` and `no shutdown` are interface commands, not privileged EXEC commands:
```plaintext
Switch# configure terminal
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
```
If the offending device is still attached, the port error-disables again immediately. To recover such ports automatically after a timeout instead of by hand, configure `errdisable recovery cause psecure-violation` (and optionally `errdisable recovery interval <seconds>`) in global configuration mode.
### Step 9: Additional Considerations
- **Sticky MAC Address Limitation**: Keep in mind that sticky MAC addresses are written only to the running configuration. If the switch reboots before you save, they are lost and the port simply relearns whatever is plugged in at the time, which defeats the purpose of securing them. Save explicitly after the legitimate devices have been learned:
```plaintext
Switch# write memory
```
- **Maximum and CAM Table Size**: The point of the per-port maximum is to stop any single port from filling the CAM table, so keep it to the number of legitimate devices behind the port (1 for a single host, 2 for an IP phone with a PC behind it). The switch also enforces a platform-specific limit on the total number of secure addresses it can hold, which varies by switch model and is reported at the bottom of `show port-security`; a generous maximum configured on many ports can exhaust it.
- **Port Security and VLANs**: Port security can be applied to multiple interfaces, and on trunk and voice-enabled ports the maximum can be set per VLAN (`switchport port-security maximum <n> vlan {access | voice}`, or a VLAN list on a trunk) for finer control over MAC address learning.
### Conclusion
Configuring port security on your Cisco switch enhances network security by limiting the number of MAC addresses on a port and preventing unauthorized devices from accessing the network. By following the steps outlined in this tutorial, you can effectively protect the CAM table and ensure that only legitimate devices can connect to your network.
Thanks for reading the Protecting the CAM Table Using Port Security tutorial. Sorry, my English is bad :)