How to configure Layer 2 security on a switch

Port Security

Cat3750#show port-security interface fastEthernet 1/0/2
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

!-- Default port security configuration on the switch.

Cat3750#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat3750(config)#interface fastEthernet 1/0/2
Cat3750(config-if)#switchport port-security
Command rejected: FastEthernet1/0/2 is a dynamic port.

!-- Port security can only be configured on static access ports or trunk ports.

Cat3750(config-if)#switchport mode access

!-- Sets the interface switchport mode to access.

Cat3750(config-if)#switchport port-security

!-- Enables port security on the interface.

Cat3750(config-if)#switchport port-security mac-address 0011.858D.9AF9

!-- Sets the secure MAC address for the interface.

Cat3750(config-if)#switchport port-security violation shutdown

!-- Sets the violation mode to shutdown. This is the default mode.

Cat3750#

!-- Connected a different PC (PC 4) to the FastEthernet 1/0/2 port
!-- to verify the port security feature.

00:22:51: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/2,
putting Fa1/0/2 in err-disable state
00:22:51: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 0011.8565.4B75 on port FastEthernet1/0/2.
00:22:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2,
changed state to down
00:22:53: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to down

!-- The interface shuts down when a security violation is detected.

Cat3750#show interfaces fastEthernet 1/0/2
FastEthernet1/0/2 is down, line protocol is down (err-disabled)

!-- Output suppressed.

!-- The port is shown as error-disabled. This verifies the configuration.

!-- Note: When a secure port is in the error-disabled state,
!-- you can bring it out of this state by entering
!-- the errdisable recovery cause psecure-violation global configuration command,
!-- or you can manually re-enable it by entering the
!-- shutdown and no shutdown interface configuration commands.

Cat3750#show port-security interface fastEthernet 1/0/2
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.8565.4B75:1
Security Violation Count : 1
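The two "show port-security interface" captures above are what an operator reads to confirm that a violation happened and which MAC caused it. The following Python is an added example (not part of the original page and not Cisco code) that parses that output into fields and classifies a port for monitoring, so the same check can be run over captures from many ports; the sample strings are constructed from the output shown above, and the function and field names are the example's own.

```python
import re

# Constructed sample: the "show port-security interface" output from the
# switch above, captured after the violation (not live device output).
VIOLATION_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.8565.4B75:1
Security Violation Count : 1
"""

# Constructed sample: the same command on a port where port security is off.
DEFAULT_OUTPUT = """\
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
"""

MAC_DOTTED = re.compile(r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}")


def parse_port_security(text):
    """Turn 'show port-security interface' output into a dict of field -> value.

    Lines look like 'Key : Value'; splitting on the first ' : ' keeps the
    compound key 'Last Source Address:Vlan' and its 'MAC:VLAN' value intact.
    """
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def assess_port(fields):
    """Classify one port for monitoring.

    Returns a dict with:
      state      - 'disabled' (feature off), 'violation' (a violation was
                   counted or the port sits in Secure-shutdown) or 'ok'
      violations - Security Violation Count as an int
      last_mac   - MAC that last sent traffic on the port (None if all-zero)
      last_vlan  - VLAN of that last source address
    """
    count = int(fields.get("Security Violation Count", "0"))
    last = fields.get("Last Source Address:Vlan", "0000.0000.0000:0")
    mac, _, vlan = last.rpartition(":")
    if not MAC_DOTTED.fullmatch(mac) or mac == "0000.0000.0000":
        mac = None
    result = {
        "violations": count,
        "last_mac": mac,
        "last_vlan": int(vlan) if vlan.isdigit() else None,
    }
    if fields.get("Port Security") != "Enabled":
        result["state"] = "disabled"
    elif count > 0 or fields.get("Port Status") == "Secure-shutdown":
        result["state"] = "violation"
    else:
        result["state"] = "ok"
    return result


def ports_needing_attention(outputs):
    """outputs maps interface name -> command output; returns the sorted
    interfaces whose state is anything other than 'ok'."""
    return sorted(
        intf for intf, text in outputs.items()
        if assess_port(parse_port_security(text))["state"] != "ok"
    )


if __name__ == "__main__":
    for name, text in {"Fa1/0/2": VIOLATION_OUTPUT, "Fa1/0/5": DEFAULT_OUTPUT}.items():
        print(name, assess_port(parse_port_security(text)))
```

A port reported as "violation" is the one to correlate with the %PORT_SECURITY-2-PSECURE_VIOLATION syslog line and, if errdisable recovery is not configured, to re-enable by hand as the note above describes; a port reported as "disabled" on an access VLAN is a configuration gap rather than an incident.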

DHCP Snooping

Cat3750#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat3750(config)#ip dhcp snooping

!-- Enables DHCP snooping on the switch.

Cat3750(config)#ip dhcp snooping vlan 1

!-- DHCP snooping is not active until DHCP snooping is enabled on a VLAN.

Cat3750(config)#no ip dhcp snooping information option

!-- Disables the insertion and removal of the option-82 field, if the
!-- DHCP clients and the DHCP server reside on the same IP network or subnet.

Cat3750(config)#interface fastEthernet 1/0/3
Cat3750(config-if)#ip dhcp snooping trust

!-- Configures the interface connected to the DHCP server as trusted.

Cat3750#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet1/0/3          yes        unlimited

!-- Displays the DHCP snooping configuration for the switch.

Cat3750#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:85:A5:7B:F5   10.0.0.2         86391       dhcp-snooping  1     FastEthernet1/0/1
00:11:85:8D:9A:F9   10.0.0.3         86313       dhcp-snooping  1     FastEthernet1/0/2
Total number of bindings: 2

!-- Displays the DHCP snooping binding entries for the switch.

Cat3750#

!-- A DHCP server connected to an untrusted port is not able
!-- to assign IP addresses to the clients.

Dynamic ARP Inspection

Cat3750#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat3750(config)#ip arp inspection vlan 1

!-- Enables dynamic ARP inspection on the VLAN.

Cat3750(config)#interface fastEthernet 1/0/3
Cat3750(config-if)#ip arp inspection trust

!-- Configures the interface connected to the DHCP server as trusted.

Cat3750#show ip arp inspection vlan 1

Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled

Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
   1  Enabled        Active

Vlan  ACL Logging  DHCP Logging
----  -----------  ------------
   1  Deny         Deny

!-- Verifies the dynamic ARP inspection configuration.

IP Source Guard

Cat3750#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat3750(config)#ip dhcp snooping
Cat3750(config)#ip dhcp snooping vlan 1

!-- See the DHCP Snooping section of this document for
!-- DHCP snooping configuration information.

Cat3750(config)#interface fastEthernet 1/0/1
Cat3750(config-if)#ip verify source

!-- Enables IP source guard with source IP filtering.

Cat3750#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  -----
Fa1/0/1    ip           active       10.0.0.2                            1

!-- For VLAN 1, IP source guard with IP address filtering is configured
!-- on the interface and a binding exists on the interface.
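The three features in the DHCP Snooping, Dynamic ARP Inspection and IP Source Guard sections all key off the same DHCP snooping binding table shown above. The following Python is an added example (not part of the original page and not Cisco code) that parses that binding table and then models each decision the switch makes with it: server-side DHCP messages are accepted only from trusted ports, an ARP packet on an untrusted port must carry a sender MAC/IP pair that matches a binding for the VLAN, and an IP packet on a port with "ip verify source" must carry a source IP bound on that port. The binding sample is constructed from the output above, the trusted-port set and every function name are the example's own, and the DAI model is deliberately simplified: it ignores ARP ACLs and the extra MAC/IP validation options the output shows as disabled.

```python
import re
from dataclasses import dataclass

# Constructed sample mirroring the "show ip dhcp snooping binding" output
# above (not captured from a live device).
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:85:A5:7B:F5   10.0.0.2         86391       dhcp-snooping  1     FastEthernet1/0/1
00:11:85:8D:9A:F9   10.0.0.3         86313       dhcp-snooping  1     FastEthernet1/0/2
Total number of bindings: 2
"""

# Assumed: the ports configured with 'ip dhcp snooping trust' and
# 'ip arp inspection trust' (Fa1/0/3 in the configuration above).
TRUSTED = {"FastEthernet1/0/3"}

# DHCP message types only a server sends; these are dropped on untrusted ports.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    mac: str        # normalized aa:bb:cc:dd:ee:ff
    ip: str
    vlan: int
    interface: str


# One binding row: MAC, IP, lease, type, VLAN, interface.
BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)$"
)


def normalize_mac(mac):
    """Accept Cisco dotted form (0011.858D.9AF9) or colon form and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_bindings(text):
    """Parse the binding table into Binding records; header, rule and total lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, ip, vlan, intf = m.groups()
            bindings.append(Binding(normalize_mac(mac), ip, int(vlan), intf))
    return bindings


def dhcp_snooping_permit(ingress, msg_type):
    """DHCP snooping: server-originated messages are accepted only from trusted ports;
    client messages (DISCOVER, REQUEST, ...) are accepted anywhere."""
    if msg_type.upper() in SERVER_MESSAGES:
        return ingress in TRUSTED
    return True


def dai_permit(bindings, ingress, vlan, sender_mac, sender_ip):
    """Dynamic ARP inspection (simplified model): ARP on a trusted port passes;
    on an untrusted port the sender MAC/IP pair must match a binding in that VLAN."""
    if ingress in TRUSTED:
        return True
    mac = normalize_mac(sender_mac)
    return any(b.vlan == vlan and b.mac == mac and b.ip == sender_ip for b in bindings)


def ipsg_permit(bindings, ingress, vlan, src_ip):
    """IP source guard with source IP filtering ('ip verify source'): an IP packet is
    forwarded only if a binding for its source IP exists on that port and VLAN."""
    return any(b.interface == ingress and b.vlan == vlan and b.ip == src_ip for b in bindings)


if __name__ == "__main__":
    table = parse_bindings(BINDING_OUTPUT)
    print("rogue DHCP OFFER on Fa1/0/4 allowed:", dhcp_snooping_permit("FastEthernet1/0/4", "OFFER"))
    print("ARP from Fa1/0/2 claiming 10.0.0.2 allowed:",
          dai_permit(table, "FastEthernet1/0/2", 1, "0011.858D.9AF9", "10.0.0.2"))
    print("IP packet on Fa1/0/1 from 10.0.0.3 allowed:", ipsg_permit(table, "FastEthernet1/0/1", 1, "10.0.0.3"))
```

The ordering matters for operations: until DHCP snooping is enabled on the VLAN the table is empty, so DAI on untrusted ports denies every ARP packet and IP source guard blocks every client; that is why both later sections start by enabling DHCP snooping, and why the trusted-port set must include the uplink to the DHCP server before either feature is turned on.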