Dear Friend Jude,
I have this for you
1) for ssh enabling
line vty 0 4
transport input ssh
login local
For Port security removal
conf t
no switchport port-security
for securing over mac
conf t
Switch(config)# interface gig 0/1
Switch(config-if)# switchport port-security mac-address ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky
Set port to protect
conf t
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport protected
Set RSTP
MSTP—This spanning-tree mode is based on the IEEE 802.1s standard. You can map multiple VLANs to the same spanning-tree instance, which reduces the number of spanning-tree instances required to support a large number of VLANs. The MSTP runs on top of the RSTP (based on IEEE 802.1w), which provides for rapid convergence of the spanning tree by eliminating the forward delay and by quickly transitioning root ports and designated ports to the forwarding state. In a switch stack, the cross-stack rapid transition (CSRT) feature performs the same function as RSTP. You cannot run MSTP without RSTP or CSRT
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
| Command | Purpose |
|---|
Step 1 | configure terminal | Enter global configuration mode. |
Step 2 | interface interface-id | Specify the interface to be configured, and enter interface configuration mode. |
Step 3 | switchport mode {access | trunk} | Set the interface switchport mode as access or trunk; an interface in the default mode (dynamic auto) cannot be configured as a secure port. |
Step 4 | switchport voice vlan vlan-id | Enable voice VLAN on a port. vlan-id—Specify the VLAN to be used for voice traffic. |
Step 5 | switchport port-security | Enable port security on the interface. |
Step 6 | switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]] | (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. (Optional) vlan—set a per-VLAN maximum value Enter one of these options after you enter the vlan keyword: • vlan-list—On a trunk port, you can set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used. •access—On an access port, specify the VLAN as an access VLAN. •voice—On an access port, specify the VLAN as a voice VLAN. Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses. |
Step 7 | switchport port-security [violation {protect | restrict | shutdown | shutdown vlan}] | (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these: •protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit. •restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. •shutdown—The interface is error disabled when a violation occurs, and the port LED turns off. A syslog message is logged, and the violation counter increments. •shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error disabled instead of the entire port when a violation occurs. Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command. |
Step 8 | switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}] | (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. Note If you enable sticky learning after you enter this command, the secure addresses that were dynamically learned are converted to sticky secure MAC addresses and are added to the running configuration. (Optional) vlan—set a per-VLAN maximum value. Enter one of these options after you enter the vlan keyword: •vlan-id—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used. •access—On an access port, specify the VLAN as an access VLAN. •voice—On an access port, specify the VLAN as a voice VLAN. Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses. |
Step 9 | switchport port-security mac-address sticky | (Optional) Enable sticky learning on the interface. |
Step 10 | switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}] | (Optional) Enter a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running configuration. Note If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address. (Optional) vlan—set a per-VLAN maximum value. Enter one of these options after you enter the vlan keyword: •vlan-id—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used. •access—On an access port, specify the VLAN as an access VLAN. •voice—On an access port, specify the VLAN as a voice VLAN. Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. |
Step 11 | end | Return to privileged EXEC mode. |
Step 12 | show port-security | Verify your entries. |
Step 13 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |
TFTP
Needs to install tftp in the server and you must be able to ping the router/switch from the tftp server and able to telnet the ports of tftp server and vice versa.
You may also follow the link as guided by Rick
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a008020260d.shtml
Please rate all the help full posts, it may help others to find the answers quickly
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
