Port security on Cisco switches

Port security is your first line of defence. By that I mean it is the measure closest to the host: it blocks unwanted hosts from accessing your network by defining which MAC addresses are allowed on a port.

First, enable port security on the interface.

TestSwitch(config)#int gigabitEthernet 0/0
TestSwitch(config-if)#switchport mode access
TestSwitch(config-if)#switchport port-security

Then you can define the number of MAC addresses that will be allowed on that specific port. Depending on the switch type you can define any number between 1 and 4097. By default only 1 address is allowed.

TestSwitch(config-if)#switchport port-security maximum 1

Now you can define the MAC address that will be allowed.

TestSwitch(config-if)#switchport port-security mac-address 0027.1015.E7E8

At the end of the basic setup, define the security measure that will be applied to the port in case of a rule violation. You can configure 3 measures: shutdown, protect and restrict:

  • protect drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value.
  • restrict drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value, and causes the SecurityViolation counter to increment.
  • shutdown puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

TestSwitch(config-if)#switchport port-security violation shutdown

Now you can verify your port-security configuration by typing the following (the rest of the output is omitted):

TestSwitch#sh port-security interface gigabitEthernet 0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
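To review this output across many ports rather than by eye, here is an added example (not from the original post) that parses the "Field : Value" lines of show port-security interface and flags the settings a reviewer would question: port security not enabled, the silent protect mode, a port already err-disabled, a non-zero violation counter, or a maximum above the policy value. The sample outputs are constructed, and the field names beyond those shown above (Maximum MAC Addresses, Security Violation Count) are assumed from the standard IOS layout.

```python
import re

# Constructed sample output (not from a real switch); the field names follow
# the 'show port-security interface' layout shown in the tutorial.
HEALTHY = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
Maximum MAC Addresses      : 1
Security Violation Count   : 0
"""

# Constructed: port security is on, but 'protect' hides violations and the
# maximum is far above the single host the tutorial allows.
WEAK = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
Maximum MAC Addresses      : 8
Security Violation Count   : 0
"""

# 'Field : Value'; the greedy group keeps colons inside a field name intact.
FIELD_RE = re.compile(r"^(.*\S)\s+:\s+(.*)$")

def parse_port_security(text):
    """Map each 'Field : Value' line of the show output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit(fields, max_allowed=1):
    """Return the findings a reviewer would raise; empty means the port is sane."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    if fields.get("Violation Mode", "").lower() == "protect":
        findings.append("violation mode 'protect' drops silently (no counter, no trap)")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled after a violation")
    if int(fields.get("Security Violation Count", "0")) > 0:
        findings.append("security violation counter is non-zero")
    if int(fields.get("Maximum MAC Addresses", "1")) > max_allowed:
        findings.append("maximum MAC addresses exceeds the policy value")
    return findings
```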

There are further options, such as sticky MAC addresses. A sticky MAC address is one that the switch learns dynamically on a secured port and then keeps as a secure address.

I hope that this tutorial was informative to you and thank you for visiting this website.

Dejan Dzodan

IT professional for more than 15 years, mostly in financial institutions but with experience in ISP and retail. Proven in networking and overall infrastructure projects. Cisco instructor.