Port security is your first line of defence. By that I mean that it is the measure closest to the host. Block unwanted hosts from accessing your network by defining the allowed MAC addresses.
First, enter the interface, set it to access mode and enable port security on it (port security is only accepted on access ports, and the sub-commands below have no effect until it is switched on):
TestSwitch(config)#int gigabitEthernet 0/0
TestSwitch(config-if)#switchport mode access
TestSwitch(config-if)#switchport port-security
Then you can define the number of MAC addresses that will be allowed on that specific port. Depending on the switch type you can define any number between 1 and 4097. By default only 1 address is allowed.
TestSwitch(config-if)#switchport port-security maximum 1
Now you can define the MAC address that will be allowed.
TestSwitch(config-if)#switchport port-security mac-address 0027.1015.E7E8
At the end of the basic setup, define the security measure that will be applied to the port in case of a rule violation. You can configure 3 measures: protect, restrict and shutdown:
- protect drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
- restrict drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, and causes the SecurityViolation counter to increment.
- shutdown puts the interface into the error-disabled state immediately and sends an SNMP trap notification.
TestSwitch(config-if)#switchport port-security violation shutdown
Now you can verify your port security configuration by typing the following (partial output shown):
TestSwitch#sh port-security interface gigabitEthernet 0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
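To check that every access port actually went through all of the steps above, a configuration audit is more reliable than reading one interface at a time. The following is an added example (not from the tutorial) that parses a constructed running-config excerpt: Gi0/0 follows the steps above, Gi0/1 is an access port on which port security was never enabled, and Gi0/2 is a trunk, which port security does not apply to.

```python
"""Audit Cisco IOS port-security on access ports (added example, not from the
tutorial). SAMPLE_CONFIG is a constructed running-config excerpt."""
import re
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0027.1015.E7E8
interface GigabitEthernet0/1
 switchport mode access
interface GigabitEthernet0/2
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def audit_port_security(config):
    """Per access port: enabled?, maximum, violation mode, static MACs.
    IOS defaults (maximum 1, violation shutdown) apply when a keyword is absent."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunk/routed ports: port-security does not apply
        entry = {"enabled": "switchport port-security" in lines,
                 "maximum": 1, "violation": "shutdown", "static_macs": []}
        for sub in lines:
            if m := re.fullmatch(r"switchport port-security maximum (\d+)", sub):
                entry["maximum"] = int(m.group(1))
            elif m := re.fullmatch(r"switchport port-security violation (\S+)", sub):
                entry["violation"] = m.group(1)
            elif m := re.fullmatch(r"switchport port-security mac-address ([0-9a-fA-F.]+)", sub):
                entry["static_macs"].append(m.group(1).lower())
        report[name] = entry
    return report

def unprotected_access_ports(config):
    """Access ports lacking 'switchport port-security' (sub-commands alone do nothing)."""
    return sorted(n for n, e in audit_port_security(config).items() if not e["enabled"])
```

Run it against a saved `show running-config` and the list returned by `unprotected_access_ports` is exactly the set of access ports still open to any host.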
There are more configuration options, such as sticky MAC addresses. A sticky MAC address is a MAC address that is dynamically learned on a secured port and kept as a secure address.
I hope that this tutorial was informative to you and thank you for visiting this website.