Port security is a layer two traffic control feature on Cisco Catalyst switches. . It enables an administrator configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter the addition by users of “dumb” switches to illegally extend the network .Port security can also be configured locally and has no mechanism for controlling port security in a centralized fashion for distributed switches. Port security is normally configured on ports that connect servers or fixed devices, because the likelihood of the MAC address changing on that port is low. By restricting the port to accept only the MAC address of the authorized device, we prevent unauthorised access if somebody plugged another device into the port. If one wants to ensure that only a certain device—for example, a server—is plugged into a particular switch port, you can configure the MAC address of the server as a static entry associated with the switch port.
Configuring the Port Security feature is relatively easy.Simply, port security requires going to an already enabled switch port and entering the port-security Interface Mode command.
Port security can’t be applied to a Layer 3 port , hence first , one needs to convert the Switch port to layer 2 by issuing following command on the specific port –
E.g. –
SW1(config)# interface Fa0/1
SW1(config-if)# switchport
Now that we have made the port configured as Layer 2 and part of Vlan, let’s see what options are seen while enabling port security –
SW1>enable
SW1(config-if)# switchport port-security ?
aging = Port-security aging commands
mac-address = Secure mac address
maximum = Max secure addresses
violation = Security violation mode
USAGE OF “MAC-ADDRESS” IN PORT SECURITY –
As in above statement, “mac-address” specifies the MAC address that is allowed to access the network resources manually by using the command
E.g. –
SW1(config-if)# switchport port-security mac-address 0a-b0-ba-11-22-33
Additionally, in case each switch needs to be manually configured with mac address of connected device, the activity will take hours to complete. Cisco has a way to achieve this condition by configuring the switch to learn the MAC address dynamically using the “switchport port-security mac-address sticky” command.
USAGE OF “MAXIMUM” IN PORT SECURITY –
One can specify how many MAC addresses the switch can have on one interface at a time. The command to configure this is as follows, “switchport port-security maximum N” (where N can be from 1 to 6272).Also, let’s be aware that the number of maximum MAC address depends on the hardware and Cisco IOS in use.
USAGE OF “VIOLATION” IN PORT SECURITY –
By using above keyword , adminsitator can define the action to take when a violation occurs on that interface or interfaces. The default is to shut down the interface or interfaces. The command to configure this is as follows “switch port-security violation { protect | restrict | shutdown }”
Protect which discards the traffic but keeps the port up and does not send a SNMP message.
Restrict which discards the traffic and sends a SNMP message but keeps the port up
Shutdown which discards the traffic sends a SNMP message and disables the port. (This is the default behavior is no setting is specified.)
Related- Cisco Catalyst 9400 vs 9500
ABOUT THE AUTHOR
I am here to share my knowledge and experience in the field of networking with the goal being – “The more you share, the more you learn.”
I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed interest in networking being in the company of a passionate Network Professional, my husband.
I am a strong believer of the fact that “learning is a constant process of discovering yourself.”
– Rashmi Bhardwaj (Author/Editor)
