Port Security Cisco
All interfaces on a Cisco switch are enabled by default. This means that an attacker could plug a laptop into an unused wall socket, get a link to your network, and potentially launch an attack from there. Luckily, Cisco switches have a feature called port security that helps mitigate this threat.
With port security, you bind specific MAC addresses to specific interfaces on your switch. This lets you restrict an interface so that only authorized devices can use it. If an unauthorized device is connected, you decide what action the switch takes, such as discarding its traffic, generating an alert, or shutting down the port.
Three steps are required to configure switch port security:
1. Define the interface as an access interface using the switchport mode access interface subcommand. Port security cannot be enabled on a port that is still in dynamic (DTP) mode; the switch rejects the command.
2. Enable port security using the switchport port-security interface subcommand.
3. Define which MAC addresses are allowed to send frames through this interface, either statically with the switchport port-security mac-address MAC_ADDRESS interface subcommand or dynamically with the switchport port-security mac-address sticky interface subcommand. The sticky keyword instructs the switch to learn the MAC address of the currently connected host and write it into the running configuration as a secure address, so it survives a link flap and, once the configuration is saved, a reload.
Two further steps are optional:
1. Define the action the switch takes when a frame from an unauthorized device is received, using the switchport port-security violation {protect | restrict | shutdown} interface subcommand. All three options discard frames from the unauthorized device. The restrict and shutdown options additionally log a syslog message, send an SNMP trap, and increment the interface's violation counter; protect drops the frames silently. Shutdown mode also places the port in the err-disabled state.
2. Define the maximum number of secure MAC addresses allowed on the port using the switchport port-security maximum NUMBER interface subcommand. Any slots not filled by statically configured addresses can be learned dynamically.
Example: Host A is connected to Fa0/1 on SW1. To enable port security on Fa0/1, we need to define the port as an access port, enable port security, and define which MAC addresses are allowed to send frames through this interface. We can do this with the following set of commands:
Sw1(config)#int fa0/1
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address sticky
Using the show port-security interface fa0/1 command on SW1, we can see that the switch has learned the MAC address of Host A; show port-security address lists it as a sticky secure address, and it now appears in the running configuration as switchport port-security mac-address sticky followed by Host A's address.
By default, the maximum number of allowed MAC addresses is one. Consider what happens if we connect a different host to the same port: its frames arrive from a source address that is not the secure address, and the single permitted slot is already taken by Host A, so the switch treats them as a security violation.
By default, if a security violation occurs, the switch shuts down the offending port by placing it in the err-disabled state, where it forwards nothing. To re-enable the port, enter the shutdown and then no shutdown interface subcommands. Because Host A's address is sticky, it stays bound to the port after the bounce, and the unauthorized host will trigger the violation again as soon as it sends another frame. If manual recovery is impractical, the global errdisable recovery cause psecure-violation command, with errdisable recovery interval SECONDS, lets the switch re-enable the port automatically after the interval; be aware that this also re-enables a port an attacker is still plugged into.
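To make the behaviour of the optional settings and of the example above concrete, here is a small model of a port-security-enabled access port, written in Python as an added example; it is not code from the original page and it is not an IOS API. It plays a constructed stream of frames through the maximum, violation-mode and sticky-learning rules described on this page, renders the equivalent interface subcommands, and reproduces the Host A / second host scenario including the shutdown / no shutdown recovery. The class and method names, the MAC addresses and the frame stream are this example's own; the syslog text is modelled on the IOS %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE messages rather than captured from a switch, and the clearing of non-sticky learned addresses on a port bounce is an assumption of the model.

```python
"""Model of Cisco port-security semantics on one access port (added example)."""
from dataclasses import dataclass, field

FORWARD, DROP, ERRDISABLE = "forward", "drop", "errdisable"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1             # IOS default: one secure MAC per port
    violation: str = "shutdown"  # IOS default: err-disable the port
    sticky: bool = False
    static: set = field(default_factory=set)     # switchport port-security mac-address X
    learned: list = field(default_factory=list)  # dynamically / sticky learned MACs
    violations: int = 0
    err_disabled: bool = False
    running_config: list = field(default_factory=list)
    syslog: list = field(default_factory=list)   # constructed, modelled on IOS text

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.violation!r}")
        if len(self.static) > self.maximum:
            raise ValueError("more static MACs than 'maximum' allows")
        self.static = {m.lower() for m in self.static}
        self.running_config = self.config()

    def config(self):
        """Render the interface subcommands this port's state corresponds to."""
        lines = [f"interface {self.name}", " switchport mode access",
                 " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:   # sticky addresses are the only learned ones that reach the config
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.learned]
        return lines

    def secure_macs(self):
        return self.static | set(self.learned)

    def receive(self, src_mac):
        """Handle one ingress frame; returns FORWARD, DROP or ERRDISABLE."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return DROP                          # port is down, nothing passes
        if src_mac in self.secure_macs():
            return FORWARD                       # known secure address
        if len(self.secure_macs()) < self.maximum:
            self.learned.append(src_mac)         # free slot: learn the address
            if self.sticky:
                self.running_config = self.config()   # sticky: lands in running-config
            return FORWARD
        # Table full and source unknown: a violation in every mode.
        if self.violation == "protect":
            return DROP                          # silent drop, no counter, no log
        self.violations += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":
            return DROP
        self.err_disabled = True                 # shutdown mode: err-disable the port
        self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                           f"{self.name}, putting {self.name} in err-disable state")
        return ERRDISABLE

    def bounce(self):
        """Operator 'shutdown' / 'no shutdown': clears err-disable, keeps sticky MACs."""
        self.err_disabled = False
        if not self.sticky:
            self.learned.clear()   # assumption: non-sticky dynamic addresses drop with the link


def demo():
    """The page's scenario: sticky learning, default maximum of one, default shutdown."""
    port = SecurePort("FastEthernet0/1", sticky=True)
    host_a, host_b = "0011.2233.4455", "aabb.ccdd.eeff"      # constructed MACs
    first = [port.receive(host_a), port.receive(host_a), port.receive(host_b)]
    port.bounce()                                            # shutdown / no shutdown
    after = [port.receive(host_a), port.receive(host_b)]     # Host A fine, B violates again
    return first, after, port


if __name__ == "__main__":
    first, after, port = demo()
    print(first, after, "violations:", port.violations)
    print("\n".join(port.running_config))
    print("\n".join(port.syslog))
```

Running it prints forward, forward, errdisable for the first three frames and forward, errdisable after the bounce, with two violations logged and Host A's sticky entry in the rendered configuration. Constructing the port with violation="restrict" or "protect" and a larger maximum shows the other two modes: frames from the extra host are dropped, the port stays up, and only restrict writes a log line.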