Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4789
Views
0
Helpful
0
Comments

How to configure port security on Cisco Catalyst switches running CatOS

TCC_2
Level 10
Level 10

‎06-22-2009 05:11 PM - edited ‎03-04-2019 02:32 AM

 

Introduction:

Port security is easy to configured and it allows you to secure access to a port based upon a MAC address basis.Port security can also configured locally and has no mechanism for controlling port security in a centralized fashion for distributed switches.Port security is normally configured on ports that connect servers or fixed devices, because the likelihood of the MAC address changing on that port is low. A common example of using basic port security is applying it to a port that is in an area of the physical premises that is publicly accessible. This could include a meeting room or reception area  available for public usage. By restricting the port to accept only the MAC address of the authorized device, you prevent unauthorized access if somebody plugged another device into the port.

 

Configuring port security on Catalyst switches running CatOS:

To enable port security on CatOS, you use the "set port security" command. The first step you must take is to enable port security on a particular port. You then can allow one or more MAC addresses to use a secured port. You can manually specify these addresses, allow the switch to auto-learn the addresses, or use a mixture of both. Finally, you can specify a violation action (either shut down the entire port or block unauthorized traffic), which occurs when an unauthorized MAC address is detected on the port. The set port security command has the following syntax:

 

set port security mod/port [enable | disable] [mac_addr] [age age_time]

  [maximum limit] [shutdown shutdown-time] [violation {shutdown | restrict}]

 

In the event of a security violation, the port can be configured to go into shutdown mode or restrictive mode. The port behavior depends on how the port is configured to respond to a security violation. If a security violation occurs, the link LED for that port turns orange.

 

These are the guidelines for port security configuration:

 

    -> Port security cannot be configured on a trunk port.  

    -> Port security cannot be enabled on a Switched Port Analyzer (SPAN) destination port, nor SPAN enabled on a destination port with port security enabled.  

    -> Dynamic, static, or permanent Content-Addressable Memory (CAM) entries cannot be configured on a secure port.  

    -> Port security is not supported on the three-port Gigabit Ethernet module (WS-X5403).  

    -> When port security is enabled on a port, any static or dynamic CAM entries associated with the port are cleared. All currently configured permanent CAM entries are treated as secure.   

 

configuration example:

 

Switch> (enable) set port security 3/1 enable

Port 2/1 port security enabled with the learned mac address.

Trunking disabled for Port 2/1 due to Security Mode

Switch> (enable) set port security 3/1 maximum 10

Maximum number of secure addresses set to 10 for port 3/1

Switch> (enable) set port security 3/1 00-d0-ba-11-21-31

Mac address 00-d0-ba-11-21-31 set for port 3/1

Switch> (enable) set port security 3/1 violation restrict

Port security violation on port 3/1 will cause insecure packets to be dropped

Related Information:

Cisco Catalyst 6000 Series Switches

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents