cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
293896
Views
32
Helpful
6
Comments
TCC_2
Level 10
Level 10

 

Introduction:

Port security is easy to configured and it allows you to secure access to a port based upon a MAC address basis.Port security can also configured locally and has no mechanism for controlling port security in a centralized fashion for distributed switches.Port security is normally configured on ports that connect servers or fixed devices, because the likelihood of the MAC address changing on that port is low. A common example of using basic port security is applying it to a port that is in an area of the physical premises that is publicly accessible. This could include a meeting room or reception area  available for public usage. By restricting the port to accept only the MAC address of the authorized device, you prevent unauthorized access if somebody plugged another device into the port.

 

Configuration Steps:

 

By default, the switchport security feature is disabled on all switchports and must be enabled.

 

1) Your switch interface must be L2 as "port security" is configure on an access interface.You can make your L3 switch port to an access interface by using the "switchport" command.

 

2) Then you need to enable port security by using the "switchport port-security" command. This can also be applied in a range of the interfaces on a switch or individual interfaces.

 

3) This step is optional, but you can specify how many MAC addresses the switch can have on one interface at a time. If this setting is not applied the default of one MAC address is used. The command to configure this is as follows, "switchport port-security maximum N" (where N can be from 1 to 6272) Keep in mind the range the number of maximum MAC address depends on the hardware and Cisco IOS you use.

 

4) This step is also optional, but you can define the action to take when a violation occurs on that interface or interfaces. The default is to shut down the interface or interfaces. The command to configure this is as follows "switch port-security violation { protect | restrict | shutdown }"

 

Protect which discards the traffic but keeps the port up and does not send a SNMP message.

Restrict which discards the traffic and sends a SNMP message but keeps the port up

Shutdown which discards the traffic sends a SNMP message and disables the port. (This is the default behavior is no setting is specified.)

 

5) You can specify the MAC address that is allowed to access the network resources manually by using the command "switchport port-security mac-address value". Use this command multiple times if you want to add more than one MAC address.

 

6) If you don’t want to configure manually every single MAC address of your organization then you can have the switch learn the MAC address dynamically using the "switchport port-security mac-address sticky" command. This command allow switch to learn the first MAC address that comes into on the interface.

Configuration Example:

 

Switch(config)# interface gig0/2

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security maximum 1

Switch(config-if)# switchport port-security mac-address 00-d0-ba-11-21-31

Switch(config-if)# switchport port-security violation shutdown

Switch(config-if)#end

 

To Verify the port security status use "show port-security"

Related Information:

Configuring Port Security

Comments
CCNA_isnt_available_offline
Community Member

so issuing the following:

interface range fastEthernet 0/1-24

switchport mode access

switchport port-security

switchport port-security maximum 1

switchport port-security mac address sticky

switchport port security violation shutdown

end

copy run start

---

Will this allow 1 static MAC on the whole (24 port) switch (no matter where that MAC is plugged in) or does it allow the first MAC plugged into each port on a per-port basis?

Hi Sir, 

I have a Question for you , One Mac Address is enough for all (0-24) Ports on Switch, For a security. 

Bibin George
Level 1
Level 1

@ CCNA_isnt_available_offline,

 

In your example, the range command is used - which means on all 24 ports, each can learn one mac address (as the maximum mac is set to 1).

So answering your question - it allows the first MAC plugged into each port on a per-port basis.

 

Thanks,

Bibin

Star_sulaiman
Level 1
Level 1

Hello All,

 

I am planning to secure all our none used switch ports in our Cisco Catalyst for a security risks and stop our IT members to put different devices to a different VLANs.

in our DHCP Server we have different devices in different VLAN, example, Printers, APs are in the Data VLAN just because the plugged in a wrong ports.

 

I want to tidy our DHCP servers and switch ports.

 

I have few ideas but I would appreciated if someone have any suggestions and done things like that before.

 

Thank you for your time.

Regards,

Star 

caspat
Level 1
Level 1

Is there a way to find and change port security config on multiples switches, ~500?

Via Prime, script... 

Thanks! 

 

samt510
Level 1
Level 1

can I exchange between devices that the switch has learned their MAC addresses if I already configured port security?

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking for a $25 gift card