In this tutorial, we shall look at port security and how it is configured. Port security is a security feature on Cisco Catalyst Switches that is configured to restrict input to an interface by limiting or assigning particular MAC addresses of hosts that are allowed to access the port. When port security is configured on a particular port, it allows access for only allowed MAC address(es) on the port. Any unauthorized MAC address that connects to the port cannot access network resources.
Configuring Port Security
In this tutorial, we shall use the topology below to configure port security on our switch.
Configure the IP address 172.16.1.1/24 on Host0, and also make it a web server
Configure IP address 172.16.1.2/24 on Host1. See also Host1’s MAC address
Configure address 172.16.1.3/24 on Host2. Note that Host2 is not connected to the Switch nor any device. Note Host2’s MAC address as well.
On the Switch:
Now let’s configure Port Security on port fa02 the switch with commands below:
Enter configuration commands, one per line. End with CNTL/Z.
switch0(config-if)#switchport mode access
The command switchport mode access sets the interface as access. By default it is dynamic desirable mode, and cannot be configured as a secure port.
Next, we enable port security with the switchport port-security command.
The Switchport port-security command has three other options under it. You can view with the command
switchport port-security ? as in the screenshot below:
The mac-address option:
The option also has two sub options, the Static and the Sticky. You can view with the command
switchport port-security mac-address ? command, in the screenshot below:
The static method is used to define the exact mac address of the host you want to allow access on the port. With the sticky method, the interface automatically learns the mac address of the host connected to it.
In our example, we shall use the sticky method:
switch0(config-if)#switchport port-security mac-address sticky
The maximum option:
This options allows you to set the number of hosts that can be associated with an interface. The default maximum number allowed is 1. You can however assign the maximum number of allowed hosts to meet your requirement. The Pocket CLI App allows up to 5 hosts. In our example, we set it to 1:
switch0(config-if)#switchport port-security maximum 1
The Violation option:
The port-security violation has three sub options; protect, restrict, shutdown, as shown in the screenshot below:
In the protect mode, frames from non-allowed address(es) will be dropped without logging any entry on the switch. This mode works with the sticky mac-address method. The addresses are learned till the maximum number is reached, and any other additional address will be dropped.
In the Restrict mode, apart from the frame from non-allowed ports being dropped, the switch logs the entry and also generates a security violation alert.
The shutdown mode is the default violation mode for port security. In this mode, the switch will generate a violation alert and shutdown the interface. We shall use this mode in our example:
switch0(config-if)#switchport port-security violation shutdown
On our next tutorial, we shall look at how to verify and test port security.
Note: The Pocket CLI App supports custom mac address for hosts. You can simply change the mac address of a host manually to test port security without having to disconnect and reconnect a new host.