Port Security on a Cisco Switch
What is Port Security?
Port security is a feature available on Cisco Catalyst switches that allows a network administrator to configure individual switch ports to allow only a specific number of source MAC addresses to be learned on that port.
This stops an attacker who plugs in a hub or an unmanaged switch from attaching many devices behind a single port, and it blunts MAC flooding attacks, which try to overflow the switch's MAC address table with frames from thousands of forged source addresses, because the port will only ever learn the configured number of addresses.
Configuring Port Security
Port security can be applied only to access ports or to trunk ports whose mode has been set manually (switchport mode trunk). It cannot be applied to a port that negotiates its mode with DTP (Dynamic Trunking Protocol), that is, one in switchport mode dynamic auto or dynamic desirable; on such a port the switchport port-security command is rejected, so set the mode explicitly first.
To enable port security on an interface:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
By default, port security allows only one MAC address to be learned on the port. To change this limit, use the switchport port-security maximum command:
Switch(config-if)# switchport port-security maximum 5
Port Security Violation Actions
A violation occurs when a frame arrives on a secure port from a source MAC address that is not yet secured while the port already holds its configured maximum, or when an address secured on one port appears on another secure port in the same VLAN. The switch then takes one of three actions:
- Protect - Silently drops frames from unknown source addresses until enough secure MAC addresses are removed to bring the count below the maximum. Nothing is logged and no counter is incremented, so violations in this mode are invisible unless you inspect the port's traffic
- Restrict - Drops frames from unknown source addresses in the same way, but also increments the SecurityViolation counter, logs a syslog message and sends an SNMP trap
- Shutdown - Puts the interface into the error-disabled state immediately, logs a syslog message, sends an SNMP trap and increments the violation counter. This is the default action, and the port stays down until it is recovered (see Recovering from Error-Disabled State below)
To configure the violation action:
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
Configuring Secure MAC Addresses
There are several ways to configure which MAC addresses are allowed on a port:
Static Secure MAC Addresses
You can manually configure specific MAC addresses that are allowed on the port:
Switch(config-if)# switchport port-security mac-address 1234.5678.90AB
Dynamic Secure MAC Addresses
The switch can learn source MAC addresses dynamically, up to the configured maximum. Dynamic secure addresses live only in the MAC address table: they are never written to the configuration and are lost when the switch restarts, after which the port simply learns whatever connects next. Dynamic learning therefore limits how many devices can use the port, not which ones.
Sticky Secure MAC Addresses
Sticky learning lets the switch learn MAC addresses dynamically and then writes each learned address into the running configuration as a switchport port-security mac-address sticky entry, giving you the convenience of dynamic learning with the persistence of static configuration:
Switch(config-if)# switchport port-security mac-address sticky
The learned addresses are added to the running configuration only; save it with copy running-config startup-config, or they are lost at the next reload like any other unsaved change.
Verifying Port Security
To view port security configuration and status, use these commands:
Switch# show port-security
Switch# show port-security interface fastethernet 0/1
Switch# show port-security address
Recovering from Error-Disabled State
If a port is put into error-disabled state due to a security violation, you can recover it in two ways:
Manual Recovery
Switch(config)# interface fastethernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Automatic Recovery
Configure the switch to automatically recover from error-disabled state:
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
With this configuration the switch re-enables a port that was error-disabled by a port security violation after 300 seconds (5 minutes). The interval is one global timer shared by every errdisable cause you enable (range 30 to 86400 seconds), not a per-cause value. Recovery only brings the port back up; if the offending device is still attached, its next frame triggers another violation and the port is disabled again. Use show errdisable recovery to confirm which causes are enabled and the current timer value.
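The commands above combined into one complete configuration, as an added example that is not from the original page or from Cisco documentation: three access ports with different learning and violation policies, plus the global recovery setting. The interface names, VLAN numbers, descriptions, the 600-second interval and the MAC address 0011.2233.4455 are placeholders chosen for this example.

```cisco
! Added example: a complete port-security configuration combining the
! commands above. Interface names, VLAN numbers, descriptions, the
! recovery interval and the MAC address are placeholders, not values
! from the original page.
!
! Global: re-enable ports that port security has error-disabled after
! 10 minutes. The interval is shared by every errdisable cause enabled.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! User port: an IP phone with a PC plugged into its PC port, so two
! source MACs are legitimate. Sticky learning pins those two addresses
! once seen; restrict keeps the port up but counts, logs and traps any
! third address. The mode must be set to access before port security is
! enabled, or the port-security command is rejected on a DTP port.
interface FastEthernet0/1
 description User port - IP phone with PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Server port: exactly one known NIC (placeholder MAC), configured
! statically so nothing else is ever learned. Violation mode is left at
! the default (shutdown): an unexpected second address on a server port
! is worth an outage and an alert.
interface FastEthernet0/2
 description Server - fixed MAC
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
!
! Lab port: dynamic learning only, up to three addresses. Inactivity
! aging frees a slot 10 minutes after a device goes quiet, so the limit
! is not used up by devices that have been unplugged. Protect mode drops
! extra addresses silently, so this port never becomes error-disabled
! and does not rely on the recovery timer.
interface FastEthernet0/3
 description Lab bench - dynamic learning with aging
 switchport mode access
 switchport access vlan 40
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
 switchport port-security aging type inactivity
 switchport port-security aging time 10
```

Once the phone and PC on FastEthernet0/1 have sent traffic, show port-security interface FastEthernet0/1 should report Port Status Secure-up, Violation Mode Restrict, Maximum MAC Addresses 2, Sticky MAC Addresses 2 and Security Violation Count 0, and show running-config interface FastEthernet0/1 will contain two switchport port-security mac-address sticky lines followed by the learned addresses; run copy running-config startup-config so they survive a reload. show errdisable recovery confirms that psecure-violation is enabled with the 600-second timer.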
Port Security Best Practices
- Use sticky learning for end-user ports to balance security and convenience
- Set appropriate maximum MAC address limits based on your network requirements
- Consider using restrict mode instead of shutdown where availability matters more than strict enforcement: restrict keeps the port up for the legitimate addresses while still counting, logging and trapping each violation, whereas shutdown lets anyone take a port offline simply by plugging a second device into it
- Regularly monitor port security violations using the show port-security commands, and forward the syslog messages and SNMP traps that restrict and shutdown generate to your logging or monitoring system
- Implement automatic recovery for error-disabled ports with an interval long enough that a rogue device which is still connected does not keep flapping the port
Port security is an effective layer 2 control that limits how many devices can attach through each switch port and, with static or sticky addresses, which ones. Keep in mind that it checks only the source MAC address, which an attacker can set freely, so it raises the bar against casual connections and MAC flooding rather than authenticating devices; where device identity matters, pair it with 802.1X.