Configuring Port Security

This tutorial covers how to configure port security on a Cisco Catalyst switch. Port security is one of the first things you can do to protect your network from unauthorized access: it restricts a switch port so that only the devices you allow are granted access to network resources. When an unauthorized device is connected to a port, you decide what you want the switch to do about it. Let’s get started!

There are three different settings you can configure with port security:

  • Protect, which discards the offending traffic but keeps the port up and does not send an SNMP trap.
  • Restrict, which discards the offending traffic and sends an SNMP trap, but keeps the port up.
  • Shutdown, which discards the traffic, sends an SNMP trap, and disables the port. This is the default behavior if no setting is specified.

Before port security can be set up correctly, a few configuration steps need to be completed:

  • Make the switch interface an access interface with the switchport mode access command. This can be applied to a range of interfaces on a switch or to an individual interface.
  • Enable port security with the switchport port-security command. This can also be applied to a range of interfaces or to an individual interface.
  • Optionally, specify how many MAC addresses the switch may allow on one interface at a time. If this setting is not applied, the default of one MAC address is used. The command is switchport port-security maximum X (where X can be from 1 to 6272); keep in mind that the allowed range depends on the hardware and the Cisco IOS version you use.
  • Optionally, define the action to take when a violation occurs on the interface or interfaces. The default is to shut down the interface. The command is switchport port-security violation { protect | restrict | shutdown }.
  • You can manually specify a MAC address that is allowed to access network resources with the command switchport port-security mac-address <MAC address>. Repeat the command once per address if you want to allow more than one MAC address.
  • If you don't want to enter every single MAC address in your organization, you can have the switch learn them with the sticky option: switchport port-security mac-address sticky. The switch will learn the first MAC address seen on the interface or interfaces (or, if a higher maximum is configured, the first addresses up to that maximum).

The output below shows port security being configured on the range of ports fa0/1 – 10. For this example the maximum number of MAC addresses I want on one port is two, and I want the violation action changed from the default to restrict. Finally, instead of manually configuring the ports with MAC addresses, I am going to have the switch learn them with the sticky command.

Switch>enable
Switch#configure terminal
Switch(config)#interface range fastEthernet 0/1 - 10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 2
Switch(config-if-range)#switchport port-security violation restrict
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#exit
Switch(config)#exit
Switch#
%SYS-5-CONFIG_I: Configured from console by console
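Once the configuration is in place, it is worth checking that every access port really went through all of the steps above, since a port that received the maximum, violation and sticky settings but never got the enabling switchport port-security command is not protected at all. The following Python script is an added example, not part of this tutorial or of Cisco's tooling: it parses a running-config excerpt (constructed here for illustration, not taken from a real switch) and reports, per non-trunk interface, which of the steps are missing or differ from the settings used in the session above (maximum 2, violation restrict, sticky learning). The assumed platform defaults (dynamic mode, maximum 1, violation shutdown) are marked in the code.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed running-config excerpt for illustration; not output from a real switch.
# Fa0/1 matches the tutorial's settings, Fa0/2 is missing the enabling command,
# Fa0/11 was never configured, and Gi0/1 is a trunk uplink.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface FastEthernet0/11
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
"""


@dataclass
class PortSecurity:
    """Port-security state recovered from one interface stanza."""
    name: str
    mode: str = "dynamic"          # assumed platform default when no mode is configured
    enabled: bool = False          # set only by a bare 'switchport port-security'
    maximum: int = 1               # IOS default maximum
    violation: str = "shutdown"    # IOS default violation action
    sticky: bool = False
    secure_macs: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> Dict[str, PortSecurity]:
    """Walk the config line by line and collect port-security settings per interface."""
    ports: Dict[str, PortSecurity] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = PortSecurity(name=line.split(None, 1)[1].strip())
            ports[current.name] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a global command ends the interface stanza
            continue
        words = line.split()
        cmd = " ".join(words)
        if cmd.startswith("switchport mode "):
            current.mode = words[2]
        elif cmd == "switchport port-security":
            current.enabled = True
        elif cmd.startswith("switchport port-security maximum "):
            current.maximum = int(words[3])
        elif cmd.startswith("switchport port-security violation "):
            current.violation = words[3]
        elif cmd == "switchport port-security mac-address sticky":
            current.sticky = True
        elif cmd.startswith("switchport port-security mac-address sticky "):
            current.secure_macs.append(words[4])   # sticky-learned address saved in config
        elif cmd.startswith("switchport port-security mac-address "):
            current.secure_macs.append(words[3])   # statically configured address
    return ports


def audit(ports: Dict[str, PortSecurity], expected_max: int = 2,
          expected_violation: str = "restrict") -> Dict[str, List[str]]:
    """Return, per non-trunk interface, the list of deviations from the tutorial's steps."""
    findings: Dict[str, List[str]] = {}
    for name, p in ports.items():
        if p.mode == "trunk":
            continue  # trunks (uplinks) are out of scope for access-port security here
        issues = []
        if p.mode != "access":
            issues.append("not an access port (switchport mode access missing)")
        if not p.enabled:
            issues.append("port security not enabled (switchport port-security missing)")
        if p.maximum > expected_max:
            issues.append(f"maximum {p.maximum} exceeds the expected {expected_max}")
        if p.violation != expected_violation:
            issues.append(f"violation mode is {p.violation}, expected {expected_violation}")
        if not p.sticky and not p.secure_macs:
            issues.append("no secure MAC addresses (neither sticky nor static)")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit(parse_interfaces(SAMPLE_RUNNING_CONFIG)).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{iface}: {status}")
```

Run it against the text of show running-config saved from your own switch; in the constructed sample, FastEthernet0/1 passes, FastEthernet0/2 is flagged for the missing enabling command, and FastEthernet0/11 is flagged on every step, which is exactly the kind of gap that is easy to miss when configuring a range of ports by hand.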

That’s it! Port security is a good step toward keeping only authorized devices connected to the network, but keep in mind that there are plenty more security options that need to be taken into consideration. To find more information about port security, a web search will do, along with checking the Cisco documentation at Cisco.com. I hope this tutorial is helpful; please comment below with suggestions.