Port security is a crucial feature for securing network switches. It allows network administrators to restrict access to a switch port based on MAC addresses, providing a layer of security against unauthorized devices. In this guide, we will delve into the configuration of port security on a switch using Cisco IOS commands. We will cover step-by-step instructions, along with explanations and examples.
Configuring Port Security
Step 1: Access the Interface Configuration Mode
To begin, access the interface configuration mode for the specific interface or a range of interfaces. Use the following commands:
S1(config)# interface fa0/1
Or, for a range of interfaces:
S1(config)# interface range fa0/1 - 15, gi1/1
Step 2: Set the Interface Mode to Access
Switch ports are often in dynamic (DTP) mode by default, and port security cannot be enabled on a port in dynamic mode. Set the port to static access mode first:
S1(config-if)# switchport mode access
Step 3: Enable Port Security
Activate port security on the interface:
S1(config-if)# switchport port-security
Step 4: Set Maximum Allowed MAC Addresses
Define the maximum number of MAC addresses that can be learned on this port. Here, we allow up to 25 MAC addresses:
S1(config-if)# switchport port-security maximum 25
Step 5: Enable Sticky MAC Address Learning
Configure the port to learn source MAC addresses dynamically and keep them as sticky secure addresses. Sticky addresses are written to the running configuration, so save the configuration if they should survive a reload:
S1(config-if)# switchport port-security mac-address sticky
Step 6: Define Violation Mode
Set the action to be taken when a security violation occurs. There are three options:
Restrict: Drops frames from unknown MAC addresses, increments the violation counter and sends a syslog/SNMP trap message; traffic from known MAC addresses keeps flowing.
S1(config-if)# switchport port-security violation restrict
Protect: Silently drops frames from unknown MAC addresses, with no log message, SNMP trap or counter increment, so violations leave no trace.
S1(config-if)# switchport port-security violation protect
Shutdown: Places the interface in the err-disabled state when a violation occurs. This is the default mode.
S1(config-if)# switchport port-security violation shutdown
Step 7: Configure Protected Ports
To stop protected ports on the same switch from forwarding traffic directly to each other (such traffic must pass through a Layer 3 device):
S1(config-if)# switchport protected
Step 8: Enable BPDU Guard
Err-disable the interface if a BPDU (Bridge Protocol Data Unit) arrives on it. This stops an unauthorized switch plugged into an access port from joining spanning tree and influencing the topology:
S1(config-if)# spanning-tree bpduguard enable
Step 9: Reactivate a Disabled Interface
If an interface is shut down due to a security violation, you can manually restore it by shutting down and then bringing it back up:
S1(config-if)# shutdown
S1(config-if)# no shutdown
Step 10: Enable Error Recovery for Security Violations
Automatically recover interfaces that were err-disabled by a port security violation after the recovery interval, which is 5 minutes (300 seconds) by default. This is a global configuration command, not an interface command:
S1(config)# errdisable recovery cause psecure_violation
Step 11: Verify Port Security Configuration
Check the port security settings for a specific interface:
S1# show port-security interface fa0/12
This command provides a detailed view of the current port security configuration for the specified interface.
Example:
S1(config)# interface fa0/1 or interface range fa0/1 - 15, gi1/1
S1(config-if)# switchport mode access (must change from dynamic to access mode)
S1(config-if)# switchport port-security (must do to activate port-security)
S1(config-if)# switchport port-security maximum 25 (allow 25 MAC addresses)
S1(config-if)# switchport port-security mac-address sticky (memorize MAC addresses)
S1(config-if)# switchport port-security violation restrict (send SNMP message) --or--
S1(config-if)# switchport port-security violation protect (only stop excess MACs) --or--
S1(config-if)# switchport port-security violation shutdown (shutdown interface - default)
S1(config-if)# switchport protected (does not allow traffic to/from other protected ports)
S1(config-if)# spanning-tree bpduguard enable (disables interface if it receives a BPDU)
S1(config-if)# shutdown then no shutdown (restore individual interface if it has shutdown)
S1(config)# errdisable recovery cause psecure_violation (global command; restore shutdown interfaces in 5 min)
Verify:
S1# show port-security interface fa0/12 (show security configuration for an interface)
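As an added example (not part of the original guide), the following Python script parses the output of the verification command above and flags ports that need attention: err-disabled ports, ports with a non-zero violation count, and ports whose secure MAC table is already full. The switch output is a constructed, trimmed sample, not captured from a real device.

```python
import re

# Constructed (trimmed) output of "show port-security interface ..." for two
# ports; not from a real switch. fa0/1 is healthy, fa0/12 has been err-disabled.
SAMPLE_OUTPUT = {
    "FastEthernet0/1": """\
Port Security              : Enabled
Port Status                : Secure-up
Maximum MAC Addresses      : 25
Total MAC Addresses        : 3
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 0
""",
    "FastEthernet0/12": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Last Source Address:Vlan   : 00aa.bbcc.ddee:10
Security Violation Count   : 1
""",
}

def parse_port_security(text):
    """Map each 'Key : Value' line to a dict; pure-integer values become ints."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+:\s+(.*)$", line)  # key may itself contain ':'
        if m:
            key, value = m.group(1), m.group(2).strip()
            fields[key] = int(value) if value.isdigit() else value
    return fields

def audit(outputs):
    """Return (port, message) findings an operator should act on."""
    findings = []
    for port, text in outputs.items():
        f = parse_port_security(text)
        if f.get("Port Security") != "Enabled":
            findings.append((port, "port security not enabled"))
            continue
        if f["Port Status"] == "Secure-shutdown":
            findings.append((port, "err-disabled; last source " + f["Last Source Address:Vlan"]))
        if f["Security Violation Count"] > 0:
            findings.append((port, "%d violation(s) logged" % f["Security Violation Count"]))
        if f["Total MAC Addresses"] >= f["Maximum MAC Addresses"]:
            findings.append((port, "secure MAC table full; next new MAC triggers a violation"))
    return findings
```

Feed it the real command output per port (for example collected over SSH) to turn the manual check in step 11 into a repeatable monitoring job.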
Port security is a vital component in securing a network by controlling access based on MAC addresses. By following this guide, you can effectively configure port security on your switch, ensuring that only authorized devices can access your network. Remember to regularly monitor and update your security settings to maintain optimal network security.
By leveraging these commands and configurations, you enhance the security and integrity of your network, protecting it against unauthorized access and potential threats.