Port Security

1-1 What’s port Security

In Cisco switches, you can limit PCs based on their Mac-address. Port security enhances the security in Cisco devices

Let’s implement a scenario to learn more about port security:

Senario 1: In company A, we want to define port-security to learn mac-address of all PCs on the nework and maximum each port has to learn maximum two mac-address. In a case of violation, ports should shutdown immediately.

SW1# conf t
SW1(config)# int range fa0/1-24
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security maximum 2
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# switchport port-security voilation shutdown
SW1(config-if)# switchport port-security

port security voilation has three modes:

  • shutdown: This is a default mode. It’ll shutdown the interface.

  • protect: Allow traffic from valid mac-address but block traffic from invalid.

  • restrict: Assist with troubleshooting by keeping count of voilations.

You can define static mac-address with this command:

SW1(config-if)# switchport port-security mac-address ——-Mac-address————–

In real scenario, network administrators define auto recovery for port security. It means in case of violation, ports automatically enable timer to recover from psecure violation disable state:

SW1(config)# errdisable recovery cause psecure-violation

also we can define timer interval(second), to recover automatically:

SW1(config)# errdisable recovery interval 30
1-2 Show Port Security

You can use these commands to see port security:

SW1(config)# show port-security
or
SW1(config)# show port-security int fa0/1
/by