Switchport Security Concepts and Configuration

Switchport Security

Port security restricts an interface so that only the expected devices can use it. When you know which device should be cabled to a particular switch interface, you can configure the switch to accept only that device on that interface. Port security is not supported on SPAN (Switch Port Analyzer) destination ports. Port security reduces exposure to attacks in which the attacker joins the network by connecting a laptop to a wall socket, or by using the cable attached to another end device.

How to Configure Port-Security

Several steps are involved in configuring port security. The port must not be doing any VLAN trunking, so first make the port an access port, then enable port security, and then configure the actual MAC (Media Access Control) addresses of the devices allowed to use that port.

The list below outlines the steps and the configuration commands used:

Step 1

Configure the interface subcommand switchport mode access to put the interface in access mode.

Step 2

Configure the interface subcommand switchport port-security to enable port security.

Step 3

Optionally, specify the maximum number of MAC addresses allowed on the interface using the interface subcommand switchport port-security maximum number.

Step 4

Optionally, define the action to take when a frame is received from a MAC address other than the defined addresses, using the interface subcommand switchport port-security violation {protect | restrict | shutdown}. Shutting down the port is the default action.

Step 5 (A)

Specify the MAC addresses allowed to send frames into this interface using the interface subcommand switchport port-security mac-address mac-address. To define more than one MAC address, use this command multiple times.

Step 5 (B)

Alternatively, configure the interface to learn the MAC addresses of the currently connected hosts dynamically and store them in the configuration, using the interface subcommand switchport port-security mac-address sticky.
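As an added example (not part of the original lab), the following Python audit reads a Cisco IOS running-config and checks each access port against Steps 1 to 5 above, applying the IOS defaults (maximum 1, violation shutdown) where a command is absent. The configuration excerpt, interface names and MAC addresses are constructed sample values.

```python
import re
# Constructed running-config excerpt: Fa0/1 uses sticky learning, Fa0/2 a static MAC with "restrict", Fa0/3 never got Step 2.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.9636.5a1b
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address 0002.4a1c.77d0
interface FastEthernet0/3
 switchport mode access
"""

def parse_interfaces(config):
    """Return {interface: settings}; defaults mirror IOS (maximum 1, violation shutdown)."""
    ports = {}
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        p = {"mode": "", "enabled": False, "maximum": 1, "violation": "shutdown", "sticky": False, "macs": []}
        for line in (l.strip() for l in body.splitlines()):
            if line.startswith("switchport mode "):                                   # Step 1
                p["mode"] = line.split()[-1]
            elif line == "switchport port-security":                                  # Step 2
                p["enabled"] = True
            elif m := re.match(r"switchport port-security maximum (\d+)$", line):     # Step 3
                p["maximum"] = int(m.group(1))
            elif m := re.match(r"switchport port-security violation (\w+)$", line):   # Step 4
                p["violation"] = m.group(1)
            elif line == "switchport port-security mac-address sticky":               # Step 5(B)
                p["sticky"] = True
            elif m := re.match(r"switchport port-security mac-address (?:sticky )?([0-9a-f.]+)$", line):
                p["macs"].append(m.group(1))                  # Step 5(A) static, or a learned sticky
        ports[name] = p
    return ports

def audit(config):
    """Findings per access port (Step 1); an empty list means the port follows the steps."""
    findings = {}
    for name, p in parse_interfaces(config).items():
        if p["mode"] == "access":
            findings[name] = [msg for ok, msg in (
                (p["enabled"], "port-security not enabled (Step 2)"),
                (not p["enabled"] or p["sticky"] or p["macs"], "no static or sticky MAC address (Step 5)"),
                (len(p["macs"]) <= p["maximum"], "more MAC addresses than the maximum (Step 3)"),
            ) if not ok]
    return findings
```

Run audit() over the output of show running-config to list every access port that is missing port security or an allowed address before a rogue device can exercise it.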


How to Configure Port Security on a Switch

[Screenshot: How to Configure Switchport Security]

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname Networking2
Networking2(config)#end
Networking2#show port-security interface fastEthernet 0/1

[Screenshot: Port-Security on Interfaces]

Port-Security Configuration on FastEthernet 0/1

Networking2#configure terminal
Networking2(config)#interface fastEthernet 0/1
Networking2(config-if)#switchport mode access
Networking2(config-if)#switchport port-security
Networking2(config-if)#switchport port-security ?

[Screenshot: Switchport Port-Security Options]

Networking2(config-if)#switchport port-security mac-address ?

[Screenshot: Switchport Port-Security Sticky]

Networking2(config-if)#switchport port-security mac-address sticky
Networking2(config-if)#switchport port-security maximum ?
  <1-132>    Maximum addresses
Networking2(config-if)#switchport port-security maximum 1
Networking2(config-if)#switchport port-security violation ?

[Screenshot: Switchport Port-Security Violation]

Networking2(config-if)#switchport port-security violation shutdown
Networking2(config-if)#end
Networking2#

Note: The other two violation modes (protect and restrict) can be configured in Packet Tracer, but their effect is not shown physically there, so we configure the shutdown violation mode to see the effect physically in Packet Tracer.

Verification after Enabling Port-Security on the Interface

Networking2#show port-security

[Screenshot: Switchport Port-Security Verification]

Networking2#show port-security interface fastEthernet 0/1

[Screenshot: Switchport Port-Security Interface Verification]

Networking2#show port-security address

[Screenshot: Switchport Port-Security MAC-Address]

Ping Verification (Sticky Configured)

PC 1 to PC 2

PC>ping 192.168.1.2

[Screenshot: Switchport Port-Security Ping Verification]


Port-Security Interface after Ping

Networking2#show port-security interface fastEthernet 0/1

[Screenshot: Switchport Port-Security Interface Verification]

Testing Port-Security

Ping Verification from a Non-Allowed Device to PC 2

[Screenshot: Switchport Port-Security Ping Verification]

Networking2#show port-security interface fastEthernet 0/1

[Screenshot: Switchport Port-Security Status]

[Screenshot: Switchport Port-Security Interface Verification]


Networking2#show port-security

[Screenshot: Switchport Port-Security Violation]

Restoring the interface FastEthernet 0/1

[Screenshot: Switchport Port-Security Restore after Violation]

Networking2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Networking2(config)#interface fastEthernet 0/1
Networking2(config-if)#shutdown

[Screenshot: Switchport Port-Security Status]

Networking2(config-if)#no shutdown

[Screenshot: Switchport Port-Security Status]

Networking2(config-if)#end


Verification after Restoring the Interface

Networking2#show port-security

[Screenshot: Switchport Port-Security Status]

Networking2#show port-security interface fastEthernet 0/1

[Screenshot: Switchport Port-Security Verification on Interface]

Ping Verification after Restoring the Interface

PC 1 to PC 2

PC>ping 192.168.1.2

[Screenshot: Switchport Port-Security Ping Verification]

Note: When an unauthorized device sends frames to the switch interface, the switch can issue an informational message, discard the frames from that device, or effectively shut down the interface so that frames from all devices are discarded. Which action the switch takes depends on the option you configure with the command switchport port-security violation.

The following table shows the options (shutdown, restrict, or protect) that you can configure on the switch interface. The shutdown option is the default on the switch.

Actions when a Port Security Violation Occurs

[Screenshot: Switchport Port-Security Violation Options table]
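As an added example (not part of the original lab), the following Python script parses the output of show port-security interface, records what each violation option does with frames from a non-allowed MAC address, and emits the shutdown / no shutdown commands used above when the port is in Secure-shutdown. The sample output is constructed, modelled on IOS formatting, and the interface name is a sample value.

```python
import re

# Constructed "show port-security interface" output for a port that took a
# violation in shutdown mode (modelled on IOS output, not the page's screenshot).
SAMPLE_SHOW = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00E0.F7A1.2C3D:1
Security Violation Count   : 1
"""

# What each violation option does with frames from a MAC address that is not allowed.
VIOLATION_ACTIONS = {
    "protect": "drops the offending frames silently; port stays up, no log, no counter",
    "restrict": "drops the offending frames, logs/SNMP trap, increments the violation count",
    "shutdown": "err-disables the port, so frames from every device are dropped until restored",
}

def parse_show(output):
    """Map each 'Field : value' line to a dict; field names may themselves contain ':'."""
    fields = {}
    for line in output.splitlines():
        if m := re.match(r"^(.+?)\s+:\s+(.*)$", line):  # split on the padded ' : ' only
            fields[m.group(1)] = m.group(2).strip()
    return fields

def triage(output, ifname):
    """Summarise the port's state and, if it is err-disabled, the commands to restore it."""
    f = parse_show(output)
    mode = f["Violation Mode"].lower()
    status = f["Port Status"]
    # Only the shutdown option takes the port down; the lab above restores it
    # with shutdown followed by no shutdown on the interface.
    restore = [f"interface {ifname}", " shutdown", " no shutdown"] if status == "Secure-shutdown" else []
    return {
        "status": status,
        "mode": mode,
        "violations": int(f["Security Violation Count"]),
        "last_source": f["Last Source Address:Vlan"],
        "action": VIOLATION_ACTIONS[mode],
        "restore": restore,
    }
```

Before bouncing the port, check last_source: it identifies the MAC address that caused the violation, which tells you whether a legitimate device was moved or an unexpected one was plugged in.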
