How to configure port-security on Cisco Switch

By default there is no limit to the number of MAC addresses a switch can learn on an interface and all MAC addresses are allowed. If we want we can change this behavior with port-security. Let’s take a look at the following situation:




(Topology diagram: cisco and cheap switch)

In the topology above someone connected a cheap (unmanaged) switch that they brought from home to the FastEthernet 0/1 interface of our Cisco switch. Sometimes people like to bring an extra switch from home to the office. As a result our Cisco switch will learn the MAC address of H1 and H2 on its FastEthernet 0/1 interface.

Of course we don’t want people to bring their own switches and connect them to our network, so we want to prevent this from happening. This is how we can do it:

Switch(config)#interface fa0/1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1

Use the switchport port-security command to enable port-security. I have configured port-security so only one MAC address is allowed. Once the switch sees a second MAC address on the interface, the port is in violation and something will happen. I’ll show you what happens in a bit…

Besides setting a maximum on the number of MAC addresses, we can also use port security to filter MAC addresses. You can use this to only allow certain MAC addresses. In the example below I configured port security so it only allows MAC address aaaa.bbbb.cccc. This is not the MAC address of my computer, so it’s perfect to demonstrate a violation.

Switch(config)#interface fa0/1
Switch(config-if)#switchport port-security mac-address aaaa.bbbb.cccc

Use the switchport port-security mac-address command to define the MAC address that you want to allow. Now we’ll generate some traffic to cause a violation:

C:\Documents and Settings\H1>ping 1.2.3.4

I’m pinging a bogus IP address; nothing has IP address 1.2.3.4, I just want to generate some traffic. Here’s what you will see:

SwitchA#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0090.cc0e.5023 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

We have a security violation and as a result the port goes in err-disable state. As you can see it is now down. Let’s take a closer look at port-security:

Switch#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0090.cc0e.5023:1
Security Violation Count   : 1

Here is a useful command to check your port security configuration. Use show port-security interface to see the port security details per interface. You can see the violation mode is shutdown and that the last violation was caused by MAC address 0090.cc0e.5023 (H1).
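The syslog lines above and this show output are what a monitoring system has to work with when it watches port-security across many switches. The following Python script is an added example, not code from the lesson or from Cisco: it parses the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE messages, correlates them per interface (syslog spells the same port as Fa0/1 in one line and FastEthernet0/1 in another), and turns the show port-security interface output into a dictionary so a script can tell whether the port is err-disabled or merely counting violations. The sample inputs are constructed from the lesson's output plus one extra violation on FastEthernet0/2 that is assumed to have no ERR_DISABLE line; the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the syslog lines from the lesson, plus one constructed
# violation on FastEthernet0/2 with no ERR_DISABLE line (a port that is not shut down).
SAMPLE_SYSLOG = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0090.cc0e.5023 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/2.
"""

# Constructed sample: the "show port-security interface fa0/1" output from the lesson.
SAMPLE_SHOW = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0090.cc0e.5023:1
Security Violation Count   : 1
"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
PORT = r"[A-Za-z]+\d+(?:/\d+)*"
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    rf"caused by MAC address (?P<mac>{MAC}) on port (?P<port>{PORT})")
ERRDISABLE_RE = re.compile(
    rf"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>{PORT})")
# "Key   : value" lines; the non-greedy key tolerates a colon inside the key
# ("Last Source Address:Vlan") because it requires whitespace before the separator.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s+:\s*(?P<val>.*)$")


def normalize_port(name: str) -> str:
    """Expand IOS short interface names (Fa0/1 -> FastEthernet0/1) for correlation."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    if not m:
        return name
    prefix, rest = m.group(1), m.group(2)
    for full in ("FastEthernet", "GigabitEthernet", "TenGigabitEthernet", "Ethernet"):
        if full.lower().startswith(prefix.lower()):
            return full + rest
    return name


@dataclass
class Violation:
    port: str
    mac: str
    err_disabled: bool = False


def parse_violations(log_text: str) -> List[Violation]:
    """Extract violations from syslog and flag the ones whose port was err-disabled."""
    disabled = set()
    violations: List[Violation] = []
    for line in log_text.splitlines():
        m = ERRDISABLE_RE.search(line)
        if m:
            disabled.add(normalize_port(m.group("port")))
            continue
        m = VIOLATION_RE.search(line)
        if m:
            violations.append(Violation(normalize_port(m.group("port")), m.group("mac")))
    # Second pass: the ERR_DISABLE line may come before or after the violation line.
    for v in violations:
        v.err_disabled = v.port in disabled
    return violations


def parse_show_port_security(text: str) -> Dict[str, str]:
    """Turn 'show port-security interface' output into a key/value dictionary."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def last_violator(fields: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """Split the 'mac:vlan' value of the Last Source Address:Vlan field."""
    mac, _, vlan = fields.get("Last Source Address:Vlan", "").partition(":")
    return mac, (int(vlan) if vlan.isdigit() else None)


def needs_attention(fields: Dict[str, str]) -> Optional[str]:
    """Return why an operator should look at this port, or None if it is fine."""
    if fields.get("Port Status") == "Secure-shutdown":
        return "err-disabled by port-security; needs shutdown / no shutdown"
    if int(fields.get("Security Violation Count", "0") or 0) > 0:
        return "violations recorded but port still up; check the offending MAC"
    return None


if __name__ == "__main__":
    for v in parse_violations(SAMPLE_SYSLOG):
        print(f"{v.port}: violation by {v.mac}, err-disabled={v.err_disabled}")
    fields = parse_show_port_security(SAMPLE_SHOW)
    print("last violator:", last_violator(fields), "->", needs_attention(fields))
```

The two-pass correlation matters because, as the lesson's own output shows, the ERR_DISABLE message is logged before the PSECURE_VIOLATION message that explains it; matching on the normalized interface name ties the two together regardless of order.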

Switch#show interfaces fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)

Shutting the interface after a security violation is a good idea (security-wise) but the problem is that the interface will stay in err-disable state. This probably means another call to the helpdesk and you bringing the interface back to the land of the living! Let’s activate it again:

Switch(config)#interface fa0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown

To get the interface out of err-disable state you need to type “shutdown” followed by “no shutdown”. Only typing “no shutdown” is not enough!

It might be easier if the interface could recover itself after a certain time. You can enable this with the following command:

Forum Replies

  1. Hi Rene, I have a strange problem related to your post. We have an unmanaged switch connected to a managed switch port. That port is configured as follows:

     description Conference Room
     switchport access vlan 43
     switchport mode access
     switchport port-security maximum 16
     switchport port-security
     authentication host-mode multi-host
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout quiet-period 20
     dot1x timeout tx-period 10
     spanning-tree bpduguard enable
    

    If a user connects to this switch and then unplugs (not Logoff), goes to their d

    ... Continue reading in our forum

  2. Hi Rene,

    This sounds silly, but I want to know how you can ping from the IOS command line with Packet Tracer instead of the command prompt?
    Thanks,
    Peter

  3. Hello Hussein.

    In order to clearly answer this question, we have to define two different functionalities of the switch: port security and the MAC address table.

    Port security has been explained well in this lesson, so I’ll just mention that port security allows only devices with specific MAC addresses to connect and function on a specific interface.

    The MAC address table is a table that records MAC addresses and the corresponding interface on which they can be found. This table exists to give a switch its most basic function which also distinguishes it from a

    ... Continue reading in our forum

  4. Hello Hussein.

    That’s a very good point, and yes, it requires clarification.

    In order for port security to function, the “allowed” MAC addresses are configured for each port. These are the secure addresses. Now there are several ways a switch can learn these addresses: Statically or dynamically.

    The statically configured MAC addresses for port security DO NOT age out. They are permanent. These are the addresses that are configured using the command:

    switchport port-security mac-address 1000.2000.3000

    The switchport port-security aging time command only aff

    ... Continue reading in our forum

  5. Hello Roger Hugues,

    The article specifically mentions a “cheap” switch; you can understand it as a “dumb switch”.

    • Dumb switches are unmanaged and do not support features like STP.
    • A dumb switch is not generating any traffic by itself, because it has no features to do so. Therefore the “smart” switch cannot learn the switchport MAC address of this dum
    ... Continue reading in our forum
