Switch Port Security

What is port security?

Port security restricts which Ethernet source MAC addresses are allowed to send traffic through a switch port. By default a secured port accepts one secure MAC address, learned from the first frame it sees (or configured statically), and a frame with any other source MAC address is a violation. In the default violation mode (shutdown) the switch puts the port into the error-disabled (err-disabled) state; the restrict mode keeps the port up but drops the offending frames and counts the violation, and protect drops them silently without any notification. Most network administrators also configure the switch to send an SNMP trap (and a syslog message) to their monitoring system so they learn that a port was disabled for a security violation. Keep in mind that the control keys on the source MAC address, which an attacker can clone from a legitimate host, so port security stops casual device swaps and unauthorised hubs rather than authenticating the host; 802.1X is the control for that.

 

How to enable port security

 

Port security is configured per interface, and the port must be a static access port (switchport mode access); the switch rejects the command on a port that is still in dynamic (DTP) mode.

Switch# config t

Switch(config)# int fa0/18

Switch(config-if)# switchport mode access

Switch(config-if)# switchport port-security ?

  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

Switch(config-if)# switchport port-security

Switch(config-if)# ^Z

 

 

You can also configure port security on a range of ports. With no further options each port gets the defaults: one secure MAC address, learned dynamically, and violation mode shutdown.

Switch# config t

Switch(config)# int range fastEthernet 0/1 - 24

Switch(config-if-range)# switchport mode access

Switch(config-if-range)# switchport port-security

Switch(config-if-range)# ^Z
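A complete version of the procedure above, added here as an illustration; it is not from the original post or from Cisco's documentation. Rather than accepting the bare defaults it hardens a block of access ports the way a practitioner would: each port is forced into access mode, learns its single MAC address as a sticky entry (which survives a reload once the configuration is saved), and uses violation mode restrict so a violation is logged and trapped without taking the port down. The global lines enable automatic err-disable recovery for any port left in the default shutdown mode and point the port-security SNMP trap at a monitoring host. The VLAN number, the trap receiver 192.0.2.10 and the community string NMS-COMMUNITY are placeholders.

```text
! Added example (not from the original post). Cisco IOS Catalyst syntax;
! VLAN 116, trap receiver 192.0.2.10 and community NMS-COMMUNITY are placeholders.
Switch# configure terminal
!
! Global: automatic recovery for ports err-disabled by a violation (the
! default interval is 300 s), and SNMP traps for port-security events.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# snmp-server enable traps port-security
Switch(config)# snmp-server host 192.0.2.10 version 2c NMS-COMMUNITY port-security
!
! Per port: port security is only accepted on a static access port.
Switch(config)# interface range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 116
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# switchport port-security maximum 1
Switch(config-if-range)# switchport port-security mac-address sticky
Switch(config-if-range)# switchport port-security violation restrict
Switch(config-if-range)# end
!
! Verify: per-port status and violation counters, then the secure MAC table.
Switch# show port-security
Switch# show port-security interface fastEthernet 0/18
Switch# show port-security address
!
! Sticky addresses live in the running config; save them or they are
! relearned from whatever is plugged in after the next reload.
Switch# copy running-config startup-config
```

restrict keeps a user port up when a second device appears behind it (a small desk hub, or a PC hanging off an IP phone) while still raising the trap and syslog entry; shutdown is the stricter choice where an unexpected device should be isolated immediately. Where IP phones are in use, add the voice VLAN and raise the maximum so that the phone and the PC behind it both fit.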

 

 

SNMP Trap?

 

 

TBA

 

 

 

Show port security status of switch ports

 

Switch# show port-security address

 
The output should look something like this.

 

Switch# sh port-security address

          Secure Mac Address Table
-----------------------------------------------------------
Vlan    Mac Address        Type                 Ports
----    -----------        ----                 -----
 116    0013.d333.9007     SecureSticky         Fa1/1
 116    001a.6b61.5274     SecureSticky         Fa1/2
 990    0000.0000.0001     SecureConfigured     Fa1/4
 116    0016.41ef.4b5b     SecureSticky         Fa1/5
 148    0000.74ad.e544     SecureSticky         Fa1/6
 136    0013.d333.9bef     SecureSticky         Fa1/7
 990    0000.0000.0002     SecureConfigured     Fa1/8
 116    0013.d333.955f     SecureSticky         Fa1/9
 990    0000.0000.0003     SecureConfigured     Fa1/10
 116    0016.1789.9d9f     SecureSticky         Fa1/12
 116    000d.60c1.f423     SecureSticky         Fa1/14
 116    0013.d333.ab4d     SecureSticky         Fa1/15

SecureSticky entries were learned from traffic and written into the running configuration; SecureConfigured entries were entered by hand with switchport port-security mac-address. Use show port-security interface <port> to see the violation count and current status of a single port.


Clear port security

 

There are a few ways to clear port security. On a switch running CatOS (the prompt used in the Cisco reference below) a single secure address is removed from a port like this:

Console> (enable) clear port security 4/1 00-11-22-33-44-55

00-11-22-33-44-55 cleared from secure address list for port 4/1.

On a switch running IOS the command is clear port-security (with a hyphen). It can clear all, configured, dynamic or sticky secure addresses, optionally restricted to one interface or one address. For example, to remove the sticky addresses learned on Fa0/1:

Switch# clear port-security sticky interface fastEthernet 0/1

 

 

Note: when a violation has shut a port down it is in the error-disabled (err-disabled) state, and show interfaces status err-disabled lists such ports. To recover it you normally have to issue shutdown followed by no shutdown on the interface, unless automatic recovery has been enabled with errdisable recovery cause psecure-violation (the recovery interval defaults to 300 seconds). Clearing the secure address on its own does not bring the port back up.

 

Note: if a MAC address is registered on a port and you still want to assign this MAC address to another port in the same switch, I got into so much trouble by doing this. In my experience you cannot allocate the same MAC address to two ports. You need to clear the port security, shut down one interface and assign the MAC address to the other port.
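The recovery and move sequence the two notes above describe, on IOS, as an added example that is not from the original post. The MAC address 0013.d333.9007 is taken from the sample table earlier on the page, and the interface names are illustrative.

```text
! Added example (not from the original post). Cisco IOS syntax;
! the interfaces and the MAC 0013.d333.9007 are illustrative.
!
! 1. Find out which ports a violation took down and why.
Switch# show interfaces status err-disabled
Switch# show port-security interface fastEthernet 0/1
!
! 2. Remove the secure address learned on the old port. While it is still
!    held there the switch will not accept the same MAC on a second port
!    in the same VLAN.
Switch# clear port-security sticky interface fastEthernet 0/1
!
! 3. Recover the err-disabled port (not needed if errdisable recovery
!    cause psecure-violation is configured and the interval has elapsed).
Switch# configure terminal
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit
!
! 4. Pin the host's address on its new port as a configured secure address.
Switch(config)# interface fastEthernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0013.d333.9007
Switch(config-if)# end
!
! 5. Confirm the address now shows as SecureConfigured on Fa0/2, then save.
Switch# show port-security address
Switch# copy running-config startup-config
```

If the old port should stay in service for a different host, leave it up after step 3 and it will learn the new device's address as its sticky entry; if it should stay unused, leave it shut down so nothing can be plugged in unnoticed.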

 

Cisco Reference: http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_port_security_on_Cisco_Catalyst_switches_running_CatOS
