Switch Port Security

What is port security?

The Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port. Most of the time, network administrators configure the switch to send an SNMP trap to their network monitoring solution reporting that the port has been disabled for security reasons.


How to enable port security


Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

Switch(config-if)# switchport port-security




You can also configure port security on a range of ports.


Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security




SNMP Trap?







Show port security status of switch ports


Switch# show port-security address

The output should look something like this.


Switch#sh port-security address

Secure Mac Address Table

Vlan    Mac Address       Type                Ports
116     0013.d333.9007    SecureSticky        Fa1/1
116     001a.6b61.5274    SecureSticky        Fa1/2
990     0000.0000.0001    SecureConfigured    Fa1/4
116     0016.41ef.4b5b    SecureSticky        Fa1/5
148     0000.74ad.e544    SecureSticky        Fa1/6
136     0013.d333.9bef    SecureSticky        Fa1/7
990     0000.0000.0002    SecureConfigured    Fa1/8
116     0013.d333.955f    SecureSticky        Fa1/9
990     0000.0000.0003    SecureConfigured    Fa1/10
116     0016.1789.9d9f    SecureSticky        Fa1/12
116     000d.60c1.f423    SecureSticky        Fa1/14
116     0013.d333.ab4d    SecureSticky        Fa1/15
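
Before assigning a MAC address to a port, it helps to know whether the table above already holds it on another port. The following Python script is an added example, not part of the original post: it parses saved "show port-security address" output and looks up a MAC in either dotted or dashed notation. The function names and the sample rows are constructed for illustration.

```python
import re

# Constructed sample in the layout of the output above (not captured from a real switch).
SAMPLE = """\
Secure Mac Address Table
Vlan    Mac Address       Type                Ports
116     0013.d333.9007    SecureSticky        Fa1/1
116     001a.6b61.5274    SecureSticky        Fa1/2
990     0000.0000.0001    SecureConfigured    Fa1/4
148     0000.74ad.e544    SecureSticky        Fa1/6
"""

# Vlan, dotted MAC, entry type, port; title and header lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})\s+(Secure\w+)\s+(\S+)")

def normalize_mac(mac):
    """Reduce dotted, dashed or colon MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.\-:]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_secure_table(text):
    """Return one dict per table row; blank and non-table lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": normalize_mac(mac),
                         "type": kind, "port": port})
    return rows

def ports_securing(rows, mac):
    """List (port, vlan, type) for every entry that already holds this MAC."""
    wanted = normalize_mac(mac)
    return [(r["port"], r["vlan"], r["type"]) for r in rows if r["mac"] == wanted]

def ports_by_type(rows):
    """Group ports by entry type, e.g. SecureSticky vs SecureConfigured."""
    groups = {}
    for r in rows:
        groups.setdefault(r["type"], []).append(r["port"])
    return groups

if __name__ == "__main__":
    table = parse_secure_table(SAMPLE)
    print(ports_securing(table, "00-13-D3-33-90-07"))
    print(ports_by_type(table))
```
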

Clear port security


There are a few ways to clear port security.


Console> (enable) clear port security 4/1 00-11-22-33-44-55


00-11-22-33-44-55 cleared from secure address list list for port 4/1.


Switch# clear port-security sticky interface fa0/1



Note: When a port is in the disabled state (err-disable), in most cases you need to shut down the interface and bring it back up.


Note: If a MAC address is registered on a port and you still want to assign this MAC address to another port on the same switch, I got into so much trouble by doing this. In my experience you cannot allocate the same MAC address to 2 ports. You need to clear the port security, shut down one interface, and assign the MAC address to the other port.


Cisco Reference: http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_port_security_on_Cisco_Catalyst_switches_running_CatOS

