Port security configuration
Port security is a Layer 2 security mechanism that restricts ingress traffic on a port to frames from a limited set of MAC addresses, which are either dynamically learned or statically configured.
Turning on Port Security
Switch(config)#int fa 1/0/48
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
The above commands configure interface fa 1/0/48 as an access port and turn on port security on it.
Configuring MAC addresses
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address sticky
The first command limits the port to a single MAC address. The keyword sticky makes the switch learn the MAC address of the device currently connected to the port and retain it in the running configuration as a secure address.
Switch(config-if)#switchport port-security maximum 1 vlan access
Switch(config-if)#switchport port-security maximum 1 vlan voice
The maximum number of MAC addresses on the access VLAN and on the voice VLAN can be configured independently using the above commands.
Switch(config-if)#switchport port-security mac-address aaaa.bbbb.cccc
A MAC address can also be configured statically, as shown above.
Violation Action
Switch(config-if)#switchport port-security violation shutdown
The above command sets the action to be taken when port security is violated; in this case it is shutdown.
The other available actions are protect and restrict.
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#switchport port-security violation restrict
Protect: When a violation occurs, frames from the offending MAC address are dropped silently and the administrator is not notified.
Restrict: When a violation occurs, frames from the offending MAC address are dropped, the administrator is notified via an SNMP trap, and the violation is logged.
MAC Address Aging
Switch(config-if)#switchport port-security aging type absolute
Switch(config-if)#switchport port-security aging type inactivity
Switch(config-if)#switchport port-security aging time 180
Absolute: Dynamically learned MAC addresses expire once the configured aging time runs out, regardless of activity.
Inactivity: Dynamically learned MAC addresses expire after the specified number of minutes without traffic from them.
Recovering an interface after shutdown
An interface configured with a violation action of shutdown enters the error-disabled state when a violation occurs. To recover it manually, issue shutdown followed by no shutdown on the interface to make it operational again.
Use the following commands to automatically recover interfaces that have been error-disabled due to violation:
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
The above configuration automatically recovers such interfaces 300 seconds after they are error-disabled.
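As an added defender-side check (example code written for this page, not Cisco's or the original author's), the following Python audits a saved running-config for access ports that either lack port security or use the protect action, which as noted above gives no notification. The configuration excerpt, interface names and MAC address are constructed for the example.

```python
# Constructed sample running-config excerpt (not from a real switch); names are illustrative.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/47
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet1/0/48
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aaaa.bbbb.cccc
!
interface FastEthernet1/0/49
 switchport mode access
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Split an IOS running-config into {interface name: [indented config lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return blocks

def audit_port_security(config):
    """Flag access ports with no port-security, or whose violations go unlogged."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for this check
        if "switchport port-security" not in lines:
            findings.append((name, "port-security not enabled"))
            continue
        # The default action is shutdown; protect is the only one that neither notifies nor logs.
        if "switchport port-security violation protect" in lines:
            findings.append((name, "violation action protect: violations not logged"))
    return findings
```

Run it against the output of show running-config saved to a file to get a per-port list of findings; ports using restrict or shutdown produce none.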
Below is a sample port-security configuration:
Here is the status of port-security on the configured interface: