Port security configuration

Port security is a Layer 2 security mechanism that can be used to restrict ingress traffic on a port from dynamically learned or statically configured MAC addresses.

Turning on Port Security

Switch(config)#int fa 1/0/48
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security

The above command marks interface fa 1/0/48 as an access port and turns on port-security.

Configuring MAC addresses

Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address sticky

The above command specifies that only one mac-address is allowed on the port. Keyword sticky specifies that the mac-address that is currently connected to the port should be learned.

Switch(config-if)#switchport port-security maximum 1 vlan access
Switch(config-if)#switchport port-security maximum 1 vlan voice

The maximum number of MAC addresses on the voice and access vlan can be configured independently using the above command.

Switch(config-if)#switchport port-security mac-address aaaa.bbbb.cccc

The mac-address can also be statically configured as above.

Violation Action

Switch(config-if)#switchport port-security violation shutdown

The above command states the action to be taken when port-security is violated. In this case it is shutdown.

Other actions are protect and restrict.

Switch(config-if)#switchport port-security violation protect
Switch(config-if)#switchport port-security violation restrict

Protect: When a violation occurs, the administrator is not notified.
Restrict: When a violation occurs, the administrator is notified via SNMP and the violation is logged.

MAC Address Aging

Switch(config-if)#switchport port-security aging type absolute
Switch(config-if)#switchport port-security aging type inactivity
Switch(config-if)#switchport port-security aging time 180

Absolute: The dynamically learned MAC addresses expire once the timer expires
Inactivity: The dynamically learned MAC addresses expire after specified minutes of inactivity

Recovering an interface after shutdown

An interface that has been configured with a violation action of shutdown would enter into an error-disabled state if a violation occurs. To recover the interface, you’d have to manually shutdown the interface and no shutdown the interface to make it operational again.

Use the following commands to automatically recover interfaces that have been error-disabled due to violation:

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300

The above configuration would auto recover the interface after 300 seconds.

Below is a sample port-security configuration:

Here is the status of port-security on the configured interface: