# 7.1 SWITCH PORT SECURITY
Port Security is a Layer-2 security feature on managed switches (Cisco, Aruba and others) that restricts which devices can connect to a switch port by controlling MAC address access. It helps prevent unauthorized access, MAC flooding, and rogue device connections. The switch remembers the Ethernet MAC address seen on the port and allows only that address to send traffic through it. If any other MAC address tries to communicate through the port, port security takes the configured violation action; by default it disables the port. The violation mode tells the switch what to do when the number of MAC addresses on the port exceeds the configured maximum. Without it, Layer-2 attacks such as denial of service (CAM table flooding) and address spoofing are possible. An administrator who controls which devices may use each port controls the network edge, and port security is the feature that gives that control over the switch ports.
# How Port Security Works
- Port security limits the number of MAC addresses allowed on a switch port.
- If an unknown or excess MAC address is detected, the switch triggers a violation action.
- MAC addresses can be manually configured or learned automatically.
# Types of MAC Address Configuration
- Static MAC Address: manually configured by the admin; the most secure option. Example: a fixed PC or server.
- Dynamic MAC Address: learned automatically and stored only in the CAM table (lost after a reboot).
- Sticky MAC Address: learned dynamically and written into the running configuration (kept across reboots once the configuration is saved to startup); the most commonly used option in enterprises.
# Port Security Violation Modes
- Shutdown mode is the default on Cisco switches: on a violation the port is put into the err-disabled state and stays down until it is re-enabled (shutdown followed by no shutdown, or errdisable recovery).
- Protect mode allows traffic only from the secure MAC addresses and silently drops packets from other MAC addresses; it does not log or count the violation.
- Restrict mode also drops the offending traffic but alerts the network administrator: it generates a log message, increments the violation counter, and sends an SNMP trap.
- Sticky mode is not a violation mode. With the sticky keyword the switch learns the connected MAC addresses dynamically and records them in the configuration as secure addresses, giving static-style security without the user typing the MAC address by hand.
Note: Port security works on access ports only, so to enable it the user first has to make the interface an access port (switchport mode access).
# Port Security States
- Secure-Up: port is enabled, authorized MAC addresses are learned, traffic flows normally.
- Secure-Down: port is administratively down, no traffic is allowed.
- Secure-Shutdown: a port security violation occurred, the port is err-disabled, and manual or automatic recovery is required.
# 7.2 CONFIGURATION OF PORT SECURITY
# How to secure a port with sticky MAC addresses
Switch(config)# interface fastethernet 0/1
Switch(config-if)# no shutdown
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky 0060.7099.bc89
Switch(config-if)# exit
# How to secure a port with a maximum number of MAC addresses
Switch(config)# interface fastethernet 0/1
Switch(config-if)# no shutdown
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum <1-132>
Switch(config-if)# exit
# How to secure a port with a violation mode
Switch(config)# interface fastethernet 0/1
Switch(config-if)# no shutdown
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
Switch(config-if)# exit
# How to secure a port with MAC address aging (time in minutes) and broadcast storm control
Switch(config)# interface fastethernet 0/1
Switch(config-if)# no shutdown
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security aging time 120
Switch(config-if)# storm-control broadcast level <0.00-100.00>
Switch(config-if)# storm-control action shutdown
Switch(config-if)# exit
Note: the storm-control level is a percentage of the port bandwidth, so the value must lie between 0.00 and 100.00.
# 7.3 DIAGRAM OF PORT SECURITY SCENARIO
| Port Type | Connected Devices | MAC Limit | Security Mode |
|---|---|---|---|
| Fa0/1 | IP Phone + PC | 2 | Sticky + Restrict |
| Fa0/2 | Wireless AP | 1 | Static MAC + shutdown |
| Trunk | Switch to Switch | Unlimited | ❌ No Port Security |
# 1. Enable Port Security on an Access Port (PC + IP Phone)
Switch(config)# interface fastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 20
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
Explanation: VLAN 10 carries data and VLAN 20 carries voice; sticky learning records both the phone and the PC; restrict mode drops and logs violations.
# 2. Access Port for a Wireless Access Point (High Security)
Switch(config)# interface fastEthernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 30
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 001A.2B3C.4D5E
Switch(config-if)# switchport port-security violation shutdown
Explanation: only one AP is allowed; the static MAC address gives maximum security; an unauthorized device causes the port to be disabled.
# 3. Trunk Port (No Port Security)
Switch(config)# interface gigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Port security should not be configured on trunk ports.
# Violation Scenario Flow
- Unauthorized laptop plugged in
- MAC address count exceeds the limit
- Violation action triggered:
  - Restrict: traffic dropped and logged
  - Shutdown: port err-disabled
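The three scenarios above state rules an auditor can check mechanically: access ports carry port security, trunk ports do not, and a port with a voice VLAN needs a maximum of 2. The script below is an added example, not part of the original notes or any vendor tool; it parses a constructed IOS running-config excerpt and reports ports that break those rules.

```python
# Added example (not from the page): audit an IOS config excerpt against the
# page's rules. The config text below is constructed: Fa0/1 and Gi0/1 follow
# the page, Fa0/3 (phone + PC but maximum left at 1) and Gi0/2 (trunk) do not.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
interface FastEthernet0/3
 switchport mode access
 switchport voice vlan 20
 switchport port-security
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode trunk
 switchport port-security
"""

def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def audit_interface(name, lines):
    """Findings for one interface; an empty list means it follows the page's rules."""
    findings = []
    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
    secured = "switchport port-security" in lines
    voice = any(l.startswith("switchport voice vlan") for l in lines)
    # IOS uses a maximum of 1 when no explicit value is configured
    maximum = next((int(l.split()[-1]) for l in lines if l.startswith("switchport port-security maximum ")), 1)
    if mode == "trunk" and secured:
        findings.append(f"{name}: port-security configured on a trunk port")
    if mode == "access" and not secured:
        findings.append(f"{name}: access port without port-security")
    if secured and voice and maximum < 2:
        findings.append(f"{name}: voice VLAN present but maximum is {maximum} (phone + PC need 2)")
    return findings

def audit_config(config):
    """Audit every interface in the excerpt and return all findings."""
    return [f for name, lines in parse_interfaces(config).items() for f in audit_interface(name, lines)]
```

Run it against the output of show running-config to get the same list of non-compliant ports for a real switch.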
# Verification Commands (Troubleshooting)
Q. Which command shows the port security status of all ports?
Switch# show port-security
Q. Which command shows the port security status of an individual port?
Switch# show port-security interface fastEthernet 0/1
Q. Which command clears the port security counters and dynamically learned secure addresses?
Switch# clear port-security all
Q. Which command shows the secure MAC addresses configured or learned on each port?
Switch# show port-security address
Q. Which command removes port security from an interface?
Switch(config-if)# no switchport port-security
Q. Which command shows the MAC addresses learned on each port?
Switch# show mac-address-table
