Configuring Port Security

October 9, 2016 | Views: 4944


Cisco switches offer a tool called port security. Using it, we can:

  • Limit who connects (based on layer 2 address)
  • Control how many can connect to a port
  • Set an action when a violation occurs


Port security is used to mitigate MAC flooding attacks and can prevent rogue devices from connecting to your network.

Before configuring it, we should look at the available modes and decide what we want to achieve:

  1. Note the ports that will be configured; port security is usually applied to the ports that connect end devices.
  2. What violation mode is appropriate for your network policy?
  3. How many devices are allowed on a given port? Be EXTRA CAREFUL at this step: if you allow too few you could deny access to a legitimate device, but if you allow too many you leave a security hole.


Port security has 3 violation modes:

  • Shutdown (default): the port shuts down; it can send an SNMP trap, creates a syslog message and increments the violation counter.
  • Restrict: The port ignores any packets from the rogue device, stays up, creates a syslog message and increments the violation counter.
  • Protect: This mode is similar to Restrict, but it does nothing to let you know that a violation occurred; the port stays up and ignores the offending device's packets.


Configuring Port Security

switch# configure terminal
switch(config)# interface fa0/1
! port security needs the port to be in access mode to function
switch(config-if)# switchport mode access
! this enables the feature
switch(config-if)# switchport port-security
! this configures the port to allow 1 device
switch(config-if)# switchport port-security maximum 1
! this configures the violation mode to shutdown
switch(config-if)# switchport port-security violation shutdown


What happened in the previous commands:


  • We go to interface configuration
  • Enable access mode (it is required for port security to function)
  • Enable the port security feature
  • Set the number of devices that can connect
  • Configure the violation mode

Note that you can even hard-code the MAC addresses of the devices you want to allow with the following command:

switch(config-if)# switchport port-security mac-address 1a2a.1ba1.a111

Here 1a2a.1ba1.a111 is an example of how to write the MAC address correctly.


Personally I believe it is better to hard-code the devices if they are not changing places on your network.


Always be careful with this feature! You can cause a denial of service if it is configured poorly!
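
A configuration audit for the planning points above, added here as an example (it is not part of the original article or any Cisco tooling): it reads IOS-style config text and flags access ports that lack port security, allow more MAC addresses than policy permits, or use the silent protect mode. The sample config, the function names and the max_allowed policy limit are assumptions; a missing maximum or violation line is treated as the default (maximum 1, violation shutdown).

```python
import re

# Constructed config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation protect
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    blocks = re.findall(r"^interface (\S+)[ \t]*\n((?:[ ].*\n?)*)", config, re.M)
    return {name: [c.strip() for c in body.splitlines()] for name, body in blocks}

def audit(config, max_allowed=1):
    """Return {access port: [findings]}; compliant ports are omitted."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # only end-device (access) ports are in scope
        text, findings = "\n".join(cmds), []
        # A missing maximum/violation line means the default (1, shutdown).
        m = re.search(r"^switchport port-security maximum (\d+)$", text, re.M)
        v = re.search(r"^switchport port-security violation (\w+)$", text, re.M)
        if "switchport port-security" not in cmds:
            findings.append("port security not enabled")
        else:
            if m and int(m.group(1)) > max_allowed:
                findings.append(f"maximum {m.group(1)} exceeds limit {max_allowed}")
            if v and v.group(1) == "protect":
                findings.append("protect mode: violations are not reported")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(findings))
```

Raising max_allowed for ports that legitimately carry several devices (for example a phone plus a PC) keeps the check from flagging them.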

  1. Good article. Is it possible to mitigate this type of attack on a domestic modem?

  2. Thnx for sharing…
