
Configuring Port Security


By: cybern4

October 9, 2016

Cisco switches offer a tool called port security. With it we can:
  • Limit who connects (based on layer 2 address)
  • Control how many can connect to a port
  • Set an action when a violation occurs
Port security is used to mitigate MAC flooding attacks and can prevent rogue devices from connecting to your network. Before configuring it we should look at the available modes and decide, before touching the switch, what we want to achieve:
  1. Note the ports that will be configured; usually port security is applied to the ports that connect end devices.
  2. Which violation mode is appropriate for your network policy?
  3. How many devices are allowed on a given port? Be EXTRA CAREFUL at this step: if you allow fewer than needed you deny access to a legitimate device, and if you allow more than needed you leave a security hole.
 
Port security has 3 violation modes:
  • Shutdown (default): when triggered, the port shuts down; it can send an SNMP trap, creates a syslog message and increments the violation counter.
  • Restrict: the port drops packets from the rogue device, stays up, creates a syslog message and increments the violation counter.
  • Protect: similar to Restrict, but it does nothing to notify you of the violation; the port stays up and silently drops the offending device's packets.
 

Configuring Port Security

switch# configure terminal
switch(config)# interface fa0/1
switch(config-if)# switchport mode access                      \ port security needs the port to be in access mode to function
switch(config-if)# switchport port-security                    \ this enables the feature
switch(config-if)# switchport port-security maximum 1          \ configures the port to allow 1 device
switch(config-if)# switchport port-security violation shutdown \ configures the violation mode to shutdown
 

What happened in the previous commands:
  • We enter interface configuration
  • Enable access mode (required for port security to function)
  • Enable the port security feature
  • Set the number of devices that can connect
  • Configure the violation mode
Note that you can even hard-code the MAC addresses of the devices you want to allow with the following command:
switch(config-if)# switchport port-security mac-address 1a2a.1ba1.a111   \ 1a2a.1ba1.a111 is an example of how to write the MAC address correctly
Personally I believe it is better to hard-code the devices if they are not changing places on your network. Always be careful with this feature! You can cause a Denial of Service if configured poorly!
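As an added example (not part of the original post), the following Python helper supports the planning steps above and the hard-coded MAC command: it converts a MAC address from colon or hyphen notation into the dotted form the command expects, and audits a running-config for access ports missing port security, reporting the effective maximum and violation mode (defaults of 1 and shutdown, as described above). The config text is constructed for this example, not taken from a real switch.

```python
import re

# Constructed sample running-config: one fully secured access port, one with
# only defaults, one access port left open, and one trunk that is out of scope.
SAMPLE_CONFIG = """
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 1a2a.1ba1.a111
interface FastEthernet0/2
 switchport mode access
 switchport port-security
interface FastEthernet0/3
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
"""

def normalize_mac(mac):
    """Rewrite 1A:2A:1B:A1:A1:11 or 1a-2a-1b-a1-a1-11 into the Cisco dotted
    form 1a2a.1ba1.a111 used by 'switchport port-security mac-address'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))

def audit_port_security(config):
    """Return {interface: finding} for every access port in the config.
    Unset maximum/violation fall back to the IOS defaults (1, shutdown)."""
    findings = {}
    for block in re.split(r"(?m)^interface ", config)[1:]:
        lines = block.strip().splitlines()
        name = lines[0].strip()
        body = [line.strip() for line in lines[1:]]
        if "switchport mode access" not in body:
            continue  # trunks and uplinks are outside this post's scope
        if "switchport port-security" not in body:
            findings[name] = "access port without port-security"
            continue
        maximum = next((int(line.split()[-1]) for line in body
                        if line.startswith("switchport port-security maximum")), 1)
        violation = next((line.split()[-1] for line in body
                          if line.startswith("switchport port-security violation")), "shutdown")
        findings[name] = f"secured: maximum {maximum}, violation {violation}"
    return findings

if __name__ == "__main__":
    for port, finding in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{port}: {finding}")
```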