Configure Cisco Port Security on Switches and Router interface

Cisco Port Security is a feature that helps secure access to the physical network. Any network admin's nightmare is an unauthorised device or PC connecting to the network. This could be as simple as an innocent guest plugging a laptop into a floor port hoping to get an internet connection, or a malicious intruder connecting to the network to gain access to confidential information.

Consequences could be as bad as

  • Virus, spyware or malware infection from an unprotected PC
  • A malicious hacker or intruder gaining access to the network
  • A malicious attacker launching a Denial of Service attack by flooding the switch with bogus source MAC addresses; once the MAC address table overflows the switch also starts flooding frames out of every port, so the attacker can sniff traffic that would otherwise never reach them

Cisco IOS has the port-security feature, which restricts which MAC addresses, and how many of them, can connect through each physical switchport.

Cisco Port-Security can help to

  • restrict the MAC address or addresses that can connect through a switchport [default: the MAC address of the first device that connects]
  • restrict the number of MAC addresses that can connect through a switchport [default is 1; the maximum is platform dependent, 128 on the switch shown in the examples below]
  • set an aging time, in minutes, for the registered MAC addresses
  • set the action to take when a violation is detected [default is to shut the port down (err-disabled) and send an SNMP trap to the SNMP management server, if any]

For a switch port to be security enabled,

  • the switchport cannot be a Trunk Port
  • the switchport cannot be a destination port for a Switchport Analyzer (SPAN)
  • the switchport cannot belong to an EtherChannel port-channel interface
  • the switchport cannot be an 802.1X port

If you try to enable 802.1X on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port, an error message appears, and the security settings are not changed.

To enable Port Security on a Cisco Switch or router interface

Enter the interface config mode (say fa0/1)

Switch# conf t

Switch(config)# interface fastethernet 0/1

Switch(config-if)# switchport mode access

This sets the switchport to access mode. A port in dynamic trunking mode (the default, "dynamic desirable" or "dynamic auto" depending on the platform) cannot be configured as a secure port.

Switch(config-if)# switchport port-security

This enables port security on the switchport with the defaults [1 MAC address allowed, learned from the first device that connects, port shut down (err-disabled) on violation].

If you know the MAC address of the device and it is the only device that connects to the switchport (for example, a server on a server-farm switch), then you can set the MAC address manually.

Switch(config-if)# switchport port-security mac-address 1111.2222.3333

Where 1111.2222.3333 is the MAC address of the server. With the default violation mode, the port is shut down (err-disabled) as soon as a frame arrives from any device other than the one with that MAC address.

If a switch or a hub (say a 12 or 24 port one) connects to the switchport you want to secure, then you can raise the maximum number of MAC addresses allowed on the port and, optionally, set the MAC addresses as well.

Switch(config-if)# switchport port-security maximum 12

This sets the maximum number of MAC addresses allowed on the secure port (the default is 1; the keyword can be abbreviated to "max"). If the hub carries more devices than this, the extra ones trigger the violation action.

One step further, if you want to manually add some or all of these MAC addresses, then specify each one with its own command:

Switch(config-if)# switchport port-security mac-address 0000.0000.0000

Switch(config-if)# switchport port-security mac-address 0000.0000.1111

If you need to allow several MAC addresses on the switchport but know that some or most of them are temporary (guest users or temporary workers), then you can set an aging time on the port security. MAC addresses learned on the secure switchport are deleted once the aging time expires. This avoids a situation where obsolete MAC addresses fill the table up to the maximum, so that the next new device triggers a violation.

Switch(config-if)# switchport port-security aging time 10

Where the time is specified in minutes (10 minutes above). By default aging is absolute (the entry is removed 10 minutes after it was learned, whether or not the device is still active) and applies only to dynamically learned addresses. "switchport port-security aging type inactivity" instead removes an entry only after it has been idle for that long, and "switchport port-security aging static" extends aging to the manually configured addresses as well.
 
Now you can set the action to be taken when there is a violation. The default is to shut the port down and mark it err-disabled.

For example,

Switch(config-if)# switchport port-security violation protect

Where protect is the action taken when a violation event is triggered.

The actions are

protect — Drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value. Nothing is counted, logged or trapped, so violations in this mode are invisible to monitoring.

restrict — Drops packets with unknown source addresses in the same way, but also increments the SecurityViolation counter, logs a syslog message and sends an SNMP trap. The port stays up and you still find out about the attempt.

shutdown (default) — Puts the interface into the error-disabled state immediately and sends an SNMP trap notification. To bring the port back, remove the offending device, then issue "shutdown" followed by "no shutdown" on the interface, or configure "errdisable recovery cause psecure-violation" globally so that the switch re-enables the port by itself after the recovery interval.
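The steps above, from "switchport mode access" to the violation mode, are easy to get wrong when typed by hand for dozens of ports, and the MAC address has to be in Cisco's dotted form even though Windows prints it with dashes. The following Python helper is an added example, not code from the article or from Cisco: it normalises a MAC address and renders the per-interface command lines described above, refusing combinations the switch would reject (a maximum below the number of static entries, an out-of-range aging time). The per-port limit of 128 is an assumption taken from the switch shown in this article, and the "sticky" option it can emit is a real IOS option that the article body does not cover.

```python
import re

# Cisco writes MAC addresses as three dotted groups of four hex digits, e.g. 001f.d010.62e9.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")
VIOLATION_MODES = ("protect", "restrict", "shutdown")


def to_cisco_mac(mac: str) -> str:
    """Normalise a MAC address into Cisco dotted form.

    Accepts the colon form (00:1f:d0:10:62:e9), the dash form that Windows
    ipconfig /all and getmac print (00-1F-D0-10-62-E9), and the dotted form.
    """
    hexdigits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not _HEX12.match(hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def port_security_config(interface, static_macs=(), maximum=None,
                         violation="shutdown", aging_minutes=None,
                         sticky=False, platform_max=128):
    """Return the IOS interface-mode lines that secure one access port.

    platform_max is an assumed per-port limit (128 on the switch shown in the
    article); the real ceiling depends on the switch model and IOS release.
    Defaults are left implicit, exactly as the article does: only settings
    that differ from 1 address / shutdown are emitted.
    """
    if violation not in VIOLATION_MODES:
        raise ValueError(f"violation must be one of {VIOLATION_MODES}")
    macs = [to_cisco_mac(m) for m in static_macs]
    if len(set(macs)) != len(macs):
        raise ValueError("duplicate static MAC address")
    if maximum is None:
        maximum = max(1, len(macs))
    # A maximum below the number of static entries would leave some of them
    # unconfigurable; above the platform limit the command is rejected.
    if maximum < len(macs):
        raise ValueError("maximum is smaller than the number of static MACs")
    if not 1 <= maximum <= platform_max:
        raise ValueError(f"maximum must be between 1 and {platform_max}")
    if aging_minutes is not None and not 0 <= aging_minutes <= 1440:
        raise ValueError("aging time is 0-1440 minutes")

    lines = [
        f"interface {interface}",
        " switchport mode access",      # dynamic/trunk ports cannot be secured
        " switchport port-security",     # enable with defaults: 1 MAC, shutdown
    ]
    if maximum != 1:
        lines.append(f" switchport port-security maximum {maximum}")
    if violation != "shutdown":
        lines.append(f" switchport port-security violation {violation}")
    if sticky:
        # Learned addresses are copied into the running config; this option
        # is not covered in the article body.
        lines.append(" switchport port-security mac-address sticky")
    for mac in macs:
        lines.append(f" switchport port-security mac-address {mac}")
    if aging_minutes is not None:
        lines.append(f" switchport port-security aging time {aging_minutes}")
    return lines


if __name__ == "__main__":
    # Server port: exactly one known device, default shutdown action.
    print("\n".join(port_security_config("FastEthernet0/1", ["00-1F-D0-10-62-E9"])))
    # Port feeding a 12-port hub of guest machines: 12 addresses, restrict, 10-minute aging.
    print("\n".join(port_security_config("FastEthernet0/2", maximum=12,
                                         violation="restrict", aging_minutes=10)))
```

The output is meant to be pasted into configuration mode; review it before applying, since the generator only checks the constraints listed above and knows nothing about whether the interface is a trunk, a SPAN destination or an EtherChannel member.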

To show the port-security status of an interface,

Switch# show port-security interface fastethernet 0/1
Security Enabled:Yes, Port Status:SecureUp
Violation Mode:Shutdown
Max. Addrs:5, Current Addrs:0, Configure Addrs:0

To display port-security info for all secure ports, without specifying an interface

Switch# show port-security
Secure Port      MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)        (Count)      (Count)
---------------------------------------------------------------------------
     Fa0/1           11            11            0            Shutdown
     Fa0/2           15            5             0            Restrict
     Fa0/3           5             4             0            Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128

To display the secure MAC address table

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0001.0001.0001    SecureDynamic       Fa0/1      15 (I)
   1    0001.0001.0002    SecureDynamic       Fa0/1      15 (I)
   1    0001.0001.0003    SecureConfigured    Fa0/1      16 (I)
   1    0001.0001.0004    SecureConfigured    Fa0/1      -
   1    0001.0001.0005    SecureConfigured    Fa0/1      -
   1    0005.0005.0006    SecureConfigured    Fa0/5      23
   1    0005.0005.0007    SecureConfigured    Fa0/5      23
   1    0005.0005.0008    SecureConfigured    Fa0/5      23
   1    0011.0011.0009    SecureConfigured    Fa0/11     25 (I)
   1    0011.0011.0010    SecureConfigured    Fa0/11     25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128

SecureDynamic entries were learned from traffic, SecureConfigured entries were entered manually. Remaining Age is the number of minutes until the entry is removed; (I) marks entries subject to inactivity aging, and entries with no age are static ones that do not age out.
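On more than a handful of switches nobody reads these tables by eye, and the two outputs above are what you would collect over SSH and check automatically. The following Python script is an added example, not part of the article: it parses the "show port-security" summary into records and flags the states worth a look, namely ports with a non-zero SecurityViolation count, ports whose CurrentAddr already equals MaxSecureAddr (the next unknown device trips the violation action), ports in protect mode (violations there leave no trace) and a system total close to the platform limit. The sample output is constructed for the example, modelled on the table above with a violation count added on Fa0/2.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the table above but with a violation count
# added on Fa0/2 so the audit has something to find.
SAMPLE_SHOW_PORT_SECURITY = """\
Secure Port      MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)        (Count)      (Count)
---------------------------------------------------------------------------
     Fa0/1           11            11            0            Shutdown
     Fa0/2           15            5             3            Restrict
     Fa0/3           5             4             0            Protect
---------------------------------------------------------------------------
Total Addresses in System: 20
Max Addresses limit in System: 128
"""

# One data row: interface, three counters, then the violation action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")
TOTAL = re.compile(r"Total Addresses in System:\s*(\d+)")
LIMIT = re.compile(r"Max Addresses limit in System:\s*(\d+)")


@dataclass
class SecurePort:
    name: str
    max_addrs: int
    current_addrs: int
    violations: int
    action: str


def parse_show_port_security(text):
    """Return ([SecurePort, ...], total_addresses, system_limit)."""
    ports, total, limit = [], None, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append(SecurePort(m.group(1), int(m.group(2)), int(m.group(3)),
                                    int(m.group(4)), m.group(5)))
            continue
        m = TOTAL.search(line)
        if m:
            total = int(m.group(1))
            continue
        m = LIMIT.search(line)
        if m:
            limit = int(m.group(1))
    return ports, total, limit


def audit(ports, total, limit, headroom=0.9):
    """Return (port, finding, detail) tuples for states worth a look."""
    findings = []
    for p in ports:
        if p.violations > 0:
            findings.append((p.name, "violation",
                             f"{p.violations} violation(s) recorded"))
        if p.current_addrs >= p.max_addrs:
            findings.append((p.name, "at-capacity",
                             f"{p.current_addrs}/{p.max_addrs} addresses; "
                             "next new MAC triggers the violation action"))
        if p.action == "Protect":
            findings.append((p.name, "silent-mode",
                             "protect drops offenders without counter, syslog or trap"))
    # headroom is an arbitrary threshold: warn when 90% of the system limit is used.
    if total is not None and limit and total >= headroom * limit:
        findings.append(("system", "near-limit",
                         f"{total}/{limit} secure addresses in use"))
    return findings


if __name__ == "__main__":
    ports, total, limit = parse_show_port_security(SAMPLE_SHOW_PORT_SECURITY)
    for port, kind, detail in audit(ports, total, limit):
        print(f"{port:8} {kind:12} {detail}")
```

Run against the sample it reports Fa0/1 as at capacity, Fa0/2 as having violations and Fa0/3 as running in silent protect mode. The column layout of "show port-security" varies slightly between IOS releases, so check the regular expression against your own switch's output before trusting it across a fleet.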

For more information, check this Cisco documentation

Comments

16 responses to “Configure Cisco Port Security on Switches and Router interface”

  1. Qasim

    It's great about port security, but I have been trying a lot on a simulator (Boson NetSim) and it doesn't work properly. What could the problem behind it be?

    Many thanks
    Regards

  2. Peter Kirk

    Switch# show port-security address is listed 2 times 😉

    Thx for article

  3. admin

    Thanks, sorted!

  4. Vairamohan

    It's very interesting, but I need to know which simulator is best to practice these things.

  5. redian

    Download Packet Tracer for the simulation.

    BTW, thanks a lot for the information.

  6. Manna

    interface FastEthernet0/8
    switchport access vlan 4
    switchport mode access
    switchport port-security
    switchport port-security mac-address 001f.d010.62e9

    Hi,
    I have the config as above, but sorry to say, it did not work! Any advice please.

  7. siowlim

    Whoever uses the Boson simulator is warned that the Boson simulator is full of bugs. I have personally owned one; it is completely useless and deceptive for Cisco learners. As a student you probably have trusted it. Unfortunately it is just the opposite of what you thought it was. Anyone who reads this, please warn your friends not to waste the money and time getting the Boson simulator.

  8. rohjit

    Nice solution, but how can I enable the err-disabled port state?

  9. JOE

    To enable, shut down the port and then give "no shut". Also ensure that the unwanted device has been removed from the port.

  10. Hari

    Cool info provided. Thanks so much...

  11. Iain Harper

    Can the same MAC addresses be put onto a number of ports on a Cisco 2950 and 3750 switch?

  12. Usman

    How can one configure multiple MAC addresses on all the switch ports?

  13. Ayanaw Hagos

    Could you please help me?
    I configured port security on the switch port:
    switchport access vlan ###
    switchport mode access
    switchport port-security
    switchport port-security mac-address sticky
    shut
    no shut

    After I cleared the port security, I used "show mac-address | include mac-address" to check if the MAC address is in multiple switch ports; it only shows the port address I am working on. Every time I disable port security, the error-disable clears up and the port is up. When I put the port security back, the error-disable comes up. I checked the fiber against a known good one to double-check the problem. I didn't change the NIC card yet, but I pinged 127.0.0.1 to check the NIC card, and the NIC card is good. Please help me.

  14. Vicky

    This article helps a lot, thanks.

    I did the config like

    Switch# conf t
    Switch(config)# interface fastethernet 0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport port-security

    Check the MAC of your computer using the "ipconfig /all" command or the "getmac" command, e.g. the MAC is 1111.2222.3333

    Switch(config-if)# switchport port-security mac-address 1111.2222.3333

    In Packet Tracer it takes 2-5 minutes to shut the desired port, so have patience to see the result.

  15. Ashish

    Why do I get this?

    Port-security not enabled on interface FastEthernet0/1

    What should I do?

  16. Babiano

    @Ashish I have also encountered the same problem before, but I found out that you have to activate the port-security first by typing this: switchport port-security.

    Best wishes to everyone here! ^_^
