Switchport Port Security Explained With Examples

By default, all switch ports operate in plug-and-play mode. This default behavior provides flexibility but at the cost of security. In an environment where all users are known to you, you can use a switch with the default configuration. However, using switches with default configuration in an office or company environment increases the security risks. Anyone can access unsecured network resources by simply connecting their device to any available switch port. Users can change their locations.

To block unauthorized access to switch ports, switches support a feature called port security. This feature allows you to configure which devices are allowed or blocked on each port. If you use this feature, the switch will allow only the authorized device to access the port. This tutorial explains how to configure, implement, and verify this feature.

Lab setup

Create a practice lab on Packet Tracer as shown in the following image. Packet Tracer is a network simulator software. It allows you to configure and test essential Cisco devices in a simulated environment.

Lab setup for Port Security

Assign static IP configurations to both PCs.

PC IP address Subnet mask
PC0 10.0.0.10 255.0.0.0
PC1 10.0.0.20 255.0.0.0

Assigning IP addresses

Assign the IP address 10.0.0.100 and subnet mask 255.0.0.0 to Server0.

Assigning an IP address to Server0

Accessing the CLI prompt

Access the switch's CLI prompt.

access command of switch in packet tracer

Viewing available port security commands

Port security works on an interface basis. You can secure each port individually. Enter interface configuration mode for the port you want to secure and run the following command.

switch(config-if)switchport port-security ?

switchport port-security command

The above command lists all available options for this command.

Securing ports

The port security feature does not work on three types of ports.

  1. Trunk ports
  2. Ether channel ports
  3. Switch port analyzer ports

Port security works only on the access port. An access port connects an end device to the switch. By default, all switch ports work in access mode. If a port’s mode is set to other than the access mode, use the following command to set it to the access mode again.

switch(config-if)#switchport mode access
Limiting the number of devices that can connect to a port

You can limit the number of hosts that can be attached to a port. The maximum limit is 132. The default is 1. You can set this limit to any value between 1 and 132. Use the following command to set this value.

switch(config-if)#switchport port-security maximum [value]
Assigning a specific port to an end device

Each end device has a unique MAC address. You can map this address to a switch port. After that, the port will allow incoming frames only from the mapped address. You have two options for mapping MAC addresses to switch ports: static and dynamic.

The static method is more secure than the dynamic method, but it requires more manual work. In this method, you manually map MAC addresses to switch ports using the following command.

switch(config-if)#switchport port-security mac-address [MAC Address]

In the dynamic method, you use the sticky feature. This feature enables an interface to automatically learn the MAC addresses of connected devices. Interface will learn MAC addresses until it reaches the maximum number of allowed hosts.

Access violation rules

Access violation rules specify the action the port takes when a violation occurs.

Protect:
This mode only works with the sticky option. In this mode, frames from non-allowed addresses would be dropped. It will not log dropped frames. The port will learn the address until it reaches the maximum allowed number. Any additional addresses learned would be dropped while keeping the interface operational.

Restrict:
In restrict mode, frames from non-allowed addresses would be dropped. But in this mode, the switch will log an entry and generate a security violation alert.

Shutdown:
In this mode, the switch generates a violation alert and disables the port. The only way to re-enable the port is to manually enter the no shutdown command. This is the default violation mode.

Example

In this topology, PC0 is connected to F0/1. Enter the following commands to secure the F0/1 port.

configure switchport port-security

The following table explains the above commands.

Command Description
Switch>enable Enter privilege exec mode
Switch#configure terminal Enter global configuration mode
Switch(config)#interface fastethernet 0/1 Enter interface mode
Switch(config-if)#switchport mode access Change the port mode to access port
Switch(config-if)#switchport port-security Enable port security feature on this port
Switch(config-if)#switchport port-security maximum 1 Set limit for hosts that can be associated with the interface. The default value is 1. Skip this command to use the default value.
Switch(config-if)#switchport port-security violation shutdown Set security violation mode to shutdown. The default mode is shutdown. Skip this command to use the default mode.
Switch(config-if)#switchport port-security mac-address sticky Enable the sticky feature.

Unless you manually assign a MAC address to a port, the port uses dynamic mapping. In dynamic mapping, incoming frames' MAC addresses are automatically mapped to the MAC addresses of allowed devices. The above configuration allows one device on the F0/1 port. The F0/1 port will associate the first learned MAC address with the allowed device. To view the currently learned or mapped address, you can check the CAM table entries.

show mac-address-table

A switch learns MAC addresses from incoming frames. Since this switch has received no frames so far, the CAM table is empty. PC0 is connected to F0/1. Generate frames from PC0. The switch will receive these frames on F0/1.

Open a command prompt on PC0 and run ping to test connectivity to Server0. The ping command sends frames to Server0.

Testing from PC0

Check the CAM table on the switch again.

show mac-address-table

One interesting thing that you may notice here is the type. Switch learns this address dynamically. However, it is showing as STATIC. This is because of the sticky option, which you used with the port security command. The sticky option automatically converts a dynamically learned address into a static address.

Switchport port security testing

This topology has one additional PC for testing. Let's suppose this PC belongs to an unauthorized person. He unplugged PC0 from the switch and attached his PC to F0/1. To simulate this scenario, remove the connection between PC0 and swtich’s F0/1 and create a new connection between PC1 and swtich’s F0/1 port.

remove connection in packet tracer

Send the ping request from PC1 to Server0.

ping command in packet tracer

PC1 did not get a response from Server0. This is because, when the F0/1 port receives frames from a new MAC address, it treats it as a violation and shuts down the port. You have three show commands to verify this on the switch.

The show port-security command

This command displays port security information for all interfaces on the switch.

The show port-security address command

This command displays statically configured or dynamically learned addresses that are enabled for port security.

The show port-security interface [port] command

This command displays port security information about the specific port.

verify port security

Resetting a port

To reset a port that is shut down due to a security violation, manually restart it from interface configuration mode.

restart interface

Conclusion

Port security is an essential security feature on switches. This tutorial explained the commands and configuration steps you need to secure switch ports. Learning these commands and configuration steps allows you to secure your network from unauthorized access.

ComputerNetworkingNotes CCNA Study Guide Switchport Port Security Explained With Examples

We do not accept any kind of Guest Post. Except Guest post submission, for any other query (such as adverting opportunity, product advertisement, feedback, suggestion, error reporting and technical issue) or simply just say to hello mail us ComputerNetworkingNotes@gmail.com