Port security

By default, all interfaces on a Cisco switch are enabled. This means that an attacker can plug into a wall jack and potentially compromise your network. If you know which devices are connected to which ports, you can use the Cisco port security feature. With port security, a network administrator can associate specific MAC addresses with an interface, preventing an unauthorized device from connecting through it. This lets you restrict access to an interface so that only authorized devices can use it. If an unauthorized device is connected, you can specify which action the switch takes, such as discarding the traffic or shutting down the port.


There are three steps to configuring port security:

1. Define the interface as an access interface with the switchport mode access interface subcommand.

2. Enable port security with the switchport port-security interface subcommand.

3. Specify which MAC addresses are allowed to send frames through this interface. Use the switchport port-security mac-address MAC_ADDRESS interface subcommand, or the switchport port-security mac-address sticky interface subcommand to dynamically learn the MAC address of the currently connected host.

Two further steps are optional:

1. Define the action the switch takes when it receives a frame from an unauthorized device, using the switchport port-security violation {protect | restrict | shutdown} interface subcommand. All three options discard traffic from the unauthorized device. The restrict and shutdown options also send a log message when a violation occurs. Shutdown mode additionally shuts down the port.

2. Define the maximum number of MAC addresses allowed on the port with the switchport port-security maximum NUMBER interface subcommand.

The following example shows the configuration of port security on a Cisco switch:

First, we must enable port security and specify which MAC addresses are allowed to send frames:
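The listing below is an added example of the configuration steps described above, not the page's own listing. It assumes host A is attached to FastEthernet0/1 and uses the constructed MAC address 0000.1111.2222; the interface name and MAC are placeholders, not values from the page.

```cisco
! Added example (not the page's own configuration). Assumes host A is on
! FastEthernet0/1; the MAC 0000.1111.2222 is a constructed sample value.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
! Step 1: port security is only accepted on access (or trunk) ports, not on
! ports still in dynamic negotiation mode
Switch(config-if)# switchport mode access
! Step 2: enable port security on the interface
Switch(config-if)# switchport port-security
! Step 3: allow only host A. Either pin the address statically ...
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
! ... or let the switch learn the first address it sees and keep it.
! Sticky addresses are written into the running-config; save it, or they
! are lost on reload and the next device to connect is learned instead.
! Switch(config-if)# switchport port-security mac-address sticky
! Optional step 1: shutdown (the default) err-disables the port on a
! violation; restrict drops the offending frames and logs; protect drops
! them silently, so it gives you no signal that an attempt was made.
Switch(config-if)# switchport port-security violation shutdown
! Optional step 2: one address is the default; shown explicitly here
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# end
Switch# copy running-config startup-config
```

For a port feeding an IP phone with a PC behind it, raise the maximum to 2 (or use the voice VLAN); leaving it at 1 would disable the port as soon as the second device sends a frame.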



Then the output of show port-security interface fa0/1 shows that the switch has learned host A's MAC address:

By default, the maximum number of MAC addresses allowed is one. So when we connect another host to the same port, a security violation occurs:

The err-disabled status indicates that a security violation occurred on the port.
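As an added example (not output from the page), the session below shows how an operator verifies the violation and recovers the port. It assumes the configuration from the earlier example (host A = 0000.1111.2222 on Fa0/1, violation mode shutdown); the second device's MAC 0000.3333.4444 and all command output are constructed, with field layout as IOS prints it but values chosen for the example.

```cisco
! Added example with constructed output. Assumes host A (0000.1111.2222)
! is the secure address on Fa0/1 and a second device, 0000.3333.4444,
! has just been plugged into the same port.
Switch# show port-security interface FastEthernet0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.3333.4444:1
Security Violation Count   : 1

! The offending address appears as Last Source Address and the violation
! counter is non-zero; the port itself is now err-disabled:
Switch# show interfaces status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/1                        err-disabled psecure-violation

! In shutdown and restrict mode the switch also emits a syslog message
! (%PORT_SECURITY-2-PSECURE_VIOLATION) naming the MAC and the port; that
! is the line to alert on from a central log collector.

! Manual recovery once the unauthorized device has been removed:
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end

! Alternatively, let the switch re-enable err-disabled ports on its own
! after a timer (here 5 minutes). If the unauthorized device is still
! attached, the port is simply disabled again on the next frame.
Switch# configure terminal
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
```

Automatic recovery keeps a misplugged printer from needing a help-desk ticket, but it also gives a persistent attacker a new window every interval, so pair it with the syslog alert rather than relying on the port state alone.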

