Port security

By default, all interfaces on a Cisco switch are turned on. That means that an attacker could connect to your network through a wall socket and potentially threaten your network. If you know which devices will be connected to which ports, you can use the Cisco security feature called port security. By using port security, a network administrator can associate specific MAC addresses with the interface, which can prevent an attacker from connecting a device. This way you can restrict access to an interface so that only the authorized devices can use it. If an unauthorized device is connected, you can decide what action the switch will take, for example discarding the traffic and shutting down the port.

To configure port security, three steps are required:

1. define the interface as an access interface by using the switchport mode access interface subcommand
2. enable port security by using the switchport port-security interface subcommand
3. define which MAC addresses are allowed to send frames through this interface by using the switchport port-security mac-address MAC_ADDRESS interface subcommand, or using the switchport port-security mac-address sticky interface subcommand to dynamically learn the MAC address of the currently connected host

Two steps are optional:

1. define what action the switch will take when receiving a frame from an unauthorized device by using the switchport port-security violation {protect | restrict | shutdown} interface subcommand. All three options discard the traffic from the unauthorized device. The restrict and shutdown options also send a log message when a violation occurs. The shutdown mode additionally shuts down the port (it is the default).
2. define the maximum number of MAC addresses that can be used on the port by using the switchport port-security maximum NUMBER interface subcommand
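The five steps above as one Cisco IOS session. This is an added example, not the configuration from the original page; the interface FastEthernet0/1 and the MAC address 0000.1111.2222 are constructed placeholders, and the switch name is assumed.

```cisco
! Added example (not from the original page): port security on FastEthernet0/1.
! Assumptions: the authorized host on this port has MAC 0000.1111.2222
! (a constructed placeholder) and the switch runs Cisco IOS.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
! Step 1: the port must be a static access port; IOS rejects port security
! on a port whose switchport mode is still dynamic (DTP negotiation).
Switch(config-if)# switchport mode access
! Step 2: enable the feature on the interface.
Switch(config-if)# switchport port-security
! Step 3 (static): allow exactly this MAC address to send frames here.
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
! Step 3 (sticky alternative, use instead of the static line above):
! the switch learns the first MAC it sees and writes it into running-config;
! save with "copy running-config startup-config" so it survives a reload.
! Switch(config-if)# switchport port-security mac-address sticky
! Optional step 4: violation action. shutdown (the default) drops the frame,
! logs it and err-disables the port; restrict drops and logs without
! disabling; protect drops silently.
Switch(config-if)# switchport port-security violation shutdown
! Optional step 5: limit the number of secure MAC addresses (1 is the default,
! set explicitly here so the intent is visible in the configuration).
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# end
Switch# copy running-config startup-config
```

Choosing shutdown rather than protect is the defender-friendly default: protect silently discards frames, so a second device plugged into the socket would never show up in the logs.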

The following example shows the configuration of port security on a Cisco switch:

[Figure: port security topology]

First, we need to enable port security and define which MAC addresses are allowed to send frames:

[Figure: configuring port security]

Next, by using the show port-security interface fa0/1 command, we can see that the switch has learned the MAC address of host A:

[Figure: show port-security interface command output]

By default, the maximum number of allowed MAC addresses is one, so if we connect another host to the same port, a security violation will occur:

[Figure: interface in err-disabled state]

The status code err-disabled means that a security violation occurred on the port.

To enable the port, we need to use the shutdown and no shutdown interface subcommands.
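The verification and recovery part of the example above as a Cisco IOS session. This is an added example, not the page's own figures; FastEthernet0/1 and the switch name are assumptions, and the 300-second recovery interval is the IOS default shown here for illustration.

```cisco
! Added example (not from the original page): inspecting a port after a
! violation and re-enabling it. Interface name is an assumption.
Switch# show port-security interface FastEthernet0/1
! Fields worth reading: "Port Status" (Secure-up vs Secure-shutdown),
! "Violation Mode", "Maximum MAC Addresses", "Total MAC Addresses",
! "Last Source Address:Vlan" (the MAC that triggered the violation) and
! "Security Violation Count".
Switch# show port-security address
! Lists every secure MAC address with its type (SecureConfigured,
! SecureSticky or SecureDynamic) and the port it is bound to.
Switch# show interfaces status err-disabled
! Lists err-disabled ports with the reason, psecure-violation in this case.
! Manual recovery: after the unauthorized device is unplugged, bounce the port.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit
! Optional automatic recovery: let the switch re-enable ports err-disabled by
! a port-security violation after a timer instead of waiting for an admin.
! Keep the log messages from the violation mode so the event is still visible.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
```

Automatic recovery is convenient on access ports, but if the offending device is still connected the port will simply be disabled again at the next interval, so the show commands above are the place to start before bouncing anything.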