In order to control what machines are plugged into your network, Cisco introduced the “switchport port-security” command.
In this tutorial I’m going to explain how to use this command and the different options available with it.
Below is the breakdown of the commands I used in the live demo, and an explanation of each.
AOIP.ORG_Switch# terminal monitor
Since I was connected to my switch via telnet, and I knew there were going to be messages from the switch, I needed to configure terminal monitor so that these messages would be sent to my telnet session. By default, when connected to a Cisco device via telnet or ssh, no messages are displayed to your terminal.
AOIP.ORG_Switch(config)# interface fa0/6
Enter the interface on which I wish to configure port security.
AOIP.ORG_Switch(config-if)# switchport mode access
In order for port security to be used, the port MUST be an access port; this command sets that.
AOIP.ORG_Switch(config-if)# switchport port-security
This enables the port security feature, and allows me to define the commands below.
AOIP.ORG_Switch(config-if)# switchport port-security maximum 1
I have chosen to allow only 1 mac address to be learned on this port. If at any point more than 1 mac address is discovered, the violation action I define will come into effect.
AOIP.ORG_Switch(config-if)# switchport port-security mac-address aaaa.bbbb.cccc
I have further secured the switch port by defining what mac address is allowed to be learned on this port. If a machine is plugged into this port that does NOT have this mac-address, the violation action will take effect.
AOIP.ORG_Switch(config-if)# switchport port-security violation shutdown
I have 3 choices when defining the violation action:
1. protect – The switch will drop packets until the violation has been removed
2. restrict – This is the same as protect, however it also causes the Security/Violation counter to increment
3. shutdown – This will put the interface into an error-disabled state and send an SNMP trap notification
I have chosen the harsher of the options, and the port will be shut down if either of my conditions is violated (more than 1 mac address is learned on the port, or the one mac address learned is not aaaa.bbbb.cccc).
AOIP.ORG_Switch(config-if)# exit
Exit interface mode
AOIP.ORG_Switch(config)# exit
Exit global configuration mode
AOIP.ORG_Switch# show port-security interface f 0/6
The first time I run this command in the live demo below, there are no violations recorded. Shortly afterwards, I plugged a device into port f0/6 that DID NOT have the mac address aaaa.bbbb.cccc which caused a violation. You will notice I received error messages on screen (thanks to terminal monitor), and when I run the show port-security command again, you will notice the violation count has incremented.
Additional commands I could have used are:
AOIP.ORG_Switch(config-if)# switchport port-security aging time 5
If you have configured the switch to allow 5 mac addresses to be learned dynamically, those addresses will be kept in the database until the aging time has expired. This command sets the aging time to 5 minutes, which overrides my switch’s default value of 20 minutes.
AOIP.ORG_Switch(config-if)# no switchport port-security aging
This will DISABLE the aging time.
In order to reactivate a port that has been put into the ‘error-disabled’ state, shut the port and then no shut it. If the violation has not been removed, the port will revert back to error-disabled.
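To check that every access port actually carries the settings walked through above, here is an added example (mine, not from the post or from Cisco) that parses a constructed IOS running-config and flags access ports with no port-security, with the silent ‘protect’ violation mode, or with no static mac address defined. The sample config and the default values of maximum 1 and violation shutdown are assumptions stated in the comments.

```python
import re
# Constructed sample running-config modelled on the post's commands, not captured from a real switch.
SAMPLE_CONFIG = """\
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address aaaa.bbbb.cccc
 switchport port-security violation shutdown
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation protect
interface FastEthernet0/8
 switchport mode access
"""

def parse_config(text):
    """Collect per-interface port-security settings from an IOS running-config."""
    ports, cur = [], {"macs": []}  # throwaway dict absorbs global lines before the first interface
    for cmd in (line.strip() for line in text.splitlines()):
        if cmd.startswith("interface "):
            # IOS defaults once "switchport port-security" is entered: maximum 1, violation shutdown
            cur = {"name": cmd.split(None, 1)[1], "access": False, "enabled": False,
                   "maximum": 1, "violation": "shutdown", "macs": []}
            ports.append(cur)
        elif cmd == "switchport mode access":
            cur["access"] = True
        elif cmd == "switchport port-security":
            cur["enabled"] = True
        elif m := re.fullmatch(r"switchport port-security (maximum|violation|mac-address) (\S+)", cmd):
            key, val = m.groups()
            if key == "mac-address":
                cur["macs"].append(val)
            else:
                cur[key] = int(val) if key == "maximum" else val
    return ports

def audit(ports):
    """Return (interface, finding) pairs for access ports whose port-security is missing or weak."""
    findings = []
    for p in (q for q in ports if q["access"]):  # the feature only applies to access ports
        checks = [(not p["enabled"], "access port without port-security"),
                  (p["enabled"] and p["violation"] == "protect", "violation 'protect' drops frames but never increments the violation counter"),
                  (p["enabled"] and not p["macs"], f"no static MAC: the first {p['maximum']} device(s) plugged in are accepted")]
        findings += [(p["name"], msg) for hit, msg in checks if hit]
    return findings
```

Run `audit(parse_config(SAMPLE_CONFIG))`: FastEthernet0/6 passes cleanly, while FastEthernet0/7 and FastEthernet0/8 each produce findings.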
Below is the live demo.