How to Configure Port Security on Cisco Switch

Cisco is a technology company known around the world. Cisco provides a wide range of hardware and services, such as routers, switches, firewalls, access points, security solutions, cloud solutions, next-generation firewalls, and so on.

Today, we will guide you on how to configure port security on a Cisco switch. First, you may need to know what switching is. What is a switch? A switch is a network device configured to connect and maintain communication channels between the various devices used for IT operations in a company. You can connect many devices, such as computers, laptops, access points, servers, routers, other switches, and firewalls, to a switch. When you connect a device, the switch detects and uses its MAC address to identify the device and provide it with the requested service. If you want the ports those devices are connected to be secure, you need to enable port security on your switch.


What is Port Security on Cisco Switch?

Port security on a Cisco switch is a security feature that protects the Application Centric Infrastructure (ACI) fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per switch port. For security reasons, configuring port security on your switch is necessary.

Enabling port security on a Cisco switch helps ensure that data authenticity, integrity, and confidentiality are maintained.

How to Configure Port Security on Cisco Switch

Before you start configuring port security on your switch, you need to prepare and list what you have to do on your Cisco switch. We recommend that you brainstorm and draw a diagram with the details. Our prerequisites list and diagram for configuring port security are as follows:

Prerequisite

  • SSH terminal (for example PuTTY) to log in to your switch
  • Cisco switch (make sure the switch model you have supports port security)
  • FastEthernet 0/15 as the port to be configured with port security
  • PC for testing after applying the configuration

In this article, you will learn how to enable port security on a Cisco switch from the command line, step by step:

[Step 1] – Enable Port Security on Switch Port

  • Log in to the Cisco switch using terminal software (PuTTY or other) over SSH (Secure Shell).
  • After logging in to your switch successfully, the terminal prompt will appear.
  • Turn FastEthernet 0/15 into an access port. First, go to global configuration mode by entering the command “enable” and then the command “configure terminal”. Access interface FastEthernet 0/15 with the command “interface fastEthernet 0/15”, then change the port to access mode with the command “switchport mode access”.
  • Enable port security on FastEthernet 0/15 with the command “switchport port-security”, then leave the interface with the command “exit”.

[Step 2] – Allow the switch port to learn new MAC addresses

When you enable this command in port security, the switch port observes the source MAC addresses of incoming frames on the configured port and dynamically learns and saves them to memory. So that port will learn the MAC addresses of the devices connected to it. To enable this command, follow the guideline below:

  • Access interface FastEthernet 0/15 with the command “interface fastEthernet 0/15”, then enter the command “switchport port-security mac-address sticky”, then leave the interface with the command “exit”.

Note: In this mode, the switch port learns every MAC address that connects to it and stores it in memory. If you want to limit the port to specific MAC addresses, or increase the number of MAC addresses it accepts, follow the next steps.

[Step 3] – Increase the number of MAC addresses that can connect to the switch port

After you enable port security on the switch port (#switchport port-security), that port allows only 1 MAC address by default. For example, you connect computer A to port FastEthernet 0/15 and it works fine; then you unplug it. Now, when you plug computer B into port FastEthernet 0/15, it will not work anymore, because port security allows only 1 MAC address. You can increase the number of MAC addresses allowed on the port with the method below. Here we will allow 3 MAC addresses to connect on interface FastEthernet 0/15.

  • Access interface FastEthernet 0/15 again, use the command “switchport port-security maximum 3”, then leave the interface with the command “exit”.

[Step 4] – Configure Specific MAC address to a Switch port

When you enable this command in port security, the switch port allows only the specified MAC address. So, if you want that port to work with only one reserved MAC address, use the command line below:

  • Access interface FastEthernet 0/15 again, use the command “switchport port-security mac-address 123a.456b.789c”, then leave the interface with the command “exit”.

[Step 5] – Enable Violation Action

A violation action is also configured to protect the switch port. It protects the port with one of three modes when more MAC addresses connect than the configured maximum allows (see Step 3). So we choose one of the three modes below to take effect when the maximum number of MAC addresses is exceeded.

  1. Restrict Mode: When you enable this mode on switch port security and the port is violated, all data transfer is blocked and all packets are dropped.
  2. Shutdown Mode: This is the default. On a violation, the port state changes to error-disabled, which prevents the connected devices from performing any action. The port is then shut down (disabled).
  3. Protect Mode: When you enable this mode, only data packets from the defined MAC addresses are forwarded within the network. This means the switch port permits traffic from known MAC addresses to continue while dropping traffic from unknown MAC addresses.

To enable the violation action on the Cisco switch, use the command line as described below.

  • Access interface FastEthernet 0/15 again, use one of the commands “switchport port-security violation protect”, “switchport port-security violation restrict” or “switchport port-security violation shutdown”, then leave the interface with the command “exit”.

To get a good understanding of the description above, see the following configuration applied to the switch in Packet Tracer.

[Step 6] – Verify Configuration

Now you have applied the port security configuration on the Cisco switch. To make sure it works as intended, verify the configuration with the command line below:

  • Stay in privileged mode and use the command “show port-security address”. You will then see the details of the configuration you applied above.
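As an added example (not part of the original article), the following Python audit checks a saved copy of “show running-config” for the settings from Steps 1 to 5 on every access port, so a missing “switchport port-security” line on some other port does not go unnoticed. The running-config excerpt, the policy maximum of 3 and the function names are constructed for this example.

```python
"""Audit Cisco IOS interface stanzas for the port-security settings from Steps 1-5."""
import re

# Constructed running-config excerpt (not captured from a real switch):
# Fa0/15 is configured as in the article, Fa0/16 is an access port left
# without port security, Gi0/1 is a trunk and is out of scope.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/15
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface FastEthernet0/16
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def parse_interfaces(running_config: str) -> dict:
    """Return {interface name: [sub-commands]} for every 'interface' stanza."""
    stanzas, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(maxsplit=1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return stanzas

def audit_port_security(running_config: str, max_allowed: int = 3) -> dict:
    """Findings per access port; an empty list means the port passes the policy."""
    findings = {}
    for name, cmds in parse_interfaces(running_config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and routed ports are not covered by this check
        issues = []
        if "switchport port-security" not in cmds:
            issues.append("port-security not enabled")            # Step 1
        if "switchport port-security mac-address sticky" not in cmds:
            issues.append("sticky MAC learning not enabled")       # Step 2
        maximum = 1  # IOS default when no 'maximum' line is configured
        for c in cmds:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", c)
            if m:
                maximum = int(m.group(1))
        if maximum > max_allowed:
            issues.append(f"maximum {maximum} exceeds policy {max_allowed}")  # Step 3
        if not any(c.startswith("switchport port-security violation ") for c in cmds):
            issues.append("no explicit violation action (default shutdown applies)")  # Step 5
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_port_security(SAMPLE_RUNNING_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```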

FAQs

How many port levels of port security are in the Cisco switch?

There are three port levels in port security: port security timeout, port security violation action, and maximum endpoints.

Can we configure port security by using the GUI?

Yes, you can. Nowadays, Cisco builds web interfaces for accessing its products, such as switches and routers. You can log in to your switch and configure port security through the graphical user interface. So you do not need command-line skills; you simply apply the configuration by clicking the options you need.

How many MAC addresses can allow in port security?

Port security does not limit the number of MAC addresses you can allow on a switch port. But I don’t think you need to allow many MAC addresses per switch port if you are focused on the security of your network infrastructure. A few MAC addresses per switch port should be enough. If you do want more, just add them using the command line in Step 3.

Why do we need to configure port security?

Because we want our network infrastructure to be secure. For example, if you do not configure port security on your switch ports, anyone can connect a computer or laptop to any port on your switch. When you apply a port security configuration, only the allowed computers or laptops can use those switch ports. If someone tries to hack in by connecting to one of your switch ports, that port will be blocked and shut down. This is a kind of security that you need to know about and should practice in your network operations.
