
Cisco Switch Port Security Configuration and Best Practices https://www.networkstraining.com/cisco-switch-port-security-c...


Cisco Switch Port Security Configuration and Best Practices


Written By Harris Andrea


Introduction
One of the best practices in network security is to try and stop security threats from the entry-point of a LAN network.

This means that the switch can play an important role in network security since it’s the entry-point of the network.

For example, port-security on Cisco switches can be used to stop MAC-flooding attacks or to prevent unauthorized
hosts from connecting to the switch.

In a MAC-flooding attack, an attacker connects a laptop to an empty switch port or an unused RJ45 wall socket and uses
tools to generate millions of Ethernet frames with fake source MAC addresses, sending them to the switch interface.

The switch will learn these MAC addresses, and once it reaches its MAC address learning limit it will start flooding all
traffic out of all of its ports (i.e. it will start behaving like a hub).

This means that the attacker can capture the traffic from connected devices.

The solution to this kind of attack (and to other Layer 2 attacks) is easy and simple. It’s called Port Security, and
you can use it to limit the number of MAC addresses per interface, or even to specify which MAC address is allowed to
connect to each physical port of the switch.

Configuration of Port Security


Let’s now see the basic port-security configuration on Cisco switches.

I will be using a Cisco 3560 switch running IOS version 15.0 for this tutorial.

TestSwitch#show version
Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE7, RELEASE SOFTWARE (fc1)

Setting MAC address limits per port


Below is an example of Port Security where only one MAC address is allowed on interface g0/1.

TestSwitch(config)#int g0/1
TestSwitch(config-if)#switchport mode access
TestSwitch(config-if)#switchport port-security
TestSwitch(config-if)#switchport port-security maximum 1

Now, interface g0/1 is allowed to learn only one MAC address. If this interface sees frames from any additional MAC
address, it will go into the err-disabled state.


Setting MAC address filtering per port


Besides setting a maximum limit on the number of MAC addresses, you can also use port security to filter MAC
addresses. In the following example I configured port security so it only allows MAC address f1d3.2c9f.abdc.ccba to
connect to the specific port of the switch.

TestSwitch(config)#int g0/1
TestSwitch(config-if)#switchport mode access
TestSwitch(config-if)#switchport port-security
TestSwitch(config-if)#switchport port-security mac-address f1d3.2c9f.abdc.ccba

Any device with a different MAC address will violate the rule and the interface will go into the err-disabled state.

You will see messages like the ones below when a violation occurs.

%PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f02d.3f4e.2dcc on port GigabitEthernet0/1.

As you can see from the log messages above, a device with MAC address f02d.3f4e.2dcc violated the port-security rule
and the interface went into the err-disabled state.
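As an added example that is not part of the original article, here is a small Python parser for the two syslog messages shown above. It correlates the PSECURE_VIOLATION message (long interface name, offending MAC) with the ERR_DISABLE message (short interface name) per port, so a log collector can tell which ports were actually shut down; the sample log lines and their timestamp/hostname prefix are constructed.

```python
import re

# Constructed syslog sample modelled on the two messages quoted in the article; the
# "Oct 20 ... TestSwitch" prefix assumes a typical relayed-syslog format.
SAMPLE_LOG = """\
Oct 20 12:05:01 TestSwitch %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f02d.3f4e.2dcc on port GigabitEthernet0/1.
Oct 20 12:05:01 TestSwitch %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
Oct 20 12:07:44 TestSwitch %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/7.
Oct 20 12:09:00 TestSwitch %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")

def short_ifname(name):
    """Map the long interface name used in the violation message ('GigabitEthernet0/1')
    to the abbreviated form used in the err-disable message ('Gi0/1')."""
    for long, short in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
                        ("FastEthernet", "Fa")):
        if name.startswith(long):
            return short + name[len(long):]
    return name

def parse_port_security_events(log_text):
    """One record per port: the MAC addresses that violated port-security and whether
    the port was err-disabled. A violation with no matching ERR_DISABLE line means the
    port kept forwarding, which is consistent with the 'restrict' violation mode."""
    events = {}
    for line in log_text.splitlines():
        if m := VIOLATION_RE.search(line):
            rec = events.setdefault(short_ifname(m.group(2)),
                                    {"violating_macs": [], "err_disabled": False})
            if m.group(1) not in rec["violating_macs"]:
                rec["violating_macs"].append(m.group(1))
        elif m := ERRDISABLE_RE.search(line):
            rec = events.setdefault(m.group(1), {"violating_macs": [], "err_disabled": False})
            rec["err_disabled"] = True
    return events

if __name__ == "__main__":
    for port, rec in parse_port_security_events(SAMPLE_LOG).items():
        print(port, rec)
```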

Setting MAC address filtering with sticky command


There is another very useful way to filter MAC addresses. Instead of typing in a MAC address manually, you can use
the “sticky” command.

With this command, the switch learns the first MAC address seen on the interface and saves it as the secure address for port security.

First you have to remove the existing command (if you have configured manual MAC filtering):

TestSwitch(config-if)#no switchport port-security mac-address f1d3.2c9f.abdc.ccba


TestSwitch(config-if)#switchport port-security mac-address sticky

To see which MAC address has been learned (“stuck”) on the interface, use the “show run interface” command:

TestSwitch#sh run int g0/1
Building configuration...

Current configuration : 544 bytes
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security aging time 15
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky f02d.3f4e.2dcc

As you can see from above, the switch has learned MAC address f02d.3f4e.2dcc and from now on only this address
will be allowed to connect to this port.


Verification Commands
You can see the switch ports which have entered into error-disabled state (because of security violation) with the
following command:

TestSwitch#show int status err-disabled

Port      Name               Status       Reason               Err-disabled Vlans
Gi0/1                        err-disabled psecure-violation

You can also verify this with the “show interface g0/1” command:

TestSwitch#sh int g0/1

GigabitEthernet0/1 is down, line protocol is down (err-disabled)

To take this interface out of the err-disabled state, unplug the offending device and then run “shutdown” followed by
“no shutdown” on the interface:

TestSwitch(config)#int g0/1
TestSwitch(config-if)#shut
TestSwitch(config-if)#no shut

To verify, run “show interface status err-disabled” or “show interface g0/1” again.

Recovering from error-disabled state


You can also set an automatic recovery on a switch-port with the following commands:

TestSwitch(config)#errdisable recovery cause psecure-violation


TestSwitch(config)#interface g0/1
TestSwitch(config-if)#switchport port-security aging time 15

After 15 minutes the interface g0/1 will automatically recover from err-disable state. Make sure in these 15 minutes
you solve the problem because otherwise it will have another violation and the interface will end up in err-disable state
again.

And don’t forget to enable automatic recovery in global configuration mode with the “errdisable recovery cause psecure-violation” command.

Other Port Security Commands


TestSwitch(config-if)#switchport port-security violation ?
  protect   [Security violation protect mode]
  restrict  [Security violation restrict mode]
  shutdown  [Security violation shutdown mode]

There are three actions a port can take when a violation occurs on the interface. These options are
“shutdown” (the default), “protect” and “restrict”.

Protect: Frames from MAC addresses that are not allowed on the port are dropped, but no log message is generated.

Restrict: Frames from MAC addresses that are not allowed on the port are dropped, a log message is generated and an
SNMP trap is sent.

Shutdown: This is the default action. If the interface receives frames from a MAC address that is not allowed, the
interface goes into the err-disable state and is effectively shut down. A log message is generated and an SNMP trap is
sent. To recover, you have to re-enable the interface manually or configure automatic recovery.
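As an added example that is not part of the article, the following Python audit parses a running-config excerpt (a constructed sample, not the tutorial’s switch) and reports, for each access port, whether port-security is enabled, the maximum MAC count and the violation mode in effect, filling in the IOS defaults (maximum 1, violation shutdown) when a setting is not explicit. It flags access ports without port-security and ports in protect mode, which drop frames without any log message or SNMP trap.

```python
import re

# Constructed running-config excerpt (not from the article); names and settings are invented.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
!
interface GigabitEthernet0/3
 switchport mode access
!
"""

def parse_interfaces(config):
    """Split a running-config into {interface name: [its indented config lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other unindented line ends the block
    return blocks

def audit_port_security(config):
    """Per access port: effective port-security settings (IOS defaults filled in) plus issues."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunk and routed ports are out of scope for this access-port check
        f = {"interface": name, "enabled": "switchport port-security" in lines,
             "maximum": 1, "violation": "shutdown", "issues": []}  # defaults: 1 MAC, shutdown
        for l in lines:
            if m := re.fullmatch(r"switchport port-security maximum (\d+)", l):
                f["maximum"] = int(m.group(1))
            elif m := re.fullmatch(r"switchport port-security violation (\w+)", l):
                f["violation"] = m.group(1)
        if not f["enabled"]:
            f["issues"].append("access port without port-security")
        elif f["violation"] == "protect":
            f["issues"].append("protect mode drops frames silently (no log, no SNMP trap)")
        findings.append(f)
    return findings
```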

sami says
August 3, 2016 at 9:10 pm

Hi,
thank you so much.
I think if you add a topology to the lesson, maybe it is easier.
