Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Switchport port security explained with examples
1. Switchport Port Security Explained With Examples
This tutorial explains Switchport security modes (Protect, Restrict and Shutdown), sticky address, mac
address, maximum number of hosts and Switchport security violation rules in detail with examples.
Learn how to secure a switch port with Switchport security feature step by step.
Anyone can access unsecure network resources by simply plugging his host into one of our available
switch ports. A user can also change his physical location in LAN network without telling the admin.
You can secure layer two accesses as well as keep users in their tracks by using port security feature.
To explain Switchport port security modes and commands, I will use packet tracer network simulator
software. You can use any network simulator software or can use a real Cisco switch to follow this
guide. There is no difference in output as long as your selected software contains the commands
explained in this tutorial.
Create a simple practice lab as shown in following figure.
If require, you can download the latest as well as earlier version of Packet Tracer from here. Download
Packet Tracer
Click PC0 and Click Desktop and Click IP Configuration and select Static from radio options and assign
the IP address (10.0.0.10) and subnet mask (255.0.0.0)
2. Follow same process to assign IP address (10.0.0.20) and subnet mask (255.0.0.0) to PC1.
Click Server0 and click Desktop and click IP Configuration and select Static from radio options and
assign IP address (10.0.0.100) and subnet mask (255.0.0.0)
That's all initial configuration we need to understand the switch port security.
How to configure port security
To configure port security we need to access the command prompt of switch.
Click Switch and click CLI and press Enter Key.
Port can be secure from interface mode. Use enable command to move in Privilege Exec mode. From
Privilege Exec mode use configure terminalcommand to enter in Global Configuration mode. From
global configuration mode enter in specific interface.
3. Following figure illustrates available commands for port security.
How to enable switchport port-security
Port security is disabled by default. switchport port-security command is used to enables it.
Port security feature does not work on three types of ports.
Trunk ports
Ether channel ports
Switch port analyzer ports
Port security work on host port. In order to configure port security we need to set it as host port. It
could be done easily by switchport mode accesscommand.
switchport port-security limit maximum number of hosts
According to our requirements we can limit the number hosts that can be associated with an interface.
We can set this limit anywhere from 1 to 132. Maximum number of devices that can be associated with
the interface is 132. By default it is set to 1. switchport port-security maximum valuecommand will set
the maximum number of hosts.
switchport port-security mac address
We have two options static and dynamic to associate mac address with interface.
In static method we have to manually define the exact mac address of host with switchport port-security
mac-address MAC_address command. This is the most secure method but requires a lot of manual
works.
4. In dynamic method we use sticky feature that allows interface to learn mac address automatically.
Interface will learn mac addresses until it reaches maximum number of allowed hosts.
switchport port-security violation
We need to specify what action; it should take in security violation. Three possible modes are available:
Protect: - This mode will only work with sticky option. In this mode frames from non-allowed address
would be dropped. It will not make log entry for dropped frames. Interface will learn address until it
reach maximum allowed number. Any additionally learned addresses would be dropped while keeping
interface operational.
Restrict: - In restrict mode frames from non-allowed address would be dropped. But in this mode,
switch will make a log entry and generate a security violation alert.
Shutdown: - In this mode switch will generate the violation alert and disable the port. Only way to re-
enable the port is to manually enter no shutdowncommand. This is the default violation mode.
switchport port security example
In our topology PC0 is connected with F0/1 port of switch. Enter following commands to
secure F0/1 port.
Following table explains above commands in detail
Command Description
Switch>enable Move in privilege exec mode
Switch#configure terminal Move in global configuration mode
Switch(config)#interface fastethernet 0/1 Move in interface mode
Switch(config-if)#switchport mode access Assign port as host port
Switch(config-if)#switchport port-security Enable port security feature on this port
Switch(config-if)#switchport port-security maximum 1 Set limit for hosts that can be associated with interface. D
Switch(config-if)#switchport port-security violation shutdown Set security violation mode. Default mode is shutdown. Sk
Switch(config-if)#switchport port-security mac-address sticky Enable sticky feature.
5. We have successfully secured F0/1 port of switch. We used dynamic address learning feature of interface.
Switch will associate first learned mac address (on interface F0/1) with this port. You can check MAC
Address table for currently associated address.
So far no mac address is associated with F0/1 port. Switch learns mac address from incoming frames.
We need to generate frame from PC0 that would be receive on F0/1 port of switch. ping command is
used to test the connectivity between two hosts. In our scenario we have connectivity between server
and pc. We can use this utility to generate frames from PC0.
To access command prompt of PC0 click PC0 and click Desktop menu item and click Command
Prompt. Use ping command to generate frames.
7. One interesting thing that you may notice here is the type. Switch learns this address dynamically but it
is showing as STATIC. This is the magic of sticky option, which we used with port security command.
Sticky option automatically converts dynamically learned address in static address.
Switchport port security testing
In our topology we have one additional PC. Assume that, this is the cracker's PC. To gain unauthorized
access in network he unplugged the Ethernet cable from pc (PC0) and plugged in his pc (PC1).
8. Click red X button on the right hand partition of packet tracer window and place the X over the
connection between Switch and PC0. This will remove the connection.
Click lightning bolt button on the bottom left-handed corner and click copper straight–through
connection.
Click PC1 and select FastEthernet port. Next click Switch and select the same F0/1 port.
From the command prompt of PC1 try to ping the Server IP.
9. What happened this time? Why ping command did not get response from server? Because switch
detected the mac address change and shutdown the port.
Verify port security
We have three commands to verify the port security
show port-security
This command displays port security information about all the interfaces on switch.
show port-security address
Display statically defined or dynamically learned address with port security.
show port-security interface interface
Display port security information about the specific interface.
10. How to reset an interface that is disabled due to violation of port security
When an interface is down due to port security violation, we have two options to bring it back. First is
following global configuration mode command
Switch(config)# errdisable recovery cause psecure-violation
This command neither includes in CCNA exam nor available in packet tracer.
Second option is manually restart the interface. Unplugged cable from unauthorized pc and plugged
back it to authorized pc.
Run following commands on switch and test connectivity from pc