By default, all interfaces on a Cisco switch are turned on. That means that an attacker could plug a device into any wall socket and potentially threaten your network. If you know which devices will be connected to which ports, you can use the Cisco security feature called port security.

With port security, a network administrator associates specific MAC addresses with an interface, which can prevent an attacker from connecting his device. This way you restrict access to an interface so that only the authorized devices can use it. If an unauthorized device is connected, you decide what action the switch will take, for example discarding the traffic and shutting down the port.
To configure port security, three steps are required:
1. Define the interface as an access interface by using the switchport mode access interface subcommand.
2. Enable port security by using the switchport port-security interface subcommand.
3. Define which MAC addresses are allowed to send frames through this interface, either by using the switchport port-security mac-address MAC_ADDRESS interface subcommand or by using the switchport port-security mac-address sticky interface subcommand to dynamically learn the MAC address of the currently connected host.
Two steps are optional:
1. Define what action the switch will take when it receives a frame from an unauthorized device by using the switchport port-security violation {protect | restrict | shutdown} interface subcommand. All three options discard the traffic from the unauthorized device. The restrict and shutdown options also send a log message when a violation occurs. Shutdown mode additionally shuts down the port.
2. Define the maximum number of MAC addresses that can be used on the port by using the switchport port-security maximum NUMBER interface subcommand.
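The following is an added worked example, not the original notes' own configuration, that walks through the three required steps and both optional steps on a single access port; the interface name FastEthernet0/1, VLAN 10 and the MAC address 0011.2233.4455 are assumed values chosen for illustration.

```cisco
! Added example (not from the original notes). Interface, VLAN and
! MAC address are assumed values for illustration only.
configure terminal
interface FastEthernet0/1
 ! Step 1: port security requires a fixed port mode; an access port
 ! here (a port left in dynamic/DTP mode rejects the feature)
 switchport mode access
 switchport access vlan 10
 ! Step 2: enable port security on this interface
 switchport port-security
 ! Optional step 2: explicitly allow only one MAC address
 ! (1 is also the default, so this line documents the intent)
 switchport port-security maximum 1
 ! Step 3, variant a: statically pin the authorized host's MAC
 switchport port-security mac-address 0011.2233.4455
 ! Step 3, variant b (use instead of a): learn the first MAC seen
 ! and keep it in the running config as a sticky entry. Sticky
 ! entries survive a reload only after the config is saved.
 ! switchport port-security mac-address sticky
 ! Optional step 1: "restrict" drops frames from any other MAC,
 ! increments the violation counter and logs, but leaves the port
 ! up. The default, "shutdown", additionally err-disables the port.
 switchport port-security violation restrict
 exit
end
! Save so static/sticky entries persist across a reload
copy running-config startup-config
! Verification: per-port status, mode, counters and last offending MAC
show port-security interface FastEthernet0/1
! All secure MAC addresses known to the switch, per port and VLAN
show port-security address
! Recovery: with violation mode "shutdown", a violation leaves the
! port err-disabled. Bounce it manually to bring it back up.
configure terminal
interface FastEthernet0/1
 shutdown
 no shutdown
end
```

Choose restrict where you want a violation to be visible in logs and counters without taking the legitimate host offline, and shutdown where an unexpected second MAC should isolate the port until an administrator investigates.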
The following example shows the configuration of port security on a Cisco switch. First, we need to enable port security and define which MAC addresses are allowed to send frames:
Next, by using the show port-security interface fa0/1 command we can see that the switch has learned the MAC address of host A:
By default, the maximum number of allowed MAC addresses is one, so if we connect another host to the same port, a security violation will occur:

A status of „err-disabled“ means that a security violation occurred on the port.

NOTE - to re-enable the port, we need to use the shutdown and no shutdown interface subcommands.