Overview:
Port security can be used on an interface to identify and limit the MAC addresses of clients that are allowed to access that port.
Study Notes:
- Port security identifies the MAC addresses of clients allowed to forward traffic through an interface
- Port security is applied to access ports
- Port security cannot be applied to a trunk port
- Port security cannot be applied to the destination port for a SPAN port
- Port security cannot be applied to an EtherChannel/Port-Channel interface
- Port security and static MAC configuration are mutually exclusive
- By default:
  - Port security is turned off
  - The maximum number of secure MAC addresses is 1
  - When a violation occurs the port is shut down (placed in err-disabled state)
  - Aging is disabled
  - Aging type is absolute
  - Static aging is disabled
  - Sticky is disabled
- If the number of MAC addresses configured on a port is less than the maximum, the remaining addresses can be learned dynamically
- If a port shuts down, all dynamically learned MAC addresses are removed (static and sticky addresses are kept)
- Sticky learning converts dynamically learned MAC addresses into sticky secure addresses and writes them to the running configuration, so the interface keeps them when it goes down and comes back up; they survive a switch restart only if the running configuration is saved to startup-config
- To recover a port from err-disabled, shut and no shut it, or configure errdisable recovery cause psecure-violation so the switch re-enables it automatically after the recovery interval (300 seconds by default)
- Port-security violation modes:
  | Mode | Behaviour |
  | protect | Drops packets from insecure hosts at the port-security process level; does not increment the security-violation counter and sends no notification, so violations go unnoticed |
  | restrict | Drops packets from insecure hosts at the port-security process level, increments the security-violation counter and sends an SNMP trap and syslog message |
  | shutdown | Places the port in err-disabled state, increments the counter and sends an SNMP trap and syslog message; this is the default, and the port stays down until recovered manually or by errdisable recovery |
Required
Switch(config)#interface f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
The port must be a static access port before port security is enabled: on a port left in the default dynamic (DTP) mode the switchport port-security command is rejected.
Optional
6.1.a Static/6.1.b Dynamic
Set the MAC addresses that are allowed to use the port (dotted-hex format, e.g. 0011.2233.4455). If fewer than the maximum are set, the remaining addresses are learned dynamically. Static entries are part of the running configuration and survive a restart once the configuration is saved.
Switch(config-if)#switchport port-security mac-address <mac_address>
6.1.c Sticky
Enable sticky learning on the interface. Addresses learned afterwards are written to the running configuration as switchport port-security mac-address sticky <mac_address> entries; save the configuration (copy running-config startup-config) to keep them across a reload.
Switch(config-if)#switchport port-security mac-address sticky
6.1.d Maximum MAC Addresses
Set the number of secure MAC addresses (static, sticky and dynamic combined) allowed on this port. The default is 1; the upper limit shown in the range depends on the platform.
Switch(config-if)#switchport port-security maximum <1-3072>
6.1.e Violation Actions
Set the action taken when port security is violated (default: shutdown)
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
6.1.f Err-disabled recovery
When a violation occurs on an interface in shutdown mode (the default), the interface goes err-disabled and stops forwarding. Identify and remove the offending host first, otherwise the port will err-disable again on its next frame, then return it to normal as follows:
Switch#show interface status err-disabled
Switch#show interface f0/1
Switch#config t
Switch(config)#interface f0/1
Switch(config-if)#shut
Switch(config-if)#no shut
Switch(config-if)#Ctrl+Z
Switch#show interface status err-disabled
The shut/no shut also clears the dynamically learned secure addresses on the port; static and sticky entries are kept.
Verification commands
Switch#show port-security
Switch#show port-security interface f0/1
Switch#show port-security address
Switch#show port-security interface f0/1 address
Switch#show interface status err-disabled
The first two show the configured maximum, violation mode, current address count and violation counter per port; the address forms list the secure MAC addresses and their type (static, sticky or dynamic).
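The constraints in the study notes (no port security on trunk, SPAN destination or EtherChannel ports; static MAC entries and port security mutually exclusive; defaults of maximum 1 and violation shutdown) and the configuration commands above can be checked against a saved running-config. The following Python script is an added example, not part of the original page and not a Cisco tool: it parses a constructed running-config excerpt (the SAMPLE_CONFIG string is made up for the example, not captured from a real switch), fills in the IOS defaults for anything not explicitly configured, and reports per-interface findings such as port security on a trunk, a protect-mode port that will never count violations, or an access port with port security left off.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PortSec:
    name: str
    mode: str = "dynamic"        # IOS ports default to dynamic (DTP), not static access
    enabled: bool = False        # port security is off by default
    maximum: int = 1             # default maximum number of secure MACs
    violation: str = "shutdown"  # default violation mode
    sticky: bool = False
    macs: list = field(default_factory=list)  # static and sticky-saved secure MACs


def parse_config(config):
    # Returns (ports, interfaces with a global static MAC entry, SPAN destination interfaces)
    ports, static_mac_ifaces, span_dests, cur = {}, set(), set(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := re.match(r"^interface (\S+)$", line):
            cur = ports[m.group(1)] = PortSec(m.group(1))
            continue
        if m := re.match(r"^mac[- ]address-table static \S+ vlan \d+ interface (\S+)", line):
            static_mac_ifaces.add(m.group(1))
        elif m := re.match(r"^monitor session \d+ destination interface (\S+)", line):
            span_dests.add(m.group(1))
        if not line.startswith(" ") or cur is None:
            cur = None               # "!" or a global command ends the interface block
            continue
        w = line.split()
        if w[:2] == ["switchport", "mode"]:
            cur.mode = w[2]
        elif w == ["switchport", "port-security"]:
            cur.enabled = True
        elif w[:3] == ["switchport", "port-security", "maximum"]:
            cur.maximum = int(w[3])
        elif w[:3] == ["switchport", "port-security", "violation"]:
            cur.violation = w[3]
        elif w[:4] == ["switchport", "port-security", "mac-address", "sticky"]:
            cur.sticky = True
            if len(w) > 4:           # sticky-learned address written into the running-config
                cur.macs.append(w[4])
        elif w[:3] == ["switchport", "port-security", "mac-address"]:
            cur.macs.append(w[3])
    return ports, static_mac_ifaces, span_dests


def audit_port(p, static_mac_ifaces, span_dests):
    blockers = [  # interface types where port security must not be configured at all
        (p.name.lower().startswith(("port-channel", "vlan")), "not supported on EtherChannel or SVI"),
        (p.name in span_dests, "cannot be applied to a SPAN destination port"),
        (p.mode == "trunk", "cannot be applied to a trunk port"),
    ]
    for hit, msg in blockers:
        if hit:
            return ["port-security " + msg] if p.enabled else []
    if not p.enabled:
        return ["no port-security configured (default is off)"]
    f = []
    if p.mode != "access":
        f.append("port-security needs 'switchport mode access' (default mode is dynamic)")
    if p.name in static_mac_ifaces:
        f.append("static MAC entry and port-security are mutually exclusive")
    if p.violation == "protect":
        f.append("violation protect drops silently and never increments the violation counter")
    return f


def audit_config(config):
    ports, static_mac_ifaces, span_dests = parse_config(config)
    return {n: audit_port(p, static_mac_ifaces, span_dests) for n, p in ports.items()}

# Constructed running-config excerpt for this example; not taken from a real switch.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport port-security
!
mac address-table static 0011.2233.cccc vlan 10 interface FastEthernet0/4
monitor session 1 destination interface FastEthernet0/5
"""
if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

Run it against a show running-config saved to a file; interfaces that return an empty list pass. The dataclass defaults encode the study-note defaults, so an interface with only switchport port-security configured is reported with maximum 1 and violation shutdown, and FastEthernet0/1 above has two secure-address slots left for dynamic learning (maximum 3 minus one sticky-saved address).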
PacketTracer Lab: CCNA-6.1-Configure-verify-and-troubleshoot-port-security.pkt