How to configure switchport security
Switches make up most of our LAN architecture, so their access ports are an obvious place to add controls. Here I will show some security measures that can be configured on a switch port.
Steps:
1. Move to the switchport interface where we want to set security
CKSWCH1(config)#interface fastEthernet 0/1
CKSWCH1(config-if)#
2. Next, we turn on port security for the port that will be connected to a PC on the LAN
CKSWCH1(config-if)#switchport mode access
CKSWCH1(config-if)#switchport port-security
Note: "switchport mode access" tells the switch that this port will connect to an end device (a PC) on the LAN rather than to another switch, and "switchport port-security" enables the port-security feature on the port, which we configure further below.
3. Next, suppose we want only one PC to be able to connect through that port, so that if anyone attaches another switch or hub to it, the extra devices will not work.
CKSWCH1(config-if)#switchport port-security maximum 1
Note: "maximum 1" means only one device (one secure MAC address) may use the switchport.
4. Next, what should happen if anyone violates point number 3? There are 3 options:
CKSWCH1(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
protect - silently drops traffic from any other device on the port; only the device whose MAC address is secured (hard-coded or learned, as we will see in a moment) keeps its connectivity
restrict - same as protect, but it also keeps a log of the violation
shutdown - simply shuts the port down (the port goes into the error-disabled state)
I like the shutdown option, so I will use it here.
CKSWCH1(config-if)#switchport port-security violation shutdown
5. Next, we set which device should be allowed to connect to that port. There are two ways: hard-code the MAC address of the device, or let the switch learn it dynamically.
CKSWCH1(config-if)#switchport port-security mac-address ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky
Here we can hard-code the MAC address or make it sticky. Sticky means whichever device connects first, the switch learns its MAC address, and from then on only that device can access the port. Sticky is a good option when we have a lot of PCs on the LAN.
CKSWCH1(config-if)#switchport port-security mac-address sticky
All right, we are all set with the security of the switch port, and we can save it with "copy running-config startup-config".
We can check the fa0/1 configuration in the running-config (note that "maximum 1" and "violation shutdown" are the IOS defaults, so they are not displayed here):
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
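As an added example (not code from the original post), the following Python audits a saved running-config for access ports that lack the port-security settings described above. The sample config is constructed: it repeats the page's Fa0/1 block and adds a hypothetical unprotected Fa0/2 and a trunk Gi0/1.

```python
"""Audit a Cisco IOS running-config for access ports without port-security.
Added example, not from the original post. The sample config is constructed."""
import re
from typing import Dict, List

SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000A.416C.7489
!
interface FastEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def interface_blocks(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the list of its (stripped) sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def find_unprotected_access_ports(config: str) -> Dict[str, List[str]]:
    """Return {interface: [missing commands]} for access ports lacking hardening.
    Trunks are skipped (they carry many MACs by design). 'maximum 1' and
    'violation shutdown' are IOS defaults and never appear in the config,
    so they are not checked here."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in interface_blocks(config).items():
        if "switchport mode access" not in cmds:
            continue
        missing = []
        if "switchport port-security" not in cmds:
            missing.append("switchport port-security")
        if not any(c.startswith("switchport port-security mac-address") for c in cmds):
            missing.append("switchport port-security mac-address sticky")
        if missing:
            findings[name] = missing
    return findings
```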
Now, with all of the above configured, if I plug a PC into the switch port and look at the fastEthernet 0/1 section of "show running-config":
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000A.416C.7489
We see that it learnt the MAC address. Let's also look at the CAM table:
CKSWCH1#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 000a.416c.7489 STATIC Fa0/1
CKSWCH1#
Let's also check the port-security status:
CKSWCH1#show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 00D0.97DE.964A:1
Security Violation Count : 0
CKSWCH1#
Port Status is Secure-up and Violation Mode is Shutdown.
Now let's connect a hub to the port, attach another PC to the hub, and see what happens.
After connecting the hub and a second PC:
CKSWCH1#show port-security interface fastEthernet 0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 00D0.97DE.964A:1
Security Violation Count : 1
CKSWCH1#
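The before/after captures above are exactly what a monitoring script should be watching for. As an added example (not from the original post), this Python parses "show port-security interface" output and turns it into findings; the two samples are constructed from the page's captures.

```python
"""Parse 'show port-security interface' output into alertable findings.
Added example, not from the original post; samples are constructed."""
from typing import Dict, List

BEFORE_VIOLATION = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 00D0.97DE.964A:1
Security Violation Count : 0
"""

# Same port after a hub and a second PC were attached.
AFTER_VIOLATION = BEFORE_VIOLATION.replace(
    "Port Status : Secure-up", "Port Status : Secure-shutdown"
).replace("Security Violation Count : 0", "Security Violation Count : 1")

def parse_port_security(text: str) -> Dict[str, str]:
    """Split each 'Field : Value' line on its last ' : ', so that the
    'Last Source Address:Vlan' field (whose name contains a colon) parses."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.rsplit(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields

def assess(fields: Dict[str, str]) -> List[str]:
    """Return the conditions on one port that an admin or SOC should act on."""
    findings: List[str] = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security is not enabled")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is shut down after a violation; needs shut / no shut")
    violations = int(fields.get("Security Violation Count", "0"))
    if violations:
        findings.append(f"{violations} violation(s); last source "
                        f"{fields.get('Last Source Address:Vlan')}")
    if fields.get("Violation Mode", "").lower() == "protect":
        findings.append("protect mode drops frames silently; restrict or shutdown gives visibility")
    return findings
```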
We see that the Violation Count went up to 1 and the status is Secure-shutdown, which means the switch has disabled the port and no device connected to it can communicate.
To re-enable the port, we go to the interface and bounce it (shut, then no shut):
CKSWCH1(config-if)#shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
CKSWCH1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
CKSWCH1(config-if)#
Now the port is enabled, but still only one PC can communicate via the port; remember that port security is turned on. If the other device is not removed, the port will lock itself up again.
Thus we see that configuring these security measures can be of great help to network admins.
Hope this was helpful. For any doubts or confusion, feel free to leave a comment.
Is there any way to set it up so that the port locks down for some time period and then comes back up securely and automatically? That would be very easy for a network admin to set up securely without logging in to the switch manually. I would appreciate it if you could let me know about this.
Cheers
RPW