Home
Secure Network using Cisco Port Security, Part 2: Configuration

Secure Network using Cisco Port Security, Part 2: Configuration

January 23, 2009 Networking 2 Comments
This entry is part 2 of 2 in the series Secure Network using Cisco Port Security

Secure Network using Cisco Port Security

From the previous, you know basic concept about Port Security. Now let’s see it in the real action.

Step-by-step for configuration port security

  1. Telnet to the switch. 
    c:\telnet 10.0.0.1
  2. Enter configuration mode. 
    switch#config t
  3. Enter interface configuration mode. I’m going to enable port security on the first interface (GigabitEthernet 0/1). 
    switch(config)#interface GigabitEthernet 0/1
  4. Sets the interface mode as access. 
    switch(config-if)#switchport mode access
  5. Enables port security on this interface. When you’ve enabled port security, all the connection on the interface 
    switch(config-if)#switchport port-security

    Note:When you’ve enabled port security, all connections on this interface will be resetted so don’t try to enable on a working interface.

  6. Set the maximum number of secure MAC Addresses on the interface to 2. Some interfaces may have more than a device connected to. Default is 1. 
    switch(config-if)#switchport port-security maximum 2
  7. Set the violation mode to restrict. For more information about violation mode, see Port Security Options section above. 
    switch(config-if)#switchport port-security violation restrict
  8. If there is any device connected to this interface, the switch will learn and insert into Secure Mac Address Table. This is Dynamic secure MAC Addresses. These MAC Addresses will be removed if the port shut down or the switch restarts.
    To view the current Secure Mac Address Table, exit the configuration mode and enters the command below.

    switch(config-if)#exit
switch(config)#exit
switch#show port-security interface GigabitEthernet 0/1 address

    Note: If the port shuts down, all dynamically learned addresses are removed.
    You’ll see the figure as below. This example has 2 PCs connect to the interface so there are 2 MAC Addresses on the table. It may takes some time for the switch to learn MAC Addresses.
    Secure Mac Address Table

  9. After the interface has reached the maximum number of secure MAC Addresses. In this example is 2. No more devices can access the network’s resource anymore. To check if there is any violation on the interface, type the command below. 
    switch#show port-security interface GigabitEthernet 0/1

    In this example, I have connected a third device to the interface so you’ll see the last line Security Violation Count. If this value is more than 0, then there is a violation occur on the interface.
    Port Security Detail

  10. If you want MAC Addresses to be deleted after a period of time from the Secure Mac Addresses Table, you’ll have to set aging of the interface. In this example, I’m going to set to delete a MAC Address after no activity of the device for 5 minutes. 
    switch#conf t
switch(config)#interface GigabitEthernet 0/1
switch(config-if)#switchport port-security aging type inactivity
switch(config-if)#swtichport port-security aging time 5
  11. View Secure Mac Address Table again. You’ll the Remaining Age is change to 5 (I) which I indicates inactivity type of aging. So if there is an inactivity device for 5 minutes, the MAC Address of the device will be removed from the Secure Mac Address Table.
    Inactivity Aging
  12. You can add a Static secure MAC Address by type the command below. 
    switch#conf t
switch(config)#interface GigabitEthernet 0/1
switch(config-if)#switchport port-security mac-address 000C.29E9.F24A
  13. To enable sticky learning, type the command below. 
    switch(config-if)#switchport port-security mac-address sticky

    When you’ve enabled sticky learning, it converts the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration automatically.
    Sticky Learning

  14. Now when you want to add a new device to the interface, you only have 2 options: delete one sticky secure MAC Address or increase maximum allowed secure MAC Addresses.
    To delete one sticky secure MAC Address,

    switch(config-if)#no switchport port-security mac-address sticky 000c.29e9.f24a

    To increase maximum allowed secure MAC Addresses

    switch(config-if)#no switchport port-security maximum 3
  15. Next, to disable sticky learning. 
    switch(config-if)#no switchport port-security mac-address sticky
  16. To disable port security 
    switch(config-if)#no switchport port-security

Summary

Port Security can protect network from unauthorized access efficiency (if it is applied properly). But it requires some work for administrator. For example, add/remove secure MAC Addresses in sticky secure MAC Address type. There is also another way to implement Network Access Control by implement IEEE 802.1X which authenticate through RADIUS server.

Series Navigation<< Secure Network using Cisco Port Security, Part 1: Concept

Related Posts

2 Comments

  1. Bruce April 10, 2009

    Thanks….

  2. Stef Nighthawk August 11, 2009

    Beware; on our network we’ve discovered a bug with port-security. When enabled it takes 3 seconds between putting the MAC-address in the mac address-table and forwarding the first packet.

Leave a Reply