Cisco port security is an important feature for most of my customers. Software development companies and BPOs in particular ask for it constantly, because they want to restrict which devices can connect to their network.
Cisco port security limits the devices that can connect to the wired network through a switch. When a device comes up on a switch port, the feature checks its MAC address and verifies whether that device is allowed on the wired network. The wireless equivalent of this feature is MAC address authentication. The number of secure addresses the feature can hold is bounded by the maximum number of MAC addresses the switch platform supports.
When a violation occurs, the switch responds according to its configuration. The config gives you three options: 1. Protect, 2. Restrict and 3. Shutdown. The second and third options also notify administrators via SNMP traps. For those who do not want to walk to each and every workstation and collect MAC addresses, there is an option called "sticky". After the switch has finished learning the MAC addresses, you can disable sticky learning and leave the addresses as dynamically learned secure addresses. If you want a stricter restriction, go for manual static entries. If you also want to remove the dynamically learned addresses, disable port security on the interface completely and re-enable it. Port security supports aging as well: use the aging type "absolute" to keep an address until the specified time limit expires, and the type "inactivity" to keep it until the specified time has passed with no traffic from that address.
Example config for dynamic learning:
LAB1(config)# interface gigabitethernet 0/1
LAB1(config-if)# switchport mode access
LAB1(config-if)# switchport port-security
LAB1(config-if)# switchport port-security maximum 5
LAB1(config-if)# switchport port-security mac-address sticky
For static entries:
Switch(config-if)# switchport port-security mac-address 0123.4567.89AB vlan 21
Issue the "show port-security" command to view and verify the settings for the switch or for a specific interface.
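The violation mode and aging options described above are not shown in the two snippets, so here is an added example (not from the original post) that combines them on one access port. It assumes a lab switch named LAB1, interface gigabitethernet 0/2 and VLAN 21; the values are illustrative.

```cisco
! Assumed lab switch LAB1; interface, VLAN and limits are illustrative.
LAB1(config)# interface gigabitethernet 0/2
LAB1(config-if)# switchport mode access
LAB1(config-if)# switchport access vlan 21
LAB1(config-if)# switchport port-security
! Allow at most two devices (e.g. a workstation behind a desk phone).
LAB1(config-if)# switchport port-security maximum 2
! restrict: drop frames from unknown MACs, count the violation and send
! an SNMP trap / syslog message, but keep the port up (shutdown would
! err-disable the port instead; protect drops silently with no alert).
LAB1(config-if)# switchport port-security violation restrict
! Age a learned address out after 10 minutes with no traffic from it,
! so a moved or replaced device frees its slot without manual cleanup.
LAB1(config-if)# switchport port-security aging time 10
LAB1(config-if)# switchport port-security aging type inactivity
LAB1(config-if)# end
! Verify the mode, the learned addresses and the violation counter.
LAB1# show port-security interface gigabitethernet 0/2
LAB1# show port-security address
! If shutdown mode is used instead, let err-disabled ports recover
! automatically after the default interval rather than requiring a manual
! shutdown/no shutdown on the interface.
LAB1(config)# errdisable recovery cause psecure-violation
```

The "SecurityViolation" count in the show output is the value to watch (or trap on) in monitoring, since restrict mode keeps the port up and the counter is the only visible sign of an unknown device.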
There are some limitations to port security:
- It cannot be configured on an IEEE 802.1X port.
- It cannot be configured on a mirrored (SPAN destination) port.
- It cannot be configured on an EtherChannel port.
- On a trunk port, take care with the violation option: a violation in shutdown mode takes down every VLAN carried on the trunk. It is better not to configure port security on a trunk interface at all.