
Switchport Port Security Explained With Examples

Port security adds an additional layer of security to a LAN by tying a switch port to a known MAC address or set of
addresses. In this article we explain port security with examples: we show how a switch locks down its ports based on
MAC address to prevent unauthorized access, and we use the Packet Tracer network simulator for the demonstration.

Port Security
Without port security, anyone can reach network resources by simply plugging a host into an unused switch port, and a
user can move to a different port in the LAN without telling the administrator. Port security lets you control layer
two access and keep users on the ports assigned to them, which improves LAN security.
Create a simple topology as illustrated in the following figure: a switch with PC0, PC1 and Server0 connected to it.

Click PC0, then Desktop, then IP Configuration, select Static and assign the IP address 10.0.0.10 with subnet mask
255.0.0.0.

Follow the same process to assign IP address 10.0.0.20 and subnet mask 255.0.0.0 to PC1.
Click Server0, then Desktop, then IP Configuration, select Static and assign IP address 10.0.0.100 with subnet mask
255.0.0.0.

That is all the initial configuration we need to demonstrate port security.

How to configure port security


To configure port security we need the command line of the switch. Click Switch, click CLI and press Enter.

Port security is configured from interface configuration mode. Use the enable command to move to privileged exec mode,
configure terminal to enter global configuration mode, and then enter the specific interface.
Port security cannot be enabled on three types of port:

1. Ports in dynamic mode (the DTP default, which lets the port negotiate itself into a trunk)
2. EtherChannel member ports
3. Switch Port Analyzer (SPAN) destination ports

Port security works on host ports, so before enabling it we set the port as a static access port with the switchport
mode access command. If you try to enable port security on a port that is still in dynamic mode, the switch refuses
with "Command rejected: <interface> is a dynamic port." Statically configured trunk ports can also be secured with port
security on most platforms, but that is beyond the scope of this article and is covered in the CCNP section.
The following figure illustrates the commands available for port security; each is described below.

How to enable switchport port-security


Port security is disabled by default. The switchport port-security command enables it on the interface.

switchport port-security maximum: limit the number of hosts


According to our requirements we can limit how many MAC addresses can be associated with an interface. On the Packet
Tracer 2960 used here the limit can be set anywhere from 1 to 132; on real hardware the upper bound depends on the
platform. By default it is 1. The switchport port-security maximum value command sets the maximum number of hosts.

switchport port-security mac-address


There are three kinds of secure MAC address an interface can hold.
Static: we manually define the exact host MAC address with the switchport port-security mac-address MAC_address
command. This is the most secure method, but it means entering every MAC address by hand, which is a tedious job on a
large network.
Dynamic: with port security enabled and no mac-address command, the interface learns source addresses from incoming
frames until it reaches the maximum. These addresses live only in the MAC address table and are lost when the switch
reloads.
Sticky: the switchport port-security mac-address sticky command makes the interface learn addresses automatically, as
in dynamic mode, but adds them to the running configuration as static entries. Save the configuration and they survive
a reload.

switchport port-security violation


We need to specify what action the switch takes on a security violation, that is, when a frame arrives from a MAC
address that is not allowed on the port once the maximum has been reached. Three modes are available:
Protect: frames from non-allowed addresses are dropped and the interface stays operational. No log entry is made and
the violation counter is not incremented, so this is the quietest mode, which also means an operator gets no signal
that frames are being dropped.
Restrict: frames from non-allowed addresses are dropped and the interface stays operational, but the switch logs the
event, sends an SNMP trap and increments the violation counter.
Shutdown: the switch logs the event, increments the counter and puts the port into the err-disabled state, which drops
all traffic, including traffic from the authorized host. The port stays down until an administrator enters shutdown
followed by no shutdown on it, or until errdisable recovery brings it back. This is the default violation mode.
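To make the differences between the address types and the three violation modes concrete, here is an added Python model (example code written for this article, not Cisco code and not something the switch runs) that replays the article's test for each mode: the authorized PC sends first and is learned, a second PC on the same port sends, the first PC is plugged back in, and finally the operator resets the port. It also shows which learned addresses survive a reload with and without sticky. The MAC addresses and the syslog-style message text are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """State of one secured switch port, following the rules described above."""
    name: str
    maximum: int = 1                 # switchport port-security maximum <n> (default 1)
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    sticky: bool = False             # switchport port-security mac-address sticky
    static: set = field(default_factory=set)      # switchport port-security mac-address <mac>
    learned: dict = field(default_factory=dict)   # mac -> "sticky" or "dynamic"
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)       # messages the switch would log

    def allowed(self):
        """Secure addresses currently bound to the port (static + learned)."""
        return self.static | set(self.learned)

    def receive(self, src_mac):
        """Process one ingress frame; return True if forwarded, False if dropped."""
        if self.err_disabled:
            return False                          # port is down, nothing passes
        if src_mac in self.allowed():
            return True
        if len(self.allowed()) < self.maximum:
            # Room left: learn the source. Sticky entries go to the running-config;
            # dynamic ones live only in the MAC table.
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        return self._violate(src_mac)

    def _violate(self, src_mac):
        """Apply the configured violation action to a non-allowed source."""
        if self.violation == "protect":
            return False                          # silent drop: no log, no counter
        self.violation_count += 1
        self.log.append(f"%PORT_SECURITY: violation on {self.name} from {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True              # stays down until shutdown / no shutdown
        return False

    def reload(self):
        """Simulate a switch reload: dynamic secure addresses vanish, sticky ones persist."""
        self.learned = {m: t for m, t in self.learned.items() if t == "sticky"}

    def reset(self):
        """Equivalent to 'shutdown' followed by 'no shutdown' on the interface."""
        self.err_disabled = False


PC0 = "0001.4200.0a10"   # constructed MAC for the authorized PC
PC1 = "0001.4200.0a20"   # constructed MAC for the intruder's PC


def intruder_demo(mode):
    """Replay the article's test (PC0 learned, PC1 on the same port) for one violation mode."""
    port = SecurePort("Fa0/1", maximum=1, violation=mode, sticky=True)
    pc0_first = port.receive(PC0)       # PC0 pings the server: address learned (sticky)
    pc1 = port.receive(PC1)             # cable moved to PC1: violation
    pc0_again = port.receive(PC0)       # PC0 plugged back: fails only if err-disabled
    was_err_disabled = port.err_disabled
    port.reset()                        # operator runs shutdown / no shutdown
    pc0_after_reset = port.receive(PC0)
    return {
        "pc0_first": pc0_first, "pc1": pc1, "pc0_again": pc0_again,
        "pc0_after_reset": pc0_after_reset, "violations": port.violation_count,
        "err_disabled": was_err_disabled, "logged": len(port.log),
    }


def reload_demo(sticky):
    """Return the addresses still secured on the port after a reload."""
    port = SecurePort("Fa0/2", sticky=sticky)
    port.receive(PC0)
    port.reload()
    return sorted(port.allowed())


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(f"{mode:9}", intruder_demo(mode))
    print("dynamic after reload:", reload_demo(False))
    print("sticky  after reload:", reload_demo(True))
```

Running it shows the trade-off the modes embody: protect and restrict keep the authorized host working and differ only in whether the drop is counted and logged, while shutdown also cuts off the authorized host until someone resets the port, which is the behaviour the test later in this article relies on.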

switchport port-security example


In our topology PC0 is connected to port F0/1 of the switch. Enter the following commands to secure F0/1.

Command
    Description

Switch>enable
    Move to privileged exec mode

Switch#configure terminal
    Move to global configuration mode

Switch(config)#interface fastethernet 0/1
    Move to interface configuration mode

Switch(config-if)#switchport mode access
    Set the port as a host (access) port

Switch(config-if)#switchport port-security
    Enable the port security feature on this port

Switch(config-if)#switchport port-security maximum 1
    Set the limit for hosts that can be associated with the interface.
    The default value is 1; skip this command to use the default.

Switch(config-if)#switchport port-security violation shutdown
    Set the security violation mode. The default mode is shutdown;
    skip this command to use the default.

Switch(config-if)#switchport port-security mac-address sticky
    Enable the sticky feature.

We have successfully secured port F0/1 of the switch. Because we used sticky learning, the switch will associate the
first MAC address it sees on F0/1 with the port. You can check the MAC address table for the currently associated
address with the show mac-address-table command.

So far no MAC address is associated with F0/1, because the switch learns MAC addresses from incoming frames and none
have arrived on the port yet. See the following article to learn how a switch learns MAC addresses and builds its MAC
address table.

Switching Methods and Types Explained in Computer Networks


We need to generate a frame from PC0 that arrives on port F0/1 of the switch. The ping command tests connectivity
between two hosts, and in our scenario the PC and the server are already connected, so we can use it to generate frames
from PC0.
To open the command prompt of PC0, click PC0, click the Desktop tab and click Command Prompt.
Ping the server (10.0.0.100) to generate frames.

Now check the MAC address table on the switch again.

One interesting thing you may notice is the type column. The switch learned this address dynamically, yet it is shown
as STATIC. This is the effect of the sticky option we used with the port-security command: a sticky-learned address is
converted into a static secure address and written to the running configuration, where it appears under the interface
as switchport port-security mac-address sticky followed by the MAC address.

Switchport port security testing


Our topology has one additional PC. Assume this is the attacker's PC. To gain unauthorized access to the network he
unplugs the Ethernet cable from the authorized PC (PC0) and plugs it into his own PC (PC1).

Click the red X button in the right-hand pane of the Packet Tracer window and place the X over the connection between
Switch and PC0. This removes the connection.
Click the lightning bolt button in the bottom left-hand corner and choose the copper straight-through connection.
Click PC1 and select its FastEthernet port, then click Switch and select the same F0/1 port.
From the command prompt of PC1, ping the server IP.

What happened this time? Why did the ping get no response from the server? Because the switch saw a frame from a MAC
address other than the one sticky-learned on F0/1, counted it as a violation and, in the default shutdown mode, put the
port into the err-disabled state; the port's link light turns red in Packet Tracer.

Verify port security


There are three commands to verify port security.

show port-security
    Displays a summary of port security for every interface on the switch: the maximum and current address counts,
    the violation count and the configured action.

show port-security address
    Displays the statically defined or dynamically learned secure addresses, with the port and VLAN each belongs to.

show port-security interface <interface>
    Displays port security details for the specified interface, including Port Status (Secure-up, or Secure-shutdown
    after a violation), the violation mode, the address counters and the last source address seen on the port.
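When many ports are secured, reading the verification output by hand does not scale. The following Python is an added example (not code from the article or from Cisco) that parses captured show port-security interface output and flags what an operator cares about: ports that are err-disabled after a violation and the source that tripped them, restrict-mode ports that are dropping frames while still forwarding, protect-mode ports whose counter can never reveal drops, and ports whose address table is full. The sample outputs are constructed to follow the field layout of the command on a Catalyst 2960 (the aging-type fields are left out); the interface names, counters and MAC addresses are made up.

```python
# Constructed samples of 'show port-security interface <if>' output, one per port.
SAMPLES = {
    "Fa0/1": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.4200.0A20:1
Security Violation Count   : 1
""",
    "Fa0/2": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0001.4200.0A30:1
Security Violation Count   : 4
""",
    "Fa0/3": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.4200.0A40:1
Security Violation Count   : 0
""",
}


def parse_interface(text):
    """Turn the key/value lines of the command output into a dict."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        # Split on ' : ' rather than ':' because the key 'Last Source Address:Vlan'
        # and its value 'xxxx.xxxx.xxxx:<vlan>' both contain a bare colon.
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def assess(fields):
    """Return a list of (code, detail) findings for one parsed interface."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        return [("NOT_SECURED", None)]
    mode = fields["Violation Mode"].lower()
    count = int(fields["Security Violation Count"])
    total = int(fields["Total MAC Addresses"])
    maximum = int(fields["Maximum MAC Addresses"])
    if fields["Port Status"] == "Secure-shutdown":
        # err-disabled: the last source address is the one to go and find
        findings.append(("ERR_DISABLED", fields["Last Source Address:Vlan"]))
    elif count:
        # restrict mode keeps forwarding for allowed hosts but counts the drops
        findings.append(("VIOLATIONS", count))
    if mode == "protect":
        # protect never increments the counter, so a zero count proves nothing
        findings.append(("PROTECT_BLIND", None))
    if total >= maximum:
        findings.append(("LIMIT_REACHED", f"{total}/{maximum}"))
    return findings


def assess_all(outputs):
    """Map interface name -> findings for a dict of captured command outputs."""
    return {name: assess(parse_interface(text)) for name, text in outputs.items()}


if __name__ == "__main__":
    for port, found in assess_all(SAMPLES).items():
        print(port, found or "ok")
```

In practice the outputs would come from the switch over SSH or from a configuration-backup job; the parsing and the checks do not change. Port Status is used rather than the violation counter to decide whether a port is err-disabled, because the counter keeps its value after the port is recovered.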

How to reset an interface that is disabled due to violation of port security


When an interface is down because of a port security violation, there are two ways to bring it back. The first is the
following global configuration command, which makes the switch re-enable err-disabled ports automatically after a
timer expires (300 seconds by default, adjustable with errdisable recovery interval):
Switch(config)# errdisable recovery cause psecure-violation
This command is not part of the CCNA exam and is not available in Packet Tracer.
The second option is to restart the interface manually. First unplug the cable from the unauthorized PC and plug it
back into the authorized PC; otherwise the port will be disabled again as soon as the intruder's next frame arrives.
Then enter the interface, run shutdown followed by no shutdown, and test connectivity from the PC.

That's all for this article.
