[CCNA] Port Security Configuration

In this lab, a hub has been connected to interface Fa0/1 of Switch 1. It is an 8-port hub but only 5 hosts are allowed to connect to it. The administrator wants to ensure that only 5 hosts can connect. PC-1 and PC-2 along with any 3 other hosts can connect to the hub.

Configure port security on Fa0/1 to fulfill this requirement. In case of a violation, the port should not be put into the error-disabled state, but the administrator should be informed.

Port Security

Depending on the action you want a switch to take when a security violation occurs, you can configure the behavior of a switch port to one of the following:

  • Shutdown: this is the default behavior on a switch. In this mode, the switch port shuts down (error-disabled) when a violation occurs. Also, an SNMP trap is sent and the message is logged. You can enable the port again with the no shutdown interface configuration command.
  • Protect: when the maximum number of secure MAC addresses has been reached, packets from devices with unknown source addresses are dropped until you remove the necessary number of secure MAC addresses from the table. In this mode, you are not notified when a security violation occurs.
  • Restrict: identical to protect mode, but notifies you when a security violation occurs. Specifically, an SNMP trap is sent, a syslog message is logged and the violation counter increments.

Configuration on SW1 for this lab:
SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int fa0/1
SW1(config-if)#switchport mode access 
SW1(config-if)#switchport port-security maximum 5
! --- We can also use: switchport port-security mac-address sticky
SW1(config-if)#switchport port-security mac-address 000C.CFC9.45BD
SW1(config-if)#switchport port-security mac-address 0005.5E41.B252
SW1(config-if)#switchport port-security violation restrict 
SW1(config-if)#switchport port-security 

switchport port-security mac-address sticky: configures the port to dynamically learn the MAC address and automatically configure the MAC address as a static MAC address associated with the port.

You can verify the configuration using the show port-security command as shown below:

SW1#show port-security 
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1            5            2               0           Restrict
SW1#show port-security address 
                        Secure Mac Address Table
Vlan    Mac Address     Type                    Ports           Remaining Age
----    -----------     ----                    -----           -------------
1       0005.5E41.B252  SecureConfigured        FastEthernet0/1         -
1       000C.CFC9.45BD  SecureConfigured        FastEthernet0/1         -
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 1024
SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
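As an added check that is not part of the original lab, this Python snippet parses the show port-security interface output above and flags any deviation from the lab's requirements (port security enabled, maximum 5 addresses, violation mode restrict); the SHOW_BAD sample is constructed to show a port left at the IOS defaults.

```python
# Lab requirements: port security on, at most 5 MACs, violation mode restrict
# (notify the admin, do not err-disable the port).
REQUIRED = {"Port Security": "Enabled",
            "Violation Mode": "Restrict",
            "Maximum MAC Addresses": "5"}

# Output copied from the page's "show port-security interface fastEthernet 0/1".
SHOW_OK = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Constructed variant: an interface left at the IOS defaults (max 1, shutdown).
SHOW_BAD = (SHOW_OK.replace("Restrict", "Shutdown")
                   .replace("Maximum MAC Addresses      : 5",
                            "Maximum MAC Addresses      : 1"))


def parse_port_security(text):
    """Turn 'Key : Value' lines into a dict. Keys may contain ':' themselves
    (e.g. 'Last Source Address:Vlan'), so split on the last ' : ' separator."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.rpartition(" : ")
        fields[key.strip()] = value.strip()
    return fields


def audit(text, required=REQUIRED):
    """Return the list of deviations from the required settings (empty = compliant)."""
    fields = parse_port_security(text)
    problems = [f"{key}: expected {want!r}, found {fields.get(key)!r}"
                for key, want in required.items() if fields.get(key) != want]
    # A non-zero counter means an unauthorised host already tried this port.
    if fields.get("Security Violation Count", "0") != "0":
        problems.append("Security Violation Count is non-zero: check the last source MAC")
    return problems
```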


I hope this has been informative for you. Enjoy!

