Enable port security on Cisco switch

Port security reduces the risk of insider attack by limiting each switch port to a specific, known device. Configuring it takes a few simple steps. First, the port must be an access port: port security can only be enabled on access ports, not on trunk ports.

First, check the interface configuration to confirm port security is not already set up:

cisco-sw01#show port-security interface g1/0/10
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

Port security is not enabled on the interface above, port Gi1/0/10.

Run these commands to enable port security (one learned MAC address per port, learned and saved as a sticky entry, with the restrict violation mode):

cisco-sw01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-sw01(config)#interface g1/0/10
cisco-sw01(config-if)#switchport mode access
cisco-sw01(config-if)#switchport port-security
cisco-sw01(config-if)#switchport port-security maximum 1
cisco-sw01(config-if)#switchport port-security mac-address sticky
cisco-sw01(config-if)#switchport port-security violation restrict
cisco-sw01(config-if)#exit

To see the device MAC addresses learned on security-enabled ports, run this command:

cisco-sw01#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------
Vlan    Mac Address       Type              Ports      Remaining Age
                                                          (mins)
----    -----------       ----              -----      -------------
   6    0080.64a8.0fx5    SecureSticky      Gi1/0/10   -
   2    000f.fef3.38x5    SecureSticky      Gi1/0/11   -
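As an added example (not part of the original post), here is a small Python script that parses concatenated "show port-security interface" output in the field layout shown above and flags ports where port security is disabled, more than one MAC address is allowed, or violations have been counted. The sample output and interface names are constructed.

```python
import re

# Constructed sample: two "show port-security interface" blocks pasted
# together, in the field layout shown in the post (not real device output).
SAMPLE = """\
cisco-sw01#show port-security interface g1/0/10
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Security Violation Count : 0
cisco-sw01#show port-security interface g1/0/11
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Maximum MAC Addresses : 1
Security Violation Count : 3
"""

PROMPT = re.compile(r"^\S+#show port-security interface (\S+)$")

def parse_port_security(text):
    """Return {interface: {field: value}} from concatenated show output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            current = ports.setdefault(m.group(1), {})
        elif current is not None and " : " in line:
            key, value = line.split(" : ", 1)  # split on the first " : " only
            current[key.strip()] = value.strip()
    return ports

def audit(ports):
    """Flag ports that miss the post's baseline: port security enabled,
    one MAC per port, and no recorded violations (a simple triage signal)."""
    findings = []
    for name, f in sorted(ports.items()):
        if f.get("Port Security") != "Enabled":
            findings.append((name, "port-security disabled"))
            continue
        if int(f.get("Maximum MAC Addresses", "0")) > 1:
            findings.append((name, "more than one MAC allowed"))
        count = int(f.get("Security Violation Count", "0"))
        if count > 0:
            findings.append((name, f"violations recorded: {count}"))
    return findings
```

Run audit(parse_port_security(text)) over output collected from the switch to list the ports that need attention.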

Publisher: abdirahman isse