Port Security – Layer 2 Security
1. Introduction to Port Security
Port Security is a Layer 2 security feature used on switches to control access to a switch port by restricting the number and type of MAC addresses that can connect.
- Primary Goal: Prevent unauthorized devices from accessing the network.
- Works on: Access ports (commonly), but can also be applied to trunk ports.
- Helps mitigate: MAC flooding attacks, unauthorized device connections, CAM table overflow.
2. Why Port Security?
Without port security, any device can be plugged into a switch port, potentially leading to:
- Unauthorized access to the LAN.
- Attackers injecting malicious traffic.
- CAM table overflow (MAC flooding) – leading to DoS conditions.
Port Security limits or specifies which MAC addresses can use a port, reducing attack surface.
3. Key Concepts
- Secure MAC Address: A MAC address allowed by port security.
- Maximum MAC Addresses: Limit of secure MACs allowed per port.
- Sticky MAC Addressing: Dynamically learns and saves MAC addresses to the running/startup config.
- Violation Modes: Determines switch behavior when unauthorized MACs are detected.
4. Port Security Configuration Steps
Step 1: Enable Port Security
```
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
```
- The port must be explicitly set to access (or trunk) mode first; port security cannot be enabled on a port left in dynamic (DTP) mode.
Step 2: Set the Maximum Number of MAC Addresses
```
Switch(config-if)# switchport port-security maximum 2
```
- Limits the port to 2 MAC addresses.
Step 3: Enable Sticky MAC Learning
```
Switch(config-if)# switchport port-security mac-address sticky
```
- Dynamically learned MACs are converted to sticky secure MACs in the running configuration; save the configuration to keep them across a reload.
Step 4: Configure a Static Secure MAC Address (optional)
```
Switch(config-if)# switchport port-security mac-address 0011.2233.4455
```
- Manually defines a MAC address that is always allowed on the port.
Step 5: Set the Violation Mode
```
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
```
- Selects the action taken when an unauthorized MAC is seen; the default is shutdown (see section 5).
5. Violation Modes in Detail
| Mode | Behavior | Logging/Alert | Port State |
|---|---|---|---|
| Protect | Drops frames from unauthorized MACs silently; no counter increment. | No | Remains up |
| Restrict | Drops frames from unauthorized MACs, generates a syslog message/SNMP trap and increments the violation counter. | Yes | Remains up |
| Shutdown | (Default) Puts the port into the err-disabled state; recovery requires shutdown / no shutdown or errdisable recovery (see section 7). | Yes | Down |
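To make the table concrete, here is an added model (written for this page, not Cisco IOS code) of how a single access port treats incoming frames under each violation mode; the `SecurePort` class, the MAC addresses and the log text are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model of one access port's port-security decision logic.
# Not Cisco IOS code; MAC values and log strings below are constructed.

@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                   # port is down: every frame is dropped
        if src_mac in self.secure_macs:
            return True                    # known secure MAC (static or sticky)
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)  # room left: learn it (sticky/dynamic)
            return True
        # Unknown MAC once the maximum is reached: a security violation.
        if self.violation == "protect":
            return False                   # silent drop, no log, no counter
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"PSECURE: {src_mac} rejected, port stays up")
            return False
        self.err_disabled = True           # shutdown: whole port goes err-disabled
        self.log.append(f"PSECURE: {src_mac} rejected, port err-disabled")
        return False

    def recover(self) -> None:
        """errdisable recovery (or shutdown / no shutdown) brings the port back up."""
        self.err_disabled = False

def run_scenario(mode: str):
    """Two hosts fill a maximum-2 port, a third host appears, then host 1 sends again."""
    port = SecurePort(maximum=2, violation=mode)
    hosts = ("0011.2233.4455", "0011.2233.4466", "dead.beef.0001", "0011.2233.4455")
    forwarded = [port.ingress(mac) for mac in hosts]
    return forwarded, port.violation_count, port.err_disabled, len(port.log)
```

The last frame in the scenario shows the practical difference: under protect and restrict the legitimate host keeps working, while under shutdown it is cut off with everyone else until the port is recovered.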
6. Verification Commands
```
Switch# show port-security interface fa0/1
```
Displays port security configuration and status for one port (violation mode, maximum, secure MAC count, violation count, port status).
```
Switch# show port-security
```
Shows global port security status for all secured ports.
```
Switch# show mac address-table secure
```
Lists the secure MAC addresses.
7. Recovery from Violation (Err-disabled Port)
If a port is placed in the err-disabled state after a violation (default shutdown mode), enable automatic recovery:
```
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 30
```
Or manually bring it back:
```
Switch(config)# interface fa0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
```
8. Real-World Use Cases
- Enterprise networks: Preventing rogue devices from plugging in.
- Campus environments: Ensuring only authorized PCs/students connect.
- Data centers: Restricting servers/NICs from being swapped without permission.
9. Common Interview Questions
- What is Port Security and why is it used?
- Explain the difference between Protect, Restrict, and Shutdown violation modes.
- What is Sticky MAC and why is it useful?
- Can Port Security be applied on trunk ports?
- How do you recover a port in err-disabled state due to a violation?
10. Quick Revision Cheat Sheet
```
🔹 Enable Port Security:
Switch(config-if)# switchport port-security
🔹 Maximum MACs:
Switch(config-if)# switchport port-security maximum 2
🔹 Sticky MAC:
Switch(config-if)# switchport port-security mac-address sticky
🔹 Manual MAC:
Switch(config-if)# switchport port-security mac-address 0011.2233.4455
🔹 Violation Modes:
protect → drops silently
restrict → drops + logs
shutdown → err-disabled (default)
🔹 Verification:
show port-security
show port-security interface fa0/1
show mac address-table secure
```