Switches

Port-security

Sometimes people like to bring an extra switch from home to the office and plug it into their wall port. As a result the Cisco switch learns the MAC addresses of both Computer A and Computer B on its FastEthernet 0/1 interface. We want to prevent this from happening: an access port should carry one device, not an unmanaged switch with several devices behind it.


The switchport port-security command enables port-security on the interface. By default only one MAC address is allowed. Once the switch sees another MAC address on the interface, the port is in violation.


The switchport port-security mac-address command defines the MAC address that you want to allow on the interface. Now we'll generate some traffic from another MAC address to cause a violation.


An aging time of 0 mins means the interface will stay in err-disable state forever.

Use show port-security interface to see the port-security details per interface.

To get the interface out of err-disable state you need to type “shutdown” followed by “no shutdown”. Only typing “no shutdown” is not enough!

Instead of typing in the MAC address ourselves we can also make the switch learn a MAC address for port-security. The sticky keyword makes sure that the switch uses the first MAC address it learns on the interface for port-security.

Violation Modes

Protect: Ethernet frames from MAC addresses that are not allowed are dropped, but you won't receive any logging information.

Restrict: Ethernet frames from MAC addresses that are not allowed are dropped, you will see logging information and an SNMP trap is sent.

Shutdown: Ethernet frames from MAC addresses that are not allowed cause the interface to go into err-disable state. You will see logging information and an SNMP trap is sent.
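As an added illustration (not from the slides, and not IOS code), here is a small Python model of the port-security behaviour described above: one allowed MAC address, statically configured versus learned addresses (sticky-learned addresses are kept in the configuration, plain learned ones are not), the three violation modes, and why a port in err-disable state needs shutdown before no shutdown. The MAC addresses used with it are constructed samples.

```python
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"  # violation modes

@dataclass
class SecurePort:
    """Simplified model of one access port with port-security (not IOS code)."""
    maximum: int = 1                  # switchport port-security maximum 1
    violation: str = SHUTDOWN         # switchport port-security violation <mode>
    sticky: bool = False              # switchport port-security mac-address sticky
    static: set = field(default_factory=set)   # MACs typed in by the admin
    learned: set = field(default_factory=set)  # MACs the switch learned itself
    err_disabled: bool = False
    admin_down: bool = False
    log: list = field(default_factory=list)    # syslog / SNMP-trap style messages
    violations: int = 0

    def receive(self, src_mac: str) -> bool:
        """Process one incoming frame; True if forwarded, False if dropped."""
        if self.err_disabled or self.admin_down:
            return False                       # port is down, nothing is forwarded
        allowed = self.static | self.learned
        if src_mac in allowed:
            return True
        if len(allowed) < self.maximum:
            self.learned.add(src_mac)          # first MAC seen fills the free slot
            return True
        self.violations += 1                   # maximum reached, MAC not allowed
        if self.violation == PROTECT:
            return False                       # dropped silently: no log, no trap
        self.log.append(f"PSECURE_VIOLATION {src_mac}")  # restrict and shutdown log
        if self.violation == SHUTDOWN:
            self.err_disabled = True           # stays until shutdown + no shutdown
        return False

    def shutdown(self) -> None:
        self.admin_down, self.err_disabled = True, False

    def no_shutdown(self) -> bool:
        if self.err_disabled:                  # 'no shutdown' alone is not enough
            return False
        self.admin_down = False
        return True

    def running_config(self) -> list:
        """Static MACs are always saved; learned ones only with the sticky keyword."""
        lines = [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:
            lines += [f"switchport port-security mac-address sticky {m}" for m in sorted(self.learned)]
        return lines
```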
