Switch Port Security

Switch port security is a network security feature that restricts access to switch ports based on device MAC addresses. It associates specific MAC addresses with switch interfaces so that only authorized devices can use them. If an unauthorized device connects to a port, the switch can discard traffic, send alerts, or shut down the port based on configured actions. The document provides instructions on configuring port security on switch interfaces in Packet Tracer to restrict access and trigger shutdown of ports upon connection of unauthorized devices.


Faculty of Computer Sciences and Informatics

Department of Cybersecurity

Switch Port Security


Network Monitoring and documentation
Dr. Mohammad Alshinwan
20212
Switch Port Security
• Switch port security is a network security feature that associates
specific MAC addresses of devices (such as PCs) with specific
interfaces on a switch.
• This will enable you to restrict access to a given switch interface so
that only the authorized devices can use it.
• If an unauthorized device is connected to the same port, you can
define the action that the switch will take, such as discarding the
traffic, sending an alert, or shutting down the port.
Switch Port Security
• Understanding How Port Security Works
• You can use port security to block input to an Ethernet, Fast Ethernet,
or Gigabit Ethernet port when the MAC address of the station
attempting to access the port is different from any of the MAC
addresses that are specified for that port.
• Alternatively, you can use port security to filter traffic that is destined
to or received from a specific host that is based on the host MAC
address.
Allowing Traffic Based on the Host MAC Address
The total number of MAC addresses that can be specified per port is limited to the
global resource of 1024 plus 1 default MAC address. That is, the total number of MAC
addresses on any port cannot exceed 1025.
The maximum number of MAC addresses that you can allocate for each port depends
on your network configuration. The following combinations are valid allocations:

• 1025 (1 + 1024) addresses on one port and 1 address each on the rest of the ports

• 513 (1 + 512) each on two ports in a system and 1 address each on the rest of the ports

• 901 (1 + 900) on one port, 101 (1 + 100) on another port, 25 (1 + 24) on a third port, and 1
address on each of the rest of the ports
Allowing Traffic Based on the Host MAC Address
• After you allocate the maximum number of MAC addresses on a port, you can either specify
the secure MAC address for the port manually or have the port dynamically configure the MAC
address of the connected devices.
• Out of a maximum allocated number of MAC addresses on a port, you can manually configure
all, allow all to be autoconfigured, or configure some manually and allow the rest to be
autoconfigured.
• Once you manually configure or autoconfigure the addresses, they are stored in nonvolatile
RAM (NVRAM) and are maintained after a reset.
• When you manually change the maximum number of MAC addresses that are associated to a
port greater than the default value and then manually enter the authorized MAC addresses,
any remaining MAC addresses are automatically configured. For example, if you configure the
port security for a port to have a maximum of ten MAC addresses but add only two MAC
addresses, the next eight new source MAC addresses that are received on that port are added
to the secured MAC address list for the port.
Allowing Traffic Based on the Host MAC Address
• After you allocate a maximum number of MAC addresses on a port, you
can also specify how long the addresses on the port will remain secure.
After the age time expires, the MAC addresses on the port become
insecure. By default, all addresses on a port are secured permanently.
• If a security violation occurs, you can configure the port to go either into
shutdown mode or restrictive mode. The shutdown mode option allows
you to specify whether the port is to be permanently disabled or
disabled for only a specified time. The default is for the port to shut
down permanently. The restrictive mode allows you to configure the
port to remain enabled during a security violation and drop only packets
that are coming in from insecure hosts.
Allowing Traffic Based on the Host MAC Address
• When a secure port receives a packet, the source MAC address of the packet is
compared to the list of secure source addresses that were manually configured
or autoconfigured (learned) on the port. If a MAC address of a device that is
attached to the port differs from the list of secure addresses, the port either
shuts down permanently (default mode), shuts down for the time that you
have specified, or drops incoming packets from the insecure host.
• The behavior of a port depends on how you configure it to respond to a
security violation. If a security violation occurs, the LED labeled Link for that
port turns orange, and a link-down trap is sent to the Simple Network
Management Protocol (SNMP) manager. An SNMP trap is not sent if you
configure the port for restrictive violation mode. A trap is sent only if you
configure the port to shut down during a security violation.
Restricting Traffic Based on the Host MAC Address

• You can filter traffic based on a host MAC address, so that packets
tagged with a specific source MAC address are discarded. When you
specify a MAC address filter with the set cam filter command,
incoming traffic from that host MAC address is dropped, and packets
that are addressed to that host are not forwarded. You cannot filter
traffic for multicast addresses with this command.
Blocking Unicast Flood Packets on Secure Ports
• You can block unicast flood packets on a secure Ethernet port by
disabling the unicast flood feature. If you disable unicast flood on a
port, the port will drop unicast flood packets when the port reaches
the allowed maximum number of MAC addresses.
• The port automatically restarts unicast flood packet learning when
the number of MAC addresses drops below the maximum number
that is allowed. The learned MAC address count decreases when a
configured MAC address is removed or a time-to-live (TTL) counter
expires.
Port Security Configuration Guidelines
Configure port security in Packet Tracer.

PC1 connects to fa0/1 and PC2 to fa0/2 of the switch.

Configure port security in Packet Tracer.
• Now configure switch port security on switch interfaces.
• We’ll configure port security on interfaces fa0/1 and fa0/2. To do this,
we’ll:
• Configure the port as an access port
• Enable port security
• Define which MAC addresses are allowed to send frames through this
interface.
Configure port security in Packet Tracer.
• Here are the commands:

• Switch(config)#int fa0/1
• Switch(config-if)#switchport mode access
• Switch(config-if)#switchport port-security
• Switch(config-if)#switchport port-security mac-address sticky

The sticky keyword instructs the switch to dynamically learn the MAC address
of the currently connected host.
Configure port security in Packet Tracer.
• Defining the action that the switch will take when a frame from an
unauthorized device is received. This is done using the switchport
port-security violation {protect | restrict | shutdown} interface command. All
three options discard the traffic from the unauthorized device.
• Defining the maximum number of MAC addresses that can be received
on the port using the switchport port-security maximum NUMBER
interface submode command.
• Let’s add the above 2 commands to our configuration:

• Switch(config-if)#switchport port-security violation shutdown
• Switch(config-if)#switchport port-security maximum 1
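As an added example (not code from the original slides), the following Python model captures the behaviour described in the "Allowing Traffic Based on the Host MAC Address" slides and by the violation keyword above: a per-port maximum, addresses configured manually or learned dynamically (sticky) until the maximum is reached, and the protect, restrict and shutdown actions. The class and method names are assumptions chosen for this illustration; the detail that protect drops silently while restrict and shutdown count and log the violation follows Cisco IOS behaviour, and the log message text is constructed, not the real IOS syslog line.

```python
"""Model of a secure switch port (illustrative; not the slides' own code)."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # violation {protect | restrict | shutdown}
    static: set = field(default_factory=set)   # manually configured addresses
    sticky: set = field(default_factory=set)   # learned via mac-address sticky
    status: str = "Secure-up"
    violation_count: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.static = {m.lower() for m in self.static}
        if len(self.static) > self.maximum:
            raise ValueError("more static addresses than the configured maximum")

    @property
    def secure_addresses(self) -> set:
        return self.static | self.sticky

    def receive(self, src_mac: str) -> bool:
        """Handle one incoming frame; True = forwarded, False = dropped."""
        mac = src_mac.lower()
        if self.status == "Secure-shutdown":
            return False                    # a shut-down port passes nothing
        if mac in self.secure_addresses:
            return True
        # Unknown source with room left below the maximum: learn it. This is
        # the slides' "maximum ten, two configured, next eight learned" case.
        if len(self.secure_addresses) < self.maximum:
            self.sticky.add(mac)
            return True
        return self._violate(mac)

    def _violate(self, mac: str) -> bool:
        if self.violation == "protect":
            return False                    # dropped: no counter, no notification
        self.violation_count += 1
        # Constructed message; the real IOS syslog text differs.
        self.log.append(f"port-security violation on {self.name} by {mac}")
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"  # stays down until reset
        return False

    def recover(self) -> None:
        """Equivalent of 'shutdown' then 'no shutdown' on the interface."""
        self.status = "Secure-up"


if __name__ == "__main__":
    # Same scenario as the slides: PC1 is learned, a second PC then violates.
    fa01 = SecurePort("fa0/1", maximum=1, violation="shutdown")
    fa01.receive("0001.4200.aaaa")          # constructed MAC for PC1
    print("new PC forwarded:", fa01.receive("0001.4200.bbbb"), "status:", fa01.status)
```

Note that while the port is in Secure-shutdown even the authorized host is blocked, which is why the slides' recovery procedure swaps the cable back before issuing shutdown / no shutdown.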
Configure port security in Packet Tracer.
• In a similar way to switch interface fa0/1, configure switch port
security for fa0/2 connected to PC2:

• Switch(config)#interface fa0/2
• Switch(config-if)#switchport mode access
• Switch(config-if)#switchport port-security
• Switch(config-if)#switchport port-security mac-address sticky
• Switch(config-if)#switchport port-security violation shutdown
• Switch(config-if)#switchport port-security maximum 1
Configure port security in Packet Tracer.
• Here, we define a range of interfaces on which we want to configure
port security, then configure port security for all the specified
interfaces at once instead of one interface at a time.
• The interface range command can save you a great deal of work compared
with individual configurations when configuring port security for
many switch interfaces, say, 24 ports on a switch.
Configure port security in Packet Tracer.
• We’ll verify port security configurations on interfaces fa0/1 and fa0/2
• To verify if the switch has learnt the MAC address of PC1, you can use
the command:
• show port-security interface fa0/1 (Verify that the switch has learnt
the MAC address of PC1)
Configure port security in Packet Tracer.
• You may also use the command:
• show port-security address

• Try also pinging PC2 from PC1. The ping should succeed here since
switch port security has not been violated.
The case of Port Security Violation
• Now connect a different PC to fa0/1 in place of PC1. See the effect
of doing this:

• Notice that fa0/1 shuts down upon connecting the new PC, as indicated by
the red LED.
• This is because the switch had already associated fa0/1 with the MAC address
of PC1 and the maximum number of MAC addresses that we defined for this
port is 1. So attaching the new PC to fa0/1 violates the port security rules that
we set and, as a result, the interface shuts down.
The case of Port Security Violation
• You can verify this further by using the command we used before: show port-security
interface fa0/1

• Verify from the above that the port status is now Secure-shutdown upon violation of port
security.
• Further, a ping from the new PC to PC2 will definitely fail because the switch cannot
forward a frame via an interface that is shut down.
How to Reset an interface that has been shut down due to Violation of Port Security:
• One of the options on the table is to manually restart the shut-down
interface (fa0/1 in our case here). Unplug the cable from the unauthorized
PC (new PC) and plug it back into the authorized PC (PC1).
• Then run the following commands on the switch and test connectivity from
the authorized PC (PC1):
• Switch(config)#interface fa0/1
• Switch(config-if)#shutdown
• Switch(config-if)#no shutdown
How to Reset an interface that has been shut down due to Violation of Port Security:
• Now the interface fa0/1 should change status to up.
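As an added example (not part of the slides), the script below parses the output of show port-security interface for several ports, picks out the ones whose Port Status is Secure-shutdown, and emits the manual reset sequence from the slides for each. The two sample outputs are constructed for this example, modelled on the "Key : Value" layout Cisco IOS uses for that command; the interface names, MAC addresses and counters in them are invented, and the function names are assumptions.

```python
"""Find ports shut down by a port-security violation from 'show' output."""

# Constructed sample output: fa0/1 after the violation, fa0/2 still healthy.
SAMPLE_OUTPUT = {
    "fa0/1": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.4200.AAAA:1
Security Violation Count   : 1
""",
    "fa0/2": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.4200.BBBB:1
Security Violation Count   : 0
""",
}


def parse_port_security(text: str) -> dict:
    """Turn the 'Key : Value' lines into a dict; purely numeric values become ints.

    Splitting on the padded ' : ' keeps keys such as 'Last Source Address:Vlan'
    and values such as '0001.4200.AAAA:1' intact despite their own colons.
    """
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        key, value = key.strip(), value.strip()
        fields[key] = int(value) if value.isdigit() else value
    return fields


def ports_to_recover(outputs: dict) -> list:
    """Names of ports whose status is Secure-shutdown, in input order."""
    return [
        name for name, text in outputs.items()
        if parse_port_security(text).get("Port Status") == "Secure-shutdown"
    ]


def recovery_commands(port: str) -> list:
    """The manual reset from the slides, to run after the authorized PC is plugged back in."""
    return [f"interface {port}", "shutdown", "no shutdown"]


if __name__ == "__main__":
    for port in ports_to_recover(SAMPLE_OUTPUT):
        info = parse_port_security(SAMPLE_OUTPUT[port])
        print(f"{port}: {info['Security Violation Count']} violation(s), "
              f"last source {info['Last Source Address:Vlan']}")
        print("  " + "\n  ".join(recovery_commands(port)))
```

In practice the outputs would come from the switch (Packet Tracer's CLI or a real device) rather than the embedded samples; the Last Source Address field tells you which MAC address triggered the violation before you reset the port.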
