Switch Port Security

You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
A security violation occurs if the maximum number of secure MAC addresses has been added to the address table and a workstation whose MAC address is not in the address table attempts to access the interface.
You can configure the interface for one of these violation modes, based on the action to be taken if a violation occurs:

•Restrict—A port security violation restricts data, causes the SecurityViolation counter to increment, and causes an SNMP Notification to be generated. The rate at which SNMP traps are generated can be controlled by the snmp-server enable traps port-security trap-rate command. The default value ("0") causes an SNMP trap to be generated for every security violation.

•Shutdown—A port security violation causes the interface to shut down immediately. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually reenable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

•Protect—A port security violation causes the port to shut down; nobody can use the port again until an administrator brings it back up, which ensures that somebody is aware of the security breach before anyone uses the port again.

Port Security Guidelines and Restrictions

Follow these guidelines when configuring port security:

•A secure port cannot be a trunk port.

•A secure port cannot be a destination port for Switch Port Analyzer (SPAN).

•A secure port cannot belong to an EtherChannel port-channel interface.

•A secure port and static MAC address configuration are mutually exclusive.

Configuring Port Security

Step1: Switch(config)# interface interface_id

Step2: Switch(config-if)# switchport mode access

Step3: Switch(config-if)# switchport port-security

Step4: Switch(config-if)# switchport port-security maximum value

Step5: Switch(config-if)# switchport port-security violation {restrict | shutdown}

Step6: Switch(config-if)# switchport port-security mac-address mac_address

Step7: Switch(config-if)# switchport port-security mac-address sticky

Step8: Switch# show port-security address interface interface_id

Step9: Switch# show port-security address

Purpose of above steps:
Step1: Enters interface configuration mode for the physical interface to configure, for example fastethernet 3/1.

Step2: Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.

Step3: Enables port security on the interface.

Step4: (Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072; the default is 1.

Step5: Sets the violation mode, the action to be taken when a security violation is detected, as one of these:

•restrict—A port security violation restricts data, causes the SecurityViolation counter to increment, and sends an SNMP trap notification.

•shutdown—The interface is error-disabled when a security violation occurs.

Step6: (Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

Step7: (Optional) Enables sticky learning on the interface.

Step8: Verifies your entries for the specified interface.

Step9: Verifies your entries by displaying the secure MAC addresses of all interfaces.
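The violation modes above and the verification step are what an operator actually watches after port security is configured. The following added example (not from the original page or from Cisco) parses the per-port summary of `show port-security` and flags ports that have recorded a violation or whose secure address table is full; the sample output embedded in SAMPLE_OUTPUT is constructed to match the summary's column layout, not captured from a real switch.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show port-security` summary output (not a real capture).
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              2            2                  3         Restrict
      Fa0/3              1            1                  1         Shutdown
      Fa0/4              3            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 4
Max Addresses limit in System (excluding one mac per port) : 6144
"""

# One data row: port, three integer counters, then the configured violation action.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


@dataclass
class PortSecurityRow:
    port: str
    max_addr: int
    current_addr: int
    violations: int
    action: str


def parse_port_security(output: str) -> list[PortSecurityRow]:
    """Return the per-port rows; header, separator and footer lines do not match ROW_RE."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            port, mx, cur, viol, action = m.groups()
            rows.append(PortSecurityRow(port, int(mx), int(cur), int(viol), action))
    return rows


def audit(rows: list[PortSecurityRow]) -> list[tuple[str, str, str]]:
    """Return (port, severity, message) findings for a defender to follow up on."""
    findings = []
    for r in rows:
        if r.violations > 0 and r.action.lower() == "shutdown":
            findings.append((r.port, "high", "violation recorded in shutdown mode; port is likely err-disabled, investigate before re-enabling"))
        elif r.violations > 0:
            findings.append((r.port, "medium", f"{r.violations} violations in restrict mode; check the SNMP trap log for the offending MAC"))
        if r.current_addr >= r.max_addr:
            findings.append((r.port, "info", "secure address table is full; any additional source MAC triggers a violation"))
    return findings
```

Pipe the real command output into parse_port_security() to run the same audit against a live switch.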