Port security is a crucial Layer 2 security feature implemented on Cisco switches that helps protect network infrastructure from unauthorized access and various attacks. This feature restricts input to an interface by limiting and identifying the MAC addresses of devices permitted to access the port.
The primary purpose of port security is to control which devices can connect to switch ports, preventing unauthorized users from plugging into network jacks and gaining access to corporate resources. When enabled, the switch learns and stores MAC addresses associated with each secure port.
There are three methods for learning MAC addresses: Static secure MAC addresses are manually configured and stored in the address table and running configuration. Dynamic secure MAC addresses are learned during operation but removed when the switch restarts. Sticky secure MAC addresses combine both approaches, allowing dynamically learned addresses to be saved to the running configuration.
Administrators can configure the maximum number of MAC addresses allowed per port, with the default being one. This prevents attackers from connecting switches or hubs to extend network access to multiple unauthorized devices.
When a security violation occurs, such as when the maximum MAC address count is exceeded or an unknown MAC address attempts to communicate, the switch responds according to the configured violation mode. Protect mode silently drops frames from unknown source MACs while continuing to forward traffic from secure addresses. Restrict mode also drops violating traffic but additionally generates syslog messages and SNMP traps. Shutdown mode, the default, places the port in an error-disabled state, requiring administrative intervention to restore it.
Port security also helps mitigate MAC flooding attacks, in which an attacker attempts to overflow the switch's MAC address table and force it into hub-like behavior, potentially exposing traffic to sniffing.
Implementing port security is considered a network security best practice, particularly on access layer switches where end-user devices connect, forming an essential component of defense-in-depth strategies.
Port Security: Complete Guide for CCNA Exam
Why Port Security is Important
Port security is a critical Layer 2 security feature that protects your network from unauthorized access. In enterprise environments, attackers can potentially connect rogue devices to open switch ports, launch MAC flooding attacks, or attempt to steal sensitive data. Port security prevents these threats by controlling which devices can communicate through specific switch ports, making it an essential topic for network administrators and a frequently tested concept on the CCNA exam.
What is Port Security?
Port security is a Cisco switch feature that restricts input to an interface by limiting and identifying the MAC addresses of devices allowed to access the port. When enabled, the switch monitors the source MAC addresses of frames entering the port and takes action if an unauthorized device attempts to connect.
Key Components:
- Secure MAC addresses: MAC addresses that are permitted on the port
- Maximum MAC addresses: The number of MAC addresses allowed per port (default is 1)
- Violation modes: Actions taken when a security violation occurs
How Port Security Works
Step 1: Enable on Access Ports
Port security can only be configured on static access ports or trunk ports, not on dynamic (DTP-negotiated) ports. For an end-user port, the interface must first be set to access mode.
Step 2: Configure Secure MAC Addresses
There are three ways to learn MAC addresses:
- Static: Manually configured using the command switchport port-security mac-address [mac-address]
- Dynamic: Learned from traffic and stored in the MAC address table (lost after reboot)
- Sticky: Dynamically learned but added to the running configuration using switchport port-security mac-address sticky
Step 3: Set Maximum MAC Addresses
Use switchport port-security maximum [number] to specify how many MAC addresses are allowed.
Step 4: Configure Violation Mode
Three violation modes determine what happens when an unauthorized MAC address is detected:
- Shutdown (default): Port enters err-disabled state, sends SNMP trap and syslog message, violation counter increments
- Restrict: Drops unauthorized traffic, sends SNMP trap and syslog message, violation counter increments, port stays up
- Protect: Drops unauthorized traffic silently, no logging, violation counter does not increment, port stays up
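The four steps above can be traced end to end with a small model of a secure port. This is an added illustration written for this guide, not Cisco code: it learns source MACs up to the configured maximum, applies the protect/restrict/shutdown rules, and models sticky learning, saving to startup-config and a reboot so the difference between dynamic and sticky addresses is visible. MAC addresses and the log line format are constructed stand-ins.

```python
"""Model of Cisco port-security behaviour (added illustration, not Cisco
code). A SecurePort learns source MACs up to `maximum`; an unknown MAC
beyond that is a violation handled according to the configured mode."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                  # Cisco default: one secure MAC
    violation: str = "shutdown"       # Cisco default violation mode
    sticky: bool = False              # keep learned MACs in running-config
    secure_macs: set = field(default_factory=set)
    running_config: list = field(default_factory=list)
    startup_config: list = field(default_factory=list)
    violation_count: int = 0
    status: str = "secure-up"         # "secure-shutdown" == err-disabled
    log: list = field(default_factory=list)   # syslog/SNMP notifications

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame whose source is src_mac."""
        if self.status == "secure-shutdown":
            return "drop"             # err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)          # dynamic learning
            if self.sticky:                        # sticky: into running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        if self.violation == "protect":            # silent drop, no counter
            return "drop"
        self.violation_count += 1                  # restrict and shutdown log
        self.log.append(f"PSECURE_VIOLATION by {src_mac}")  # constructed line
        if self.violation == "shutdown":
            self.status = "secure-shutdown"        # port goes err-disabled
        return "drop"

    def recover(self) -> None:
        """Admin 'shutdown' / 'no shutdown' (or errdisable recovery)."""
        self.status = "secure-up"

    def save(self) -> None:
        """copy running-config startup-config"""
        self.startup_config = list(self.running_config)

    def reboot(self) -> None:
        """Dynamic MACs vanish; only sticky entries that were saved survive."""
        self.running_config = list(self.startup_config)
        self.secure_macs = {line.split()[-1] for line in self.running_config}
        self.status, self.violation_count = "secure-up", 0
```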
Essential Commands
Configuration Commands:
- switchport mode access - Sets port to access mode
- switchport port-security - Enables port security
- switchport port-security maximum 2 - Allows 2 MAC addresses
- switchport port-security violation restrict - Sets violation mode
- switchport port-security mac-address sticky - Enables sticky learning
Verification Commands:
- show port-security interface [interface] - Shows detailed port security status
- show port-security address - Shows secure MAC addresses
- show port-security - Shows summary of all secured ports
Recovery from Err-disabled:
- Manual: shutdown followed by no shutdown
- Automatic: errdisable recovery cause psecure-violation
Exam Tips: Answering Questions on Port Security
1. Remember the Defaults:
- Default maximum MAC addresses: 1
- Default violation mode: Shutdown
- Default aging time: 0 (addresses never age out)
2. Know Violation Mode Differences: When asked which mode does what, remember:
- Only Shutdown disables the port
- Protect is the only mode that does NOT log or increment counters
- Both Restrict and Protect keep the port operational
3. Sticky MAC Address Behavior: Sticky addresses are saved to the running-config but NOT to the startup-config unless you save manually (copy running-config startup-config). This is a common exam trap.
4. Port Must Be Access Mode: If a question shows port security failing, check if the port is configured as an access port first.
5. Err-disabled Recovery: Know that a shutdown port requires manual intervention (shut/no shut) unless automatic recovery is configured.
6. Common Scenario Questions:
- MAC flooding attack prevention = port security with a low maximum value
- Port goes down after connecting a new device = violation mode is shutdown
- Need to persist learned addresses = use sticky learning
7. Command Syntax: Pay attention to command order in questions. Port security must be enabled AFTER setting the port to access mode.