Configuration of Switch Port Security

Port Security

Port Security is a process in which the network admin restricts a switch so that only the MAC addresses of the devices connected to its interfaces are allowed ("stuck", or sticky, on the interface). With this, only authorized devices can connect to the switch and access the network. The network admin can define a limit on the number of sticky MAC addresses on a single port; once that many MAC addresses are bound to an interface, no further device can connect through that interface of the switch.

There are two ways to bind (stick) a MAC address to a switch interface.
1. Manual
2. Automatic

=> In the manual way, the network admin configures the MAC addresses manually on the interfaces of the switch.

=> In the automatic way, the network admin only configures the command that learns the MAC address of the connected device, and the switch automatically updates its MAC address table with the MAC addresses of the devices connected to its interfaces.

What are Switches?

A switch is like a hub, but it is also an intelligent device. It is also used on the Physical Layer of the OSI model to connect multiple end devices and create a local area network. The switch works on the basis of a MAC address table which it maintains in its memory. In this table the switch stores the MAC address of each device and the port number to which that end device is connected.

When the switch receives a packet, it first matches the source and destination MAC addresses written in the packet header against the table it maintains. If the source and destination MAC addresses match entries in the table, the switch sends the packet to the destination; if the address does not match, the switch holds the packet and first sends a broadcast message to all devices to update its MAC table.

Switches also have the ability to control collision and broadcast domains.

Configurations

Switch Network

Switch>enable
Switch#configure terminal
Switch(config)#hostname TestSwitch
TestSwitch(config)#enable password cisco (Plain-text password)
TestSwitch(config)#enable secret class (Encrypted password)
TestSwitch(config)#username TestSwitch secret csico
TestSwitch(config)#ip domain-name cisco.com
TestSwitch(config)#crypto key generate rsa
(Set the key size between 360 and 2048)
TestSwitch(config)#line console 0
TestSwitch(config-line)#password cisco
TestSwitch(config-line)#login
TestSwitch(config-line)#exit
TestSwitch(config)#line vty 0 15
TestSwitch(config-line)#transport input ssh
TestSwitch(config-line)#login local
TestSwitch(config-line)#exit
TestSwitch(config)#interface vlan 1
TestSwitch(config-if)#ip address 192.168.1.254 255.255.255.0
TestSwitch(config-if)#no shutdown
TestSwitch(config-if)#exit
TestSwitch(config)#interface range fastEthernet 0/1-24, gigabitEthernet 0/1-2 (Defines the range of all ports so that they can be configured in a single step)
TestSwitch(config-if-range)#switchport mode access
TestSwitch(config-if-range)#switchport port-security
TestSwitch(config-if-range)#switchport port-security mac-address sticky
TestSwitch(config-if-range)#switchport port-security maximum 1 (Defines the maximum number of MAC addresses that can be bound to the switch interface)
TestSwitch(config-if-range)#switchport port-security violation shutdown (Defines what happens when a violation occurs)
TestSwitch(config-if-range)#exit
TestSwitch(config)#exit
TestSwitch#copy running-config startup-config
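The following script is an added example, not part of the original post: it audits a saved Cisco IOS running-config for the port-security settings entered above and reports any access port that is missing one of them. SAMPLE_CONFIG and its interface names are constructed for the example.

```python
# Added audit script, not from the post: it parses a saved Cisco IOS running-config
# and reports access ports missing the port-security settings configured above.
# SAMPLE_CONFIG and its interface names are constructed for this example.

REQUIRED = {
    "switchport mode access",
    "switchport port-security",
    "switchport port-security mac-address sticky",
    "switchport port-security maximum 1",
    "switchport port-security violation shutdown",
}

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 3
 switchport port-security violation protect
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
"""

def parse_interfaces(config):
    """Map each 'interface X' block to the set of its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = set()
        elif current and line.startswith(" "):
            blocks[current].add(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return blocks

def audit(config, prefixes=("FastEthernet", "GigabitEthernet")):
    """Return {port: sorted missing settings}; SVIs such as Vlan1 are skipped."""
    return {name: sorted(REQUIRED - lines)
            for name, lines in parse_interfaces(config).items()
            if name.startswith(prefixes) and REQUIRED - lines}
```

Running audit(SAMPLE_CONFIG) flags FastEthernet0/2 (maximum 3, violation protect) and passes FastEthernet0/1, whose learned sticky address is kept as an extra line alongside the required ones.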

Results

[Image: MAC address table]
In this image the MAC address table of the switch is shown. After the MAC address field there is a TYPE field whose value is STATIC, which means that if a device is removed from the switch these MAC addresses remain sticky and cannot be changed until the network admin removes them manually.

[Image: Running config]
In the above image the running configuration of the switch is shown, in which we can see the command at the end of which the MAC address is bound.

If the admin wants to change that bound MAC address, then he has to write "no" before the command, like this:

no switchport port-security mac-address sticky <mac address of the device>
