Port security restricts which MAC addresses may send traffic through a switch port. It keeps unauthorized devices off the network and stops MAC flooding attacks, which try to overflow the switch's CAM table so that it floods traffic to every port.
Note: the moment switchport port-security is entered, the defaults take effect: a maximum of one secure MAC address and the shutdown violation action. If the port already has several devices behind it (a hub, an unmanaged switch, or an IP phone with a PC behind it), the port will go err-disabled as soon as the command is entered. Define the maximum and the violation action first, then enable port security.
Step 1: Enable port security on the interface. The port must be in a static mode (switchport mode access) before this will be accepted; the command is rejected on a port whose mode is still negotiated by DTP (dynamic auto or dynamic desirable).
Step 2: Configure the maximum allowed MAC addresses. Set how many secure MAC addresses the port may hold. The default is 1. Count every device behind the port, including an IP phone and the PC connected through it.
Step 3: Define allowed MAC addresses (optional). You can specify addresses statically, let the switch learn them dynamically, or enable sticky learning. Sticky learning converts dynamically learned addresses into static secure entries in the running configuration until the configured maximum is reached; after that no further addresses are learned and any other source MAC is treated as a violation. Plain dynamic entries are lost when the switch restarts; sticky entries survive a restart only if the configuration is saved.
Step 4: Set the violation action. Choose what happens when the port has reached its maximum and a frame arrives from a MAC address that is not secure on it, or when a MAC secured on one port shows up on another secure port in the same VLAN. shutdown (the default) err-disables the port; restrict drops the offending frames, increments the violation counter and generates a syslog message and SNMP trap; protect drops the offending frames silently.
Step 5: Apply to multiple ports (bulk configuration). Use interface range to push the same settings to a block of user-facing access ports. Do not include uplinks, trunks or ports that feed other switches, where the number of source MAC addresses is not predictable.
Step 6: Verify the port security configuration. Check the global summary, the per-interface status (Port Status should read Secure-up, and the Security Violation Count should not be climbing) and the table of secure addresses, so you can confirm that the addresses actually learned are the ones you expect.
Step 7: Recover from a security violation (if needed). With the shutdown action, a violation places the port in err-disabled state and it stays down until you shut and re-enable the interface (or until errdisable recovery brings it up). Before re-enabling, remove or fix the offending device; if a legitimate device was replaced, clear the stale sticky entry first, otherwise the port trips again as soon as it comes up.
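The whole procedure as one Cisco IOS configuration session, added here as a worked example; it is not taken from the original page. The interface names GigabitEthernet0/1 through 0/24, the static MAC address 0000.1111.2222, the violation modes chosen per port and the port used in the recovery step are assumptions made for illustration.

```cisco
! Added example, not from the original page. Interface names, the MAC address
! 0000.1111.2222 and the port range are assumed for illustration.

! --- Steps 1-4: a single access port with two devices behind it ---
configure terminal
interface GigabitEthernet0/1
 ! Port security is rejected on a DTP-negotiated port, so fix the mode first
 switchport mode access
 ! Set parameters BEFORE enabling, so the defaults (maximum 1, shutdown)
 ! do not err-disable a port that already has several devices attached
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! One statically allowed MAC plus sticky learning for the remaining slot
 switchport port-security mac-address 0000.1111.2222
 switchport port-security mac-address sticky
 ! Now enable port security with the parameters above already in place
 switchport port-security
 exit

! --- Step 5: bulk configuration of a block of user-facing ports ---
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security
 exit

! --- Step 7 (automatic variant): err-disabled ports recover on their own ---
! The interval is global for all errdisable causes; 300 seconds is the default
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end

! Sticky addresses exist only in running-config until saved
copy running-config startup-config

! --- Step 6: verification ---
show port-security
show port-security interface GigabitEthernet0/1
show port-security address
show interfaces status err-disabled
show errdisable recovery

! --- Step 7 (manual): recover a port after a shutdown violation ---
! If a legitimate device was swapped, drop the stale sticky entry first,
! otherwise the new device's MAC is a violation and the port trips again
clear port-security sticky interface GigabitEthernet0/5
configure terminal
interface GigabitEthernet0/5
 shutdown
 no shutdown
 end
```

In the per-interface output, look at Port Status (Secure-up versus Secure-shutdown), Maximum MAC Addresses against Total MAC Addresses, and Security Violation Count. A rising violation count on a restrict port is the signal to investigate which device is plugging in; a protect port gives you no such counter, which is why restrict or shutdown is preferred where detection matters.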
Key Points:
- Sticky learning writes learned MAC addresses to the running config only; save to startup-config or they are lost on reload
- Shutdown (the default) puts the port in err-disabled state and requires manual recovery unless errdisable recovery is enabled
- Restrict drops violating frames, keeps the port up, increments the violation counter and generates a syslog message and SNMP trap
- Protect drops violating frames silently, with no counter, log or trap, so violations on a protect port are hard to detect
- The port must be in a static mode (switchport mode access, or a static trunk); port security is rejected on ports whose mode is negotiated by DTP
- Use errdisable recovery cause psecure-violation (with errdisable recovery interval, default 300 seconds) for automatic recovery