Port Security

Port security is a feature that provides Layer 2 security by allowing the switch to restrict input to an interface by limiting and identifying MAC addresses of the devices that are allowed to connect to the interface. Port security helps prevent unauthorized access to a network by controlling the number of allowed devices and limiting their location to specific switch ports. This feature can also be configured to dynamically learn and store MAC addresses and limit the number of MAC addresses per port.

Commands

port-security mac-address sticky X:X:X:X:X:X

The command is used to configure port security with sticky MAC addresses. When this command is executed, the router dynamically learns the MAC address and adds it to the running configuration as a sticky MAC address. This ensures that only the specific devices with the sticky MAC addresses are allowed to connect to the port. Sticky MAC addresses are saved in the configuration file and retained across router reboots. When a device is connected to a switch port with port security enabled, the MAC address of that device is dynamically learned and stored in the secure address table (provided the configured maximum number of secure addresses has not yet been reached). Subsequent traffic from that MAC address is allowed on the port, while traffic from any other MAC address is blocked.

  • X:X:X:X:X:X: is the MAC address that you want to configure as a sticky MAC address. It should be in the format of six groups of two hexadecimal digits separated by colons.

port-security maximum (1-100)

The command is used to set the maximum number of learned secure MAC addresses allowed on a port. When this limit is reached, the switch will restrict the port.

  • (1-100): is the maximum number of secure MAC addresses allowed on the port. The value can range from 1 to 100.
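The following Python model, added here as an illustration and not taken from the product's own software, simulates the behaviour described for the sticky and maximum commands: the X:X:X:X:X:X format is validated, addresses are learned dynamically into the secure table until the configured maximum is reached, learned addresses are emitted as sticky lines in the running configuration, and frames from any further address are blocked and counted. The class name SecurePort, the method names, and the choice to keep forwarding frames from already-secured addresses after a violation (rather than shutting the port down) are assumptions of this example, not documented device behaviour.

```python
import re
from dataclasses import dataclass, field

# Six groups of two hex digits separated by colons, as required for X:X:X:X:X:X
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Validate the colon-separated MAC format and return it in lowercase."""
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address format: {mac!r}")
    return mac.lower()


@dataclass
class SecurePort:
    """Hypothetical model of one switch port with port security enabled."""
    name: str
    maximum: int = 1                              # port-security maximum (1-100)
    sticky: set = field(default_factory=set)      # secure address table (sticky entries)
    violations: int = 0                           # frames dropped from non-secure addresses

    def __post_init__(self):
        if not 1 <= self.maximum <= 100:
            raise ValueError("maximum must be between 1 and 100")

    def configure_sticky(self, mac: str) -> None:
        """Equivalent of an operator typing: port-security mac-address sticky X:X:X:X:X:X"""
        mac = normalize_mac(mac)
        if mac in self.sticky:
            return
        if len(self.sticky) >= self.maximum:
            raise ValueError(f"{self.name}: secure address table is full ({self.maximum})")
        self.sticky.add(mac)

    def receive_frame(self, src_mac: str) -> str:
        """Decide what happens to an ingress frame; returns 'forward' or 'drop'."""
        mac = normalize_mac(src_mac)
        if mac in self.sticky:
            return "forward"                      # already a secure address
        if len(self.sticky) < self.maximum:
            self.sticky.add(mac)                  # dynamically learned, becomes sticky
            return "forward"
        self.violations += 1                      # table full: restrict (assumed behaviour)
        return "drop"

    def running_config(self) -> list:
        """Configuration lines that would be retained across reboots."""
        lines = [f"port-security maximum {self.maximum}"]
        lines += [f"port-security mac-address sticky {m}" for m in sorted(self.sticky)]
        return lines

    def show_address(self) -> dict:
        """Summary comparable to 'show port-security address': learned vs. allowed."""
        return {
            "interface": self.name,
            "secure_addresses": sorted(self.sticky),
            "maximum": self.maximum,
            "violations": self.violations,
        }


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real device
    port = SecurePort("eth1", maximum=2)
    for src in ["AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02", "AA:BB:CC:DD:EE:03"]:
        print(src, "->", port.receive_frame(src))
    print("\n".join(port.running_config()))
    print(port.show_address())
```

Running the sample learns the first two addresses, drops the third and reports one violation; the violation counter is the value a defender would alert on, since a rising count on a port that should carry a single known device indicates either a new device or a spoofed address.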

show port-security address [IFNAME]

The command can be used to view the learned secure MAC addresses and the total number of secure MAC addresses allowed on the interface.

Note

This command only displays the secure MAC addresses and does not display any other MAC addresses learned by the switch. To see all MAC addresses learned by the device, use the show ip arp command.

show port-security interface [IFNAME]

The command displays the port security settings and status for a specific interface. It provides information about the number of secure MAC addresses that have been configured on the interface and the current secure MAC addresses.

  • IFNAME: is the name of the interface that you want to view the port security configuration and status for.