Port Security
Port security is a feature that provides Layer 2 security by allowing the device to restrict input to an interface by limiting and identifying MAC addresses of the devices that are allowed to connect to the interface. Port security helps prevent unauthorized access to a network by controlling the number of allowed devices and limiting their location to specific device ports. This feature can also be configured to dynamically learn and store MAC addresses and limit the number of MAC addresses per port.
Violations
A violation occurs when a device with an unauthorized MAC address attempts to connect to a port that has port security enabled. An unauthorized MAC address is any MAC address that is not included in the list of allowed MAC addresses for that port, or any address that arrives once the number of connected devices has exceeded the maximum limit set for that port. When a violation is detected, the device can run a user-defined script to handle the violation. The script can be used to log the violation, shut down the interface, or take other actions as needed.
Commands
- port-security mac-address sticky X:X:X:X:X:X
The command is used to configure port security with a static sticky MAC address. This ensures that only the specific devices with specific MAC addresses are allowed to connect to the port. Sticky MAC addresses are saved in the configuration file and retained across router reboots.
X:X:X:X:X:X: is the MAC address that you want to configure as a sticky MAC address. It should be in the format of six groups of two hexadecimal digits separated by colons.
- port-security maximum (1-100)
The command is used to set the maximum number of learned secure MAC addresses allowed on a port. When a device is connected to a device port with port security enabled, the MAC address of that device is dynamically learned and stored in the secure address table (as long as the configured maximum has not yet been reached). Subsequent traffic from that MAC address is allowed on the port, while traffic from any other MAC address is blocked. When this limit is reached, the device will restrict the port and a violation occurs.
(1-100): is the maximum number of secure MAC addresses allowed on the port. The value can range from 1 to 100.
Note
Dynamically learned MAC addresses are sticky and are saved in the running configuration. To remove a dynamically learned MAC address, use the no form of the command: no port-security mac-address sticky X:X:X:X:X:X.
- show port-security address [IFNAME]
The command can be used to view the learned MAC addresses, and the total secure MAC addresses allowed on the interface.
Note
This command only displays the secure MAC addresses and does not display any other MAC addresses learned by the device. To see all MAC addresses learned by the device, use the show ip arp command.
- show port-security interface [IFNAME]
The command displays the port security settings and status for a specific interface. It provides information about the number of secure MAC addresses that have been configured on the interface and the current secure MAC addresses.
IFNAME: is the name of the interface that you want to view the port security configuration and status for.
- port-security violation script
The command is used to configure a user-defined script to be executed when a port security violation occurs on the interface.
script: is the name of the user-defined script that you want to execute when a port security violation occurs.
- clear port-security violation IFNAME
The command is used to clear the port security violation status on the interface. This command resets the violation status and allows the interface to resume normal operation after a violation has occurred.
IFNAME: is the name of the interface for which you want to clear the port security violation status.
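The following Python model is an added illustration, not code from the device or this documentation: it walks through the behaviour the commands above describe (sticky addresses, the maximum, dynamic learning into the secure table, the violation hook and clearing the violation) on one port. The interface name, the callback signature used in place of the user-defined script, and the assumption that the whole port stays restricted until the violation is cleared are assumptions of this example.

```python
import re

# six groups of two hex digits separated by colons (the X:X:X:X:X:X format)
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

class PortSecurity:
    """Model of one secured port: sticky MACs, a maximum and a violation script."""
    def __init__(self, ifname, maximum=1, on_violation=None):
        if not 1 <= maximum <= 100:            # port-security maximum (1-100)
            raise ValueError("port-security maximum must be 1-100")
        self.ifname = ifname
        self.maximum = maximum
        self.secure = []                       # secure address table, in learn order
        self.violated = False                  # set on violation, reset by clear_violation()
        # stands in for the user-defined violation script (assumed call signature)
        self.on_violation = on_violation or (lambda ifname, mac, reason: None)
    def add_sticky(self, mac):
        """port-security mac-address sticky X:X:X:X:X:X"""
        if not MAC_RE.match(mac):
            raise ValueError("bad MAC format: " + mac)
        mac = mac.lower()
        if mac not in self.secure:
            if len(self.secure) >= self.maximum:
                raise ValueError("secure address table is full")
            self.secure.append(mac)
    def remove_sticky(self, mac):
        """no port-security mac-address sticky X:X:X:X:X:X"""
        self.secure.remove(mac.lower())
    def ingress(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if blocked."""
        src_mac = src_mac.lower()
        if self.violated:   # assumption: whole port restricted until cleared
            return False
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.append(src_mac)        # dynamically learned, becomes sticky
            return True
        self.violated = True
        self.on_violation(self.ifname, src_mac,
                          "unauthorized MAC, secure table full (maximum %d)" % self.maximum)
        return False
    def clear_violation(self):
        """clear port-security violation IFNAME"""
        self.violated = False
    def show_address(self):
        """show port-security address IFNAME"""
        return {"interface": self.ifname, "maximum": self.maximum, "secure": list(self.secure)}
```

With maximum 2, a statically configured sticky address plus one dynamically learned address fill the table; the third source MAC triggers the violation hook and blocks the port until clear_violation() is called.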