Cisco MAC Address Port Security
We are going to configure basic, no-frills port security on the Cisco Catalyst 2960. The following description is from Understanding Port Security – Chapter 62 – Configuring Port Security:
You can use port security with dynamically learned and static MAC addresses to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.
The table below lists the default values on each port for the Cisco 2960. To ensure you also have the default values to follow along with this tutorial, I suggest following my previous post on how to reset your switch to the factory defaults. That tutorial also shows you how to connect to the Cisco device via the console cable and a serial-to-USB adapter.
| Feature | Default Setting |
|---|---|
| Port security | Disabled on a port. |
| Sticky address learning | Disabled. |
| Maximum number of secure MAC addresses per port | 1 |
| Violation mode | Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded. |
| Port security aging | Disabled. Aging time is 0. Static aging is disabled. Type is absolute. |
We are going to keep it simple and work with FastEthernet port 0/1.
```
Switch con0 is now available

Press RETURN to get started.

Switch>enable
Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#switchport port-security mac-address 0015.99d2.99fd
Switch(config-if)#end
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
```
The only thing you need to change in the commands above is the MAC address you want to allow on the port. I chose my printer. In office environments, older printers are the usual reason for falling back to MAC-address-based port security.
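As an added example that is not part of the original post, here is the same port configured with the `restrict` violation mode instead of `protect`, followed by the commands used to verify it. `protect` silently drops frames from any unlisted MAC and never increments the violation counter, so you would not see `SecurityViolation` move above 0 in the output above; `restrict` drops the same frames but also counts them and raises a syslog message and SNMP trap. The MAC address is the printer's from this post; the `errdisable recovery` lines are only relevant if you keep the default `shutdown` mode.

```cisco
Switch>enable
Switch#config t
! Same port as above, but with a violation mode that is visible to monitoring.
Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
! restrict = drop unknown-source frames AND count them, log them, send a trap.
! protect  = drop them silently (no counter, no log).
! shutdown = err-disable the whole port (the default).
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security mac-address 0015.99d2.99fd
Switch(config-if)#exit
! Only needed if you use 'shutdown' mode: let an err-disabled port come back
! on its own after 300 seconds instead of staying down until someone bounces it.
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery interval 300
Switch(config)#end
! Verification: per-port detail (mode, last violating source MAC, counters),
! the secure address table, and any ports currently err-disabled.
Switch#show port-security interface FastEthernet 0/1
Switch#show port-security address
Switch#show interfaces status err-disabled
```

After plugging in a device with a different MAC, re-run `show port-security` and check that the `SecurityViolation` count on Fa0/1 rises; in `protect` mode it will stay at 0 even while the frames are being dropped.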