Port Security

Port security is the mechanism by which you control which network devices may use a port on your switch. At the port level, you can specify certain MAC addresses that are allowed or denied the right to use the port. You can do this statically or dynamically. For example, you can tell the switch to allow only the first three stations that connect to use a port, and then deny all the rest. You can also tell the switch that only the device with the specified MAC address can use the switch port, or that any node except the one with the specified MAC address can use the switch port.

MAC addresses can be either manually configured or dynamically learned. Addresses that are learned can be saved. Manually configured addresses are called static secure MAC addresses; dynamically learned MAC addresses are termed dynamic secure MAC addresses; and saved dynamic MAC addresses are called sticky secure MAC addresses.

You enable port security with the switchport port-security interface command. This command can be configured only on an interface that has been set as a switchport. Trunks and interfaces that are dynamic (the default) cannot be configured with port security:

3750(config-if)#switchport port-security
Command rejected: GigabitEthernet1/0/20 is a dynamic port.

If you get this error, you need to configure the port for switchport mode access before you can continue:

3750(config-if)#switchport mode access
3750(config-if)#switchport port-security
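As an added example that is not from the book, here is a complete port-security configuration for the port above covering the cases the text describes: a maximum of three secure addresses, one static secure MAC address, sticky learning for the rest, and the show commands used to verify the result. The interface name, the MAC address and the choice of violation mode are assumptions, not values from the book.

```cisco
! Added example; the interface and the MAC address are placeholders, not values from the book.
3750(config)#interface GigabitEthernet1/0/20
! Port security requires a static access port; a dynamic (DTP) port or a trunk is rejected.
3750(config-if)#switchport mode access
3750(config-if)#switchport port-security
! Allow at most three secure MAC addresses on this port.
3750(config-if)#switchport port-security maximum 3
! One static secure MAC address, configured by hand (placeholder MAC).
3750(config-if)#switchport port-security mac-address 0000.1111.2222
! Learn the remaining addresses dynamically and save them as sticky secure addresses.
3750(config-if)#switchport port-security mac-address sticky
! Drop frames from any further source MAC and log the violation, but keep the port up.
3750(config-if)#switchport port-security violation restrict
3750(config-if)#end
! Verify the port state, the violation count and the secure address table.
3750#show port-security interface GigabitEthernet1/0/20
3750#show port-security address
```

The default violation mode is shutdown, which err-disables the port on the first unexpected MAC address; restrict is used here so a fourth station is blocked and logged without taking the port down. Sticky addresses are written into the running configuration, so they survive a reload only after the configuration is saved.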

You cannot configure port security on a port ...
