Port Security

Port security is the means whereby you can prevent network devices from using a port on your switch. At the port level, you can specify certain MAC addresses that you allow or deny the right to use the port. This can be done statically or dynamically. For example, you can tell the switch to allow only the first three stations that connect to use a port, and then deny all the rest. You can also tell the switch that only the device with the specified MAC address can use the switch port, or that any node except the one with the specified MAC address can use the switch port.

MAC addresses can be either manually configured or dynamically learned. Addresses that are learned can be saved. Manually configured addresses are called static secure MAC addresses; dynamically learned MAC addresses are termed dynamic secure MAC addresses, and saved dynamic MAC addresses are called sticky secure MAC addresses.

Port security is enabled with the switchport port-security interface command. This command can be configured only on an interface that has been set as a switchport. Trunks and interfaces that are dynamic (the default) cannot be configured with port security:

3750(config-if)#switchport port-security
Command rejected: GigabitEthernet1/0/20 is a dynamic port.

If you get this error, you need to configure the port for switchport mode access before you can continue:

3750(config-if)#switchport mode access
3750(config-if)# 
switchport port-security

You cannot configure port security on a port ...

Get Network Warrior now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.