Network Warrior, 2nd Edition by Gary A. Donahue

Port Security

Port security is the means whereby you can prevent network devices from using a port on your switch. At the port level, you can specify certain MAC addresses that you allow or deny the right to use the port. You can do this statically or dynamically. For example, you can tell the switch to allow only the first three stations that connect to use a port, and then deny all the rest. You can also tell the switch that only the device with the specified MAC address can use the switch port, or that any node except the one with the specified MAC address can use the switch port.

MAC addresses can be either manually configured or dynamically learned. Addresses that are learned can be saved. Manually configured addresses are called static secure MAC addresses; dynamically learned MAC addresses are termed dynamic secure MAC addresses; and saved dynamic MAC addresses are called sticky secure MAC addresses.

You enable port security with the switchport port-security interface command. This command can be configured only on an interface that has been set as a switchport. Trunks and interfaces that are dynamic (the default) cannot be configured with port security:

3750(config-if)#switchport port-security
Command rejected: GigabitEthernet1/0/20 is a dynamic port.

If you get this error, you need to configure the port for switchport mode access before you can continue:

3750(config-if)#switchport mode access
3750(config-if)#switchport port-security
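
The rules above can be checked offline against a saved running-config. The following Python audit is an added example, not code from the book: it reports which ports are ineligible for port security (trunk or still dynamic), which access ports have it enabled, and which secure MAC addresses are static or sticky. The sample config, function names, and status labels are constructed for illustration, and the fallback maximum of 1 is the IOS default when no maximum line is present.

```python
import re

# Constructed sample running-config (illustrative; not taken from the book).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/20
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface GigabitEthernet1/0/21
 switchport mode access
 switchport port-security
 switchport port-security mac-address 00aa.bbcc.ddee
!
interface GigabitEthernet1/0/22
 switchport mode access
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""
PREFIX = "switchport port-security"
MAC = re.compile(r"mac-address (sticky )?([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})$", re.I)

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return ports

def audit(config):
    """Classify each port; no "switchport mode" line means it is still dynamic."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), "dynamic")
        macs = [m.groups() for c in cmds if c.startswith(PREFIX) and (m := MAC.search(c))]
        limit = next((int(c.split()[3]) for c in cmds if c.startswith(PREFIX + " maximum ")), 1)
        status = "ineligible" if mode != "access" else "secured" if PREFIX in cmds else "unprotected"
        report[name] = {"mode": mode, "status": status, "maximum": limit,
                        "static": [a for s, a in macs if not s], "sticky": [a for s, a in macs if s]}
    return report
```

Calling audit(SAMPLE_CONFIG) returns one entry per interface; ports marked "unprotected" are access ports where port security could be enabled but is not.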

You cannot configure port security on a port ...