Sep 202017

Cisco MAC Address Port Security

We are going to configure basic, no frills, port security on the Cisco Catalyst 2960. From Understanding Port Security – Chapter 62 – Configuring Port Security

You can use port security with dynamically learned and static MAC addresses to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.

The table below lists the default values on each port for the Cisco 2960. To ensure you also have the default values to follow along with this tutorial I suggest following my previous post on how to reset your switch to the factory defaults. The tutorial also shows you have to connect to the Cisco device via the console cable and a serial-to-USB adapter.

FeatureDefault Setting
Port securityDisabled on a port.
Sticky address learningDisabled.
Maximum number of secure MAC addresses per port1
Violation modeShutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Port security agingDisabled. Aging time is 0.
Static aging is disabled.
Type is absolute.

We are going to keep it simple and work with FastEthernet port 0/1.

Switch con0 is now available

Press RETURN to get started.

Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation protect
switchport port-security mac-address 0015.99d2.99fd
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1              1            1                  0          Protect
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192

The only thing you need to change regarding the commands above is the MAC address you want to filter. I chose my printer. Older printers are the likely culprit in office environments for port security based on MAC addresses.


 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>