{"id":1036,"date":"2017-09-20T12:55:38","date_gmt":"2017-09-20T18:55:38","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=1036"},"modified":"2018-05-22T21:12:28","modified_gmt":"2018-05-23T03:12:28","slug":"cisco-mac-address-port-security","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2017\/09\/cisco-mac-address-port-security\/","title":{"rendered":"Cisco MAC Address Port Security"},"content":{"rendered":"<p>Cisco MAC Address Port Security<\/p>\n<p>We are going to configure basic, no frills, port security on the Cisco Catalyst 2960. From Understanding Port Security &#8211; Chapter 62 &#8211; Configuring Port Security<\/p>\n<p><em>You can use port security with dynamically learned and static MAC addresses to restrict a port\u2019s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.<\/em><br \/>\n<!--more--><br \/>\nThe table below lists the default values on each port for the Cisco 2960. To ensure you also have the default values to follow along with this tutorial I suggest following my previous post on how to <a href=\"http:\/\/www.jedge.com\/wordpress\/2017\/09\/reset-to-cisco-switch-to-factory-defaults\/\" target=\"_blank\" rel=\"noopener\">reset your switch to the factory defaults<\/a>. 
The tutorial also shows you how to connect to the Cisco device via the console cable and a serial-to-USB adapter.<\/p>\n\n<table id=\"tablepress-2\" class=\"tablepress tablepress-id-2\">\n<thead>\n<tr class=\"row-1\">\n\t<th class=\"column-1\">Feature<\/th><th class=\"column-2\">Default Setting<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr class=\"row-2\">\n\t<td class=\"column-1\">Port security<\/td><td class=\"column-2\">Disabled on a port.<\/td>\n<\/tr>\n<tr class=\"row-3\">\n\t<td class=\"column-1\">Sticky address learning<\/td><td class=\"column-2\">Disabled.<\/td>\n<\/tr>\n<tr class=\"row-4\">\n\t<td class=\"column-1\">Maximum number of secure MAC addresses per port<\/td><td class=\"column-2\">1<\/td>\n<\/tr>\n<tr class=\"row-5\">\n\t<td class=\"column-1\">Violation mode<\/td><td class=\"column-2\">Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.<\/td>\n<\/tr>\n<tr class=\"row-6\">\n\t<td class=\"column-1\">Port security aging<\/td><td class=\"column-2\">Disabled. 
Aging time is 0.<br \/>\nStatic aging is disabled.<br \/>\nType is absolute.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<!-- #tablepress-2 from cache -->\n<p>We are going to keep it simple and work with FastEthernet port 0\/1.<br \/>\n<pre><code>\nSwitch con0 is now available\n\nPress RETURN to get started.\n\nSwitch&gt;enable\nSwitch#config t\nEnter configuration commands, one per line.&nbsp;&nbsp;End with CNTL\/Z.\nSwitch(config)#interface FastEthernet 0\/1\nSwitch(config-if)#switchport mode access\nSwitch(config-if)#switchport port-security\nSwitch(config-if)#switchport port-security maximum 1\nSwitch(config-if)#switchport port-security violation protect\nSwitch(config-if)#switchport port-security mac-address 0015.99d2.99fd\nSwitch(config-if)#end\nSwitch#show port-security\nSecure Port&nbsp;&nbsp;MaxSecureAddr&nbsp;&nbsp;CurrentAddr&nbsp;&nbsp;SecurityViolation&nbsp;&nbsp;Security Action\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(Count)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (Count)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(Count)\n---------------------------------------------------------------------------\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Fa0\/1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Protect\n---------------------------------------------------------------------------\nTotal Addresses in System (excluding one mac per port)&nbsp;&nbsp;&nbsp;&nbsp; : 0\nMax Addresses limit in System (excluding one mac per port) : 8192\n<\/code><\/pre><br \/>\nThe only thing you need to change regarding the commands above is the MAC address you want to filter. I chose my printer.  
Older printers are the likely culprit in office environments for port security based on MAC addresses.<br \/>\n&nbsp;<\/p>\n<p>Resources<\/p>\n<p><a href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/switches\/lan\/catalyst6500\/ios\/12-2SX\/configuration\/guide\/book\/port_sec.pdf\" rel=\"noopener\" target=\"_blank\">https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/switches\/lan\/catalyst6500\/ios\/12-2SX\/configuration\/guide\/book\/port_sec.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cisco MAC Address Port Security We are going to configure basic, no frills, port security on the Cisco Catalyst 2960. From Understanding Port Security &#8211; Chapter 62 &#8211; Configuring Port Security You can use port security with dynamically learned and static MAC addresses to restrict a port\u2019s ingress traffic by limiting the MAC addresses that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3],"tags":[161,165,157,28],"class_list":["post-1036","post","type-post","status-publish","format-standard","hentry","category-configuration","tag-cisco","tag-lab-setup","tag-port-security","tag-security"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1036","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=1036"}],"version-history":[{"count":10,"href":"https:\/\/www.jedge.co
m\/wordpress\/wp-json\/wp\/v2\/posts\/1036\/revisions"}],"predecessor-version":[{"id":1052,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1036\/revisions\/1052"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=1036"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=1036"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=1036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}