Securing Access Layer Switch Ports Using Cisco Port Security

Nerd Cafe | نرد کافه

1. Scenario Description

A small office network uses a Layer 2 switch to connect employees' PCs. The network administrator wants to prevent unauthorized devices from using the switch ports.

Only specific devices (PCs), identified by their MAC addresses, should be allowed on each switch port.

If an unauthorized device connects:

  • Traffic from the unauthorized device should be dropped

  • The violation should be logged

  • The port should remain up so the authorized device keeps working

This is achieved using Port Security.

2. What is Port Security?

Port Security is a Cisco IOS switch feature that:

  • Limits the number of MAC addresses (secure addresses) allowed on a port

  • Allows only those authorized MAC addresses to send traffic through the port

  • Prevents unauthorized devices from gaining Layer 2 access

  • Protects against MAC flooding (CAM table overflow) attacks by capping how many addresses one port can learn

Port Security Features

  • Maximum MAC: limits how many secure MAC addresses (devices) the port accepts; the default is 1

  • Sticky MAC: learns the connected device's MAC address dynamically and writes it into the running configuration as a static secure address

  • Violation Mode: the action taken when a frame arrives from a MAC address that is not allowed on the port (protect, restrict or shutdown)

  • Aging: removes secure MAC addresses after a configured time, either absolute or after a period of inactivity

3. Network Topology

4. IP Address Table

Device   Interface   IP Address     Subnet Mask
Router   Fa0/0       192.168.1.1    255.255.255.0
PC1      NIC         192.168.1.11   255.255.255.0
PC2      NIC         192.168.1.12   255.255.255.0
Switch   VLAN1       192.168.1.2    255.255.255.0

Default Gateway = 192.168.1.1 (for the PCs and the switch)

5. Configuration

Step 1 — Configure Router

Step 2 — Configure Switch Basic Settings

6. Port Security Configuration

Configure Port Fa0/2 (PC1)

Allow only one device, whose MAC address the switch learns dynamically and keeps as a sticky secure address.

Configure Port Fa0/3 (PC2)

Allow only one specific MAC address, configured statically on the port.

Example MAC:

So, we have:
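The complete lab configuration for Steps 1 and 2 and for the two access ports, written here as an added example rather than the page's own configuration. The IP addresses come from the IP address table above; the hostnames R1 and SW1 and the MAC address 0000.1111.2222 for PC2 are assumptions, because the page does not give PC2's MAC (take the real one from `ipconfig /all` on the PC, or from `show mac address-table` on the switch before enabling port security).

```cisco
! ---- Step 1: Router (hostname R1 assumed; address from the IP table) ----
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! ---- Step 2: Switch basic settings (hostname SW1 assumed) ----
hostname SW1
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
ip default-gateway 192.168.1.1
!
! ---- Fa0/2 (PC1): one device, learned and kept with sticky MAC ----
! "switchport mode access" must come first: IOS rejects port security
! on a port that is still in dynamic (DTP) mode.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! ---- Fa0/3 (PC2): one device, bound to a static MAC address ----
! 0000.1111.2222 is an assumed value; use the real MAC of PC2.
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation restrict
!
end
```

`maximum 1` is the IOS default and is written out only for clarity. A sticky address is added to the running configuration when PC1 sends its first frame, so run `write memory` after that happens; otherwise the learned binding is lost at the next reload and the port learns whatever is plugged in at that time.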

7. Verify Port Security

Command 1

Command 2

Command 3
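The verification commands, as an added example (the page does not reproduce them). The field names in the comments are those of IOS `show port-security` output; the values given are the ones this lab should produce after PC1 and PC2 have each sent traffic.

```cisco
! Summary of every port-security port: max addresses, current count,
! security violation count and violation mode
show port-security
!
! Per-port detail. For this lab expect on Fa0/2:
!   Port Security            : Enabled
!   Port Status              : Secure-up
!   Violation Mode           : Restrict
!   Maximum MAC Addresses    : 1
!   Sticky MAC Addresses     : 1
!   Security Violation Count : 0
! and on Fa0/3 "Configured MAC Addresses : 1" instead of the sticky count.
show port-security interface FastEthernet0/2
show port-security interface FastEthernet0/3
!
! Secure address table: type SecureSticky on Fa0/2, SecureConfigured on Fa0/3
show port-security address
!
! The sticky address also appears in the running configuration as
!   switchport port-security mac-address sticky <mac>
show running-config interface FastEthernet0/2
```

If `Port Status` shows `Secure-down`, the port is simply not up (no device or cable); `Secure-shutdown` means a violation has already put it into err-disabled.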

8. Operation Scenario

Normal Operation

Step 1

PC1 connects to Fa0/2.

Switch learns MAC automatically:

Result:

  • Port remains UP

  • Communication works

  • Ping succeeds

9. Violation Scenario

Step 2

Disconnect PC1 and connect another PC.

Unauthorized PC MAC:

Result:

The sticky address of PC1 is still bound to Fa0/2, so the first frame from the new PC's MAC address exceeds the maximum of one secure address and the switch detects a violation.

Violation Mode = Restrict

  ✔ Authorized MAC (PC1) still allowed

  ✖ Unauthorized MAC blocked: its frames are dropped

  ✔ Port stays up (Secure-up); the Security Violation Count increments and a %PORT_SECURITY-2-PSECURE_VIOLATION syslog message is generated

Now, we have:

10. Violation Modes Explained

Protect Mode

  • Drops frames from unauthorized MAC addresses (the authorized device keeps working)

  • Generates no syslog message

  • Does not increment the violation counter, so the administrator has no visibility of the event

Restrict Mode (Used Here)

  • Drops frames from unauthorized MAC addresses

  • Logs the violation (syslog message and SNMP trap)

  • Increments the Security Violation Count

Used in this lab, and recommended where the port must stay up for the authorized device; shutdown mode is the stricter choice when any violation should take the port out of service.

Shutdown Mode

  • The IOS default mode: the port goes into err-disabled and stops forwarding all traffic, including the authorized device's

  • Requires manual recovery (shutdown, then no shutdown) unless errdisable recovery is configured for the psecure-violation cause

Output:

12. Recover Shutdown Port
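How to return an err-disabled port to service, as an added example rather than the page's own commands. Fa0/2 and the 300-second recovery interval are assumptions.

```cisco
! 1. Confirm the port is err-disabled and that port security is the cause
show interfaces status err-disabled
show port-security interface FastEthernet0/2
!
! 2. Remove the cause before bringing the port back. Unplug the
!    unauthorized device. If the authorized PC was legitimately
!    replaced, clear the stale sticky entry so the new one can be
!    learned; otherwise the port is err-disabled again on the next frame.
clear port-security sticky interface FastEthernet0/2
!
! 3. Manual recovery: bounce the interface
configure terminal
interface FastEthernet0/2
 shutdown
 no shutdown
 end
!
! 4. Optional automatic recovery. The interval is in seconds;
!    300 is assumed here (it is also the IOS default).
configure terminal
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
show errdisable recovery
```

Automatic recovery only re-enables the port; if the offending device is still attached, the port shuts down again as soon as it receives a frame from it, so step 2 is not optional.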

13. Advanced Configuration (Optional)

Enable Aging

Meaning:

  • Remove a secure MAC address after 5 minutes with no traffic from it, freeing the slot for the next device.
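The aging configuration that implements the meaning above, as an added example (not from the page); Fa0/2 is assumed as the port. The time unit of `aging time` is minutes.

```cisco
interface FastEthernet0/2
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! By default aging applies only to dynamically learned secure addresses.
! On a port with a statically configured MAC (such as Fa0/3 in this lab)
! aging has no effect unless static aging is also enabled:
interface FastEthernet0/3
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 switchport port-security aging static
```

Check the result with `show port-security interface FastEthernet0/2`: the `Aging Time`, `Aging Type` and `SecureStatic Address Aging` fields reflect these settings. Without `aging type inactivity` the default type is absolute, which removes the address 5 minutes after it was learned even if the device is still talking.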

💖 Support Our Work

If you find this post helpful and would like to support my work, you can send a donation via TRC-20 (USDT). Your contributions help us keep creating and sharing more valuable content.


Thank you for your generosity! 🙏

Keywords

Cisco Port Security, Layer 2 Security, Switch Security, MAC Address Filtering, Sticky MAC, Access Port Security, Cisco Switch Configuration, Network Security, Security Violation Modes, Protect Mode, Restrict Mode, Shutdown Mode, Secure MAC Addresses, Unauthorized Device Prevention, Access Layer Protection, Port Security Verification, MAC Address Learning, VLAN Access Ports, Cisco IOS Commands, Small Office Network Security, nerd cafe , نرد کافه

Channel Overview

🌐 Website: www.nerd-cafe.ir

📺 YouTube: @nerd-cafe

🎥 Aparat: nerd_cafe

📌 Pinterest: nerd_cafe

📱 Telegram: @nerd_cafe

📝 Blog: Nerd Café on Virgool

💻 GitHub: nerd-cafe
