search

Securing Access Layer Switch Ports Using Cisco Port Security

Nerd Cafe | نرد کافه

hashtag
1. Scenario Description

A small office network uses a Layer 2 switch to connect employees. The network administrator wants to prevent unauthorized devices from connecting to the switch.

Only specific devices (PCs) should be allowed on each switch port.

If an unauthorized device connects:

  • The port should restrict traffic

  • The violation should be logged

  • The port should remain active for authorized devices

This is achieved using Port Security.

hashtag
2. What is Port Security?

Port Security is a Cisco switch feature that:

  • Limits number of MAC addresses allowed on a port

  • Allows only authorized MAC addresses

  • Prevents unauthorized device access

  • Protects against MAC flooding attacks

hashtag
Port Security Features

Feature
Description

Maximum MAC

Limits number of devices

Sticky MAC

Learns MAC automatically

Violation Mode

Action when violation occurs

Aging

Removes old MAC addresses

hashtag
3. Network Topology

hashtag
4. IP Address Table

Device
Interface
IP Address
Subnet Mask

Router

FA0/0

192.168.1.1

255.255.255.0

PC1

NIC

192.168.1.11

255.255.255.0

PC2

NIC

192.168.1.12

255.255.255.0

Switch

VLAN1

192.168.1.2

255.255.255.0

Default Gateway = 192.168.1.1

hashtag
5. Configuration

hashtag
Step 1 — Configure Router

hashtag
Step 2 — Configure Switch Basic Settings

hashtag
6. Port Security Configuration

hashtag
Configure Port Fa0/2 (PC1)

Allow only one device using Sticky MAC.

hashtag
Configure Port Fa0/3 (PC2)

Allow only one specific MAC address.

Example MAC:

So, we have:

hashtag
7. Verify Port Security

hashtag
Command 1

hashtag
Command 2

hashtag
Command 3

hashtag
8. Operation Scenario

hashtag
Normal Operation

Step1

PC1 connects to Fa0/2.

Switch learns MAC automatically:

Result:

  • Port remains UP

  • Communication works

  • Ping succeeds

hashtag
9. Violation Scenario

hashtag
Step 2

Disconnect PC1 and connect another PC.

hashtag
Unauthorized PC MAC:

hashtag
Result

Switch detects violation.

hashtag
Violation Mode = Restrict

Result:

✔ Authorized MAC allowed ✖ Unauthorized MAC blocked ✔ Port stays up

Now, we have:

hashtag
10. Violation Modes Explained

hashtag
Protect Mode

  • Drops unauthorized traffic

  • No logs

  • No counter increase

hashtag
Restrict Mode (Used Here)

  • Drops unauthorized traffic

  • Logs violation

  • Counter increases

Recommended mode.

hashtag
Shutdown Mode

  • Port goes into err-disabled

  • Requires manual recovery

Output:

hashtag
12. Recover Shutdown Port

hashtag
13. Advanced Configuration (Optional)

hashtag
Enable Aging

Meaning:

  • Remove MAC after 5 minutes of inactivity.

hashtag
💖 Support Our Work

If you find this post helpful and would like to support my work, you can send a donation via TRC-20 (USDT). Your contributions help us keep creating and sharing more valuable content.

circle-check

TRC-20 Address: TAAVVf9ZxUpbyvTa6Gd5SGPmctBdy4PQwf

Thank you for your generosity! 🙏

hashtag
Keywords

Cisco Port Security, Layer 2 Security, Switch Security, MAC Address Filtering, Sticky MAC, Access Port Security, Cisco Switch Configuration, Network Security, Security Violation Modes, Protect Mode, Restrict Mode, Shutdown Mode, Secure MAC Addresses, Unauthorized Device Prevention, Access Layer Protection, Port Security Verification, MAC Address Learning, VLAN Access Ports, Cisco IOS Commands, Small Office Network Security, nerd cafe , نرد کافه

hashtag
Channel Overview

🌐 Website: www.nerd-cafe.irarrow-up-right

📺 YouTube: @nerd-cafearrow-up-right

🎥 Aparat: nerd_cafearrow-up-right

📌 Pinterest: nerd_cafearrow-up-right

📱 Telegram: @nerd_cafearrow-up-right

📝 Blog: Nerd Café on Virgoolarrow-up-right

💻 GitHub: nerd-cafearrow-up-right

PreviousBasic Router and Switch HardeningNextNobitex Crypto Exchange

Last updated