How to Configure Port-Security on Cisco Switch

Introduction:

Cisco switches come with a useful port security feature (disabled by default) that lets network administrators limit the number of devices that can connect to a specific switch port. It thus prevents unauthorized devices from gaining access and also helps safeguard against MAC address spoofing attacks.

Your switch interface must be L2, as "port security" is configured on an access interface only. You can turn a routed (L3) switch port into an L2 access interface with the "switchport" command.

Configuration Example:

To configure port-security on interface gig0/1, apply the following configuration:
SwitchFirewall#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchFirewall(config)#interface gigabitEthernet 0/1
SwitchFirewall(config-if)#switchport port-security
SwitchFirewall(config-if)#switchport port-security maximum 1
SwitchFirewall(config-if)#switchport port-security mac-address sticky 
SwitchFirewall(config-if)#switchport port-security violation restrict 
SwitchFirewall(config-if)#end
SwitchFirewall#

You can control how many MAC addresses are allowed on each port by setting the maximum number of secure MAC addresses:
SwitchFirewall(config-if)#switchport port-security maximum ?
<1-132> Maximum addresses
SwitchFirewall#

To verify the port-security configuration:

SwitchFirewall#show port-security 
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
               (Count)       (Count)        (Count)
--------------------------------------------------------------------
       Gig0/1        1          1                 0         Restrict
----------------------------------------------------------------------
SwitchFirewall#
If an unauthorised person connects a system to that port (interface gig0/1), its MAC address differs from the one learned on the port, so the port blocks the access and counts a security violation. The port itself stays up because we configured the violation mode restrict.
SwitchFirewall#show port-security 
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
               (Count)       (Count)        (Count)
--------------------------------------------------------------------
       Gig0/1        1          1               7       Restrict
----------------------------------------------------------------------
SwitchFirewall#
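The violation counter above climbing from 0 to 7 is the signal a defender wants to watch. As an added example (not part of the original post), the Python below parses two constructed snapshots of "show port-security" output modelled on the ones shown here and reports which ports recorded new violations between them; the "Gig0/2" row is an assumed extra port, not from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: two snapshots of "show port-security" modelled on the
# output in this post (the violation counter on Gig0/1 rises from 0 to 7).
# Gig0/2 is an assumed second port added to show an unchanged row.
BEFORE = """\
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
               (Count)       (Count)        (Count)
--------------------------------------------------------------------
       Gig0/1        1          1                 0         Restrict
----------------------------------------------------------------------
"""
AFTER = """\
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
               (Count)       (Count)        (Count)
--------------------------------------------------------------------
       Gig0/1        1          1               7       Restrict
       Gig0/2        2          2               0       Shutdown
----------------------------------------------------------------------
"""

# One data row: port name, three integer counters, then the action keyword.
# Header, "(Count)" and dashed rule lines do not match and are skipped.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

@dataclass(frozen=True)
class SecurePort:
    port: str
    max_addr: int
    cur_addr: int
    violations: int
    action: str

def parse_port_security(text):
    """Return {port: SecurePort} parsed from 'show port-security' output."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(1)] = SecurePort(m.group(1), int(m.group(2)),
                                           int(m.group(3)), int(m.group(4)),
                                           m.group(5))
    return ports

def new_violations(before, after):
    """Ports whose SecurityViolation counter rose: {port: (delta, action)}."""
    old = parse_port_security(before)
    alerts = {}
    for name, port in parse_port_security(after).items():
        prev = old[name].violations if name in old else 0
        if port.violations > prev:
            alerts[name] = (port.violations - prev, port.action)
    return alerts
```

Feeding the two snapshots to new_violations() flags only Gig0/1 with a delta of 7, which is the event to correlate with who was plugged into that port.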
To remove port-security from the interface, run the following commands:
SwitchFirewall#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchFirewall(config)#interface gigabitEthernet 0/1
SwitchFirewall(config-if)#no switchport port-security
SwitchFirewall(config-if)#no switchport port-security maximum 1
SwitchFirewall(config-if)#no switchport port-security mac-address sticky 
SwitchFirewall(config-if)#no switchport port-security violation  
SwitchFirewall(config-if)#end
SwitchFirewall#

It can happen that the port goes into an err-disabled state; this is what the default violation mode (shutdown) does on a violation. To rectify this, run the shutdown and no shutdown commands on the affected interface.

SwitchFirewall#sh interfaces gigabitEthernet 0/1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Gig0/1                       err-disabled    1          auto    auto  10/100BaseTX
SwitchFirewall#configure  terminal
SwitchFirewall(config)#interface gigabitEthernet 0/1
SwitchFirewall(config-if)#shutdown  
SwitchFirewall(config-if)#
SwitchFirewall(config-if)#no shutdown 
SwitchFirewall(config-if)#
Port-Security configuration completed!

Summary:

configure terminal 
interface gigabitEthernet 0/1
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky 
switchport port-security violation restrict 
end
configure terminal 
interface gigabitEthernet 0/1
no switchport port-security
no switchport port-security maximum 1
no switchport port-security mac-address sticky 
no switchport port-security violation restrict 
end
