Cisco has implemented some security measures to safeguard its Cisco devices from the unauthorized access. Therefore, to be able to secure the physical ports on a Cisco Switch, we have to enable the Port Security.

There are a few options available to the user while configuring the Port Security. One such option is to limit the number of MAC Addresses that the port can connect with. This security feature does not provide complete security however it makes extremely difficult for the attacker to break into the network. The only way hacker can beat this security parameter is by finding out the attached mac-address and giving the same mac-address to the device which attackers wants to connect to the particular switch port.

Many times, some employees in the organization connect their personal devices to the switchport available in their cubicle just for the fun or sometimes for the experimental purposes and if the security is not implemented then that device can jeopardize the whole network and hackers can also this vulnerability to hack into the network.

In this lab, we will allow only one MAC Address to be able to access the interface fast Ethernet 0/2. If some other device is attached to the interface the port will go to shutdown state. Also, when the port will be shutdown then the light on the switch will turn amber on that switch port so admin can find out the issue just by looking at the physical indicator on the switch.

To enable Port Security on a Cisco switch, we have to change the ‘Switchport’ mode from dynamic to access. By default, the Switchport mode is set to dynamic. Once the Switchport mode is changed, we can then enable the Switchport security on that port.

There are couples of ways in which we can restrict devices with random mac-address to connect with the switchport.

One way is to hardcode the mac address on switch interface with command “switchport port-security mac-address [mac-address number]”

Other command that we can use is “switchport port-security mac-address sticky”, this command will stick the already attached mac-address  to the interface and other mac-address will be rejected so if devices with other mac-address will try to connect with the interface then interface will simply reject the connection and we can also configure how interface should react when the security violation take place.


Lab Tasks

  1. Set maximum number of allowed mac addresses to port fastethernet 0/2 to 1
  2. Port 0/2 should go to shutdown state if other mac address device try to connect

Lab Configuration

Task 1

Switch(config)#interface fastethernet 0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security

Switch(config-if)#switchport port-security maximum 1


Task 2

Switch(config-if)#switchport port-security violation shutdown