Cisco switches ship with several features that protect the device from unauthorized access. The one that protects the physical access ports on a Cisco switch is Port Security, and it is not active until you enable it on each port.
Port Security offers a few options. One of them is to limit the number of MAC addresses a port will accept. This is not complete protection: an attacker who learns the MAC address of the device that is normally attached can change the MAC address of their own machine to match it (most operating systems let you set the MAC address in software), and the port will accept the spoofed frames. It does raise the bar, because the attacker first has to discover the permitted address, and it stops the far more common case of an unapproved device simply being plugged in.
It is common for employees to connect their own devices to the switch port in their cubicle, for fun or for experiments. If Port Security is not implemented, that device can jeopardize the whole network, and an attacker can use the same unprotected port to get into the network.
In this lab, we will allow only one MAC address on interface FastEthernet 0/2. If another device is attached to the interface, the port goes into the err-disabled state (effectively shut down). The port LED on the switch turns amber, so an admin can spot the problem just by looking at the physical indicator. The port stays err-disabled until an admin issues shutdown followed by no shutdown on it, unless errdisable recovery has been configured to bring it back automatically.
Port Security cannot be enabled on a port whose switchport mode is dynamic; the switch rejects the command with "Command rejected: FastEthernet0/2 is a dynamic port." By default the switchport mode is dynamic (dynamic auto on most current platforms), so the first step is to change it to access with switchport mode access. Once the mode is changed, we enable Port Security on the port with switchport port-security; the maximum and violation settings below only take effect after this command has been entered.
There are a couple of ways to restrict which MAC addresses may use the switch port.
One way is to hard-code the MAC address on the switch interface with the command "switchport port-security mac-address H.H.H", where H.H.H is the address in dotted hex form (for example 0011.2233.4455).
Another option is "switchport port-security mac-address sticky". With sticky learning, the interface takes the MAC address of the first device it sees (up to the configured maximum), records it in the running configuration as a secure address, and from then on treats any other source MAC address as a violation. Sticky addresses survive a link going down and up, but they are only kept across a reboot if you save the running configuration to startup-config. We can also configure how the interface reacts when a violation takes place: protect silently drops frames from the unknown address, restrict drops them and also increments the violation counter and sends a syslog message and SNMP trap, and shutdown (the default) puts the port into the err-disabled state.
- Set the maximum number of allowed MAC addresses on port FastEthernet 0/2 to 1
- Port 0/2 should go to the shutdown (err-disabled) state if a device with any other MAC address tries to connect
Switch(config)#interface fastethernet 0/2
Switch(config-if)#switchport mode access
! Port Security is inactive until this command is entered
Switch(config-if)#switchport port-security
! 1 is the default maximum, shown here for clarity
Switch(config-if)#switchport port-security maximum 1
! shutdown is also the default violation mode
Switch(config-if)#switchport port-security violation shutdown
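A fuller configuration that carries the lab through both methods described above, added here as an example and not taken from the original page. The MAC address 0011.2233.4455, VLAN 10, the use of FastEthernet 0/3 for the sticky variant and the 300-second recovery timer are assumptions chosen for illustration.

```cisco
! Assumed values for this example: MAC 0011.2233.4455, VLAN 10, ports fa0/2 (static) and fa0/3 (sticky)
Switch# configure terminal
! --- fa0/2: one hard-coded MAC address, err-disable the port on violation ---
Switch(config)# interface fastethernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0011.2233.4455
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# exit
! --- fa0/3: learn the first address seen and pin it (sticky); drop and log instead of shutting down ---
Switch(config)# interface fastethernet 0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# exit
! Optional: bring ports err-disabled by a violation back after 5 minutes instead of waiting for an admin
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Save, otherwise the sticky-learned address on fa0/3 is lost on reboot
Switch# copy running-config startup-config
! --- Verification ---
Switch# show port-security interface fastethernet 0/2
Switch# show port-security address
Switch# show interfaces status err-disabled
! --- Manual recovery of a port that was err-disabled by a violation ---
Switch# configure terminal
Switch(config)# interface fastethernet 0/2
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
```

In the output of show port-security interface, check that Port Security reads Enabled and Port Status reads Secure-up; Secure-shutdown together with a non-zero Security Violation Count means a violation has already err-disabled the port. show port-security address lists the secure addresses per port with their type (SecureConfigured for the hard-coded entry on fa0/2, SecureSticky for the learned entry on fa0/3); if fa0/3 shows no entry yet, no device has sent a frame on it since the configuration was applied.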