How to configure Port Security (mac sticky) on Cisco Switches

By
Jaime Herrera
-

Port Security is enabled per port and the switch port will only allow traffic from the learned MAC address to be forwarded.

In our example below we will set a maximum of one MAC address to be dynamically learned and in the event of a violation the port will shutdown.

Port Security mac sticky
Port Security mac sticky

SW1(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
SW1(config-if)#switchport port-security
!
SW1(config-if)#switchport port-security mac-address ?
  H.H.H      48 bit mac address
  forbidden  Configure mac address as forbidden on this interface
  sticky     Configure dynamic secure addresses as sticky
SW1(config-if)#switchport port-security mac-address sticky
!
SW1(config-if)#switchport port-security maximum ?
  <1-4097>  Maximum addresses
SW1(config-if)#switchport port-security maximum 1
!
SW1(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
SW1(config-if)#switchport port-security violation shutdown

Protect – Will drop traffic and NOT send SNMP messages.
Restrict – Will drop traffic and WILL send SNMP messages.
Shutdown – Will SHUT the port and Will send SNMP messages.

Verifications

SW1#show run int gi0/1
Building configuration...
Current configuration : 226 bytes
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.7966.6800
 switchport port-security
 media-type rj45
 negotiation auto
end
!
!
SW1#show run int gi0/2
Building configuration...
Current configuration : 226 bytes
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.7966.6801
 switchport port-security
 media-type rj45
 negotiation auto
end
!
!
SW1#show port-security 
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
!
!
SW1#show port-security address 
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)    
----    -----------       ----                          -----   -------------
   1    0050.7966.6800    SecureSticky                  Gi0/1        -
   1    0050.7966.6801    SecureSticky                  Gi0/2        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
!
!
SW1#show mac address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    STATIC      Gi0/1 
   1    0050.7966.6801    STATIC      Gi0/2 
Total Mac Addresses for this criterion: 2

RELATED ARTICLESMORE FROM AUTHOR

Topic discussion at CLI Warriors - Forum