Switch Security Issues
Describing port security

Port security is a feature supported on Cisco Catalyst switches that restricts a switch port to a specific set and/or number of MAC addresses. Those addresses can be learned dynamically or configured statically, and the port then forwards frames only from those addresses. If, for example, the number of addresses is limited to four but no specific MAC addresses are configured, the port allows the first four source MAC addresses it sees to be learned dynamically, and port access is then limited to those four dynamically learned addresses.

There is a port security feature called "sticky learning", available on some switch platforms, that combines the features of dynamically learned and statically configured addresses. When configured on an interface, the interface converts dynamically learned addresses to "sticky secure" addresses. This adds them to the running configuration as if they had been configured using the switchport port-security mac-address command.

Scenario
Let us suppose that we have five individuals whose laptops would be allowed to connect to a specific switch port when they visit an area of the building. We want to restrict switch port access to the MAC addresses of those five laptops only and allow no addresses to be learned dynamically on that port.

Process
Here is the process that can achieve the desired results for this scenario.

NOTE:

Port security cannot be applied to trunk ports where addresses might change frequently. Implementations of port security vary by Catalyst platform. Check documentation to see if and how particular hardware supports this feature.
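For the five-laptop scenario above, the following is an added Catalyst IOS configuration example (not a procedure from the original page); the interface name and the five MAC addresses are placeholders, and exact syntax varies by platform as the note says.

```cisco
! Added example: restrict an access port to five statically configured
! MAC addresses and leave no room for dynamic learning.
! Interface name and MAC addresses below are placeholders.
configure terminal
interface GigabitEthernet0/1
 ! Port security requires an access port; it cannot be applied to a trunk.
 switchport mode access
 switchport port-security
 ! Maximum equals the number of static entries, so the secure address
 ! table is full once the five statics are present and nothing else can
 ! be learned dynamically.
 switchport port-security maximum 5
 ! Violation mode: "restrict" drops frames from any other source MAC,
 ! increments the violation counter and logs/traps, but keeps the port up.
 ! The default, "shutdown", would instead err-disable the port.
 switchport port-security violation restrict
 switchport port-security mac-address 0000.1111.0001
 switchport port-security mac-address 0000.1111.0002
 switchport port-security mac-address 0000.1111.0003
 switchport port-security mac-address 0000.1111.0004
 switchport port-security mac-address 0000.1111.0005
 exit
end
!
! Verification (privileged EXEC): confirm the port is secure-up, that the
! maximum and current static count are both 5, and watch the violation
! counter for frames from unexpected laptops.
show port-security interface GigabitEthernet0/1
show port-security address
```

If the address count shown is already 5 with zero dynamic entries, the port is behaving as the scenario requires; a rising violation count is the signal that an unlisted device was plugged in.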


Web Links