Switch Security Issues
How to configure and verify port security on a switch

Here are the steps to set up port security so that a switch port accepts only a finite number of end-device MAC addresses, and optionally only a specific set of them.

Caveats to Port Security Configuration Steps
Step 1 Port security is enabled on a port-by-port basis.

Step 2 By default, only one MAC address is allowed through a given switch port once port security is enabled; this parameter raises that limit. It does not restrict access to specific MAC addresses, only the total number of addresses the port may learn. Learned addresses are not aged out by default, but aging can be configured so that they expire after a specified time. The value parameter can be any number from 1 to 1024, subject to restrictions that depend on how many ports on the switch have port security enabled.

Step 3 Access to the switch port can be restricted to one or more specific MAC addresses. If the number of MAC addresses assigned with this command is lower than the value parameter set in step 2, the remaining allowed addresses can be learned dynamically. If the number of addresses in the configured set equals the maximum allowed, access is limited to exactly that set of MAC addresses.

Step 4 When the maximum number of secure addresses has been reached and a frame from a new MAC address arrives on the port, a security violation occurs and the switch must take an action. The actions the port may take are:

  • protect – frames from the non-allowed address are dropped, but no log of the violation is created.
    NOTE: The protect argument is platform/version dependent.
  • restrict – frames from the non-allowed address are dropped and a log message is created.
  • shutdown – if any frame is seen from a non-allowed address, the interface is errdisabled and a log entry is made; manual intervention or errdisable recovery is required to make the interface usable again.
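As an added example that is not part of the original page, the four steps above entered on a Cisco IOS switch, followed by the verification commands from the next section and an optional global errdisable-recovery setting for the shutdown action. The interface name, the two MAC addresses and the aging timer are constructed values chosen for illustration; the commands themselves are standard IOS port-security syntax.

```cisco
! Added example, not from the original page. FastEthernet0/1, the MAC
! addresses and the 10-minute aging time are constructed values.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
! Port security requires a static access port, not a dynamic or trunk port
Switch(config-if)# switchport mode access
! Step 1: enable port security on this port
Switch(config-if)# switchport port-security
! Step 2: allow up to 3 secure MAC addresses on the port (default is 1)
Switch(config-if)# switchport port-security maximum 3
! Step 3: pin two specific addresses; the remaining slot may be learned dynamically
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
Switch(config-if)# switchport port-security mac-address 0000.1111.3333
! Optional: age out dynamically learned secure addresses after 10 minutes of inactivity
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity
! Step 4: violation action (restrict = drop offending frames and log; shutdown is the IOS default)
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# exit
! Optional, only relevant when the shutdown action is used: let the switch
! bring an errdisabled port back automatically after 300 seconds
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verification (see "Verifying Network Access Security" below)
Switch# show port-security
Switch# show port-security interface FastEthernet0/1
Switch# show port-security address
```

With the maximum set to 3 and two static entries, the first unknown address seen on the port fills the third slot; any address beyond that triggers the restrict action, which keeps the port up while dropping the offending frames and logging the event. Choosing shutdown instead trades availability for a hard stop, which is why the errdisable recovery lines are shown alongside it.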

Verifying Network Access Security
The show port-security command can be used to verify the ports on which port security has been enabled. It also displays address count information and the security action configured for each interface.

The full command syntax is as follows:

Switch#show port-security [interface interface_id] [address]

The optional arguments restrict the output to a single interface or list the secure addresses associated with port security on all interfaces.

Example: show port-security Command Output
Figure displays output from the show port-security command when no interface is specified:

Switch#show port-security

Example: show port-security Command for a Specific Interface
Figure displays output from the show port-security command for a specified interface:

Switch#show port-security interface fastethernet 5/1

Use the address argument to display MAC address table security information. The Remaining Age column is only populated if aging has been configured for the given interface.

Example: Displaying MAC Address Table Security Information
Figure displays output from the show port-security address privileged EXEC command:

Switch#show port-security address