Understanding Port Security: Protecting Your Network from Unauthorized Access

Pits

In networking, keeping your network secure is essential. One of the ways to do this is by controlling which devices can connect to your network through the switch ports. This is where port security comes in. Port security helps prevent unauthorized devices from accessing your network, reducing the risk of attacks or misuse. In this blog, we will break down what port security is, how it works, and the key steps to configure it effectively. The goal is to make it simple enough for beginners to understand while giving practical insight into securing a network.


What is Port Security and Why It Matters

Port security is a feature on network switches that controls which devices can connect to the network through each switch port. Essentially, it allows you to limit access based on the device’s MAC address. If an unknown device tries to connect, the switch can block it, prevent network access, or alert the network administrator.

The main reason we use port security is to protect the network from unauthorized devices and potential attacks. Without it, anyone could plug into an open port and access sensitive data, introduce malware, or disrupt network operations. By using port security, you add a layer of control that keeps the network safer and more reliable.


Enabling Port Security

Enabling port security on a switch is straightforward and helps protect your network from unauthorized devices. The process involves three main steps: defining the port, setting the allowed devices, and choosing how the switch should respond if a violation occurs.

  1. Define the Port:
    First, select the switch port where you want to enable port security. This is usually a port connected to a user device, like a computer or printer.

  2. Set Allowed Devices:
    You can specify which devices are allowed to connect by their MAC addresses. You can manually enter the addresses or let the switch learn them automatically when a device connects for the first time. You can also limit the number of devices allowed on a port.

  3. Choose the Violation Action:
    The switch can react in different ways if an unauthorized device tries to connect:

    • Protect: The switch blocks the new device but does not alert you.

    • Restrict: The switch blocks the device and sends a notification.

    • Shutdown: The switch shuts down the port completely until you manually re-enable it.

Once these steps are in place, the port is secured. This simple configuration can significantly reduce the risk of unauthorized access and keep your network more controlled.


Example: Configuring Port Security with Commands

Let’s look at how to enable port security on a switch port using basic commands. Assume we are securing port FastEthernet 0/1.

  1. Enter Interface Configuration Mode:

     Switch> enable
     Switch# configure terminal
     Switch(config)# interface FastEthernet0/1
    
  2. Enable Port Security:

     Switch(config-if)# switchport port-security
    
  3. Set Maximum Allowed Devices:
    Here, we allow only one device on the port.

     Switch(config-if)# switchport port-security maximum 1
    
  4. Set Violation Action:
    Choose what happens if an unauthorized device connects. Example: shut down the port.

     Switch(config-if)# switchport port-security violation shutdown
    
  5. Optionally, Specify a Known Device (MAC Address):

     Switch(config-if)# switchport port-security mac-address 00AA.BBCC.DDEE
    
  6. Verify the Configuration:

     Switch# show port-security interface FastEthernet0/1
    

With these steps, port security is active. Now, only the allowed device can connect, and the port will shut down if someone else tries to access it. This helps keep your network safe and under control.


Where Port Security Works

Port security only works on access ports, not on trunk ports.

  • Access Ports: These are the ports that connect end devices like computers, printers, or IP phones. Port security is designed for these ports because they typically connect a limited number of devices, making it easy to control who can access the network.

  • Trunk Ports: These are used to connect switches to other switches or network devices, carrying multiple VLANs at the same time. Since trunk ports are meant to carry traffic for many devices and VLANs, port security does not apply here.

By enabling port security only on access ports, you can effectively control which devices are allowed on the network without affecting the connections between switches or network infrastructure.
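The two points above (port security belongs on access ports, and the "Protect" action blocks devices without telling anyone) can be turned into a check you run against a switch's running-config. The following is an added example, my code rather than anything from the post; the running-config it reads is a constructed sample, and the function names `parse_interfaces` and `audit_port_security` are my own. It walks each interface stanza, skips ports that are not configured as access ports, and reports access ports with no port security, a `protect` violation mode, or no explicit `maximum`.

```python
"""Audit a running-config for access ports whose port security is missing or weak.

Added example, not code from the original post. The running-config below is a
constructed sample; the checks follow the post: port security belongs on access
ports (trunks are skipped), and 'protect' blocks devices without any notification.
"""

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 00AA.BBCC.DDEE
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines under that interface]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line closes the stanza
    return interfaces


def audit_port_security(config: str) -> dict:
    """Return {access interface: [findings]}; an empty list means the port passed.

    Ports without 'switchport mode access' (trunks, or ports left at the default
    mode) are not reported, matching the post's scope.
    """
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        findings = []
        if "switchport port-security" not in lines:
            findings.append("port security not enabled")
        else:
            modes = [l.split()[-1] for l in lines
                     if l.startswith("switchport port-security violation ")]
            if modes and modes[-1] == "protect":
                findings.append("violation mode 'protect': devices are blocked silently")
            if not any(l.startswith("switchport port-security maximum ") for l in lines):
                findings.append("no explicit 'maximum'; the platform default applies")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_port_security(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Run against the sample, FastEthernet0/1 passes, FastEthernet0/2 is flagged for having no port security at all, FastEthernet0/3 is flagged for the silent `protect` mode and the missing `maximum`, and the trunk GigabitEthernet0/1 is left alone.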


Checking Port Security: show port-security interface

After configuring port security, it’s important to verify that it’s working as expected. The show port-security interface command lets you check the status of a specific port.

Example:

Switch# show port-security interface FastEthernet0/1

What You’ll See:

  • Port Security Status: Whether port security is enabled.

  • Violation Mode: What action the switch will take if a rule is broken (protect, restrict, shutdown).

  • Maximum Allowed MAC Addresses: How many devices can connect to the port.

  • Current MAC Addresses: Which devices are currently allowed or learned on the port.

  • Security Violations: Number of times unauthorized devices tried to connect.

This command helps you monitor your network, see which devices are connected, and detect any security violations. It’s a key tool for keeping your network safe and managing access effectively.
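Checking one port by hand is fine, but the same output is what a monitoring job would collect and parse. As an added example that is not from the post, here is a parser for the `show port-security interface` fields listed above and a small assessment that raises the findings an administrator would want: the port sitting in `Secure-shutdown`, a non-zero violation count, or a `protect` mode that will never notify anyone. The sample output is constructed to follow the `Label : value` layout of the IOS command; `parse_port_security` and `assess` are my names.

```python
"""Parse 'show port-security interface' output and report what needs attention.

Added example, not code from the original post. The output below is constructed
to match the 'Label : value' layout of that IOS command; a monitoring job would
feed it the real text collected from the switch.
"""
import re

# Constructed sample: FastEthernet0/1 after a second device was plugged into a
# 'maximum 1' port configured with 'violation shutdown'.
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 1
"""

# The separator is a colon surrounded by spaces; a plain split on ':' would break
# the 'Last Source Address:Vlan' label and its 'mac:vlan' value.
FIELD_RE = re.compile(r"^(.*?)\s+:\s+(.*)$")


def parse_port_security(text: str) -> dict:
    """Return the command's fields as {label: value}, labels exactly as printed."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line.rstrip())
        if match:
            fields[match.group(1).strip()] = match.group(2).strip()
    return fields


def assess(fields: dict) -> list:
    """Return findings for one port; an empty list means nothing to act on."""
    if fields.get("Port Security") != "Enabled":
        return ["port security is not enabled on this port"]
    findings = []
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled after a violation; find and remove the "
                        "offending device before re-enabling it")
    count = int(fields.get("Security Violation Count", "0"))
    if count > 0:
        last = fields.get("Last Source Address:Vlan", "?")
        findings.append(f"{count} violation(s); last source {last}")
    if fields.get("Violation Mode", "").lower() == "protect":
        findings.append("violation mode is protect: the switch will not notify you of violations")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_port_security(SAMPLE_OUTPUT)):
        print("-", finding)
```

For the sample output the assessment reports two things: the port is err-disabled, and one violation was recorded from `0011.2233.4455` on VLAN 1, which is the device to go and find before the port is brought back up.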


Re-Enabling a Port Manually After a Security Violation

If a port goes into shutdown because of a security violation, you need to manually re-enable it. Here’s how to do it:

  1. Enter Privileged Mode:

     Switch> enable
    
  2. Enter Global Configuration Mode:

     Switch# configure terminal
    
  3. Select the Port:

     Switch(config)# interface FastEthernet0/1
    
  4. Bring the Port Up:

     Switch(config-if)# shutdown
     Switch(config-if)# no shutdown
    
  5. Optionally, Clear Security Violations:

     Switch# clear port-security sticky interface FastEthernet0/1
    

After these steps, the port is active again, and devices allowed on the port can connect. Remember, this only works if the violation action was set to shutdown.


Re-Enabling a Port Automatically with Err-Disabled Recovery

Instead of manually re-enabling a port after a security violation, you can configure err-disabled recovery. This allows the switch to automatically recover a port after a set time if it was shut down due to a violation.

Steps to Enable Err-Disabled Recovery:

  1. Enter Global Configuration Mode:

     Switch> enable
     Switch# configure terminal
    
  2. Enable Recovery for Security Violations:

     Switch(config)# errdisable recovery cause security-violation
    
  3. Set Recovery Interval (Optional):
    By default, the switch waits 300 seconds (5 minutes) before re-enabling the port. You can change this interval:

     Switch(config)# errdisable recovery interval 120
    

    This example sets the recovery time to 2 minutes.

Once configured, if a port is shut down due to a security violation, it will automatically come back up after the recovery interval, making network management easier.

NOTE: ErrDisable Recovery is useless if you don’t remove the device that caused the interface to enter the err-disabled state.


Violation Modes in Port Security

When an unauthorized device tries to connect to a port with port security, the switch can respond in different ways. These responses are called violation modes. There are three main modes: protect, restrict, and shutdown.

1. Protect Mode

In protect mode, the switch blocks the unauthorized device but does not send any alert. Other allowed devices can still connect without interruption.

Command Example:

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport port-security violation protect

Example Scenario:
You allow one device on the port. If a second device tries to connect, the switch ignores it, but the port remains active for the first device.


2. Restrict Mode

In restrict mode, the switch blocks the unauthorized device and sends a notification. This helps administrators know when someone is trying to access the network without permission.

Command Example:

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport port-security violation restrict

Example Scenario:
One device is allowed on the port. If a second device connects, the switch blocks it and logs a violation. You can check this using:

Switch# show port-security

3. Shutdown Mode

In shutdown mode, the switch completely shuts down the port if an unauthorized device connects. This is the strictest option and ensures no unauthorized access. The port must be manually or automatically (err-disabled recovery) re-enabled.

Command Example:

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport port-security violation shutdown

Example Scenario:
The port is configured for one device. If an unknown device connects, the port shuts down. You can re-enable it manually:

Switch(config)# interface FastEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

Or configure err-disabled recovery to automatically bring it back up.


These violation modes let you choose how strict you want your network security to be, balancing control and convenience.


Port Security Aging Timer

The aging timer in port security determines how long a learned MAC address stays in the switch’s memory. After this time, the address is removed, freeing the port for new devices. This is useful in environments where devices frequently change or move.

Key Points:

  • Static MAC addresses (manually assigned) are not affected by the aging timer.

  • Sticky or dynamically learned MAC addresses can age out based on the timer you set.

  • The timer can be configured to age based on time or based on inactivity.

Commands Example:

  1. Enable Aging on a Port:

     Switch(config)# interface FastEthernet0/1
     Switch(config-if)# switchport port-security aging time 10
    

    This sets the aging time to 10 minutes.

  2. Set Aging Type:

     Switch(config-if)# switchport port-security aging type inactivity
    

    This means the MAC address will only age out if the device is inactive during the timer period.

How It Works:

  • If a device is actively sending traffic, its MAC address stays in the table until it goes inactive (if using inactivity mode).

  • Once the aging timer expires, the MAC address is removed, allowing a new device to connect to the port.

Using the aging timer helps manage ports in dynamic networks without manually clearing MAC addresses or disabling ports.


Aging for Static MAC Addresses

By default, static MAC addresses (manually configured on a port) do not age out. This means the port will always allow the same device to connect, regardless of how long it’s been inactive. This is useful for devices that should always have network access, like servers or printers.

Configuring Aging for Static MAC Addresses

If you want even static MAC addresses to be removed after a certain time, you can enable aging:

  1. Enter Interface Configuration Mode:

     Switch> enable
     Switch# configure terminal
     Switch(config)# interface FastEthernet0/1

  2. Set Aging Time:

     Switch(config-if)# switchport port-security aging time 30

    This sets the timer to 30 minutes.

  3. Set Aging Type:

     Switch(config-if)# switchport port-security aging type absolute

    • Absolute: The MAC address is removed after the timer expires, regardless of activity.

    • Inactivity: The MAC address is removed only if the device has not sent any traffic during the timer period.

Using aging for static MAC addresses gives more flexibility if devices change occasionally, while still keeping your network secure.


Viewing Secure MAC Addresses: show mac address-table secure

After configuring port security, it’s important to check which MAC addresses are currently secured on your switch ports. The show mac address-table secure command shows all the MAC addresses that are being controlled by port security.

Command Example:

Switch# show mac address-table secure

What You’ll See:

  • VLAN: The VLAN the secured MAC address belongs to.

  • MAC Address: The secured MAC address learned or configured on the port.

  • Type: Indicates whether the address is static, dynamic, or sticky.

  • Ports: The switch port where the MAC address is connected.

Why It’s Useful

  • Helps you verify which devices are allowed on each port.

  • Lets you monitor for unauthorized devices.

  • Useful for troubleshooting if a device cannot connect due to port security.

Using this command regularly ensures your network stays controlled and any security violations are easy to identify.


Understanding All MAC Address Types in Port Security

In port security, there are three main types of MAC addresses you can use: static, dynamic, and sticky. Each type has its own advantages and use cases.

1. Static MAC Addresses

  • Manually configured by the administrator.

  • Do not age out by default, so the device is always allowed to connect.

  • Good for permanent devices like servers or printers.

Command Example:

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport port-security mac-address 00AA.BBCC.DDEE

2. Dynamic MAC Addresses

  • Learned automatically when a device connects.

  • Can age out based on the aging timer.

  • Useful in environments where devices frequently change.

Command Example:

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity

3. Sticky MAC Addresses

  • Dynamically learned like dynamic addresses but saved in the running configuration.

  • Can persist across reboots if saved to startup configuration.

  • Combines flexibility and control.

Command Example:

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 2
Switch# copy running-config startup-config
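
The violation modes, the aging timer and the three address types described above all act on the same thing: the port's table of secure MAC addresses. To make those rules concrete, here is an added example that models that table in Python. It is my code, not the author's and not anything from Cisco; it follows the behaviour the post describes (maximum, protect/restrict/shutdown, absolute versus inactivity aging, static addresses exempt from aging unless static aging is turned on, sticky addresses appearing in the running configuration). The class and field names and the MAC addresses are mine, and times are in minutes to match `aging time`.

```python
"""A small model of a port-security-enabled access port.

Added example, not code from the original post or from Cisco. It models the rules
the post describes so they can be exercised; times are minutes and every MAC
address is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecureEntry:
    mac: str
    kind: str           # "static", "dynamic" or "sticky"
    learned_at: float   # absolute aging counts from here
    last_seen: float    # inactivity aging counts from here


@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"   # protect | restrict | shutdown
    aging_time: float = 0         # minutes; 0 disables aging
    aging_type: str = "absolute"  # absolute | inactivity
    static_aging: bool = False    # the IOS 'aging static' option, off by default
    sticky: bool = False          # learn addresses as sticky rather than dynamic
    table: dict = field(default_factory=dict)
    err_disabled: bool = False
    violations: int = 0

    def add_static(self, mac: str, now: float = 0.0) -> None:
        self.table[mac] = SecureEntry(mac, "static", now, now)

    def _age(self, now: float) -> None:
        """Drop entries whose timer expired; static ones only with static aging on."""
        if self.aging_time <= 0:
            return
        for mac, e in list(self.table.items()):
            if e.kind == "static" and not self.static_aging:
                continue
            start = e.last_seen if self.aging_type == "inactivity" else e.learned_at
            if now - start >= self.aging_time:
                del self.table[mac]

    def frame(self, mac: str, now: float) -> str:
        """Handle one ingress frame; return 'forward', 'drop' or 'shutdown'."""
        if self.err_disabled:
            return "shutdown"
        self._age(now)
        entry = self.table.get(mac)
        if entry is not None:
            entry.last_seen = now
            return "forward"
        if len(self.table) < self.maximum:
            self.table[mac] = SecureEntry(mac, "sticky" if self.sticky else "dynamic", now, now)
            return "forward"
        if self.violation == "protect":     # blocked, nobody is told, nothing counted
            return "drop"
        self.violations += 1                # restrict and shutdown both record it
        if self.violation == "shutdown":    # port goes err-disabled
            self.err_disabled = True
            return "shutdown"
        return "drop"                       # restrict: blocked and reported

    def running_config(self) -> list:
        """Static and sticky entries show up in the config; dynamic ones never do."""
        return [f"switchport port-security mac-address {'sticky ' if e.kind == 'sticky' else ''}{e.mac}"
                for e in self.table.values() if e.kind != "dynamic"]


def demo() -> dict:
    """Replay the post's scenarios and return each outcome."""
    a, b = "00AA.BBCC.DDEE", "0011.2233.4455"
    out = {}
    p = SecurePort(maximum=1, violation="shutdown")
    p.add_static(a)
    out["shutdown"] = (p.frame(a, 1), p.frame(b, 2), p.err_disabled)
    p = SecurePort(maximum=1, violation="restrict")
    p.frame(a, 1)
    out["restrict"] = (p.frame(b, 2), p.violations, p.err_disabled)
    # Inactivity aging: a chatty device keeps its slot, an idle one frees it.
    p = SecurePort(maximum=1, violation="protect", aging_time=10, aging_type="inactivity")
    p.frame(a, 0)
    p.frame(a, 8)
    out["inactivity"] = (p.frame(b, 12), p.frame(b, 19))
    # Absolute aging: the entry expires 10 minutes after learning, active or not.
    p = SecurePort(maximum=1, violation="protect", aging_time=10)
    p.frame(a, 0)
    p.frame(a, 8)
    out["absolute"] = p.frame(b, 12)
    # Static entries ignore the timer unless static aging is enabled (protect: silent).
    fixed = SecurePort(maximum=1, violation="protect", aging_time=10)
    fixed.add_static(a)
    aged = SecurePort(maximum=1, violation="protect", aging_time=10, static_aging=True)
    aged.add_static(a)
    out["static"] = (fixed.frame(b, 30), fixed.violations, aged.frame(b, 30))
    p = SecurePort(maximum=2, sticky=True)
    p.frame(a, 1)
    p.frame(b, 1)
    out["sticky"] = p.running_config()
    return out
```

Running `demo()` shows the contrasts the post draws: with `shutdown` the second address err-disables the port, with `restrict` it is dropped and counted, with `protect` it is dropped and nothing is counted; under inactivity aging the device that sent a frame at minute 8 still holds the port at minute 12 but has aged out by minute 19, while under absolute aging the same device loses the slot at minute 12 despite being active; a static address survives 30 idle minutes unless static aging is on; and sticky addresses come back out of `running_config()` as `switchport port-security mac-address sticky` lines.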

Port Security Command Summary

Here’s a quick reference for the main port security commands:

Task                                     Command Example
---------------------------------------  ------------------------------------------------------------
Enable port security                     switchport port-security
Set maximum allowed devices              switchport port-security maximum 2
Configure violation mode                 switchport port-security violation shutdown/restrict/protect
Add a static MAC address                 switchport port-security mac-address 00AA.BBCC.DDEE
Enable sticky MAC addresses              switchport port-security mac-address sticky
Set aging time                           switchport port-security aging time 10
Set aging type                           switchport port-security aging type inactivity/absolute
Show port security on a port             show port-security interface FastEthernet0/1
Show secured MAC addresses               show mac address-table secure
Clear security violations                clear port-security sticky interface FastEthernet0/1
Automatic recovery of shutdown ports     errdisable recovery cause security-violation

Wrap-Up

Port security is a simple but powerful tool to protect your network. By controlling which devices can connect to each switch port, you reduce the risk of unauthorized access and network disruptions. You can use static, dynamic, or sticky MAC addresses, depending on your needs, and configure violation modes to control how the switch responds to unauthorized devices. Features like the aging timer and err-disabled recovery make managing ports easier and more flexible.

With these commands and concepts, you can keep your network secure while maintaining smooth access for authorized devices. Start with small configurations on a few ports, practice the commands, and soon port security will become a natural part of your network management toolkit.
