This tutorial explains switchport port-security configuration, verification and troubleshooting: port-security violation modes, static and sticky MAC address configuration, and how to recover a port after a violation.
Switch port port-security:- Port security restricts input to an Ethernet/FastEthernet/GigabitEthernet port. The switch accepts frames only from the secure MAC addresses configured for (or learned on) that port; a frame whose source MAC address is not one of them, or a new address learned after the configured maximum has been reached, is treated as a security violation.
By default, port security is disabled.
To enable it, follow the configuration steps given below.
1- Log in to the switch and enter global configuration mode.
2- Go to the interface on which you want to enable port security.
3- Set the interface mode to access. Port security cannot be configured while the interface is in its default dynamic (DTP) mode; if you try, the switch rejects the command with an error such as "Command rejected: <interface> is a dynamic port." This step must therefore come before enabling the feature.
4- Enable port security on the interface.
Set the maximum number of MAC addresses:- You can set the maximum number of secure MAC addresses allowed on the interface. The default is 1, so only a single host can use the port; raising the maximum allows more than one MAC address on the same interface (for example an IP phone with a PC behind it). Any address learned beyond the maximum triggers a violation.
Configure the violation mode on the interface.
The violation mode decides what the switch does when a security violation is detected, i.e. when a frame arrives from a MAC address that is not secure on that port or when the maximum has been exceeded.
There are three violation modes.
a – protect- In protect mode frames from unknown source MAC addresses are dropped while traffic from the secure MACs continues. The switch does not log the event or increment the violation counter, so violations in this mode are invisible unless you are watching the port.
b – restrict- In restrict mode frames from unknown source MAC addresses are also dropped, but the switch additionally sends a syslog message and an SNMP trap and increments the SecurityViolation counter shown by show port-security. The port stays up.
c – shutdown- In shutdown mode (the default) the switch puts the interface into the error-disabled state, logs the violation and increments the counter. The port stays down until you issue shutdown followed by no shutdown on it (or errdisable recovery is configured for psecure-violation).
Bind MAC address with interface on switch- You can use the following commands to add a MAC address for a host on a switch port.
1- Static MAC address- Binds a specific host's MAC address to the interface. It is configured manually and added to the switch running configuration.
2- Sticky (learning) MAC address- The switch learns source MAC addresses dynamically (up to the maximum) and writes them into the running configuration as sticky secure addresses; sticky addresses can also be entered manually. In both cases the binding survives a reload only if you save the running configuration to startup-config.
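As an added example (not part of the original tutorial), here is the whole procedure applied to one port. The interface FastEthernet0/3, the MAC address 0011.2233.4455 and the maximum of 2 are assumptions for illustration:

```cisco
! Added example, not from the original tutorial. FastEthernet0/3,
! 0011.2233.4455 and the maximum of 2 are placeholders.
configure terminal
 interface FastEthernet0/3
  ! step 3: port security is rejected on a dynamic (DTP) port
  switchport mode access
  ! step 4: enable the feature (defaults: maximum 1, violation shutdown)
  switchport port-security
  ! allow two hosts on this port (e.g. IP phone plus PC)
  switchport port-security maximum 2
  ! drop unknown MACs but keep the port up, log and count the violation
  switchport port-security violation restrict
  ! static binding for a known host
  switchport port-security mac-address 0011.2233.4455
  ! the remaining address is learned and written to running-config as sticky
  switchport port-security mac-address sticky
 end
! static and sticky entries exist only in running-config until saved
copy running-config startup-config
```

Verify with show port-security interface FastEthernet0/3: Port Security should read Enabled, Violation Mode Restrict and Maximum MAC Addresses 2. Once the second host has sent traffic, its address appears in show running-config as switchport port-security mac-address sticky followed by the learned MAC. Restrict is chosen here over protect because it is the only non-disruptive mode that leaves evidence (syslog, trap, counter) when a foreign device is plugged in.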
Switchport port-security verification- Use show port-security for a per-port summary (maximum, current and violation counts, security action), show port-security interface <interface> for one port's details, and show port-security address for the table of secure MAC addresses and how each was learned.
Switchport port-security Troubleshooting-
If you have configured port security, the most common problem you will face is a MAC violation.
The user will complain of not being able to reach the internet or a local server.
The first step is to log in to the switch, enter enable mode and type the command
show port-security
The output lists each secured port with its maximum and current secure address counts, the SecurityViolation count and the configured security action.
In this case the user has probably moved a PC to a different port, or connected a different PC; because a MAC address is bound to the interface, the violation restricts or shuts down the interface.
Here I am connecting another PC to Fa0/3, and SecurityViolation (Count) 1 is detected.
You can solve the problem by manually removing the MAC address that is bound to this interface.
The steps are given below.
Step 1- Go to the interface and disable port security.
Step 2- Remove the MAC address that is bound to the interface.
Step 3- Enable port security on the interface again with the required settings. If the violation mode was shutdown, the port is in the error-disabled state and must also be brought back with shutdown followed by no shutdown. Then ping the user's IP address.
If you can ping the user's IP address, the problem is solved.
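The troubleshooting steps above, as an added example that is not part of the original tutorial. FastEthernet0/3, the old MAC 0011.2233.4455 and the user IP 192.0.2.10 are placeholders; the sequence assumes the port was running with violation mode shutdown, so it also clears the err-disabled state:

```cisco
! Added example, not from the original tutorial. Interface, MAC and IP are placeholders.
! Find the violating port and what is bound to it
show port-security
show port-security interface FastEthernet0/3
show port-security address
configure terminal
 interface FastEthernet0/3
  ! Step 1: disable port security
  no switchport port-security
  ! Step 2: remove the old binding (use the sticky form for a sticky entry)
  no switchport port-security mac-address 0011.2233.4455
  ! Step 3: re-enable with the required settings; the new PC is learned as sticky
  switchport port-security
  switchport port-security maximum 1
  switchport port-security violation shutdown
  switchport port-security mac-address sticky
  ! with violation shutdown the port is err-disabled; bounce it to restore it
  shutdown
  no shutdown
 end
copy running-config startup-config
! confirm the user is reachable again
ping 192.0.2.10
```

If the old address was learned as sticky rather than configured statically, remove it with no switchport port-security mac-address sticky <mac>, or clear every sticky entry on the port with clear port-security sticky interface FastEthernet0/3. After the bounce, show port-security interface FastEthernet0/3 should report Port Status Secure-up and the new host's MAC as the last source address.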