The basics of Switch port security

Certification: Cisco CCNA - Cisco Certified Network Associate


Switch port security is an important network feature: it restricts a switch port so that only traffic from a specifically configured MAC address, or from a list of such MAC addresses, is allowed on it. To start with, secure MAC addresses come in three kinds:

  • Dynamic secure MAC address: learned dynamically from the traffic arriving on the switch port. These addresses are not kept in the running configuration; they are stored only in the address table.
  • Static secure MAC address: configured statically on the switch port and kept both in the address table and in the running configuration.
  • Sticky secure MAC address: either configured manually or learned dynamically. These addresses are kept both in the address table and in the running configuration.

Which kind of secure MAC address is configured depends on the intended result. When the MAC addresses are known and do not change, static secure MAC addresses are used. When the hosts connecting to a given switch port change constantly and the goal is only to limit the port to a certain number of hosts, dynamic secure MAC addresses are used. Sticky addresses differ in that the dynamically learned addresses are written into the running configuration; if the device may be rebooted, the running configuration can be saved to the startup configuration, which effectively makes those learned addresses static.

Configuration of Switch port Security

There are several guidelines and requirements to know before implementing the configuration:

  • Port security can be configured only on statically configured access ports or trunk ports; switch ports in dynamic mode are not supported.
  • Switched Port Analyzer (SPAN) ports do not support port security.
  • Fast EtherChannel and Gigabit EtherChannel interfaces do not support port security.
  • Sticky secure MAC addresses do not support port security aging.

Overall, configuring switch port security is not complex; the following commands are used to begin the configuration:

  1. Router#configure terminal = enters global configuration mode on the device.
  2. Router(config)#interface interface-id = enters interface configuration mode for the port to be secured.
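The steps above carried through to a working configuration, as an added example that is not part of the original article: one port with a static secure MAC address and one port that learns sticky addresses. The hostname "Switch", the interface names and the MAC address 0000.1111.2222 are assumptions.

```cisco
! Added example; hostname, interface names and the MAC address are assumed
Switch# configure terminal
! Port security requires a statically configured access (or trunk) port
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Static secure MAC address: kept in the address table and running-config
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
Switch(config-if)# exit
! Second port: learn up to two addresses as sticky secure MAC addresses
Switch(config)# interface FastEthernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
! Sticky entries are written to running-config; save them so they survive a reload
Switch# copy running-config startup-config
! Verify the secure addresses and their type (SecureConfigured / SecureSticky)
Switch# show port-security address
Switch# show port-security interface FastEthernet0/2
```

The show commands confirm that FastEthernet0/1 holds one configured address and that FastEthernet0/2 fills its two sticky slots as hosts send traffic.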

Aging of Switch port Security

When configuring port security, an aging timer is available as an option. Aging removes a learned secure MAC address after a given period of time, so that the port can learn a new one. Aging of secure MAC addresses can be done in two ways:

  • Absolute aging deletes the secure MAC address after the specified aging time has elapsed.
  • Inactivity aging deletes the secure MAC address only when it has been inactive for the specified aging time.

Violations of Switch Port Security

Another aspect of port security that must be understood is the port security violation: what a violation is, what causes one, and which violation modes exist. A port security violation occurs in one of two situations:

  • When the number of secure MAC addresses on the port has reached the configured maximum (1 per switch port by default) and a frame from an additional source MAC address arrives
  • When an address configured or learned on one secure interface is seen on another secure interface in the same VLAN

The action the device takes when a violation occurs depends on the configured violation mode:

  • Protect mode forwards traffic from known MAC addresses and drops traffic from unknown MAC addresses once the allowed number of MAC addresses has been reached. This mode gives no notification that traffic is being dropped.
  • Restrict mode forwards traffic from known MAC addresses and drops traffic from unknown MAC addresses once the allowed number has been reached, as protect does, but it also logs a syslog message, sends an SNMP (Simple Network Management Protocol) trap, and increments the violation counter whenever traffic is dropped.
  • Shutdown mode is the default violation mode. When a violation occurs, the switch automatically puts the port into the error-disabled state, in which no traffic is forwarded. The port is brought out of this state either by a CLI command (errdisable recovery) or by disabling and re-enabling the switch port.
  • Shutdown VLAN mode acts like shutdown mode but limits the error-disabled state to the VLAN on which the violation occurred rather than the whole port.
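The aging options described earlier and the violation modes above, put together on one port as an added example that is not part of the original article. The hostname "Switch" and interface FastEthernet0/3 are assumptions.

```cisco
! Added example; hostname and interface name are assumed
Switch# configure terminal
Switch(config)# interface FastEthernet0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
! Aging: remove a dynamically learned secure address after 10 minutes of
! inactivity. "aging type absolute" would remove it after 10 minutes
! regardless of traffic. Sticky secure addresses do not age.
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity
! Violation mode: restrict drops frames from unknown sources, logs a syslog
! message, sends an SNMP trap and increments the violation counter.
! The default, shutdown, would put the port into err-disabled instead.
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# exit
! For ports left in shutdown mode, recover err-disabled ports automatically
! after 300 seconds instead of a manual shutdown / no shutdown
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Shows the violation mode, aging time/type, violation count and last source address
Switch# show port-security interface FastEthernet0/3
! Confirms which err-disable causes are set to recover and the timer
Switch# show errdisable recovery
```

With restrict mode the syslog messages and SNMP traps give a monitoring system something to alert on, which protect mode does not.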

Switch port security benefits

The important benefits of using switch port security are:

  • Network availability is improved because campus network outages caused by broadcast storms are reduced.
  • Network reliability can be better guaranteed when a port is limited to one MAC address; bandwidth on a port cannot be guaranteed when the port is shared by other networking devices.
  • Port security is increased when the port is limited to one MAC address, because this protects against MAC flooding attacks, the kind of attack generated by the macof tool.
  • Future-proofing is achieved by implementing port authentication and also limiting the port to one MAC address.