Configure Port Security on Cisco SG Switches

Last updated: Nov 11, 2024

In this guide, I’ll show how to configure port security on Cisco Small Business switches using the command-line interface (CLI).

Port security is a powerful feature that helps protect your network by restricting access to specific devices based on their MAC address. It allows you to control which devices are allowed to connect to each switch port.

This feature allows you to:
- Block unauthorized devices from accessing the network
- Limit the number of devices per port (e.g. to prevent users from adding unmanaged switches or Wi-Fi access points)
- Apply MAC address filtering, either manually or automatically

Image of stacked Cisco SG Series switches, showcasing various models designed for small business network environments.

Definitions

The different modes

Lock (default): Secure mode without MAC learning. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.
Max-addresses: Non-secure mode with limited learning dynamic MAC addresses. The static MAC addresses may be added on the port manually by the mac address-table static command.
Secure permanent: Secure mode with limited learning permanent secure MAC addresses with the permanent time-of-live. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.
Secure delete-on-reset: Secure mode with limited learning secure MAC addresses with the delete-on-reset time-of-live. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.

Action on Violation

Discard (default): Discards packets with unlearned source addresses.
Forward: Forwards packets with unlearned source addresses, but does not learn the address.
Discard-Shutdown: Discards packets with unlearned source addresses and shuts down the port.

Adding static addresses

Addresses can be learned statically or dynamically. Static addresses are added with the mac address-table static command.

Parameters for the mac address-table static command:
- permanent (default): MAC address is saved until it is removed manually.
- delete-on-reset: MAC address is saved until the next reboot.
- delete-on-timeout: MAC address that may be removed by the aging time.

The following example adds a permanent static MAC address:

Switch(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1 permanent

The following example adds a deleted-on-reset static MAC address:

Switch(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1 delete-on-reset

The following example adds a deleted-on-timeout static MAC address:

Switch(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1 delete-on-timeout

The following example adds a secure MAC address:

Switch(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1 secure

Enable Port Security

Enable port security on interface gi1/0/1, with Discard-Shutdown and Lock mode. In this example, the port will be disabled if an address other than 00:3f:bd:45:5a:b1 is connected to port gi1/0/1:

Switch(config)# mac address-table static 00:3f:bd:45:5a:b1 vlan 1 interface gi1/0/1 permanent
Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode lock
Switch(config-if)# port security discard-shutdown
Switch(config-if)# port security

Disable Port Security

Disable port security on interface gi1/0/1:

Switch(config)# interface gi1/0/1
Switch(config-if)# no port security

Set maximum number of MAC addresses

We can define the maximum number of MAC addresses a port is allowed to communicate with. This can be useful if you don't want a user to connect a switch or a WiFi access point.

Here, we give the option of connecting up to two MAC addresses to a physical interface. (Note: The two addresses will be learned dynamically):

Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode max-addresses
Switch(config-if)# port security max 2
Switch(config-if)# port security discard
Switch(config-if)# port security

Secure permanent with limited learning addresses

Here we manually add two mac addresses and enable the secure permanent and max mac addresses modes at the same time:

Switch(config)# mac address-table static 00:3f:bd:45:5a:b1 vlan 1 interface gi1/0/1 permanent
Switch(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1/0/1 permanent
Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode secure permanent
Switch(config-if)# port security max 5
Switch(config-if)# port security

Clear mac address-table

Delete all dynamic (learned) addresses on the gi1/0/1 interface:

Switch# clear mac address-table dynamic interface gi1/0/1

Delete all the secure addresses learned on the gi1/0/1 interface:

Switch# clear mac address-table secure interface gi1/0/1

Show Commands

Display port security settings:

Switch# show ports security

Detailed display of port security settings:

Switch# show ports security detailed

Display port security interface settings:

Switch# show ports security GigabitEthernet1/0/20

Display the entire MAC address table:

Switch# show mac address-table

Display address table entries containing the specified MAC address:

Switch# show mac address-table 00:3f:bd:45:5a:b1

Display the number of addresses in the Forwarding Database:

Switch# show mac address-table count

Display the addresses present for a specific interface:

Switch# show mac address-table interface GigabitEthernet1/0/20