Cisco port security for Small Business / SG series switches

We will see how to set Cisco port security with command line on Small Business series Switch.

Configuration

Switch model : Cisco SG550X
Switch model : Cisco SG350X

Definitions

Modes

lock (default) : Secure mode without MAC learning. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.
max-addresses : Non-secure mode with limited learning dynamic MAC addresses. The static MAC addresses may be added on the port manually by the mac address-table static command.
secure permanent : Secure mode with limited learning permanent secure MAC addresses with the permanent time-of-live. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.
secure delete-on-reset : Secure mode with limited learning secure MAC addresses with the delete-on-reset time-of-live. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.

Action on Violation

Discard (default) : The packets are discarded if the source is unknown/unlearned. It is possible to send snmp trap.
Forward : The packets are forwarded even if the source is unknown/unlearned. It is possible to send snmp trap.
Discard-Shutdown : The packets are discarded and shuts down the port if the source is unknown/unlearned. It is possible to send snmp trap.

Enable Port Security

Enable port security on gi1/0/1 interface, with Discard-Shutdown and Lock mode.

Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode lock
Switch(config-if)# port security discard-shutdown
Switch(config-if)# port security

Disable Port Security

Disable port security on gi1/0/1 interface.

Switch(config)# interface gi1/0/1
Switch(config-if)# no port security

Set MAC addresses max number

We can set the maximum number of MAC addresses the port is allowed to speak with. It can be usefull if we want to avoid personnal switches.

Here we give the possibility to connect up to two MAC addresses on a physical interface (gi1/0/1) :

Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode max-addresses
Switch(config-if)# port security max 2
Switch(config-if)# port security

Port Security with limited learning addresses

We can mix Lock mode and max mac addresses number

Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode secure permanent
Switch(config-if)# port security max 5
Switch(config-if)# port security

Show Commands

Display port security settings

Switch# show ports security

Display port security detailled settings

Switch# show ports security detailed

Display port security interface settings

Switch# show ports security GigabitEthernet1/0/20

Display the entire MAC address table

Switch# show mac address-table

Display address table entries containing the specified MAC address

Switch# show mac address-table 00:3f:bd:45:5a:b1

Display the number of addresses present in the Forwarding Database

Switch# show mac address-table count

Display the addresses present for a specific interface

Switch# show mac address-table interface GigabitEthernet1/0/20

Computing

Music

Misc