How to Set Up Port Security on Cisco Small Business / SG Series Switches

Definitions

The different modes

• Lock (default): Secure mode without MAC learning. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.
• Max-addresses: Non-secure mode with limited learning dynamic MAC addresses. The static MAC addresses may be added on the port manually by the mac address-table static command.
• Secure permanent: Secure mode with limited learning permanent secure MAC addresses with the permanent time-of-live. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.
• Secure delete-on-reset: Secure mode with limited learning secure MAC addresses with the delete-on-reset time-of-live. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.

Action on Violation

• Discard (default): Discards packets with unlearned source addresses.
• Forward: Forwards packets with unlearned source addresses, but does not learn the address.
• Discard-Shutdown: Discards packets with unlearned source addresses and shuts down the port.

Adding static addresses

Addresses can be learned statically or dynamically. Static addresses are added with the mac address-table static command.

• Parameters for the mac address-table static command:
  • permanent (default): MAC address is saved until it is removed manually.
  • delete-on-reset: MAC address is saved until the next reboot.
  • delete-on-timeout: MAC address that may be removed by the aging time.

• The following example adds a permanent static MAC address:

• The following example adds a deleted-on-reset static MAC address:

• The following example adds a deleted-on-timeout static MAC address:

• The following example adds a secure MAC address:

Enable Port Security

• Enable port security on interface gi1/0/1, with Discard-Shutdown and Lock mode. In this example, the port will be disabled if an address other than 00:3f:bd:45:5a:b1 is connected to port gi1/0/1:

Disable Port Security

• Disable port security on interface gi1/0/1:

Set maximum number of MAC addresses

We can define the maximum number of MAC addresses a port is allowed to communicate with. This can be useful if you don't want a user to connect a switch or a WiFi access point.

• Here, we give the option of connecting up to two MAC addresses to a physical interface. (Note: The two addresses will be learned dynamically):

Secure permanent with limited learning addresses

• Here we manually add two mac addresses and enable the secure permanent and max mac addresses modes at the same time:

Clear mac address-table

• Delete all dynamic (learned) addresses on the gi1/0/1 interface:

• Delete all the secure addresses learned on the gi1/0/1 interface:

Show Commands

• Display port security settings:

• Detailed display of port security settings:

• Display port security interface settings:

• Display the entire MAC address table:

• Display address table entries containing the specified MAC address:

• Display the number of addresses in the Forwarding Database:

• Display the addresses present for a specific interface: