# Switch security configuration ## Implement port security ### Secure unused ports A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. ``` S1(config)# interface range fa0/8 - 24 S1(config-if-range)# shutdown %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down (output omitted) %LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down S1(config-if-range)# ``` If a port must be reactivated at a later time, it can be enabled with the **no shutdown** command. ### **Mitigate MAC address table attacks** The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security. Port security limits the number of valid MAC addresses allowed on a port. It allows an administrator to manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized access to the network, as shown in the figure. ![Port security usage](/files/-M4itLStqYG0aFreUp2R) ### Enable port security Port security can only be configured on manually configured access ports or manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic auto (trunking on). ``` S1(config)# interface f0/1 S1(config-if)# switchport mode access S1(config-if)# switchport port-security S1(config-if)# end ``` Use the **show port-security interface** command to display the current port security settings. Notice how port security is enabled, the violation mode is shutdown, and how the maximum number of MAC addresses is 1. If a device is connected to the port, the switch will automatically add the device’s MAC address as a secure MAC. In this example, no device is connected to the port. ``` S1# show port-security interface f0/1 Port Security : Enabled Port Status : Secure-shutdown Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 0 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address:Vlan : 0000.0000.0000:0 Security Violation Count : 0 S1# ``` **Note**: If an active port is configured with the **switchport port-security** command and more than one device is connected to that port, the port will transition to the error-disabled state. After port security is enabled, other port security specifics can be configured, as shown in the example. ``` S1(config-if)# switchport port-security ? aging Port-security aging commands mac-address Secure mac address maximum Max secure addresses violation Security violation mode ``` ### Limit and learn MAC addresses To set the maximum number of MAC addresses allowed on a port (default is one), use the following command: ``` Switch(config-if)# switchport port-security maximum ``` The switch can be configured to learn about MAC addresses on a secure port in one of three ways: #### **Manually configured** ``` Switch(config-if)# switchport port-security mac-address ``` **Dynamically learned** When the **switchport port-security** command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the startup configuration. If the switch is rebooted, the port will have to re-learn the device’s MAC address. **Dynamically Learned – Sticky** The administrator can enable the switch to dynamically learn the MAC address and “stick” them to the running configuration by using the following command: ``` Switch(config-if)# switchport port-security mac-address sticky ``` Saving the running configuration will commit the dynamically learned MAC address to NVRAM. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://man.protyro.eu/network-security/ccnav7/switch-security-configuration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.