How to prevent unauthorized users from connecting their PCs to an enterprise network? How to prevent employees from connecting unauthorized devices to a LAN or moving their computers without permission?
Port Security is a Layer 2 feature, enabled per interface, that prevents devices with untrusted MAC addresses from sending traffic through a switch port. When it is enabled, the switch dynamically learns the MAC address of the device connected to the port and stores it as a secure MAC address (by default these entries do not age out). From then on only that MAC address is allowed to forward traffic over the port (by default a single trusted MAC address is allowed). A frame arriving with any other source MAC address triggers one of the following protection actions:
- Protect – packets from an untrusted MAC address are dropped silently,
- Restrict – packets from an untrusted MAC address are dropped and an alarm (SNMP trap) is generated (default behaviour),
- Shutdown – the port is shut down (placed in the Error-Down state, so it stops forwarding all traffic).
Let's configure the port security feature on a switch port and see how it works.
<labnarioSW1>sys
Enter system view, return user view with Ctrl+Z.
[labnarioSW1]interface gi0/0/1
[labnarioSW1-GigabitEthernet0/0/1]port link-type access
[labnarioSW1-GigabitEthernet0/0/1]port-security enable
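For reference, here is a complete port-security configuration for the same port, covering the options the description above mentions (the number of allowed MAC addresses, the protection action and the fact that learned addresses are kept). This is an added example, not part of the original post: the switch name labnarioSW1 is reused, while VLAN 10, the MAC address 5489-98ab-cdef and the 30-second recovery interval are assumptions chosen for illustration. The error-down auto-recovery command is available only on VRP versions that support it; on others the port must be recovered manually.

```text
# Added example, not from the original post. Assumed values: VLAN 10,
# MAC 5489-98ab-cdef, 30 s auto-recovery interval.

# Optional, only relevant for the shutdown action: recover a port that
# went Error-Down because of port security after 30 seconds instead of
# requiring a manual shutdown / undo shutdown on the interface.
<labnarioSW1>system-view
[labnarioSW1]error-down auto-recovery cause port-security interval 30

# Port configuration
[labnarioSW1]interface GigabitEthernet 0/0/1
[labnarioSW1-GigabitEthernet0/0/1]port link-type access
[labnarioSW1-GigabitEthernet0/0/1]port default vlan 10
[labnarioSW1-GigabitEthernet0/0/1]port-security enable

# Number of secure MAC addresses allowed on the port (1 is the default,
# shown explicitly here).
[labnarioSW1-GigabitEthernet0/0/1]port-security max-mac-num 1

# Protection action: protect | restrict (default) | shutdown.
[labnarioSW1-GigabitEthernet0/0/1]port-security protect-action shutdown

# Make learned secure MAC addresses sticky so that they survive a reboot
# (they are written to the saved configuration). Without this line the
# dynamically learned secure MAC is kept only until the switch restarts.
[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky

# Optionally pin a known device statically instead of waiting for it
# to be learned.
[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky 5489-98ab-cdef vlan 10
[labnarioSW1-GigabitEthernet0/0/1]quit

# Verification: which MAC addresses the port trusts and how the interface
# is configured.
[labnarioSW1]display mac-address sticky
[labnarioSW1]display mac-address security
[labnarioSW1]display current-configuration interface GigabitEthernet 0/0/1
```

To test the behaviour, connect one PC, confirm its MAC appears in the output of display mac-address sticky, then swap in a second PC: with protect-action shutdown the interface goes Error-Down and, with the auto-recovery line present, comes back up after 30 seconds, only to be shut down again if the untrusted device is still attached. Choose restrict instead if you want the port to stay up for the trusted device while dropping the intruder's frames and raising an alarm.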