Ethernet MAC Port-security

Today we will implement port security on our Cisco switch. We will bind the MAC address of the NIC device with our related port. So if some changes happen on the physical ports, then new device will be restricted.

CISCO SWITCH MAIN CONFIGURATION

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#vlan 10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#exit
Switch(config)#interface vlan 10
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan10, changed state to up

Switch(config-if)#ip address 192.168.10.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 20
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan20, changed state to up

Switch(config-if)#ip address 192.168.20.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip routing
Switch(config)#interface range g1/0/1-2
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up

Switch(config-if-range)#no shutdown
Switch(config-if-range)#exit
Switch(config)#int g1/0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up

Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#

CHECK MAC ADDRESS TABLE

After your first package (PING) switch will create the ARP table and you will be able to find MAC addresses.

Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

  10    0060.3e42.a25a    DYNAMIC     Gig1/0/1
  10    0060.5cad.cbc6    DYNAMIC     Gig1/0/2
  20    0090.21d6.3283    DYNAMIC     Gig1/0/3
Switch#
Switch#

PORT-SECURITY AND MAC BINDING

Switch(config-if)#switchport port-security maximum 1  (max 1 MAC can connect)
Switch(config-if)#switchport port-security  (enabling port-security feature)
Switch(config-if)#switchport port-security mac-address 0060.3e42.a25a (MAC binding)
Switch(config-if)#no shutdown
Switch(config-if)#ex

After enabling port security and binding MAC address, try to connect another device to this port-security enabled port. Then you will realize that you have no access.