Cisco ICND2 – Implement basic switch security (including: port security, unassigned ports, trunk access, etc.)

Basic switch security

In this topic we will discuss basic switch security and how we can lock down the ports on a switch. I found when using Packet Tracer the port-security didn’t work constantly and in some cases didn’t work at all.

I would recommend configuring this if possible on real equipment. Packet Tracer will accept the commands but the desired effect might not happen.

interVLA _DiagramOur three switches have 24 ports each, currently only three ports are used on each switch. With the remaining ports we will turn these into access ports to stop someone from plugging in a switch and creating a trunk link but we will also shut them down.

By default switches are in desired mode, meaning if another switch is plugged in it will trunk.

configure terminal
interface range fa0/4-fa0/24
switchport mode access

We’ll now configure fa0/3 on Switch A to dynamically learn the connected PC’s MAC address and setup violation so the port shutdowns if an unknown MAC address such as another device is plugged into fa0/3.

configure terminal
interface fa0/3
switchport port-security 
switchport port-security mac sticky
switchport port-security violation shutdown

The sticky command is useful for the switch to detect the MAC address, we can manually set the MAC address:

configure terminal
interface fa/0/3
switchport port-security MAC

It’s possible to allow more than one MAC address assigned to a switchport:

configure terminal
interface fa0/3
switchport port-security maximum 2

Other violation modes:

switchport port-security violation restrict
switchport port-security violation protect

Restrict: This mode allows known MAC addresses to continue sending frames whilst blocking unknown MAC addresses from sending. A violation message is sent to a SNMP service if configured.

Protect: This mode allows known MAC addresses to continue sending frames whilst blocking unknown MAC addresses from sending. A violated message is not sent.

Configuring violations are all well and good but what happens if a PC hasn’t been live on a port for a while? a new PC will come along and the port may be put into a shutdown state.

We can configure how long before the MAC addresses are pruned using the aging command:

switchport port-security aging time 10

The aging timer is done in minutes, so 10 minutes in this example.

We can also prune the MAC addresses if the port has had no activity:

switchport port-security aging type inactivity


  • show port-security interface <interface>
  • show port-security address

Switch security practises:

  • Ensure physical access to switches is restricted
  • Set login password/enable passwords on switches and configure banners
  • Web service can be disabled if the switch supports web service (no ip http server/secure server)
  • Access-lists can be used to restrict SSH/telnet access by only allowing a specific subnet or host to SSH/telnet to the switch
  • Use SSH rather than telnet as it’s more secure – Telnet is sent in plain text, SSH is encrypted
  • Config logging to SNMP to capture violation etc