How to enable port security on Cisco switches.
Port security is one of the best ways to lock down a switched IP network. Enabling port security means you can set up the ports on your switch so that a port turns itself off automatically when an unauthorized computer or IP device is plugged into it. A slightly different configuration can instead allow a fixed number of devices on a single port.
Setting up port security is fairly easy. After you log into your switch, go into the text configuration mode by typing config t at the command prompt. Once in text configuration mode, select the port you want to configure by typing int fa1/0/port#. Note: fa1/0/port# is the naming for a Fast Ethernet switch; on a Gigabit switch it will probably be int gi1/0/port#. You can check the port names by running show run (before going into text configuration mode). Now you can look at what is currently configured on that port by typing do show run int fa1/0/port#. Note: the “do” in do show run lets you view your configuration while still in text configuration mode (config t).
Here is a typical port security configuration for a Gigabit switch.
interface GigabitEthernet1/0/1
description Access/Voice port for: Some ones computer or IP device…
switchport access vlan 1
switchport mode access
switchport port-security maximum 1
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000b.97d8.9367
spanning-tree portfast
!
Each of the lines above is a command and can be typed into the console while in text configuration mode with an interface selected. If you see anything else, simply type a “no
When mac-address sticky mode is set, the first device connected to the port has its MAC address learned and saved, and it becomes the only device allowed to access the network through that port. To plug a different device into that port you will need to clear the learned address with no switchport port-security mac-address sticky mac-address#, using the address shown in the configuration as in the example above. Also, using vlan 1 is usually a bad idea, but we’ll save that for another article.
The switchport port-security maximum 1 line tells the switch to allow only one MAC address on the port. So to sum things up: clear out the port’s current configuration by prefixing each existing line with “no”, then add the lines above and change the vlan to suit your network.
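The procedure above (check what a port has with show run, clear it with “no”, then add the port security lines) is easy to do by hand on a handful of ports, but on a 48-port switch it is worth automating the audit. The following Python script is an added example, not part of the original post or any Cisco tool: it parses a constructed sample of show run output, flags access ports that are missing any of the port security lines recommended above, and generates the “no … then add” command list for each one. The sample configuration, the interface names and the VLAN number are all made up for the example; trunk ports are skipped because the recommendations apply to access ports.

```python
import re
from typing import Dict, List

# Constructed sample of "show run" output (not taken from the original post).
# Gi1/0/1 matches the recommended configuration, Gi1/0/2 is an access port
# with no port security, Gi1/0/3 is a trunk uplink and is out of scope.
SAMPLE_SHOW_RUN = """\
interface GigabitEthernet1/0/1
 description Access/Voice port for: workstation
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000b.97d8.9367
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description Access port with no port security
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description Uplink
 switchport mode trunk
!
"""

# The sub-commands every access port should carry, per the post's example.
REQUIRED = [
    "switchport mode access",
    "switchport port-security",
    "switchport port-security maximum 1",
    "switchport port-security mac-address sticky",
]


def parse_interfaces(show_run: str) -> Dict[str, List[str]]:
    """Split running-config text into {interface name: [sub-command lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in show_run.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!" or not line.strip():
            current = None  # "!" closes an interface block
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def missing_port_security(sub_cmds: List[str]) -> List[str]:
    """Return the required lines that are absent from one port's config."""
    present = set(sub_cmds)
    return [cmd for cmd in REQUIRED if cmd not in present]


def audit(show_run: str) -> Dict[str, List[str]]:
    """Report every non-trunk port that lacks one or more required lines."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(show_run).items():
        if "switchport mode trunk" in cmds:
            continue  # port security as described here is for access ports
        gaps = missing_port_security(cmds)
        if gaps:
            findings[name] = gaps
    return findings


def remediation(name: str, sub_cmds: List[str], vlan: int) -> List[str]:
    """Build the CLI lines the post's procedure calls for: select the
    interface, prefix every existing sub-command with 'no', then add the
    recommended lines with the chosen VLAN (vlan is an example value)."""
    lines = [f"interface {name}"]
    for cmd in sub_cmds:
        lines.append(f" no {cmd}")
    lines += [
        f" switchport access vlan {vlan}",
        " switchport mode access",
        " switchport port-security maximum 1",
        " switchport port-security",
        " switchport port-security mac-address sticky",
        " spanning-tree portfast",
    ]
    return lines


if __name__ == "__main__":
    ports = parse_interfaces(SAMPLE_SHOW_RUN)
    for port, gaps in audit(SAMPLE_SHOW_RUN).items():
        print(f"{port}: missing {', '.join(gaps)}")
        print("\n".join(remediation(port, ports[port], vlan=10)))
```

Running the script against the sample reports GigabitEthernet1/0/2 as missing the three port security lines and prints the commands to paste into text configuration mode for that port. Review the generated lines before applying them: the “no” pass also removes the description and the existing VLAN, exactly as the manual procedure does, so make sure the vlan argument is the right one for your network.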
