Port security allows you to control the number of MAC addresses that can be learned on a single switch port. It is enabled on a per-interface basis.

It can protect against malicious applications that send thousands of frames into a network, each with a different source MAC address, thereby exhausting the capacity of the MAC address table. The result is that the switch floods frames out of every interface in that VLAN (normal switch behaviour for unknown destination MACs), allowing the attacker to capture them. This is known as a 'CAM table overflow attack'.

It can also prevent a client from depleting the DHCP address pool, which could otherwise be done by sending thousands of requests using a different source MAC address each time.

When port security detects a violation, it takes one of the following actions:

  • Shutdown mode (default): the port is shut down
  • Protect mode: frames from new MAC sources are silently denied
  • Restrict mode: same as protect, but a syslog message is sent as well
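The following toy model, added here as an illustration and not part of the original notes, shows what the three violation modes mean in practice and why an unprotected port leads to flooding. It models a switch with a small CAM table, an attacker port spraying random source MACs, and two legitimate hosts; every name, capacity and MAC address in it is constructed for the example, and the two log strings are only formatted after the style of IOS port-security syslog messages.

```python
"""Toy model of a switch MAC (CAM) table with per-port port security.

Added illustration (not from the original notes): an attacker port sprays
frames with random source MACs, then two legitimate hosts talk. Without port
security the CAM table fills with bogus entries and the host traffic is
flooded; with port security the attacker port is limited to a few MACs and
each violation mode reacts differently to the next new source MAC.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import random

FLOOD = "flood"       # unknown destination: copied out of every port in the VLAN
FORWARD = "forward"   # destination known: sent out of a single port
DROP = "drop"         # discarded by port security or by an err-disabled port


@dataclass
class Port:
    name: str
    max_macs: Optional[int] = None   # None: port security not enabled on this port
    mode: str = "shutdown"           # "protect" | "restrict" | "shutdown"
    secure_macs: Set[str] = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False


class Switch:
    def __init__(self, cam_capacity: int):
        self.cam_capacity = cam_capacity          # constructed small table for the demo
        self.cam: Dict[str, str] = {}             # mac -> port name
        self.syslog: List[str] = []

    def _port_security_allows(self, port: Port, src: str) -> bool:
        """True if the frame may pass; otherwise apply the port's violation action."""
        if port.max_macs is None or src in port.secure_macs:
            return True
        if len(port.secure_macs) < port.max_macs:
            port.secure_macs.add(src)             # sticky learning of a new secure MAC
            return True
        port.violations += 1
        if port.mode == "shutdown":
            port.err_disabled = True              # port goes err-disabled after one violation
            self.syslog.append(
                f"%PM-4-ERR_DISABLE: psecure-violation error detected on {port.name}")
        elif port.mode == "restrict":
            self.syslog.append(
                "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                f"caused by MAC address {src} on port {port.name}")
        # protect mode: drop silently, no log, no state change
        return False

    def receive(self, port: Port, src: str, dst: str) -> str:
        if port.err_disabled or not self._port_security_allows(port, src):
            return DROP
        if src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src] = port.name             # normal MAC learning until the table is full
        return FORWARD if dst in self.cam else FLOOD


def random_mac(rng: random.Random) -> str:
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_scenario(attacker_max: Optional[int], mode: str = "shutdown",
                 cam_capacity: int = 64, frames: int = 500) -> dict:
    """Replay the attack with the attacker port configured as requested."""
    rng = random.Random(1)                        # fixed seed: deterministic result
    sw = Switch(cam_capacity)
    host_a = Port("Gi0/1")
    attacker = Port("Gi0/2", max_macs=attacker_max, mode=mode)
    host_b = Port("Gi0/3")
    mac_a, mac_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"   # constructed host MACs
    for _ in range(frames):                       # the CAM overflow: random src and dst
        sw.receive(attacker, random_mac(rng), random_mac(rng))
    sw.receive(host_b, mac_b, mac_a)              # B talks first so B can be learned
    action = sw.receive(host_a, mac_a, mac_b)     # is A -> B forwarded or flooded?
    return {
        "cam_entries": len(sw.cam),
        "a_to_b": action,
        "attacker_violations": attacker.violations,
        "attacker_err_disabled": attacker.err_disabled,
        "syslog": sw.syslog,
    }


if __name__ == "__main__":
    for cfg in [(None, "shutdown"), (5, "shutdown"), (5, "restrict"), (5, "protect")]:
        r = run_scenario(*cfg)
        print(cfg, r["a_to_b"], r["cam_entries"], r["attacker_violations"], len(r["syslog"]))
```

With no port security the 64-entry table is full of attacker MACs, host B is never learned and A's traffic to B is flooded to every port, including the attacker's. With a maximum of 5 MACs, shutdown mode err-disables the attacker port at the first extra MAC, restrict mode drops every extra frame and logs each one, and protect mode drops them silently; in all three cases the legitimate hosts are learned and A to B is forwarded normally.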

To implement (interface configuration, followed by verification from privileged EXEC mode):

  interface GigabitEthernet0/1
   ! port security is rejected on a dynamic (default) port, so fix the mode first
   switchport mode access
   switchport port-security
   ! sets the max number of MACs allowed
   switchport port-security maximum 5
   switchport port-security violation protect
   switchport port-security mac-address sticky
  end
  show port-security
  show port-security interface GigabitEthernet0/1