Cisco port security for Small Business / SG series switches
Last updated: Aug 11, 2023
We will see how to set Ciscoport security with command line on Small Business series Switch.
Configuration
Switch model : Cisco SG550X
Switch model : Cisco SG350X
Definitions
Modes
Lock (default): Secure mode without MAC learning. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.
Max-addresses: Non-secure mode with limited learning dynamic MAC addresses. The static MAC addresses may be added on the port manually by the mac address-table static command.
Secure permanent: Secure mode with limited learning permanent secure MAC addresses with the permanent time-of-live. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.
Secure delete-on-reset: Secure mode with limited learning secure MAC addresses with the delete-on-reset time-of-live. The static and secure MAC addresses may be added on the port manually by the mac address-table static command.
Action on Violation
Discard (default): The packets are discarded if the source is unknown/unlearned. It is possible to send snmp trap.
Forward: The packets are forwarded even if the source is unknown/unlearned. It is possible to send snmp trap.
Discard-Shutdown: The packets are discarded and shuts down the port if the source is unknown/unlearned. It is possible to send snmp trap.
Enable Port Security
Enableport security on gi1/0/1 interface, with Discard-Shutdown and Lock mode.
Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode lock
Switch(config-if)# port security discard-shutdown
Switch(config-if)# port security
Disable Port Security
Disableport security on gi1/0/1 interface.
Switch(config)# interface gi1/0/1
Switch(config-if)# no port security
Set MAC addresses max number
We can set the maximum number of MAC addresses the port is allowed to speak with. It can be usefull if we want to avoid personnal switches.
Here we give the possibility to connect up to twoMAC addresses on a physical interface (gi1/0/1) :
Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode max-addresses
Switch(config-if)# port security max 2
Switch(config-if)# port security
Port Security with limited learning addresses
We can mix Lock mode and max mac addresses number
Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode secure permanent
Switch(config-if)# port security max 5
Switch(config-if)# port security
Show Commands
Displayport security settings
Switch# show ports security
Displayport security detailled settings
Switch# show ports security detailed
Displayport security interface settings
Switch# show ports security GigabitEthernet1/0/20
Display the entire MAC address table
Switch# show mac address-table
Display address table entries containing the specifiedMAC address
Switch# show mac address-table 00:3f:bd:45:5a:b1
Display the number of addresses present in the Forwarding Database
Switch# show mac address-table count
Display the addresses present for a specific interface
Switch# show mac address-table interface GigabitEthernet1/0/20
Fr