The basic function of a switch is to pass packets from one host to another. Under normal operations, the switch learns the MAC address of the device(s) connected to each of its ports. When a device is connected to a switch port, the source MAC address of the frames from the connected device is placed in a forwarding table. Under normal circumstances, there are no restrictions on the devices that can be attached to a switch port.
With switch port security, you configure the switch to allow only specific devices to use a given port. You identify the MAC addresses of the allowed devices. Any device not explicitly identified will not be allowed to send frames through that port. To configure port security, take the following general actions on the port:
- Explicitly configure the port as an access port (a port with attached hosts, not with an attached switch).
- Enable switch port security.
- Identify the MAC addresses that can use the port.
The following examples show the switch port security configuration commands:
The following commands configure switch port security to allow only host 5ab9.0012.02af to use Fast Ethernet port 0/12:
switch(config)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address 5ab9.0012.02af
The following commands configure Fast Ethernet port 0/15 to accept the first MAC address it receives as the allowed MAC address for the port:
switch(config)#interface fast 0/15
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address sticky
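As an added example (not part of the original page), the following Python script audits a `show running-config` excerpt for the three settings described above: it parses each interface block, records whether the port is an access port with port security enabled, whether the allowed MAC is static or sticky, and flags any access port that has no port security at all. The sample config is constructed for the example and the checks assume the exact command forms shown on this page.

```python
import re

# Constructed `show running-config` excerpt (not from the page): the two ports above, an unprotected access port, and a trunk.
SAMPLE_CONFIG = """\
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security mac-address 5ab9.0012.02af
!
interface FastEthernet0/15
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/20
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)  # Cisco dotted-hex MAC

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [interface sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_port_security(config):
    """Per interface: mode, port security on/off, MAC learning (static/sticky), listed MACs, unprotected-access-port flag."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
        enabled = "switchport port-security" in cmds
        macs, learning = [], "static"
        for c in cmds:
            if c.startswith("switchport port-security mac-address "):
                tokens = c.split()[3:]  # e.g. ["5ab9.0012.02af"] or ["sticky"]
                learning = "sticky" if "sticky" in tokens else learning
                macs += [t for t in tokens if MAC_RE.match(t)]
        report[name] = {"mode": mode, "port_security": enabled, "learning": learning,
                        "macs": macs, "unprotected_access_port": mode == "access" and not enabled}
    return report
```

Running `audit_port_security(SAMPLE_CONFIG)` flags FastEthernet0/20 as an access port without port security while leaving the trunk port unflagged.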