Port security prevents rogue network extensions, such as a hub or a wireless access point (AP) plugged into an edge port, from extending your switch to stations you did not provision. Because it limits the number of MAC addresses allowed on a port, port security also serves as a mechanism to keep users from adding their own extensions to the IT-created network.
For example, if a user plugs a computer or other device into a user-facing port or data port on which port security allows a single MAC address, that first device occupies the one secure MAC address, and frames from any further devices behind it (for instance, behind a hub or AP inserted on the same cable) are not admitted to the network, as shown in Figure 18-5. The configured maximum must therefore match the number of legitimate devices expected on the port. Generally, a configuration appropriate to stop MAC flooding is also appropriate to inhibit rogue access.
Figure 18-5 Port Security Limits MAC Address to Prevent Rogue Access
Port security also lets you configure Layer 2 physical interfaces and Layer 2 port-channel interfaces to accept inbound traffic only from a restricted set of MAC addresses. The MAC addresses in the restricted set are called secure MAC addresses. In addition, the device does not allow traffic from these MAC addresses on any other interface within the same VLAN. The number of MAC addresses that the device can secure is configurable per interface.
The process of securing a MAC address is called learning. A MAC address can be a secure MAC address on one interface only. For each interface on which you enable port security, the device can learn a limited number of MAC addresses by using the static, dynamic, or sticky methods. The way that the device stores secure MAC addresses varies depending on how the device learned the secure MAC address.
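The following NX-OS configuration is an added example and is not taken from the book or from Cisco documentation; it ties together the single-MAC edge port described with Figure 18-5 and the secure-MAC learning methods named above. The interface names (Ethernet1/5 through 1/7), VLAN 10 and the MAC address 0050.56ab.cdef are placeholders chosen for the example.

```cisco
! Added example (not from the book). Interface names, VLAN and MAC are placeholders.
! Port security must be enabled globally before it can be applied to an interface.
feature port-security

! User-facing port: exactly one secure MAC address, learned dynamically (the default).
! The first station seen on the port occupies the single entry, so a second station
! behind a hub or AP triggers a violation and the port is shut down (err-disabled).
interface Ethernet1/5
  switchport
  switchport access vlan 10
  switchport port-security
  switchport port-security maximum 1
  switchport port-security violation shutdown

! Fixed device (for example a printer or server): the secure MAC is pinned with the
! static method, so no other station can use the port and this MAC is dropped if it
! appears on another interface in VLAN 10.
interface Ethernet1/6
  switchport
  switchport access vlan 10
  switchport port-security
  switchport port-security maximum 1
  switchport port-security violation shutdown
  switchport port-security mac-address 0050.56ab.cdef

! Sticky method: addresses learned dynamically are written to the running configuration
! as if they had been entered statically.
interface Ethernet1/7
  switchport
  switchport access vlan 10
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address sticky

! Static and sticky entries survive a reload only if the running configuration is saved.
copy running-config startup-config

! Verification: per-interface state, counters and the secure MAC table.
show port-security
show port-security interface ethernet 1/5
show port-security address
```

When checking the output, confirm that each interface shows port security enabled with the expected maximum and violation mode, and that every secure MAC address appears on exactly one interface. A port shut down by a violation stays err-disabled until you bounce it with shutdown and no shutdown or enable recovery with errdisable recovery cause psecure-violation.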
Static method: The static learning method allows you to manually add or remove secure MAC addresses in the running configuration of an interface. If you copy the running configuration to the startup configuration, static secure MAC addresses persist across a device restart. A static secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
You explicitly remove the address from the configuration.
You configure the interface to act as a Layer 3 interface.
Note
Adding secure addresses by using the static method is not affected by whether dynamic or sticky address learning is enabled.
Dynamic method: By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic. The device stores dynamic secure MAC addresses in memory. A dynamic secure MAC address entry remains in the configuration of an interface until one of the following events occurs: