This chapter covers
- How Port Security protects against DHCP exhaustion and MAC flooding attacks
- Configuring Port Security on Cisco switches
- Fine-tuning Port Security configurations
Connections to an external network, such as the public internet, are obvious security concerns. However, internal network threats should not be overlooked. It could be a malware-infected device—an external threat from the internet that has taken hold in the internal network. Or it could be a malicious user; no one wants to view their own coworkers with suspicion, but ignoring such possibilities is asking for trouble.
Given these concerns, securing the points where users connect to the network, the switches, is paramount. In this and the following two chapters, we will cover CCNA exam topic 5.7: Configure and verify Layer 2 security features. These are DHCP Snooping, Dynamic ARP Inspection, and Port Security, all of which are implemented on switches. This chapter focuses on Port Security, which provides granular control over which devices a switch allows to communicate over the network.
12.1 Port Security basics
Port Security is a feature of Cisco switches that adds a layer of security to a switch’s MAC address-learning process. Specifically, Port Security allows you to set a limit on the number of unique MAC addresses that can be learned on each port, and it defines actions to be taken if that limit is exceeded.
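The following is an added example, not configuration from the chapter, that shows what those two settings (the per-port MAC limit and the action taken on a violation) look like on a Cisco IOS access port, together with the commands used to verify them. The switch name SW1 and the interface GigabitEthernet0/1 are assumed for illustration.

```cisco
! Added example (not from the chapter). Assumes a Cisco IOS access switch
! named SW1 with a host-facing port GigabitEthernet0/1.
SW1(config)# interface GigabitEthernet0/1
! Port Security is only accepted on a port statically set to access or
! trunk mode; it is rejected on a port in dynamic (DTP) mode.
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
! Defaults at this point: maximum 1 MAC address, violation mode shutdown.
! Allow one PC plus one IP phone, and keep learned addresses in the
! running configuration (sticky) so they survive a reload once saved.
SW1(config-if)# switchport port-security maximum 2
SW1(config-if)# switchport port-security mac-address sticky
! shutdown err-disables the port on a violation; restrict keeps the port up,
! drops frames from unknown source MACs, logs, and counts each violation.
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# end
! Verify the configured limit, current address count, violation mode and
! violation count, then list the secure MAC addresses the switch has learned.
SW1# show port-security interface GigabitEthernet0/1
SW1# show port-security address
! A port err-disabled by a shutdown-mode violation stays down until it is
! bounced with shutdown / no shutdown, or automatic recovery is enabled.
SW1(config)# errdisable recovery cause psecure-violation
SW1(config)# errdisable recovery interval 300
```

The maximum and violation mode are per-interface settings, so a port that connects to a single end host can keep the default limit of 1 while a port behind an IP phone is raised to 2, and the violation action can be chosen per port depending on whether an outage (shutdown) or a quieter alert (restrict) is the better response for that device.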