Tech Tip: Implement port security to maintain security behind the wall

By Mike Mullins

Controlling the devices that are plugged into your internal network is one of the most fundamental aspects of network security. While most security administrators do a good job of erecting a fortress wall to keep the Internet at bay, we don't tend to maintain security behind that wall quite as well.

To improve security behind the wall, document every device that's plugged into the network, and harden it for both least privilege and least traffic (only the accounts, services, and protocols it actually needs) before it's physically connected. That means developing a technical implementation guide for each device type, turning off unneeded services, and securing the OS.

Any device that hasn't been through that process, and any equipment that power users bring in and connect without your knowledge, is unauthorized. For example, this includes printers running unnecessary protocols, as well as a hub in a user's cube with a wireless access point attached to it. Depending on the device, the security consequences of unauthorized equipment can be catastrophic.

Using port security on your switches is one of the primary methods for controlling access to the "wire." As with any control, though, there are arguments on both sides.

Port security: Pro

Enabling port security on your switches gives you control over which device may talk on each switch port. Anyone who connects unauthorized equipment to a secured port won't be able to communicate with any internal or external devices: the switch either drops the offending frames or shuts the port down, depending on the violation mode you configure. Keep in mind that the control keys on the MAC address, which an attacker can clone from an authorized device, so port security is a strong defense against unmanaged and accidental connections rather than a substitute for authenticating the device itself.

Port security: Con

Chief among the arguments against enabling port security is that you have to change the switch configuration each time a device is added, moved, or whenever a NIC fails. You'll also have to document every Media Access Control (MAC) address on your internal network. Depending on the size of your network, this can involve considerable work.

Enabling port security could also lead to more people being involved in after-hours troubleshooting. In the default violation mode (shutdown), a violation puts the port into the err-disabled state, which stays down until an administrator clears it or errdisable recovery is configured. That tends to invoke a blame-the-switch mentality, such as, "The switch is the reason I can't get my e-mail."

Implementation methods

If you have Cisco switches and decide you'd like to implement port security, there are two preferred methods: MAC Access Groups and Port Security. Both methods are applied to the inbound, or wire side, of the switch port.

MAC Access Groups
MAC access lists are generally used for small networks of 20 devices or fewer. You create the MAC access list in global configuration mode and then apply it inbound on each interface. The syntax is:

mac access-list extended name
 permit {any | host source-MAC-address} {any | host destination-MAC-address}
interface interface-id
 mac access-group name in

Add a permit statement for each of your workstations, servers, printers, and router interface MAC addresses, and apply the access list to each interface. Because the list ends with an implicit deny, inbound traffic on that interface is limited to the MAC addresses on your list. One important caveat: on many Catalyst platforms, MAC ACLs match only non-IP traffic, so an unauthorized host sending IP packets is not filtered by a MAC ACL alone. If you need to stop IP traffic from an unknown device, use port security instead.

Port Security
Port security is the more secure method of the two. To use it, map a switch port to the specific MAC address of the connected device (e.g., a workstation or server). The port must first be a static access port (switchport mode access); then, in interface configuration mode for each interface, enable port security and bind the address:

switchport port-security
switchport port-security mac-address mac-address

By default a secured port accepts one MAC address and shuts down (err-disables) on a violation; adjust those with switchport port-security maximum and switchport port-security violation {protect | restrict | shutdown}. If you would rather have the switch learn the address of the first device that connects and write it into the running configuration, use switchport port-security mac-address sticky, but remember to save the configuration afterward or the learned addresses are lost on reload.
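Both methods above start from the same documented inventory of interfaces and MAC addresses. The following is an added example, not code from the original article: a small Python generator that normalizes the MAC addresses as they usually appear in documentation (colon, dash, or Cisco dotted form), refuses an inventory that lists the same MAC on two ports or the same port twice, and emits either the per-interface port-security configuration or the MAC access list and its mac access-group application. The inventory rows, interface names, and MAC addresses are constructed samples; the ACL name is an assumption.

```python
"""Generate Cisco IOS port-security or MAC ACL configuration from a device inventory.

Added example, not part of the original article. Assumes an inventory of
(interface, MAC, description) rows, i.e. the "documentation of every MAC
address" the article calls for. All rows below are constructed samples.
"""
import re

# Constructed sample inventory: one authorized device per access port.
# The MACs are deliberately in the mixed notations found in real documentation.
INVENTORY = [
    ("FastEthernet0/1", "00:1A:2B:3C:4D:5E", "workstation-101"),
    ("FastEthernet0/2", "00-1a-2b-3c-4d-5f", "printer-floor2"),
    ("FastEthernet0/3", "001a.2b3c.4d60", "fileserver"),
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def to_cisco_mac(mac: str) -> str:
    """Normalize any common MAC notation to Cisco dotted form (aabb.ccdd.eeff)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def check_inventory(rows):
    """Normalize MACs and reject duplicates before generating any config.

    A MAC documented on two ports is either a documentation error or a cloned
    address; either way it must be resolved, not configured.
    """
    seen_macs, seen_ifaces, normalized = {}, set(), []
    for iface, mac, desc in rows:
        cmac = to_cisco_mac(mac)
        if iface in seen_ifaces:
            raise ValueError(f"interface {iface} listed twice")
        if cmac in seen_macs:
            raise ValueError(f"MAC {cmac} listed on both {seen_macs[cmac]} and {iface}")
        seen_ifaces.add(iface)
        seen_macs[cmac] = iface
        normalized.append((iface, cmac, desc))
    return normalized


def port_security_config(rows, violation="shutdown"):
    """Per-interface port security: exactly one static secure MAC per port."""
    lines = []
    for iface, cmac, desc in check_inventory(rows):
        lines += [
            f"interface {iface}",
            f" description {desc}",
            " switchport mode access",  # port security needs a static access port
            " switchport port-security",
            " switchport port-security maximum 1",
            f" switchport port-security mac-address {cmac}",
            f" switchport port-security violation {violation}",
            "!",
        ]
    return "\n".join(lines)


def mac_acl_config(rows, acl_name="AUTHORIZED-HOSTS"):
    """MAC ACL permitting only the documented source MACs, applied inbound on
    every listed port. Caveat from the article: on many Catalyst platforms a
    MAC ACL matches only non-IP traffic, so this is weaker than port security."""
    normalized = check_inventory(rows)
    lines = [f"mac access-list extended {acl_name}"]
    lines += [f" permit host {cmac} any" for _, cmac, _ in normalized]
    lines.append("!")
    for iface, _, _ in normalized:
        lines += [f"interface {iface}", f" mac access-group {acl_name} in", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(port_security_config(INVENTORY))
    print(mac_acl_config(INVENTORY))
```

Paste the generated text into configuration mode (or push it with your configuration-management tool), then verify with show port-security interface and show mac access-group. The duplicate check is the step worth keeping: the same MAC appearing on two ports in your documentation is exactly the kind of inconsistency that later turns into an unexplained err-disabled port.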

Final thoughts

I highly recommend enabling some type of port security for your organization's network. The MAC address entries will either come from your network documentation or force you to properly document your network. Properly documenting your network is always a step toward a more secure network.

Port security is another layer in a defense-in-depth strategy. Without it, you don't really have control over what is connected to your network--unless, of course, you can physically see every device connected to it.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.


We have attempted to use the MAC address group method, but it does not appear to work. We were able to plug in another device and IP traffic flowed with no problem. We are attempting to prevent lab systems from accidentally being plugged in to ports that connect to our production system. (The lab exactly duplicates production in IP subnet, OSPF settings, etc.) Someone remembers finding some discussions which say that port security does not prevent IP-based traffic.


Can anybody help me, as I am doing my project on "how to implement port-based security"? Thanks, Kumar
