![switchport port security mac address sticky vlan access switchport port security mac address sticky vlan access](https://support.edge-core.com/hc/article_attachments/360033063613/mceclip6.png)
Port security supports the following key features: By preventing MACs from being added to the switch table, port security can prevent the switch from forwarding frames to those MACs on a port. Instead of automatically adding a Layer 2 switching table entry for the source MAC and port number, the switch considers the port security configuration and whether it allows that entry. To implement port security, the switch adds more logic to its normal process of examining incoming frames. It can also enforce a restriction for only certain MAC addresses to be reachable out the port. Switch port security monitors a port to restrict the number of MAC addresses associated with that port in the Layer 2 switching table.
![switchport port security mac address sticky vlan access switchport port security mac address sticky vlan access](https://s8182.pcdn.co/wp-content/uploads/2014/07/070214_1807_SwitchConce12.png)
BPDU Guard can also be enabled for all ports with PortFast enabled by configuring the spanning-tree portfast bpduguard enable global command, spanning-tree guard root spanning-tree bpduguard enable Port Security The last two interface commands enable Root Guard and BPDU Guard, per interface, respectively. Switchport mode access switchport nonegotiate ! The switchport mode access interface subcommand prevents the port from trunking, and the switchport nonegotiate command prevents any DTP messages from being sent or processed. ! The cdp run command keeps CDP enabled globally, but it has been disabled on ! fa0/1, the unused port. DTP has been disabled as well, and STP Root Guard and BPDU Guard are enabled.Įxample 18-7 Disabling CDP and DTP and Enabling Root Guard and BPDU Guard CDP has been disabled on the interface, but it remains enabled globally, on the presumption that some ports still need CDP enabled. In this example, fa0/1 is a currently unused port. For a brief review, Example 18-7 shows an example configuration on a Cisco 3550 switch, with each of these items configured and noted. The first three items in the list of best practices for unused and user ports are mostly covered in earlier chapters.