
Port Security

Restrictions for Port Security

• The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
• Port security is not supported on EtherChannel interfaces.
• Port security is not supported on private VLAN ports.

Information About Port Security


Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying
MAC addresses of the stations allowed to access the port. When you assign secure MAC
addresses to a secure port, the port does not forward packets with source addresses outside
the group of defined addresses. If you limit the number of secure MAC addresses to one and
assign a single secure MAC address, the workstation attached to that port is assured the full
bandwidth of the port.
If a port is configured as a secure port and the maximum number of secure MAC addresses is
reached, when the MAC address of a station attempting to access the port is different from any
of the identified secure MAC addresses, a security violation occurs. Also, if a station with a
secure MAC address configured or learned on one secure port attempts to access another
secure port, a violation is flagged.

Types of Secure MAC Addresses


The switch supports these types of secure MAC addresses:
• Static secure MAC addresses: These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
• Dynamic secure MAC addresses: These are dynamically configured, stored only in the address table, and removed when the switch restarts.
• Sticky secure MAC addresses: These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.

Sticky Secure MAC Addresses


You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. The interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All sticky secure MAC addresses are added to the running configuration.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

www.cisco.com/port security

Security Violations
It is a security violation when one of these situations occurs:
• The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
• Running diagnostic tests with port security enabled.
You can configure the interface for one of these violation modes, based on the action to be taken if a violation occurs:
• protect: When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note: We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

• restrict: When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown: A port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
• shutdown vlan: Sets the security violation mode per VLAN. In this mode, the VLAN is error-disabled instead of the entire port when a violation occurs.

This table shows the violation mode and the actions taken when you configure an interface for port security.

Table 1. Security Violation Mode Actions

Violation mode | Traffic is forwarded (1) | Sends SNMP trap | Sends syslog message | Displays error message (2) | Violation counter increments | Shuts down port
protect | No | No | No | No | No | No
restrict | No | Yes | Yes | No | Yes | No
shutdown | No | Yes | Yes | No | Yes | Yes
shutdown vlan | No | Yes | Yes | No | Yes | No (3)

(1) Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
(2) The switch returns an error message if you manually configure an address that would cause a security violation.
(3) Shuts down only the VLAN on which the violation occurred.
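A detection-side example added here (not part of the original page): the restrict and shutdown modes log a syslog message, so a collector can use those messages to tell the modes apart, to spot ports that went error-disabled, and to catch the cross-port condition listed above (the same address tripping more than one secure port). The sample lines are constructed for this example and modeled on the IOS %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE message formats; the host name, sequence numbers, ports and MAC addresses are invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog output (not a real capture). The message bodies
# follow the IOS PSECURE_VIOLATION / ERR_DISABLE / ERR_RECOVER format.
SAMPLE_SYSLOG = """\
Mar 10 09:14:02 sw-floor2 1842: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0007 on port GigabitEthernet1/0/5.
Mar 10 09:14:02 sw-floor2 1843: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
Mar 10 09:20:11 sw-floor2 1851: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0009 on port GigabitEthernet1/0/12.
Mar 10 09:20:41 sw-floor2 1852: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0009 on port GigabitEthernet1/0/12.
Mar 10 09:21:15 sw-floor2 1853: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0009 on port GigabitEthernet1/0/12.
Mar 10 09:25:00 sw-floor2 1860: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi1/0/5
Mar 10 09:31:33 sw-floor2 1871: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0007 on port GigabitEthernet1/0/9.
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-fA-F.]+) on port (?P<port>\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)
RECOVER_RE = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation "
    r"err-disable state on (?P<port>\S+)"
)

# The two message families spell the interface differently; normalise to the
# short form so "GigabitEthernet1/0/5" and "Gi1/0/5" become one key.
LONG_TO_SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_port(name):
    for long_name, short_name in LONG_TO_SHORT.items():
        if name.startswith(long_name):
            return short_name + name[len(long_name):]
    return name


def analyze(syslog_text, repeat_threshold=3):
    """Summarise port-security events from syslog text."""
    violations = Counter()          # (port, mac) -> number of violation messages
    err_disabled, recovered = set(), set()
    mac_ports = defaultdict(set)    # mac -> secure ports it violated on
    for line in syslog_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            port = short_port(m.group("port"))
            violations[(port, m.group("mac"))] += 1
            mac_ports[m.group("mac")].add(port)
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            err_disabled.add(short_port(m.group("port")))
            continue
        m = RECOVER_RE.search(line)
        if m:
            recovered.add(short_port(m.group("port")))
    violating_ports = {port for port, _ in violations}
    return {
        "violations": dict(violations),
        "err_disabled": err_disabled,            # shutdown-mode ports that tripped
        "recovered": recovered,                   # errdisable recovery kicked in
        # Violations without an err-disable for the port: restrict or shutdown
        # vlan mode, so the offender is still plugged in and being dropped.
        "not_errdisabled": violating_ports - err_disabled,
        # One MAC tripping several secure ports: a device moved, or a spoofed
        # address (the cross-port violation condition from the text above).
        "roaming_macs": {mac: ports for mac, ports in mac_ports.items() if len(ports) > 1},
        # Same MAC hammering one port: usually a legitimate device on the wrong
        # port or behind a hub, worth a ticket rather than an incident.
        "repeat_offenders": {k: n for k, n in violations.items() if n >= repeat_threshold},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```

Ports in `not_errdisabled` are the ones to check with show port-security interface: in restrict mode the counter keeps climbing while the unknown station stays connected, and nothing but the log tells you.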

Port Security Aging

You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port:

• Absolute: The secure addresses on the port are deleted after the specified aging time.
• Inactivity: The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.

For example, with an aging time of 120 minutes, a learned MAC address is removed after 2 hours (absolute aging), or after 2 hours with no traffic from that address (inactivity aging). If the port allows a maximum of two addresses, has already learned two, and uses the default shutdown violation mode, a frame from a third MAC address err-disables the port; but once one of the two learned addresses has aged out, the port can learn the new address without a violation.
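The violation modes and the two aging types above, as a small reference model added here (written for this page, not switch code and not from the original document). Times are minutes, the addresses are made up, and the model tracks only dynamically learned addresses, since the page states that sticky addresses are never aged and static addresses only with the aging static option:

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Reference model of one secure port (assumption: behaviour as described
    in the text above; not an implementation from any switch)."""
    maximum: int = 1                 # Table 2 default
    violation: str = "shutdown"      # protect | restrict | shutdown
    aging_time: int = 0              # minutes; 0 means aging disabled
    aging_type: str = "absolute"     # absolute | inactivity
    secure: dict = field(default_factory=dict)   # mac -> {"learned": t, "last_seen": t}
    err_disabled: bool = False
    violation_count: int = 0

    def age(self, now):
        """Remove aged-out dynamic addresses; returns the MACs removed."""
        if self.aging_time == 0:
            return []
        removed = []
        for mac, ts in list(self.secure.items()):
            # absolute: clock starts when learned; inactivity: restarts on traffic
            ref = ts["learned"] if self.aging_type == "absolute" else ts["last_seen"]
            if now - ref >= self.aging_time:
                removed.append(mac)
                del self.secure[mac]
        return removed

    def frame(self, src_mac, now):
        """Handle one ingress frame; returns 'forward', 'drop' or 'errdisable'."""
        if self.err_disabled:
            return "drop"
        self.age(now)
        if src_mac in self.secure:
            self.secure[src_mac]["last_seen"] = now
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = {"learned": now, "last_seen": now}
            return "forward"
        # Maximum reached and unknown source address: a security violation.
        if self.violation == "protect":
            return "drop"                    # silent: no counter, no trap, no syslog
        self.violation_count += 1            # restrict and shutdown both count
        if self.violation == "restrict":
            return "drop"                    # known addresses keep forwarding
        self.err_disabled = True             # shutdown: whole port goes down
        return "errdisable"


def violation_demo(mode):
    """Two addresses allowed, three arrive; then a known address sends again."""
    p = SecurePort(maximum=2, violation=mode)
    results = [p.frame(m, 0) for m in ("0000.0000.000a", "0000.0000.000b", "0000.0000.000c")]
    results.append(p.frame("0000.0000.000a", 1))
    return results, p.violation_count, p.err_disabled


def aging_demo(aging_type):
    """Both addresses learned at t=0; only the first keeps talking. Returns the
    addresses still secure at t=125 and what happens to a new device at t=126."""
    p = SecurePort(maximum=2, aging_time=120, aging_type=aging_type)
    p.frame("0000.0000.000a", 0)
    p.frame("0000.0000.000b", 0)
    for t in (30, 60, 90):
        p.frame("0000.0000.000a", t)
    p.age(125)
    remaining = sorted(p.secure)
    return remaining, p.frame("0000.0000.000c", 126)


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, violation_demo(mode))
    for kind in ("absolute", "inactivity"):
        print(kind, aging_demo(kind))
```

With absolute aging both addresses are gone at 125 minutes even though one was active all along; with inactivity aging only the silent one is removed. In both cases the freed slot lets the new device in without a violation, which is the point of aging on ports where devices are swapped.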

Port Security and Switch Stacks

When a switch joins a stack, the new switch will get the configured secure addresses. All
dynamic secure addresses are downloaded by the new stack member from the other stack
members.

When a switch (either the active switch or a stack member) leaves the stack, the remaining
stack members are notified, and the secure MAC addresses configured or learned by that
switch are deleted from the secure MAC address table.

Default Port Security Configuration

Table 2. Default Port Security Configuration

Feature | Default Setting
Port security | Disabled on a port.
Sticky address learning | Disabled.
Maximum number of secure MAC addresses per port | 1.
Violation mode | Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Port security aging | Disabled. Aging time is 0. Static aging is disabled. Type is absolute.

Port Security Configuration Guidelines

• Port security can only be configured on static access ports or trunk ports. A secure port cannot be a dynamic access port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed.
• When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
• When a trunk port configured with port security is assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic, entering the switchport voice and switchport priority extend interface configuration commands has no effect. When a connected device uses the same MAC address to request an IP address for the access VLAN and then an IP address for the voice VLAN, only the access VLAN is assigned an IP address.
• When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
• The switch does not support port security aging of sticky secure MAC addresses.
This table summarizes port security compatibility with other port-based features.

Table 3. Port Security Compatibility with Other Switch Features

Type of Port or Feature on Port | Compatible with Port Security
DTP (Dynamic Trunking Protocol) port | No
Trunk port | Yes
Dynamic-access port | No
Routed port | No
SPAN source port | Yes
SPAN destination port | No
EtherChannel | No
Tunneling port | Yes
Protected port | Yes
IEEE 802.1x port | Yes
Voice VLAN port | Yes
IP source guard | Yes
Dynamic Address Resolution Protocol (ARP) inspection | Yes
Flex Links | Yes
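An audit script added here (written for this page; it is not Cisco tooling and not from the original document) that checks each interface stanza of show running-config output against the guidelines and the compatibility table above: no static access or trunk mode, a voice VLAN with the default maximum of 1, protect mode on a trunk, sticky addresses that exist only in the running configuration, aging combined with sticky learning, and port security on an EtherChannel member or routed port. The running-config excerpt is constructed for the example and the finding codes are this script's own names.

```python
import re

# Constructed 'show running-config' excerpt (not captured from a real switch);
# interface names, VLANs and MAC addresses are made up for this example.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 22
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 50
 switchport port-security violation protect
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security aging time 120
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.0000.0001
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 channel-group 1 mode active
!
interface GigabitEthernet1/0/5
 switchport mode access
!
"""

MAXIMUM_RE = re.compile(r"^switchport port-security maximum (\d+)$")      # port-wide only
VIOLATION_RE = re.compile(r"^switchport port-security violation (\S+)")
STICKY_ADDR_RE = re.compile(r"^switchport port-security mac-address sticky \S+")


def parse_interfaces(config_text):
    """Split running-config text into {interface name: [stripped config lines]}."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif not line or line.startswith("!"):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_interface(lines):
    """Apply the guideline checks to one interface; returns finding codes in order."""
    if "switchport port-security" not in lines:
        return ["NOT_SECURED"]
    mode, maximum, violation = None, 1, "shutdown"       # Table 2 defaults
    voice_vlan = sticky_on = aging = etherchannel = routed = False
    sticky_addrs = 0
    for l in lines:
        if l.startswith("switchport mode "):
            mode = l.split()[2]                          # access, trunk, dynamic
        elif MAXIMUM_RE.match(l):
            maximum = int(MAXIMUM_RE.match(l).group(1))
        elif VIOLATION_RE.match(l):
            violation = VIOLATION_RE.match(l).group(1)
        elif l.startswith("switchport voice vlan"):
            voice_vlan = True
        elif l == "switchport port-security mac-address sticky":
            sticky_on = True
        elif STICKY_ADDR_RE.match(l):
            sticky_addrs += 1
        elif l.startswith("switchport port-security aging"):
            aging = True
        elif l.startswith("channel-group"):
            etherchannel = True
        elif l == "no switchport":
            routed = True
    findings = []
    if routed:
        findings.append("ROUTED_PORT")                   # Table 3: not compatible
    elif mode not in ("access", "trunk"):
        findings.append("NO_STATIC_MODE")                # default dynamic auto is not allowed
    if voice_vlan and maximum < 2:
        findings.append("VOICE_MAX_TOO_LOW")             # phone plus PC need two
    if violation == "protect" and mode == "trunk":
        findings.append("PROTECT_ON_TRUNK")              # per-VLAN limit stops learning
    if sticky_addrs:
        findings.append("STICKY_UNSAVED")                # lost unless copied to startup-config
    if aging and sticky_on:
        findings.append("AGING_WITH_STICKY")             # sticky addresses are never aged
    if etherchannel:
        findings.append("ETHERCHANNEL")                  # not supported on EtherChannel
    return findings


def audit(config_text):
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RUNNING_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

STICKY_UNSAVED cannot be confirmed from the running configuration alone; treat it as a prompt to diff against show startup-config, since the page notes that sticky addresses are lost on reload unless saved.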

How to Configure Port Security

Enabling and Configuring Port Security

Before you begin


This task restricts input to an interface by limiting and identifying MAC addresses of the stations
allowed to access the port:

Procedure

Step 1: enable
Example: Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: interface interface-id
Example: Device(config)# interface gigabitethernet1/0/1
Purpose: Specifies the interface to be configured, and enters interface configuration mode.

Step 4: switchport mode {access | trunk}
Example: Device(config-if)# switchport mode access
Purpose: Sets the interface switchport mode as access or trunk; an interface in the default mode (dynamic auto) cannot be configured as a secure port.

Step 5: switchport voice vlan vlan-id
Example: Device(config-if)# switchport voice vlan 22
Purpose: Enables voice VLAN on a port. vlan-id specifies the VLAN to be used for voice traffic.

Step 6: switchport port-security
Example: Device(config-if)# switchport port-security
Purpose: Enables port security on the interface.
Note: Under certain conditions, when port security is enabled on the member ports in a switch stack, DHCP and ARP packets can be dropped. To resolve this, configure a shutdown and no shutdown on the interface.

Step 7: switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
Example: Device(config-if)# switchport port-security maximum 20
Purpose: (Optional) Sets the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
(Optional) vlan sets a per-VLAN maximum value. Enter one of these options after the vlan keyword:
• vlan-list: On a trunk port, you can set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
• access: On an access port, specifies the VLAN as an access VLAN.
• voice: On an access port, specifies the VLAN as a voice VLAN.
Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

Step 8: switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
Example: Device(config-if)# switchport port-security violation restrict
Purpose: (Optional) Sets the violation mode, the action to be taken when a security violation is detected, as one of these:
• protect: When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
Note: We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
• restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown: The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown vlan: Sets the security violation mode per VLAN. In this mode, the VLAN is error-disabled instead of the entire port when a violation occurs.
Note: When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.

Step 9: switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]
Example: Device(config-if)# switchport port-security mac-address 00:A0:C7:12:C9:25 vlan 3 voice
Purpose: (Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
Note: If you enable sticky learning after you enter this command, the secure addresses that were dynamically learned are converted to sticky secure MAC addresses and are added to the running configuration.
(Optional) vlan specifies the VLAN the address belongs to. Enter one of these options after the vlan keyword:
• vlan-id: On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.
• access: On an access port, specifies the VLAN as an access VLAN.
• voice: On an access port, specifies the VLAN as a voice VLAN.
Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

Step 10: switchport port-security mac-address sticky
Example: Device(config-if)# switchport port-security mac-address sticky
Purpose: (Optional) Enables sticky learning on the interface.

Step 11: switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]
Example: Device(config-if)# switchport port-security mac-address sticky 00:A0:C7:12:C9:25 vlan voice
Purpose: (Optional) Enters a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running configuration.
Note: If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address.
(Optional) vlan specifies the VLAN the address belongs to. Enter one of these options after the vlan keyword:
• vlan-id: On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.
• access: On an access port, specifies the VLAN as an access VLAN.
• voice: On an access port, specifies the VLAN as a voice VLAN.
Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN.

Step 12: end
Example: Device(config-if)# end
Purpose: Returns to privileged EXEC mode.

Step 13: show port-security
Example: Device# show port-security
Purpose: Verifies your entries.

Step 14: show running-config
Example: Device# show running-config
Purpose: Verifies your entries.

Step 15: copy running-config startup-config
Example: Device# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Enabling and Configuring Port Security Aging

Use this feature to remove and add devices on a secure port without manually deleting the
existing secure MAC addresses and to still limit the number of secure addresses on a port. You
can enable or disable the aging of secure addresses on a per-port basis.

Procedure

Step 1: enable
Example: Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: interface interface-id
Example: Device(config)# interface gigabitethernet1/0/1
Purpose: Specifies the interface to be configured, and enters interface configuration mode.

Step 4: switchport port-security aging {static | time time | type {absolute | inactivity}}
Example: Device(config-if)# switchport port-security aging time 120
Purpose: Enables or disables static aging for the secure port, or sets the aging time or type.
Note: The switch does not support port security aging of sticky secure addresses.
Enter static to enable aging for statically configured secure addresses on this port.
For time, specify the aging time for this port. The valid range is from 0 to 1440 minutes.
For type, select one of these keywords:
• absolute: Sets the aging type as absolute aging. All the secure addresses on this port age out exactly after the time (minutes) specified lapses and are removed from the secure address list.
• inactivity: Sets the aging type as inactivity aging. The secure addresses on this port age out only if there is no data traffic from the secure source addresses for the specified time period.

Step 5: end
Example: Device(config-if)# end
Purpose: Returns to privileged EXEC mode.

Step 6: show port-security [interface interface-id] [address]
Example: Device# show port-security interface gigabitethernet1/0/1
Purpose: Verifies your entries.

Step 7: show running-config
Example: Device# show running-config
Purpose: Verifies your entries.

Step 8: copy running-config startup-config
Example: Device# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Configuration Examples for Port Security

This example shows how to enable port security on a port and to set the maximum
number of secure addresses to 50. The violation mode is the default, no static secure
MAC addresses are configured, and sticky learning is enabled.

Device(config)# interface gigabitethernet1/0/1
Device(config-if)# switchport mode access
Device(config-if)# switchport port-security
Device(config-if)# switchport port-security maximum 50
Device(config-if)# switchport port-security mac-address sticky

This example shows how to configure a static secure MAC address on VLAN 3 on a
port:

Device(config)# interface gigabitethernet1/0/2
Device(config-if)# switchport mode trunk
Device(config-if)# switchport port-security
Device(config-if)# switchport port-security mac-address 0000.0200.0004 vlan 3

This example shows how to enable sticky port security on a port, to manually configure
MAC addresses for data VLAN and voice VLAN, and to set the total maximum number
of secure addresses to 20 (10 for data VLAN and 10 for voice VLAN).

Device(config)# interface tengigabitethernet1/0/1
Device(config-if)# switchport access vlan 21
Device(config-if)# switchport mode access
Device(config-if)# switchport voice vlan 22
Device(config-if)# switchport port-security
Device(config-if)# switchport port-security maximum 20
Device(config-if)# switchport port-security violation restrict
Device(config-if)# switchport port-security mac-address sticky
Device(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Device(config-if)# switchport port-security mac-address 0000.0000.0003
Device(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Device(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
Device(config-if)# switchport port-security maximum 10 vlan access
Device(config-if)# switchport port-security maximum 10 vlan voice
