Port security is just another way network engineers can lock down their network by using the variety of switchport security settings offered on Cisco switching equipment. This article will discuss locking down ports on Cisco switches on a layer 2 level. ACLs focus on source/destination IP addresses on the layer 3 side, while switchport security settings allow you to control which layer 2 MAC addresses are allowed to connect to a certain switch port. Learning this is key to being a successful engineer and working your way up to a CCNA.

Mac Address Tables

Just as a quick reminder, remember the sh mac address command will give you a quick summary of each switch port and any MAC addresses associated with it. If two switches are connected together, you will see all the MAC addresses from the devices connected to the other switch under the single switch-to-switch connection. You will also see the MAC address of the switch port. Generally speaking, you will only see switch port MAC addresses when switches are connected together, not when an end device is connected to a switch port.

Looking at Switch0 you can see multiple MAC addresses on port 1. One is for the switch-to-switch connection, and the other MAC is for the end device- PC0.

Switch Port Violation Summary

There are three violation modes that can be enforced when setting switch port security settings. They are optional, as switch port security can be enabled with default settings as discussed in the section Enabling Port-Security.

1. You can override the default maximum number of allowed MAC addresses associated with an interface by using the switchport port-security maximum ${number} interface subcommand.

2. You can override the default action to take upon a security violation (shutdown) using the switchport port-security violation {protect | restrict | shutdown} interface subcommand.

3. Predefine any allowed source MAC addresses for this interface using the switchport port-security mac-address mac-address command. Use the command multiple times to define more than one MAC address.

4. You can tell the switch to “sticky learn” dynamically learned MAC addresses with the switchport port-security mac-address sticky interface subcommand.

Setting Switch Port to Access Mode

To configure switch port security, go to global configuration mode and then interface configuration mode to configure the switch port as an access port. You cannot configure a switch port as a trunk port and enforce switch port security settings on it. In the following example, I am going to configure Switch1 interface fa0/1 as an access port and I will enable switchport port-security on the interface without editing the default port security settings.

Switch1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#int fa0/1
Switch1(config-if)#switchport mode access 

Enabling Port-Security

Default Port-Security Settings

There are a variety of settings you can apply to port-security but for the first example, let’s go with the defaults. Let’s use the show port-security command on interface fa0/1 on Switch1 (priv exec mode) to see what the default settings are.

Switch1#show port-security int fa0/1
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

The defaults for port security show that the default action taken upon a security violation is to disable the interface (shutdown) and that a maximum of 1 MAC address is allowed on the port. You cannot use this default configuration on a switch-to-switch connection obviously because a switch will have more MAC addresses than 1. Let’s enable the defaults on int fa0/1 and review the port security settings. Make sure to ping another PC to send a data frame through the switch so it can dynamically learn your MAC before verifying the switch port security settings like we do below. Remember that to actually enable port security, you need to run the switchport port-security command with no arguments. I usually run this command after I’ve configured all the interface security settings.

Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#int fa0/1
Switch1(config-if)#switchport port-security 
Switch1#sh port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0001.96C2.1D89:1
Security Violation Count   : 0

 

Let’s now create a new PC and try to connect it to Fa0/1 of Switch1. Can you predict what should happen?

Switch1#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

It doesn’t appear that the switch interface is in shutdown mode. Why is that? This is because the default specifies that only a single MAC address can be connected to the interface not multiple. The default setting doesn’t even specify WHICH mac address can only be connected, only that a single MAC can be connected at any given time. The interface would shut down if we connected a switch to that interface and another device since there would be 2 active MAC connections on that switch port (one MAC for the switch-to-switch connection and the MAC for the PC on the switch).

Interface Administratively Down

Switch1#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

You can check the MAC address table after the shut down and only see a single MAC (of the network switch and not the PC).

Switch#sh mac address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0007.ec12.8601    DYNAMIC     Fa0/2

You can also see the interface port security information and see that the port is shut down.

Switch#sh port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0001.96C2.1D89:1
Security Violation Count   : 1

Lets change the default port-security settings to expand the allowed of MAC addresses on int fa0/1. Once you are done changing these settings, shut down the interface and then turn on the interface to get the interface back up.

Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#shutdown

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
Switch(config-if)#no shutdown

Switch(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Let’s review the MAC address table now. It should show us both the switch2 MAC address and PC0.

Switch#sh mac address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.96c2.1d89    STATIC      Fa0/1
   1    000a.f382.6ce8    DYNAMIC     Fa0/2
   1    00d0.973e.4001    STATIC      Fa0/1

Remember- we haven’t assigned which MAC addresses should be allowed on the port. We have only configured the maximum number of MAC addresses allowed on the port. Lets disable port security on that port and then set the port security settings to dynamically learn 3 MAC addresses (using sticky command) and then add another PC to the mix.

Switch(config-if)#no switchport port-security
Switch(config-if)#do sh port-security int fa0/1
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00D0.973E.4001:1
Security Violation Count   : 0

Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
Switch(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#do sh port-security int fa0/1
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 3
Last Source Address:Vlan   : 00D0.973E.4001:1
Security Violation Count   : 0

Switch(config-if)#switchport port-security 

Now we have allowed a max of 3 MAC addresses on Fa0/1 on Switch1. We have configured the switch to dynamically learn the 3 MAC addresses allowed to communicate on that port.

Restrict and Protect Modes

Instead of setting the violation mode to shutdown mode, we can use two other modes called restrict mode and protect modes. Protect mode simply discards offending traffic and does not log SNMP messages, it doesn’t increment the violation counter on show port-security and it doesn’t put the interface in an err-disabled state (only shutdown mode does this).

Restrict mode also discards offending traffic but it logs violations. Restrict mode is good if you want visibility over what violations are taking place on an interface and protect mode is if you want to set it and forget it. Once you are on interface configuration mode you can set the violation sub command as shown below:

Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
Switch(config-if)#switchport port-security violation