Port security is just another way network engineers can lock down their network by using the variety of switchport security settings offered on Cisco switching equipment. This article will discuss locking down ports on Cisco switches on a layer 2 level. ACLs focus on source/destination IP addresses on the layer 3 side, while switchport security settings allow you to control which layer 2 MAC addresses are allowed to connect to a certain switch port. Learning this is key to being a successful engineer and working your way up to a CCNA.
Mac Address Tables
Just as a quick reminder, the sh mac address-table command gives you a quick summary of each switch port and any MAC addresses associated with it. If two switches are connected together, you will see all the MAC addresses of the devices connected to the other switch listed under the single switch-to-switch port. You will also see the MAC address of the switch port itself. Generally speaking, you will only see switch port MAC addresses when switches are connected together, not when an end device is connected to a switch port.
Switch Port Violation Summary
There are three violation modes that can be enforced when configuring switch port security. The settings below are all optional, as switch port security can be enabled with its default settings, as discussed in the section Enabling Port-Security.
1. You can override the default maximum number of allowed MAC addresses associated with an interface by using the switchport port-security maximum ${number} interface subcommand.
2. You can override the default action to take upon a security violation (shutdown) using the switchport port-security violation {protect | restrict | shutdown} interface subcommand.
3. Predefine any allowed source MAC addresses for this interface using the switchport port-security mac-address mac-address command. Use the command multiple times to define more than one MAC address.
4. You can tell the switch to “sticky learn” dynamically learned MAC addresses with the switchport port-security mac-address sticky interface subcommand.
Setting Switch Port to Access Mode
To configure switch port security, go to global configuration mode and then interface configuration mode to configure the switch port as an access port. You cannot configure a switch port as a trunk port and enforce switch port security settings on it. In the following example, I am going to configure Switch1 interface fa0/1 as an access port and I will enable switchport port-security on the interface without editing the default port security settings.
Switch1#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#int fa0/1
Switch1(config-if)#switchport mode access
Enabling Port-Security
Default Port-Security Settings
There are a variety of settings you can apply to port-security but for the first example, let’s go with the defaults. Let’s use the show port-security command on interface fa0/1 on Switch1 (priv exec mode) to see what the default settings are.
Switch1#show port-security int fa0/1
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
The defaults for port security show that the default action taken upon a security violation is to disable the interface (shutdown) and that a maximum of 1 MAC address is allowed on the port. You obviously cannot use this default configuration on a switch-to-switch connection, because a switch will have more MAC addresses than 1 behind it. Let’s enable the defaults on int fa0/1 and review the port security settings. Make sure to ping another PC first so a data frame passes through the switch and it can dynamically learn your MAC before you verify the switch port security settings, as we do below. Remember that to actually enable port security, you need to run the switchport port-security command with no arguments. I usually run this command after I’ve configured all the other interface security settings.
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#int fa0/1
Switch1(config-if)#switchport port-security
Switch1#sh port-security int fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.96C2.1D89:1
Security Violation Count : 0
Let’s now create a new PC and try to connect it to Fa0/1 of Switch1. Can you predict what should happen?
Switch1#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
It doesn’t appear that the switch interface is in shutdown mode. Why is that? Because the default only specifies that a single MAC address can be connected to the interface at a time, not multiple. The default setting doesn’t even specify WHICH MAC address may connect, only that a single MAC can be connected at any given time. The interface would shut down if we connected a switch to that interface along with another device, since there would then be 2 active MAC addresses on that switch port (one MAC for the switch-to-switch connection and the MAC for the PC on the switch).
Interface Administratively Down
Switch1#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
If you check the MAC address table after the shutdown, you only see a single MAC (that of the network switch, not the PC).
Switch#sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0007.ec12.8601 DYNAMIC Fa0/2
You can also see the interface port security information and see that the port is shut down.
Switch#sh port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.96C2.1D89:1
Security Violation Count : 1
Let’s change the default port-security settings to expand the number of allowed MAC addresses on int fa0/1. Once you are done changing these settings, shut down the interface and then turn it back on to bring the interface back up.
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
Switch(config-if)#no shutdown
Switch(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Let’s review the MAC address table now. It should show us both the Switch2 MAC address and PC0’s.
Switch#sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0001.96c2.1d89 STATIC Fa0/1
1 000a.f382.6ce8 DYNAMIC Fa0/2
1 00d0.973e.4001 STATIC Fa0/1
Remember, we haven’t assigned which MAC addresses should be allowed on the port; we have only configured the maximum number of MAC addresses allowed on it. Let’s disable port security on that port, set the port security settings to dynamically learn 3 MAC addresses (using the sticky command), and then add another PC to the mix.
Switch(config-if)#no switchport port-security
Switch(config-if)#do sh port-security int fa0/1
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00D0.973E.4001:1
Security Violation Count : 0
Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
Switch(config-if)#switchport port-security mac-address ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#do sh port-security int fa0/1
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 3
Last Source Address:Vlan : 00D0.973E.4001:1
Security Violation Count : 0
Switch(config-if)#switchport port-security
Now we have allowed a max of 3 MAC addresses on Fa0/1 on Switch1. We have configured the switch to dynamically learn the 3 MAC addresses allowed to communicate on that port.
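As an added example that is not part of the original article, here is a small Python audit of the show port-security interface output format used throughout this walkthrough: it parses the key/value lines and reports the states a defender cares about (err-disabled after a violation, the violation count and last offending MAC, and a port that accepts any MAC because nothing is configured or sticky-learned). The sample output is constructed from the page’s own fields; the assumption that protect mode is displayed as Protect (mirroring Shutdown) is mine.

```python
# Added example: audit the 'show port-security interface' output format used above.
# Constructed sample, same field layout as the page's 'sh port-security int fa0/1'.
SAMPLE_SHUTDOWN = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.96C2.1D89:1
Security Violation Count : 1
"""

def parse_port_security(text: str) -> dict:
    """Turn 'Key : Value' lines into a dict; split on the first ' : ' so the
    'Last Source Address:Vlan' key and its 'MAC:VLAN' value survive intact."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields

def audit_port(fields: dict) -> list:
    """Return the findings a reviewer would want to see for one interface."""
    findings = []
    enabled = fields.get("Port Security") == "Enabled"
    if not enabled:
        findings.append("port-security not enabled")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("err-disabled after a violation; recover with shutdown / no shutdown")
    violations = int(fields.get("Security Violation Count", "0"))
    if violations > 0:
        last = fields.get("Last Source Address:Vlan", "unknown")
        findings.append(f"{violations} violation(s); last offending MAC:VLAN {last}")
    maximum = int(fields.get("Maximum MAC Addresses", "0"))
    pinned = (int(fields.get("Configured MAC Addresses", "0"))
              + int(fields.get("Sticky MAC Addresses", "0")))
    if enabled and pinned == 0:
        findings.append(f"no configured or sticky MACs: any {maximum} address(es) accepted")
    # Assumption: protect mode displays as 'Protect', mirroring the page's 'Shutdown'.
    if fields.get("Violation Mode", "").lower() == "protect":
        findings.append("protect mode: violations dropped silently and not counted")
    return findings
```

Run audit_port(parse_port_security(...)) over the output of each access port to spot err-disabled ports and ports that are enabled but never pinned to a MAC.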
Restrict and Protect Modes
Instead of setting the violation mode to shutdown, we can use two other modes called restrict mode and protect mode. Protect mode simply discards offending traffic: it does not log SNMP messages, it doesn’t increment the violation counter in show port-security, and it doesn’t put the interface in an err-disabled state (only shutdown mode does this).
Restrict mode also discards offending traffic, but it logs the violations. Restrict mode is good if you want visibility into what violations are taking place on an interface; protect mode is for when you want to set it and forget it. Once you are in interface configuration mode, you can set the violation subcommand as shown below:
Switch(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
Switch(config-if)#switchport port-security violation