Port security filters traffic destined to or received from a specific host, based on the host's MAC address.
The port security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port; you can also use logging traps, which will notify you that the violation has occurred.
By default there is no limit to the number of MAC addresses a switch can learn on an interface and all MAC addresses are allowed. If we want we can change this behavior with port security.
- By default, routers and switches do not perform security checks against any device that connects to them.
- By default, routers and switches will forward any frame/packet received on an interface if:
- The appropriate protocol is enabled on the ingress interface
- The appropriate forwarding tables or trees exist
After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC address for the port manually or have the port dynamically configure the MAC address of the connected devices. Out of a maximum allocated number of MAC addresses on a port, you can manually configure all, allow all to be autoconfigured, or configure some manually and allow the rest to be autoconfigured. Once you manually configure or autoconfigure the addresses, they are stored in nonvolatile RAM (NVRAM) and are maintained after a reset.
When you manually change the maximum number of MAC addresses that are associated to a port greater than the default value and then manually enter the authorized MAC addresses, any remaining MAC addresses are automatically configured. For example, if you configure the port security for a port to have a maximum of ten MAC addresses but add only two MAC addresses, the next eight new source MAC addresses that are received on that port are added to the secured MAC address list for the port.
After you allocate a maximum number of MAC addresses on a port, you can also specify how long the addresses on the port will remain secure. After the age time expires, the MAC addresses on the port become insecure. By default, all addresses on a port are secured permanently.
Port Security Violation.
If a security violation occurs, you can configure the port to respond in one of three ways: protect, restrict, or shutdown.
- Protect: Ethernet frames from MAC addresses that are not allowed will be dropped but you won’t receive any logging information.
- Restrict: Ethernet frames from MAC addresses that are not allowed will be dropped but you will see logging information and an SNMP trap is sent.
- Shutdown: Ethernet frames from MAC addresses that are not allowed will cause the interface to go to an err-disable state. You will see logging information and an SNMP trap is sent. For recovery you have two options:
- Manual: recover the interface yourself with a “shutdown” and “no shutdown”.
- Automatic: use the errdisable recovery commands to enable and tune automatic recovery.
Port Security Configuration.
Example 1: let's say we want to allow only one MAC address on a port.
Switch(config)#interface fa0/10
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
In the diagram above there are two PCs connected behind fa0/10, so as soon as this command is configured the switch shuts the port down and logs the error, because only one MAC address is allowed.
SwitchA#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/10, putting Fa0/10 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0e90.ca0d.96dc on port FastEthernet0/10.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to down
Example 2: let's say we want to bind one specific MAC address to a port.
Switch(config)#interface fa0/10
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address adbc:bcde:3acb
The MAC address bound to fa0/10 is for testing purposes and does not belong to any of the real devices in the diagram (PC-A and PC-B). Now let's see what happens: the port goes into error-disable, because a violation occurs as soon as a frame arrives whose source MAC address does not match the one configured on fa0/10.
Switch#show port-security interface fa0/10
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0d00.ce0e.50a3
Security Violation Count   : 1
Switch#show interfaces fa0/10
FastEthernet0/10 is down, line protocol is down (err-disabled)
As you can see above, the port is shut down and has been put in the error-disabled state. There are two ways to bring the port back up.
Manual means you have to bring the port back up yourself with a shutdown followed by a no shutdown; the example is given below.
Switch(config)#interface fa0/10
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Automatic means we can configure errdisable recovery so that the switch restores the port to the up state on its own. You can enable this with the following command:
Switch(config)#errdisable recovery cause psecure-violation
After 5 minutes (300 seconds) it will automatically recover from err-disable state. Make sure you solve the root cause behind the violation otherwise it will just have another violation and end up in err-disable state again. You can speed this up by changing the timer. Let’s set it to 10 seconds:
SW1(config)#errdisable recovery interval 10
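The syslog messages and the show port-security output in the examples above are what an operator (or a SIEM) actually sees when a violation happens. The following Python script is an added example, not code from the original page or from Cisco: it parses constructed copies of those messages to count violations per port and offending MAC, lists ports that were err-disabled for psecure-violation, and turns the show output into a dictionary so a port can be flagged for follow-up before the errdisable recovery timer silently brings it back up. The sample text and the "needs attention" rule (err-disabled, or a non-zero violation count) are assumptions for the example.

```python
import re

# Constructed sample syslog lines, modelled on the messages shown earlier on this page.
SAMPLE_SYSLOG = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/10, putting Fa0/10 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0e90.ca0d.96dc on port FastEthernet0/10.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to down
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0e90.ca0d.96dc on port FastEthernet0/10.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0d00.ce0e.50a3 on port FastEthernet0/10.
"""

# Constructed 'show port-security interface' output, modelled on the page's example.
SAMPLE_SHOW = """\
Switch#show port-security interface fa0/10
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0d00.ce0e.50a3
Security Violation Count   : 1
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>[A-Za-z]+\d+(?:/\d+)*)"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)


def parse_violations(syslog_text):
    """Count PSECURE_VIOLATION messages per port and offending MAC.

    Returns {port: {mac: count}}. Repeated hits from the same MAC on the
    same port usually mean a host that keeps retrying, so the count is
    more useful than a flat list of messages.
    """
    hits = {}
    for line in syslog_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            per_port = hits.setdefault(m.group("port"), {})
            per_port[m.group("mac")] = per_port.get(m.group("mac"), 0) + 1
    return hits


def errdisabled_ports(syslog_text):
    """Return the set of ports that %PM-4-ERR_DISABLE reported for psecure-violation."""
    return {m.group("port") for line in syslog_text.splitlines()
            for m in [ERRDISABLE_RE.search(line)] if m}


def parse_show_port_security(show_text):
    """Turn 'show port-security interface' output into a {field: value} dict.

    Lines are split on the first ' : ' so a key that itself contains a
    colon ('Last Source Address:Vlan') is kept intact; lines without the
    separator (the command prompt) are skipped.
    """
    fields = {}
    for line in show_text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def needs_attention(fields):
    """True if the port is err-disabled or has recorded at least one violation (assumed rule)."""
    status = fields.get("Port Status", "")
    count = int(fields.get("Security Violation Count", "0"))
    return status == "Secure-shutdown" or count > 0


if __name__ == "__main__":
    for port, macs in parse_violations(SAMPLE_SYSLOG).items():
        for mac, n in macs.items():
            print(f"{port}: {n} violation(s) from {mac}")
    print("err-disabled for psecure-violation:", sorted(errdisabled_ports(SAMPLE_SYSLOG)))
    print("fa0/10 needs attention:", needs_attention(parse_show_port_security(SAMPLE_SHOW)))
```

Feeding the script real syslog from a collector is the point: with automatic recovery enabled, a port that flaps between err-disabled and up every interval shows up here as a growing violation count for the same MAC, which is the signal that the root cause has not been fixed.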
Sticky MAC Addresses.
- Allows dynamic learning of allowed MAC addresses.
- MACs learned become part of the Running-Config
- If saved (write memory), sticky MACs persist as static, authorized MACs across a reload or power cycle.
Instead of typing in the MAC address ourselves, we can also let the switch learn the MAC address for port security:
Switch(config)#interface fa0/10
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address sticky
The sticky keyword will make sure that the switch uses the first MAC address that it learns on the interface for port security.
As shown below, the switch saves the learned MAC address in the running configuration by itself. Let's verify.
Switch#show run interface fa0/10
Building configuration...
Current configuration : 228 bytes
!
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky adbc:bcde:3acb
The complete configuration is given below.
Switch#show run interface fa0/10
interface FastEthernet0/10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
errdisable recovery cause psecure-violation
!
end
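A complete configuration like the one above is easy to check on one port and easy to get wrong across a whole access switch. The following Python script is an added example, not code from the original page or from Cisco: it parses the interface blocks of a constructed running-config excerpt and reports access ports that have no port security, that use the protect violation mode (which drops frames without any log or SNMP trap), or whose MAC maximum exceeds a hypothetical policy limit. The sample config, the policy limit of two addresses, and the rule that trunk ports are skipped are assumptions for the example; the IOS defaults it relies on (violation mode shutdown, maximum 1) match what the page describes.

```python
import re

# Constructed running-config excerpt (not from any real switch). FastEthernet0/10
# mirrors the page's complete configuration; the other ports show weaker settings.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security violation protect
!
interface FastEthernet0/12
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
errdisable recovery cause psecure-violation
errdisable recovery interval 10
!
end
"""


def parse_interfaces(config_text):
    """Return {interface_name: [indented config lines]} for every 'interface' block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("!"):
            current = None  # '!' closes the block in IOS running-config
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def audit_interface(lines, max_allowed=2):
    """Return a list of findings for one port (empty list means the port passes).

    max_allowed is a hypothetical policy value for a single-host access port.
    Trunk ports are skipped because port security is applied to access ports here.
    """
    findings = []
    if "switchport mode trunk" in lines:
        return findings
    if "switchport port-security" not in lines:
        findings.append("port-security not enabled")
        return findings
    mode = "shutdown"  # IOS default when no violation mode is configured
    maximum = 1        # IOS default maximum number of secure MAC addresses
    for line in lines:
        m = re.match(r"switchport port-security violation (\S+)", line)
        if m:
            mode = m.group(1)
        m = re.match(r"switchport port-security maximum (\d+)", line)
        if m:
            maximum = int(m.group(1))
    if mode == "protect":
        findings.append("violation mode 'protect' drops frames silently (no log, no SNMP trap)")
    if maximum > max_allowed:
        findings.append(f"maximum {maximum} exceeds policy limit of {max_allowed}")
    return findings


def audit_config(config_text, max_allowed=2):
    """Audit every interface block; returns {interface: [findings]} for ports with findings."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        findings = audit_interface(lines, max_allowed)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run it against the output of show running-config saved to a file; the report is empty for a switch whose access ports all match the page's configuration, and each line it prints names the port and the single setting to change.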
Port Security Aging Time.
Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
- Absolute: The secure addresses on that port are deleted after the specified aging time.
- Inactivity: The secure addresses on this port are deleted only if they have been inactive for the specified aging time. This feature is useful if you want to grant access only for a certain time.
Use the aging time to remove secure MAC addresses from a secure port without having to delete them manually. Aging time limits can also be increased to ensure that existing secure MAC addresses remain, even while new MAC addresses are added. Aging of statically configured secure addresses can be enabled or disabled on a per-port basis.
Now let’s see how we can configure it.
Switch(config)#interface fa0/10
Switch(config-if)#switchport port-security aging type absolute
Switch(config-if)#switchport port-security aging time 4