Port-Security in Cisco Switches


In this article I am going to show you the effect of port-security on switch ports. The topology is very simple and I am using only one switch with a number of PCs.

[Figure: PortSecurity topology diagram]

You use Port-Security

  • When you want to limit the number of devices that can connect to a port on your switch
  • When you want to explicitly tell your switch which devices can connect (based on MAC address of those devices)

To configure port-security on a switch port, the port must first be in layer 2 mode (switchport mode). Switch ports are in switchport mode by default; if you have turned a port into a routed port, the switchport command puts it back into layer 2 mode.
The port should also be in access mode. Port-security can be configured on trunk ports too, but not on a port whose mode is negotiated dynamically.

Before doing this I check interface switchport status:

SW1#sh int e0/0 switchport | in Switchport
Switchport: Enabled

This interface is in switchport mode. To check port-security status I execute the following command:

SW1#sh port-security interface e0/0
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

And you can see that port-security is disabled by default. The port status is secure-down and the violation mode has not been changed from its default.
First I check the MAC address table:

SW1#sh mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Et0/0
   1    0050.7966.6801    DYNAMIC     Et0/0
   1    0050.7966.6802    DYNAMIC     Et0/3
Total Mac Addresses for this criterion: 3

I have three devices connected to this switch, two of them on the same port (via a hub). The hub is connected to E0/0, and I want only one device to be able to use this port at a time.

SW1(config)#int e0/0
SW1(config-if)#switchport port-security
Command rejected: Ethernet0/0 is a dynamic port.
SW1(config-if)#do sh int e0/0 trunk

Port        Mode             Encapsulation  Status        Native vlan
Et0/0       desirable        negotiate      not-trunking  1

Port        Vlans allowed on trunk
Et0/0       1

Port        Vlans allowed and active in management domain
Et0/0       1

Port        Vlans in spanning tree forwarding state and not pruned
Et0/0       1

Interesting! This port is in dynamic desirable mode and does not accept port-security, which means it is actively trying to negotiate an ISL or Dot1q trunk link (depending on the negotiation result). I need to put this interface in access mode and then try again:

SW1(config-if)#swit mode access
SW1(config-if)#swit port-security

Now it works. I check the possibilities:

SW1(config-if)#swit port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

I can define an aging period, explicitly allow a MAC address to connect to and communicate through this port, set the number of devices that can use this port simultaneously, and decide what happens when there is a violation of my rules.
For the MAC address I have two options. I can type in the MAC address of the device allowed to use this port (this will be saved in the switch's configuration) or use sticky mode. Sticky mode saves the first MAC address received through this port in the configuration and lets only that device use the port. I use the first option:

SW1(config-if)#swit port-security mac-address 0050.7966.6800

Now I check the interface status:

SW1(config-if)#do sh port-security interface e0/0
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Port-security is enabled and the violation mode is "shutdown", which means the port will be shut down if another device communicates through this port. So when I ping those devices from PC3:

PC3> ping 10.10.10.101
84 bytes from 10.10.10.101 icmp_seq=1 ttl=64 time=2.500 ms
84 bytes from 10.10.10.101 icmp_seq=2 ttl=64 time=0.000 ms
84 bytes from 10.10.10.101 icmp_seq=3 ttl=64 time=2.500 ms
84 bytes from 10.10.10.101 icmp_seq=4 ttl=64 time=2.500 ms
84 bytes from 10.10.10.101 icmp_seq=5 ttl=64 time=0.000 ms

PC3> ping 10.10.10.102
host (10.10.10.102) not reachable

PC2 is not allowed to communicate and on SW1 a log message appears:

SW1(config-if)#
*Jun 30 12:22:12.236: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/0, putting Et0/0 in err-disable state
SW1(config-if)#
*Jun 30 12:22:12.237: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6801 on port Ethernet0/0.
*Jun 30 12:22:13.246: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
SW1(config-if)#
*Jun 30 12:22:14.246: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to down
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#do sh ip int bri | in Ethernet0/0
Ethernet0/0            unassigned      YES unset  down                  down

I need to shut and no shut the interface to bring it up:

SW1(config-if)#shut
SW1(config-if)#
*Jun 30 12:25:26.443: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
SW1(config-if)#no shut
SW1(config-if)#
*Jun 30 12:25:32.873: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 30 12:25:33.876: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
SW1(config-if)#do sh ip int bri | in Ethernet0/0
Ethernet0/0            unassigned      YES unset  up                    up

I can set the violation mode to one of these modes:

  • Shutdown (default): Port enters err-disable mode and must be re-enabled.
  • Restrict: Port is up and the violating device cannot talk through the port. The number of violating packets can be logged.
  • Protect: Same as restrict mode but nothing is logged.

Of these, I prefer restrict mode.

SW1(config-if)#switchport port-security violation restrict

On PC3 I issue a ping to PC2 (the violating device):

PC3> ping 10.10.10.102
host (10.10.10.102) not reachable

And here is the log message on SW1:

SW1(config-if)#
*Jun 30 12:41:11.198: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6801 on port Ethernet0/0.
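The two kinds of log message shown above (the err-disable event in shutdown mode and the plain violation in restrict mode) are what a syslog collector should alert on. As an added example that is not part of the original post, this Python script parses such lines (the sample log is constructed from the article's output) and summarises violations per port:

```python
"""Detect port-security violations in Cisco IOS syslog.

Added example, not part of the original post. It scans syslog lines of the two
kinds shown in the article (%PORT_SECURITY-2-PSECURE_VIOLATION and
%PM-4-ERR_DISABLE) and reports, per port, the offending MAC addresses, how many
violations were logged, and whether the port was err-disabled (shutdown mode)
or only logged the event (restrict mode). SAMPLE_LOG is constructed from the
article's output.
"""
import re
from collections import defaultdict

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+)\.")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")

SAMPLE_LOG = """\
*Jun 30 12:22:12.236: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/0, putting Et0/0 in err-disable state
*Jun 30 12:22:12.237: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6801 on port Ethernet0/0.
*Jun 30 12:22:13.246: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
*Jun 30 12:41:11.198: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6801 on port Ethernet0/0.
"""

def normalize_port(name):
    """IOS writes 'Et0/0' in some messages and 'Ethernet0/0' in others; use the long form."""
    return re.sub(r"^Et(?=\d)", "Ethernet", name)

def summarize_violations(log_text):
    """Return {port: {"macs": set, "violations": int, "err_disabled": bool}}."""
    summary = defaultdict(lambda: {"macs": set(), "violations": 0, "err_disabled": False})
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            port = normalize_port(m.group("port"))
            summary[port]["macs"].add(m.group("mac"))
            summary[port]["violations"] += 1
            continue
        m = ERRDISABLE_RE.search(line)
        if m:  # only emitted in shutdown mode; restrict/protect leave the port up
            summary[normalize_port(m.group("port"))]["err_disabled"] = True
    return dict(summary)

if __name__ == "__main__":
    for port, info in summarize_violations(SAMPLE_LOG).items():
        state = "err-disabled" if info["err_disabled"] else "still up"
        print(port, sorted(info["macs"]), info["violations"], state)
```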

One last thing about port-security is aging. If you enable port-security without static MAC addresses, learnt MAC addresses can be removed after a period of inactivity or after a set amount of time (regardless of whether they are active or inactive). The following commands configure port-security on E0/3 and set an aging time of 10 minutes of inactivity.

SW1(config)#int e0/3
SW1(config-if)#swit mode access
SW1(config-if)#swit port-security
SW1(config-if)#switchport port-security aging time 10
SW1(config-if)#switchport port-security aging type inactivity
SW1(config-if)#switchport port-security maximum 1
SW1(config-if)#switchport port-security violation restrict

And final verification for E0/3:

SW1#sh port-security int e0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6802:1
Security Violation Count   : 0
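As an added example (not part of the original post), this Python snippet parses `show port-security interface` output like the block above and flags the settings the article discusses: port-security disabled, protect mode (which logs nothing), an err-disabled port, or a non-zero violation count. The sample text is constructed from the E0/3 output shown above:

```python
"""Parse and audit `show port-security interface` output.

Added example, not from the original post. It reads the 'Key : Value' text IOS
prints and flags the conditions the article calls out: port-security disabled,
violation mode "protect" (nothing is logged), a port already err-disabled, or a
non-zero violation count. SAMPLE_E0_3 is constructed from the article's output.
"""
import re

SAMPLE_E0_3 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6802:1
Security Violation Count   : 0
"""

def parse_port_security(text):
    """Turn each 'Key : Value' line into a dict entry; counts and minutes become ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:
            continue  # skip the prompt line or anything that is not a field
        m = re.fullmatch(r"(\d+)(?: mins)?", value.strip())
        fields[key.strip()] = int(m.group(1)) if m else value.strip()
    return fields

def audit(fields):
    """Return findings based on the trade-offs described in the article."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security disabled: any number of MAC addresses accepted")
    if fields.get("Violation Mode") == "Protect":
        findings.append("violation mode protect: violating frames dropped without any log")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled: needs shut / no shut to recover")
    if fields.get("Security Violation Count", 0) > 0:
        findings.append("%d violation(s) recorded" % fields["Security Violation Count"])
    return findings

if __name__ == "__main__":
    print(audit(parse_port_security(SAMPLE_E0_3)))
```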
