Catalyst 6500 Series Switches CatOS Port Security Configuration Example

Document ID: 113154

Updated: Aug 01, 2011

Introduction

This document provides a sample configuration for port security on a Cisco Catalyst 6500 Series Switch that runs Catalyst OS (CatOS).

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Basic knowledge of configuration on Cisco Catalyst 6500 Series Switches

  • Basic understanding of port security

Components Used

The information in this document is based on a Cisco Catalyst 6500 Series switch that runs CatOS.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Port Security Overview

Use port security to restrict the input to Ethernet ports based on the source MAC addresses of hosts. You define the secure MAC addresses for a port, and the port does not forward packets whose source address is not in the secure list for that port.

You can assign the secure MAC addresses for a port manually or allow the port to learn them dynamically. (The MAC addresses are stored in nonvolatile RAM (NVRAM).) You can specify an age time for the MAC addresses on a port, which determines how long an address remains secure. By default, all addresses on a port are secured permanently.

A packet that arrives on a port from a host whose MAC address is not in the secure MAC address list causes a security violation. As a result of the violation, the port goes into shutdown mode or restrictive mode. In shutdown mode, you can configure the port to stay in the shutdown state for a time period or permanently; by default, when a security violation occurs, the port is shut down permanently. In restrictive mode, the port only drops the packets that come in from the insecure host. If a host whose MAC address is already configured as a secure MAC address on another port connects to a port in restrictive mode, that port goes into shutdown mode instead of only restricting the traffic from that host.

Configure

In this section, you are presented with the information to configure port security on a Cisco Catalyst 6500 Series switch that runs CatOS.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

[Network diagram: port-security-6500-01.gif]

Configurations

This section describes how to configure port security on a Cisco Catalyst 6500 Series switch that runs CatOS.

In this example, port 4/21 is connected to a switch, and port security is configured with a maximum of 50 MAC addresses. The age timer is set to 500 minutes, and the violation mode is set to restrict. Age time specifies how long the MAC addresses remain secure; the age time restarts whenever traffic with that MAC address arrives on the port. If a violation occurs, only the packets that come in from an insecure MAC address are dropped.

Port 4/22 is connected to the server, and port security is configured with a maximum of 3 MAC addresses. The violation mode is set to restrict, and the MAC addresses are specified manually. This configuration is suitable for the most security-sensitive situations.

Port 4/23 is connected to the IP phone, and port security is configured with a shutdown timer of 600 minutes. If a violation occurs, the port goes into the shutdown state for the specified time and is re-enabled after the shutdown timer expires.

This document uses these configurations:

Cisco Catalyst 6500 Switch

Console> (enable) set port security 4/21 enable

!--- Use this command in order to set the number of MAC addresses to be secured.

Console> (enable) set port security 4/21 maximum 50

!--- Use this command in order to set the age timer.

Console> (enable) set port security 4/21 age 500
Console> (enable) set port security 4/21 violation restrict

Console> (enable) set port security 4/22 enable D4-85-64-A5-35-5C
Console> (enable) set port security 4/22 maximum 3

!--- Use this command in order to add MAC addresses manually to the secure address list.

Console> (enable) set port security 4/22 D4-85-64-15-15-5A
Console> (enable) set port security 4/22 00-23-04-33-E4-0D
Console> (enable) set port security 4/22 violation restrict

!--- Use this command in order to clear one MAC address from the secure address list.

Console> (enable) clear port security 4/22 00-23-04-33-E4-0D

Console> (enable) set port security 4/23 enable 00-0c-29-a5-fa-d5

!--- Use this command in order to set the shutdown timer.

Console> (enable) set port security 4/23 shutdown 600
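The behaviour that the three port configurations above rely on (a secure address list capped by the maximum, an age timer that restarts on traffic, restrict versus shutdown mode, a timed or permanent shutdown, and the cross-port rule from the overview) is easiest to reason about as a small state machine. The following Python model is an added example written for this page, not Cisco software; it simplifies CatOS, and the default maximum of 1 address per port, the treatment of manually configured addresses under the age timer, and the `Switch`/`SecurePort` names are assumptions. It replays the page's 4/21, 4/22 and 4/23 settings against a constructed sequence of ingress frames.

```python
"""Simplified model of CatOS port-security behaviour (added example, not Cisco code).

Assumptions: a port's default maximum is 1 address; the age timer applies to every
address on the port and restarts when that address sends traffic; a source address
already secured on another port shuts the port down even in restrict mode.
Timer units are minutes, as in the `age` and `shutdown` keywords above.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                      # assumed CatOS default
    violation: str = "shutdown"           # "shutdown" or "restrict"
    age_minutes: int = 0                  # 0 = addresses secured permanently
    shutdown_minutes: int = 0             # 0 = shut down permanently
    secure: Dict[str, Optional[int]] = field(default_factory=dict)  # mac -> age left (None = permanent)
    shutdown_left: Optional[int] = None   # None = port up, 0 = permanent shutdown, >0 = minutes left

    def add_static(self, mac: str) -> None:
        """set port security <port> <mac>  (or enable <mac>)"""
        self.secure[mac.lower()] = self.age_minutes or None

    def clear(self, mac: str) -> None:
        """clear port security <port> <mac>"""
        self.secure.pop(mac.lower(), None)


class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def secured_elsewhere(self, mac: str, port_name: str) -> bool:
        return any(mac in p.secure for n, p in self.ports.items() if n != port_name)

    def receive(self, port_name: str, src_mac: str) -> str:
        """Process one ingress frame; returns 'forward', 'drop' or 'shutdown'."""
        port, mac = self.ports[port_name], src_mac.lower()
        if port.shutdown_left is not None:
            return "shutdown"                             # port is in the shutdown state
        if mac in port.secure:
            port.secure[mac] = port.age_minutes or None   # traffic restarts the age timer
            return "forward"
        elsewhere = self.secured_elsewhere(mac, port_name)
        if not elsewhere and len(port.secure) < port.maximum:
            port.secure[mac] = port.age_minutes or None   # dynamic learning into a free slot
            return "forward"
        if port.violation == "restrict" and not elsewhere:
            return "drop"                                 # only the insecure host is dropped
        port.shutdown_left = port.shutdown_minutes        # 0 => permanent shutdown
        return "shutdown"

    def tick(self, minutes: int) -> None:
        """Advance the age and shutdown timers by the given number of minutes."""
        for port in self.ports.values():
            for mac, left in list(port.secure.items()):
                if left is not None:
                    if left - minutes <= 0:
                        del port.secure[mac]              # aged out of the secure list
                    else:
                        port.secure[mac] = left - minutes
            if port.shutdown_left:                        # positive = timed shutdown counting down
                port.shutdown_left -= minutes
                if port.shutdown_left <= 0:
                    port.shutdown_left = None             # port re-enabled


def demo() -> Dict[str, object]:
    """Replay this page's configuration against a constructed frame sequence."""
    sw = Switch()
    sw.add_port(SecurePort("4/21", maximum=50, violation="restrict", age_minutes=500))
    sw.add_port(SecurePort("4/22", maximum=3, violation="restrict"))
    sw.add_port(SecurePort("4/23", shutdown_minutes=600))
    for mac in ("D4-85-64-A5-35-5C", "D4-85-64-15-15-5A", "00-23-04-33-E4-0D"):
        sw.ports["4/22"].add_static(mac)
    sw.ports["4/22"].clear("00-23-04-33-E4-0D")           # as on the page: leaves one of 3 slots open
    sw.ports["4/23"].add_static("00-0c-29-a5-fa-d5")
    r: Dict[str, object] = {}
    r["server_known"] = sw.receive("4/22", "D4-85-64-15-15-5A")          # forward
    r["server_slot_learned"] = sw.receive("4/22", "00-00-00-00-00-01")   # forward: open slot is learned
    r["server_violation"] = sw.receive("4/22", "00-00-00-00-00-02")      # drop: restrict mode, list full
    r["server_still_up"] = sw.receive("4/22", "D4-85-64-15-15-5A")       # forward
    r["phone_violation"] = sw.receive("4/23", "00-00-00-00-00-03")       # shutdown for 600 min
    r["phone_during_shutdown"] = sw.receive("4/23", "00-0c-29-a5-fa-d5") # shutdown: even the phone
    sw.tick(600)
    r["phone_after_timer"] = sw.receive("4/23", "00-0c-29-a5-fa-d5")     # forward: port re-enabled
    r["user_learned"] = sw.receive("4/21", "00-12-43-06-95-83")          # forward: learned dynamically
    sw.tick(499)
    r["user_refreshed"] = sw.receive("4/21", "00-12-43-06-95-83")        # forward: age timer restarts
    sw.tick(500)
    r["user_aged_out"] = "00-12-43-06-95-83" not in sw.ports["4/21"].secure  # True
    r["moved_host"] = sw.receive("4/21", "D4-85-64-A5-35-5C")            # shutdown: secured on 4/22
    r["port_4_21_shutdown_left"] = sw.ports["4/21"].shutdown_left        # 0 = permanent
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```

Two details of the page's configuration stand out when the sequence is run: clearing 00-23-04-33-E4-0D from 4/22 leaves the third of its three slots open, so the next unknown host is learned rather than dropped, and a host secured on 4/22 appearing on the restrict-mode port 4/21 shuts that port down permanently because 4/21 has no shutdown timer.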

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Use the show port security mod/port command in order to display the port security configuration and the related information for a port.

Console> (enable) show port security 4/21
* = Configured MAC Address 

Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
 4/21  enabled  restrict             0      500       50 disabled      87

Port  Num-Addr Secure-Src-Addr     Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- -----------------   -------- ----------------- ------------------
 4/21       11 00-12-43-06-95-83        475 00-09-e9-19-98-7f       no         -
               00-0b-85-48-53-c0        475
               00-1a-a2-19-ad-44        475
               02-01-00-00-00-00        475
               00-17-59-e7-49-2c        475
               00-0d-9d-93-8b-55        475
               00-0b-85-33-84-a0        475
               00-12-44-0d-89-40        475
               00-16-35-66-c2-d6        476
               00-17-94-06-62-88        478
               00-09-e9-19-98-7f        494

Port  Flooding on Address Limit
----- -------------------------
 4/21                   Enabled

Use the show port mod/port command in order to verify the configuration of the port.

Console> (enable) show port 4/21

* = Configured MAC Address 

Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
 4/21                      connected  1          a-full a-100 10/100BaseTX

Port  AuxiliaryVlan AuxVlan-Status
----- ------------- --------------
 4/21 none          none          

Port      InlinePowered      PowerAllocated Device     IEEE class DiscoverMode
      Admin  Oper   Detected mWatt mA @42V
----- ------ ------ -------- ----- -------- ---------- ---------- ------------
 4/21 auto   off    no       0     0        none       none       cisco       

Port  Maximum Power    Actual Consumption  absentCounter  OverCurrent
      mWatt   mA @42V   mWatt   mA @42V  
----- -----   -------  ------   ---------  -------------  -----------
 4/21 7000    166      0        0          0              0           


Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
 4/21  enabled  restrict             0      500       50 disabled      87

Port  Num-Addr Secure-Src-Addr     Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- -----------------   -------- ----------------- ------------------
 4/21       11 00-12-43-06-95-83        474 00-09-e9-19-98-7f       no         -
               00-0b-85-48-53-c0        474
               00-1a-a2-19-ad-44        474
               02-01-00-00-00-00        474
               00-17-59-e7-49-2c        474
               00-0d-9d-93-8b-55        474
               00-0b-85-33-84-a0        474
               00-12-44-0d-89-40        474
               00-16-35-66-c2-d6        475
               00-17-94-06-62-88        477
               00-09-e9-19-98-7f        493

Port  Flooding on Address Limit
----- -------------------------
 4/21                   Enabled

Port     Broadcast-Limit Multicast Unicast Total-Drop           Action      
-------- --------------- --------- ------- -------------------- ------------
 4/21                  -         -       -                    0 drop-packets

Port  Send FlowControl  Receive FlowControl   RxPause    TxPause
      admin    oper     admin     oper
----- -------- -------- --------- ---------   ---------- ----------
 4/21 off      off      off       off         0          0          

Port  Status     Channel              Admin Ch
                 Mode                 Group Id
----- ---------- -------------------- ----- -----
 4/21 connected  auto silent             53     0

Port  Status      ErrDisable Reason    Port ErrDisableTimeout  Action on Timeout
----  ----------  -------------------  ----------------------  -----------------
 4/21 connected                     -  Enable                  No Change

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
 4/21          0          0          0          0         0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
 4/21          0          0          0          0         0         0         0

Port  Last-Time-Cleared
----- --------------------------
 4/21 Wed Jul 13 2011, 21:40:21

Idle Detection
--------------
   --

Use the show port security statistics system command in order to display the port security statistics on the system.

Console> (enable) show port security statistics system

Module 1:
  Module does not support port security feature
Module 2:
  Total ports: 2
  Total secure ports: 0
  Total MAC addresses: 2
  Total global address space used (out of 4096): 0
  Status: installed
Module 4:
  Total ports: 48
  Total secure ports: 3
  Total MAC addresses: 99
  Total global address space used (out of 4096): 51
  Status: installed
Module 5:
  Total ports: 48
  Total secure ports: 0
  Total MAC addresses: 48
  Total global address space used (out of 4096): 0
  Status: installed
Module 16:
  Module does not support port security feature
Total secure ports in the system: 3
Total secure MAC addresses in the system: 149
Total global MAC address resource used in the system (out of 4096): 51
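The system statistics are where the shared secure-address resource (the 4096-entry global address space) is visible, so they are worth checking for headroom and for agreement between the per-module lines and the system totals. The following Python parser is an added example written for this page, not a Cisco tool; it parses the output above (copied from this document) and reports the utilisation and the cross-checks. The function names and the normalised dictionary keys are my own.

```python
"""Parse 'show port security statistics system' output and check the global
secure-address resource (added example, not Cisco code)."""
import re
from typing import Dict, List

# Sample copied from the show output in this document.
SAMPLE = """\
Console> (enable) show port security statistics system

Module 1:
  Module does not support port security feature
Module 2:
  Total ports: 2
  Total secure ports: 0
  Total MAC addresses: 2
  Total global address space used (out of 4096): 0
  Status: installed
Module 4:
  Total ports: 48
  Total secure ports: 3
  Total MAC addresses: 99
  Total global address space used (out of 4096): 51
  Status: installed
Module 5:
  Total ports: 48
  Total secure ports: 0
  Total MAC addresses: 48
  Total global address space used (out of 4096): 0
  Status: installed
Module 16:
  Module does not support port security feature
Total secure ports in the system: 3
Total secure MAC addresses in the system: 149
Total global MAC address resource used in the system (out of 4096): 51
"""

CAPACITY_RE = re.compile(r"\s*\(out of (\d+)\)")


def _key(label: str) -> str:
    """'Total global address space used (out of 4096)' -> 'total_global_address_space_used'."""
    return CAPACITY_RE.sub("", label).strip().lower().replace(" ", "_")


def parse_statistics(text: str) -> dict:
    """Return {'modules': {slot: {...}}, 'system': {...}, 'capacity': int}."""
    result: dict = {"modules": {}, "system": {}, "capacity": None}
    current: Dict[str, object] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Module (\d+):$", line)
        if m:
            current = result["modules"].setdefault(int(m.group(1)), {"supported": True})
            continue
        if line.startswith("Module does not support"):
            if current is not None:
                current["supported"] = False
            continue
        if ":" not in line:
            continue                               # prompt or blank line
        label, _, value = line.partition(":")
        cap = CAPACITY_RE.search(label)
        if cap:
            result["capacity"] = int(cap.group(1))  # the "(out of 4096)" annotation
        value = value.strip()
        parsed = int(value) if value.isdigit() else value
        # module counters are indented; the system totals are flush left
        target = current if raw.startswith(" ") and current is not None else result["system"]
        target[_key(label)] = parsed
    return result


def summarize(stats: dict) -> dict:
    """Utilisation of the global resource plus cross-checks of the per-module lines
    against the system totals."""
    mods: List[dict] = [m for m in stats["modules"].values() if m["supported"]]
    system = stats["system"]
    used = system["total_global_mac_address_resource_used_in_the_system"]
    cap = stats["capacity"]
    return {
        "capacity": cap,
        "used": used,
        "utilization_pct": round(100.0 * used / cap, 2),
        "modules_with_secure_ports": sorted(
            slot for slot, m in stats["modules"].items() if m.get("total_secure_ports", 0) > 0),
        "consistent": (
            sum(m["total_secure_ports"] for m in mods) == system["total_secure_ports_in_the_system"]
            and sum(m["total_mac_addresses"] for m in mods) == system["total_secure_mac_addresses_in_the_system"]
            and sum(m["total_global_address_space_used"] for m in mods) == used
        ),
    }


if __name__ == "__main__":
    print(summarize(parse_statistics(SAMPLE)))
```

For the output on this page the summary reports 51 of 4096 entries in use (about 1.25 %), module 4 as the only module with secure ports, and the per-module counters adding up to the system totals (3 secure ports, 149 addresses, 51 global entries).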
