-
Catalyst 4000 Family Software Configuration Guide, 6.2
-
Preface
-
Product Overview
-
Using the Command-Line Interface
-
Configuring the Switch IP Address and Default Gateway
-
Configuring Ethernet and Fast Ethernet Switching
-
Configuring Gigabit Ethernet Switching
-
Configuring Fast EtherChannel and Gigabit EtherChannel
-
Configuring Spanning tree
-
Configuring Spanning-Tree PortFast, UplinkFast, and BackboneFast
-
Configuring VTP
-
Configuring VLANs
-
Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports
-
Configuring Dynamic Port VLAN Membership with VMPS
-
Configuring GVRP
-
Configuring Quality of Service
-
Configuring Multicast Services
-
Configuring Port Security
-
Configuring the IP Permit List
-
Configuring Protocol Filtering
-
Checking Port Status and Connectivity
-
Configuring CDP
-
Using Switch TopN Reports
-
Configuring UDLD
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN
-
Administering the Switch
-
Switch Access: Using Authentication, Authorization, and Accounting
-
Modifying the Switch Boot Configuration
-
Working with System Software Images
-
Using the Flash File System
-
Working with Configuration Files
-
Configuring Switch Acceleration
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring NTP
-
Acronyms
-
Reader Response Card
-
Index
-
Table Of Contents
Understanding How Port Security Works
Allowing Traffic Based on the Host MAC Address
Restricting Traffic Based on the Host MAC Address
Port Security Configuration Guidelines
Specifying the Maximum Number of Secure MAC Addresses
Specifying the Port Security Age Time
Specifying Security Violation Action
Restricting Traffic Based on Host MAC Address
Configuring Port Security
This chapter describes how to configure port security on the Catalyst enterprise LAN switches.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
This chapter consists of these sections:
•
•
Understanding How Port Security Works
You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses specified for that port. Alternatively, you can use port security to filter traffic destined to or received from a specific host based on the host MAC address.
This section describes the following traffic filtering methods:
•
•
Allowing Traffic Based on the Host MAC Address
The total number of MAC addresses that can be specified per port is limited to the global resource of 1024 plus one default MAC address. That is, the total number of MAC addresses on any port cannot exceed 1025.
Allocation of the maximum number of MAC addresses for each port depends on your network configuration. The following combinations are examples of valid allocations:
•
•
•
After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC address for the port manually or have the port dynamically configure the MAC address of the connected devices. Out of a maximum allocated number of MAC addresses on a port, you can manually configure all, allow all to be autoconfigured, or configure some manually and allow the rest to be autoconfigured. Once you manually configure or autoconfigure the addresses, they are stored in NVRAM and are maintained after a reset.
After you allocate a maximum number of MAC addresses on a port, you can also specify how long the addresses on the port will remain secure. After the age time expires, the MAC addresses on the port become insecure. By default, all addresses on a port are secured permanently.
If a security violation occurs, you can configure the port to go either into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.
Note
When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming packets from the insecure host.
The behavior of a port depends on how you configure it to respond to a security violation. If a security violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the port for restrictive violation mode. A trap is sent only if you configure the port to shut down during a security violation.
Restricting Traffic Based on the Host MAC Address
You can filter traffic based on a host MAC address, so that packets tagged with a specific source MAC address are discarded. When you specify a MAC address filter with the set cam filter command, incoming traffic from that host MAC address is dropped, and packets addressed to that host are not forwarded.
Note
Port Security Configuration Guidelines
Follow these guidelines when configuring port security:
•
•
•
Configuring Port Security
These sections describe how to configure port security:
•
•
•
•
Enabling Port Security
To enable port security, perform this task in privileged mode:
This example shows how to enable port security using the learned MAC address on a port and verify the configuration:
Console> (enable) set port security 2/1 enablePort 2/1 port security enabled with the learned mac address.Trunking disabled for Port 2/1 due to Security ModeConsole> (enable) show port 2/1Port Name Status Vlan Level Duplex Speed Type----- ------------------ ---------- ---------- ------ ------ ----- ------------2/1 connected 522 normal half 100 100BaseTXPort Security Secure-Src-Addr Last-Src-Addr Shutdown Trap IfIndex----- -------- ----------------- ----------------- -------- -------- -------2/1 enabled 00-90-2b-03-34-08 00-90-2b-03-34-08 No disabled 1081Port Broadcast-Limit Broadcast-Drop-------- --------------- --------------2/1 - 0Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize----- ---------- ---------- ---------- ---------- ---------2/1 0 0 0 0 0Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants----- ---------- ---------- ---------- ---------- --------- --------- ---------2/1 0 0 0 0 0 0 0Last-Time-Cleared--------------------------Fri Jul 10 1998, 17:53:38This example shows how to enable port security on a port and manually specify the secure MAC address:
Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08Port 2/1 port security enabled with 00-90-2b-03-34-08 as the secure mac addressTrunking disabled for Port 2/1 due to Security ModeConsole> (enable)Specifying the Maximum Number of Secure MAC Addresses
You can specify the number of MAC addresses to secure on a port. By default, at least one MAC address per port can be secured. In addition to this default, a global resource of up to 1024 MAC addresses is available to be shared by the ports. This means that if the entire global resource of 1024 MAC addresses is used on some ports, you can still enable port security on the rest of the ports with a maximum of one MAC per port.
If you reduce the maximum number of MAC addresses, the system clears the specified number of MAC addresses and displays the list of removed addresses.
To set a number of MAC addresses to be secured for a particular port, perform this task in privileged mode:
Set the number of MAC addresses to be secured on a port.
set port security mod_num/port_num maximum num_of_mac
This example shows how to set the number of MAC addresses to be secured:
Console> (enable) set port security 4/7 maximum 20Maximum number of secure addresses set to 20 for port 4/7.Console> (enable)This example shows how to reduce the number of MAC addresses and the list that displays the cleared MAC addresses:
Console> (enable) set port security 4/7 maximum 18Maximum number of secure addresses set to 18 for port 4/700-11-22-33-44-55 cleared from secure address list for port 4/700-11-22-33-44-66 cleared from secure address list for port 4/7Console> (enable)Specifying the Port Security Age Time
The age time on a port specifies how long all addresses on that port will be secured. This age time is activated when a MAC address initiates traffic on the port. After the age time expires for a MAC address, the entry for that MAC address on the port is removed from the secure address list. The valid range is 10 to 1440 minutes. Setting the age time to zero disables aging of secure addresses.
To set the age time on a port, perform this task in privileged mode:
Set the age time for which addresses on a port will be secured.
set port security mod_num/port_num age time
Console> (enable) set port security 4/7 age 600Secure address age time set to 600 minutes for port 4/7.Console> (enable)Clearing MAC Addresses
Enter the clear port security command to clear MAC addresses from a list of secure addresses on a port.
Note
To clear all or a particular MAC address from the list of secure MAC addresses, perform this task in privileged mode:
Clear all or a particular MAC address from the list of secure MAC addresses.
clear port security mod_num/port_num {mac_addr | all}
This example removes one MAC address from the secure address list on port 4/7:
Console> (enable) clear port security 4/7 00-11-22-33-44-5500-11-22-33-44-55 cleared from secure address list for port 4/7Console> (enable)This example removes all MAC addresses from ports 4/5-7:
Console> (enable) clear port security 4/5-7 allAll addresses cleared from secure address list for ports 4/5-7Console> (enable)Specifying Security Violation Action
The port can be set for the following two modes to handle a security violation:
•
•
To specify the security violation action to be taken, perform this task in privileged mode:
Set the violation action on a port.
set port security mod_num/port_num violation {shutdown | restrict}
This example sets the port to drop all packets that are coming in on the port from insecure hosts:
Console> (enable) set port security 4/7 violation restrictPort security violation on port 4/7 will cause insecure packets to be dropped.Console> (enable)
Note
Specifying Shutdown Time
You can specify how long a port remains disabled in case of a security violation. By default, the port is shut down permanently. The valid range is 10 to 1440 minutes.
If the time is set to zero, the shutdown is disabled for this port.
Note
To set the shutdown timeout, perform this task in privileged mode:
This example sets the shutdown time to 600 minutes on port 4/7:
Console> (enable) set port security 4/7 shutdown 600Secure address shutdown time set to 600 minutes for port 4/7.Console> (enable)Disabling Port Security
To disable port security, perform this task in privileged mode:
Step 1
Disable port security on the desired ports.
set port security mod_num/port_num disable
Step 2
Verify the configuration.
show port security [mod_num/port_num]
This example shows how to disable security on a port:
Console> (enable) set port security 2/1 disablePort 2/1 port security disabled.Console> (enable)Console> (enable) show port security 2/1Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex----- -------- --------- ------------- -------- -------- -------- -------3/24 disabled restrict 20 300 10 disabled 921Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left----- -------- ----------------- -------- ----------------- ------------------3/24 1 00-e0-4f-ac-b4-00 - - - -Console> (enable)Restricting Traffic Based on Host MAC Address
To restrict incoming or outgoing traffic for a specific MAC address, perform this task in privileged mode:
This example shows how to create a filter for a specific MAC address:
Console> (enable) set cam static filter 00-02-03-04-05-06 1Filter entry added to CAM table.Console> (enable)This example shows how to clear the filter:
Console> (enable) clear cam 00-02-03-04-05-06 1CAM entry cleared.Console> (enable)This example shows how to display the static CAM entries:
Console> show cam staticVLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]---- ------------------ ----- -------------------------------------------3 04-04-05-06-07-08 * FILTERMonitoring Port Security
You can view the following port security information:
•
•
•
•
•
•
•
To display port security configuration information and statistics, perform this task in privileged mode:
Step 1
Display the configuration.
show port security [statistics] mod_num/ port_num
Step 2
Display the port security statistics.
show port security statistics [system] [mod_num/port_num]
This example shows how to display port security configuration information and statistics:
Console> (enable) show port security 3/24Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex----- -------- --------- ------------- -------- -------- -------- -------3/24 enabled shutdown 300 60 10 disabled 921Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left----- -------- ----------------- -------- ----------------- ------------------3/24 4 00-e0-4f-ac-b4-00 60 00-e0-4f-ac-b4-00 no -00-11-22-33-44-55 000-11-22-33-44-66 000-11-22-33-44-77 0Console> (enable) show port security statistics 3/24Port Total-Addrs Maximum-Addrs----- ----------- -------------3/24 4 10Console> (enable)Port Total-Addrs Maximum-Addrs----- ----------- -------------3/24 1 10Console> (enable)This example shows how to display port security statistics on a module:
Console> (enable) show port security statistics 3Port Total-Addrs Maximum-Addrs----- ----------- -------------3/1 0 13/2 0 13/3 0 13/4 0 13/5 0 13/6 0 1Module 3:Total ports: 6Total secure ports: 0Total MAC addresses: 6Total global address space used (out of 1024): 0Status: installedConsole> (enable)This example shows how to display port security statistics on the system:
Console> (enable) show port security statistics systemModule 1:Total ports: 2Total MAC address(es): 2Total global address space used (out of 1024): 0Status: installedModule 3:Module does not support port security featureModule 6:Total ports: 48Total MAC address(es): 48Total global address space used (out of 1024): 0Status: installedConsole> (enable)
