Document ID: 113154
Updated: Aug 01, 2011
Introduction
This document provides a sample configuration for port security on a Cisco Catalyst 6500 Series Switch that runs Catalyst OS (CatOS).
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
- Basic knowledge of configuration on Cisco Catalyst 6500 Series Switches
- Basic understanding of port security
Components Used
The information in this document is based on a Cisco Catalyst 6500 Series switch that runs CatOS.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Port Security Overview
Use port security to restrict input on Ethernet ports based on host MAC addresses. You define the secure MAC addresses for a port; the port does not forward packets whose source address is not in the secure address list for that port.
You can assign the secure MAC addresses for a port manually or allow the port to learn them dynamically. (The MAC addresses are stored in nonvolatile RAM (NVRAM).) You can specify an age time for the MAC addresses on a port, which sets how long a MAC address remains secure. By default, all addresses on a port are secured permanently.
A packet from a host whose MAC address is not in the secure MAC address list causes a security violation on that port. As a result of the security violation, the port goes into shutdown mode or restrictive mode. In shutdown mode, you can configure the port to stay shut down for a time period or permanently. By default, when a security violation happens, the port goes into shutdown mode permanently. In restrictive mode, the port drops only the packets that come in from the insecure host. If a host whose MAC address is already configured as a secure MAC address on another port connects to a port in restrictive mode, that port goes into shutdown mode instead of restricting the traffic from that host.
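The decision rules in the overview (secure list with a maximum, aging that restarts on traffic, restrict versus shutdown, and the cross-port rule) are easy to misread, so here is a small simulation of them. This is an added teaching example, not Cisco code: the `Switch` and `SecurePort` classes, their method names, the whole-minute timers and the constructed MAC `00-11-22-33-44-55` are assumptions of the example; the port numbers and the other MAC addresses come from the configuration in this document.

```python
"""Simulation of the CatOS port-security behaviour described in the overview.

Added example, not Cisco code. Class and method names, the whole-minute timers
and the assumption that a manually configured address never ages are my own;
the rules enforced (per-port secure list with a maximum, age timer restarted by
traffic, 'restrict' drops frames from the insecure host, 'shutdown' is timed or
permanent, a host secured on another port shuts down even a 'restrict' port)
follow the document's overview.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"        # "shutdown" or "restrict"
    age_minutes: int = 0               # 0 = addresses are secured permanently
    shutdown_minutes: int = 0          # 0 = a violation shuts the port permanently
    secure: Dict[str, Optional[int]] = field(default_factory=dict)  # MAC -> age left (None = permanent)
    shutdown_left: Optional[int] = None  # None = up; 0 = permanent shutdown; n > 0 = minutes left
    violations: int = 0

    def is_shutdown(self) -> bool:
        return self.shutdown_left is not None

    def configure_mac(self, mac: str) -> None:
        """Statically add a secure address (assumed permanent, like a configured entry)."""
        self.secure[mac.lower()] = None


class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}

    def add_port(self, port: SecurePort) -> SecurePort:
        self.ports[port.name] = port
        return port

    def port_securing(self, mac: str) -> Optional[str]:
        """Name of the port on which mac is already a secure address, if any."""
        for p in self.ports.values():
            if mac in p.secure:
                return p.name
        return None

    def receive(self, port_name: str, src_mac: str) -> str:
        """Decide one incoming frame: 'forward', 'drop' (restrict) or 'shutdown'."""
        port = self.ports[port_name]
        mac = src_mac.lower()
        if port.is_shutdown():
            return "drop"                              # a shut-down port passes nothing
        if mac in port.secure:
            if port.secure[mac] is not None:
                port.secure[mac] = port.age_minutes    # traffic restarts the age timer
            return "forward"
        if self.port_securing(mac) is not None:
            return self._violate(port, force_shutdown=True)   # secured elsewhere: shut down even in restrict
        if len(port.secure) < port.maximum:
            port.secure[mac] = port.age_minutes or None       # room left: learn dynamically
            return "forward"
        return self._violate(port, force_shutdown=False)

    @staticmethod
    def _violate(port: SecurePort, force_shutdown: bool) -> str:
        port.violations += 1
        if force_shutdown or port.violation == "shutdown":
            port.shutdown_left = port.shutdown_minutes        # 0 means permanent
            return "shutdown"
        return "drop"                                         # restrict: drop only this host's frames

    def tick(self, minutes: int) -> None:
        """Advance the age and shutdown timers by the given number of minutes."""
        for p in self.ports.values():
            for mac, left in list(p.secure.items()):
                if left is not None:
                    if left - minutes <= 0:
                        del p.secure[mac]                     # aged out of the secure list
                    else:
                        p.secure[mac] = left - minutes
            if p.shutdown_left:                               # timed shutdown counting down
                p.shutdown_left -= minutes
                if p.shutdown_left <= 0:
                    p.shutdown_left = None                    # port re-enabled


def demo() -> dict:
    """Walk the three ports of the document's example through a few events."""
    sw = Switch()
    p21 = sw.add_port(SecurePort("4/21", maximum=2, violation="restrict", age_minutes=500))
    p22 = sw.add_port(SecurePort("4/22", maximum=3, violation="restrict"))
    p23 = sw.add_port(SecurePort("4/23", maximum=1, violation="shutdown", shutdown_minutes=600))
    p22.configure_mac("D4-85-64-A5-35-5C")      # addresses from the document's configuration
    p23.configure_mac("00-0c-29-a5-fa-d5")
    r = {}
    r["learn1"] = sw.receive("4/21", "00-12-43-06-95-83")        # learned dynamically
    r["learn2"] = sw.receive("4/21", "00-0b-85-48-53-c0")        # second of maximum 2
    r["third"] = sw.receive("4/21", "00-1a-a2-19-ad-44")         # limit hit: restrict -> drop
    r["cross"] = sw.receive("4/22", "00-12-43-06-95-83")         # secured on 4/21 -> shutdown
    r["cross_after"] = sw.receive("4/22", "d4-85-64-a5-35-5c")   # 4/22 is down now
    r["phone"] = sw.receive("4/23", "00-0c-29-a5-fa-d5")         # configured address
    r["intruder"] = sw.receive("4/23", "00-11-22-33-44-55")      # constructed MAC -> timed shutdown
    sw.tick(300)
    r["refresh"] = sw.receive("4/21", "00-12-43-06-95-83")       # restarts its age timer
    sw.tick(300)                                                 # 00-0b-85... ages out; 4/23 comes back
    r["phone_back"] = sw.receive("4/23", "00-0c-29-a5-fa-d5")
    r["third_later"] = sw.receive("4/21", "00-1a-a2-19-ad-44")   # room again -> learned
    r["secure_4_21"] = sorted(p21.secure)
    r["shutdown_4_22"] = p22.shutdown_left
    r["violations"] = {p.name: p.violations for p in sw.ports.values()}
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>13}: {value}")
```

The point to take from the run is the asymmetry between the two violation modes: on the restrict port only the offending host is dropped and the port keeps serving its secure hosts, while a single frame from a MAC that is secured on another port takes the restrict port down permanently, exactly as the overview warns.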
Configure
In this section, you are presented with the information to configure port security on a Cisco Catalyst 6500 Series switch that runs CatOS.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
Configurations
This section describes how to configure port security on a Cisco Catalyst 6500 Series switch that runs CatOS.
In this example, port 4/21 is connected to a switch, and port security is configured with a maximum of 50 MAC addresses. The age timer is set to 500 minutes, and restrictive mode is set for violations. The age time specifies how long a MAC address stays secure; the age timer restarts whenever traffic with that MAC address arrives on the port. If a violation occurs, only the packets that come in from an insecure MAC address are dropped.
Port 4/22 is connected to the server, and port security is configured with a maximum of 3 MAC addresses. Restrictive mode is set for violations. The MAC addresses are specified manually, so this configuration suits situations that require the highest security.
Port 4/23 is connected to the IP phone, and port security is configured with a shutdown timer of 600 minutes. If a violation occurs, the port goes into the shutdown state for the time specified. The port is enabled again after the shutdown time expires.
This document uses these configurations:
Cisco Catalyst 6500 Switch

Console> (enable)set port security 4/21 enable
!--- Use this command in order to set the number of MAC addresses to be secured.
Console> (enable)set port security 4/21 maximum 50
!--- Use this command in order to set the age timer.
Console> (enable)set port security 4/21 age 500
Console> (enable)set port security 4/21 violation restrict
Console> (enable)set port security 4/22 enable D4-85-64-A5-35-5C
Console> (enable)set port security 4/22 maximum 3
!--- Use this command in order to add MAC addresses manually to the secure address list.
Console> (enable)set port security 4/22 D4-85-64-15-15-5A
Console> (enable)set port security 4/22 00-23-04-33-E4-0D
Console> (enable)set port security 4/22 violation restrict
!--- Use this command in order to clear one MAC address from the secure address list.
Console> (enable)clear port security 4/22 00-23-04-33-E4-0D
Console> (enable)set port security 4/23 enable 00-0c-29-a5-fa-d5
!--- Use this command in order to set the shutdown timer.
Console> (enable)set port security 4/23 shutdown 600
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
Use the show port security mod/port command in order to display the port security configuration related information.
Console> (enable)show port security 4/21
* = Configured MAC Address

Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
4/21  enabled  restrict  0             500      50       disabled 87

Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
4/21  11       00-12-43-06-95-83 475      00-09-e9-19-98-7f no                 -
               00-0b-85-48-53-c0 475
               00-1a-a2-19-ad-44 475
               02-01-00-00-00-00 475
               00-17-59-e7-49-2c 475
               00-0d-9d-93-8b-55 475
               00-0b-85-33-84-a0 475
               00-12-44-0d-89-40 475
               00-16-35-66-c2-d6 476
               00-17-94-06-62-88 478
               00-09-e9-19-98-7f 494

Port  Flooding on Address Limit
----- -------------------------
4/21  Enabled
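Reading this output by eye on a few ports is fine, but on a chassis with dozens of secure ports it pays to parse it and flag the conditions that matter: a port already shut down, a secure address table at or near its maximum, and violation traps turned off. The following parser is an added example, not a Cisco tool. `SAMPLE_OUTPUT` is constructed from the values shown for port 4/21 above (with only three of the learned addresses), the column layout is assumed to match the switch's own fixed-width formatting, and the reading of the `Trap` column as the violation trap is an assumption of the example.

```python
"""Parse and audit CatOS 'show port security mod/port' output.

Added example, not Cisco tooling. SAMPLE_OUTPUT is constructed from the port
4/21 output in this document (three learned addresses instead of eleven); the
fixed-width layout and the meaning of the Trap column are assumptions.
"""
import re

SAMPLE_OUTPUT = """\
* = Configured MAC Address

Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
4/21  enabled  restrict  0             500      50       disabled 87

Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
4/21  3        00-12-43-06-95-83 475      00-09-e9-19-98-7f no                 -
               00-0b-85-48-53-c0 475
               00-09-e9-19-98-7f 494

Port  Flooding on Address Limit
----- -------------------------
4/21  Enabled
"""

MAC = r"[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}"
# configuration row: port, security, violation, shutdown-time, age-time, max-addr, trap, ifindex
CONFIG_RE = re.compile(
    r"^(?P<port>\d+/\d+)\s+(?P<security>enabled|disabled)\s+(?P<violation>shutdown|restrict)\s+"
    r"(?P<shutdown_time>\d+)\s+(?P<age_time>\d+)\s+(?P<max_addr>\d+)\s+"
    r"(?P<trap>enabled|disabled)\s+(?P<ifindex>\d+)\s*$"
)
# first address row carries the per-port counters; later rows carry one address each
FIRST_ADDR_RE = re.compile(
    rf"^(?P<port>\d+/\d+)\s+(?P<num_addr>\d+)\s+(?P<mac>{MAC})(?P<configured>\*?)\s+(?P<age_left>\S+)\s+"
    rf"(?P<last_src>{MAC}|-)\s+(?P<shutdown>yes|no)\s+(?P<time_left>\S+)\s*$"
)
MORE_ADDR_RE = re.compile(rf"^\s+(?P<mac>{MAC})(?P<configured>\*?)\s+(?P<age_left>\S+)\s*$")
FLOOD_RE = re.compile(r"^(?P<port>\d+/\d+)\s+(?P<flooding>Enabled|Disabled)\s*$")


def _address(d: dict) -> dict:
    """One secure-address entry; '*' marks a configured (static) address."""
    return {
        "mac": d["mac"].lower(),
        "configured": d["configured"] == "*",
        "age_left": int(d["age_left"]) if d["age_left"].isdigit() else None,
    }


def parse_show_port_security(text: str) -> dict:
    """Turn the show output for one port into a dict of settings, state and addresses."""
    info = {"addresses": []}
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            d = m.groupdict()
            info.update(port=d["port"], security=d["security"], violation=d["violation"],
                        shutdown_time=int(d["shutdown_time"]), age_time=int(d["age_time"]),
                        max_addr=int(d["max_addr"]), trap=d["trap"], ifindex=int(d["ifindex"]))
            continue
        m = FIRST_ADDR_RE.match(line)
        if m:
            d = m.groupdict()
            info.update(num_addr=int(d["num_addr"]), last_src=d["last_src"].lower(),
                        shutdown=d["shutdown"] == "yes", time_left=d["time_left"])
            info["addresses"].append(_address(d))
            continue
        m = MORE_ADDR_RE.match(line)
        if m:
            info["addresses"].append(_address(m.groupdict()))
            continue
        m = FLOOD_RE.match(line)
        if m:
            info["flooding_on_limit"] = m["flooding"] == "Enabled"
    return info


def audit(info: dict, near_limit: float = 0.8) -> list:
    """Return human-readable findings an operator would want to act on."""
    findings = []
    if info.get("security") != "enabled":
        return ["port security is not enabled"]
    if info.get("shutdown"):
        findings.append(f"port is shut down after a violation (time left: {info.get('time_left')})")
    num, maximum = info.get("num_addr", 0), info["max_addr"]
    if num >= maximum:
        findings.append(f"secure address limit reached ({num}/{maximum}); any new host violates")
    elif num >= near_limit * maximum:
        findings.append(f"secure address table is {num}/{maximum} full")
    if info["trap"] != "enabled":   # assumption: Trap column is the violation trap
        findings.append("violation trap is disabled, so violations are not reported by SNMP")
    return findings


if __name__ == "__main__":
    parsed = parse_show_port_security(SAMPLE_OUTPUT)
    print(parsed["port"], parsed["violation"], f"{parsed['num_addr']}/{parsed['max_addr']}")
    for finding in audit(parsed):
        print(" -", finding)
```

Because the regular expressions match on whitespace rather than column offsets, the parser also copes with output whose alignment was lost when it was pasted into a ticket or a wiki page, which is exactly how this output tends to arrive during an investigation.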
Use the show port mod/port command in order to verify the configuration of the port.
Console> (enable)show port 4/21
* = Configured MAC Address

Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
4/21                       connected  1          a-full a-100 10/100BaseTX

Port  AuxiliaryVlan AuxVlan-Status
----- ------------- --------------
4/21  none          none

Port  InlinePowered        PowerAllocated Device     IEEE class DiscoverMode
      Admin  Oper   Detected mWatt mA @42V
----- ------ ------ -------- ----- -------- ---------- ---------- ------------
4/21  auto   off    no       0     0        none       none       cisco

Port  Maximum Power Actual Consumption absentCounter OverCurrent
      mWatt mA @42V mWatt  mA @42V
----- ----- ------- ------ --------- ------------- -----------
4/21  7000  166     0      0         0             0

Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
4/21  enabled  restrict  0             500      50       disabled 87

Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
4/21  11       00-12-43-06-95-83 474      00-09-e9-19-98-7f no                 -
               00-0b-85-48-53-c0 474
               00-1a-a2-19-ad-44 474
               02-01-00-00-00-00 474
               00-17-59-e7-49-2c 474
               00-0d-9d-93-8b-55 474
               00-0b-85-33-84-a0 474
               00-12-44-0d-89-40 474
               00-16-35-66-c2-d6 475
               00-17-94-06-62-88 477
               00-09-e9-19-98-7f 493

Port  Flooding on Address Limit
----- -------------------------
4/21  Enabled

Port     Broadcast-Limit Multicast Unicast Total-Drop           Action
-------- --------------- --------- ------- -------------------- ------------
4/21     -               -         -       0                    drop-packets

Port  Send FlowControl  Receive FlowControl RxPause    TxPause
      admin    oper     admin     oper
----- -------- -------- --------- --------- ---------- ----------
4/21  off      off      off       off       0          0

Port  Status     Channel              Admin Ch
                 Mode                 Group Id
----- ---------- -------------------- ----- -----
4/21  connected  auto silent          53    0

Port Status     ErrDisable Reason   Port ErrDisableTimeout Action on Timeout
---- ---------- ------------------- ---------------------- -----------------
4/21 connected  -                   Enable                 No Change

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
4/21  0          0          0          0          0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
4/21  0          0          0          0          0         0         0

Port  Last-Time-Cleared
----- --------------------------
4/21  Wed Jul 13 2011, 21:40:21

Idle Detection
--------------
--
Use the show port security statistics system command in order to display the port security statistics on the system.
Console> (enable)show port security statistics system
Module 1: Module does not support port security feature
Module 2:
  Total ports: 2
  Total secure ports: 0
  Total MAC addresses: 2
  Total global address space used (out of 4096): 0
  Status: installed
Module 4:
  Total ports: 48
  Total secure ports: 3
  Total MAC addresses: 99
  Total global address space used (out of 4096): 51
  Status: installed
Module 5:
  Total ports: 48
  Total secure ports: 0
  Total MAC addresses: 48
  Total global address space used (out of 4096): 0
  Status: installed
Module 16: Module does not support port security feature
Total secure ports in the system: 3
Total secure MAC addresses in the system: 149
Total global MAC address resource used in the system (out of 4096): 51