- Index
- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring Supervisor Engine Redundancy using RPR and SSO
- Managing a Network of Switches
- Understanding and Configuring VLANs
- Configuring Dynamic VLAN Membership
- Configuring Layer 2 Ethernet Interfaces
- Configuring SmartPort Macros
- Understanding and Configuring STP
- Configuring STP Features
- Understanding and Configuring Multiple Spanning Trees
- Understanding and Configuring EtherChannel
- Configuring IGMP Snooping and Filtering
- Configuring 802.1Q and Layer 2 Protocol Tunneling
- Understanding and Configuring CDP
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Understanding and Configuring IP Multicast
- Configuring Policy-Based Routing
- Understanding and Configuring VTP
- Configuring VRF-lite
- Configuring QoS
- Configuring Voice Interfaces
- Understanding and Configuring 802.1X Port-Based Authentication
- Configuring Port Security
- Configuring DHCP Snooping and IP Source Guard
- Understanding and Configuring Dynamic ARP Inspection
- Configuring Network Security with ACLs
- Configuring Private VLANs
- Port Unicast and Multicast Flood Blocking
- Configuring Port-Based Traffic Control
- Environment Monitoring and Power Management
- Configuring SPAN and RSPAN
- Configuring NetFlow Statistics Collection
- Acronyms
Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(20)EWA
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- March 21, 2015
Chapter: Configuring Port Security
Configuring Port Security
This chapter describes how to configure port security on Catalyst 4500 series switches. It provides guidelines, procedures, and configuration examples.
Note 
For complete syntax and usage information for the switch commands used in this chapter, first look at the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html
If the command is not found in the Catalyst 4500 Command Reference, it will be found in the larger Cisco IOS library. Refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/ps6350/index.html
This chapter consists of these sections:
•Default Port Security Configuration
•Port Security Guidelines and Restrictions
•Displaying Port Security Settings
Overview of Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.
If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these ways:
•You can configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
•You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
•You can configure a number of addresses and allow the rest to be dynamically configured.
Note If the port shuts down, all dynamically learned addresses are removed.
•You can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the configuration, they are lost.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.
After the maximum number of secure MAC addresses is configured, they are stored in an address table. To ensure that an attached device has the full bandwidth of the port, configure the MAC address of the attached device and set the maximum number of addresses to one, which is the default.
Note When a Catalyst 4500 series switch port is configured to support voice as well as port security, the maximum number of allowable MAC addresses on this port should be changed to three.
A security violation occurs if the maximum number of secure MAC addresses has been added to the address table and a workstation whose MAC address is not in the address table attempts to access the interface.
You can configure the interface for one of these violation modes, based on the action to be taken if a violation occurs:
•Restrict—A port security violation restricts data, causes the SecurityViolation counter to increment, and causes an SNMP Notification to be generated. The rate at which SNMP traps are generated can be controlled by the snmp-server enable traps port-security trap-rate command. The default value ("0") causes an SNMP trap to be generated for every security violation.
•Shutdown—A port security violation causes the interface to shut down immediately. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure_violation global configuration command or you can manually reenable it by entering the shutdown and no shut down interface configuration commands. This is the default mode.
You can also customize the time to recover from the specified error disable cause (default is 300 seconds) by entering the errdisable recovery interval interval command.
Default Port Security Configuration
Table 30-1 shows the default port security configuration for an interface.
Port Security Guidelines and Restrictions
Follow these guidelines when configuring port security:
•A secure port cannot be a trunk port.
•A secure port cannot be a destination port for Switch Port Analyzer (SPAN).
•A secure port cannot belong to an EtherChannel port-channel interface.
•A secure port and static MAC address configuration are mutually exclusive.
Configuring Port Security
These sections describe how to configure port security:
•Configuring Port Security on an Interface
•Configuring Port Security Aging
Configuring Port Security on an Interface
To restrict traffic through a port by limiting and identifying MAC addresses of the stations allowed to access the port, perform this task:
•To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command.
•To return the interface to the default number of secure MAC addresses, use the no switchport port-security maximum value.
•To delete a MAC address from the address table, use the no switchport port-security mac-address mac_address command.
•To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation {restrict | shutdown} command.
•To disable sticky learning on an interface, use the no switchport port-security mac-address sticky command. The interface converts the sticky secure MAC addresses to dynamic secure addresses.
•To delete a sticky secure MAC addresses from the address table, use the no switchport port-security sticky mac-address mac_address command. To delete all the sticky addresses on an interface or a VLAN, use the no switchport port-security sticky interface interface-id command.
•To clear dynamically learned port security MAC in the CAM table, use the clear port-security dynamic command. The address keyword enables you to clear a secure MAC addresses. The interface keyword enables you to clear all secure addresses on an interface.
This example shows how to enable port security on Fast Ethernet port 12 and how to set the maximum number of secure addresses to 5. The violation mode is the default, and no secure MAC addresses are configured.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet 3/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
Switch# show port-security interface fastethernet 3/12
Port Security :Enabled
Port Status :Secure-up
Violation Mode :Shutdown
Aging Time :0
Aging Type :Absolute
SecureStatic Address Aging :Enabled
Maximum MAC Addresses :5
Total MAC Addresses :0
Configured MAC Addresses :0
Sticky MAC Addresses :11
Last Source Address :0000.0000.0401
Security Violation Count :0
This example shows how to configure a secure MAC address on Fast Ethernet port 5/1 and verify the configuration:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet 5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 10
Switch(config-if)# switchport port-security mac-address 0000.0000.0003 (Static secure MAC)
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 (Sticky static MAC)
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# end
Switch#show port address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.0000.0001 SecureSticky Fa5/1 -
1 0000.0000.0002 SecureSticky Fa5/1 -
1 0000.0000.0003 SecureConfigured Fa5/1 -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 2
Max Addresses limit in System (excluding one mac per port) : 1024
Configuring Port Security Aging
You can use port security aging to set the aging time and aging type for all secure addresses on a port.
Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of secure addresses on a port.
To configure port security aging, perform this task:
To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command.
This example shows how to set the aging time as 2 hours for the secure addresses on the Fast Ethernet interface 5/1:
Switch(config)# interface fastethernet 5/1
Switch(config-if)# switchport port-security aging time 120
This example shows how to set the aging time as 2 minutes:
Switch(config-if)# switchport port-security aging time 2
You can verify the previous commands by entering the show port-security interface interface_id command.
Displaying Port Security Settings
Use the show port-security command to display port-security settings for an interface or for the switch.
To display traffic control information, perform one or more of these tasks:
This example displays output from the show port-security command when you do not enter an interface:
Switch# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa3/1 2 2 0 Restrict
Fa3/2 2 2 0 Restrict
Fa3/3 2 2 0 Shutdown
Fa3/4 2 2 0 Shutdown
Fa3/5 2 2 0 Shutdown
Fa3/6 2 2 0 Shutdown
Fa3/7 2 2 0 Shutdown
Fa3/8 2 2 0 Shutdown
Fa3/10 1 0 0 Shutdown
Fa3/11 1 0 0 Shutdown
Fa3/12 1 0 0 Restrict
Fa3/13 1 0 0 Shutdown
Fa3/14 1 0 0 Shutdown
Fa3/15 1 0 0 Shutdown
Fa3/16 1 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) :8
Max Addresses limit in System (excluding one mac per port) :1024
Global SNMP trap control for port-security :20 (traps per second)
This example displays output from the show port-security command for a specified interface:
Switch# show port-security interface fastethernet 5/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address : 0000.0001.001a
Security Violation Count : 0
This example displays output from the show port-security address command:
Switch#sh port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.0001.0000 SecureConfigured Fa3/1 15 (I)
1 0000.0001.0001 SecureConfigured Fa3/1 14 (I)
1 0000.0001.0100 SecureConfigured Fa3/2 -
1 0000.0001.0101 SecureConfigured Fa3/2 -
1 0000.0001.0200 SecureConfigured Fa3/3 -
1 0000.0001.0201 SecureConfigured Fa3/3 -
1 0000.0001.0300 SecureConfigured Fa3/4 -
1 0000.0001.0301 SecureConfigured Fa3/4 -
1 0000.0001.1000 SecureDynamic Fa3/5 -
1 0000.0001.1001 SecureDynamic Fa3/5 -
1 0000.0001.1100 SecureDynamic Fa3/6 -
1 0000.0001.1101 SecureDynamic Fa3/6 -
1 0000.0001.1200 SecureSticky Fa3/7 -
1 0000.0001.1201 SecureSticky Fa3/7 -
1 0000.0001.1300 SecureSticky Fa3/8 -
1 0000.0001.1301 SecureSticky Fa3/8 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) :8
Max Addresses limit in System (excluding one mac per port) :1024
Feedback