- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring Virtual Switching Systems
- Configuring the Cisco IOS In-Service Software Upgrade Process
- Configuring the Cisco IOS XE In Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring RPR
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E and Supervisor Engine 7L-E
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant
- Configuring VLANs, VTP, and VMPS
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring EVC-Lite
- Configuring SmartPort Macros
- Configuring Cisco IOS Auto Smartport Macros
- Configuring STP and MST
- Configuring Flex Links and MAC Address-Table Move Update
- Configuring Resilient Ethernet Protocol
- Configuring Optional STP Features
- Configuring EtherChannel and Link State Tracking
- Configuring IGMP Snooping and Filtering,
- Configuring IPv6 Multicast Listener Discovery Snooping
- Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
- Configuring Cisco Discovery Protocol
- Configuring LLDP, LLDP-MED, and Location Service
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Bidirectional Forwarding Detection
- Configuring Policy-Based Routing
- Configuring VRF-lite
- Configuring Quality of Service
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring MACsec Encryption
- Configuring 802.1X Port-Based Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Web-Based Authentication
- Configuring Port Security
- Configuring Auto Security
- Configuring Control Plane Policing and Layer 2 Control Packet QoS
- Configuring Dynamic ARP Inspection
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- Configuring Network Security with ACLs
- Support for IPv6
- Configuring Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring SPAN and RSPAN
- Configuring Wireshark
- Configuring Enhanced Object Tracking
- Configuring System Message Logging
- Onboard Failure Logging (OBFL)
- Configuring SNMP
- Configuring NetFlow-lite
- Configuring Flexible NetFlow
- Configuring Ethernet OAM and CFM
- Configuring Y.1731 (AIS and RDI)
- Configuring callhome
- Configuring Cisco IOS IP SLA Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP Version 2 Services
- Configuring MIB Support
- ROM Monitor
- Acronyms and Abbreviations
- Catalyst 4500 Series Switch SW Configuration Guide Index, IOS XE 3.6.0E and IOS 15.2(2)E
- Port Security Commands
- About Port Security
- Configuring Port Security on Access Ports
- Configuring Port Security on Access Ports
- Examples of Port Security on Access Ports
- Example 1: Setting Maximum Number of Secure Addresses
- Example 2: Setting a Violation Mode
- Example 3: Setting the Aging Timer
- Example 4: Setting the Aging Timer Type
- Example 5: Configuring a Secure MAC Address
- Example 6: Configuring Sticky Port Security
- Example 7: Setting a Rate Limit for Bad Packets
- Example 8: Clearing Dynamic Secure MAC Addresses
- Examples of Security Settings
- Example 1: Displaying Security Settings for the Entire Switch
- Example 2: Displaying Security Settings for an Interface
- Example 3: Displaying All Secure Addresses for the Entire Switch
- Example 4: Displaying a Maximum Number of MAC Addresses on an Interface
- Example 5: Displaying Security Settings on an Interface for a VLAN Range
- Example 6: Displaying Secured MAC Addresses and Aging Information on an Interface
- Example 7: Displaying Secured MAC Addresses for a VLAN Range on an Interface
Configuring Port Security
This chapter describes how to configure port security on the Catalyst 4500 series switch. It provides an overview of port security on the Catalyst 4500 series switch and details the configuration on various types of ports such as access, voice, trunk, and private VLAN (PVLAN).
This chapter consists of these sections:
- Port Security Commands
- About Port Security
- Configuring Port Security on Access Ports
- Configuring Port Security on PVLAN Ports
- Configuring Port Security on Trunk Ports
- Configuring Port Security on Voice Ports
- Displaying Port Security Settings
- Configuring Port Security with Other Features/Environments
- Port Security Configuration Guidelines and Restrictions
Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html
If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the Cisco IOS library. See the Cisco IOS Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/ps6350/index.html
Port Security Commands
This table lists the commands most commonly used with port security.
|
|
|
---|---|---|
Customizes the time to recover from a specified error disable cause. |
||
Configures a maximum number of MAC addresses on an interface. |
||
Creates an association between a secondary VLAN and a primary VLAN. |
Example of Port Security on an Isolated Private VLAN Host Port |
|
Configuring Port Security on an Isolated Private VLAN Host Port |
||
Configuring Port Security on an Isolated Private VLAN Host Port |
||
Specifies that ports with valid private VLAN trunk association become active host private VLAN trunk ports. |
Configuring Port Security on an Isolated Private VLAN Host Port |
|
Configuring Port Security on an Isolated Private VLAN Host Port |
||
Configuring Port Security on an Isolated Private VLAN Host Port |
||
Converts a sticky secure MAC address to a dynamic MAC secure address. |
||
Sets the maximum number of secure MAC addresses for an interface. |
||
Example 1: Configuring a Maximum Limit of Secure MAC Addresses for All VLANs |
About Port Security
Port security enables you to restrict the number of MAC addresses (termed secure MAC addresses) on a port, allowing you to prevent access by unauthorized MAC addresses. It also allows you to configure a maximum number of secure MAC addresses on a given port (and optionally for a VLAN for trunk ports). When a secure port exceeds the maximum, a security violation is triggered, and a violation action is performed based on the violation action mode configured on the port.
If you configure the maximum number of secure MAC addresses as 1 on the port, the device attached to the secure port is assured sole access to the port.
If a secure MAC address is secured on a port, that MAC address is not allowed to enter on any other port off that VLAN. If it does, the packet is dropped unnoticed in the hardware. Other than using the interface or port counters, you do not receive a log message reflecting this fact. Be aware that this condition does not trigger a violation. Dropping these packets in the hardware is more efficient and can be done without putting additional load on the CPU.
Port security has the following characteristics:
- It allows you to age out secure MAC addresses. Two types of aging are supported: inactivity and absolute.
- It supports a sticky feature whereby the secure MAC addresses on a port are retained through switch reboots and link flaps.
- It can be configured on various types of ports such as access, voice, trunk, EtherChannel, and private VLAN ports.
This overview contains the following topics:
- Secure MAC Addresses
- Maximum Number of Secure MAC Addresses
- Aging Secure MAC Addresses
- Sticky Addresses on a Port
- Violation Actions
Secure MAC Addresses
Port security supports the following types of secure MAC addresses:
- Dynamic or Learned—Dynamic secure MAC addresses are learned when packets are received from the host on the secure port. You might want to use this type if the user’s MAC address is not fixed (laptop).
- Static or configured—Static secure MAC addresses are configured by the user through CLI or SNMP. You might want to use this type if your MAC address remains fixed (PC).
- Sticky—Sticky addresses are learned such as dynamic secure MAC addresses, but persist through switch reboots and link flaps such as static secure MAC addresses. You might want to use this type if a large number of fixed MAC addresses exist and you do not want to configure MAC addresses manually (100 PCs secured on their own ports).
If a port has reached its maximum number of secure MAC addresses and you try to configure a static secure MAC address, your configuration is rejected and an error message displays. If a port has reached its maximum number of secure MAC addresses and a new dynamic secure MAC address is added, a violation action is triggered.
You can clear dynamic secure MAC addresses with the clear port-security command. You can clear sticky and static secure MAC addresses one at a time with the no form of the
switchport port-security mac-address command.
Maximum Number of Secure MAC Addresses
A secure port has a default of one MAC address. You can change the default to any value between 1 and 3,000. The upper limit of 3,000 guarantees one MAC address per-port and an additional 3,000 across all ports in the system.
After you have set the maximum number of secure MAC addresses on a port, you can include the secure addresses in an address table in one of the following ways:
- You can configure the secure MAC addresses with the switchport port-security mac-address mac_address interface configuration command.
- You can configure all secure MAC addresses on a range of VLANs with the port-security mac-address VLAN range configuration command for trunk ports.
- You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
- You can configure some of the addresses and allow the rest to be dynamically configured.
Note If a port’s link goes down, all dynamically secured addresses on that port are no longer secure.
- You can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. After these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although you can manually configure sticky secure addresses, this action is not recommended.
Note On a trunk port, a maximum number of secure MAC addresses can be configured on both the port and port VLAN. The port’s maximum value can be greater than or equal to the port VLAN maximum(s) but not less than the port VLAN maximum(s). If the port’s maximum value is less than at least one of the port VLAN’s maximum (for example, if we have max set to 3 on VLAN 10 while no “sw port max” is set (defaults to 1)), the port shuts down when dynamic adds reaches 2 on VLAN 10 (see “Port Security Configuration Guidelines and Restrictions” section). The port VLAN maximum enforces the maximum allowed on a given port on a given VLAN. If the maximum is exceeded on a given VLAN but the port’s maximum is not exceeded, the port still shuts down. The entire port is shut down even if one of the VLANs on the port has actually caused the violation.
Aging Secure MAC Addresses
You might want to age secure MAC addresses when the switch may be receiving more than 3,000 MAC addresses ingress.
Note Aging of sticky addresses is not supported.
By default, port security does not age out the secure MAC addresses. After learned, the MAC addresses remain on the port until either the switch reboots or the link goes down (unless the sticky feature is enabled). However, port security does allow you to configure aging based on the absolute or inactivity mode and aging interval (in minutes, from 1 to n).
Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses, while still limiting the number of secure addresses on a port.
Unless static aging is explicitly configured with the switchport port-security aging static command, static addresses are not aged even if aging is configured on the port.
Note The aging increment is one minute.
Sticky Addresses on a Port
By enabling sticky port security, you can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration. You might want to do this if you do not expect the user to move to another port, and you want to avoid statically configuring a MAC address on every port.
Note If you use a different chassis, you might need another MAC address.
To enable sticky port security, enter the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the running config file to the configuration file, the interface does not need to relearn these addresses when the switch restarts. If you do not save the configuration, they are lost.
If sticky port security is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.
After the maximum number of secure MAC addresses is configured, they are stored in an address table. To ensure that an attached device has sole access of the port, configure the MAC address of the attached device and set the maximum number of addresses to one, which is the default.
A security violation occurs if the maximum number of secure MAC addresses to a port has been added to the address table and a workstation whose MAC address is not in the address table attempts to access the interface.
Violation Actions
A security violation is triggered in these situations:
- When the number of secure MAC addresses on the port exceeds the maximum number of secure MAC addresses allowed on the port.
Note A secure violation is not triggered if the host secured on one port shows up on another port. The Catalyst 4500 series switch drops such packets on the new port silently in the hardware and does not overload the CPU.
You can configure the interface for one of following violation modes, which are based on the response to the violation:
- Restrict—A port security violation restricts data (that is, packets are dropped in software), causes the SecurityViolation counter to increment, and causes an SNMP Notification to be generated. You might want to configure this mode in order to provide uninterrupted service/access on a secure port.
The rate at which SNMP traps are generated can be controlled by the
snmp-server enable traps port-security trap-rate command. The default value (“0”) causes an SNMP trap to be generated for every security violation.
- Shutdown—A port security violation causes the interface to shut down immediately. You might want to configure this mode in a highly secure environment, where you do not want unsecured MAC addresses to be denied in software and service interruption is not an issue.
- Shutdown VLAN—Use to set the security violation mode for each VLAN. In this mode, the offending VLAN is error disabled instead of the entire port when a violation occurs.
When a secure port is in the error-disabled state, you can bring it out of this state automatically by configuring the errdisable recovery cause psecure-violation global configuration command or you can manually reenable it by entering the shutdown and no shut down interface configuration commands. it is the default mode. If a port is in per-VLAN errdisable mode, you can also use clear errdisable interface name vlan range command to reenable the VLAN on the port.
You can also customize the time to recover from the specified error disable cause (default is 300 seconds) by entering the errdisable recovery interval interval command.
Invalid Packet Handling
You might want to rate limit invalid source MAC address packets on a secure port if you anticipate that a device will send invalid packets (such as traffic generator, sniffer, and bad NICs).
The port security feature considers the following as “invalid frames”:
– Packets with a source or destination MAC address that is all zero
– Packets with a multicast or broadcast source MAC address
– Packets from an address either learned or configured on a secure interface that are observed on another secure interface in the same VLAN
You can chose to rate limit these packets. If the rate is exceeded, you can trigger a violation action for the port.
Configuring Port Security on Access Ports
These sections describe how to configure port security:
Note Port security can be enabled on a Layer 2 port channel interface configured in access mode. The port security configuration on an EtherChannel is independent of the configuration of any member ports.
Configuring Port Security on Access Ports
To restrict traffic through a port by limiting and identifying MAC addresses of the stations allowed to the port, perform this task:
|
|
|
---|---|---|
interface port-channel port_channel_number |
Enters interface configuration mode and specifies the interface to configure. Note The interface can be a Layer 2 port channel logical interface. |
|
|
Note An interface in the default mode (dynamic auto) cannot be configured as a secure port. |
|
|
Enables port security on the interface. To return the interface to the default condition as a not secured, use the no switchport port-security command. |
|
|
(Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072; the default is 1. To return the interface to the default number of secure MAC addresses, use the no switchport port-security maximum value. |
|
[ aging {static | time aging_time | type {absolute | inactivity}] |
Sets the aging time and aging type for all secure addresses on a port. Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of secure addresses on a port. The static keyword enables aging for statically configured secure addresses on this port. The time aging_time value specifies the aging time for this port. Valid range for aging_time is from 0 to 1440 minutes. If the time is equal to 0, aging is disabled for this port. The type keyword sets the aging type as absolute or inactive.
To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. |
|
|
(Optional) Sets the violation mode, the action to be taken when a security violation is detected, as one of these:
Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command or you can manually reenable it by entering the shutdown and no shut down interface configuration commands. To return the violation mode to the default condition (shutdown mode), use the |
|
|
||
|
(Optional) Enters a secure MAC address for the interface. You can use this command to configure a secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. To delete a MAC address from the address table, use the no switchport port-security mac-address mac_address command. Note This command only applies to access, PVLAN host, and PVLAN promiscuous mode. For more details on PVLAN, trunk, or regular trunk mode, refer to the “Configuring Port Security on Trunk Ports” section. |
|
|
(Optional) Enables sticky learning on the interface. To disable sticky learning on an interface, use the |
|
|
Specifies the sticky mac-address for the interface. When you specify the vlan keyword, the mac-address becomes sticky in the specified VLAN. To delete a sticky secure MAC addresses from the address table, use the Note This command only applies to access, PVLAN host, and PVLAN promiscuous mode. For more details on PVLAN or trunk or regular trunk mode, refer to the “Configuring Port Security on Trunk Ports” section. |
|
|
||
interface interface_id |
Note To clear dynamically learned port security MAC addresses in the CAM table, use the clear port-security dynamic command. The address keyword enables you to clear a secure MAC addresses. The interface keyword enables you to clear all secure addresses on any interface (including any port channel interface). The VLAN keyword allows you to clear port security MACs on a per-VLAN per-port basis.
Examples of Port Security on Access Ports
The following examples are provided:
- Example 1: Setting Maximum Number of Secure Addresses
- Example 2: Setting a Violation Mode
- Example 3: Setting the Aging Timer
- Example 4: Setting the Aging Timer Type
- Example 5: Configuring a Secure MAC Address
- Example 6: Configuring Sticky Port Security
- Example 7: Setting a Rate Limit for Bad Packets
- Example 8: Clearing Dynamic Secure MAC Addresses
Example 1: Setting Maximum Number of Secure Addresses
This example shows how to enable port security on the Fast Ethernet interface 3/12 and how to set the maximum number of secure addresses to 5. The violation mode is the default, and no secure MAC addresses are configured.
Example 2: Setting a Violation Mode
This example shows how to set the violation mode on the Fast Ethernet interface 3/12 to restrict.
SNMP traps can be enabled with a rate-limit to detect port-security violations due to restrict mode. The following example shows how to enable traps for port-security with a rate of 5 traps per second:
Example 3: Setting the Aging Timer
This example shows how to set the aging time to 2 hours (120 minutes) for the secure addresses on the Fast Ethernet interface 5/1:
This example shows how to set the aging time to 2 minutes:
You can verify the previous commands with the show port-security interface command.
Example 4: Setting the Aging Timer Type
This example shows how to set the aging timer type to Inactivity for the secure addresses on the Fast Ethernet interface 3/5:
Example 5: Configuring a Secure MAC Address
This example shows how to configure a secure MAC address on Fast Ethernet interface 5/1 and to verify the configuration:
Example 6: Configuring Sticky Port Security
This example shows how to configure a sticky MAC address on Fast Ethernet interface 5/1 and to verify the configuration:
Note Sending traffic to the ports causes the system to configure the port with sticky secure addresses.
Example 7: Setting a Rate Limit for Bad Packets
The following example shows how to configure rate limit for invalid source packets on Fast Ethernet interface 5/1:
The following example shows how to configure rate limit for invalid source packets on Fast Ethernet interface 5/1:
Example 8: Clearing Dynamic Secure MAC Addresses
The following example shows how to clear a dynamic secure MAC address:
The following example shows how to clear all dynamic secure MAC addresses on Fast Ethernet interface 2/1:
The following example shows how to clear all dynamic secure MAC addresses in the system:
Configuring Port Security on PVLAN Ports
You can configure port security on a private VLAN port to take advantage of private VLAN functionality as well as to limit the number of MAC addresses.
Note This section follows the same configuration model that was presented for access ports.
These sections describe how to configure trunk port security on host and promiscuous ports:
- Configuring Port Security on an Isolated Private VLAN Host Port
- Example of Port Security on an Isolated Private VLAN Host Port
- Configuring Port Security on a Private VLAN Promiscuous Port
- Example of Port Security on a Private VLAN Promiscuous Port
Configuring Port Security on an Isolated Private VLAN Host Port
Figure 49-1 illustrates a typical topology for port security implemented on private VLAN host ports. In this topology, the PC connected through port a on the switch can communicate only with the router connected using the promiscuous port on the switch. The PC connected through port a cannot communicate with the PC connected through port b.
Figure 49-1 Port Security on Isolated Private VLAN Host Ports
Note Dynamic addresses secured on an isolated private VLAN host port on private VLANs are secured on the secondary VLANs, and not primary VLANs.
To configure port security on an isolated private VLAN host port, perform this task:
Example of Port Security on an Isolated Private VLAN Host Port
The following example shows how to configure port security on an isolated private VLAN host port, Fast Ethernet interface 3/12:
Configuring Port Security on a Private VLAN Promiscuous Port
To configure port security on a private VLAN promiscuous port, perform this task:
Example of Port Security on a Private VLAN Promiscuous Port
The following example shows how to configure port security on a private VLAN promiscuous port, Fast Ethernet interface 3/12:
Configuring Port Security on Trunk Ports
You might want to configure port security on trunk ports in metro aggregation to limit the number of MAC addresses per-VLAN. Trunk port security extends port security to trunk ports. It restricts the allowed MAC addresses or the maximum number of MAC addresses to individual VLANs on a trunk port. Trunk port security enables service providers to block the access from a station with a different MAC address than the ones specified for that VLAN on that trunk port. Trunk port security is also supported on private VLAN trunk ports.
Note Port security can be enabled on a Layer 2 port channel interface configured in mode. The port security configuration on an EtherChannel is kept independent of the configuration of any physical member ports.
These sections describe how to configure trunk port security:
- Configuring Trunk Port Security
- Examples of Trunk Port Security
- Trunk Port Security Configuration Guidelines and Restrictions
Configuring Trunk Port Security
Trunk port security is used when a Catalyst 4500 series switch has a dot1q or isl trunk attached to a neighborhood Layer 2 switch. This may be used, for example, in metro aggregation networks (Figure 49-2).
Figure 49-2 Trunk Port Security
You can configure various port security related parameters on a per-port per-VLAN basis.
Note The steps involved in configuring port security parameters is similar to those for access ports. In addition to those steps, the following per-port per-VLAN configuration steps are supported for trunk ports.
To configure port security related parameters on a per-VLAN per-port basis, perform this task:
|
|
|
---|---|---|
interface port-channel port_channel_number |
Enters interface configuration mode and specifies the interface to configure. Note The interface can be a Layer 2 port channel logical interface. |
|
|
||
|
Note An interface in the default mode (dynamic auto) cannot be configured as a secure port. |
|
|
Configures a maximum number of secure mac-addresses for each VLAN on the interface that are not explicitly configured with a maximum mac-address limit. See the “Maximum Number of Secure MAC Addresses” section. |
|
|
||
port-security maximum value |
Configures a maximum number of secure MAC addresses for each VLAN. |
|
no port-security maximum |
Removes a maximum number of secure MAC addresses configuration for all the VLANs. Subsequently, the maximum value configured on the port will be used for all the VLANs. |
|
|
||
|
||
|
||
|
Examples of Trunk Port Security
Example 1: Configuring a Maximum Limit of Secure MAC Addresses for All VLANs
This example shows how to configure a secure MAC-address and a maximum limit of secure MAC addresses on Gigabit Ethernet interface 1/1 for all VLANs:
Example 2: Configuring a Maximum Limit of Secure MAC Addresses for Specific VLANs
This example shows how to configure a secure MAC-address on interface g1/1 in a specific VLAN or range of VLANs:
Example 3: Configuring Secure MAC Addresses in a VLAN Range
This example shows how to configure a secure MAC-address in a VLAN on interface g1/1:
Trunk Port Security Configuration Guidelines and Restrictions
When configuring port security related parameters on a per-port per-VLAN basis, consider these guidelines and restrictions:
- A secure MAC-address cannot be configured on a VLAN that is not allowed on a regular trunk port.
- The configuration on the primary VLAN on the private VLAN trunk is not allowed. The CLI is rejected and an error message is displayed.
- If a specific VLAN on a port is not configured with a maximum value (directly or indirectly), the maximum configured for the port is used for that VLAN. In this situation, the maximum number of addresses that can be secured on this VLAN is limited to the maximum value configured on the port.
Each VLAN can be configured with a maximum count that is greater than the value configured on the port. Also, the sum of the maximum configured values for all the VLANs can exceed the maximum configured for the port. In either of these situations, the number of MAC addresses secured on each VLAN is limited to the lesser of the VLAN configuration maximum and the port configuration maximum. Also, the number of addresses secured on the port across all VLANs cannot exceed a maximum that is configured on the port.
- For private VLAN trunk ports, the VLAN on which the configuration is being performed must be in either the allowed VLAN list of the private VLAN trunk or the secondary VLAN list in the association pairs. (The CLI is rejected if this condition is not met.) The allowed VLAN list on a private VLAN trunk is intended to hold the VLAN-IDs of all the regular VLANs that are allowed on the private VLAN trunk.
- Removal of an association pair from a PVLAN trunk causes all static and sticky addresses associated with the secondary VLAN of the pair to be removed from the running configuration. Dynamic addresses associated with the secondary VLAN are deleted from the system.
Similarly, when a VLAN is removed from the list of allowed PVLAN trunks, the addresses associated with that VLAN are removed.
Note For a regular or private VLAN trunk port, if the VLAN is removed from the allowed VLAN list, all the addresses associated with that VLAN are removed.
Port Mode Changes
Generally, when a port mode changes, all dynamic addresses associated with that port are removed. All static or sticky addresses and other port security parameters configured on the native VLAN are moved to the native VLAN of the port in the new mode. All the addresses on the non-native VLANs are removed.
The native VLAN refers to the following VLAN on the specified port type:
|
|
---|---|
For example, when the mode changes from access to private VLAN trunk, all the static or sticky addresses configured on the access VLAN of the access port are moved to the private VLAN native VLAN of the private VLAN trunk port. All other addresses are removed.
Similarly, when the mode changes from private VLAN trunk to access mode, all the static or sticky addresses configured on the private VLAN native VLAN are moved to the access VLAN of the access port. All other addresses are removed.
When a port is changed from trunk to private VLAN trunk, addresses associated with a VLAN on the trunk are retained if that VLAN is present in the allowed list of private VLAN trunk or the secondary VLAN of an association on the private VLAN trunk. If the VLAN is not present in either of them, the address is removed from the running configuration.
When a port is changed from private VLAN trunk to trunk, a static or sticky address is retained if the VLAN associated with the address is present in the allowed VLAN list of the trunk. If the VLAN is not present in the allowed list, the address is removed from running configuration.
Configuring Port Security on Voice Ports
You might want to configure port security in an IP phone environment when a port is configured with a data VLAN for a PC and a voice VLAN for a Cisco IP Phone.
These sections describe how to configure port security on voice ports:
- Configuring Port Security on Voice Ports
- Examples of Voice Port Security
- Voice Port Security Configuration Guidelines and Restrictions
Configuring Port Security on Voice Ports
To configure port security on a voice port, perform this task:
|
|
|
---|---|---|
|
Enters interface configuration mode and specifies the physical interface to configure. |
|
|
Note An interface in the default mode (dynamic auto) cannot be configured as a secure port. |
|
|
Enables port security on the interface. To return the interface to the default condition as not secured, use the no switchport port-security command. |
|
|
(Optional) Sets the violation mode, the action to be taken when a security violation is detected, as one of these:
Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command or you can manually reenable it by entering the shutdown and no shut down interface configuration commands. To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation shutdown command. |
|
|
||
|
(Optional) Specifies a secure MAC address for the interface. When you specify the vlan keyword, addresses are configured in the specified VLAN.
You can use this command to configure secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. To delete a MAC address from the address table, use the no switchport port-security mac-address mac_address command. Note This command only applies to access, PVLAN host, and PVLAN promiscuous mode. For more details on PVLAN, trunk, or regular trunk mode, refer to the “Configuring Port Security on Trunk Ports” section. |
|
|
(Optional) Enables sticky learning on the interface. To disable sticky learning on an interface, use the |
|
|
Specifies the sticky mac-address for the interface. When you specify the vlan keyword, the mac-address becomes sticky in the specified VLAN.
To delete a sticky secure MAC addresses from the address table, use the no switchport port-security mac-address mac_address sticky command. To convert sticky to dynamic addresses, use the no switchport port-security mac-address sticky command. Note This command only applies to access, PVLAN host, and PVLAN promiscuous mode. For more details on PVLAN or trunk or regular trunk mode, refer to the “Configuring Port Security on Trunk Ports” section. |
|
|
||
interface interface_id |
Note To clear dynamically learned port security MAC addresses in the CAM table, use the
clear port-security dynamic command. The address keyword enables you to clear a secure MAC addresses. The interface keyword enables you to clear all secure addresses on an interface (including any port channel interface). The VLAN keyword allows you to clear port security MACs on a per-VLAN per-port basis.
Note Each port security-configured interface accepts one MAC-address by default. With port security port level port-security configuration takes precedence over VLAN level port-security configuration. To allow one MAC-address each for voice and data VLAN, configure the port for a maximum of greater than or equal to two addresses.
Examples of Voice Port Security
Example 1: Configuring Maximum MAC Addresses for Voice and Data VLANs
This example shows how to designate a maximum of one MAC address for a voice VLAN (for a Cisco IP Phone, let’s say) and one MAC address for the data VLAN (for a PC, let’s say) on Fast Ethernet interface 5/1 and to verify the configuration:
Note Sending traffic to the ports causes the system to configure the port with sticky secure addresses.
Example 2: Configuring Sticky MAC Addresses for Voice and Data VLANs
This example shows how to configure sticky MAC addresses for voice and data VLANs on Fast Ethernet interface 5/1 and to verify the configuration:
Note Sending traffic to the ports causes the system to configure the port with sticky secure addresses.
Voice Port Security Configuration Guidelines and Restrictions
Note Port security as implemented on voice ports functions the same as port security on access ports.
When using (or configuring) voice port security, consider these guidelines and restrictions:
- You can configure sticky port security on voice ports. If sticky port security is enabled on a voice port, addresses secured on data and voice VLANs are secured as sticky addresses.
- You can configure maximum secure addresses per-VLAN. You can set a maximum for either the data VLAN or the voice VLAN. You can also set a maximum per-port, just as with access ports.
- You can configure port security MAC addresses on a per-VLAN basis on either the data or voice VLANs.
- Prior to Cisco IOS Release 12.2(31)SG, you required three MAC addresses as the maximum parameter to support an IP phone and a PC. With Cisco IOS Release 12.2(31)SG and later releases, the maximum parameter must be configured to two, one for the phone and one for the PC.
Displaying Port Security Settings
Use the show port-security command to display port security settings for an interface or for the switch.
To display traffic control information, perform one or more of these tasks:
Examples of Security Settings
The following examples are provided:
- Example 1: Displaying Security Settings for the Entire Switch
- Example 2: Displaying Security Settings for an Interface
- Example 3: Displaying All Secure Addresses for the Entire Switch
- Example 4: Displaying a Maximum Number of MAC Addresses on an Interface
- Example 5: Displaying Security Settings on an Interface for a VLAN Range
- Example 6: Displaying Secured MAC Addresses and Aging Information on an Interface
- Example 7: Displaying Secured MAC Addresses for a VLAN Range on an Interface
Example 1: Displaying Security Settings for the Entire Switch
This example shows how to display port security settings for the entire switch:
Example 2: Displaying Security Settings for an Interface
This example shows how to display port security settings for Fast Ethernet interface 5/1:
Example 3: Displaying All Secure Addresses for the Entire Switch
This example shows how to display all secure MAC addresses configured on all switch interfaces:
Example 4: Displaying a Maximum Number of MAC Addresses on an Interface
This example shows how to display the maximum allowed number of secure MAC addresses and the current number of secure MAC addressees on Gigabit Ethernet interface 1/1:
Example 5: Displaying Security Settings on an Interface for a VLAN Range
This example shows how to display the port security settings on Gigabit Ethernet interface 1/1 for VLANs 2 and 3:
Example 6: Displaying Secured MAC Addresses and Aging Information on an Interface
This example shows how to display all secure MAC addresses configured on Gigabit Ethernet
interface 1/1 with aging information for each address.
Example 7: Displaying Secured MAC Addresses for a VLAN Range on an Interface
This example shows how to display all secure MAC addresses configured on VLANs 2 and 3 on
Gigabit Ethernet interface 1/1 with aging information for each address:
Configuring Port Security with Other Features/Environments
The following topics are discussed:
DHCP and IP Source Guard
You might want to configure port security with DHCP and IP Source Guard to prevent IP spoofing by unsecured MAC addresses. IP Source Guard supports two levels of IP traffic filtering:
When used in source IP and MAC address filtering, IP Source Guard uses private ACLs to filter traffic based on the source IP address, and uses port security to filter traffic based on the source MAC address. Port security must be enabled on the access port in this mode.
When both features are enabled, the following limitations apply:
- The DHCP packet is not subject to port security dynamic learning.
- If multiple IP clients are connected to a single access port, port security cannot enforce exact binding of source IP and MAC address for each client.
For example, these clients reside on an access port with the following IP and MAC address:
– client2: MAC2 <---> IP2e bAny combination of the source MAC and IP address traffic will be allowed as shown here:
IP traffic with the correct source IP and MAC address binding will be permitted and port security will dynamically learn its MAC address. IP traffic with source addresses that are not in the binding will be treated as invalid packets and dropped by port security. To prevent a denial of service attack, you must configure port security rate limiting for the invalid source MAC address.
802.1X Authentication
You might want to configure port security with 802.1X authentication to prevent MAC spoofing. 802.1X is not supported on regular or private VLAN trunks. On access ports and PVLAN host or promiscuous ports, both port security and 802.1X can be configured simultaneously. When both are configured, hosts must be 802.1X authenticated before port security can secure the MAC address of the host. Both 802.1X and port security must approve of the host or a security violation will be triggered. The type of security violation will depend on which feature rejects the port: if the host is allowed by 802.1X (for example, because the port is in multihost mode) but is disallowed by port security, the port-security violation action will be triggered. If the host is allowed by port security but rejected by 802.1X (for example, because the host is not authorized on a single-host mode port) then the 802.1X security violation action will be triggered.
Note 802.1X, port-security and VVID can all be configured on the same port.
For more information on the interaction between 802.1X and port security, see “Using 802.1X with Port Security” section.
Configuring Port Security in a Wireless Environment
If access points are connected to a secure port, do not configure a static MAC address for your users. A MAC address might move from one access point to another and might cause security violations if both the access points are connected on the same switch.
Figure 49-3 illustrates a typical topology of port security in a wireless environment.
Figure 49-3 Port Security in a Wireless Environment
Port Security Configuration Guidelines and Restrictions
When using (or configuring) port security, consider these guidelines and restrictions:
- After port security is configured on a port along with a "denying" PACL, the CPU will neither see any of the PACL packets denied from the given port nor learn the source MAC addresses from the denied packets. Therefore, the port security feature will not be aware of such packets.
- A secure port cannot be a destination port for the Switch Port Analyzer (SPAN).
- A secure port and a static MAC address configuration for an interface are mutually exclusive.
- When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
- While configuring trunk port security on a trunk port, you do not need to account for the protocol packets such as CDP and BPDU) because they are not learned and secured.
- You cannot enable port security aging on sticky secure MAC addresses.
- To restrict MAC spoofing using port security, you must enable 802.1X authentication.
- You cannot configure port security on dynamic ports. You must change the mode to access before you enable port security.
- Port Security over EtherChannels is not supported.