Port Security Overview
The port security feature allows you to restrict input to an interface by limiting and identifying the MAC addresses of the workstations that are allowed to access the port. It helps you control the learning and storing of MAC addresses for each interface. It is used to protect against CAM overflow attacks and against rogue equipment, such as hubs and switches, being plugged in. A port with port security enabled is called a secure port, and the MAC addresses allowed on that port are called secure MAC addresses. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address to a secure port, the workstation attached to that port is assured the full bandwidth of the port.
After you have set the maximum number of secure MAC addresses on a port, you can include secure MAC addresses in an address table in one of these ways:
- Configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
- Allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
- Configure a number of addresses and allow the rest to be dynamically configured.
  Note: If the port shuts down, all dynamically learned addresses are removed.
- Configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.
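The following IOS configuration, added here as an illustration and not taken from the original page, combines the options above on one access port: one secure MAC address is configured statically, the remaining allowed address is learned and stored as a sticky entry. The interface name and MAC addresses are constructed placeholders.

```cisco
! Added example, not part of the original page. Interface name and MAC
! addresses are constructed placeholders; replace with your own values.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 ! Cap this port's secure address table at two secure MAC addresses
 switchport port-security maximum 2
 ! Shut the port down on a violation (the default mode); dynamically
 ! learned, non-sticky addresses are removed when the port shuts down
 switchport port-security violation shutdown
 ! Statically configured secure MAC address (counts toward the maximum)
 switchport port-security mac-address 0000.1111.2222
 ! Remaining addresses are learned from connected devices and written into
 ! the running configuration as sticky entries, so they survive a restart
 ! once the configuration is saved (copy running-config startup-config)
 switchport port-security mac-address sticky
!
! After a second device is seen, the running configuration gains a line of
! the form (constructed value):
!  switchport port-security mac-address sticky 0000.3333.4444
!
! Verification: maximum, current secure address count, violation count and
! the learned addresses for the port
! show port-security interface GigabitEthernet1/0/1
! show port-security address
```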
MAC Learning
After port security is enabled on an interface and a new MAC address is seen on the interface, a security validation is performed for the new MAC address. Based on this validation, the MAC address is added to the address table either as a normal entry or as a drop entry.