Configuring Port Security

Prerequisites for Port Security


Note: If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected.


Restrictions for Port Security

The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.

Information About Port Security

Port Security

You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.

Types of Secure MAC Addresses

The switch supports these types of secure MAC addresses:

  • Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
  • Dynamic secure MAC addresses—These are dynamically configured, stored only in the address table, and removed when the switch restarts.
  • Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.

Sticky Secure MAC Addresses

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. The interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All sticky secure MAC addresses are added to the running configuration.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.

If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

Security Violations

It is a security violation when one of these situations occurs:

  • The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
  • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:

  • protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

    Note: We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

  • restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
  • shutdown—a port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
  • shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error-disabled instead of the entire port when a violation occurs.

This table shows the violation mode and the actions taken when you configure an interface for port security.

Table 1 Security Violation Mode Actions

Violation Mode   Traffic is forwarded (1)   Sends SNMP trap   Sends syslog message   Displays error message (2)   Violation counter increments   Shuts down port
protect          No                         No                No                     No                           No                             No
restrict         No                         Yes               Yes                    No                           Yes                            No
shutdown         No                         No                No                     No                           Yes                            Yes
shutdown vlan    No                         No                Yes                    No                           Yes                            No (3)

(1) Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
(2) The switch returns an error message if you manually configure an address that would cause a security violation.
(3) Shuts down only the VLAN on which the violation occurred.
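The following is an added example, not Cisco code or output: a small Python model of the behaviour described in "Security Violations" and Table 1. It implements both violation triggers (the table is full and an unknown source address arrives; an address secured on one port appears on another secure port in the same VLAN), applies the four violation modes, and shows the sticky-learning conversion from the earlier section. The class names, the MAC addresses and the event strings are this example's own constructions.

```python
from dataclasses import dataclass, field

STATIC, DYNAMIC, STICKY = "static", "dynamic", "sticky"   # types of secure MAC addresses


@dataclass
class SecurePort:
    name: str
    maximum: int = 1            # Table 2 default: one secure address per port
    mode: str = "shutdown"      # Table 2 default violation mode
    sticky: bool = False
    secure: dict = field(default_factory=dict)   # mac -> (kind, vlan)
    violations: int = 0
    errdisabled: bool = False
    errdisabled_vlans: set = field(default_factory=set)
    events: list = field(default_factory=list)   # stand-in for SNMP trap + syslog

    def add_static(self, mac, vlan):
        """Table 1 footnote 2: a manual entry that would itself violate is refused."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            return False
        self.secure[mac] = (STATIC, vlan)
        return True

    def set_maximum(self, value):
        """Prerequisites note: lowering the maximum below the configured count is rejected."""
        if value < len(self.secure):
            return False
        self.maximum = value
        return True

    def set_sticky(self, enabled):
        """On: dynamic entries become sticky (and enter running-config); off: the reverse."""
        self.sticky = enabled
        old, new = (DYNAMIC, STICKY) if enabled else (STICKY, DYNAMIC)
        for mac, (kind, vlan) in self.secure.items():
            if kind == old:
                self.secure[mac] = (new, vlan)

    def running_config(self):
        """Lines that would appear in running-config; dynamic entries never do."""
        lines = [f"interface {self.name}", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.mode}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, (kind, vlan) in self.secure.items():
            if kind == STATIC:
                lines.append(f" switchport port-security mac-address {mac} vlan {vlan}")
            elif kind == STICKY:
                lines.append(f" switchport port-security mac-address sticky {mac} vlan {vlan}")
        return lines


class Switch:
    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}

    def _violation(self, port, vlan, mac, reason):
        """Apply the Table 1 actions for the port's violation mode."""
        if port.mode == "protect":
            return "dropped"                       # silent: no trap, syslog or counter
        port.violations += 1
        port.events.append(f"{port.name}: {reason} mac={mac} vlan={vlan}")
        if port.mode == "restrict":
            return "dropped"
        if port.mode == "shutdown":
            port.errdisabled = True                # whole port is err-disabled
            return "port err-disabled"
        port.errdisabled_vlans.add(vlan)           # shutdown vlan: only this VLAN
        return f"vlan {vlan} err-disabled"

    def ingress(self, port_name, vlan, mac):
        """Outcome for a frame with source `mac` arriving on `port_name` in `vlan`."""
        port = self.ports[port_name]
        if port.errdisabled or vlan in port.errdisabled_vlans:
            return "dropped (err-disabled)"
        if mac in port.secure:
            return "forwarded"
        for other in self.ports.values():          # trigger 2: secured elsewhere, same VLAN
            if other is not port and other.secure.get(mac, (None, None))[1] == vlan:
                return self._violation(port, vlan, mac, "address secured on " + other.name)
        if len(port.secure) >= port.maximum:        # trigger 1: table full, unknown source
            return self._violation(port, vlan, mac, "maximum reached")
        port.secure[mac] = (STICKY if port.sticky else DYNAMIC, vlan)
        return "forwarded (learned)"


def demo():
    """Exercise each mode with constructed MAC addresses; returns the switch and outcomes."""
    sw = Switch(SecurePort("Gi1/0/1", mode="protect"), SecurePort("Gi1/0/2", mode="restrict"),
                SecurePort("Gi1/0/3", mode="shutdown"),
                SecurePort("Gi1/0/4", maximum=2, mode="shutdown vlan"))
    out = {}
    for i, name in enumerate(("Gi1/0/1", "Gi1/0/2", "Gi1/0/3"), start=1):
        sw.ingress(name, 10, f"0000.0000.00{i}a")               # fills the single slot
        out[name] = sw.ingress(name, 10, f"0000.0000.00{i}b")   # unknown second source
    out["Gi1/0/4"] = sw.ingress("Gi1/0/4", 10, "0000.0000.001a")  # secured on Gi1/0/1, VLAN 10
    out["Gi1/0/4 vlan 20"] = sw.ingress("Gi1/0/4", 20, "0000.0000.004a")
    sw.ports["Gi1/0/1"].set_sticky(True)                        # dynamic entry becomes sticky
    return sw, out
```

Running `demo()` shows the difference that matters operationally: the protect port drops the second source with no counter and no event, the restrict port drops it and records one event, the shutdown port goes err-disabled for all VLANs, and the shutdown vlan port err-disables only VLAN 10 while VLAN 20 keeps learning.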

Port Security Aging

You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port:

  • Absolute—The secure addresses on the port are deleted after the specified aging time.
  • Inactivity—The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.
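As an added example (not Cisco code), the following Python function applies the two aging types above to a table of secure addresses, with constructed timestamps in minutes. It also encodes the two limits stated elsewhere on this page: an aging time of 0 means aging is disabled, sticky secure addresses never age, and static addresses age only when static aging is enabled. The `SecureEntry` fields and the `age_out` function are this example's own names.

```python
from dataclasses import dataclass


@dataclass
class SecureEntry:
    mac: str
    kind: str            # "static", "dynamic" or "sticky"
    added_min: int       # minute the entry was added (constructed clock)
    last_seen_min: int   # minute of the last frame from this source


def age_out(entries, now_min, aging_time, aging_type="absolute", static_aging=False):
    """Return the entries that survive at minute `now_min`.

    aging_time is in minutes (the page's valid range is 0 to 1440); 0 disables aging.
    absolute:   an entry is deleted once aging_time has elapsed since it was added.
    inactivity: an entry is deleted once aging_time has elapsed without traffic from it.
    """
    if aging_time == 0:
        return list(entries)
    kept = []
    for e in entries:
        if e.kind == "sticky" or (e.kind == "static" and not static_aging):
            kept.append(e)                      # never ages / ages only with aging static
            continue
        reference = e.added_min if aging_type == "absolute" else e.last_seen_min
        if now_min - reference < aging_time:
            kept.append(e)
    return kept


def sample_table():
    """Constructed secure-address table used to exercise age_out."""
    return [SecureEntry("0000.0000.000a", "dynamic", added_min=0, last_seen_min=100),
            SecureEntry("0000.0000.000b", "dynamic", added_min=50, last_seen_min=60),
            SecureEntry("0000.0000.000c", "static", added_min=0, last_seen_min=0),
            SecureEntry("0000.0000.000d", "sticky", added_min=0, last_seen_min=0)]


def surviving_macs(**kwargs):
    """Convenience wrapper: which constructed entries survive at minute 120."""
    return [e.mac for e in age_out(sample_table(), 120, **kwargs)]
```

With an aging time of 50 minutes at minute 120, absolute aging removes both dynamic entries (added at 0 and 50), inactivity aging keeps the one that was still talking at minute 100, and the static entry goes only when static aging is switched on.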

Port Security and Switch Stacks

When a switch joins a stack, the new switch will get the configured secure addresses. All dynamic secure addresses are downloaded by the new stack member from the other stack members.

When a switch (either the active switch or a stack member) leaves the stack, the remaining stack members are notified, and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table.

Default Port Security Configuration

Table 2 Default Port Security Configuration

Feature                                            Default Setting
Port security                                      Disabled on a port.
Sticky address learning                            Disabled.
Maximum number of secure MAC addresses per port    1.
Violation mode                                     Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Port security aging                                Disabled. Aging time is 0. Static aging is disabled. Type is absolute.

Port Security Configuration Guidelines

  • Port security can only be configured on static access ports or trunk ports.
  • A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
  • A secure port cannot belong to a Gigabit EtherChannel port group.

    Note: Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed.

  • When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • When a trunk port configured with port security is assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic, entering the switchport voice and switchport priority extend interface configuration commands has no effect. When a connected device uses the same MAC address to request an IP address for the access VLAN and then an IP address for the voice VLAN, only the access VLAN is assigned an IP address.
  • When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
  • The switch does not support port security aging of sticky secure MAC addresses.

This table summarizes port security compatibility with other port-based features.

Table 3 Port Security Compatibility with Other Switch Features

Type of Port or Feature on Port                         Compatible with Port Security
DTP (4) port (5)                                        No
Trunk port                                              Yes
Routed port                                             No
SPAN source port                                        Yes
SPAN destination port                                   No
EtherChannel                                            No
Tunneling port                                          Yes
Protected port                                          Yes
IEEE 802.1x port                                        Yes
Voice VLAN port (6)                                     Yes
IP source guard                                         Yes
Dynamic Address Resolution Protocol (ARP) inspection    Yes
Flex Links                                              Yes

(4) DTP = Dynamic Trunking Protocol
(5) A port configured with the switchport mode dynamic interface configuration command.
(6) You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN.
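The following is an added example, not Cisco code: a pre-change check, written in Python, that applies the configuration guidelines and the Table 3 compatibility rules to a proposed interface state before anything is pushed to the switch. It catches the cases the page says the switch rejects or silently mishandles: a port left in the default dynamic mode, a SPAN destination or EtherChannel member, a voice VLAN port whose maximum is too low for the phone plus its PCs, a maximum lowered below the addresses already configured, and aging combined with sticky learning. The `PortPlan` fields, the role labels and the finding codes are this example's own conventions.

```python
from dataclasses import dataclass, field

# Table 3 roles a secure port cannot have (hypothetical role labels used by this check)
INCOMPATIBLE_ROLES = {"routed", "span destination", "etherchannel"}


@dataclass
class PortPlan:
    """Proposed interface state; field names are this example's own."""
    name: str
    switchport_mode: str = "dynamic auto"   # IOS default; cannot be a secure port
    roles: set = field(default_factory=set)  # e.g. {"span source"}, {"etherchannel"}
    voice_vlan: int = 0                     # 0 means no voice VLAN configured
    pcs_behind_phone: int = 1               # stations daisy-chained off the IP phone
    maximum: int = 1                        # Table 2 default
    configured_secure: int = 0              # secure addresses already on the interface
    sticky: bool = False
    aging_time: int = 0                     # minutes; 0 means aging disabled


def check_port_security(plan):
    """Return (code, message) findings; an empty list means the plan passes the guidelines."""
    findings = []
    if plan.switchport_mode not in ("access", "trunk"):
        findings.append(("MODE", f"{plan.name}: port security needs switchport mode access or "
                                 f"trunk, not '{plan.switchport_mode}'"))
    for role in sorted(plan.roles & INCOMPATIBLE_ROLES):
        findings.append(("INCOMPATIBLE", f"{plan.name}: a secure port cannot be a {role} port"))
    if plan.voice_vlan:
        if plan.switchport_mode == "trunk":
            findings.append(("VOICE_TRUNK", f"{plan.name}: voice VLAN is only supported on "
                                            "access ports"))
        needed = 1 + plan.pcs_behind_phone          # one for the phone, one per PC
        if plan.maximum < needed:
            findings.append(("VOICE_MAX", f"{plan.name}: maximum {plan.maximum} is below the "
                                          f"{needed} addresses the phone and "
                                          f"{plan.pcs_behind_phone} PC(s) need"))
    if plan.maximum < plan.configured_secure:
        findings.append(("MAX_REJECTED", f"{plan.name}: maximum {plan.maximum} is below the "
                                         f"{plan.configured_secure} secure addresses already "
                                         "configured; the switch rejects this command"))
    if plan.sticky and plan.aging_time:
        findings.append(("STICKY_AGING", f"{plan.name}: aging does not apply to sticky "
                                         "secure addresses"))
    return findings


def codes(plan):
    """Just the finding codes, in the order they were raised."""
    return [code for code, _ in check_port_security(plan)]
```

A plan that only sets `switchport port-security` on a port still in its default mode fails on the first rule alone, which is the most common reason the command is refused in practice; a voice-VLAN access port passes only once its maximum is raised to two.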

How to Configure Port Security

Enabling and Configuring Port Security

Before You Begin

This task restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. switchport mode {access | trunk}
  4. switchport voice vlan vlan-id
  5. switchport port-security
  6. switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
  7. switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
  8. switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]
  9. switchport port-security mac-address sticky
  10. switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]
  11. end
  12. show port-security
  13. copy running-config startup-config


DETAILED STEPS

Step 1: configure terminal

    Example:
    Switch# configure terminal

    Enters global configuration mode.

Step 2: interface interface-id

    Example:
    Switch(config)# interface gigabitethernet1/0/1

    Specifies the interface to be configured, and enters interface configuration mode.

Step 3: switchport mode {access | trunk}

    Example:
    Switch(config-if)# switchport mode access

    Sets the interface switchport mode as access or trunk; an interface in the default mode (dynamic auto) cannot be configured as a secure port.

Step 4: switchport voice vlan vlan-id

    Example:
    Switch(config-if)# switchport voice vlan 22

    Enables voice VLAN on a port.

    vlan-id—Specifies the VLAN to be used for voice traffic.

Step 5: switchport port-security

    Example:
    Switch(config-if)# switchport port-security

    Enables port security on the interface.

Step 6: switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]

    Example:
    Switch(config-if)# switchport port-security maximum 20

    (Optional) Sets the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is set by the active Switch Database Management (SDM) template. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.

    (Optional) vlan—Sets a per-VLAN maximum value. Enter one of these options after you enter the vlan keyword:

      • vlan-list—On a trunk port, you can set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
      • access—On an access port, specifies the VLAN as an access VLAN.
      • voice—On an access port, specifies the VLAN as a voice VLAN.

    Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

Step 7: switchport port-security violation {protect | restrict | shutdown | shutdown vlan}

    Example:
    Switch(config-if)# switchport port-security violation restrict

    (Optional) Sets the violation mode, the action to be taken when a security violation is detected, as one of these:

      • protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

        Note: We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

      • restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
      • shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
      • shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error-disabled instead of the entire port when a violation occurs.

    Note: When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.

Step 8: switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]

    Example:
    Switch(config-if)# switchport port-security mac-address 00:A0:C7:12:C9:25 vlan 3 voice

    (Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

    Note: If you enable sticky learning after you enter this command, the secure addresses that were dynamically learned are converted to sticky secure MAC addresses and are added to the running configuration.

    (Optional) vlan—Sets a per-VLAN maximum value. Enter one of these options after you enter the vlan keyword:

      • vlan-id—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.
      • access—On an access port, specifies the VLAN as an access VLAN.
      • voice—On an access port, specifies the VLAN as a voice VLAN.

    Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

Step 9: switchport port-security mac-address sticky

    Example:
    Switch(config-if)# switchport port-security mac-address sticky

    (Optional) Enables sticky learning on the interface.

Step 10: switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]

    Example:
    Switch(config-if)# switchport port-security mac-address sticky 00:A0:C7:12:C9:25 vlan voice

    (Optional) Enters a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running configuration.

    Note: If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address.

    (Optional) vlan—Sets a per-VLAN maximum value. Enter one of these options after you enter the vlan keyword:

      • vlan-id—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.
      • access—On an access port, specifies the VLAN as an access VLAN.
      • voice—On an access port, specifies the VLAN as a voice VLAN.

    Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN.

Step 11: end

    Example:
    Switch(config-if)# end

    Returns to privileged EXEC mode.

Step 12: show port-security

    Example:
    Switch# show port-security

    Verifies your entries.

Step 13: copy running-config startup-config

    Example:
    Switch# copy running-config startup-config

    (Optional) Saves your entries in the configuration file.


Enabling and Configuring Port Security Aging

Use this feature to remove and add devices on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the aging of secure addresses on a per-port basis.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. switchport port-security aging {static | time time | type {absolute | inactivity}}
  4. end
  5. show port-security [interface interface-id] [address]
  6. copy running-config startup-config


DETAILED STEPS

Step 1: configure terminal

    Example:
    Switch# configure terminal

    Enters global configuration mode.

Step 2: interface interface-id

    Example:
    Switch(config)# interface gigabitethernet1/0/1

    Specifies the interface to be configured, and enters interface configuration mode.

Step 3: switchport port-security aging {static | time time | type {absolute | inactivity}}

    Example:
    Switch(config-if)# switchport port-security aging time 120

    Enables or disables static aging for the secure port, or sets the aging time or type.

    Note: The switch does not support port security aging of sticky secure addresses.

    Enter static to enable aging for statically configured secure addresses on this port.

    For time, specify the aging time for this port. The valid range is from 0 to 1440 minutes.

    For type, select one of these keywords:

      • absolute—Sets the aging type as absolute aging. All the secure addresses on this port age out exactly after the specified time (in minutes) lapses and are removed from the secure address list.
      • inactivity—Sets the aging type as inactivity aging. The secure addresses on this port age out only if there is no data traffic from the secure source addresses for the specified time period.

Step 4: end

    Example:
    Switch(config-if)# end

    Returns to privileged EXEC mode.

Step 5: show port-security [interface interface-id] [address]

    Example:
    Switch# show port-security interface gigabitethernet1/0/1

    Verifies your entries.

Step 6: copy running-config startup-config

    Example:
    Switch# copy running-config startup-config

    (Optional) Saves your entries in the configuration file.


Monitoring Port Security

This table lists the commands that display port security information.

Table 4 Commands for Displaying Port Security Status and Configuration

show port-security [interface interface-id]
    Displays port security settings for the switch or for the specified interface, including the maximum allowed number of secure MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode.

show port-security [interface interface-id] address
    Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address.

show port-security interface interface-id vlan
    Displays the number of secure MAC addresses configured per VLAN on the specified interface.
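As an added example (not Cisco code or captured switch output), the following Python script parses the per-interface summary that `show port-security` prints and turns it into the checks a monitoring pass would run: a non-zero violation counter (which, per Table 1, only moves in restrict and shutdown modes), a shutdown-mode port whose counter moved and is therefore probably err-disabled, a secure-address table that is already full, and a port in protect mode, where drops leave no trap, syslog or counter behind. The sample text is constructed to approximate the command's layout; the column names in `Row` and the review codes are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample of the `show port-security` summary; the layout approximates
# the real command and is not captured switch output.
SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/0/1              2            2                  0         Shutdown
      Gi1/0/2             50           12                  3         Restrict
      Gi1/0/3              1            1                  1         Shutdown
      Gi1/0/4              1            0                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 15
Max Addresses limit in System (excluding one mac per port) : 4096
"""

Row = namedtuple("Row", "port maximum current violations action")
# interface, three integer counters, then the action text (may contain a space)
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_port_security(text):
    """Pick the per-port rows out of the summary; header, rules and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, maximum, current, violations, action = m.groups()
            rows.append(Row(port, int(maximum), int(current), int(violations), action))
    return rows


def assess(rows):
    """Map each port to the review codes a monitoring pass would raise for it."""
    result = {}
    for r in rows:
        codes = []
        if r.violations > 0:
            codes.append("VIOLATIONS")           # counter moves only in restrict/shutdown
        if r.violations > 0 and r.action.lower().startswith("shutdown"):
            codes.append("CHECK_ERRDISABLE")     # port (or VLAN) is probably err-disabled
        if r.maximum and r.current >= r.maximum:
            codes.append("TABLE_FULL")           # next unknown source address is a violation
        if r.action.lower() == "protect":
            codes.append("SILENT_MODE")          # drops leave no trap, syslog or counter
        result[r.port] = codes
    return result


if __name__ == "__main__":
    for port, codes in assess(parse_port_security(SAMPLE)).items():
        print(port, ", ".join(codes) or "ok")
```

The regex keys on the three integer counters, so the header, the dashed rules and the "Total Addresses" lines fall through without special-casing; feed it the output of the real command on your platform and adjust the pattern if the column layout differs.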

      Configuration Examples for Port Security

This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50. The violation mode is the default, no static secure MAC addresses are configured, and sticky learning is enabled.

    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 50
    Switch(config-if)# switchport port-security mac-address sticky

This example shows how to configure a static secure MAC address on VLAN 3 on a port:

    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security mac-address 0000.0200.0004 vlan 3

This example shows how to enable sticky port security on a port, to manually configure MAC addresses for the data VLAN and the voice VLAN, and to set the total maximum number of secure addresses to 20 (10 for the data VLAN and 10 for the voice VLAN).

    Switch(config)# interface tengigabitethernet1/0/1
    Switch(config-if)# switchport access vlan 21
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport voice vlan 22
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 20
    Switch(config-if)# switchport port-security violation restrict
    Switch(config-if)# switchport port-security mac-address sticky
    Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
    Switch(config-if)# switchport port-security mac-address 0000.0000.0003
    Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
    Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
    Switch(config-if)# switchport port-security maximum 10 vlan access
    Switch(config-if)# switchport port-security maximum 10 vlan voice