Port Security

Note	Port security cannot be enabled on ports on which 802.1X is enabled or on ports that defined as SPAN destination.

Network security can be increased by limiting access on a port to users with specific MAC addresses. The MAC addresses can be either dynamically learned or statically configured.

Port security monitors received and learned packets. Access to locked ports is limited to users with specific MAC addresses.

Port Security has four modes:

Classic Lock—All learned MAC addresses on the port are locked, and the port doesn’t learn any new MAC addresses. The learned addresses aren’t subject to aging or relearning.
Limited Dynamic Lock—The device learns MAC addresses up to the configured limit of allowed addresses. After the limit is reached, the device doesn’t learn additional addresses. In this mode, the addresses are subject to aging and relearning.
Secure Permanent—Keeps the current dynamic MAC addresses associated with the port (as long as the configuration was saved to the Start configuration file). New MAC addresses can be learned as Permanent Secure ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.
Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.

When a frame from a new MAC address is detected on a port where it’s not authorized (the port is classically locked, and there’s a new MAC address, or the port is dynamically locked, and the maximum number of allowed addresses has been exceeded), the protection mechanism is invoked, and one of the following actions can take place:

Frame is discarded.
Frame is forwarded.
Port is shut down.

When the secure MAC address is seen on another port, the frame is forwarded, but the MAC address isn’t learned on that port.

In addition to one of these actions, you can also generate traps, and limit their frequency and number to avoid overloading the devices.

To configure port security, complete the following:

Procedure

Step 1	Click Security > Port Security.
Step 2	Select an interface to be modified, and click Edit.
Step 3	Enter the parameters. Interface—Select the interface name. Interface Status—Select to lock the port. Learning Mode—Select the type of port locking. To configure this field, the Interface Status must be unlocked. The Learning Mode field is enabled only if the Interface Status field is locked. To change the Learning Mode, the Lock Interface must be cleared. After the mode is changed, the Lock Interface can be reinstated. The options are: Classic Lock—Locks the port immediately, regardless of the number of addresses that have already been learned. Limited Dynamic Lock—Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both relearning and aging of MAC addresses are enabled. Secure Permanent—Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port (set by Max No. of Addresses Allowed). Relearning and aging are disabled. Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to the maximum addresses allowed on the port. Relearning and aging are disabled. Max No. of Addresses Allowed—Enter the maximum number of MAC addresses that can be learned on the port if Limited Dynamic Lock learning mode is selected. The number 0 indicates that only static addresses are supported on the interface. Action on Violation—Select an action to be applied to packets arriving on a locked port. The options are: Discard—Discards packets from any unlearned source Forward—Forwards packets from an unknown source without learning the MAC address Shutdown—Discards packets from any unlearned source, and shuts down the port The port remains shut down until reactivated, or until the device is rebooted. Trap—Select to enable traps when a packet is received on a locked port. This is relevant for lock violations. For Classic Lock, this is any new address received. For Limited Dynamic Lock, this is any new address that exceeds the number of allowed addresses. Trap Frequency—Enter minimum time (in seconds) that elapses between traps.
Step 4	Click Apply. Port security is modified, and the Running Configuration file is updated.