
Port Security on Switches

A growing challenge facing network administrators is determining how to control who can access the
organization's internal network--and who can't.

Understand the basics

In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security in its default (shutdown) violation mode error-disables the port. Most of the time, network administrators configure the switch to send an SNMP trap to their network monitoring solution indicating that the port has been disabled for security reasons.

You can use the port security feature to restrict input to an interface by limiting and identifying MAC
addresses of the workstations that are allowed to access the port. When you assign secure MAC
addresses to a secure port, the port does not forward packets with source addresses outside the group of
defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure
MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached,
when the MAC address of a workstation attempting to access the port is different from any of the
identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address
configured or learned on one secure port attempts to access another secure port, a violation is flagged.

Secure MAC Addresses

• Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.

• Dynamic secure MAC addresses—These are dynamically configured, stored only in the address
table, and removed when the switch restarts.

• Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file (copy running-config startup-config), the interface does not need to dynamically relearn them when the switch restarts; if the running configuration is not saved, they are lost like dynamic addresses.

Security Violations

It is a security violation when one of these situations occurs:

• The maximum number of secure MAC addresses have been added to the address table and a station
whose MAC address is not in the address table attempts to access the interface.

• An address learned or configured on one secure interface is seen on another secure interface in the
same VLAN.

When configuring port security violation modes, note the following information:

• protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value. Nothing is counted or reported, so a violation in this mode is invisible to monitoring.

• restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, causes the SecurityViolation counter to increment, and sends an SNMP trap and a syslog message. The port stays up.

• shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap notification. This is the default mode. The port stays down until an administrator issues shutdown followed by no shutdown on the interface, or until errdisable recovery cause psecure-violation is configured and the recovery interval expires.

Table 1 Security Violation Mode Actions

Violation   Traffic is   Sends SNMP   Sends Syslog   Displays    Violation counter   Shuts down
Mode        forwarded    traps        msg            Error Msg   increments          ports
protect     No           No           No             No          No                  No
restrict    No           Yes          Yes            No          Yes                 No
shutdown    No           Yes          Yes            No          Yes                 Yes
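The following Python model is an added illustration, not code from this paper or from Cisco. It reproduces the behaviour the two preceding sections describe: the three secure address types and which of them survive a restart, the two violation conditions, and the protect, restrict and shutdown actions of Table 1. Port names and MAC addresses are made up, the notifications list stands in for the SNMP trap and syslog message, and the model assumes one VLAN per port and no address aging.

```python
"""Toy model of Catalyst port security (added illustration, not Cisco code).
Mirrors the text: static/dynamic/sticky secure addresses, the two violation
conditions, and the protect/restrict/shutdown modes.  Assumptions: one VLAN
per port, no aging, and a notifications list standing in for trap + syslog."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"
STATIC, DYNAMIC, STICKY = "static", "dynamic", "sticky"


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1            # IOS default: one secure address
    violation: str = SHUTDOWN   # IOS default violation mode
    sticky: bool = False        # learned addresses become sticky entries
    addresses: dict = field(default_factory=dict)       # mac -> address type
    violation_count: int = 0    # the SecurityViolation counter
    err_disabled: bool = False
    notifications: list = field(default_factory=list)  # SNMP trap / syslog stand-in

    def add_static(self, mac):
        """switchport port-security mac-address <mac>; counts against the maximum."""
        if len(self.addresses) >= self.maximum:
            raise ValueError(f"{self.name}: secure address table is full")
        self.addresses[mac] = STATIC


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port
        return port

    def receive(self, port_name, mac):
        """A frame with source `mac` arrives on `port_name`; returns "forward" or "drop"."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop"                      # nothing passes an err-disabled port
        if mac in port.addresses:
            return "forward"                   # known secure address
        # Violation condition 2: secured on another secure port in the same VLAN.
        seen_elsewhere = any(mac in p.addresses for p in self.ports.values()
                             if p is not port and p.vlan == port.vlan)
        # Violation condition 1: table already at its maximum.
        if seen_elsewhere or len(port.addresses) >= port.maximum:
            return self._violate(port, mac)
        port.addresses[mac] = STICKY if port.sticky else DYNAMIC   # learn it
        return "forward"

    def _violate(self, port, mac):
        if port.violation == PROTECT:
            return "drop"                      # silent: no counter, no trap, no syslog
        port.violation_count += 1
        port.notifications.append(f"psecure-violation on {port.name} by {mac}")
        if port.violation == SHUTDOWN:
            port.err_disabled = True           # restrict only drops and counts
        return "drop"

    def running_config(self, port_name):
        """Address lines that land in the running configuration (never dynamic ones)."""
        lines = []
        for mac, kind in self.ports[port_name].addresses.items():
            if kind == STATIC:
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == STICKY:
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines

    def reload(self):
        """Restart with the configuration saved: dynamic entries vanish,
        static and sticky entries are restored from the configuration."""
        for port in self.ports.values():
            port.addresses = {m: k for m, k in port.addresses.items() if k != DYNAMIC}


def demo():
    """Run the scenarios from the text; returns (switch, observed results)."""
    sw = Switch()
    gi = sw.add_port(SecurePort("Gi0/2", vlan=21))                            # max 1, shutdown
    gi.add_static("0000.0200.0004")
    fa1 = sw.add_port(SecurePort("Fa0/1", vlan=21, maximum=2, violation=RESTRICT, sticky=True))
    sw.add_port(SecurePort("Fa0/2", vlan=21, maximum=2, violation=PROTECT))
    fa3 = sw.add_port(SecurePort("Fa0/3", vlan=21, maximum=2))                # dynamic, shutdown
    log = {}
    log["static_known"] = sw.receive("Gi0/2", "0000.0200.0004")     # forward
    log["static_unknown"] = sw.receive("Gi0/2", "aaaa.bbbb.0001")   # drop, Gi0/2 err-disabled
    log["sticky_learn"] = sw.receive("Fa0/1", "1111.2222.0001")     # forward, learned as sticky
    log["sticky_learn2"] = sw.receive("Fa0/1", "1111.2222.0002")    # forward, table now full
    log["restrict_excess"] = sw.receive("Fa0/1", "1111.2222.0003")  # drop, counted, port stays up
    log["protect_dup"] = sw.receive("Fa0/2", "1111.2222.0001")      # drop silently: secured on Fa0/1
    log["dynamic_learn"] = sw.receive("Fa0/3", "3333.4444.0001")    # forward, dynamic entry
    sw.reload()
    log["fa3_after_reload"] = len(fa3.addresses)                    # 0: dynamic entry gone
    log["fa1_after_reload"] = len(fa1.addresses)                    # 2: sticky entries kept
    return sw, log
```

Running demo() shows the operational difference between the modes: the protect port on Fa0/2 drops the duplicate address without touching its counter or notifications, which is exactly why restrict is the usual choice when you want evidence of a violation without error-disabling the port, and why Gi0/2 in shutdown mode needs an administrator (or errdisable recovery) before it forwards again.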

Port Security Guidelines & Restrictions

Follow these guidelines when configuring port security:

• A secure port cannot be a trunk port.

• A secure port cannot be a destination port for Switch Port Analyzer (SPAN).

• A secure port cannot belong to an EtherChannel port-channel interface.

• A secure port cannot be an 802.1X port. If you try to enable 802.1X on a secure port, an error
message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure
port, an error message appears, and the security settings are not changed.

• A secure port and static MAC address configuration are mutually exclusive.

Configuring Port Security

• Static

Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.0200.0004

With no maximum configured the port allows exactly one secure address (the default), so this single static entry fills the table, and any frame from another source MAC triggers the default shutdown action.

• Dynamic

For a single VLAN

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky

The port learns up to 20 source MAC addresses as sticky entries; a 21st address is dropped and counted but, because the mode is restrict, the port is not shut down.

For multiple VLANs

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 10 vlan access
Switch(config-if)# switchport port-security maximum 10 vlan voice

The per-VLAN maximums must not exceed the port maximum: here 10 addresses on the data VLAN (21) plus 10 on the voice VLAN (22) account for the 20 allowed on the port as a whole.
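As an added operational example (not part of the original paper and not Cisco code), the Python below parses the summary that show port-security prints on Catalyst switches and flags what a NOC or SOC would act on after the configurations above are deployed. The SAMPLE text is constructed to follow the command's usual column layout; its port names and counts are invented.

```python
"""Added example (not from the page or from Cisco): parse the summary table
printed by `show port-security` and triage the result.  SAMPLE is constructed
and laid out like the command's usual output."""
import re

SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/2              1            1                  1         Shutdown
      Fa0/1             20            3                  2         Restrict
      Fa0/2              2            2                  0          Protect
      Fa0/3              2            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# One data row: port, three counters, action.  Header and footer lines do not match.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_port_security(text):
    """Return {port: {"max", "current", "violations", "action"}} from the summary."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, maximum, current, violations, action = m.groups()
            ports[name] = {"max": int(maximum), "current": int(current),
                           "violations": int(violations), "action": action.lower()}
    return ports


def triage(ports):
    """Return (port, kind, detail) findings: violations seen, multi-address
    tables at capacity (a max-1 port is full by design), and protect-mode ports,
    which drop silently and would never raise the violation counter."""
    findings = []
    for name, p in sorted(ports.items()):
        if p["violations"] > 0:
            findings.append((name, "violation",
                             f"{p['violations']} violation(s); action {p['action']}"))
        if p["max"] > 1 and p["current"] >= p["max"]:
            findings.append((name, "full",
                             f"{p['current']}/{p['max']} secure addresses; next new MAC violates"))
        if p["action"] == "protect":
            findings.append((name, "silent",
                             "protect mode: violations are dropped without counter or trap"))
    return findings


if __name__ == "__main__":
    for port, kind, detail in triage(parse_port_security(SAMPLE)):
        print(f"{port:<8}{kind:<10}{detail}")
```

Feed it the output of show port-security collected over SSH or from a configuration-backup job; the "full" finding is the early warning that a sticky port is about to start restricting or shutting down, and the "silent" finding catches ports whose protect mode means the violation counter and SNMP traps from Table 1 will never fire.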

Note

I have extracted this white paper from various technical documents and blogs for knowledge-sharing purposes. Please use and share it judiciously.
