Connexite

Configuring Port Security

Overview of Port Security

You can use port security to block input to a Fast Ethernet or Gigabit Ethernet port when the MAC address of the station attempting to access the port differs from the MAC addresses specified for that port. Alternatively, you can use port security to filter traffic destined to or received from a specific host, based on the host MAC address. The maximum number of MAC addresses that you can allocate for each port depends on your network configuration. After you set the maximum number of MAC addresses for a port, you can either specify the secure MAC addresses for the port manually or let the port learn the MAC addresses of the connected devices dynamically.

When a secure port receives a packet, the source MAC address of the packet is compared against the list of secure source addresses that were manually configured or learned on the port. If the source MAC address is not in the list of secure addresses and the port has already reached its maximum number of secure addresses, a violation occurs. A port can be set to one of the following two modes to handle a security violation:

Restrict: Drops all packets from insecure hosts but keeps the port enabled. The host stays blocked until a dynamically learned address ages out and frees a slot. You can also shutdown and no-shutdown the interface manually to recover from the violation.

Shutdown: Disables the port. The port can be disabled permanently or for a specified time only; the default is for the port to shut down permanently. You can shutdown and no-shutdown the interface manually to recover from the violation.

If you want to convert dynamically learned secure addresses into static ones, enable the sticky function on the port. With sticky enabled, the dynamic addresses learned on the port are kept as static addresses, and if the configuration is saved they still exist after the device restarts.

Note

  • Port security is supported only on L2 ports, such as physical ports and L2 AP ports.
  • Port security can be configured only on ports in access mode.
  • Port security is not supported on AP member ports.
  • The destination port of a SPAN session does not support port security.
  • Port security is not supported on ports that have static MAC addresses configured.

Configuring

  • Enable Port Security
SWITCH(config-if)#switchport port-security
SWITCH(config-if)#no switchport port-security

Enables port security on the interface; the no form disables it.

SWITCH(config-if)#switchport port-security maximum VALUE
SWITCH(config-if)#no switchport port-security maximum

Sets the maximum number of secure addresses on the interface. The default is 1; VALUE ranges from 1 to 1024.

SWITCH(config-if)#switchport port-security mac-address MAC_ADDR
SWITCH(config-if)#no switchport port-security mac-address MAC_ADDR

Enters a secure MAC address for the interface. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses will be dynamically learned.

SWITCH(config-if)#switchport port-security mac-address sticky
SWITCH(config-if)#no switchport port-security mac-address sticky

Enable sticky learning on the interface.

SWITCH(config-if)#switchport port-security aging time MINUTES
SWITCH(config-if)#no switchport port-security aging time

Sets the aging time for secure addresses on the port. The valid range for MINUTES is 0 to 1440; a value of 0 disables aging on this port.

SWITCH(config-if)#switchport port-security aging static
SWITCH(config-if)#no switchport port-security aging static

Enables aging for statically configured secure addresses on this port. Without it, only dynamically learned addresses age out.

SWITCH(config-if)#switchport port-security violation { restrict | shutdown }
SWITCH(config-if)#no switchport port-security violation

Sets the violation mode, the action taken when a security violation is detected:

Restrict: Packets from insecure hosts are dropped, the SecurityViolation counter is incremented and an SNMP trap notification is sent. The port stays up.

Shutdown: The interface is put into the error-disabled state when a security violation occurs. You can re-enable it manually by entering the shutdown and then no shutdown commands; if errdisable recovery is configured, the port recovers by itself after the errdisable recovery time.

Examples

Example 1: This is a typical application of port security. Port security is enabled on interface gigabitEthernet0/1, the maximum number of secure MAC addresses on the interface is 3, and three secure MAC addresses are entered manually. The violation mode is left at its default (restrict), so when interface gigabitEthernet0/1 receives a packet whose source MAC address is not one of the three secure addresses, the packet is dropped and the port stays up.

SWITCH(config-if)#switchport port-security
SWITCH(config-if)#switchport port-security maximum 3
SWITCH(config-if)#switchport port-security mac-address 0001.0001.0001
SWITCH(config-if)#switchport port-security mac-address 0001.0001.0002
SWITCH(config-if)#switchport port-security mac-address 0001.0001.0003
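The decision logic described in the overview and configured by the commands above, as an added model in Python. This is example code written for this page, not the switch firmware or any code from the documentation: it reproduces the behaviour the page states (a secure-address list with a maximum, static/sticky/dynamic entries, aging, and the restrict and shutdown violation modes) so the semantics can be exercised offline. The class and method names and the MAC addresses other than those of Example 1 are this example's own, and the two behaviours the page leaves unstated (what happens when a static entry would exceed the maximum, and whether a link bounce flushes dynamic entries) are marked as assumptions in the comments.

```python
"""Model of the port-security decision logic (added example, not switch code)."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum VALUE
    violation: str = "restrict"      # "restrict" or "shutdown"; restrict is the default seen in the brief output
    sticky: bool = False             # switchport port-security mac-address sticky
    aging_time: int = 0              # switchport port-security aging time MINUTES; 0 disables aging
    aging_static: bool = False       # switchport port-security aging static
    # mac -> [entry type, minutes left]; type is "static", "sticky" or "dynamic"
    entries: dict = field(default_factory=dict)
    err_disabled: bool = False
    violation_count: int = 0
    last_violate: str = "-"

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address MAC_ADDR (counts against the maximum)."""
        if mac not in self.entries and len(self.entries) >= self.maximum:
            # assumption: the CLI rejects a static entry that would exceed the maximum
            raise ValueError("secure-address table full")
        self.entries[mac] = ["static", self.aging_time]

    def receive(self, src_mac: str) -> str:
        """Decide the fate of one ingress frame: 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"    # nothing passes until shutdown / no shutdown
        if src_mac in self.entries:
            return "forward"         # known secure address
        if len(self.entries) < self.maximum:
            # a free slot: the address is learned (kept as static when sticky is on)
            kind = "sticky" if self.sticky else "dynamic"
            self.entries[src_mac] = [kind, self.aging_time]
            return "forward"
        # table full and the source is not in it: security violation
        self.violation_count += 1
        self.last_violate = src_mac
        if self.violation == "shutdown":
            self.err_disabled = True
            return "err-disabled"
        return "drop"                # restrict: drop the frame, port remains enabled

    def tick(self, minutes: int) -> None:
        """Advance the aging clock; an expired entry frees its slot."""
        if self.aging_time == 0:
            return
        for mac in list(self.entries):
            kind, left = self.entries[mac]
            if kind != "dynamic" and not self.aging_static:
                continue             # static and sticky entries age only with 'aging static'
            left -= minutes
            if left <= 0:
                del self.entries[mac]
            else:
                self.entries[mac][1] = left

    def shutdown_no_shutdown(self) -> None:
        """Operator recovery; assumption: the link bounce flushes dynamic entries."""
        self.err_disabled = False
        self.entries = {m: e for m, e in self.entries.items() if e[0] != "dynamic"}

    def mac_table(self) -> list:
        """Rows in the shape of 'show port-security mac-address': (mac, type, left-time)."""
        return [(mac, kind, left) for mac, (kind, left) in self.entries.items()]


def example1_port() -> SecurePort:
    """The interface of Example 1: maximum 3 with three manually entered addresses."""
    port = SecurePort(maximum=3)
    for mac in ("0001.0001.0001", "0001.0001.0002", "0001.0001.0003"):
        port.add_static(mac)
    return port


if __name__ == "__main__":
    port = example1_port()
    # 0001.0001.0004 is a constructed fourth host that is not in the secure list
    for mac in ("0001.0001.0001", "0001.0001.0004", "0001.0001.0002"):
        print(mac, "->", port.receive(mac))
    print("violations:", port.violation_count, "last:", port.last_violate)
```

Two things worth seeing in the model that the prose only implies: in shutdown mode the legitimate hosts are cut off as well until the operator bounces the port, and in restrict mode the blocked host gets through as soon as a dynamic entry ages out, which is why a small maximum with aging left at 0 is the tighter configuration.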

Display Information

  • Display Interfaces Port Security Brief
SWITCH#show port-security brief

interface  mac-address  mac-address  violation  violation
           maximum      count        count      action
----------------------------------------------------------
GiE0/1     10           3            0          shutdown
GiE0/2     1            0            0          restrict
GiE0/3     1            0            0          restrict
GiE0/4     1            0            0          restrict
GiE0/5     1            0            0          restrict
GiE0/6     1            0            0          restrict
GiE0/7     1            0            0          restrict
GiE0/8     1            0            0          restrict

  • Display Port Security on an Interface
SWITCH#show port-security interface gigabitEthernet0/1

Port Security            : Enabled
Maximum MAC Addresses    : 10
Violation Mode           : Shutdown
Aging Time(mins)         : 10
Aging static             : Enabled
Total MAC Addresses      : 3
Configured MAC Addresses : 2
Security Violation Count : 0
Last Violate Address     : ---

  • Display Secure MAC Addresses
SWITCH#show port-security mac-address

interface  vlan  mac-address     type     left-time(min)
---------------------------------------------------------
GiE0/1     1     0001.0002.0004  static   10
GiE0/1     1     0001.0002.0003  static   10
GiE0/1     1     000e.c6c1.3a03  dynamic  10

  • Display Secure MAC Addresses on an Interface
SWITCH#show port-security mac-address interface gigabitEthernet0/1

interface  vlan  mac-address     type     left-time(min)
---------------------------------------------------------
GiE0/1     1     0001.0002.0004  static   10
GiE0/1     1     0001.0002.0003  static   10
GiE0/1     1     000e.c6c1.3a03  dynamic  10
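The brief output above is what an operator sweeps after rolling port security out. The following Python script is an added example, not part of the documentation or the switch: it parses a `show port-security brief` table into records and flags the three conditions worth acting on (a non-zero violation counter, free slots that will still learn any MAC, and a violation action weaker than the site policy). The sample text is constructed to match the layout of the output on this page and is not captured from a real switch; the parser keys on field order rather than column positions so modest alignment differences do not matter.

```python
"""Audit of 'show port-security brief' output (added example, not switch code)."""
import re

# Constructed sample in the shape of the brief output shown above (not a real
# capture): GiE0/2 has logged violations, GiE0/3 and GiE0/4 still have free slots.
SAMPLE_BRIEF = """\
interface  mac-address  mac-address  violation  violation
           maximum      count        count      action
----------------------------------------------------------
GiE0/1     3            3            0          shutdown
GiE0/2     1            1            4          restrict
GiE0/3     1            0            0          restrict
GiE0/4     10           2            0          shutdown
"""

# one data row: interface, maximum, current count, violation count, action
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(restrict|shutdown)\s*$")


def parse_brief(text: str) -> list:
    """Return one dict per interface row; header and rule lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({
                "interface": m.group(1),
                "maximum": int(m.group(2)),
                "count": int(m.group(3)),
                "violations": int(m.group(4)),
                "action": m.group(5),
            })
    return rows


def audit(text: str, required_action: str = "shutdown") -> list:
    """Findings as (interface, reason) pairs, in table order.

    violations > 0     : a device with an unexpected MAC has tried to use the port
    count < maximum    : a free slot, so the next unknown MAC is simply learned
    action != required : violation mode weaker than the site policy
    """
    findings = []
    for r in parse_brief(text):
        if r["violations"] > 0:
            findings.append((r["interface"], f"{r['violations']} violation(s) logged"))
        if r["count"] < r["maximum"]:
            free = r["maximum"] - r["count"]
            findings.append((r["interface"], f"{free} free slot(s) still learn any MAC"))
        if r["action"] != required_action:
            findings.append((r["interface"],
                             f"violation action is {r['action']}, policy wants {required_action}"))
    return findings


if __name__ == "__main__":
    for iface, reason in audit(SAMPLE_BRIEF):
        print(f"{iface}: {reason}")
```

Feed it the real output (for example, from a scheduled `show port-security brief` collected over SSH) and page on any finding; the free-slot check is the one most often missed, because a port with maximum 10 and two learned addresses looks secured but will accept eight more unknown devices without a single violation.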
