{"id":6371,"date":"2026-05-04T12:10:34","date_gmt":"2026-05-04T12:10:34","guid":{"rendered":"http:\/\/docs.connexite.co.uk\/index.php\/docs\/connexite-documentation\/synapse-cli-documentation\/cli-configuring-port-security\/"},"modified":"2026-05-04T12:19:09","modified_gmt":"2026-05-04T12:19:09","slug":"cli-configuring-port-security","status":"publish","type":"docs","link":"https:\/\/docs.connexite.co.uk\/index.php\/docs\/network\/synapse-cli-documentation\/cli-configuring-port-security\/","title":{"rendered":"Configuring Port Security"},"content":{"rendered":"<h2 class=\"connexite-doc-h2\">Overview of Port Security<\/h2>\n<p>You can use port security to block input to a Fast Ethernet or Gigabit Ethernet port when the MAC address of the station attempting to access the port differs from all of the MAC addresses specified for that port. Alternatively, you can use port security to filter traffic destined to or received from a specific host, based on the host MAC address. The maximum number of MAC addresses that you can allocate for each port depends on your network configuration. After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC addresses for the port manually or have the port dynamically configure the MAC addresses of the connected devices.<\/p>\n<p>When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If the MAC address of a device attached to the port is not in the list of secure addresses, a violation occurs. You can set a port to one of the following two modes to handle a security violation:<\/p>\n<ul class=\"connexite-doc-list\">\n<li>Restrict: Drops all packets from insecure hosts but keeps the port enabled, until the dynamic MAC address of the host ages out. You can manually shut down and re-enable the interface (shutdown, then no shutdown) to recover from the violation.<\/li>\n<li>Shutdown: The shutdown mode option allows you to specify whether the port is to be permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. You can manually shut down and re-enable the interface (shutdown, then no shutdown) to recover from the violation.<\/li>\n<\/ul>\n<p>To convert dynamic security users to static security users, enable the sticky function on the port. When the sticky function is enabled, the dynamic users learned on the port exist as static users. If the configuration is saved, these entries still exist after the device restarts.<\/p>\n<h2 class=\"connexite-doc-h2\">Note<\/h2>\n<ul class=\"connexite-doc-list\">\n<li>Port security is supported only on L2 ports, such as physical ports and L2 AP ports.<\/li>\n<li>Port security can be configured only in access mode.<\/li>\n<li>Port security cannot be configured on AP member ports.<\/li>\n<li>The destination port of the SPAN does not support the port security function.<\/li>\n<li>Port security is not supported on ports that have been configured with static MAC addresses.<\/li>\n<\/ul>\n<h2 class=\"connexite-doc-h2\">Configuring<\/h2>\n<ul class=\"connexite-doc-list\">\n<li>Enable Port Security<\/li>\n<\/ul>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no switchport port-security<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Enables port security on the interface.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security maximum VALUE<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no switchport port-security maximum<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">The default maximum number of secure addresses is 1. VALUE ranges from 1 to 1024.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security mac-address MAC_ADDR<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no switchport port-security mac-address MAC_ADDR<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Enters a secure MAC address for the interface. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses will be dynamically learned.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security mac-address sticky<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no switchport port-security mac-address sticky<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Enables sticky learning on the interface.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security aging time MINUTES<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no switchport port-security aging time<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Sets the aging time for the secure port. The valid range for MINUTES is 0 to 1440 minutes.
If the time is equal to 0, aging is disabled for this port.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security aging static<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no switchport port-security aging static<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Enables aging for statically configured secure addresses on this port.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security violation { restrict | shutdown }<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no switchport port-security violation<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Sets the violation mode, that is, the action to be taken when a security violation is detected, to one of the following:<\/p>\n<ul class=\"connexite-doc-list\">\n<li>Restrict: A port security violation restricts data, causes the SecurityViolation counter to increment, and sends an SNMP trap notification.<\/li>\n<li>Shutdown: The interface is error-disabled when a security violation occurs. You can manually re-enable the interface by entering the shutdown and no shutdown commands. When a secure port is in the error-disabled state, it will recover after the errdisable recovery time.<\/li>\n<\/ul>\n<h2 class=\"connexite-doc-h2\">Examples<\/h2>\n<p>Example 1: This is a typical application of port security. Port security is enabled on interface gigabitEthernet0\/1, the maximum number of secure MAC addresses on interface gigabitEthernet0\/1 is 3, and three secure MAC addresses are entered on the interface.
When interface gigabitEthernet0\/1 receives a packet whose source MAC address is not in the list of secure MAC addresses, the packet is dropped.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security maximum 3<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security mac-address 0001.0001.0001<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security mac-address 0001.0001.0002<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#switchport port-security mac-address 0001.0001.0003<\/code><\/pre>\n<h2 class=\"connexite-doc-h2\">Display Information<\/h2>\n<ul class=\"connexite-doc-list\">\n<li>Display Interfaces Port Security Brief<\/li>\n<\/ul>\n<pre class=\"connexite-doc-command\"><code>SWITCH#show port-security brief<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>interface   mac-address   mac-address   violation   violation\n            maxinum       count         count       action\n-------------------------------------------------------------\nGiE0\/1      10            3             0           shutdown\nGiE0\/2      1             0             0           restrict\nGiE0\/3      1             0             0           restrict\nGiE0\/4      1             0             0           restrict\nGiE0\/5      1             0             0           restrict\nGiE0\/6      1             0             0           restrict\nGiE0\/7      1             0             0           restrict\nGiE0\/8      1             0             0           restrict<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH#show port-security interface gigabitEthernet0\/1<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>Port Security             : Enabled\nMaimum MAC Addresses      : 10\nViolation Mode            : Shutdown\nAging Time(mins)          : 10\nAging static              : Enabled\nTotal MAC Addresses       : 3\nConfigured MAC Addresses  : 2\nSecurity Violation Count  : 0\nLast Violate Address      : ---<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH#show port-security mac-address<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>interface  vlan  mac-address     type     left-time(min)\n--------------------------------------------------------\nGiE0\/1     1     0001.0002.0004  static   10\nGiE0\/1     1     0001.0002.0003  static   10\nGiE0\/1     1     000e.c6c1.3a03  dynamic  10<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH#show port-security mac-address interface gigabitEthernet0\/1<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>interface  vlan  mac-address     type     left-time(min)\n--------------------------------------------------------\nGiE0\/1     1     0001.0002.0004  static   10\nGiE0\/1     1     0001.0002.0003  static   10\nGiE0\/1     1     000e.c6c1.3a03  dynamic  10<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Networking \u203a Switching \u203a Edge \u203a 
Synapse<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":6349,"menu_order":22,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[115,119,116],"class_list":["post-6371","docs","type-docs","status-publish","hentry","doc_tag-connexite","doc_tag-network","doc_tag-synapse-cli-documentation","no-post-thumbnail"],"acf":[],"_links":{"self":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=6371"}],"version-history":[{"count":1,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6371\/revisions"}],"predecessor-version":[{"id":6419,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6371\/revisions\/6419"}],"up":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6349"}],"wp:attachment":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=6371"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/doc_tag?post=6371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}