
Switch Port Security – Part 1

Author: gokhankosem, on 04 Apr 15 - 0 Comments

Switch Port Security

Port Security is a security mechanism used on switches. With the Port Security mechanism, a specific port of a switch can be protected against undesirable access.

With Port Security, the number of MAC addresses allowed on a switchport, or the specific MAC addresses themselves, can be configured. With this configuration, only the desired number of devices can connect to the switch over one port, and only a device with a specific MAC address can be allowed to access that port.

First, the desired number of devices is specified. After that, the MAC addresses of these devices are configured either statically or dynamically (sticky). If a MAC address is configured manually, only a device with this MAC address is expected and allowed to access the port. If there is no manual configuration, dynamic (sticky) MAC address learning is used, and the MAC addresses of the first connected devices are registered, up to the configured maximum number of accepted devices.

You can see the figure below as a small reference for port security. In this topology, a maximum of 2 allowed MAC addresses is configured on the switch, and the allowed MAC addresses are specified statically. So Host A and Host C are allowed, but Host B is not allowed on this port.

[Figure: Switch Port Security topology (maximum 2 allowed MAC addresses, Host A and Host C allowed, Host B not allowed)]

To enable Port Security on Cisco Catalyst switches…

Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport port-security

Maximum Number of MAC addresses allowed on the port…

Switch(config-if)# switchport port-security maximum 10

Static configuration of allowed MAC addresses on the port…

Switch(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC

This can be done for a VLAN also…

Switch(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC vlan 10

Dynamically learned (sticky) MAC addresses…

Switch(config-if)# switchport port-security mac-address sticky

To clear the dynamically learned MAC addresses…

Switch# clear port-security dynamic
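The commands above are the steps of one procedure. The following added helper (written for this article; it is not ipcisco.com's or Cisco's code) assembles them into a complete interface block for one access port and checks the values the switch would reject first: the maximum must be at least 1, the static MAC addresses must use the dotted xxxx.xxxx.xxxx form and must not outnumber the maximum, and the violation mode must be one of the three modes described later. The interface name and MAC addresses in the usage section are constructed sample data, and the `switchport mode access` line is an assumption not shown in the article: Catalyst switches reject port security on a port whose mode is still dynamic.

```python
import re
from typing import List, Optional, Sequence

# Added helper for this article (not ipcisco.com's or Cisco's code): it turns a port
# security policy into the IOS interface commands shown above, after checking the
# values the switch would reject. Interface names and MAC addresses used in the
# usage section are constructed sample data.

MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")  # dotted IOS form, AAAA.BBBB.CCCC
VIOLATION_MODES = ("protect", "restrict", "shutdown")


def check_policy(maximum: int, static_macs: Sequence[str], violation: str) -> List[str]:
    """Return a list of problems; an empty list means the policy is consistent."""
    problems = []
    if maximum < 1:
        problems.append("maximum must be at least 1")
    if violation not in VIOLATION_MODES:
        problems.append("violation mode must be one of %s" % ", ".join(VIOLATION_MODES))
    if len(static_macs) > maximum:
        problems.append("%d static MAC addresses exceed the maximum of %d" % (len(static_macs), maximum))
    for mac in static_macs:
        if not MAC_RE.match(mac):
            problems.append("MAC address %r is not in xxxx.xxxx.xxxx form" % mac)
    return problems


def port_security_config(interface: str, maximum: int = 1, static_macs: Sequence[str] = (),
                         vlan: Optional[int] = None, sticky: bool = False,
                         violation: str = "shutdown") -> List[str]:
    """Build the interface command block; raises ValueError for an inconsistent policy."""
    problems = check_policy(maximum, static_macs, violation)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "interface %s" % interface,
        " switchport mode access",      # assumption: port security needs a non-dynamic port mode
        " switchport port-security",
        " switchport port-security maximum %d" % maximum,  # raise the limit before adding addresses
    ]
    for mac in static_macs:
        suffix = " vlan %d" % vlan if vlan is not None else ""
        lines.append(" switchport port-security mac-address %s%s" % (mac, suffix))
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    lines.append(" switchport port-security violation %s" % violation)
    return lines


if __name__ == "__main__":
    print("\n".join(port_security_config("FastEthernet0/1", maximum=2,
                                          static_macs=["AAAA.BBBB.CCCC"], sticky=True,
                                          violation="restrict")))
```

The `maximum` line is emitted before any `mac-address` line on purpose: with the default maximum of 1, a second static address would be rejected by the switch.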

A violation occurs when more devices than the configured maximum try to connect on that port, or, in a static configuration, when a device with a different MAC address tries to connect to that port; such a device is not allowed. This prevention is done in one of three ways: protect, restrict and shutdown.

Port Security Violation mode configuration…

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

The violation modes are described in detail below:

Shutdown : The default behaviour of Port Security. After a violation, the port goes into the error-disabled state and stops forwarding any traffic.

Restrict : After a violation, the interface stays online. The unallowed traffic is dropped and the normal traffic is allowed. Logging works.

Protect : After a violation, the interface stays online. The unallowed traffic is dropped and the normal traffic is allowed. There is no logging.

As we said above, in shutdown mode the port is closed and there is no traffic, so there is no CPU overload risk. But with Restrict and Protect there is a CPU overload risk, because the port is not closed on a violation. To avoid this CPU overload, use the “rate limiter” (10 through 1,000,000). A lower value is better; a value lower than 1000 is the better choice.

To configure Port Security rate limiter…

Switch(config)# mls rate-limit layer2 port-security rate_in_pps [burst_size]

As we said above, the allowed MAC addresses can be configured statically or ports learn them dynamically. After learning and writing them to the database, they are valid until the configured “aging time” expires. This aging time is configured like below:

Switch(config-if)# switchport port-security aging type {absolute | inactivity}

As you can see, there are two types of aging time. One is absolute and the other is inactivity. The default one is inactivity. On a port configured with “absolute”, secure addresses age out exactly when the specified aging time expires and they are removed from the secure address list. But with the “inactivity” type, secure addresses age out only if there is no data traffic from the secure source addresses for the aging time period.
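To make the behaviour described above concrete, here is an added Python model (written for this article, not Cisco IOS code and not from ipcisco.com) of one secure port. It covers the figure's topology (maximum 2, Host A and Host C static, Host B refused), the three violation modes (protect drops silently, restrict drops and logs, shutdown error-disables the port) and the two aging types (absolute removes an entry when the time expires, inactivity only when the address has been silent). The MAC addresses and the minute-based timeline are constructed sample data, and static and sticky entries are aged alike, which is a simplification.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added model of switch port security for this article; it is not Cisco IOS code and
# only mirrors the behaviour the text describes. MAC addresses and the timeline
# in the scenarios below are constructed sample data.

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    maximum: int = 1               # switchport port-security maximum N
    violation: str = SHUTDOWN      # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False           # switchport port-security mac-address sticky
    aging_time: int = 0            # minutes; 0 means secure addresses never age out
    aging_type: str = "absolute"   # switchport port-security aging type {absolute|inactivity}
    secure: Dict[str, int] = field(default_factory=dict)  # MAC -> timestamp (minutes) used for aging
    err_disabled: bool = False
    violations: int = 0
    log: List[str] = field(default_factory=list)    # what restrict/shutdown would report
    aged: List[str] = field(default_factory=list)   # MACs removed by aging, in order

    def add_static(self, mac: str, now: int = 0) -> None:
        """switchport port-security mac-address <mac>"""
        if len(self.secure) >= self.maximum:
            raise ValueError("secure address table is full (maximum %d)" % self.maximum)
        self.secure[mac] = now

    def _age_out(self, now: int) -> None:
        # Simplification: static and sticky entries are aged alike here.
        if self.aging_time <= 0:
            return
        for mac in [m for m, t in self.secure.items() if now - t >= self.aging_time]:
            del self.secure[mac]
            self.aged.append(mac)

    def receive(self, mac: str, now: int = 0) -> bool:
        """Handle one frame with source MAC `mac` arriving at minute `now`.
        Returns True if the frame is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False                # shutdown mode already took the port down
        self._age_out(now)
        if mac in self.secure:
            if self.aging_type == "inactivity":
                self.secure[mac] = now  # traffic from a secure address resets its timer
            return True
        if self.sticky and len(self.secure) < self.maximum:
            self.secure[mac] = now      # sticky: learn the first devices that show up
            return True
        return self._violate(mac, now)

    def _violate(self, mac: str, now: int) -> bool:
        if self.violation == PROTECT:
            return False                # dropped silently: no counter, no log
        self.violations += 1
        self.log.append("violation by %s at t=%d (%s mode)" % (mac, now, self.violation))
        if self.violation == SHUTDOWN:
            self.err_disabled = True    # port goes error-disabled; all traffic stops
        return False


HOST_A, HOST_B, HOST_C = "0000.1111.AAAA", "0000.2222.BBBB", "0000.3333.CCCC"  # constructed


def figure_scenario(mode: str) -> dict:
    """The article's topology: maximum 2, Host A and Host C static, Host B not allowed."""
    port = SecurePort(maximum=2, violation=mode)
    port.add_static(HOST_A)
    port.add_static(HOST_C)
    return {
        "A": port.receive(HOST_A, 1),
        "B": port.receive(HOST_B, 2),   # unknown source -> violation
        "C": port.receive(HOST_C, 3),   # still forwarded unless shutdown disabled the port
        "violations": port.violations,
        "err_disabled": port.err_disabled,
        "logged": len(port.log),
    }


def aging_scenario(aging_type: str) -> dict:
    """Sticky port, aging time 10 minutes: Host A keeps sending, Host C goes quiet after t=0."""
    port = SecurePort(maximum=2, violation=RESTRICT, sticky=True,
                      aging_time=10, aging_type=aging_type)
    port.receive(HOST_A, 0)             # both sticky-learned at t=0
    port.receive(HOST_C, 0)
    for t in range(1, 12):
        port.receive(HOST_A, t)         # steady traffic from Host A through t=11
    b_forwarded = port.receive(HOST_B, 12)   # Host B arrives once aging may have freed a slot
    return {"aged_out": list(port.aged), "B_forwarded": b_forwarded}


if __name__ == "__main__":
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        print(mode, figure_scenario(mode))
    for kind in ("absolute", "inactivity"):
        print(kind, aging_scenario(kind))
```

In the aging scenario, the busy Host A is removed and relearned under absolute aging but keeps its entry under inactivity aging; the silent Host C ages out either way, which is what frees the slot that Host B then takes on the sticky port.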

The Port Security verification commands are below:

show port-security

show port-security address

show port-security [interface {{vlan vlan_ID} | {type1 slot/port}}] [address]
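On a switch with many ports, the summary table of show port-security is where violation counters and full address tables become visible. The added example below (written for this article, not ipcisco.com's or Cisco's code) parses a constructed sample laid out like that table and flags the ports an operator should look at: a violation count on a shutdown-mode port means the port has most likely been error-disabled, a count on a restrict-mode port means an unexpected MAC address was refused, and a full table means the next new device will trigger the violation action. The interface names and counts in SAMPLE_OUTPUT are made up.

```python
import re
from typing import Dict, List, Tuple

# Added example for this article (not ipcisco.com's or Cisco's code). SAMPLE_OUTPUT is a
# constructed sample laid out like the summary table of 'show port-security'; the
# interface names and counts are made up.
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Shutdown
      Fa0/2              1            1                  3         Restrict
      Fa0/3             10            4                  1         Shutdown
      Fa0/4              5            0                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 4
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# One data row: port, max count, current count, violation count, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Protect|Restrict|Shutdown)\s*$")


def parse_port_security(text: str) -> List[Dict]:
    """Parse the summary table; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        port, maximum, current, violations, action = m.groups()
        rows.append({"port": port, "max": int(maximum), "current": int(current),
                     "violations": int(violations), "action": action.lower()})
    return rows


def review(rows: List[Dict]) -> List[Tuple[str, str]]:
    """Flag ports an operator should look at, with the reason."""
    findings = []
    for r in rows:
        if r["violations"] > 0 and r["action"] == "shutdown":
            findings.append((r["port"], "violation recorded; port is likely error-disabled and needs recovery"))
        elif r["violations"] > 0:
            findings.append((r["port"], "%d violations in %s mode; check which MAC address was refused"
                             % (r["violations"], r["action"])))
        if r["current"] >= r["max"]:
            findings.append((r["port"], "secure address table full; the next new MAC address triggers the violation action"))
    return findings


if __name__ == "__main__":
    for port, reason in review(parse_port_security(SAMPLE_OUTPUT)):
        print("%-6s %s" % (port, reason))
```

Note that a protect-mode port never shows a violation count, exactly as the modes section above states, so a port in protect mode only ever appears here because its table is full.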




About the Author
Gokhan Kosem is a telecommunication and network engineer. His interest in IP networks and end-to-end system installation led him to prepare this web site. By sharing his experiences with various networking protocols, different system installations, and Cisco, Juniper and Alcatel-Lucent device configurations, he aims to be helpful to his colleagues all over the world. He currently lives in Istanbul, Turkey.


