Port Security is a security mechanism used on switches. With this mechanism, a specific port of a switch can be protected against unwanted access. Here, we will learn the theory of this lesson. We will focus on the properties of this mechanism and some of the Cisco configuration commands. For example configurations, you can view Cisco Port Security Configuration and Huawei Configuration with eNSP. You can also check the Cisco website for this configuration.
With this technology, the number of MAC addresses allowed on a port, or the specific MAC addresses that are allowed, can be configured on a switchport. By doing this, only the desired number of devices can connect to the switch over one port, and only devices with specific MAC addresses can be allowed to access that port.
First, the maximum number of allowed devices is set. Then the MAC addresses of these devices are either configured statically or learned dynamically (with or without sticky). If a MAC address is configured manually, only a device with this MAC address is allowed on the port. If there is no manual configuration, the MAC addresses are learned dynamically: the first connected devices' MAC addresses are registered up to the configured maximum. Dynamically learned addresses are lost when the port goes down or the switch reloads, unless sticky learning is enabled, which writes them into the running configuration.
You can see the figure below as a small reference for Port Security. In this topology, a maximum of 2 allowed MAC addresses is configured on the switch port, and the allowed MAC addresses are configured statically. So Host A and Host C are allowed, but Host B is not allowed on this port.
To enable this security feature on Cisco Catalyst switches, we use the commands below. Note that port security can only be enabled on a port that is configured as an access or trunk port; on a port left in dynamic (auto/desirable) mode, the command is rejected, so set the port mode first:
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport port-security
On Cisco switches, the maximum number of allowed MAC addresses can be set with the command below (the default maximum is 1). For example, if we would like to limit these MAC addresses to a maximum of 10, we use the following command:
Switch(config-if)# switchport port-security maximum 10
MAC addresses can be learned dynamically or configured statically. For a static MAC address, we use the command below with the MAC address:
Switch(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
On a trunk port, this configuration can also be done for a specific VLAN as below:
Switch(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC vlan 10
Besides static configuration, we can make the dynamically learned MAC addresses sticky, so that they are added to the running configuration and survive a port reset, as below (save the configuration if they should also survive a reload):
Switch(config-if)# switchport port-security mac-address sticky
We can clear all dynamically learned MAC addresses with the command below (static and sticky addresses are not affected by it):
Switch(config)# clear port-security dynamic
A violation occurs when more devices than the configured maximum try to connect on that port, when a device with a MAC address different from the statically configured one tries to connect, or when a MAC address secured on one port is seen on another secure port in the same VLAN. In all these cases the offending traffic is not allowed. This prevention is done in one of three ways:
We can set the Port Security violation mode with the command below:
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
The violation modes are explained in detail below:
Shutdown : The default behaviour. After a violation, the port goes into the error-disabled state and stops forwarding any traffic; a syslog message is generated and the violation counter is incremented. The port stays down until an administrator issues shutdown and then no shutdown on it, or until errdisable recovery is configured for the psecure-violation cause.
Restrict : After a violation, the interface stays up. Traffic from unknown source MAC addresses is dropped while traffic from the secure addresses is still forwarded; a syslog message (and SNMP trap) is generated and the violation counter is incremented.
Protect : After a violation, the interface stays up. Traffic from unknown source MAC addresses is dropped while traffic from the secure addresses is still forwarded, but there is no logging and the violation counter is not incremented.
As said above, in Shutdown mode the port is closed and there is no traffic, so there is no CPU overload risk. But with Restrict and Protect there is a CPU overload risk, because the port stays up and keeps receiving the violating frames. To avoid this CPU overload on platforms that support it (for example the Catalyst 6500), use the port-security rate limiter (10 through 1,000,000 packets per second). A lower value is better; a value below 1000 is the recommended choice.
We can configure the rate limiter with the "mls rate-limit layer2 port-security rate_in_pps [burst_size]" command:
Switch(config)# mls rate-limit layer2 port-security rate_in_pps [burst_size]
Secure MAC addresses can also be aged out of the secure address list. The aging type is set with the command below:
Switch(config-if)# switchport port-security aging type {absolute | inactivity}
As you can see, there are two types of aging: absolute and inactivity. The default type is absolute, and the default aging time is 0, which means aging is disabled until an aging time is configured. On a port configured with "absolute", secure addresses age out exactly when the specified aging time expires and are removed from the secure address list. With the "inactivity" type, secure addresses age out only if there is no data traffic from the secure source address for the aging time period. By default only dynamically learned addresses age out; static addresses age out only if static aging is enabled in addition.
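To see how the pieces above work together, here is a small model of a secured switchport. It is an added example written for this article, not code from the article, from Cisco or from any switch; it reproduces the behaviour described above (maximum, static and sticky addresses, the protect/restrict/shutdown violation modes and absolute/inactivity aging) on constructed traffic. The port names, MAC addresses and minute timestamps are made up, aging is only evaluated when a frame arrives, and the "aging static" option and the same-VLAN cross-port check are left out. The running_config() method prints the IOS lines equivalent to each policy so they can be compared with the commands in the text.

```python
"""Model of a port-security secured switchport (added example, not Cisco code).

Shows the effect of maximum, static and sticky addresses, the three violation
modes and the two aging types. Port names, MACs and minute timestamps are
constructed for the example; "aging static" is not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # "switchport port-security maximum"; Cisco default is 1
    violation: str = "shutdown"      # protect | restrict | shutdown; shutdown is the default
    sticky: bool = False             # "switchport port-security mac-address sticky"
    aging_time: int = 0              # minutes; 0 disables aging (Cisco default)
    aging_type: str = "absolute"     # absolute (Cisco default) | inactivity
    static: set = field(default_factory=set)      # manually configured secure MACs
    learned: dict = field(default_factory=dict)   # mac -> [learned_at, last_seen] (minutes)
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        assert self.violation in ("protect", "restrict", "shutdown")
        assert self.aging_type in ("absolute", "inactivity")
        self.static = {m.lower() for m in self.static}

    def secure_macs(self):
        return self.static | set(self.learned)

    def _age(self, now):
        # Only learned entries age here; static entries would need "aging static".
        if self.aging_time == 0:
            return
        for mac, (learned_at, last_seen) in list(self.learned.items()):
            reference = learned_at if self.aging_type == "absolute" else last_seen
            if now - reference >= self.aging_time:
                del self.learned[mac]

    def frame(self, src_mac, now=0):
        """Decide 'forward' or 'drop' for a frame with source MAC src_mac at minute `now`."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                     # shutdown mode: nothing passes until recovered
        self._age(now)
        if src_mac in self.static:
            return "forward"
        if src_mac in self.learned:
            self.learned[src_mac][1] = now    # refresh last_seen for inactivity aging
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned[src_mac] = [now, now]  # free slot: learn the new source
            return "forward"
        return self._violate(src_mac)

    def _violate(self, src_mac):
        if self.violation == "protect":
            return "drop"                     # silent: no counter, no syslog
        self.violation_count += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True          # err-disabled until recover()
        return "drop"

    def recover(self):
        """Administrator does shutdown / no shutdown (or errdisable recovery fires)."""
        self.err_disabled = False

    def running_config(self):
        """IOS lines equivalent to this policy, as they would appear in the running config."""
        lines = [f"interface {self.name}",
                 " switchport mode access",   # port security needs access or trunk mode
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.aging_time:
            lines.append(f" switchport port-security aging time {self.aging_time}")
            lines.append(f" switchport port-security aging type {self.aging_type}")
        for mac in sorted(self.static):
            lines.append(f" switchport port-security mac-address {mac}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            for mac in sorted(self.learned):  # sticky-learned addresses land in the config
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return "\n".join(lines)


def topology_demo():
    """The figure's scenario: maximum 2, Host A and Host C static, Host B violates."""
    port = SecurePort("FastEthernet0/1", maximum=2,
                      static={"0000.aaaa.0001", "0000.cccc.0003"})   # constructed MACs
    results = [port.frame("0000.aaaa.0001"), port.frame("0000.bbbb.0002"),
               port.frame("0000.aaaa.0001")]      # A ok, B violates, then A is blocked too
    port.recover()
    results.append(port.frame("0000.cccc.0003"))   # after shut/no shut, C forwards again
    return results


if __name__ == "__main__":
    print(topology_demo())   # ['forward', 'drop', 'drop', 'forward']
    print(SecurePort("FastEthernet0/1", maximum=2, violation="restrict", sticky=True).running_config())
```

Running topology_demo() shows the shutdown mode trap that catches many first-time users: after Host B's single violating frame the port is error-disabled, so Host A, an allowed host, is cut off as well until the port is recovered. Constructing the same port with violation="restrict" or "protect" keeps Host A working and only drops Host B; the two differ only in whether the violation is counted and logged. On a real switch the same state is visible with show port-security interface <interface> (port status, violation mode and count, aging settings) and show port-security address (the secure address table), which are the commands to check when a host unexpectedly loses connectivity.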
Various show commands are available on Cisco switches to verify this configuration, for example to check the secure address table, the violation count and whether a port is in the error-disabled state.
Here, we have talked about the basics of this security mechanism. If you would like to configure it, you can follow the Cisco Configuration Example with Packet Tracer.