Cisco Basics: Port Security

Port Security is a feature of Cisco Catalyst switches which restricts the number of MAC addresses per port. The intention is to prevent users from plugging in unmanaged switches to extend the network by sharing a single port. Whilst not a perfect solution, as MAC addresses can be spoofed, it deters the average user.

When a device is connected to a switch port, the first Ethernet frame is examined and its source MAC address is recorded. If a second source MAC address is detected, the switch (by default) shuts down the port to prevent multiple devices accessing the network.

Port security is enabled on a per-port basis, usually on all access ports. Enabling port security with the default options takes a single command:

Switch(config)# int fa0/1
Switch(config-if)# switchport port-security

Once enabled we can view the current state of the port:

Switch# sh port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Once a device is connected and the first Ethernet frame is received the source MAC address will be recorded (learned) by the switch:

Switch# sh port-security int fa0/1
Last Source Address:Vlan   : 009c.02a0.4a3e:99

If we connect a switch to a port with port security enabled and add a second host, the port will change to an “err-disabled” state, blocking all traffic. If we check the state again, two values will have changed:

Switch# sh port-security int fa0/1
Port Status                : Secure-shutdown
Security Violation Count   : 1

Once the offending device has been removed, the port must be re-enabled by issuing the “shutdown” command followed by “no shutdown”.
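The “show port-security interface” output above is easy to read by eye, but on a switch with dozens of access ports you want to spot err-disabled ports and the offending MAC address automatically. The following is an added example (not code from the original post or from Cisco): a small Python parser for that output, using the field names shown above, with a constructed sample of a port that has just recorded a violation. The sample output, the summary field names and the report wording are assumptions made for this example.

```python
import re

# Constructed sample (not captured from a real switch): the output of
# "show port-security interface" for a port that has just recorded a violation.
SAMPLE_OUTPUT = """\
Switch# sh port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 009c.02a0.4a3e:99
Security Violation Count   : 1
"""

# The key/value separator is a colon padded by whitespace. Splitting on a bare
# ":" would break the "Last Source Address:Vlan" key and the "mac:vlan" value.
_SEP = re.compile(r"\s+:\s+")


def parse_port_security(text):
    """Return a dict of the raw fields in 'show port-security interface' output."""
    fields = {}
    for line in text.splitlines():
        parts = _SEP.split(line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue  # prompt lines and blank lines carry no field
        key, value = parts
        fields[key] = value.strip()
    return fields


def summarise(fields):
    """Normalise the interesting fields into Python types (hypothetical names)."""
    mac, _, vlan = fields.get("Last Source Address:Vlan", "").rpartition(":")
    return {
        "enabled": fields.get("Port Security") == "Enabled",
        "status": fields.get("Port Status", ""),
        "violation_mode": fields.get("Violation Mode", "").lower(),
        "aging_minutes": int(fields.get("Aging Time", "0 mins").split()[0]),
        "max_macs": int(fields.get("Maximum MAC Addresses", "0")),
        "total_macs": int(fields.get("Total MAC Addresses", "0")),
        "violations": int(fields.get("Security Violation Count", "0")),
        "last_mac": mac,
        "last_vlan": int(vlan) if vlan.isdigit() else None,
    }


def needs_manual_recovery(summary):
    """True when the port is err-disabled: an operator must issue
    'shutdown' / 'no shutdown' unless errdisable recovery is configured."""
    return summary["enabled"] and summary["status"] == "Secure-shutdown"


def violation_report(text):
    """One-line operator summary for a single port's output."""
    s = summarise(parse_port_security(text))
    if not s["enabled"]:
        return "port security not enabled"
    if needs_manual_recovery(s):
        return (f"err-disabled after {s['violations']} violation(s); "
                f"last offending MAC {s['last_mac']} on VLAN {s['last_vlan']}")
    if s["violations"] and s["violation_mode"] in ("restrict", "protect"):
        return f"{s['violations']} violation(s) dropped, port still forwarding"
    return f"ok, {s['total_macs']}/{s['max_macs']} MAC addresses learned"


if __name__ == "__main__":
    print(violation_report(SAMPLE_OUTPUT))
```

Feeding the output of each access port through violation_report gives a quick list of ports that need the shutdown / no shutdown treatment, together with the MAC address that caused it, which is usually enough to find the unmanaged switch.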

Changing Port Security Behaviour

The default configuration options don’t suit everyone; thankfully we can adjust the way port security behaves. Cisco provide the ability to adjust the following:

  • Violation Mode
    What happens when a port violation occurs
  • Maximum MAC addresses
    The number of allowed MAC addresses before a violation occurs
  • MAC address ageing
    How long to wait before forgetting a learned MAC address
  • Auto Recovery
    Re-enable a port after a certain period of time

Violation Mode

Configuring the violation mode allows us to tweak what happens when the number of detected MAC addresses exceeds the number we allow. We have three options:

  • shutdown is the default: the port is err-disabled and all traffic is blocked
  • protect allows traffic from the allowed MAC addresses but drops all traffic from the violating MAC addresses
  • restrict behaves as “protect” but also generates SYSLOG messages and increments the “Security Violation Count”

Violation mode is configured on a per-port basis.

Switch(config)# int fa0/1
Switch(config-if)# switchport port-security violation restrict

Maximum MAC addresses

We can allow more than a single MAC address per port; this is useful when devices such as a computer and an IP phone share the same access port.

Switch(config)# int fa0/1
Switch(config-if)# switchport port-security maximum 2

MAC address ageing

When a switch with port security receives an Ethernet frame, the learned MAC address is by default retained indefinitely (the default aging time is 0). In some situations (meeting rooms etc.) you may want the MAC address to be forgotten after a period of time. Ageing (specified in minutes) is configured as follows:

Switch(config)# int fa0/1
Switch(config-if)# switchport port-security aging time 5

Auto Recovery

It can be a pain having to contact IT to shut down and re-enable a port after a violation, so we can allow the switch to recover automatically after a brief period of time. Configured at a switch level rather than per-port, automatic recovery (specified in seconds) is configured as follows:

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600
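Once violation mode, maximum MAC addresses, ageing and auto recovery have been chosen, the risk is drift: an access port left without port security, or with a maximum large enough to hide a whole unmanaged switch. The following is an added example (not code from the original post or from Cisco) that audits a running-config fragment against a simple policy. The interface names, the policy values and the config sample are constructed for this example; the commands themselves are the ones shown in this post, and the defaults (violation shutdown, maximum 1, aging 0) are those shown in the “show port-security interface” output earlier.

```python
import re

# Constructed sample running-config fragment (not from a real switch): the global
# errdisable recovery lines plus three access ports and one trunk.
SAMPLE_CONFIG = """\
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security maximum 2
 switchport port-security aging time 5
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
!
interface FastEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

# Hypothetical policy chosen for this example: a PC plus an IP phone per port,
# and no "protect" mode because it hides violations from the logs.
POLICY = {
    "max_allowed": 2,
    "allowed_violation_modes": {"shutdown", "restrict"},
}


def parse_interfaces(config):
    """Map interface name -> list of its indented configuration lines."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces


def port_security_settings(lines):
    """Extract the port-security knobs from one stanza, starting from Cisco defaults."""
    settings = {"enabled": False, "violation": "shutdown", "maximum": 1, "aging": 0}
    for line in lines:
        if line == "switchport port-security":
            settings["enabled"] = True
        elif m := re.fullmatch(r"switchport port-security violation (\w+)", line):
            settings["violation"] = m.group(1)
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            settings["maximum"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security aging time (\d+)", line):
            settings["aging"] = int(m.group(1))
    return settings


def audit(config, policy=POLICY):
    """Return {interface: [findings]} for access ports that deviate from policy."""
    findings = {}
    recovery_enabled = "errdisable recovery cause psecure-violation" in config.splitlines()
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope for port security
        s = port_security_settings(lines)
        problems = []
        if not s["enabled"]:
            problems.append("port security not enabled")
        else:
            if s["violation"] not in policy["allowed_violation_modes"]:
                problems.append(f"violation mode '{s['violation']}' not allowed")
            if s["maximum"] > policy["max_allowed"]:
                problems.append(f"maximum {s['maximum']} exceeds policy {policy['max_allowed']}")
            if s["violation"] == "shutdown" and not recovery_enabled:
                problems.append("shutdown mode without errdisable recovery: manual re-enable needed")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(problems))
```

Run against the sample, the audit flags FastEthernet0/2 for its maximum of 50 and FastEthernet0/3 for having no port security at all, while FastEthernet0/1 passes and the trunk is ignored. Removing the errdisable recovery line adds a finding to every shutdown-mode port, since those will stay down until someone issues shutdown / no shutdown.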

Published by

Dave Hope

Dave works in IT for a leading UK based retirement developer, in his spare time he enjoys tinkering with technology and rock climbing.
