Port Security is a feature of Cisco Catalyst switches which restricts the number of MAC addresses per port. The intention is to prevent users plugging in unmanaged switches to extend the network by sharing a single port. Whilst not a perfect solution as MAC addresses can be spoofed, it deters the average user.
When a device is connected to a switch port the first Ethernet frame is examined and its source MAC address is recorded. With the default settings (one address per port, violation mode "shutdown"), if a frame from a second source MAC address is detected the switch will shut down the port to prevent multiple devices accessing the network.
Port security is enabled on a per-port basis, usually on all access ports. Enabling port security with the default options takes a single command:
Switch(config)# int fa0/1
Switch(config-if)# switchport port-security
Once enabled we can view the current state of the port:
Switch# sh port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
Once a device is connected and the first Ethernet frame is received the source MAC address will be recorded (learned) by the switch:
Switch# sh port-security int fa0/1
...
Last Source Address:Vlan   : 009c.02a0.4a3e:99
...
If we connect a switch to a port with port-security enabled and then attach a second host behind it, the port will change to the “err-disabled” state, blocking all traffic. If we check the state again, two values will have changed:
Switch# sh port-security int fa0/1
...
Port Status                : Secure-shutdown
...
Security Violation Count   : 1
Once the offending device has been removed the port must be re-enabled by issuing the “shutdown” command followed by “no shutdown” on the interface. Before doing so it is worth noting the “Last Source Address:Vlan” value, as it tells you which MAC address triggered the violation.
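The checks above are easy to script. The following parser, an added example rather than code from the original page, turns the key/value lines of “show port-security interface” into a dictionary and flags ports that are sitting in the Secure-shutdown (err-disabled) state. The two sample outputs are constructed to match the format shown above; field names are those the switch prints, and the “needs_reenable” / “note” keys are this example's own.

```python
import re

# Constructed sample output modelled on the "show port-security interface"
# output shown above; not captured from a real switch.
SAMPLE_SHUTDOWN = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 009c.02a0.4a3e:99
Security Violation Count   : 1
"""

SAMPLE_FRESH = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Key, padding, ":", value. The key itself may contain ":" (Last Source
# Address:Vlan), so the separator is the first colon preceded by whitespace.
FIELD_RE = re.compile(r"^(?P<key>\S.*?)\s+:\s*(?P<value>.*)$")


def parse_port_security(text):
    """Turn the key/value lines of 'show port-security interface' into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def assess_port(fields):
    """Summarise what the parsed output means for an operator."""
    status = fields.get("Port Status", "")
    violations = int(fields.get("Security Violation Count", "0"))
    # "mac:vlan"; the MAC contains dots, the VLAN follows the last colon.
    last_mac, _, last_vlan = fields.get("Last Source Address:Vlan", "").rpartition(":")
    # Secure-shutdown is the err-disabled state: with the default violation
    # mode the port stays there until shutdown / no shutdown is applied.
    needs_reenable = status == "Secure-shutdown"
    if needs_reenable:
        note = "err-disabled after a violation; check %s before re-enabling" % last_mac
    elif violations:
        note = "forwarding, but violations have been counted"
    else:
        note = "no violations"
    return {"status": status, "violations": violations, "last_mac": last_mac,
            "last_vlan": last_vlan, "needs_reenable": needs_reenable, "note": note}


if __name__ == "__main__":
    for name, sample in (("fa0/1 (after violation)", SAMPLE_SHUTDOWN),
                         ("fa0/2 (fresh)", SAMPLE_FRESH)):
        print(name, assess_port(parse_port_security(sample)))
```

Run against the output of “show port-security interface” for every access port and you have a quick report of which ports are err-disabled and which MAC address caused it.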
Changing Port Security Behaviour
The default configuration options don’t suit everyone; thankfully we can adjust the way port security behaves. Cisco provide the ability to adjust the following:
- Violation Mode
What happens when a port violation occurs
- Maximum MAC addresses
The number of allowed MAC addresses before a violation occurs
- MAC address ageing
How long to wait before forgetting a learned MAC address
- Auto Recovery
Re-enable a port after a certain period of time
Configuring the violation mode allows us to tweak what happens when the number of detected MAC addresses exceeds the number we allow. We have three options:
- shutdown is the default, which err-disables the port and blocks all traffic
- protect allows traffic from the allowed MAC addresses but silently drops all traffic from the violating MAC addresses; nothing is logged, so you get no indication that anything happened
- restrict is as per “protect” but also generates syslog messages and increments the “Security Violation Count”, which makes it the better choice if you want to notice violations without taking the port down
Violation mode is configured on a per-port basis.
Switch(config)# int fa0/1
Switch(config-if)# switchport port-security violation restrict
Maximum MAC addresses
We can allow more than just a single MAC address on a per-port basis; this is useful when devices such as a computer and an IP phone share the same access port.
Switch(config)# int fa0/1
Switch(config-if)# switchport port-security maximum 2
MAC address ageing
When a switch with port security receives an Ethernet frame the learned MAC address is kept indefinitely: the default aging time of 0 minutes (visible in the output above) means no ageing at all. In some situations (meeting rooms etc.) you may want the MAC address to be forgotten after a period of time. Ageing (specified in minutes) is configured as follows; note that the default aging type is absolute, so the timer runs from the moment the address was learned regardless of whether the device is still sending traffic:
Switch(config)# int fa0/1
Switch(config-if)# switchport port-security aging time 5
It can be a pain having to contact IT to shut down and re-enable a port after a violation, so we can allow the switch to auto-recover after a period of time. Automatic recovery is configured at switch level rather than per port, with the interval specified in seconds:
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600
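To see how the four settings above interact, here is a small model of one port, written for this page as an added example (it is not Cisco code and it does not talk to a switch). It implements the behaviour described in this section only: a limit on learned source MACs, the shutdown / restrict / protect violation modes, absolute ageing in minutes and errdisable recovery in seconds. The clock is an integer number of seconds supplied by the caller, the sample MAC addresses are constructed, and the assumption that learned addresses are flushed when the port is re-enabled is this model's own; sticky addresses, inactivity ageing and SNMP traps are not modelled.

```python
class PortSecurity:
    """Toy model of Catalyst port security on a single access port."""

    def __init__(self, maximum=1, violation="shutdown", aging_time=0,
                 recovery_interval=None):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError("unknown violation mode: %s" % violation)
        self.maximum = maximum                      # switchport port-security maximum N
        self.violation = violation                  # switchport port-security violation MODE
        self.aging_time = aging_time                # aging time in minutes; 0 = never (default)
        self.recovery_interval = recovery_interval  # errdisable recovery interval in seconds
        self.secure = {}                            # learned MAC -> time (s) it was learned
        self.status = "Secure-up"
        self.violation_count = 0
        self.errdisabled_at = None

    def _age_out(self, now):
        # Absolute ageing: an entry expires aging_time minutes after it was learned.
        if self.aging_time:
            limit = self.aging_time * 60
            for mac, learned in list(self.secure.items()):
                if now - learned >= limit:
                    del self.secure[mac]

    def reenable(self):
        """'shutdown' followed by 'no shutdown' on the interface."""
        self.status = "Secure-up"
        self.errdisabled_at = None
        self.secure.clear()   # assumption: dynamic entries do not survive the port going down

    def _auto_recover(self, now):
        # errdisable recovery: bring the port back once the interval has elapsed.
        if (self.status == "Secure-shutdown" and self.recovery_interval is not None
                and now - self.errdisabled_at >= self.recovery_interval):
            self.reenable()

    def receive(self, mac, now=0):
        """Handle a frame with source `mac` at time `now` (seconds).
        Returns 'forward', 'drop' or 'errdisable'."""
        self._auto_recover(now)
        if self.status == "Secure-shutdown":
            return "drop"                           # err-disabled: nothing passes, even known MACs
        self._age_out(now)
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = now                  # learn a new secure address
            return "forward"
        # Over the limit: apply the violation mode.
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"
            self.violation_count += 1
            self.errdisabled_at = now
            return "errdisable"
        if self.violation == "restrict":
            self.violation_count += 1               # counted (and logged on a real switch)
        return "drop"                               # protect: dropped silently, not counted


def simulate(port, frames):
    """Feed (time, mac) pairs to `port` and return the list of outcomes."""
    return [port.receive(mac, t) for t, mac in frames]


if __name__ == "__main__":
    # Constructed traffic: the original PC, a second host behind a rogue switch,
    # then the original PC again.
    frames = [(0, "009c.02a0.4a3e"), (1, "0011.2233.4455"), (2, "009c.02a0.4a3e")]
    for mode in ("shutdown", "restrict", "protect"):
        port = PortSecurity(violation=mode)
        print(mode, simulate(port, frames), "violations:", port.violation_count)
```

Running the three modes over the same frames shows the practical difference: shutdown takes the legitimate PC offline along with the intruder, restrict and protect both keep it working, and only restrict leaves a trace in the violation counter.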