Understanding Port Security
Someone goes on-site for maintenance. Server1 is currently plugged into a switchport int fa 1/0/1. The tech has unplugged server1 and forgotten where it should go. Instead they accidentally plug Bob from HR’s patch into switchport int fa 1/0/1. You are calledto sort this out – they have left the site so they are unable to plug Server1 back into the proper port and Bob is calling because he needs to do some work but his PC is not connected to the network!
Port Security Guidelines and Restrictions:
- A secure port cannot be a trunk port.
- A secure port cannot be a destination port for Switch Port Analyzer (SPAN).
- A secure port cannot belong to an EtherChannel port-channel interface.
- A secure port and static MAC address configuration are mutually exclusive.
Protect – Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.
Restrict – Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.
Shutdown – The interface is error-disabled when a security violation occurs.
***This is the default behavior is to disable the port when the MAC changes or if the number of concurrent MAC’s exceeds the maximum.
NOTE: When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command or you can manually reenable it by entering the shutdown and no shut down interface configuration commands.
- switchport port-security – enables port security, optional “maximum <n>” to set the max greater than 1
- switchport port-security mac-address sticky – turns on the sticky MAC feature
After enabling, you will notice the currently connected MAC address(es) will appear in the running config:
switchport port-security mac-address sticky
switchport port-security mac-address sticky xxxx.xxxx.xxxx
***This will stay in the config until the switch is rebooted, so it’s important to write the config.
Other related commands:
- show port-security address – lists all the learned MAC addresses by interface
- show port-security interface fa1/0/1– shows the detailed port security settings for an interface, including enable/disable status
- clear port-security sticky interface fa1/0/1 – clears the learned sticky MAC addresses, must be done prior to a shut/no shut to re-enable a port disabled due to port security
Default MAC on int gi 0/0 on Router interface. Port-security is turned on for interface gi 0/0 on Switch.
Change interface gi 0/0 on Router to have a different MAC address since our switch has dynamically learned the default MAC and we have 1 maximum MAC address allowed on interface gi 0/0 on Switch.
Port-security debug turned on we can see the interface is put into error disable mode by port-security and shuts down.
Show command on the interface to see their is indeed a violation on access port that was created by MAC 0000.0000.1234
NOTE: %PORT_SECURITY-2-PSECURE_VIOLATION:error is caused not only when mac addresses are exceeded but also when same mac-address being learnt on two ports.
Use the show command to see which MAC addresses are considered as ‘secure’ for ports on the Switch.