Switchport Security Configuration

Tuesday, September 28, 2021 2:44 PM

  • switchport port - predefine any allowed source MAC addresses for this interface. - security mac-address mac-address
(Optional)
  • tell the switch to “sticky learn” dynamically learned MAC addresses.
(Optional)- switchport port-security mac-address sticky
switchport port - enables port security, with all defaults - security
defines a specific source MAC address. With the default maximum source address setting of
1
switchport port - - security mac-address 0200.1111.1111
default violation action disable the interface.
  • Port security does not save the configuration of the sticky addresses - use the copy running-config startup-config command if desired.
make sure to configure the maximum MAC address to at least two (one for the phone,
or for a PC connected to the phone)
  • voice ports-
    • the port security configuration should be placed on the portthan the individual physical interfaces in the channel. -channel interface, rather
  • EtherChannels
voice ports and EtherChannels

Verifying Port Security

  • provides the most insight to how port security operates
  • lists the configuration settings for port security on an interface
      • Port Security: EnabledPort Status: Secure-shutdown
      • Violation mode: shutdownMaximum MAC Addresses : 1
    • Last source Address:VLAN: 0013:197b:5004 1
  • includes information about any security violations
Show port-security interface
    • Port Security: EnabledPort Status: Secure-shutdown
    • Violation Mode: ShutdownMaximum MAC Addresses: 1
  • Sticky MAC Addresses: 1
  • Last Source Address: Vlan 0013:197b:5004 1
Show port-security interface fastEthernet 0/2
secure- the interface has been disabled because of port security-shutdown state

Port Security MAC Addresses

No longer listed as dynamic entries- Do not show up in the results from show mac address-table dynamic EXEC command.
-
you need to use one of these options to see the MAC table entries associated with ports
using port security:
-
  • Port security ports
show mac address - Lists MAC addresses associated with ports that use port security - table secure :
Lists MAC addresses associated with ports that use port security, as well as any
other statically defined MAC addresses
show mac address - - table static:
show mac address-table secure interface F0/2
(All three options cause the switch to discard the offending frame)
  • Discard frame
Protect
    • Discard frameSend log and snmp messages
  • increment violation counter
Restrict
  • Discard frame
    • Send log and snmp messagesincrement violation counter
  • Puts interface into err-disabled state, discarding all traffic
Shutdown

Port Security Violation Modes

Shutdown Mode

  • interface must be shut down with the shutdown command and then enabled with the no shutdown command.
  • recover from an err-disabled state
  • automatically recover from the err-disabled state:
  • automatic recovery for interfaces in an err-disabled state caused by port security
errdisable recovery cause psecure-violation
errdisable recovery interval - set the time to wait before recovering the interface seconds
lists the current port-security status (secure-shutdown) as well as the configured mode
(shutdown)
-
last line of output lists the number of violations that caused the interface to fail to an err-
disabled state
-
show port-security interface
disabled statesecond-to-last line identifies the MAC address and VLAN of the device that caused the
violation.
-
  • notes the number of times the interface has been moved to the errshutdown) state. -disabled (secure-
  • while errafter shutdown/no shutdown, another violation that causes the interface to fail to an err-disabled, many frames can arrive, but the counter remains at 1. -
    disabled state will cause the counter to increment to 2.
-
violations counter

Protect and Restrict Modes
still discard offending traffic, but the interface remains in a connected (up/up) state and in a port
security state of secure-up.

-
  • port continues to forward good traffic but discards offending traffic.
      • discard the frame.does not change the port to an err-disabled state
    • does not generate messages
    • does not even increment the violations counter
protect