ccie.nyquist.eu
Switchport Port Security

Port Security restricts the number of stations that are allowed to access a switch port.

Define allowed hosts

Each time a host sends a frame into the port, the frame's source MAC address is added to the list of secure MACs. This list of secure MAC addresses has a limited size, and it can be populated with these types of secure MAC addresses:

  • Static: manually configured. Will appear in the running config.

    Sw(config-if)# switchport port-security mac-address MAC-ADDR

  • Dynamic: learned from the source MAC of the frames that enter the port. They are not part of the config and will be lost on reload.

  • Sticky: when enabled, it converts dynamically learned addresses into sticky static addresses, so they appear in the running config.

    Sw(config-if)# switchport port-security mac-address sticky

    Sticky static addresses can also be added manually using:

    Sw(config-if)# switchport port-security mac-address sticky MAC-ADDR

Enable port-security

To enable port security, the port must be statically set to access or trunk:

Sw(config-if)# switchport mode {access|trunk}

To enable port security, use:

Sw(config-if)# switchport port-security

By default, only one MAC address is allowed on the interface. The number of allowed MAC addresses can be changed with:

Sw(config-if)# switchport port-security maximum MAX

On trunk ports, the maximum value can be set per VLAN:

Sw(config-if)# switchport port-security maximum MAX vlan [VLAN-LIST]

If VLAN-LIST is omitted, the maximum is set for each VLAN on the trunk.

Security Violation

A security violation occurs when the maximum number of secure MAC addresses has already been added to the list and a new station attempts to send a frame, or when an address learned or configured on one secure interface attempts to send a frame on another secure interface in the same VLAN. The default security violation mode is “shutdown”, but this can be changed with:

Sw(config-if)# switchport port-security violation {protect|restrict|shutdown [vlan]}
  • protect: frames sent by hosts that are not in the secure list are dropped. No notification occurs.

  • restrict: just like protect, but the switch also sends an SNMP trap, logs a syslog message and increments a violation counter.

  • shutdown: the interface is errdisabled. The switch sends an SNMP trap, logs a syslog message and increments a violation counter.

  • shutdown vlan: only the offending VLAN is errdisabled on the port. The switch sends an SNMP trap, logs a syslog message and increments a violation counter.

Recovery from the errdisabled state can be done manually (shut/no shut) or automatically, with:

Sw(config)# errdisable recovery cause psecure-violation 
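To make the violation rules above concrete, here is a small model of how a port-security-enabled port treats incoming frames. This is an added illustration, not Cisco code or code from this site: it implements the rules stated in this section (a per-port secure MAC list with a maximum, the protect/restrict/shutdown violation modes, and the rule that a MAC already secured on another secure port in the same VLAN is a violation). The port names, MAC addresses and log text are constructed for the example, and the recovery behaviour is the toy's own, not a statement about how IOS handles the secure list after errdisable.

```python
"""Toy model of switchport port-security violation handling.

Added illustration, not Cisco code. Port names, MACs and the log text
are constructed; the rules follow the page: one secure MAC list per port
with a maximum, three violation modes, and a MAC already secured on
another secure port in the same VLAN counts as a violation."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1               # IOS default: one secure MAC per port
    violation: str = SHUTDOWN      # IOS default violation mode
    secure_macs: set = field(default_factory=set)  # static, sticky and dynamic alike
    errdisabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)        # stands in for SNMP trap / syslog

    def record_violation(self, mac):
        """Apply the configured violation mode and return the frame's fate."""
        if self.violation == PROTECT:
            return "drop"          # silent: no trap, no syslog, no counter
        self.violation_count += 1
        self.log.append(f"violation on {self.name} from {mac} (constructed message)")
        if self.violation == RESTRICT:
            return "drop"
        self.errdisabled = True    # shutdown: the whole port goes errdisabled
        return "errdisable"


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def secured_elsewhere(self, mac, vlan, this_port):
        """True if `mac` is already secure on a different secure port in `vlan`."""
        return any(p.name != this_port and p.vlan == vlan and mac in p.secure_macs
                   for p in self.ports.values())

    def frame(self, port_name, src_mac):
        """Process one ingress frame: forward / drop / errdisable / dropped-errdisabled."""
        port = self.ports[port_name]
        if port.errdisabled:
            return "dropped-errdisabled"
        if src_mac in port.secure_macs:
            return "forward"
        if self.secured_elsewhere(src_mac, port.vlan, port_name):
            return port.record_violation(src_mac)
        if len(port.secure_macs) >= port.maximum:
            return port.record_violation(src_mac)
        port.secure_macs.add(src_mac)  # dynamic learning
        return "forward"

    def recover(self, port_name):
        """shut/no shut or errdisable recovery: the toy brings the port back up
        and leaves the secure list as it was (a simplification of this model)."""
        self.ports[port_name].errdisabled = False


def demo():
    """Two secure ports in VLAN 10 with different violation modes (constructed scenario)."""
    sw = Switch()
    sw.add_port(SecurePort("Gi0/1", vlan=10, maximum=1, violation=RESTRICT))
    sw.add_port(SecurePort("Gi0/2", vlan=10, maximum=2, violation=SHUTDOWN))
    results = [
        sw.frame("Gi0/1", "0000.1111.aaaa"),  # learned dynamically -> forward
        sw.frame("Gi0/1", "0000.1111.bbbb"),  # over maximum, restrict -> drop, counter++
        sw.frame("Gi0/2", "0000.1111.aaaa"),  # MAC already secure on Gi0/1 -> errdisable
        sw.frame("Gi0/2", "0000.2222.cccc"),  # port is errdisabled now
    ]
    return sw, results


if __name__ == "__main__":
    sw, results = demo()
    print(results)
    for p in sw.ports.values():
        print(p.name, "violations:", p.violation_count, "errdisabled:", p.errdisabled)
```

Running the script prints the fate of the four frames and each port's violation counter; note that with `protect` the counter never moves, which is why that mode gives an operator no signal that a violation happened.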

Clearing allowed hosts list

Manual

The list of secure MAC addresses can be cleared manually, using:

Sw# clear port-security {all|configured|dynamic|sticky} [address MAC-ADDR|interface INTERFACE]

Auto

The addresses in the list of secure MAC addresses can be aged out if you set:

Sw(config-if)# switchport port-security aging time SEC

The aging can be absolute (the address will be aged out after the configured interval) or relative to inactivity (the address will be aged out after an interval of inactivity equal to the configured value).

Sw(config-if)# switchport port-security aging type {absolute|inactivity}

Normally, the aging process happens only for dynamic addresses. It cannot be used for sticky addresses, but it can be used for static addresses, using:

Sw(config-if)# switchport port-security aging static
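The sections above (defining allowed hosts, enabling port-security, choosing a violation mode, and aging) together describe everything that ends up under an interface in the running config. The following script, an added example that is not code from this site or from Cisco, parses those interface commands out of a running-config and reports what a reviewer would want to check: ports with no static mode or no port-security, ports whose violation mode is `protect` (no trap, syslog or counter), and ports allowing an unusually large number of secure MACs. The sample configuration is constructed for the example, and the threshold `LARGE_MAXIMUM` is an assumed local policy value, not an IOS setting.

```python
"""Audit an IOS running-config for switchport port-security settings.

Added example, not Cisco code. It reads interface stanzas, reconstructs
the effective settings using the defaults described above (maximum 1,
violation shutdown, aging type absolute) and lists review findings.
The sample config is constructed; LARGE_MAXIMUM is an assumed policy."""
import re

LARGE_MAXIMUM = 10   # assumed policy: flag ports that allow more secure MACs than this

# Constructed sample running-config, using only the commands described above.
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.1111.AAAA
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 50
 switchport port-security maximum 5 vlan 10,20
!
"""


def new_iface():
    """Effective defaults for a port with no port-security commands."""
    return {"mode": None, "enabled": False, "maximum": 1, "maximum_vlan": {},
            "violation": "shutdown", "sticky": False, "macs": [],
            "aging_time": 0, "aging_type": "absolute", "aging_static": False}


def parse_interfaces(config):
    """Return {interface name: settings dict} for every interface stanza."""
    interfaces, cur = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            cur = interfaces[m.group(1)] = new_iface()
            continue
        if cur is None or not raw.startswith(" "):
            cur = None                       # '!' or a global command ends the stanza
            continue
        cmd = raw.strip()
        if (m := re.fullmatch(r"switchport mode (access|trunk)", cmd)):
            cur["mode"] = m.group(1)
        elif cmd == "switchport port-security":
            cur["enabled"] = True
        elif (m := re.fullmatch(r"switchport port-security maximum (\d+)(?: vlan (.+))?", cmd)):
            if m.group(2):                   # per-VLAN maximum on a trunk
                cur["maximum_vlan"][m.group(2)] = int(m.group(1))
            else:
                cur["maximum"] = int(m.group(1))
        elif (m := re.fullmatch(r"switchport port-security violation (protect|restrict|shutdown)( vlan)?", cmd)):
            cur["violation"] = m.group(1) + (m.group(2) or "")
        elif cmd == "switchport port-security mac-address sticky":
            cur["sticky"] = True
        elif (m := re.fullmatch(r"switchport port-security mac-address (?:sticky )?([0-9A-Fa-f.]+)", cmd)):
            cur["macs"].append(m.group(1).lower())   # static or sticky static entry
        elif (m := re.fullmatch(r"switchport port-security aging time (\d+)", cmd)):
            cur["aging_time"] = int(m.group(1))
        elif (m := re.fullmatch(r"switchport port-security aging type (absolute|inactivity)", cmd)):
            cur["aging_type"] = m.group(1)
        elif cmd == "switchport port-security aging static":
            cur["aging_static"] = True
    return interfaces


def audit(config):
    """Return {interface: [findings]} for the ports a reviewer should look at."""
    findings = {}
    for name, cfg in parse_interfaces(config).items():
        notes = []
        if cfg["mode"] is None:
            notes.append("switchport mode not set statically; port-security needs access or trunk")
        elif not cfg["enabled"]:
            notes.append("port-security not enabled")
        else:
            if cfg["violation"] == "protect":
                notes.append("violation mode protect drops silently: no trap, syslog or counter")
            if cfg["maximum"] > LARGE_MAXIMUM:
                notes.append(f"maximum {cfg['maximum']} exceeds policy value {LARGE_MAXIMUM}")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for iface, notes in audit(SAMPLE_RUNNING_CONFIG).items():
        for n in notes:
            print(f"{iface}: {n}")
```

Feed it the output of `show running-config` from a real switch and GigabitEthernet0/1 in the sample is what a clean port looks like: static mode, port-security on, a small maximum, `restrict` so violations are visible, sticky learning, and inactivity aging so stale entries do not block a replacement host forever.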

Verification

To verify port-security status, you can use:

Sw# show port-security [address MAC-ADDR|interface INTERFACE]

Last updated 3 years ago