Port Security as the name of the feature states, is security of the port. It limits the number of MAC address that can be learned and how they are learned. By default there is no port security enabled on a Cisco Catalyst switch. It first has to be enabled and then the different attributes that can be configured can be applied.
Operationally whenever a switch port learns a MAC address, whether through normal ARP or Gratuitous ARP, the MAC address is stored in the CAM table. This table builds a binding for the MAC to Port, so whenever traffic is forwarded and the MAC address is the destination MAC, the CAM table is referenced to determine which port forward the traffic out of. This covers why a MAC address is needed. Why would we ever needed to enable a feature to control how many MAC addresses could be learned?
A practical deployment would be a conference room switchport that has a switch plugged into one of the wall jacks. If the wall jack port is an access port, then multiple MAC addresses could be learned in on that port. This maybe acceptable for some networks but not others. Port Security could be used to limit how many MAC addresses are learned and how they are learned. Then apply some enforcement if a violation occurs. Depending on the violation, re-enabling a port maybe required.
To enable Port Security use the following commands: - Caveat, the port must be static Access
SW1(config-if)#switchport port-security
Command rejected: GigabitEthernet0/0 is a dynamic port.
interface GigabitEthernet0/0
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky ca01.133c.0000
switchport port-security
Step 1 is enable the port as an access port.
Step 2 is enable the port-security feature under the interface
Step 3 is enable the MAC address learning mechanism, in this case we used "sticky"
Do this on all the interfaces that you want to enable this feature on, if enabled with the "sticky" feature, the learned MAC address will be treated as a "static" MAC entry.
interface range g0/0 - 3
switchport mode access
switchport port-security mac-address sticky
switchport port-security
SW1#sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 ca01.133c.0000 STATIC Gi0/0
1 ca02.05f8.0000 STATIC Gi0/1
1 ca03.13e8.0000 STATIC Gi0/2
1 ca04.0cb4.0000 STATIC Gi0/3
Total Mac Addresses for this criterion: 4
Since we enabled the port security feature on the interfaces listed above, the learned MAC addresses are learned and stored as static MACs.
SW1#sh run | in interface|ca
interface GigabitEthernet0/0
switchport port-security mac-address sticky ca01.133c.0000
interface GigabitEthernet0/1
switchport port-security mac-address sticky ca02.05f8.0000
interface GigabitEthernet0/2
switchport port-security mac-address sticky ca03.13e8.0000
interface GigabitEthernet0/3
switchport port-security mac-address sticky ca04.0cb4.0000
So now that we have it enabled and ports have learned MACs, let's verify everything.
SW1#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi0/0 1 1 0 Shutdown
Gi0/1 1 1 0 Shutdown
Gi0/2 1 1 0 Shutdown
Gi0/3 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
This output lists the MAC addresses that have been learned and how many have been learned.
SW1#show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 ca01.133c.0000 SecureSticky Gi0/0 -
1 ca02.05f8.0000 SecureSticky Gi0/1 -
1 ca03.13e8.0000 SecureSticky Gi0/2 -
1 ca04.0cb4.0000 SecureSticky Gi0/3 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
This output lists the addresses learned, the method they were learned by and the port they were learned in on.
SW1#show port-security address forbidden
----------------------------------
Globally Forbidden MAC Addresses
----------------------------------
-----------------------------------------
No of Global Forbidden Addresses : 0
-------------------------------------
Forbidden Mac Addresses
------------------------------------------
Mac Address Ports
----------- -----
-----------------------------------------
Total Forbidden Addresses in System : 0
This output identifies any MACs that are not allowed to be learned by the switch.
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : ca01.133c.0000:1
Security Violation Count : 0
This output shows the details of a given interface, G0/0 here, and the specifics of the port security implementation.
This port has port security enabled.
The status is secure-up meaning that port is security and operationally up.
The violation mode is shutdown meaning that if a violation were to occur, the port would be shutdown.
The total amount of MAC addresses that can be learned in on this interface is 1 which is the configured default once port security is enabled.
The total MAC address is how many MACs have been learned.
Configured MAC addresses is if you manually entered a MAC at the port level.
Sticky MAC addresses is our deployment and we have 1.
The Last Source Address:VLAN, this shows the MAC learned in on the port and the VLAN that port is currently in.
What happens when there is a violation?
R1(config-if)#mac-address 0000.0000.0001
R1(config-if)#do sh int f0/0 | in bia
Hardware is DEC21140, address is 0000.0000.0001 (bia ca01.133c.0000)
We configure a new MAC on the F0/0 interface of R1. Any traffic that is generated by this router on this interface will be seen with MAC 0000.0000.0001, which will cause an issue. The issue is SW1 on G0/0 has learned a different MAC, the BIA address in (Parenthesis).
*Sep 22 00:21:21.865: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*Sep 22 00:21:21.873: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0001 on port GigabitEthernet0/0.
*Sep 22 00:21:22.866: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Sep 22 00:21:23.868: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
This output show that a new MAC address was learned in on G0/0 and is a violation, the violation enforcement is to shutdown the port and place the port into err-disable mode.
SW1#sh port-security interface g0/0
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.0000.0001:1
Security Violation Count : 1
The port is now secure-shutdown. It can not be used currently.
SW1#sh int status
Port Name Status Vlan Duplex Speed Type
Gi0/0 err-disabled 1 auto auto unknown
To fix this issue we will have to remove the manually configured MAC on R1, shutdown and then no shutdown the G0/0 interface on SW1.
R1(config-if)#no mac-address 0000.0000.0001
R1(config-if)#do sh int f0/0 | in bia
Hardware is DEC21140, address is ca01.133c.0000 (bia ca01.133c.0000)
SW1(config)#int g0/0
SW1(config-if)#shut
SW1(config-if)#
*Sep 22 00:26:59.642: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
SW1(config-if)#no shut
*Sep 22 00:27:06.441: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Sep 22 00:27:07.441: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
SW1#sh port-security interface g0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
We can now see that the interface has recovered and no MAC info, Last Source, has been learned. We can generate some traffic from R1 and now populate that field.
R1(config-if)#do ping 10.10.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/69/144 ms
SW1#sh port-security interface g0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : ca01.133c.0000:1
Security Violation Count : 0
Now the field is populated and all is well.
Thanks for stopping by!
Rob Riker, CCIE #50693