Cisco CCNA Basics X: Introduction to Port Security

Today I am going to talk about the basics of port security as used in a switched network. The port security feature limits access to an interface by identifying and restricting the MAC addresses of the stations permitted to use the port. When we assign secure MAC addresses to a secure port, the port does not forward packets whose source address is outside the group of defined addresses.

If we limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses has been reached, a security violation occurs when a station whose MAC address differs from all of the identified secure MAC addresses attempts to access the port. Likewise, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.

Fig 1.1- Port Security
What are the various violation modes on the switch port?
We can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs. The modes are described below.

Protect: In protect mode, when the number of secure MAC addresses reaches the maximum permitted on the port, packets with unknown source addresses are dropped until we remove enough secure MAC addresses to fall below the maximum value or increase the number of maximum allowable addresses. There is no notification in this mode.

·      Traffic is forwarded in the Protect mode: No
·      Sends SNMP Traps for notification: No
·      Sends Syslog message: No
·      Display Error message: No
·      Violation counter increment: No
·      Shutdown the port: No

Restrict: In restrict mode, when the number of secure MAC addresses reaches the maximum permitted on the port, packets with unknown source addresses are dropped until we remove a sufficient number of secure MAC addresses to fall below the maximum value or increase the number of maximum allowable addresses.

In this mode, we are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

·      Traffic is forwarded: No
·      Sends SNMP Traps for notification: Yes
·      Sends Syslog message: Yes
·      Display Error message: No
·      Violation counter increment: Yes
·      Shutdown the port: No

Shutdown: In this mode, a port security violation causes the interface to become error-disabled and shut down immediately, and the port LED turns off. When a secure port is in the error-disabled state, we can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or we can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

Shutdown vlan: This mode is the same as the shutdown mode described above, but it is used to set the security violation mode per VLAN. In this mode, the VLAN is error-disabled instead of the entire port when a violation occurs.

·      Traffic is forwarded: No
·      Sends SNMP Traps for notification: No
·      Sends Syslog message: Yes
·      Display Error message: No
·      Violation counter increment: Yes
·      Shutdown the port: No


Configuration Examples for Port Security

Case-1: Enable port security on a port and set the maximum number of secure addresses to 50. The violation mode is left at the default.

RouteXP(config)# interface GigabitEthernet 0/1
RouteXP(config-if)# switchport mode access
RouteXP(config-if)# switchport port-security
RouteXP(config-if)# switchport port-security maximum 50
RouteXP(config-if)# switchport port-security mac-address sticky

Case-2: Configure a static secure MAC address on VLAN 10 of a port.

RouteXP(config)# interface GigabitEthernet 0/2
RouteXP(config-if)# switchport mode trunk
RouteXP(config-if)# switchport port-security
RouteXP(config-if)# switchport port-security mac-address 0000.0300.0504 vlan 10

Case-3: Enable sticky port security on a port, manually configure MAC addresses for the data VLAN and the voice VLAN, and set the total maximum number of secure addresses to 30 (15 for the data VLAN and 15 for the voice VLAN).

RouteXP(config)# interface FastEthernet 1/0
RouteXP(config-if)# switchport access vlan 11
RouteXP(config-if)# switchport mode access
RouteXP(config-if)# switchport voice vlan 12
RouteXP(config-if)# switchport port-security
RouteXP(config-if)# switchport port-security maximum 30
RouteXP(config-if)# switchport port-security violation restrict
RouteXP(config-if)# switchport port-security mac-address sticky
RouteXP(config-if)# switchport port-security mac-address sticky 0000.0500.0002
RouteXP(config-if)# switchport port-security mac-address 0000.0500.0003
RouteXP(config-if)# switchport port-security mac-address sticky 0000.0500.0001 vlan voice
RouteXP(config-if)# switchport port-security mac-address 0000.0500.0004 vlan voice
RouteXP(config-if)# switchport port-security maximum 15 vlan access
RouteXP(config-if)# switchport port-security maximum 15 vlan voice
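As an added example (not from the original post or from Cisco), the following Python script audits interface stanzas like the three cases above: it parses the switchport port-security lines of a running-config, applies the IOS defaults the post describes (maximum 1, violation mode shutdown) where nothing is set, and flags ports with port security off, a maximum above a local policy limit, protect mode (which gives no notification), or per-VLAN maxima that add up to more than the interface maximum. The sample configuration and the policy limit of 10 are constructed for this example.

```python
import copy
# IOS defaults once port-security is enabled: max 1 address, violation shutdown.
DEFAULTS = {"enabled": False, "maximum": 1, "violation": "shutdown",
            "sticky": False, "vlan_maximum": {}}

# Constructed sample: Case-1 and a variant of Case-3, plus an unprotected port.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security maximum 50
 switchport port-security mac-address sticky
interface GigabitEthernet0/2
interface FastEthernet1/0
 switchport port-security
 switchport port-security maximum 30
 switchport port-security violation restrict
 switchport port-security maximum 15 vlan access
 switchport port-security maximum 20 vlan voice
"""

def parse_interfaces(config):
    # Returns {interface name: settings} built from each stanza's port-security lines.
    ports, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            cur = ports[line.split(None, 1)[1]] = copy.deepcopy(DEFAULTS)
        elif cur is not None and line.startswith("switchport port-security"):
            args = line.split()[2:]
            if not args:                                   # bare command enables it
                cur["enabled"] = True
            elif args[0] == "maximum" and len(args) == 2:  # interface-wide maximum
                cur["maximum"] = int(args[1])
            elif args[0] == "maximum":                     # maximum N vlan <name>
                cur["vlan_maximum"][args[3]] = int(args[1])
            elif args[0] == "violation":
                cur["violation"] = args[1]
            elif args == ["mac-address", "sticky"]:        # sticky learning on
                cur["sticky"] = True
    return ports

def audit(port, policy_max=10):
    # Policy findings for one parsed port; an empty list means it passes.
    findings = []
    if not port["enabled"]:
        findings.append("port-security off: any source MAC is forwarded")
    if port["maximum"] > policy_max:
        findings.append(f"maximum {port['maximum']} exceeds policy {policy_max}")
    if port["violation"] == "protect":
        findings.append("protect mode drops silently (no syslog, trap or counter)")
    if sum(port["vlan_maximum"].values()) > port["maximum"]:
        findings.append("per-VLAN maxima exceed the interface maximum")
    return findings
```

Run audit() over every entry of parse_interfaces(SAMPLE_CONFIG) to get the findings per port; static mac-address entries are ignored by this parser.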