Cisco Port Security Basics and configurations

Today I am going to talk about a switching topic: port security. Port security is used when you want to control which traffic a switch port accepts by allowing only specific MAC address entries, so frames from any other source MAC address are blocked or dropped.

Let's look at port security and its violation modes. The first question is why port security is required at all; part of the answer is that it also helps protect the network from attacks.

Why is Port Security important?
Port security is generally used to prevent traffic from unwanted MAC addresses, whether it originates from the external or the internal network.

Port security can operate in one of three violation modes, defined below:
  • Protect : In protect mode, the switch port drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value.
  • Restrict : In restrict mode, the switch port drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value, and it also increments the SecurityViolation counter.
  • Shutdown : In shutdown mode, the switch immediately puts the interface into the error-disabled state and sends an SNMP trap notification.
Fig 1.1- Port Security modes and messages
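To make the difference between the three modes concrete, here is an added Python model of a single secured access port. It is my own example, not code from the original post or from Cisco; the class name SecurePort, its methods and the MAC address 0011.2233.4455 are assumptions I introduced, while the behaviours follow the three definitions above.

```python
"""Added example (not from the original post): a small model of how the three
Cisco port-security violation modes treat frames on one secured access port.

Assumptions (mine, not Cisco's code): secure MACs are learned dynamically up to
the configured maximum, and a frame from any other source MAC once the table is
full is a violation. Handling per mode follows the definitions in the list above:
  protect  - drop the frame silently
  restrict - drop the frame and increment the SecurityViolation counter
  shutdown - put the port in the error-disabled state and send an SNMP trap
"""
from dataclasses import dataclass, field

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    name: str
    mode: str = "shutdown"   # Cisco's default violation mode
    maximum: int = 1         # Cisco's default "port-security maximum"
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    snmp_traps: list = field(default_factory=list)

    def __post_init__(self):
        if self.mode not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {self.mode!r}")

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; return the action the port took.

        Actions: "forward", "drop", "err-disable" (this frame tripped the
        port) or "port-down" (the port was already err-disabled).
        """
        src_mac = src_mac.lower()
        if self.err_disabled:
            # An err-disabled port passes nothing until an operator recovers
            # it (shutdown / no shutdown, or errdisable recovery).
            return "port-down"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Still room: learn the address as a dynamic secure MAC.
            self.secure_macs.add(src_mac)
            return "forward"
        # Table is full and the source is unknown: a security violation.
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> str:
        if self.mode == "protect":
            return "drop"                 # silent drop, no counter
        self.violation_count += 1         # restrict and shutdown both count it
        if self.mode == "restrict":
            return "drop"
        # shutdown: error-disable the port and notify the NMS.
        self.err_disabled = True
        self.snmp_traps.append(
            f"psecure-violation on {self.name} caused by {src_mac}")
        return "err-disable"

    def remove_secure_mac(self, mac: str) -> bool:
        """Free a slot in the secure table (the 'remove a sufficient number
        of secure MAC addresses' step from the protect/restrict definitions)."""
        mac = mac.lower()
        if mac in self.secure_macs:
            self.secure_macs.discard(mac)
            return True
        return False


def demo(mode: str) -> list:
    """Run the same three frames through a port in the given mode and return
    the actions taken, so the modes can be compared side by side."""
    port = SecurePort("Fa0/20", mode=mode)
    frames = ["0011.2233.4455",   # constructed: legitimate host, becomes the one secure MAC
              "0091.35c1.f17c",   # second source (MAC from the post): violation, table is full
              "0011.2233.4455"]   # legitimate host again
    return [port.receive(m) for m in frames]


if __name__ == "__main__":
    for mode in VIOLATION_MODES:
        print(f"{mode:9s} -> {demo(mode)}")
```

Running the demo shows the practical difference: in protect and restrict mode the legitimate host keeps working after the violation (only the offending frame is dropped), whereas in shutdown mode the legitimate host is cut off too until the port is recovered.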

Below is the basic configuration for enabling port security on a switch port where you want unauthorized traffic to be dropped. The port must be a static access port first, because port security is rejected on a dynamic (DTP-negotiating) port; the violation mode defaults to shutdown, as the show output further down confirms.

Port Security Configuration

NB_Switch(config)# interface f0/20
NB_Switch(config-if)# switchport mode access
NB_Switch(config-if)# switchport port-security

Show command for verifying port security

NB_Switch# show port-security interface f0/20
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

In the above output, the Violation Mode line shows that the port is configured for shutdown mode, so a violation will put it into the error-disabled state.

Below are the log messages the switch generates when a violation occurs:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/20, putting Fa0/20 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0091.35c1.f17c on port FastEthernet0/20.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/20, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/20, changed state to down.
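As an added example (mine, not part of the original post), the following Python parses both the show port-security interface output shown earlier and the syslog lines above, so a monitoring script can tell which port tripped and which MAC address caused it. The function names and the interface-name shortening are my assumptions; the sample text is taken from this post's output and embedded as constructed input.

```python
"""Added example (not from the original post): parse the two kinds of evidence
shown in this post - the 'show port-security interface' output and the
%PORT_SECURITY / %PM syslog messages - so a monitoring script can tell which
port tripped and which MAC caused it. Function names are mine."""
import re

# Sample input constructed from the post's own show output (prompt line omitted).
SHOW_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Sample syslog lines constructed from the post's violation output.
SYSLOG_LINES = [
    "%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/20, "
    "putting Fa0/20 in err-disable state",
    "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0091.35c1.f17c on port FastEthernet0/20.",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/20, "
    "changed state to down",
    "%LINK-3-UPDOWN: Interface FastEthernet0/20, changed state to down.",
]

# "key   : value"; the first whitespace-then-colon run is the separator, so the
# colon inside a key such as "Last Source Address:Vlan" stays with the key.
SHOW_LINE_RE = re.compile(r"^(.+?)\s+:\s*(.*?)\s*$")
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"([0-9a-f.]+) on port (\S+?)\.?$", re.I)
ERR_DISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+?),")

IF_PREFIXES = {"FastEthernet": "Fa", "GigabitEthernet": "Gi",
               "TenGigabitEthernet": "Te"}


def short_ifname(name: str) -> str:
    """Normalise 'FastEthernet0/20' to 'Fa0/20' so messages from different IOS
    subsystems, which spell the interface differently, line up."""
    for long, short in IF_PREFIXES.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_show_port_security(text: str) -> dict:
    """Show output -> dict with snake_case keys; purely numeric values become
    ints so thresholds (max addresses, violation count) compare directly."""
    state = {}
    for line in text.splitlines():
        m = SHOW_LINE_RE.match(line)
        if not m:
            continue
        key = re.sub(r"[^a-z0-9]+", "_", m.group(1).lower()).strip("_")
        value = m.group(2)
        state[key] = int(value) if value.isdigit() else value
    return state


def parse_syslog(lines) -> list:
    """Extract the port-security events; LINK/LINEPROTO lines only report the
    consequence of err-disable and carry nothing new, so they are ignored."""
    events = []
    for line in lines:
        m = VIOLATION_RE.search(line)
        if m:
            events.append({"type": "violation", "mac": m.group(1).lower(),
                           "port": short_ifname(m.group(2))})
            continue
        m = ERR_DISABLE_RE.search(line)
        if m:
            events.append({"type": "err_disable", "reason": m.group(1),
                           "port": short_ifname(m.group(2))})
    return events


def summarize_violations(lines) -> dict:
    """One record per port: the offending MAC and whether the port ended up
    err-disabled (true for shutdown mode; protect/restrict keep the port up)."""
    ports = {}
    for ev in parse_syslog(lines):
        rec = ports.setdefault(ev["port"], {"mac": None, "err_disabled": False})
        if ev["type"] == "violation":
            rec["mac"] = ev["mac"]
        elif ev["reason"] == "psecure-violation":
            rec["err_disabled"] = True
    return ports


if __name__ == "__main__":
    print(parse_show_port_security(SHOW_OUTPUT))
    print(summarize_violations(SYSLOG_LINES))
```

The two parsers complement each other: the show output tells you how the port is configured and how many violations it has counted so far, while the syslog messages tell you when a violation happened and which source MAC caused it, which is what an operator needs before deciding whether to recover the port.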

The other two violation modes, protect and restrict, simply drop the offending packets without putting the port into the shutdown state. I hope the concept of port security is clear now.