Cisco Switch How To - Secure a Switch Port

To learn more about this tutorial contact us info_ipmax@ipmax.it
or visit our site www.ipmax.it/support WWW.IPMAX.IT
Secure a
Switch Port
CISCO
Switch

Next, you must identify a set of allowed MAC addresses so that the port can grant them access. You can
explicitly configure addresses or they can be learned dynamically from port traffic. On each interface that
uses port security, specify the maximum number of MAC addresses that will be allowed access using the
following interface configuration command:
Switch(config-if)#switchport port-security maximum max-addr
01
In some environments, a network must be secured by controlling what stations can gain access to the network
itself. Where user workstations are stationary, their MAC addresses always can be expected to connect to the
same access-layer switch ports. If stations are mobile, their MAC addresses can be learned dynamically or
added to a list of addresses to expect on a switch port.
Catalyst switches offer the port security feature to control port access based on MAC addresses. To configure
port security on an access-layer switch port, begin by enabling it with the following interface-configuration
command:
Switch(config-if)#switchport port-security
Secure a Switch Port
CISCO Switch
1. Port security
By default, only one MAC address will be allowed access on each switch port. You can set the maximum
number of addresses in the range of 1 to 1,024.

You also can statically define one or more MAC addresses on an interface. Any of these addresses are
allowed to access the network through the port. Use the following interface configuration command to define
a static address:
Switch(config-if)#switchport port-security mac-address mac-addr
02
Each interface using port security dynamically learns MAC addresses by default and expects those addresses
to appear on that interface in the future. These are called sticky MAC addresses. MAC addresses are learned
as hosts transmit frames on an interface. The interface learns up to the maximum number of addresses
allowed. Learned addresses also can be aged out of the table if those hosts are silent for a period of time.
By default, no aging occurs.
For example, to set the maximum number of MAC addresses that can be active on a switch port at any time to
two, you could use the following command:
Switch(config-if)#switchport port-security maximum 2
CISCO Switch
2. Set maximum mac address

Finally, you must define how each interface using port security should react if a MAC address is in violation
by using the following interface-configuration command:
Switch(config-if)# switchport port-security violation {shutdown | restrict |protect}
03
The MAC address is given in dotted-triplet format. If the number of static addresses configured is less than the
maximum number of addresses secured on a port, the remaining addresses are learned dynamically. Be sure
to set the maximum number appropriately.
You can use the following command to configure a static address entry on an interface:
Switch(config-if)#switchport port-security mac-address 0006.5b02.a841
CISCO Switch
3. Set reaction to violation
A violation occurs if more than the maximum number of MAC addresses are learned or if an unknown (not
statically defined) MAC address attempts to transmit on the port. The switch port takes one of the following
configured actions when a violation is detected:
• Shutdown - The port immediately is put into the errdisable state, which effectively shuts it down. It must be
re-enabled manually or through errdisable recovery to be used again.
• Restrict - The port is allowed to stay up, but all packets from violating MAC addresses are dropped.
The switch keeps a running count of the number of violating packets and can send an SNMP trap and a
syslog message as an alert of the violation.
• Protect - The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses
are dropped, no record of the violation is kept.

When the default maximum of one MAC address is exceeded on this interface, the condition is logged but
the interface stays up. This is shown by the following syslog message:
Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11
04
As an example of the restrict mode, a switch interface has received the following configuration commands:
interface GigabitEthernet0/11
switchport access vlan 991
switchport mode access
switchport port-security
switchport port-security violation restrict
spanning-tree portfast
CISCO Switch
3. Set reaction to violation
In the shutdown mode, the port security action is much more drastic. When the maximum number of MAC add
resses is exceeded, the following syslog messages indicate that the port has been shut down in the errdisable
state:
Jun 3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11,
putting Gi0/11 in err-disable state
Jun 3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/11.
Jun 3 17:14:20.022 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gigabit Ethernet0/
11, changed state to down
Jun 3 17:14:21.023 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to
down

or visit our site www.ipmax.it/support WWW.IPMAX.IT 05
The command show port-security interface , shows port status as you can see in the following exemple
Switch#show port-security interface gigabitethernet 0/11
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0003.a089.efc5
Security Violation Count : 1
CISCO Switch
4. Port Status
To see a quick summary of only ports in the errdisable state, along with the reason for errdisable, you can use
the show interfaces status err-disabled command, as demonstrated in Example
Switch#show interfaces status err-disabled
Port Name Status Reason
Gi0/11 Test port err-disabled psecure-violation

or visit our site www.ipmax.it/support WWW.IPMAX.IT 06
Finally, you can display a summary of the port-security status with the show port-security command, as
demonstrated in next Example
Switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi0/11 5 1 0 Restrict
Gi0/12 1 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6176
CISCO Switch
4. Port Status

More Needs?
Services and
Solutions
Products
Remote
IpService
Security
Via Ponchielli, 4
20063 Cernusco sul Naviglio (MI) –
Italy
+39 02 9290 9171
info_ipmax@ipmax.it
About us
IPMAX is the ideal partner for companies
seeking quality in products and services.
IPMAX guarantees method and professionalism
to support its customers in selecting technologies
with the best quality / price ratio, in the design,
installation, commissioning and operation

Cisco Switch How To - Secure a Switch Port

More Related Content

What's hot

Similar to Cisco Switch How To - Secure a Switch Port

More from IPMAX s.r.l.

Recently uploaded

Cisco Switch How To - Secure a Switch Port