Contents

Introduction
Enable Port Security
  Protect
  Restrict
  Shutdown

Introduction

As the name says, Port Security protects the ports of a switch. A switch with Port Security enabled records the MAC address of the host seen on each port and lets only known MAC addresses send frames into the network; frames from unauthorized hosts are dropped, or the port is disabled. Note that the check is on the source MAC address only, which an attacker can set freely, so Port Security limits casual or accidental attachment of unauthorized devices and caps the number of addresses per port (for example against MAC flooding); it is not an authentication mechanism like 802.1X.

Enable Port Security

Use the command switchport port-security to enable Port Security on an interface. Before entering the command, set the port to access mode with switchport mode access; on a port that is still in the default dynamic (DTP) mode the command is rejected with an error message.

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Switch(config-if)#
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security

Use show port-security interface <interface> to check the status. Since no host is connected to the port yet, the Port Status is Secure-down and no MAC addresses are recorded. Note the defaults: Violation Mode is Shutdown and Maximum MAC Addresses is 1.

Switch#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Connect a host to the port. The MAC address of the host is learned and recorded: Total MAC Addresses becomes 1, while Configured MAC Addresses stays 0 because the entry was learned dynamically rather than configured. The status becomes Secure-up.

Switch#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 18a9.05e7.a35c:1
Security Violation Count   : 0

We can use switchport port-security mac-address <MAC> to add a MAC address manually. From then on, only a host with that MAC address can connect to this port. If the same address has already been learned dynamically, the command is rejected with a duplicate error; shut the port down first, which clears the dynamically learned entry, then add the static entry and bring the port back up.

Switch(config-if)#switchport port-security mac-address 18a9.05e7.a35c
Found duplicate mac-address 18a9.05e7.a35c.
Switch(config-if)#shutdown
Switch(config-if)#
*Mar  1 00:18:00.989: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar  1 00:18:01.996: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Switch(config-if)#switchport port-security mac-address 18a9.05e7.a35c
Switch(config-if)#no shutdown
Switch(config-if)#
*Mar  1 00:18:13.320: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar  1 00:18:14.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Check the status again.

Switch#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 18a9.05e7.a35c:1
Security Violation Count   : 0

If another host is connected to the port, the switch sees a source MAC address that does not match the configured one, counts a security violation, and puts the port into Error Disable (err-disabled) state because the violation mode is Shutdown. The offending MAC address is reported in the syslog message and shown as the Last Source Address.

Switch#
*Mar  1 00:19:23.013: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar  1 00:19:24.019: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
*Mar  1 00:19:24.967: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar  1 00:19:24.967: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.05e7.5d70 on port FastEthernet0/1.
Switch#
Switch#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 18a9.05e7.5d70:1
Security Violation Count   : 1

Switch#show interfaces fastEthernet 0/1 | include down
FastEthernet0/1 is down, line protocol is down (err-disabled)
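The following is an added example, not code from the original page: a small Python parser for the show port-security interface output and the violation syslog lines shown above. It turns the text into structured fields, pulls the offending MAC and port out of the %PORT_SECURITY and %PM-4-ERR_DISABLE messages, and reports whether the port is err-disabled. Only the text formats shown on the page are assumed; the sample inputs in the block are constructed from them.

```python
"""Added example (not part of the original page): parse 'show port-security
interface' output and port-security syslog lines, then summarize the port.
Only the text formats shown on the page are assumed; inputs are constructed."""
import re

# Constructed sample: the err-disabled state after the second host was plugged in.
SHOW_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 18a9.05e7.5d70:1
Security Violation Count   : 1
"""

# Constructed sample syslog lines in the format the switch printed above.
SYSLOG = """\
*Mar  1 00:19:24.967: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar  1 00:19:24.967: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.05e7.5d70 on port FastEthernet0/1.
"""

# 'Key   : value'. The lazy key group stops at the first run of spaces before a
# colon, so 'Last Source Address:Vlan' (no space before its colon) stays whole.
_KV = re.compile(r"^(\S.*?)\s+:\s*(.*?)\s*$")
_INT_FIELDS = {"Maximum MAC Addresses", "Total MAC Addresses",
               "Configured MAC Addresses", "Sticky MAC Addresses",
               "Security Violation Count"}
_VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address (\S+) on port (\S+?)\.?$")
# Note the short interface name (Fa0/1) in this message versus the long one above.
_ERRDISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")


def parse_show_port_security(text):
    """Return {field: value}; counters become ints, Last Source is split."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in _INT_FIELDS:
            fields[key] = int(value)
        elif key == "Last Source Address:Vlan":
            mac, _, vlan = value.rpartition(":")
            # 0000.0000.0000 means no frame has been seen on the port yet.
            fields["Last Source Address"] = None if mac == "0000.0000.0000" else mac
            fields["Last Source Vlan"] = int(vlan)
        else:
            fields[key] = value
    return fields


def parse_violation_events(syslog):
    """Extract (kind, port, detail) tuples from port-security syslog lines."""
    events = []
    for line in syslog.splitlines():
        m = _VIOLATION.search(line)
        if m:
            events.append(("violation", m.group(2), m.group(1)))  # detail = MAC
            continue
        m = _ERRDISABLE.search(line)
        if m:
            events.append(("err-disable", m.group(2), m.group(1)))  # detail = cause
    return events


def summarize(show_text, syslog):
    """Combine both sources into one view of the port's port-security state."""
    f = parse_show_port_security(show_text)
    events = parse_violation_events(syslog)
    err_disabled = f["Port Status"] == "Secure-shutdown"
    return {
        "status": f["Port Status"],
        "violation_mode": f["Violation Mode"],
        "err_disabled": err_disabled,
        "violations": f["Security Violation Count"],
        "last_mac": f["Last Source Address"],
        "offending_macs": sorted({mac for kind, _, mac in events if kind == "violation"}),
        # With violation mode Shutdown the port stays down until an admin bounces
        # it (shutdown / no shutdown) or errdisable recovery is configured.
        "needs_bounce": err_disabled and f["Violation Mode"] == "Shutdown",
    }


if __name__ == "__main__":
    for k, v in summarize(SHOW_OUTPUT, SYSLOG).items():
        print(f"{k:15} {v}")
```

The same parser runs over the Secure-up outputs earlier on the page; there the Last Source Address is the authorized host and no violation events are found.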

If you confirm that this second host is authorized, raise the port security maximum to 2 and add the new MAC address. A shutdown followed by no shutdown clears the err-disabled state. Then both hosts are allowed to connect to the network.

Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address 18a9.05e7.5d70
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Switch(config-if)#end
Switch#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 18a9.05e7.5d70:1
Security Violation Count   : 0

But entering MAC addresses manually one by one is tedious. We can use the sticky option to let the port record learned MAC addresses automatically, up to the configured maximum.

interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky

When a host is connected to the port, its MAC address is automatically added to the running configuration as a sticky entry. Save the configuration (copy running-config startup-config) if the entries must survive a reload. Note that sticky learning trusts whichever hosts connect first, so enable it only while known hosts are attached.

interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 18a9.05e7.5d70 vlan access
 switchport port-security mac-address sticky 18a9.05e7.a35c vlan access

The sticky record stays in the configuration even when the host is turned off or unplugged. If we want the switch to clear learned addresses and learn them again after some time, use switchport port-security aging type <type> and switchport port-security aging time <time>. Aging applies to dynamically learned secure addresses (and to static ones only if switchport port-security aging static is configured); sticky addresses are not aged.

Switch(config-if)#switchport port-security aging type ?
  absolute    Absolute aging (default)
  inactivity  Aging based on inactivity time period

absolute

Clear the records once the aging time has elapsed, whether the hosts are still connected or not. This is the default type.

inactivity

Clear a record only after its host has been inactive (no traffic) for the aging time. The aging time is entered in minutes, as the show output (Aging Time : 0 mins) indicates, so the example below ages out addresses after 600 minutes, i.e. 10 hours.

Switch(config-if)#switchport port-security aging type inactivity
Switch(config-if)#switchport port-security aging time 600

If the switch err-disables the port every time someone plugs an unauthorized device into the network, the network administrator will be kept busy, because once a port is err-disabled a shutdown followed by no shutdown is needed to bring it back. There are other options besides err-disable:

Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

Protect

Drop frames from the unauthorized host silently. The Security Violation Count is not incremented and no syslog message is generated, so violations in this mode are invisible unless the port is monitored by other means.

Restrict

Drop frames from the unauthorized host, increment the Security Violation Count, and log the event (syslog and, if configured, an SNMP trap). The port stays up.

Shutdown

Put the port into err-disabled state, which also logs the event. This is the default setting.

We can also tell the switch to recover an err-disabled port automatically after some time. The recovery interval is in seconds (300 by default). If the offending host is still attached when the port comes back up, the violation repeats and the port is disabled again.

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600
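As an added example (not from the original page), the Python audit below reads a saved running-config and checks the settings discussed in this section: that access ports have port security enabled, that no port uses the silent protect mode, that ports relying only on dynamically learned addresses are pointed out, and that errdisable recovery for psecure-violation is configured globally. The config excerpt is constructed from the commands on this page, and the rules it applies are this example's own policy, not a Cisco recommendation.

```python
"""Added example (not part of the original page): audit a Catalyst running-config
for the port-security settings discussed above. The config text is constructed
from the page's own commands; the findings policy is this example's own."""

# Constructed running-config excerpt. Fa0/1 is the sticky port from the page,
# Fa0/2 uses the silent protect mode, Fa0/3 has no port security, Gi0/1 is a trunk.
RUNNING_CONFIG = """\
!
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 18a9.05e7.5d70 vlan access
 switchport port-security mac-address sticky 18a9.05e7.a35c vlan access
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented lines]}; global lines go under key None."""
    stanzas = {None: []}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the stanza
            stanzas[None].append(line.strip())
    return stanzas


def port_security_settings(lines):
    """Interpret the port-security commands of one interface, with IOS defaults."""
    s = {"enabled": False, "mode": None, "violation": "shutdown", "maximum": 1,
         "sticky": False, "static_macs": [], "sticky_macs": [],
         "aging_time": 0, "aging_type": "absolute"}
    for l in lines:
        w = l.split()
        if l == "switchport port-security":
            s["enabled"] = True
        elif l.startswith("switchport mode "):
            s["mode"] = w[-1]
        elif l.startswith("switchport port-security violation "):
            s["violation"] = w[-1]
        elif l.startswith("switchport port-security maximum "):
            s["maximum"] = int(w[3])
        elif l == "switchport port-security mac-address sticky":
            s["sticky"] = True
        elif l.startswith("switchport port-security mac-address sticky "):
            s["sticky_macs"].append(w[4])   # learned sticky entry
        elif l.startswith("switchport port-security mac-address "):
            s["static_macs"].append(w[3])   # manually configured entry
        elif l.startswith("switchport port-security aging time "):
            s["aging_time"] = int(w[-1])    # minutes
        elif l.startswith("switchport port-security aging type "):
            s["aging_type"] = w[-1]
    return s


def audit(config):
    """Return a list of (interface or 'global', finding) tuples."""
    stanzas = parse_interfaces(config)
    global_lines = stanzas.pop(None)
    findings = []
    for name, lines in stanzas.items():
        s = port_security_settings(lines)
        if s["mode"] != "access":
            continue                        # this policy only covers access ports
        if not s["enabled"]:
            findings.append((name, "port security not enabled on access port"))
            continue
        if s["violation"] == "protect":
            findings.append((name, "violation mode protect drops frames silently: no log, no counter"))
        if not s["sticky"] and not s["static_macs"]:
            findings.append((name, "only dynamically learned addresses: entries are lost on link down or reload"))
    if "errdisable recovery cause psecure-violation" not in global_lines:
        findings.append(("global", "no errdisable recovery for psecure-violation: err-disabled ports stay down until bounced"))
    return findings


if __name__ == "__main__":
    for where, what in audit(RUNNING_CONFIG):
        print(f"{where:20} {what}")
```

Running the script on the constructed config flags only FastEthernet0/2 (protect mode, dynamic addresses only) and FastEthernet0/3 (no port security); the sticky port and the trunk produce no findings, and the global errdisable recovery check passes.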