Advanced Port-Security

Port-Security is one of those features that goes with you through your career as a Cisco network engineer from CCENT all the way up through the CCIE. Of course, at each level of expertise, you uncover a little bit more about this particular feature. In this article we will examine port-security and all the various features that go with it.  Originally, I wanted this article to be quite basic, but things just kept building up and it has become quite an advanced article more suited to a CCNP or CCIE candidate.

Introduction To Port-security

Port-security is a layer 2 security feature on switches that gives us a little more control over what is allowed to connect to our switch ports from a layer 2 perspective.  This feature allows us to secure a switch to a certain degree by limiting the number of MAC addresses seen on individual switch ports as well as limiting the specific MAC addresses allowed on individual switch ports. The feature is useful for many things including mitigating a CAM table overflow attack, enforcing a policy of not allowing rogue hubs and switches to be connected to your network, and generally just for having more control over what specifically is connecting to your network edge.

When you configure port-security, you are configuring ports as secure ports. Secure ports are defined by two fundamental things: secure MAC addresses and the maximum number of secure addresses a port may hold at any given time. There is also aging, but that is disabled by default; we'll talk about aging later on in this article. The secure MAC addresses are either manually defined or dynamically learned by the switch. Once the port is configured for port-security and the maximum number of secure MAC addresses has been reached, the switch treats incoming frames differently than it normally would. When the switch receives a frame, it checks the source MAC address against the secure MAC table. If the source MAC is in the secure table, the switch processes the frame normally. If the source MAC is not in the table (and there is no room left to learn it), a security violation occurs and one of several things can happen depending on your configuration.

Defining Secure Ports

As I said in the introduction, configuring port-security basically comes down to configuring secure ports which includes defining or learning secure MAC addresses and defining how many secure MAC addresses you will allow on a port.

First, let’s look at defining the maximum number of secure MAC addresses on the port. To define the maximum number of secure addresses allowed on the port you use the switchport port-security maximum command on the interface. The default is 1 secure MAC address.

Once we have instructed the switch how many secure MACs we want to allow, we need to tell the switch which MAC addresses will be secured.  There are three different types of secure addresses and each one works a little differently.

  • Static – With statically defined secure MAC addresses we actually hard code into the switch port configuration a specific MAC address or MAC addresses that will be considered secure with the switchport port-security mac-address command.  When you enter this command, the static entry is put into the secure address table and you will also see the command in your running configuration.  If you save your configuration to startup-config, the command will be in the switch configuration after you reload.
  • Dynamic – Dynamic secure addresses are learned by your switch automatically. Basically, the switch looks at the source MAC addresses of incoming frames and adds them to the secure table up to the maximum number of addresses you have defined. The catch is that these addresses are only put into the secure address table; they are not saved in either the running or the startup configuration. When you reload the switch (or the port goes down), it loses this information and has to relearn the addresses. Dynamic learning is the default once you enable port-security with the switchport port-security command.
  • Sticky – Sticky secure addresses are sort of the best of both worlds. The switch learns MAC addresses automatically, just like dynamic learning, but once it learns them it hard codes those MAC addresses into the port configuration. Once you save your running-configuration to startup-configuration those hard coded addresses survive a reload. This avoids having the switch relearn MAC addresses after a reload and at the same time avoids you having to type in each MAC address manually. It is the lazy man's static secure configuration. This feature can be a little confusing because you enable it with the switchport port-security mac-address sticky command, but after the switch dynamically learns a MAC address it adds a second line to your running-configuration that looks like this: switchport port-security mac-address sticky hhhh.hhhh.hhhh, where hhhh.hhhh.hhhh is the MAC address it learned.

Port-Security Violations

Once we have defined how many secure MAC addresses we want on a port at any one time, and we have defined what those addresses are via static, dynamic or sticky configuration, we need to decide what happens when the policy is violated. The action is set with the switchport port-security violation command, and there are three options:

  • Protect – Once the maximum number of MAC addresses has been hit, any frames from unsecured MAC addresses are simply dropped. Nothing is logged and the violation counter does not move, so this mode is easy to miss operationally.
  • Restrict – This mode is very similar to protect, but with three notable differences: a syslog message is logged, an SNMP trap is sent, and the violation counter in the show port-security interface output increases. The port stays up and the secure addresses keep working.
  • Shutdown – The default action. The port goes to err-disabled state and is effectively shut down (and, as with restrict, the event is logged, trapped and counted). It stays down until someone does a shutdown / no shutdown on the interface or errdisable recovery brings it back.
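To make the interaction between the maximum, the three secure-address types described under Defining Secure Ports, and the three violation modes concrete, here is a small Python model of a single secure port. It is an added example, not IOS code and not from the original article: the class and method names, the return values 'forward' / 'drop' / 'err-disable' and the shut_no_shut helper are my own, the syslog strings copy the message formats a Catalyst prints, and the running_config ordering only approximates what show run would print.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One secure access port in a single VLAN (toy model, not IOS code)."""
    name: str
    maximum: int = 1               # switchport port-security maximum (default 1)
    violation: str = "shutdown"    # protect | restrict | shutdown (default)
    sticky: bool = False           # switchport port-security mac-address sticky
    table: dict = field(default_factory=dict)   # mac -> secure-address type
    violations: int = 0            # "Security Violation Count"
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: hard-code a secure address."""
        if mac not in self.table and len(self.table) >= self.maximum:
            raise ValueError("secure addresses would exceed maximum")  # IOS refuses the command
        self.table[mac] = "SecureConfigured"

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame. Returns 'forward', 'drop' or 'err-disable'."""
        if self.err_disabled:
            return "drop"                       # port is down; nothing passes
        if src_mac in self.table:
            return "forward"                    # known secure address
        if len(self.table) < self.maximum:
            # Room left: learn it. Sticky entries also land in running-config.
            self.table[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forward"
        return self._violate(src_mac)

    def _violate(self, mac: str) -> str:
        if self.violation == "protect":
            return "drop"                       # silent: no log, no trap, no counter
        self.violations += 1                    # restrict and shutdown both count
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {mac} on port {self.name}.")
        if self.violation == "restrict":
            return "drop"                       # offender dropped, port stays up
        self.err_disabled = True                # shutdown: the whole port goes down
        self.syslog.append(
            f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
            f"putting {self.name} in err-disable state")
        return "err-disable"

    def shut_no_shut(self) -> None:
        """Manual recovery (or a link flap): dynamic entries are flushed, static and sticky stay."""
        self.table = {m: k for m, k in self.table.items() if k != "SecureDynamic"}
        self.err_disabled = False

    def running_config(self) -> list:
        """Interface lines, roughly in the order IOS prints them."""
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.table.items():
            if kind == "SecureConfigured":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "SecureSticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
            # SecureDynamic entries live only in the secure address table
        return lines


def demo() -> dict:
    """Replay the article's scenario: R1 (0019.e721.84da) on Fa0/1, then a forged MAC."""
    r1, fake = "0019.e721.84da", "1011.1111.1111"
    shut = SecurePort("FastEthernet0/1")                  # defaults: max 1, shutdown
    out = {"learn_r1": shut.receive(r1), "fake_on_shutdown": shut.receive(fake),
           "shutdown_count": shut.violations}
    rest = SecurePort("FastEthernet0/2", violation="restrict")
    rest.receive(r1)
    out["fake_on_restrict"] = rest.receive(fake)          # dropped, logged, counted
    out["restrict_count"] = rest.violations
    out["r1_still_ok"] = rest.receive(r1)                 # secure host unaffected
    prot = SecurePort("FastEthernet0/3", violation="protect")
    prot.receive(r1)
    out["fake_on_protect"] = prot.receive(fake)
    out["protect_count"] = prot.violations                # stays 0: protect is silent
    stk = SecurePort("FastEthernet0/4", sticky=True)
    stk.receive(fake)
    out["sticky_cfg"] = stk.running_config()
    stk.shut_no_shut()                                    # sticky survives the flap...
    out["after_flap"] = stk.receive(r1)                   # ...so R1's real MAC now violates
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last four lines of demo() are the trap the article warns about under sticky: after the port learns the forged MAC as sticky, bouncing the port does not clear it, so the real host is the one that triggers the violation.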

Examples

For our examples, we will be using a Catalyst 3560.  We have a router called R1 connected to Fa0/1 on our switch.

Let's start basic. We'll just turn on port-security in its most basic form on Fa0/1 and see what happens.

Cat1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cat1(config)#int fa0/1
Cat1(config-if)#switchport mode access
Cat1(config-if)#switchport port-security
Cat1(config-if)#no shutdown
Cat1(config-if)#end

Cat1#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0019.e721.84da:1
Security Violation Count   : 0

The switchport port-security command did two things for us: it enabled port-security with the default parameters (a maximum secure MAC count of 1 and the shutdown violation mode) and it started learning secure MAC addresses dynamically. We can see from the show port-security output that the maximum is 1 MAC address and that we have learned 1 MAC address dynamically from R1. Since we have not exceeded the limit of 1 MAC address, the port is in the secure-up state.

Here are a few other useful commands to look at when verifying port-security.

Cat1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

Cat1#show port-security address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
   1    0019.e721.84da    SecureDynamic            Fa0/1        -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

Notice that the type is SecureDynamic since we dynamically learned that MAC address. Since we are using the default of dynamic learning, we will not see anything added to the running-configuration on the port involving the MAC addresses.

Let's try statically defined MAC addresses.

interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0019.e721.84da

Cat1(config-if)#do show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0019.e721.84da:1
Security Violation Count   : 0

Since we have a maximum of 1 secure address and we have statically defined that secure address, any other address seen on the port will result in a violation. The default violation is shutdown. Let’s test this. We will manually change the MAC address of R1 to something else and bring the port online.

R1(config)#int fa0/0
R1(config-if)#shutdown
R1(config-if)#mac-address 1011.1111.1111
R1(config-if)#no shutdown

Almost immediately on Cat1 we will see the following:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1011.1111.1111 on port FastEthernet0/1.
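Those two messages are what a SOC actually sees, and they are worth more than a single alert. The following Python, added here as an example rather than taken from the article, parses them out of a constructed syslog sample, normalises the two interface spellings (the violation message says FastEthernet0/1 while the err-disable message says Fa0/1), and flags ports that saw several distinct offending MACs, the pattern you would expect from a rogue hub or switch or a CAM-table flood rather than a single replaced host. The timestamps, the Fa0/7 burst and the 0200.4c4f.4f5x MACs are made up, and flood_threshold is an arbitrary starting point.

```python
import re
from collections import defaultdict

# Constructed sample syslog in the message formats shown above (timestamps and
# the Fa0/7 burst are invented for this example).
SAMPLE_SYSLOG = """\
Mar  1 10:02:11.301: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1011.1111.1111 on port FastEthernet0/1.
Mar  1 10:02:11.305: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Mar  1 10:05:40.117: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.4c4f.4f50 on port FastEthernet0/7.
Mar  1 10:05:40.902: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.4c4f.4f51 on port FastEthernet0/7.
Mar  1 10:05:41.488: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.4c4f.4f52 on port FastEthernet0/7.
Mar  1 10:05:42.010: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.4c4f.4f50 on port FastEthernet0/7.
Mar  1 10:09:03.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")

# The two messages name the same port differently, so normalise before correlating.
_SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


def short_ifname(name: str) -> str:
    """FastEthernet0/1 -> Fa0/1; names already short (or unknown) pass through."""
    for long, short in _SHORT.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_events(text: str) -> list:
    """Turn raw syslog text into (kind, port, mac) tuples; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append(("violation", short_ifname(m.group(2)), m.group(1)))
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            events.append(("err-disable", short_ifname(m.group(1)), None))
    return events


def triage(events: list, flood_threshold: int = 3) -> dict:
    """Per-port summary.

    One offending MAC followed by err-disable is the article's scenario (a host
    was swapped or spoofed).  Many distinct offending MACs on a port that stays
    up (restrict mode) looks like a hub/switch behind the port or a CAM-overflow
    style flood, so it gets its own flag.
    """
    macs, errdis = defaultdict(set), set()
    for kind, port, mac in events:
        if kind == "violation":
            macs[port].add(mac)
        else:
            errdis.add(port)
    report = {}
    for port in set(macs) | errdis:
        n = len(macs[port])
        report[port] = {
            "distinct_macs": n,
            "err_disabled": port in errdis,
            "suspect_flood": n >= flood_threshold,
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(triage(parse_events(SAMPLE_SYSLOG)).items()):
        print(port, info)
```

In a real deployment you would feed this the switch's syslog stream (or poll show port-security, whose violation counter tells you the same thing per port) and tune flood_threshold to how many hosts legitimately sit behind a port.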

Let's modify things. We will change the maximum MAC addresses to two and bounce the port. We will then have our statically defined MAC and the switch will dynamically learn our "fake" MAC.

Cat1(config-if)#int fa0/1
Cat1(config-if)#switchport port-security maximum 2
Cat1(config-if)#shut
Cat1(config-if)#no shut

Notice in the below verification that one out of our two addresses is statically defined and the other is dynamically learned.

Cat1(config-if)#do sh port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 1011.1111.1111:1
Security Violation Count   : 0

Cat1(config-if)#do sh port-security address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
   1    0019.e721.84da    SecureConfigured         Fa0/1        -
   1    1011.1111.1111    SecureDynamic            Fa0/1        -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

OK, let’s test the sticky functionality. We will reset the port to allow a single MAC address, and we will remove our static definition. Then, we will enable sticky learning.

Cat1(config-if)#int fa0/1
Cat1(config-if)#no switchport port-security mac-address 0019.e721.84da
Cat1(config-if)#switchport port-security maximum 1
Cat1(config-if)#switchport port-security mac-address sticky

Cat1(config-if)#do sh port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 1011.1111.1111:1
Security Violation Count   : 0

Cat1(config-if)#do sh run int fa0/1
Building configuration...

Current configuration : 212 bytes
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1011.1111.1111
 spanning-tree portfast

Notice how the switch actually added a line to my interface configuration with the MAC address it learned. Now, if I save my config and reload, that line will still be there and the switch will not have to relearn the MAC address 1011.1111.1111. This comes with a price though: sticky MAC addresses never age out of the secure address table regardless of your aging time configuration! That means if we shut down our port, remove the "fake" MAC on R1 and bring the port back up, we can expect a port-security violation and a port shutdown. Since the sticky learned MAC will not age out, our maximum of 1 MAC is already met and will never change without manual intervention. More on aging below.

Aging Timers

We can configure aging so that our secure MAC addresses eventually age out of the secure address table. Aging is disabled altogether by default. There are a few different things to keep in mind when you configure aging.

  • We can age secure MAC addresses out of the secure table based on a few different criteria. First, we set the aging time in minutes with the switchport port-security aging time command; a time of 0 (the default) means aging is off.
  • If we want them to age out after they have been inactive for the aging time, we use the switchport port-security aging type inactive command.
  • If we want them to age out after a fixed amount of time since they were learned, regardless of whether the port is in use, we use the switchport port-security aging type absolute command. Once you have enabled aging, this is the default type.
  • Aging as explained above has no effect on statically configured secure addresses unless you have also configured the switchport port-security aging static command. After adding that command your statically defined MAC will age out after the aging time, and the static definition is actually removed from your running configuration! Without that extra command, the aging configuration only affects dynamically learned secure addresses (and not sticky!).
  • Aging configuration has no effect whatsoever on sticky secure addresses in any situation. Ever. This is quite interesting, because if a switch port learns a secure address via sticky, that port is stuck with that secure MAC address forever after you write your configuration unless you manually clear it with the clear port-security sticky command (or remove the sticky line from the interface configuration). If you are using port-security in an environment where devices are mobile, sticky probably is not the best option for you.
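As an added example (mine, not the article's), the aging rules above written as a Python function over a constructed secure table: it decides which entries the switch would drop at a given minute under absolute versus inactive aging, with and without aging static, and treats sticky entries as never aged, as the article states. The minute-based timestamps, the three sample entries and the demo() helper are made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class SecureEntry:
    mac: str
    kind: str          # SecureConfigured | SecureDynamic | SecureSticky
    learned_at: int    # minute the entry was added to the secure table
    last_seen: int     # minute of the last frame from this MAC


def expires(e: SecureEntry, now: int, aging_time: int,
            aging_type: str = "absolute", aging_static: bool = False) -> bool:
    """Would port-security aging remove this entry at minute `now`?

    aging_time   -- switchport port-security aging time <mins>; 0 = aging off (default)
    aging_type   -- 'absolute' (default once aging is on) or 'inactive'
    aging_static -- switchport port-security aging static
    """
    if aging_time == 0:
        return False                              # aging disabled: nothing ever ages
    if e.kind == "SecureSticky":
        return False                              # sticky entries are never aged
    if e.kind == "SecureConfigured" and not aging_static:
        return False                              # static entries age only with 'aging static'
    if aging_type == "inactive":
        return now - e.last_seen >= aging_time    # idle for the whole interval
    return now - e.learned_at >= aging_time       # absolute: time since learning, traffic or not


def age_table(table: list, now: int, aging_time: int,
              aging_type: str = "absolute", aging_static: bool = False):
    """Split the table into (kept, removed).

    A removed dynamic entry is simply relearned on the next frame if the port
    still has room; a removed static entry also loses its running-config line.
    """
    kept = [e for e in table if not expires(e, now, aging_time, aging_type, aging_static)]
    removed = [e for e in table if e not in kept]
    return kept, removed


# Constructed table: one entry of each type, all learned at minute 0.
# Only the static host (R1) is still sending frames.
TABLE = [
    SecureEntry("0019.e721.84da", "SecureConfigured", learned_at=0, last_seen=9),
    SecureEntry("1011.1111.1111", "SecureDynamic", learned_at=0, last_seen=2),
    SecureEntry("0200.4c4f.4f50", "SecureSticky", learned_at=0, last_seen=0),
]


def demo(now: int = 10, aging_time: int = 5) -> dict:
    """Which MACs are gone at minute `now` under each aging configuration?"""
    def gone(**kw):
        return sorted(e.mac for e in age_table(TABLE, now, aging_time, **kw)[1])
    return {
        "disabled": sorted(e.mac for e in age_table(TABLE, now, 0)[1]),
        "absolute": gone(),
        "absolute+static": gone(aging_static=True),
        "inactive": gone(aging_type="inactive"),
        "inactive+static": gone(aging_type="inactive", aging_static=True),
    }


if __name__ == "__main__":
    for cfg, macs in demo().items():
        print(f"{cfg:16s} removed: {macs}")
```

The inactive+static row is the interesting one: the static entry for R1 survives because R1 is still talking, while under absolute+static it is removed at minute 5 no matter what, and its static line would disappear from the running configuration with it.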

Automatic Recovery

If your switch port goes into err-disabled state due to a port-security shutdown violation, the only way to recover the port manually is to log in and do a shutdown / no shutdown on the interface. This can become quite tedious in a large network. You can automate this with the following configuration in global config mode: you tell the switch that a port-security violation is a cause it may recover from, and you set the recovery interval in seconds (300 here as an example). Keep in mind that if the offending device is still attached, the port will simply be err-disabled again after it recovers.

errdisable recovery cause psecure-violation
errdisable recovery interval 300

6 Comments

  • Murray says:

    Hi Joe, your article was very useful, especially the automatic recovery part! I really enjoyed that and in addition to that aging timers. I am studying CCNA right now and I tried to understand aging timers but no luck! We have a Cisco 2960G switch here for exercises. I tried to age out dynamic addresses. How can I really test aging out? I mean by using switchport port-security addresses it shows me that remaining age is less than 1 minute but it seems it never ages out, and the port stays up! And 1 more thing, when I use dynamic MAC learning, shouldn't it shut down different MACs when aging is disabled? Both scenarios are not working here, please describe more about dynamic records and aging timers, I saw the video on YouTube but it described it like here, nothing more. Thanks

    • Joe Astorino says:

      Hi Murray. You are probably just not catching the aging out happening at the exact right moment. When the MAC address ages out of the secure MAC table the port doesn’t get shut down, the MAC address is just removed from the table for a second and the next time the port sees a frame, it is relearned and put back into the table. If you are doing “show port-security interface” fast enough you can see it. You will see the number of “Total MAC Addresses” decrement to 0 for a second.

      Regarding dynamic learning — If the port has aging disabled and is learning MAC addresses dynamically, the switch should shut down your port when it sees more than the maximum number of MAC addresses allowed AT THE SAME TIME. Let’s say your maximum is the default of 1 MAC address. If the port sees more than 1 MAC on the port, the port will be shut down. HOWEVER, what you are probably running into is the fact that when you unplug one device, even with aging disabled, the MAC address is removed from the secure mac table. For example, let’s say you have PC-A plugged in with MAC address aaaa.aaaa.aaaa. You have dynamic learning enabled with a max number of MAC addresses set to 1. When you plug in PC-A and it sends a frame, the port learns MAC aaaa.aaaa.aaaa and puts it into the secure MAC table. If you UNPLUG PC-A, the MAC aaaa.aaaa.aaaa is REMOVED from that table. You can see that with “show port-security interface” after you unplug it. If you then plug in PC-B with MAC bbbb.bbbb.bbbb the count of secure MAC addresses at that moment is 0 so it learns the MAC of PC-B and puts that into the secure MAC table.

      I hope that helps!

  • arif datau says:

    Hi Joe, I'm kind of enjoying your presentations on YouTube and I found your blog fascinating. I'd like to compare the number of people that teach for Cisco certification and I've got to admit that you have an outstanding teaching technique. To prove that, usually I doze off watching them but not your presentation. Currently, I study QoS and configuring HSRP for voice and data VLANs as well as layer 2 protection and redundancy. I noticed that you left off about a year ago and haven't continued uploading new videos on YouTube. If you ever feel like uploading a new video, please show me your masterpiece on QoS, HSRP for voice and data, and IPv6. Thanks Joe

  • vipin viswanathan says:

    Good explanation. I am studying for CCNA. I have one doubt. After enabling port security (or its variants), I found something interesting. When I run the command show mac address it shows static for addresses which it learned dynamically. Can you explain why it is showing the word static? Does it mean that it won't change over time?
    Thanks

  • Avil says:

    Hello,
    If I define sticky MAC address on port 1/1 and if I would like to replace the PC on that port, what are the steps needed to redefine the sticky MAC on that port?
