Jeremy’s IT Lab lecture video: 20. Port Security
Commands
Port Security Show Commands
- show port-security --> Shows general port security information about the current configuration
- show port-security interface interface-id --> Shows the port security configuration on the specified interface
- show mac address-table secure --> Shows all configured Secure MAC addresses
- show errdisable recovery --> Shows the current err-disable recovery settings
Port Security Global Commands
ErrDisable (Port Security / DHCP Snooping / ARP Inspection)
- errdisable recovery cause cause { psecure-violation | dhcp-rate-limit | arp-inspection } --> Enables err-disable recovery for the specified cause
- errdisable recovery interval seconds --> Determines how long the switch should wait before re-enabling an err-disabled interface (if err-disable recovery for that cause is enabled)
Port Security Interface Commands
Port Security
- switchport port-security --> Enables port security on the current interface
- switchport port-security maximum maximum-mac-addresses --> Configures the maximum number of Secure MAC addresses allowed on the current port-security-enabled interface
- switchport port-security mac-address mac-address --> Manually configures an authorized port security MAC address
- switchport port-security mac-address sticky --> Enables Sticky MAC address learning
- switchport port-security mac-address sticky mac-address --> Manually adds a Sticky MAC address
- switchport port-security violation violation-mode { shutdown | restrict | protect } --> Configures the violation mode for the port-security-enabled interface
- switchport port-security aging static --> Enables aging for Secure Static MAC addresses
- switchport port-security aging time minutes --> Configures the timer for Secure MAC address aging
- switchport port-security aging type type { absolute | inactivity } --> Configures the type for Secure MAC address aging
Port Security Info
Port Security General Information
Port Security is a feature of Cisco switches that allows you to control which source MAC address(es) are allowed to enter the switchport.
- If an unauthorized source MAC address enters the port, an action will be taken.
- The default action is to place the interface in an ‘err-disabled’ state.
- When you enable port security on an interface, one MAC address is allowed by default.
- You can configure the allowed MAC address manually.
- The allowed MAC addresses can be configured manually or dynamically. A combination of both is also possible.
- If not configured manually, the switch will allow the first source MAC address that enters the interface.
- You can also change the maximum number of MAC addresses allowed.
Reasons to Use Port Security
Port Security allows network admins to control which devices are allowed to access the network.
- MAC address spoofing is simple and commonly used in attacks, so the main benefit of port security is not the MAC filter itself but the ability to limit the number of MAC addresses allowed on an interface. This limits the scale of the attacks that can be launched through that port.
General Configuration - Port Security
show port-security
- Shows general information about the current port security configuration
- Includes information like:
  - Ports that have port security enabled
  - Max Secure MAC addresses
  - Currently configured MAC addresses
  - Current security violations
  - Configured security action
  - Total addresses in the system
  - Max addresses limit in the system
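As an added example (not code from Jeremy's IT Lab or from Cisco), the script below parses the summary table that show port-security prints and turns it into the checks a defender usually wants from it: which ports have already recorded violations, which ports are in protect mode (and will therefore never raise a syslog/SNMP message), and which ports are already at their address limit. The sample output is constructed here to match the real command's column layout; the port names, counts and the flagging rules in audit() are this example's own choices.

```python
import re

# Constructed sample output of `show port-security` (layout as printed by IOS,
# values invented for this example).
SAMPLE_SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              2            2                  3         Restrict
      Gi0/3              1            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# One table row: port, max, current, violations, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")
TOTAL = re.compile(r"^Total Addresses in System.*:\s*(\d+)")
LIMIT = re.compile(r"^Max Addresses limit in System.*:\s*(\d+)")


def parse_port_security(text):
    """Return (rows, totals): one dict per secure port plus the system-wide counters."""
    rows, totals = [], {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "port": m.group(1),
                "max": int(m.group(2)),
                "current": int(m.group(3)),
                "violations": int(m.group(4)),
                "action": m.group(5).lower(),
            })
            continue
        for key, rx in (("total", TOTAL), ("limit", LIMIT)):
            m = rx.match(line)
            if m:
                totals[key] = int(m.group(1))
    return rows, totals


def audit(rows):
    """Findings worth a look: recorded violations, silent (protect) ports,
    and ports whose Secure MAC table is full (the next unknown MAC triggers
    the violation action)."""
    findings = []
    for r in rows:
        if r["violations"] > 0:
            findings.append(f"{r['port']}: {r['violations']} violation(s), action={r['action']}")
        if r["action"] == "protect":
            findings.append(f"{r['port']}: protect mode gives no syslog/SNMP on violations")
        if r["current"] >= r["max"]:
            findings.append(f"{r['port']}: Secure MAC table full ({r['current']}/{r['max']})")
    return findings


if __name__ == "__main__":
    rows, totals = parse_port_security(SAMPLE_SHOW_PORT_SECURITY)
    print(totals)
    for finding in audit(rows):
        print(finding)
```

The regex only accepts the three real violation-mode names, so header and separator lines are skipped without special casing; feeding the script the output of the command on several switches gives a quick inventory of which access ports are protected and which ones have been firing.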
show port-security interface INTERFACE-ID
- Shows port security information of the specified interface.
- Includes information such as:
  - Port security status
  - Port status
  - Aging time (for static MAC addresses)
  - Aging type (for static MAC addresses)
  - Status of Secure Static MAC address aging
  - Maximum MAC addresses allowed
  - Total MAC addresses (Dynamic and Static addresses)
  - Configured MAC addresses (Manually configured)
  - Sticky MAC addresses (Sticky Dynamic addresses)
  - Last source MAC address + VLAN
  - Security violation count
show errdisable recovery
- Shows information about the current ‘err-disable recovery’ configuration
- Includes information such as:
  - Every disabled/enabled protocol
  - Timer interval
show mac address-table secure
- Shows all configured Secure MAC addresses on the switch.
- Includes information such as:
  - VLAN
  - The Secure MAC address
  - Secure MAC address type
  - Port
switchport port-security
- Enables port security on the current interface.
- The interface must be in access or trunk mode for the command to work. If it is in dynamic mode, the switch will reject the command.
switchport port-security violation VIOLATION-MODE { SHUTDOWN | RESTRICT | PROTECT }
- Configures the violation mode for the port security enabled interface
switchport port-security mac-address sticky
- Enables ‘Sticky’ Secure MAC address learning for port-security
switchport port-security mac-address sticky MAC-ADDRESS
- Manually adds a ‘Sticky’ Secure MAC address for port-security
switchport port-security mac-address MAC-ADDRESS
- Manually configures a Secure MAC address for port security.
switchport port-security maximum MAXIMUM-MAC-ADDRESSES
- Changes the maximum number of allowed Secure MAC addresses on the port-security-enabled interface
switchport port-security aging static
- Enables aging for port security Secure Static MAC addresses
switchport port-security aging time MINUTES
- Configures the port security Secure MAC address aging time
switchport port-security aging type TYPE { ABSOLUTE | INACTIVITY }
- Configures the port security Secure MAC address aging type
Re-Enabling an Interface (Manually)
An err-disabled interface can be manually re-enabled by running the shutdown command followed by the no shutdown command.
Re-Enabling an Interface (ErrDisable Recovery)
errdisable recovery cause psecure-violation
- Enables err-disable recovery for port security violations
errdisable recovery interval SECONDS
- Determines how long the switch should wait before enabling an err-disabled interface (if the err-disable recovery for that cause is enabled)
Watch out: ErrDisable Recovery and Manual Recovery
Make sure to disconnect any unauthorized devices before enabling ErrDisable recovery or manually re-enabling disabled interfaces.
- If you manually configured the Secure MAC address and the unauthorized device is still connected, the interface will simply become err-disabled again.
- If port security is learning MAC addresses dynamically, the dynamic Secure MAC addresses are cleared when the interface is disabled; when the interface is re-enabled, the unauthorized device might be learned as the new Secure MAC address on the interface.
Port Security - Violation Modes
There are three different port security violation modes that determine what the switch will do if an unauthorized frame enters an interface configured with port security.
- Shutdown
- Discards traffic from unauthorized MAC addresses.
- Shuts down the port by putting it in an err-disabled state.
- Generates a Syslog and/or SNMP message when the interface is disabled.
- Violation counter is set to 1 when the interface is disabled. (Resets when the interface is enabled)
- Restrict
- Discards traffic from unauthorized MAC addresses.
- The interface is NOT disabled.
- Generates a Syslog and/or SNMP message each time an unauthorized MAC is detected.
- Violation counter is incremented by 1 for each unauthorized frame.
- Protect
- Discards traffic from unauthorized MAC addresses.
- The interface is NOT disabled.
- It does NOT generate Syslog/SNMP messages for unauthorized traffic.
- It does NOT increment the violation counter.
Secure MAC Address Aging
By default, Secure MAC addresses will not age out/expire (Aging Time: 0 mins).
You can enable Secure Static MAC address aging with switchport port-security aging static.
- There are two types of aging for port security:
  - Absolute
    - After the Secure MAC address is learned, the aging timer starts and the MAC is removed after the timer expires, even if the switch continues receiving frames from that source MAC address.
  - Inactivity
    - After the Secure MAC address is learned, the aging timer starts counting down but is reset every time a frame from that source MAC address is received on the interface.
- They can be configured with the switchport port-security aging type command.
- The timer can also be configured with switchport port-security aging time.
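The three violation modes, the two aging types and the "watch out" recovery case above all follow from a small set of rules about one port's Secure MAC table. The model below is an added example, not code from Jeremy's IT Lab or Cisco: the SecurePort class, its field names, the simplified one-line syslog strings and the sample MAC addresses are constructed here to illustrate those rules. The three demo functions replay them: the same four frames against shutdown, restrict and protect; a host sending every two minutes under absolute versus inactivity aging; and what an intruder that stays plugged in can do once a shut-down port is re-enabled, with a dynamic versus a manually configured Secure MAC.

```python
# Added example: model of the port-security rules in these notes (not IOS code).
from dataclasses import dataclass, field

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"
ABSOLUTE, INACTIVITY = "absolute", "inactivity"


@dataclass
class SecurePort:
    """One switchport with port security enabled; defaults mirror the IOS defaults."""
    maximum: int = 1               # switchport port-security maximum
    violation: str = SHUTDOWN      # switchport port-security violation
    aging_time: int = 0            # minutes; 0 = Secure MACs never age out
    aging_type: str = ABSOLUTE     # switchport port-security aging type
    aging_static: bool = False     # switchport port-security aging static
    sticky: bool = False           # switchport port-security mac-address sticky
    # secure MAC -> [kind, timestamp in minutes]; kind is dynamic | static | sticky
    secure: dict = field(default_factory=dict)
    learned_at: list = field(default_factory=list)   # minutes at which a MAC was learned
    err_disabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def add_static(self, mac, now=0):
        """switchport port-security mac-address MAC (manually configured Secure MAC)."""
        self.secure[mac] = ["static", now]

    def _age_out(self, now):
        """Remove expired addresses: sticky never ages, static only with 'aging static'."""
        for mac, (kind, stamp) in list(self.secure.items()):
            if self.aging_time == 0 or kind == "sticky":
                continue
            if kind == "static" and not self.aging_static:
                continue
            if now - stamp >= self.aging_time:
                del self.secure[mac]

    def receive(self, src_mac, now):
        """Frame from src_mac at minute `now`; True if forwarded, False if discarded."""
        if self.err_disabled:
            return False
        self._age_out(now)
        if src_mac in self.secure:
            if self.aging_type == INACTIVITY:   # traffic restarts the inactivity timer
                self.secure[src_mac][1] = now
            return True
        if len(self.secure) < self.maximum:      # unknown source MACs are learned until full
            self.secure[src_mac] = ["sticky" if self.sticky else "dynamic", now]
            self.learned_at.append(now)
            return True
        # Unauthorized source MAC: apply the violation mode.
        if self.violation == SHUTDOWN:
            self.err_disabled = True
            self.violation_count = 1             # set to 1, not incremented
            self.syslog.append(f"err-disabled, violation from {src_mac}")
        elif self.violation == RESTRICT:
            self.violation_count += 1            # +1 per unauthorized frame
            self.syslog.append(f"violation from {src_mac}")
        # PROTECT: dropped silently, no log, no counter
        return False

    def reenable(self):
        """shutdown / no shutdown or errdisable recovery: counter resets, dynamic MACs cleared."""
        self.err_disabled = False
        self.violation_count = 0
        self.secure = {m: v for m, v in self.secure.items() if v[0] != "dynamic"}


def demo_violation_modes():
    """Same four frames per mode -> (forwarded flags, counter, err-disabled, log count)."""
    frames = ["0000.1111.aaaa", "0000.2222.bbbb", "0000.2222.bbbb", "0000.1111.aaaa"]
    results = {}
    for mode in (SHUTDOWN, RESTRICT, PROTECT):
        port = SecurePort(maximum=1, violation=mode)
        forwarded = [port.receive(mac, now=0) for mac in frames]
        results[mode] = (forwarded, port.violation_count, port.err_disabled, len(port.syslog))
    return results


def demo_aging(aging_type):
    """Aging 5 min, one host every 2 min, a second host at minute 12 -> (learn times, second forwarded?)."""
    port = SecurePort(maximum=1, violation=RESTRICT, aging_time=5, aging_type=aging_type)
    for minute in range(0, 12, 2):
        port.receive("0000.1111.aaaa", now=minute)
    second_ok = port.receive("0000.2222.bbbb", now=12)
    return tuple(port.learned_at), second_ok


def demo_reenable(static):
    """Intruder still connected when the port comes back -> (Secure MACs, err-disabled again?)."""
    port = SecurePort(maximum=1, violation=SHUTDOWN)
    if static:
        port.add_static("0000.1111.aaaa")        # manually configured legitimate host
    else:
        port.receive("0000.1111.aaaa", now=0)   # legitimate host learned dynamically
    port.receive("0000.bad0.bad0", now=1)       # intruder -> port err-disabled
    port.reenable()                             # shutdown / no shutdown
    port.receive("0000.bad0.bad0", now=2)       # intruder talks first after recovery
    return list(port.secure), port.err_disabled
```

Under absolute aging the host is dropped at minute 6 and relearned by its next frame, so its first entry does not outlive the timer even though it never stopped talking; under inactivity aging the entry stays fresh and the second host is refused. The recovery demo shows why the notes say to unplug the offender first: with a dynamically learned address the intruder simply becomes the new Secure MAC, while with a manually configured address the port just goes err-disabled again.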
Sticky Secure MAC Addresses
Sticky Secure MAC addresses are dynamically-learned Secure MAC addresses that will be added to the running-config and will never age out.
- It can be enabled with switchport port-security mac-address sticky
- Once enabled, dynamically-learned MAC addresses will be added to the running-config like this:
switchport port-security mac-address sticky MAC-ADDRESS
- (You will need to save the running-config to make them permanent)
- When you issue the switchport port-security mac-address sticky command, all current dynamically-learned Secure MAC addresses will be converted into Sticky Secure MAC addresses.
- If you issue the no switchport port-security mac-address sticky command, all current Sticky Secure MAC addresses will be converted to regular dynamically-learned Secure MAC addresses.
MAC Address Table
Secure MAC addresses will be added to the MAC address table like any other MAC address.
- You can view all secure MAC addresses with the show mac address-table secure command.
- Sticky and Static Secure MAC addresses will have a type of STATIC.
- Dynamically-learned Secure MAC addresses will have a type of DYNAMIC.