^^^Credit to Avalon.com for this picture I found on Google Images; I just love that picture in regards to Port-Security, and I thought it was very fitting to open the section up here 🙂
Intro and Fundamentals of Port-Security
As mentioned, this information will be at the CCNA level of knowledge, so if you just passed your CCNA R/S you may want to move along to more advanced topic posts.
Port-Security is configured on a Cisco switch at the per-interface level, and each interface can use a different style of security (sticky, statically set, etc.).
Port-Security uses the source MAC address of frames arriving on a port to verify whether the device sending the traffic is trusted. If a frame is deemed not to be from a trusted source, the switch can take actions ranging from just alerting / logging the issue to shutting the port down (err-disable mode).
Trunk interfaces, or interfaces that are even capable of forming a trunk, cannot have Port-Security configured on them.
So the most basic concept of Port-Security is the switch looking at the source MAC of each incoming frame and verifying that the source MAC is trusted.
Configuring Port-Security with default parameters
To begin, you must configure Port-Security at the interface level, with the following options:
SW1(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
SW1(config-if)#switchport port-security
Before discussing the sub-commands I issued “switchport port-security” to demonstrate an important behavior of Port-Security:
SW1(config-if)#switchport port-security
Command rejected: FastEthernet1/0/1 is a dynamic port.
SW1(config-if)#
This error means the port must be one that can never become a trunk port, since Port-Security doesn’t work (and wouldn’t make sense) on a trunk port, so you will need to make it an access port before issuing “switchport port-security”:
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#
No errors were thrown, so now Fa1/0/1 has Port-Security enabled with all default values, and to know what those defaults are we’ll look at the different verification outputs.
A first look at verification commands / tables output
First a look at the options we have for “show port-security …” :
SW1#sh port ?
address Show secure address
interface Show secure interface
| Output modifiers
<cr>
“sh port” is shorthand for “show port-security”, so you will see me using that throughout the security section. Let’s review what the options above are:
- “sh port address” – This will show you what’s called the “Secure MAC Address” table
- “sh port interface FaX/X” – This will give you Port-Security info for a single interface
- “<cr>” (just “sh port” on its own) – This is an overview table that shows the basic Port-Security config of all interfaces
First a look at the <cr> or general Port-Security overview table:
SW1#sh port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa1/0/1 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#
This gives an overview of all ports configured with Port-Security and their parameters; on the far right, the “Security Action” is what will happen when the security is violated, and violations are tallied in the Security Violation (Count) column.
These are the default settings for a bare “switchport port-security” command issued on an interface, so it’s good to remember them: 1 max MAC address, violation results in shutdown, etc.
(Excuse table formatting of “sh port-security” output as it doesn’t copy / paste well)
Next we’ll review the “Secure MAC Address” table, you will issue the following:
SW1#sh port add
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 001e.f797.f14b SecureDynamic Fa1/0/1 –
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#
This shows more information: the VLAN the MAC address is in, that it was dynamically learned and is considered secure, the port it was learned on, and the Remaining Age, which is turned off by default as shown in the output.
And now a look at our last verification command (containing the most information):
SW1#sh port interface fa1/0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001e.f797.f14b:1
Security Violation Count : 0
SW1#
It shows you basically every option you can configure for Port-Security on the interface; note that “Last Source Address:Vlan” also shows the VLAN # that the last source MAC address came in on:
Last Source Address:Vlan : 001e.f797.f14b:1 <—— VLAN 1 on the very end!
So that is a great command for interface level Port-Security information, and to keep in mind for exam day, when asked which VLAN the last source MAC came in on 🙂
Changing those Default Port-Security configurations!
Maximum Secured Ports will be the first configuration to review
SW1(config-if)#switchport port ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
SW1(config-if)#switchport port maximum ?
<1-6144> Maximum addresses
SW1(config-if)#switchport port maximum 2 ?
vlan Max secure addresses per vlan
<cr>
I believe VLAN options are geared towards Private VLANs, which I have not covered yet, so I will cover that at a later date.
The default, as shown in the original verification output, is a maximum of 1 secure address. I set it here to 2, since I generally think of a phone plus a PC on the access ports in most networks I work on; however, it can be raised up to a maximum of 6144.
You will want to adjust this based on the devices hanging off the port. For example, if a hub with 3 PCs attached is plugged into the port, the maximum would need to be raised to 3 secure MAC addresses.
Violation will be the next default to review
SW1(config-if)#switchport port ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
SW1(config-if)#switchport port violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
SW1(config-if)#switchport port violation protect ?
<cr>
SW1(config-if)#switchport port violation restrict ?
<cr>
SW1(config-if)#switchport port violation shutdown ?
vlan Security violation shutdown vlan mode
<cr>
Again, shutdown has that VLAN option, which the Cisco documentation shows to be Private VLAN configuration that I will not cover here – but we do need to review these 3 modes:
- Protect – Drops the offending frames and takes no other action (no notification)
- Restrict – Drops the offending frames but also generates SNMP trap / syslog notifications; the port remains open and up
- Shutdown – The port is shut down into an “err-disable” state, which requires manual intervention (a “shut” then “no shut” on the interface) to clear; this also generates SNMP trap / syslog messages
Mac-Address sub-command options that can be reconfigured:
SW1(config-if)#switchport port mac-address ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky
This allows you to either manually enter a MAC address that is considered secure for the port, or, with the second option “sticky”, have the port dynamically learn the first MAC address(es) it sees (up to the maximum) and allow only those to use the port.
When sticky is used, the learned MAC addresses are written into the running configuration, so they are kept through a switch reload once the configuration is saved.
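To tie the maximum, the three violation modes and sticky learning together, here is a small Python model of that decision logic. It is an added example, not code from the original post or from Cisco; the port names, MAC addresses and frame sequences are constructed sample data, and the table type names mirror the ones seen in “sh port address”.

```python
# Added example, not code from the original post: a small Python model of the
# port-security behaviour described above (maximum, violation modes, sticky).
# MAC addresses and frame sequences used with it are constructed sample data.
import logging

log = logging.getLogger("port-security")
MODES = ("protect", "restrict", "shutdown")


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False, static=()):
        assert violation in MODES
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        # Secure MAC table: address -> type, like the "sh port address" output.
        self.secure = {m: "SecureConfigured" for m in static}
        self.violations = 0           # "Security Violation (Count)"
        self.status = "Secure-up"     # "Secure-shutdown" once err-disabled

    def ingress(self, src_mac):
        """Decide what happens to a frame arriving with this source MAC."""
        if self.status == "Secure-shutdown":
            return "drop"             # err-disabled port forwards nothing
        if src_mac in self.secure:
            return "forward"          # already a secure address on this port
        if len(self.secure) < self.maximum:
            # Room left in the table: learn it. Sticky marks it for the config.
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forward"
        # Unknown source MAC and the table is full: a security violation.
        if self.violation == "protect":
            return "drop"             # dropped silently: no counter, no trap
        self.violations += 1
        log.warning("%s: violation from %s", self.name, src_mac)  # SNMP trap / syslog
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"   # err-disable until shut / no shut
        return "drop"

    def reload(self, config_saved):
        """Switch reload: configured addresses always survive, sticky ones only
        if the config was saved, and plain dynamic addresses must be relearned."""
        keep = {"SecureConfigured"} | ({"SecureSticky"} if config_saved else set())
        self.secure = {m: t for m, t in self.secure.items() if t in keep}
        self.status = "Secure-up"


def run(port, frames):
    """Feed a list of source MACs through the port; return per-frame results."""
    return [port.ingress(m) for m in frames]
```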
Aging sub-command configuration:
SW1(config-if)#switchport port aging ?
static Enable aging for configured secure addresses
time Port-security aging time
type Port-security aging type
SW1(config-if)#switchport port aging static ?
<cr>
SW1(config-if)#switchport port aging time ?
<1-1440> Aging time in minutes. Enter a value between 1 and 1440
SW1(config-if)#switchport port aging time 60 ?
<cr>
SW1(config-if)#switchport port aging type ?
absolute Absolute aging (default)
inactivity Aging based on inactivity time period
SW1(config-if)#switchport port aging type inactivity ?
<cr>
To review these, bullet point style:
- Static – Enables aging for statically configured secure MAC addresses too; it relies on the “time” configuration also being set so there is an age-out time for them – probably not a great option, ever.
- Time – The timer, in minutes, that the aging sub-commands refer to; the default is 0 minutes, meaning secure MAC addresses never age out
- Type – This is where we have the default “Absolute” (age out after the configured time regardless of activity) or the other option, “Inactivity” (age out only after no traffic from that MAC for the configured time); either way the port ages out the secure MAC address based on the time set
And that will do it for the fundamentals / review of Port-Security!
I’ll get into some labs, but I just wanted to review the CCNA-level knowledge needed to move on to more advanced topics. The labbing may start out at a CCNA level as well for review, so feel free to skip on over if you just passed your CCNA!