Port Security


It is a feature in Cisco Switches that allows a switch to take an action if the Source MAC Address of a frame is not in the Secure MAC Address Table of that interface when Port Security is enabled.

By default, when port-security is enabled, it has:

  • Maximum of 1 MAC Address on that interface
  • Violation Mode as Shutdown
  • Aging time set to 0
  • Aging type set to Absolute
  • Violation count set to 0

The MAC Addresses can be learned dynamically or set manually. By DEFAULT the two types (Static and Dynamic) are treated differently. For example:

  • Dynamically learned addresses are cleared after a shutdown
  • Dynamically learned addresses are cleared after aging time (if set)

💡
NOTE: Port Security can be avoided with MAC Address spoofing!
🚨
IMPORTANT: Static MAC Addresses can also age and be removed automatically, but not by default. There are also Sticky MAC Addresses: dynamically learned MAC Addresses that are turned into sticky ones. This is not the default behaviour either and also needs to be configured.
🚨
IMPORTANT: To enable Port Security on an interface, it must be either static access or trunk. Therefore, no dynamic auto or dynamic desirable.

Violation Modes

There are three violation modes that can be set, so the switch will take different actions when it receives an unauthorized frame.

Shutdown (default)

This mode is set by default when the feature is enabled; it has the following characteristics:

💡
IMPORTANT: Shutting down the interface will make it flush the dynamically learned MAC addresses, unless they are sticky ones.

Restrict

Protect

How to re-enable an err-disabled interface?

Option #1 - Manually
  1. Unplug the unauthorized device
  2. Issue shutdown and then no shutdown on the interface in the CLI
Option #2 - err-disable recovery

This is a useful feature that doesn't apply only to Port-Security: it applies to all events that trigger err-disable, and it can be configured per cause.

configure terminal
errdisable recovery cause psecurity-violation
errdisable recovery interval {seconds} //Optional, sets the time it takes to re-enable the interface
💡
NOTE: The default Timer is 300 seconds (5 minutes) to re-enable the interface.

Configure

Enable/Disable Port Security

configure terminal
interface {interface-id}
[no] switchport port-security

Set a Static Secure MAC Address

It manually specifies a secured MAC address. By default, they will:

  • NOT be cleared after shutdown
  • NOT Age

interface g0/0  //EXAMPLE
switchport port-security mac-address {mac}

Make a Static MAC Address Age

This makes the aging timer also apply to Static addresses.

interface g0/0
switchport port-security aging static

Set Aging Time

This feature removes a Secure Dynamically learned MAC Address, or a Secure Static MAC Address (IF static aging is CONFIGURED), after a given time in minutes.

interface g0/0
switchport port-security aging time {minutes}

Set Aging Type

There are two types of Aging Time:

  • Absolute: The timer will not reset and will count uninterruptedly until it reaches 0, like a normal Timer.
  • Inactivity: Every time the switch receives an authorized frame on that interface, it will reset the timer to its configured value.

interface g0/0
switchport port-security aging type {absolute | inactivity}

Sticky MAC Addresses

This feature allows Dynamically learned MAC addresses to be registered in the running-config. Therefore they will NOT be removed by a shutdown or by aging (yes, even static addresses can be made to age, but sticky ones do not), and they survive a reload once the running-config has been saved to the startup-config.

interface g0/0
switchport port-security mac-address sticky
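The following is added here as a worked example and is not part of the original notes: it combines the commands from the sections above into a configuration for two access ports with different needs. Interface names, MAC counts and timers are assumed values chosen for illustration.

```cisco
! Added example (not from the original notes). Interface names, counts
! and timers are assumed values.
configure terminal
!
! Port 1: fixed workstation. The learned MAC becomes sticky, so it survives
! a shutdown and, after saving the config, a reload. A violation err-disables
! the port (default shutdown mode); errdisable recovery brings it back.
 interface GigabitEthernet0/1
  switchport mode access
  switchport port-security
  switchport port-security maximum 1
  switchport port-security violation shutdown
  switchport port-security mac-address sticky
 exit
!
! Port 2: shared desk. MACs are learned dynamically and forgotten after
! 10 minutes without traffic (inactivity aging), so the next device can use
! the port without manual cleanup. Offending frames are dropped and counted
! (restrict) instead of taking the port down.
 interface GigabitEthernet0/2
  switchport mode access
  switchport port-security
  switchport port-security maximum 2
  switchport port-security violation restrict
  switchport port-security aging time 10
  switchport port-security aging type inactivity
 exit
!
! Re-enable ports err-disabled by a security violation after 600 seconds
! (the default is 300).
 errdisable recovery cause psecurity-violation
 errdisable recovery interval 600
end
!
! Persist the sticky address learned on Gi0/1 across a reload.
copy running-config startup-config
!
! Verify the result.
show port-security
show port-security interface GigabitEthernet0/1
show mac address-table secure
```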

Clear a Secured MAC Address (Privileged EXEC)

clear port-security dynamic [address {mac} | interface {interface-id}]

Show Commands

List all available interfaces with Port Security enabled

show port-security

Details for one interface

show port-security interface {interface-id}

List all Secure MAC Addresses

show mac address-table secure