Understanding Port Security
In this article, I will be discussing Switch Port Security. Port security is a method of securing an interface by only allowing traffic from a specific set or number of MAC addresses. If traffic from an invalid MAC is detected, it is blocked or dropped. This is a low-level form of security that can be used to prevent unwanted devices from being connected to the network. Port security works by learning a specific number of MAC addresses, as defined by the engineer. When port security is first enabled on an interface, only one MAC address can be learned by default. You can configure a maximum number of MAC addresses for the interface and even per VLAN assigned to that interface.
Learning MAC Addresses
There are three key ways a switch can be configured to learn and "secure" MAC addresses:
Static - as the name suggests, this is a MAC address that is statically configured to the interface. A static entry is only removed when an engineer removes the MAC address OR if the interface is configured as a layer 3 interface. MAC addresses can be statically configured on interfaces that have dynamic or sticky learning enabled as well.
Dynamic - with this method, the switch learns the device's MAC address once the device begins sending traffic. Dynamically learned MAC addresses do not remain in the configuration if the switch reboots or if the MAC address reaches the aging limit. The switch automatically drops a MAC address that has reached the configured age limit. This value can be set between 0 and 1440 minutes; a value of 0 disables aging altogether. There are also two configurable options that determine how a MAC address's age is measured:
Inactivity - the length of time since a packet was last received from the device.
Absolute - the default aging method; the time since the switch learned the MAC address.
Sticky - the switch learns MAC addresses in the same manner as dynamic learning; however, the MAC addresses are stored in NVRAM, allowing the configuration to remain after a reboot. It's important to point out that these MAC addresses don't appear in the running configuration. Also, when sticky learning is enabled, dynamic learning is automatically disabled, as the two function similarly.
As mentioned above, you can configure MAC address maximums based on interface or VLAN.
Interface maximum - You can configure a maximum number of MAC Addresses per interface. By default, the interface maximum is 1. This allows a high level of customization based on users’ needs.
VLAN maximum - You can configure the maximum number of secure MAC addresses per VLAN. You'll commonly see this value set with data and voice VLANs. *A VLAN maximum cannot exceed the interface maximum.
Violation Modes
Once you have configured your learning method and MAC address maximums, it's time to decide what you want the switch to do when a violation occurs.
Shutdown - This is the default mode. The switch shuts the interface down by placing it in the error-disabled (errdisable) state once a violation occurs. The interface must be manually re-enabled. An SNMP trap is sent when this occurs. You can enable auto-recovery mode on your switch, which re-enables the port after a configured time limit. If the violation still exists, the switch disables the interface again.
Restrict - Drops traffic from any nonsecure MAC addresses but allows secured MAC addresses to continue to function. The switch keeps a count of the number of dropped packets.
Protect - Functions similarly to the Restrict method but generates a Syslog message.
Guidelines and Restrictions
There are a few restrictions to keep in mind while you're configuring Port Security.
A secure port cannot be a trunk port.
A secure port cannot be a destination port for Switch Port Analyzer (SPAN).
A secure port cannot belong to an EtherChannel port-channel interface.
Please be advised that users can get around port security by connecting a mini-switch, which will appear as a single MAC address. You can use BPDU Guard to combat this.
Also, keep in mind that MAC addresses can be spoofed. While port security is a great way to control user traffic, it should not be your only line of security for your network.
Command Cheat Sheet
Port security is configured at the interface level, and the port must be set as an access port.
switchport port-security - Enables port security on the interface.
switchport port-security maximum "value" - Configures your maximum number of MAC addresses allowed for the interface. The range is 1 to 3072.
switchport port-security violation {restrict | shutdown | protect} - Configures your violation mode.
switchport port-security mac-address mac_address - Allows you to configure specific MAC addresses on the interface.
switchport port-security mac-address sticky - Enables sticky learning.
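As an added example (not from the original article), here is how these commands fit together on a Cisco IOS switch for two access ports: a desk port using sticky learning for a phone plus a PC, and a shared meeting-room port using dynamic learning with inactivity aging. Interface names, VLAN IDs and the MAC address are assumed values.

```cisco
! Global: let err-disabled ports recover after 5 minutes; the port is
! disabled again if the violation is still present when it comes back up.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Desk port: one phone (voice VLAN) plus one PC (data VLAN), sticky learning
interface GigabitEthernet1/0/10
 description Desk - PC behind IP phone (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! Interface maximum covers both VLANs; per-VLAN maximums may not exceed it
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 ! Learned addresses are kept across a reload once the config is saved
 switchport port-security mac-address sticky
 ! A static entry can coexist with sticky learning (assumed phone MAC)
 switchport port-security mac-address 0011.2233.4455 vlan voice
 ! Drop frames from unknown MACs, keep secured hosts working, count drops
 switchport port-security violation restrict
 ! A downstream switch sending BPDUs err-disables the port
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Meeting-room port: any one laptop at a time, dynamic learning with aging
interface GigabitEthernet1/0/11
 description Meeting room jack (assumed)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ! Forget a laptop after 30 idle minutes so the next one can connect
 switchport port-security aging time 30
 switchport port-security aging type inactivity
 ! Default mode: err-disable the port on violation and send an SNMP trap
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
```

After applying this, show port-security interface GigabitEthernet1/0/10 and show port-security address confirm the learned, sticky and static entries and the violation counters.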
Key show commands to check your configuration:
show port-security
show port-security interface interface_num
show port-security address