Port security is one of the methods for restricting unauthorized access to your switch ports. By configuring port security you can make sure that only certain MAC addresses are allowed to connect to certain switch ports and if others are detected, these ports can be shutdown. However you should plan beforehand which ports are to be secured, how many MACs are allowed on these ports, should the MACs be static or dynamic and what action to perform if the restriction is violated. This feauture can typically be used if your switch is in a public area where it is possible for people to pull out cables and plug in to your switch ports etc. Also you can restict too many devices sharing connection to one of the switch ports by attaching to hubs or other dumb switches.
Port security can only be configured on access ports. By default port security is disabled. To turn it on, on any of the switch interfaces:
OTGSwitch(config)# interface Fa0/1 OTGSwitch(config-if)# switchport mode access OTGSwitch(config-if)# switchport port-security
The default settings for port security are:
i.e, Only one MAC address is allowed to connect to the port. If violation occurs then the port goes to shutdown (error-disabled) state. Aging is disabled and so learned MAC addresses do not expire even after the host is disconnected.
However you may want to modify the above default settings to suit your needs which is explained next.
Sometimes you need a maximum of two devices to attach to a switch port. eg: PC and laptop.
OTGSwitch(config-if)# switchport port-security maximum 2
You can decide what action should be taken if violation is detected. Available modes are shutdown, restrict and protect. In protect mode only the traffic from authorized MACs are allowed and other traffic is blocked.
OTGSwitch(config-if)# switchport port-security violation protect
In restrict mode traffic is blocked and logs are generated.
OTGSwitch(config-if)# switchport port-security violation restrict
The default is shutdown mode where the port goes to error-disabled state. This will be the mode if violation mode is not explicitly specified.
OTGSwitch(config-if)# switchport port-security violation shutdown
You can configure the switch to forget learned MAC addresses after sometime (regular interval or periods of inactivity). To set an aging time of 10 minutes of inactivity:
OTGSwitch(config-if)# switchport port-security aging time 10 OTGSwitch(config-if)# switchport port-security aging type inactivity
To configure the MAC address that can attach to an interface
OTGSwitch(config-if)# switchport port-security mac-address 001a.a48d.d0d8
It is not practically possible to configure all the allowed MAC addresses for each port. An easier way is to let the switch learn the attached MAC addresses and keep in memory. These are called sticky MAC addresses and remain in the running configuration.
OTGSwitch(config-if)# switchport port-security mac-address sticky
The switch will dynamically learn addresses until the maximum number allowed is reached. To configure port security on multiple ports altogether, the configuration can be applied to multiple ports together if all settings are similar
OTGSwitch(config)# interface range fastEthernet 0/1 - 5 OTGSwitch(config-if)# switchport port-security
To view port security status:
OTGSwitch# show port-security address Secure Mac Address Table ------------------------------------------ Vlan Mac Address Type Ports Remaining Age 1 001a.a48d.d0d8 SecureDynamic Fa0/1 - ------------------------------------------
View port security settings on an interface
OTGSwitch# show port-security interface fa0/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address : 001a.a48d.d0d8 Security Violation Count : 0