Section 11-3. Port Security



  • Port security enables you to configure a port to only allow a given device or devices access to the switch port.

  • Port security defines the allowed devices by MAC address.

  • MAC addresses for allowed devices can be manually configured and/or "learned" by the switch.

  • There are limits to how many MAC addresses can be secured on a port. These numbers vary between platforms.

  • When an unauthorized MAC attempts to access the port, the switch can suspend or disable the port.

  • Port security cannot be configured on a trunk port, a Switched Port Analyzer (SPAN) port, or a port that is dynamically assigned to a VLAN.

  • Port security is supported on the 5000, 4000, and 6000 switches running COS. It is supported on the 3500XL, 3550, and 2950 switches running IOS.

Configuration

When a port is active on a switch, any user can plug into the port and access the network. Because many networks use Dynamic Host Configuration Protocol (DHCP) to assign user addresses, it is very easy for someone with physical access to a network port to plug their own device, such as a laptop, into the port and become a user on the network. From there, that person could generate traffic or cause other problems within the network. Port security enables you to specify the MAC address(es) of the devices that are allowed to connect to the port. Keep in mind that port security identifies devices by MAC address only; a MAC address is easily cloned, so the feature raises the bar against casual connections rather than authenticating the device. Use the following steps to configure port security.

1.

Enable port security:

COS

 set port security mod/port enable 

IOS

 (interface) switchport port-security 

3500XL IOS

 (interface) port security 


By default anyone can plug into a port and access network services. To protect a port, you must first enable port security on the individual port. Use the command that is appropriate for your device.

NOTE

At the time of this writing, you cannot configure port security on the 4000 or 6000 series switches running Supervisor IOS code. If and when Cisco offers support for those platforms, it is expected that the syntax will be similar to the IOS configuration (not the 3500XL IOS) listed in these steps.

2.

Specify the number of MAC addresses:

COS

 set port security mod/port maximum value 

IOS

 (interface) switchport port-security maximum value 

3500XL IOS

 (interface) port security max-mac-count value 


After you have enabled port security, determine how many different devices will access the port and therefore how many addresses need to be secured. The value option specifies the number of addresses to be secured; the default is one address. Each hardware platform can secure only a limited number of addresses, so if you expect to secure more than 250 addresses in total on the switch, check the documentation for that hardware. Keep the maximum as low as the port's real use allows: every additional address a port may learn is one more address an unauthorized device can occupy before a violation is raised.

3.

Manually enter MAC addresses to be secured:

COS

 set port security mod/port enable [mac_address] 

IOS


 (interface) switchport port-security mac-address mac_address 

3500XL IOS

N/A


By default, the switch "learns" the MAC addresses of the devices that are plugged into the port, up to the configured maximum, and whichever addresses arrive first become the secured addresses. If you want to control exactly which devices can access the switch, use these commands to specify the MAC addresses that are secured on a port. On IOS the address is written in dotted notation (for example, 0001.0387.0943); COS accepts the hyphenated form (00-01-03-87-09-43).

4.

Specify the action to be taken by the port:

COS


 set port security mod/port violation {shutdown | restrict} 

IOS


 (interface) switchport port-security violation {protect | restrict | shutdown} 

3500XL IOS

 (interface) port security action {shutdown | trap} 


When a violation occurs, the least disruptive response is for the switch to drop the frames that come from unauthorized MAC addresses while still forwarding frames from the addresses configured or learned as secure. This behavior is selected by the protect option on IOS switches and the restrict option on COS switches, and it is what a 3500XL does when you enable port security without specifying an action. Another option is for the interface to move to a shutdown state; the port then stays down until an administrator reenables it. On IOS the port is placed in the error-disabled state, and you recover it by issuing shutdown followed by no shutdown on the interface (or by configuring errdisable recovery cause psecure-violation). A third option is to drop the offending frames and also generate an SNMP trap so that the violation is noticed; the restrict option for IOS and the trap option for the 3500XL IOS do this. Because protect drops silently with no trap or log entry, prefer restrict or shutdown wherever you want violations to be visible. Do not assume the default mode: on the 3550 and 2950 running IOS, and on COS switches, the default violation mode is shutdown, so confirm the configured mode with the verification commands in the next section.

Verification

To verify the configuration of port security on the switch, use one of the following commands:

COS

 show port security [statistics] mod/port 
 show port security statistics [system] [mod/port] 

IOS


 (privileged) show port-security [interface interface-id] [address] 

3500XL IOS

 show port security [interface-id] 


Feature Example

This example shows the configuration for port security. Port Fast Ethernet 2/1 is configured to allow a single MAC address, 00-01-03-87-09-43 (written 0001.0387.0943 in IOS notation), to access the port, and the port shuts down if the security is violated. Ports 2/2 and 2/3 are configured to allow 10 addresses each, which the switch learns as devices plug into the ports, and they drop unauthorized frames while staying up.

An example of the Catalyst OS configuration follows:

 Catalyst (enable)>set port security 2/1 enable 
 Catalyst (enable)>set port security 2/1 enable 00-01-03-87-09-43 
 Catalyst (enable)>set port security 2/1 violation shutdown 
 Catalyst (enable)>set port security 2/2-3 enable 
 Catalyst (enable)>set port security 2/2-3 maximum 10 
 Catalyst (enable)>set port security 2/2-3 violation restrict 

An example of the Supervisor IOS configuration follows. Each interface is placed in static access mode first, because the IOS port security command is rejected on a port that is still in dynamic trunking mode, the MAC address is written in IOS dotted notation, and the violation mode on ports 2/2 and 2/3 is set explicitly so that the ports drop rather than shut down:

 Switch(config)#interface fastethernet 2/1 
 Switch(config-if)#switchport mode access 
 Switch(config-if)#switchport port-security 
 Switch(config-if)#switchport port-security mac-address 0001.0387.0943 
 Switch(config-if)#switchport port-security violation shutdown 
 Switch(config-if)#interface fastethernet 2/2 
 Switch(config-if)#switchport mode access 
 Switch(config-if)#switchport port-security 
 Switch(config-if)#switchport port-security maximum 10 
 Switch(config-if)#switchport port-security violation protect 
 Switch(config-if)#interface fastethernet 2/3 
 Switch(config-if)#switchport mode access 
 Switch(config-if)#switchport port-security 
 Switch(config-if)#switchport port-security maximum 10 
 Switch(config-if)#switchport port-security violation protect 
 Switch(config-if)#end 
 Switch#copy running-config startup-config 
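Checking that every access port on a switch actually carries this policy is tedious by hand, so the following Python script (an added example, not part of the Cisco Field Manual) parses the interface stanzas of an IOS running-config and flags ports where port security is missing, where the violation mode is left at the platform default, where protect mode would drop silently, or where several learned addresses are allowed. The running-config text is constructed for the example and modeled on the feature example above, with one unprotected access port and one trunk added; the stanza layout and command spellings it expects are the IOS ones shown in this section.

```python
"""Audit Catalyst IOS interface stanzas for port-security coverage.

Added example; not from the Cisco Field Manual. SAMPLE_CONFIG is a constructed
running-config fragment modeled on the feature example in this section.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the three ports from the feature example, plus an
# unprotected access port (Fa2/4) and a trunk (Gi0/1).
SAMPLE_CONFIG = """\
!
interface FastEthernet2/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0001.0387.0943
 switchport port-security violation shutdown
!
interface FastEthernet2/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
!
interface FastEthernet2/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation protect
!
interface FastEthernet2/4
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")  # IOS dotted notation


@dataclass
class PortSecurity:
    """Port-security state recovered from one interface stanza."""
    name: str
    mode: str = "access"                 # "access" or "trunk"
    enabled: bool = False                # "switchport port-security" present
    maximum: int = 1                     # IOS default: one secured address
    violation: Optional[str] = None      # None: platform default applies
    static_macs: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> List[PortSecurity]:
    """Walk the config line by line; indented lines belong to the current interface."""
    ports: List[PortSecurity] = []
    current: Optional[PortSecurity] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = PortSecurity(name=m.group(1))
            ports.append(current)
            continue
        if not line.startswith(" "):
            current = None  # "!" separators and global commands end a stanza
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd == "switchport mode trunk":
            current.mode = "trunk"
        elif cmd == "switchport port-security":
            current.enabled = True
        elif cmd.startswith("switchport port-security maximum "):
            current.maximum = int(cmd.split()[-1])
        elif cmd.startswith("switchport port-security violation "):
            current.violation = cmd.split()[-1]
        elif cmd.startswith("switchport port-security mac-address "):
            last = cmd.split()[-1]
            if MAC_RE.fullmatch(last):   # ignore forms that carry no literal address
                current.static_macs.append(last)
    return ports


def audit(ports: List[PortSecurity]) -> Dict[str, List[str]]:
    """Return {interface: [issues]} for every non-trunk port; an empty list means clean."""
    findings: Dict[str, List[str]] = {}
    for p in ports:
        if p.mode == "trunk":
            continue  # port security cannot be configured on a trunk port
        issues: List[str] = []
        if not p.enabled:
            issues.append("port security not enabled")
        else:
            if p.violation is None:
                issues.append("violation mode left at platform default")
            elif p.violation == "protect":
                issues.append("protect mode drops silently (no trap or log)")
            if p.maximum > 1 and not p.static_macs:
                issues.append(f"{p.maximum} dynamically learned addresses allowed")
        findings[p.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(parse_interfaces(SAMPLE_CONFIG)).items():
        print(f"{name}: {'ok' if not issues else '; '.join(issues)}")
```

Run it against the output of show running-config saved to a file by replacing SAMPLE_CONFIG with the file contents; the trunk port is skipped deliberately, since port security cannot be applied there, so trunk ports need a separate review of their own.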



Cisco Field Manual: Catalyst Switch Configuration
ISBN: 1587050439
Year: 2001
Pages: 150