Port Security

By stretch | Monday, May 3, 2010 at 4:21 a.m. UTC

Port security is a layer two traffic control feature on Cisco Catalyst switches. It enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter users from adding "dumb" switches to extend the reach of the network without authorization (e.g. so that two or three users can share a single access port). The addition of unmanaged devices complicates troubleshooting by administrators and is best avoided.

Enabling Port Security

Port security can be enabled with default parameters by issuing a single command on an interface:

Switch(config)# interface f0/13
Switch(config-if)# switchport port-security

Although only a single interface is used for illustration in this article, port security, when deployed, is typically applied to all user-facing interfaces.

We can view the default port security configuration with show port-security:

Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

As you can see, there are a number of attributes which can be adjusted. We'll cover these in a moment. When a host connects to the switch port, the port learns the host's MAC address as the first frame is received:

Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0

Now, we disconnect the host from the port, connect a small switch or hub, and reconnect the original host plus a second, unauthorized host so that they both attempt to share the access port. Observe what happens as soon as the second host attempts to send traffic:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c on port FastEthernet0/13.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down

Inspecting the status of port security on the port again, we can see that the new MAC address triggered a violation:

Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0021.55c8.f13c:10
Security Violation Count   : 1
Switch# show interfaces f0/13
FastEthernet0/13 is down, line protocol is down (err-disabled) 
  Hardware is Fast Ethernet, address is 0013.c412.0f0d (bia 0013.c412.0f0d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
...

By default, a port security violation forces the interface into the error-disabled state. An administrator must re-enable the port manually by issuing the shutdown interface command followed by no shutdown. This must be done after the offending host has been removed, or the violation will be triggered again as soon as the second host sends another frame.

Tweaking Port Security

Violation Mode

Port security can be configured to take one of three actions upon detecting a violation:

shutdown (default): The interface is placed into the error-disabled state, blocking all traffic.

protect: Frames from MAC addresses other than the allowed addresses are dropped; traffic from allowed addresses is permitted to pass normally.

restrict: Like protect mode, but generates a syslog message and increases the violation counter.

By changing the violation mode to restrict, we are still alerted when a violation occurs, but legitimate traffic remains unaffected:

Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# ^Z
Switch#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c on port FastEthernet0/13.
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0021.55c8.f13c:10
Security Violation Count   : 3

Unfortunately, violating traffic will continue to trigger log notifications, and the violation counter will continue to increase, until the violating host is dealt with.

Maximum MAC Addresses

By default, port security limits the ingress MAC address count to one. This can be modified, for example, to accommodate both a host and an IP phone connected in series on a switch port:

Switch(config-if)# switchport port-security maximum 2

One also has the option to set a maximum MAC count for the access and voice VLANs independently (assuming a voice VLAN has been configured on the interface):

Switch(config-if)# switchport port-security maximum 1 vlan access
Switch(config-if)# switchport port-security maximum 1 vlan voice
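To make the violation-mode and maximum-count behaviour described in the two sections above concrete, here is an added example (a hypothetical Python model, not Cisco's implementation or the author's code) that feeds a constructed sequence of ingress frames through one secured port and reports what each mode does; the sticky flag and recover() method are assumptions that model the err-disable and recovery behaviour the article describes.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Hypothetical model of one secured access port; added example, not Cisco's implementation."""
    maximum: int = 1
    mode: str = "shutdown"      # shutdown | protect | restrict
    sticky: bool = False        # sticky addresses survive an err-disable; dynamic ones are flushed
    secure_macs: list = field(default_factory=list)
    violations: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Process one ingress frame; returns 'forward', 'drop' or 'errdisable'."""
        if self.err_disabled:
            return "drop"                      # down until shut/no shut or auto-recovery
        if src_mac in self.secure_macs:
            return "forward"                   # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learned from its first frame, as in the article
            return "forward"
        # An extra address beyond the allowed count is a violation; the mode decides the reaction.
        if self.mode == "protect":
            return "drop"                      # silently dropped: no counter, no syslog
        self.violations += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: caused by MAC address {src_mac}")
        if self.mode == "restrict":
            return "drop"                      # logged and counted; allowed hosts keep working
        self.err_disabled = True               # shutdown mode: the whole port goes err-disabled
        if not self.sticky:
            self.secure_macs.clear()           # article's output shows Total MAC Addresses back at 0
        self.syslog.append("%PM-4-ERR_DISABLE: psecure-violation error, err-disable state")
        return "errdisable"

    def recover(self) -> None:
        """Equivalent of shutdown / no shutdown, or errdisable auto-recovery firing."""
        self.err_disabled = False


def run(mode: str, maximum: int, frames: list) -> tuple:
    """Drive a fresh port with a constructed frame sequence; returns (actions, port)."""
    port = SecurePort(maximum=maximum, mode=mode)
    return [port.ingress(mac) for mac in frames], port


if __name__ == "__main__":
    host, rogue = "001b.d41b.a4d8", "0021.55c8.f13c"   # the two MACs from the article's output
    for mode in ("shutdown", "protect", "restrict"):
        actions, port = run(mode, 1, [host, rogue, rogue, host])
        print(mode, actions, "violations:", port.violations, "err-disabled:", port.err_disabled)
```

Note that after an err-disable without sticky learning, the first host to transmit once the port recovers is the one that gets learned, which is why the offending host must be removed before the port is brought back.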

MAC Address Learning

An administrator has the option of statically configuring allowed MAC addresses per interface. MAC addresses can optionally be configured per VLAN (access or voice).

Switch(config-if)# switchport port-security mac-address 001b.d41b.a4d8 ?
  vlan  set VLAN ID of the VLAN on which this address can be learned
  <cr>
Switch(config-if)# switchport port-security mac-address 001b.d41b.a4d8 vlan access

The configured MAC address(es) are recorded in the running configuration:

Switch# show running-config interface f0/13
Building configuration...

Current configuration : 259 bytes
!
interface FastEthernet0/13
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 001b.d41b.a4d8
 spanning-tree portfast
end

Obviously, this is not a scalable practice. A much more convenient alternative is to enable "sticky" MAC address learning; MAC addresses will be dynamically learned until the maximum limit for the interface is reached.

Switch(config-if)# no switchport port-security mac-address 001b.d41b.a4d8
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# ^Z
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0

After a MAC address has been learned, it is recorded to the configuration much as if it had been entered manually:

Switch# show running-config interface f0/13
Building configuration...

Current configuration : 311 bytes
!
interface FastEthernet0/13
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001b.d41b.a4d8
 spanning-tree portfast
end
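Because the saved configuration is where port security is ultimately verified, here is an added example (Python, not from the article or Cisco) that audits constructed show running-config text in the format above: for each access port it extracts the violation mode, maximum and saved sticky addresses, and flags a port whose port-security sub-commands are present without the bare switchport port-security line that actually enables the feature (a gotcha raised in the comments below), or whose voice VLAN is paired with the default maximum of 1.

```python
import re

# Constructed 'show running-config' excerpt in the format shown above; Fa0/14 carries
# port-security sub-commands but not the bare command that actually enables the feature.
SAMPLE_CONFIG = """\
interface FastEthernet0/13
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001b.d41b.a4d8
!
interface FastEthernet0/14
 switchport mode access
 switchport voice vlan 20
 switchport port-security violation restrict
!
"""

def parse_interfaces(config_text: str) -> dict:
    """Map each interface name to its indented sub-commands (leading space stripped)."""
    stanzas, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other unindented line ends the stanza
    return stanzas

def audit_port_security(config_text: str) -> dict:
    """Summarise port-security per access port and flag two common misconfigurations."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope
        ps = [l for l in lines if l.startswith("switchport port-security")]
        enabled = "switchport port-security" in ps
        mode = next((l.split()[-1] for l in ps if l.startswith("switchport port-security violation ")), "shutdown")
        maximum = next((int(l.split()[-1]) for l in ps if re.fullmatch(r"switchport port-security maximum \d+", l)), 1)
        per_vlan = any(re.fullmatch(r"switchport port-security maximum \d+ vlan \w+", l) for l in ps)
        sticky = [l.split()[-1] for l in ps if re.fullmatch(r"switchport port-security mac-address sticky \S+", l)]
        issues = []
        if not enabled:
            issues.append("not enabled: bare 'switchport port-security' missing" + (" (sub-commands present)" if ps else ""))
        if any(l.startswith("switchport voice vlan ") for l in lines) and maximum == 1 and not per_vlan:
            issues.append("voice VLAN configured but maximum is 1: a phone plus a host would violate")
        report[name] = {"enabled": enabled, "mode": mode, "maximum": maximum, "sticky": sticky, "issues": issues}
    return report
```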

MAC Address Aging

By default, secure MAC addresses are learned (in effect) permanently. Aging can be configured so that the addresses expire after a certain amount of time has passed. This allows a new host to take the place of one which has been removed. Aging can be configured to take effect at regular intervals, or only during periods of inactivity. The following example configures expiration of MAC addresses after five minutes of inactivity:

Switch(config-if)# switchport port-security aging time 5
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# ^Z
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0

After five minutes of inactivity, we can see that the address has been purged:

Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0

At this point, the old address will be re-learned the next time a frame is sent from that host, or a new host can take its place.

Auto-recovery

To avoid having to manually intervene every time a port-security violation forces an interface into the error-disabled state, one can enable auto-recovery for port security violations. A recovery interval is configured in seconds.

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600

Ten minutes after a port was error-disabled, we can see that the port is automatically transitioned back into operation:

%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/13
%LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up

This is a great way to automatically clear port security violations after the user has been given an opportunity to remove the offending host(s). Note that if the cause is not cleared, the violation will trigger again after the port comes back up, re-initiating the auto-recovery cycle.
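The syslog messages shown in this article are what an operator actually sees, so here is an added example (Python, not from the article or Cisco) that triages a constructed syslog excerpt in those message formats: it counts violations and offending MACs per port, and flags a port that goes err-disabled again after an auto-recovery, which is the cycle described above. The timestamps, hostname, port Fa0/7 and MAC 0000.0c00.0001 in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt in the message formats shown in the article (timestamps, hostname,
# Fa0/7 and its MAC are made up); Fa0/13 violates, is auto-recovered, then violates again.
SAMPLE_LOG = """\
May  3 04:21:10 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c on port FastEthernet0/13.
May  3 04:21:10 sw1 %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
May  3 04:31:10 sw1 %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/13
May  3 04:31:14 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c on port FastEthernet0/13.
May  3 04:31:14 sw1 %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
May  3 05:02:00 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c00.0001 on port FastEthernet0/7.
"""

VIOLATION = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address ([0-9a-f.]+) on port ([A-Za-z]+[\d/]+)")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on ([A-Za-z]+[\d/]+),")
RECOVER = re.compile(r"%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on ([A-Za-z]+[\d/]+)")

def short_name(port: str) -> str:
    """Normalise 'FastEthernet0/13' and 'Fa0/13' (both forms appear in the messages) to one key."""
    return port.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")

def triage(log_text: str) -> dict:
    """Per-port summary: violation count, offending MACs, and whether the port re-violated after recovery."""
    ports = defaultdict(lambda: {"violations": 0, "macs": set(), "err_disabled": 0, "recovered": 0, "cycling": False})
    for line in log_text.splitlines():
        if m := VIOLATION.search(line):
            p = ports[short_name(m.group(2))]
            p["violations"] += 1
            p["macs"].add(m.group(1))        # restrict mode logs this line without an err-disable
        elif m := ERR_DISABLE.search(line):
            p = ports[short_name(m.group(1))]
            p["err_disabled"] += 1
            if p["recovered"]:
                p["cycling"] = True          # offender still attached: recovery is just cycling the port
        elif m := RECOVER.search(line):
            ports[short_name(m.group(1))]["recovered"] += 1
    return dict(ports)
```

A port marked cycling is one where auto-recovery alone will not help; someone has to go and remove the extra host.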

Footnote

Although a deterrent, port security is not a reliable security feature, as MAC addresses are trivially spoofed, and multiple hosts can still easily be hidden behind a small router. IEEE 802.1X is a much more robust access edge security solution.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Security, Switching

Comments


laith43d
May 3, 2010 at 6:39 a.m. UTC

I think there are some errors in the editing.


tormentum (guest)
May 3, 2010 at 11:25 a.m. UTC

I actually had to learn this the other day. We had enabled all user facing ports on our 2960G's using the Catalyst Web Interface, configuring them as "Desktop" ports. As a result, when a rogue switch was connected, the port was shut down permanently and a manual "shut" and "no shut" would be needed each time an offense occurred.

I'll be making some changes based on the above.

Cheers mate!


hexem (guest)
May 3, 2010 at 1:00 p.m. UTC

Only glanced over the article, but port-security is definitely a cool feature to have in smaller to medium sized environments, good for preventing mac-address-table flooding attacks where a user may attempt to take advantage of a full mac table and sniff those unknown unicast frames that will get flooded once the switch can no longer learn additional mac addresses.


robertjuric
May 3, 2010 at 1:13 p.m. UTC

Talk about just in time. I was needing to implement some of these features this week. Thanks for the write up.


A guest
May 3, 2010 at 2:27 p.m. UTC

I usually put in 2 mac addresses to cover for multicast.


ekenny
May 3, 2010 at 5:05 p.m. UTC

DHCP Snooping is also a nice feature to enable for Layer 2 security. You can use this to stop rogue DHCP servers from taking over your network, or to prevent people from changing their IP address manually on a DHCP enabled network.

ip dhcp snooping

Also ARP inspection can help prevent against ARP poisoning attacks and other MAC address spoofing.

ip arp inspection validate dst-mac src-mac ip


abester1
May 3, 2010 at 6:33 p.m. UTC

Something to keep in mind: some protocols, e.g. HSRP, require more than 1 MAC address. HSRP requires 1 MAC for the real address and 1 MAC for the virtual IP address. The switch port where the routers are connected will see two separate MAC addresses from that port. If the port is set to MAX 1 then the port will err-disable.


Jefferson (guest)
May 3, 2010 at 10:08 p.m. UTC

There's an issue with VoIP phones (or any other switch) and port security that's caused us some interesting problems in the past. A user would connect their device to a port behind a VoIP phone. At this point the switch would learn their device's MAC address and tie it to the port. If that device is then unplugged and moved to a different port on the same switch, the switch will not properly pass traffic to the new port. This was an issue for us even without manual (or sticky) MAC addresses. (Normally this wouldn't be an issue as the switch would forget the MAC once link went down. However with a VoIP phone in place the link never went down.) We resolved this by putting in an inactivity timer to automatically age out old entries.


SG (guest)
May 3, 2010 at 10:47 p.m. UTC

Good article on the basics of Port Security. I've recently had to use this to provisionally secure ports from rogue end-user points and it worked well. Certainly port-security isn't the end all be all (802.1x), but it did the job nicely. :)


sonic (guest)
May 4, 2010 at 7:36 a.m. UTC

To Jefferson: I faced the same problem. I solved this by setting age to 1 minute. To stretch: great article, but it would be great to write an article about a complete solution without 802.1x (I mean: port-security + DHCP snooping + dynamic ARP inspection + IP source guard). I think with these 4 things installed you have a secure enough environment without paying for an 802.1x implementation.


joshlowe
May 4, 2010 at 4:29 p.m. UTC

One important "gotcha" to remember when configuring port security, no matter how you configure it, you still need the "switchport port-security" command (with no parameters) to enable it. For instance, I see this all the time:

Switch(config-if)# switchport port-security maximum 2

The above command does not enable port security. You must also add:

Switch(config-if)# switchport port-security

to turn it on. So many times I've been told that port security was configured, only to find that it wasn't enabled with the generic version of the command.


Bob (guest)
May 4, 2010 at 7:02 p.m. UTC

If you want to use HSRP with port-security and keep to the default of one MAC address per switchport you can use the following command on the routers:

interface FastEthernet0/1
 standby 1 use-bia

guym
May 7, 2010 at 11:10 a.m. UTC

Thanks for the article. We use it as hexem mentioned - as protection against MAC flood attacks. In fact, that's what the Cisco chaps were advising at Networkers this year for the reasons covered above.

We set the limit to 20 MAC addresses which allows for VMS and the like and have it timeout after a minute. Here is our edge port port-security config:

 switchport port-security
 switchport port-security maximum 20
 switchport port-security aging time 1
 switchport port-security violation restrict

thiagotrixnet (guest)
June 29, 2010 at 3:40 a.m. UTC

great post!


Alp (guest)
August 10, 2010 at 2:39 p.m. UTC

Be aware that sticky mac addresses do not expire, hence the errdisable ports cannot auto recover if sticky mac addresses are enabled.


Harry (guest)
January 24, 2011 at 6:05 a.m. UTC

I have configured one port in a 3750 X series with the following commands and the VoIP phone was showing "configuring IP address".

        switchport port-security maximum 3
        switchport port-security maximum 2 vlan voice
        switchport port-security maximum 2 vlan access

After doing some tests I had found that it is the port security command that restricted it from getting an IP address. I had changed the command as follows:

        switchport port-security maximum 3
        switchport port-security maximum 3 vlan voice
        switchport port-security maximum 2 vlan access

i.e. I changed the data vlan allowance to 3 and the remaining settings remain the same. But still I didn't understand why it was not working in the previous config.


CadJoe (guest)
May 10, 2011 at 7:54 p.m. UTC

Also remember that if you are using sticky, you need to make sure you WRITE your config after all addresses are learned.

Otherwise, if the switch loses power, all ports will dynamically relearn new MACs when it comes up.


A guest
August 23, 2011 at 2:17 p.m. UTC

Interesting paper about port security: Media Access Control Address Spoofing Attacks against Port Security

http://www.usenix.org/events/woot11/tech/final_files/Buhr.pdf


maapinho
September 19, 2011 at 11:58 p.m. UTC

Hi,
grrreat site. I'm going for CCNP Switch and found this on the site (which I've been following for a long time).

Got one question hopefully someone can help:

Am I right to think that MAC address aging is just for dynamic/sticky MAC addresses? Could not find this clear and explicit anywhere.

thanks


generalnetworkerror
May 11, 2013 at 11:44 p.m. UTC

Thanks for the article. I wasn't familiar with the PROTECT option.

P.S. The config needs to be saved to nvram so sticky entries are not lost.


jim (guest)
December 4, 2014 at 10:28 a.m. UTC

Hi Jeremy,

Thanks for your nice explanation. I have seen a number of your posts, they are all to the point.

Kind regards, jim


A guest
December 4, 2014 at 4:49 p.m. UTC

Thanks for the info. It makes my life a little easier.
