Port Security

Barikumamondelo
5 min readMay 22, 2024


In this article, I’ll be talking about the fundamentals of port security, why it is important and how to configure it.

A network engineer configures port security on a switch interface to restrict it to one or more specific devices. Suppose the engineer knows that an email server or a particular PC is the device that will be connected to interface F0/1 of a switch; he or she can configure port security on that interface so that only that device is accepted. If someone then connects an unrecognized device to that port, whether by mistake or on purpose, the switch stops that device from sending traffic, either by shutting down the interface or by discarding the traffic received on it.

We know that the switch has a MAC address table, and it builds that table by mapping the source MAC address of a frame to the port the frame was received from.

Port security works by checking the source MAC address of each incoming frame and deciding whether the device with that MAC address is allowed to send traffic through that port. If a frame with an unauthorized source MAC address enters an interface configured with port security, by default the switch puts that interface in an err-disabled state, but it can also be configured to react differently. Later in the article, I’ll describe the violation modes.

Port security can only be enabled on ports that are statically configured as access or trunk ports (not on ports left in dynamic mode). When port security is enabled on an interface, only one MAC address is allowed by default; that address can be configured manually, or the switch will allow the first MAC address that enters the interface. The maximum number of MAC addresses allowed on an interface can be changed. Say a maximum of 4 addresses is allowed on an interface and four have already been learned: if a frame with a new source MAC address enters that interface, a violation occurs, and by default the switch discards all traffic entering that port.

VIOLATION MODES

There are three violation modes in port security.

  1. Shutdown Mode: This is the default mode when port security is configured on an interface. When an unauthorized frame enters the port, the port behaves as if it has been shut down; in fact it is placed in the err-disabled state. Ports in the err-disabled state discard frames, and to re-enable one you have to shut it down with the shutdown command and bring it back up with the no shutdown command. To have the interface re-enabled automatically, enter the command errdisable recovery cause psecure-violation in global configuration mode. This violation mode generates a syslog and/or SNMP message when the interface is disabled, and it increments the violation counter by 1 (we will see the violation counter when we get to the configuration).
  2. Restrict Mode: An interface configured with the restrict violation mode is not disabled when a frame with an unauthorized source MAC address enters it. Instead, the frame with the unauthorized source MAC address is discarded, while devices with authorized MAC addresses can still use the interface. This violation mode generates a syslog and/or SNMP message when a violation occurs, and it increments the violation counter by 1.
  3. Protect Mode: This mode behaves like Restrict mode, except that it generates no syslog or SNMP message for unauthorized traffic and does not increment the violation counter.

PORT SECURITY CONFIGURATION

Step 1: Enter interface configuration mode for the interface on which you wish to configure port security and make it an access port in a VLAN (I will use VLAN 1). After that, enter the command switchport port-security.

[Image: port security configuration]

Step 2: In this step, we will configure this port to learn the MAC address automatically. We will set the violation mode to shutdown and the maximum MAC addresses to 1.

[Image: port security configuration]

The first command, switchport port-security mac-address sticky, tells the switch to allow the first MAC address it learns on that interface (and to keep that address in the running configuration). You can also specify the MAC address explicitly if you know the address of the device. switchport port-security violation shutdown sets the violation mode to shutdown, and switchport port-security maximum 1 sets the maximum number of allowed addresses to 1.
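The two steps above assembled into one configuration, as an added example rather than the article's own screenshots: interface FastEthernet0/1 matches the article's shutdown-mode setup, a second interface FastEthernet0/2 (assumed, not in the article) shows the restrict mode from the violation-modes section with a larger maximum, and automatic err-disable recovery is enabled globally. Aging of learned addresses and the 300-second recovery interval are extra settings I chose, not values from the article.

```cisco
! Global: bring err-disabled ports back up automatically after a
! port-security violation instead of requiring a manual shut/no shut.
configure terminal
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300

! F0/1: the article's setup. One sticky-learned address, shutdown mode.
 interface FastEthernet0/1
  switchport mode access
  switchport access vlan 1
  switchport port-security
  switchport port-security maximum 1
  switchport port-security violation shutdown
  switchport port-security mac-address sticky
  exit

! F0/2 (assumed interface): restrict mode keeps the port up and only drops
! frames from unknown sources, so a rogue device cannot knock authorized
! devices offline. Inactivity aging frees entries from devices that leave.
 interface FastEthernet0/2
  switchport mode access
  switchport access vlan 1
  switchport port-security
  switchport port-security maximum 4
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  switchport port-security aging time 10
  exit
end

! Verification: per-interface status, violation count and last source MAC;
! learned/secure addresses; and any ports currently err-disabled.
show port-security interface FastEthernet0/1
show port-security address
show interfaces status err-disabled
```

After a violation on F0/1, show port-security interface reports the port status as Secure-shutdown and the violation count as 1; with the recovery cause enabled, the port returns to service after the interval without a manual no shutdown.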

With these two steps, we have configured port security on interface F0/1 of the switch. Now let’s use the show command to see our configuration.

[Image: show output]

From the output of this command, we can see that our configuration was successful, and the switch has learnt a new device with MAC address 0060.4748.DBE5.

Now let’s connect another device to that port and see what happens.

[Image: violation]

We can see that the port status changed to Secure-shutdown, that the last MAC address that entered the interface was 0001.4363.74A8, and that the violation counter increased to 1. If we view the interface, we will see that it is in the err-disabled state.

[Image: interface status]

With this, we have come to the end of this article. Do well to practice the configurations and practice with other violation modes too. Until next time, bye!
