How to configure port-security on Cisco Switch

Hi Steven,

You are absolutely right, I just fixed this in the article. You only need to enable errdisable recovery cause psecure-violation and after 300 seconds, it will recover the interface. You can speed this up with the errdisable recovery interval command.

The “aging” commands are about removing MAC addresses, not about recovering the interface itself.

Rene

Is it possible to configure port security on multiple ports at a time? Looking at the steps, it looks like it’s not possible because I have to get into the interface I’m configuring and then use the command. I’m just curious, and if it’s not possible, is there a reason it’s not allowed?

Also, am I missing a command that will show me more details on why the port went down, or am I supposed to use my troubleshooting knowledge to figure out the possible reasons why the port went down?

An example: I configured the switch to only allow a laptop’s MAC address on fa0/1. I put a hub between the laptop and fa0/1 so I can plug a PC into the hub and test the port security. The port goes down but I only get (%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down).

I was hoping to get something else like, port down due to security violation or something.

Hello Rafael

It is possible to apply port security on multiple ports at the same time. Indeed it is possible to configure any feature on multiple ports at the same time. This is done using the “range” command. For example, you can configure fastethernet ports 0/1 to 0/10 by issuing the following command:

interface range fastethernet 0/1 - 10

The result will be the following prompt:

switch(config-if-range)#

All configurations you apply, including port security features, will be applied to all ports within the range. You can also choose specific ports rather than a range using:

interface range fastethernet 0/1, 5, 8

There are a multitude of commands that will allow you to discover the status of port security for specific ports and for a switch in general. More information about these can be found here:

I hope this has been helpful!

Laz

About the CAM table:
Thank you for this presentation.
In your video, with no port-security enabled, you indicate that a user can connect his switch, then several hosts, and then your switch learns all the host MACs in the CAM table. I feel that your switch also learns the MAC address of the user’s switch, but you do not indicate it: is it an oversight? Or can the user’s switch (arrange to) never send its own MAC to your switch?
So, if all the hosts are yours, as long as you do not type “show cdp neighbors” on your switch, you can’t see this “shadow switch” MAC address in the CAM table, for example?
Am I right?

(Default values)
You confirm that the default values are:

switchport port-security 1
switchport port-security violation shutdown

and so a
no switchport port-security 5
returns its value to 1

or
no switchport port-security restrict
reactivates the shutdown.
Thank you in advance.

Hello Roger Hugues,

The article specifically mentions a “cheap” switch; you can understand it as a “dumb switch”.

  • Dumb switches are unmanaged and do not support features like STP.
  • A dumb switch does not generate any traffic by itself, because it has no features to do so. Therefore the “smart” switch cannot learn the switchport MAC address of this dumb (“shadow”) switch. (Switches learn MAC addresses from the “Source MAC Address” field of Ethernet frames.)

That is right, default values are:

  • max 1 mac address
  • violation shutdown

You can check this yourself.

Switch2(config)# interface g1/1
Switch2(config-if)# switchport port-security

These values are not shown in the running-config, because default values are never shown in the running-config.

Switch2(config-if)# do show run interface g1/1
Building configuration...

Current configuration : 121 bytes
!
interface GigabitEthernet1/1
 switchport mode access
 switchport port-security
 media-type rj45
 negotiation auto
end

But you can verify them by using “show port-security”.

Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Or be more specific:

Switch2(config-if)# do show port-security interface g1/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

The rest of your post is also correct. If you negate “switchport port-security maximum 5” and “switchport port-security violation restrict” with a “no” statement in front, then it goes back to its defaults (1, shutdown).

Switch2(config-if)# switchport port-security maximum 5
Switch2(config-if)# switchport port-security violation restrict
Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              5            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Negate previous commands.

Switch2(config-if)# no switchport port-security maximum 5
Switch2(config-if)# no switchport port-security violation restrict
Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Hello Hugues

@fugazz has got it spot on. Thanks Michal.

Laz

Hello Lazaros,
Your answer suits me.


Hi,
I need some clarification on port security when an IP phone is connected between a switch and a host PC. It may be a problem I am having with Packet Tracer and GNS3, but I am unable to get the switch to learn 2 MAC addresses on a port. It seems to identify one MAC address but not the other, and then declares a duplication of MAC addresses when I attempt to add a new MAC address.

I have tried adding a MAC address manually or using the sticky method. Neither seems to work fully with this example, but it works perfectly with a single device connected to a port.

Please note I do have a home lab but have no IP phone to complete a live test.

Adrian

Hello Adrian

The methodology for port security with IP phones is well documented and quite straightforward. Take a look at this Cisco documentation that specifies some guidelines that should be followed for implementations using IP phones and PCs connected to them.

I hope this has been helpful!

Laz


I have port security enabled on fa0/11 to accept 3 devices. The show port-security command shows 3, show mac address-table interface fa0/11 shows 3, but show interface fa0/11 only shows 2. 9c57.x.x.x is an IP phone, 3464.x.x.x is a desktop and 0800.x.x.x is a virtual machine that was added after increasing the limit from 2 to 3 to allow the VM to connect. I’m looking for the reason I don’t see the 0800.x.x.x in the running config. I assume it would also be a static entry since it was learned by port-security as a dynamic secure MAC address. Can you explain the Total addresses in System (excluding one mac per port)? Thanks.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

SW3#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/11              3            3                  0         Shutdown
     Fa0/18              1            1                  0         Shutdown
     Fa0/19              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144
SW3#

+++++++++++++++++++++++++++++++++++++++++++++++++++++

SW3#sh run int fa0/11
Building configuration...
 
 
Current configuration : 274 bytes
!
interface FastEthernet0/11
switchport mode access
switchport nonegotiate
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address 3464.a918.d8d0 vlan access
switchport port-security mac-address 9c57.ad3e.f384 vlan access
end

+++++++++++++++++++++++++++++++++++++++++++++++++++++

SW3#sh mac address-table interface fa0/11
          Mac Address Table
-------------------------------------------
 
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0800.27bd.9085    STATIC      Fa0/11
   1    3464.a918.d8d0    STATIC      Fa0/11
   1    9c57.ad3e.f384    STATIC      Fa0/11

Hello Donald

Port security has been enabled on Fa0/11, and two MAC addresses have been manually configured for that port security. Because you have a maximum of 3, two of these must match the configured MACs and the third (in your case the 0800.x.x address) can be anything. So at any time, on this port, only the two configured MACs plus one more can be seen. 0800.x.x will not appear in the configuration since it has not been manually configured.

With the configuration as you have it, the MAC of the VM will never appear in the configuration. In order for that to happen, you need this command:

switchport port-security mac-address sticky

The sticky keyword will cause the MAC of any connected device to be recorded and saved within the configuration. The two MAC addresses in the config were not put there by the “sticky” feature, but manually configured as I mentioned before. Otherwise, they would have had the following configuration:

switchport port-security mac-address sticky 3464.a918.d8d0 vlan access
switchport port-security mac-address sticky 9c57.ad3e.f384 vlan access

…which includes the “sticky” keyword.

So you have two choices. Either you manually configure the 0800.x.x MAC, or you add the switchport port-security mac-address sticky command which will automatically read and record the MAC of the VM.

Actually, strictly speaking it is a dynamic MAC address entry since it was not manually configured in the MAC address table. However, Cisco switches will record MAC addresses that appear on interfaces configured with port security as STATIC in the MAC address table, regardless of whether they were manually configured, configured using sticky, or not referenced at all in the interface config.

Finally, the statement “Total Addresses in System (excluding one mac per port)” shows the number of addresses that are being used in port security beyond the single MAC per port. So this number is the total number of MAC addresses in excess of the single MAC per port. In your case you have three ports with port security enabled; Fa0/18 and Fa0/19 each use a single MAC address, so those don’t count, and the 3 MAC addresses on Fa0/11 minus the one gives you a total of 2.

I hope this has been helpful!

Laz
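To make the rule above concrete, here is a small Python parser for the “show port-security” table (an added example, not code from this thread or from Cisco). It recomputes the “excluding one mac per port” total from the per-port CurrentAddr column, compares it with the figure the switch reports, and flags ports that are at their configured limit or have recorded violations. The sample output is constructed from the counts Donald posted.

```python
import re

# Constructed sample in the layout of "show port-security" (values from the thread above)
SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/11              3            3                  0         Shutdown
     Fa0/18              1            1                  0         Shutdown
     Fa0/19              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144
"""

# One data row: port, three integer counters, then the violation action
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
TOTAL = re.compile(r"^Total Addresses in System.*:\s*(\d+)")


def parse_port_security(text):
    """Return (rows, reported_total); rows maps port name -> counters."""
    rows, reported = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, mx, cur, viol, action = m.groups()
            rows[port] = {"max": int(mx), "current": int(cur),
                          "violations": int(viol), "action": action}
            continue
        m = TOTAL.match(line)
        if m:
            reported = int(m.group(1))
    return rows, reported


def expected_total(rows):
    """Rule from the thread: each port contributes its secure MACs beyond the first."""
    return sum(max(r["current"] - 1, 0) for r in rows.values())


def check_port_security(text):
    """Parse the output, verify the system total and flag ports worth a look."""
    rows, reported = parse_port_security(text)
    findings = []
    for port, r in rows.items():
        if r["violations"] > 0:
            findings.append(f"{port}: {r['violations']} violation(s), action {r['action']}")
        if r["current"] >= r["max"]:
            findings.append(f"{port}: at limit ({r['current']}/{r['max']})")
    exp = expected_total(rows)
    return {"ports": rows, "reported_total": reported, "expected_total": exp,
            "consistent": reported == exp, "findings": findings}
```

A port reported as at its limit is one where the next unknown source MAC will trigger the configured violation action, so the findings list is a useful thing to watch before a user plugs in an extra device.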

I read your reply three times and now understand why the VM MAC did not show up as a static entry in the running config, and the meaning of “Total addresses in system (excluding one mac per port)”. Great clear explanation! Thanks.


Hi Rene,

What should be the best practice to configure port security with IPSG and DAI with VMs?

Thanks

Hello Giovanni

According to Cisco, port security is not recommended within a VM infrastructure in a Cisco environment:

…due to the need for the VM MAC addresses to move from one switchport to a different switchport on the same or a different switch and on the same VLAN without the port physically going down.

See Page 50 in the following Cisco document:


There are, however, many professionals who disagree with this philosophy, as there are ways of dealing with the shifting of VM MACs. Ultimately, I would go with Cisco’s recommendations unless your particular implementation absolutely needs port security, in which case you can implement it appropriately for your needs. Unfortunately there is no one clear answer to this, but maybe this gives you some guidelines.

As for IPSG and DAI, there are no specialized requirements for the implementation of these features within a virtual environment beyond those stipulated in a more traditional datacenter implementation.

I hope this has been helpful!

Laz

Hi,
I have a problem during the configuration of a port-security on my sw.

This is the configuration.

interface GigabitEthernet0/4
 description 99_FW_OOB
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 spanning-tree portfast
!         

If I try an attack using macof, the switch does not put the port into err-disable and I can see all the MACs in the CAM table on port g0/4.

Solved,
I forgot the port-security command.


I have a question. I want to prevent anyone from getting a new IP from the DHCP server. I know I can use DHCP snooping, but my challenge is that our main trunk to the GPON currently has DHCP snooping trust set. We intend to do this on a voice VLAN on the switch. Most subnets are beyond the trunk.
How do you advise I approach this?

Hello Temitope

One way you could do this is to configure the DHCP server to stop giving out new DHCP addresses. You can maintain the current address leases, lock them to the specific MACs that are already in the DHCP bindings, and simply not give out any more. The current leases can be renewed, but no new ones will be provided.

In a GPON network (or any network for that matter), if you already have snooping trust set, and you don’t have control over that network, then you can’t use it to block DHCP messages.

Can you share a little more about your network topology and what you want to achieve, as well as which portions of the network you have control over (and can thus configure) and which you don’t? Maybe that way we’ll be able to suggest something more specific.

I hope this has been helpful!

Laz