How to configure port-security on Cisco Switch

Hello Roger Hugues,

The article specifically mentions a “cheap” switch; you can understand it as a “dumb switch”.

  • Dumb switches are unmanaged and do not support features like STP.
  • A dumb switch does not generate any traffic by itself, because it has no features to do so. Therefore the “smart” switch cannot learn the MAC address of this dumb (“shadow”) switch’s switchport. (Switches learn MAC addresses from the “Source MAC Address” field of Ethernet frames.)

That is right, the default values are:

  • max 1 mac address
  • violation shutdown

You can check this by yourself.

Switch2(config)# interface g1/1
Switch2(config-if)# switchport port-security

These values are not shown in the running-config, because default values are never shown in the running-config.

Switch2(config-if)# do show run interface g1/1
Building configuration...

Current configuration : 121 bytes
!
interface GigabitEthernet1/1
 switchport mode access
 switchport port-security
 media-type rj45
 negotiation auto
end

But you can verify them by using “show port-security”:

Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Or be more specific:

Switch2(config-if)# do show port-security interface g1/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

The rest of your post is also correct. If you negate “switchport port-security maximum 5” and “switchport port-security violation restrict” with a “no” statement in front, then it goes back to its defaults (1, shutdown).

Switch2(config-if)# switchport port-security maximum 5
Switch2(config-if)# switchport port-security violation restrict
Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              5            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Negate the previous commands.

Switch2(config-if)# no switchport port-security maximum 5
Switch2(config-if)# no switchport port-security violation restrict
Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Hello Hugues

@fugazz has got it spot on. Thanks Michal.

Laz

Hello Lazaros,
your answer suits me.


Hi,
I need some clarification on port security when an IP phone is connected in between a switch and a host PC. It may be a problem I am having with Packet Tracer and GNS3, but I am unable to get the switch to learn 2 MAC addresses on a port. It seems to identify one MAC address but not the other, then declares a duplication of MAC addresses when I attempt to add a new MAC address.

I have tried adding a MAC address manually or using the sticky method. Neither seems to work fully with this example, but it works perfectly with a single device connected to a port.

Please note I do have a home lab but have no IP phone to complete a live test.

Adrian

Hello Adrian

The methodology for port security with IP phones is well documented and quite straightforward. Take a look at this Cisco documentation that specifies some guidelines that should be followed for implementations using IP phones and PCs connected to them.

I hope this has been helpful!

Laz


I have port security enabled on fa0/11 to accept 3 devices. The show port-security command shows 3, show mac address-table interface fa0/11 shows 3, but show interface fa0/11 only shows 2. 9c57.x.x.x is an IP phone, 3464.x.x.x is a desktop and 0800.x.x.x is a virtual machine that was added after increasing the limit from 2 to 3 to allow the VM to connect. Looking for the reason I don’t see the 0800.x.x.x in the running config. I assume it would also be a static entry since it was learned by port-security as a dynamic secure MAC address. Can you explain “Total Addresses in System (excluding one mac per port)”? Thanks.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

SW3#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/11              3            3                  0         Shutdown
     Fa0/18              1            1                  0         Shutdown
     Fa0/19              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144
SW3#

+++++++++++++++++++++++++++++++++++++++++++++++++++++

SW3#sh run int fa0/11
Building configuration...
 
 
Current configuration : 274 bytes
!
interface FastEthernet0/11
switchport mode access
switchport nonegotiate
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address 3464.a918.d8d0 vlan access
switchport port-security mac-address 9c57.ad3e.f384 vlan access
end

+++++++++++++++++++++++++++++++++++++++++++++++++++++

SW3#sh mac address-table interface fa0/11
          Mac Address Table
-------------------------------------------
 
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0800.27bd.9085    STATIC      Fa0/11
   1    3464.a918.d8d0    STATIC      Fa0/11
   1    9c57.ad3e.f384    STATIC      Fa0/11

Hello Donald

Port security has been enabled on Fa0/11, and two MAC addresses have been manually configured for that port security. Because you have a maximum of 3, two of these must match the configured MACs and the third (in your case the 0800.x.x address) can be anything. So at any time, on this port, only the two configured MACs plus one more can be seen. 0800.x.x will not appear in the configuration since it has not been manually configured.

With the configuration as you have it, the MAC of the VM will never appear in the configuration. In order for that to happen, you need this command:

switchport port-security mac-address sticky

The sticky keyword will cause the MAC of any connected device to be recorded and saved within the configuration. The two MAC addresses in the config were not put there by the “sticky” feature, but manually configured as I mentioned before. Otherwise, they would have had the following configuration:

switchport port-security mac-address sticky 3464.a918.d8d0 vlan access
switchport port-security mac-address sticky 9c57.ad3e.f384 vlan access

…which includes the “sticky” keyword.

So you have two choices. Either you manually configure the 0800.x.x MAC, or you add the switchport port-security mac-address sticky command which will automatically read and record the MAC of the VM.

Actually, strictly speaking it is a dynamic MAC address entry since it was not manually configured in the MAC address table. However, Cisco switches will record MAC addresses that appear on interfaces configured with port security as STATIC in the MAC address table, regardless of whether they were manually configured, configured using sticky, or not referenced at all in the interface config.

Finally, the statement “Total Addresses in System (excluding one mac per port)” shows the number of addresses that are being used in port security beyond the single MAC per port. So this number is the total number of MAC addresses in excess of the single MAC per port. In your case, you have three ports with port security enabled; you have a single MAC address being used on Fa0/18 and Fa0/19, so those don’t count, and you have 3 MAC addresses on Fa0/11 minus the one, which gives you a total of 2.

I hope this has been helpful!

Laz

I read your reply three times and now understand why the VM MAC did not show up as a static entry in the running config, and the meaning of “Total Addresses in System (excluding one mac per port)”. Great clear explanation! Thanks.


Hi Rene,

What should be the best practice to configure port security with IPSG and DAI with VMs?

Thanks

Hello Giovanni

According to Cisco, port security is not recommended within a VM infrastructure in a Cisco environment:

…due to the need for the VM MAC addresses to move from one switchport to a different switchport on the same or a different switch and on the same VLAN without the port physically going down.

See Page 50 in the following Cisco document:


There are, however, many professionals who disagree with this philosophy, as there are ways of dealing with the shifting of VM MACs. Ultimately, I would go with Cisco’s recommendations unless your particular implementation absolutely needs port security, in which case you can implement it appropriately for your needs. Unfortunately there is no one clear answer to this, but maybe this gives you some guidelines.

As for IPSG and DAI, there are no specialized requirements for the implementation of these features within a virtual environment beyond those stipulated in a more traditional datacenter implementation.

I hope this has been helpful!

Laz

Hi,
I have a problem during the configuration of port-security on my switch.

This is the configuration.

interface GigabitEthernet0/4
 description 99_FW_OOB
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 spanning-tree portfast
!

If I try an attack using macof, the switch does not put the port into err-disable and I can see all the MACs in the CAM table on port g0/4.

Solved,
I forgot the port-security command :)

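The mistake in the post above (sub-commands such as “maximum 5” and “mac-address sticky” present, but the enabling “switchport port-security” line missing, so the feature never activates) is easy to miss when reading a long running-config. The following is an added example, not code from the post or from Cisco: it walks interface stanzas of a constructed running-config excerpt and reports every interface that carries port-security options without the enabling command. Gi0/4 reproduces the stanza from the post; Gi0/5 is the corrected form.

```python
# Constructed running-config excerpt: Gi0/4 mirrors the stanza from the post
# above (options present, enabling command missing); Gi0/5 is the fixed form.
RUNNING_CONFIG = """\
interface GigabitEthernet0/4
 description 99_FW_OOB
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface GigabitEthernet0/5
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security
 spanning-tree portfast
!
"""

def interface_stanzas(config):
    """Yield (interface name, list of stripped sub-commands) per interface block."""
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name and line.startswith(" "):
            body.append(line.strip())
        elif name and line.strip() in ("!", "end"):
            yield name, body
            name, body = None, []
    if name:
        yield name, body

def port_security_findings(config):
    """Interfaces where port-security options exist but the feature is never enabled."""
    findings = []
    for name, body in interface_stanzas(config):
        enabled = "switchport port-security" in body          # exact enabling line
        options = [c for c in body if c.startswith("switchport port-security ")]
        if options and not enabled:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for iface in port_security_findings(RUNNING_CONFIG):
        print(f"{iface}: port-security options configured but feature not enabled")
```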

I have a question. I want to prevent anyone from getting a new IP from the DHCP server. I know I can use DHCP snooping, but my challenge is that our main trunk to the GPON currently has DHCP snooping trust set. We intend to do this on a voice VLAN on the switch. Most subnets are beyond the trunk.
How do you advise I approach this?

Hello Temitope

One way you could do this is to configure the DHCP server to stop giving out new DHCP addresses. You can maintain the current address leases, lock them to the specific MACs that are already in the DHCP bindings, and simply don’t give out any more. The current leases can be renewed, but no new ones will be provided.

In a GPON network (or any network for that matter), if you already have snooping trust set, and you don’t have control over that network, then you can’t use it to block DHCP messages.

Can you share a little more about your network topology and what you want to achieve? As well as what portions of the network you have control over (and can thus configure) and which you don’t? Maybe that way we’ll be able to suggest something more specific.

I hope this has been helpful!

Laz

Hi,
Can you help me to understand these logs.

Jun 27 12:01:09 79.33.42.119 8515 .Jun 27 10:01:08.036: PSECURE: psecure_vp_fwdchange invoked
Jun 27 12:01:09 79.33.42.119 8516 .Jun 27 10:01:08.041: PSECURE: psecure_linkchange: Gi0/8  hwidb=0x5734918
Jun 27 12:01:09 79.33.42.119 8517 .Jun 27 10:01:08.041: PSECURE: Link is going down
Jun 27 12:01:09 79.33.42.119 8518 .Jun 27 10:01:08.041: PSECURE: psecure_linkdown_init: Gi0/8 hwidb = 0x5734918
Jun 27 12:01:09 79.33.42.119 8519 .Jun 27 10:01:08.041: PSECURE: psecure_deactivate_port_security: Deactivating port-security feature
Jun 27 12:01:09 79.33.42.119 8520 .Jun 27 10:01:08.041: PSECURE: port_deactivate: port status is 1
Jun 27 12:01:09 79.33.42.119 8521 .Jun 27 10:01:08.041: PSECURE: port security not active on GigabitEthernet0/8

For issues that I’ve discovered in my network, I’ve decided to remove port-security entirely from the interfaces… but I can see something with PSECURE in the logs, even though it is disabled.

In my configuration I don’t have any port-security commands on g0/8.

Why is it happening?

Hello Giovanni

This series of port security syslog messages seems to indicate that port security is being deactivated on the interface. The last one also indicates that port security is not active on the interface. Did these messages appear at the time that you actually deactivated port security on the interface, or at some time after that? Do you find that other PSECURE messages appear even after port security is completely removed from all ports?

Let us know so we can help you further in your troubleshooting process.

I hope this has been helpful!

Laz

Hi,
I have a question regarding LAN security. Let’s say a vendor visited my company and he’s using his personal laptop. He connected his laptop using my data ports or interface and he got my MAC address. Now my question is: will he get an internet connection, and why? And if yes, how do I prevent this type of attack? Plus, how do I make my environment secure?

Hello Khawla

If you don’t configure any security features, and you have DHCP enabled on your network, then the laptop that was plugged into your network port will obtain an IP address, and would also gain access to your network and to the Internet as well…

In order to prevent this from happening, you should implement port security, which is a series of layer 2 security features that enable or disable connectivity to hosts at the switch port. You can find out more about it at this lesson as well as in subsequent related lessons:

I hope this has been helpful!

Laz

Dear Lazaros Agapides,

Appreciating your reply. That is if the port finds another MAC address, but nowadays there’s a way to change the MAC address of the laptop itself. In this case, is there a way to catch this, or will my port know? Since it is the same MAC address, same IP address, same interface, same username and password, but the person is not the same. In this case, how do I protect against it? I know you will reply physical security, but logically?!