Introduction to Switch Port Security 

Port security monitors and blocks Layer 2 traffic on a switch on an individual port basis. Enabling this feature keeps track of permitted source MAC addresses and restricts the number of MACs that can use a specific port. 

The switch can restrict access to a certain set of MAC addresses or employ a hybrid approach, with some addresses set statically and others learnt dynamically.

When a port reaches its maximum number of allowed addresses or comes across a source MAC address that is not in its list of learnt or statically configured permissible addresses, a violation occurs. After then, it can carry out a designated task.

⭐Related : CCNA RnS Article #31: STP Behavior
⭐Related : CCNA RnS Article #32: Influencing STP

What are the various violation modes on the switch port?

The switch port is utilized in three different modes, which are described below. Depending on what should happen in the event of a violation, we can set up the interface for one of three modes.

Fig 1.1- Introduction to Switch Port Security 

So  there are 3 different modes you can enable on port to secure your end devices and these modes are 

• Protect mode
• Restrict mode
• Shut down mode 

Lets discuss all these one by one followed with the configurations.

 ⭐ Violation : Protect Mode

In the protect mode, packets with unknown source addresses are rejected until we remove enough secure MAC addresses to reduce the maximum value or raise the total number of allowed addresses when the number of secure MAC addresses reaches the maximum limit allowed on the port. This mode doesn't have a notice.

• Traffic is forwarded in the Protect mode: No
• Sends SNMP Traps for notification: No
• Sends Syslog message: No
• Display Error message: No
• Violation counter increment: No
• Shutdown the port: No

Let's see how to configure this on Switch using Protect mode

• Interface is Eth0/5
• MAC should be manual, so check the mac of PC 5 and put there, in our case it is 0000.0500.0003
• Max is 1 device per port
• Violation mode is protect

NDNA_Sw1> en

NDNA_Sw1# config t

NDNA_Sw1 (config) # interface range Eth0/5

NDNA_Sw1 (config-if) # switchport mode access

NDNA_Sw1 (config-if) # switchport port-security

NDNA_Sw1 (config-if) # switchport port-security maximum 1

NDNA_Sw1 (config-if) # switchport port-security mac-address 0000.0500.0003 

NDNA_Sw1 (config-if) # switchport port-security violation protect

NDNA_Sw1 (config-if) # exit

NDNA_Sw1# 

Hope you understand this switch port security protect mode.

 ⭐ Violation : Restrict Mode

In the restrict mode, packets with unknown source addresses are rejected until we remove enough secure MAC addresses to bring the total number of allowed addresses below the maximum value or raise the number of maximum allowable addresses when the number of secure MAC addresses reaches the maximum limit allowed on the port. 

In this mode, we are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

• Traffic is forwarded in the Protect mode: No
• Sends SNMP Traps for notification: Yes
• Sends Syslog message: Yes
• Display Error message: No
• Violation counter increment: yes
• Shutdown the port: No

Let's see how to configure this on Switch using Restrict mode

• Interface is Eth0/1 and Eth0/2
• MAC should be Sticky
• Max is 2 device per port
• Violation mode is restrict 

NDNA_Sw1> en

NDNA_Sw1# config t

NDNA_Sw1 (config) # interface range Eth0/1-2

NDNA_Sw1 (config-if) # switchport mode access

NDNA_Sw1 (config-if) # switchport port-security

NDNA_Sw1 (config-if) # switchport port-security maximum 2

NDNA_Sw1 (config-if) # switchport port-security mac-address sticky

NDNA_Sw1 (config-if) # switchport port-security violation restrict

NDNA_Sw1 (config-if) # exit

NDNA_Sw1# 

Hope you understand this switch port security restrict mode.

 ⭐ Violation : Shutdown Mode

When a port security breach occurs in this mode, the interface becomes error-disabled, shuts down instantly, and the port LED goes off. When a secure port is in the error-disabled state, we can manually re-enable it by using the shutdown and no shut down interface configuration commands, or we can use the err disable recovery cause secure-violation global configuration command to get it out of this status. This is how things normally work. This is the default mode.

• Traffic is forwarded in the Protect mode: No
• Sends SNMP Traps for notification: No
• Sends Syslog message: Yes
• Display Error message: No
• Violation counter increment: Yes
• Shutdown the port: No

Let's see how to configure this on Switch using Shutdown mode

• Interface is Eth0/3 and Eth0/4
• MAC should be Sticky
• Max is 1 device per port
• Violation mode is shutdown

NDNA_Sw1> en

NDNA_Sw1# config t

NDNA_Sw1 (config) # interface range Eth0/3-4

NDNA_Sw1 (config-if) # switchport mode access

NDNA_Sw1 (config-if) # switchport port-security

NDNA_Sw1 (config-if) # switchport port-security maximum 1

NDNA_Sw1 (config-if) # switchport port-security mac-address sticky

NDNA_Sw1 (config-if) # switchport port-security violation shutdown

NDNA_Sw1 (config-if) # exit

NDNA_Sw1# 

Hope you understand this switch port security shutdown mode.

So now lets suppose, we have another device trying to connect on Eth0/3 which is not connected earlier, which means it will hit the port with the violation "shutdown" 

NDNA_Sw1#show port-security interface Eth0/3

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

Secure Static Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 1

Security Violation Count : 0

Now check the interface, you will see the port is in err-disabled state 

SW1#show interface Eth0/3

FastEthernet0/1 is down, line protocol is down (err-disabled)

Hardware is Lance, address is  0000.7a20.0b01 (bia 0000.7a20.0b01)

BW 100000 Kbit, DLY 1000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Hope the article helps you to understand on switch port security, violation modes and the configurations related to it. 

⭐Related : CCNA RnS Article #33: How STP & RSTP Relate?
⭐Related : CCNA RnS Article #27: VLAN Trunking Configuration

Continue Reading...

• OSPF Show Commands on Cisco, Juniper, Huawei, HP and Arista Networks devices
• How to Optimize Your MPLS VPN with OSPF Sham-Link
• OSPF protocol : OSPF Packet Types
• OSPF NSSA Area introduction and Configuration
• Facts about DR and BDR selection in OSPF
• OSPF and BGP configuration setup on a vEdge Router
• OSPF Configuration Guide : OSPF Distance External Command Behavior
• A quick difference: OSPF Vs IS-IS Dynamic Routing Protocol
• Routing: Configuration OSPF To Filter Type-5 LSAs

Many More...

• Introduction to OSPFv3 AS External LSA Route Calculation
• Differences between OSPFv3 and OSPFv2
• OSPF Over non-Broadcast Networks ( NBMA) basics and Configuration
• OSPF Configurations in Huawei Routers
• Quick tips to OSPF Routing Protocol for Network Engineers
• OSPF Basic configuration Step by step on Cisco Routers
• OSPF Basics : Simple points to study
• OSPF prefix-suppression- Configurations and Verification
• OSPF LSA-ID Conflict : %OSPF-4-CONFLICTING_LSAID
• Cisco IOS-XE: OSPF stuck in INIT - LLS TLV
• Configure Redistribution of iBGP Routes Into OSPF
• Cisco and Juniper Routers : OSPF point to multipoint configurations

Free Tools...

• Internet Speed Test - The Network DNA
• IP Address Calculator - The Network DNA
• Password Generator Tool - The Network DNA
• What is my IP address & Location - The Network DNA
• API Collection - The Network DNA
• Visio Stencils & Icons - The Network DNA