
Introduction to Switch Port Security

Port security monitors and filters Layer 2 traffic on a switch on a per-port basis. When it is enabled, the switch keeps track of the permitted source MAC addresses on each port and limits how many MAC addresses may use that port.

The switch can restrict a port to a fixed set of MAC addresses, or use a hybrid approach in which some addresses are configured statically and the rest are learned dynamically.

A violation occurs when a port has already reached its maximum number of allowed addresses and sees a frame whose source MAC address is not in its list of learned or statically configured addresses. The switch then takes the violation action configured for that port.

⭐Related : CCNA RnS Article #31: STP Behavior
⭐Related : CCNA RnS Article #32: Influencing STP

What are the various violation modes on the switch port?

A switch port can be configured for one of three violation modes. The mode decides what the switch does when a violation occurs on that port.

Fig 1.1- Introduction to Switch Port Security 

There are three violation modes you can enable on a port to protect the end devices behind it:

  • Protect mode
  • Restrict mode
  • Shutdown mode
Let's discuss each of them in turn, followed by its configuration.

 ⭐ Violation : Protect Mode

In protect mode, once the number of secure MAC addresses on the port has reached the configured maximum, frames with an unknown source address are silently dropped until you remove enough secure MAC addresses to drop below the maximum, or raise the maximum. Nothing is logged, no trap is sent and the violation counter does not move, so an attacker probing the port leaves no trace on the switch; this mode is the hardest to monitor.

  • Traffic is forwarded in the Protect mode: No
  • Sends SNMP Traps for notification: No
  • Sends Syslog message: No
  • Display Error message: No
  • Violation counter increment: No
  • Shutdown the port: No

Let's see how to configure this on the switch using protect mode:
  • Interface is Eth0/5
  • The MAC address is configured statically: check the MAC of PC 5 and enter it on the port; in our case it is 0000.0500.0003
  • Max is 1 device per port
  • Violation mode is protect

NDNA_Sw1> en
NDNA_Sw1# config t
NDNA_Sw1(config)# interface Eth0/5
NDNA_Sw1(config-if)# switchport mode access
NDNA_Sw1(config-if)# switchport port-security
NDNA_Sw1(config-if)# switchport port-security maximum 1
NDNA_Sw1(config-if)# switchport port-security mac-address 0000.0500.0003
NDNA_Sw1(config-if)# switchport port-security violation protect
NDNA_Sw1(config-if)# end
NDNA_Sw1#
Hope you understand this switch port security protect mode.

 ⭐ Violation : Restrict Mode

In restrict mode, as in protect mode, once the number of secure MAC addresses has reached the maximum allowed on the port, frames with unknown source addresses are dropped until you remove enough secure MAC addresses to drop below the maximum, or raise the maximum. The port itself stays up, so the legitimate hosts behind it keep working.

In this mode, we are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

  • Traffic is forwarded in the Restrict mode: No
  • Sends SNMP Traps for notification: Yes
  • Sends Syslog message: Yes
  • Display Error message: No
  • Violation counter increment: Yes
  • Shutdown the port: No
Let's see how to configure this on the switch using restrict mode:
  • Interfaces are Eth0/1 and Eth0/2
  • MAC addresses are learned as sticky (they are written into the running configuration; save the configuration if they should survive a reload)
  • Max is 2 devices per port
  • Violation mode is restrict

NDNA_Sw1> en
NDNA_Sw1# config t
NDNA_Sw1(config)# interface range Eth0/1-2
NDNA_Sw1(config-if-range)# switchport mode access
NDNA_Sw1(config-if-range)# switchport port-security
NDNA_Sw1(config-if-range)# switchport port-security maximum 2
NDNA_Sw1(config-if-range)# switchport port-security mac-address sticky
NDNA_Sw1(config-if-range)# switchport port-security violation restrict
NDNA_Sw1(config-if-range)# end
NDNA_Sw1#
Hope you understand this switch port security restrict mode.

 ⭐ Violation : Shutdown Mode

When a violation occurs in this mode, the interface is put into the error-disabled state immediately: it shuts down and the port LED goes off, so all hosts on that port lose connectivity, not just the offending one. A secure port in the error-disabled state is re-enabled manually with the shutdown followed by no shutdown interface configuration commands, or automatically with the errdisable recovery cause psecure-violation global configuration command (the recovery timer is set with errdisable recovery interval). This is the default violation mode.

  • Traffic is forwarded in the Shutdown mode: No
  • Sends SNMP Traps for notification: Yes
  • Sends Syslog message: Yes
  • Display Error message: No
  • Violation counter increment: Yes
  • Shutdown the port: Yes
Let's see how to configure this on the switch using shutdown mode:
  • Interfaces are Eth0/3 and Eth0/4
  • MAC addresses are learned as sticky
  • Max is 1 device per port
  • Violation mode is shutdown

NDNA_Sw1> en
NDNA_Sw1# config t
NDNA_Sw1(config)# interface range Eth0/3-4
NDNA_Sw1(config-if-range)# switchport mode access
NDNA_Sw1(config-if-range)# switchport port-security
NDNA_Sw1(config-if-range)# switchport port-security maximum 1
NDNA_Sw1(config-if-range)# switchport port-security mac-address sticky
NDNA_Sw1(config-if-range)# switchport port-security violation shutdown
NDNA_Sw1(config-if-range)# end
NDNA_Sw1#
Hope you understand this switch port security shutdown mode.
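The three configurations above differ only in what the port does once its secure address table is full. The Python model below, added here as an illustration and not code from the article or from Cisco, replays the Eth0/5, Eth0/1-2 and Eth0/3-4 setups against sample frames so the protect, restrict and shutdown outcomes can be compared side by side. 0000.0500.0003 is the article's MAC; every other MAC address is made up, and the notification strings imitate the IOS syslog format rather than being captured output.

```python
"""Model of how a Cisco port-security port reacts to frames under each
violation mode. Added illustration, not code from the original article;
behaviour follows the protect/restrict/shutdown rules described above.
MAC 0000.0500.0003 is from the article; all other MACs are made up."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = SHUTDOWN                   # IOS default violation mode
    sticky: bool = False                        # 'mac-address sticky' set?
    static: set = field(default_factory=set)    # 'mac-address <mac>' entries
    learned: set = field(default_factory=set)   # dynamically learned entries
    violation_count: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)  # syslog/SNMP sent

    def secure_macs(self) -> set:
        return self.static | self.learned

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        if len(self.secure_macs()) >= self.maximum:
            # IOS rejects a static entry that would exceed the maximum
            raise ValueError(f"{self.name}: maximum secure addresses reached")
        self.static.add(mac)

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; return 'forwarded' or 'dropped'."""
        if self.err_disabled:
            return "dropped"                    # port is down, nothing passes
        if src_mac in self.secure_macs():
            return "forwarded"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)           # learn until the maximum
            return "forwarded"
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> str:
        if self.violation == PROTECT:
            return "dropped"                    # silent: no counter, no log
        # restrict and shutdown both count the event and notify
        self.violation_count += 1
        self.notifications.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == SHUTDOWN:
            self.err_disabled = True
            self.notifications.append(
                f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                f"{self.name}, putting {self.name} in err-disable state")
        return "dropped"

    def recover(self) -> None:
        """'shutdown' then 'no shutdown' (or errdisable recovery). Sticky
        addresses live in the running config and survive; plain dynamic
        addresses are lost when the port goes down."""
        self.err_disabled = False
        if not self.sticky:
            self.learned.clear()


def run_demo() -> dict:
    """Replay the article's three configurations against sample frames."""
    out = {}
    # Eth0/5: static MAC, maximum 1, violation protect
    p = SecurePort("Ethernet0/5", maximum=1, violation=PROTECT)
    p.add_static("0000.0500.0003")
    out["protect"] = (p.receive("0000.0500.0003"), p.receive("0000.0500.00aa"),
                      p.violation_count, len(p.notifications))

    # Eth0/1: sticky, maximum 2, violation restrict
    r = SecurePort("Ethernet0/1", maximum=2, violation=RESTRICT, sticky=True)
    first = [r.receive(m) for m in ("0000.0100.0001", "0000.0100.0002")]
    intruder = r.receive("0000.0100.00aa")
    still_ok = r.receive("0000.0100.0001")      # known hosts keep working
    out["restrict"] = (first, intruder, still_ok, r.violation_count,
                       r.err_disabled)

    # Eth0/3: sticky, maximum 1, violation shutdown
    s = SecurePort("Ethernet0/3", maximum=1, violation=SHUTDOWN, sticky=True)
    legit = s.receive("0000.0300.0001")
    intruder = s.receive("0000.0300.00aa")
    after = s.receive("0000.0300.0001")         # legit host is cut off too
    s.recover()
    back = s.receive("0000.0300.0001")          # sticky entry survived
    out["shutdown"] = (legit, intruder, after, s.err_disabled is False,
                       s.violation_count, back)
    return out


if __name__ == "__main__":
    for mode, result in run_demo().items():
        print(mode, result)
```

The model makes the operational trade-off visible: protect gives no signal at all, restrict keeps the legitimate hosts up while producing a log you can alert on, and shutdown produces the log but also takes the legitimate hosts down until someone (or the errdisable recovery timer) clears the port.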

Now suppose a device that was not connected before is plugged into Eth0/3. Its MAC address is not the sticky address already secured on the port, so its first frame triggers the shutdown violation action. Before the new device sends anything, the port looks like this:

NDNA_Sw1#show port-security interface Eth0/3

Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
Secure Static Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Security Violation Count : 0

Once the new device sends traffic, the port goes err-disabled; show port-security interface would then report Port Status : Secure-shutdown and Security Violation Count : 1, and the interface itself shows the err-disabled state:

NDNA_Sw1# show interface Eth0/3
Ethernet0/3 is down, line protocol is down (err-disabled)
Hardware is Lance, address is  0000.7a20.0b01 (bia 0000.7a20.0b01)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
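When many ports are secured, checking each one by hand does not scale, so the verification step above is worth scripting. The helpers below are an added example, not code from the article: SHOW_BEFORE reproduces the article's show port-security interface output, while SHOW_AFTER (the same port after the shutdown action) and the syslog lines are constructed to match IOS formatting and are assumptions rather than lab captures.

```python
"""Triage helpers for port-security verification output. Added example, not
from the original article. SHOW_BEFORE reproduces the article's 'show
port-security interface' output; SHOW_AFTER and SYSLOG are constructed to
match IOS formatting and are assumptions, not captured from the lab."""
import re

SHOW_BEFORE = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
Secure Static Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Security Violation Count : 0
"""

# Same port after an unknown MAC triggered the shutdown action (assumed values)
SHOW_AFTER = (SHOW_BEFORE.replace("Secure-up", "Secure-shutdown")
              .replace("Security Violation Count : 0",
                       "Security Violation Count : 1"))

# Constructed syslog lines in the IOS format; the MAC and timestamps are made up
SYSLOG = """\
*Mar  1 00:12:34.567: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0500.00aa on port Ethernet0/3.
*Mar  1 00:12:34.570: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/3, putting Et0/3 in err-disable state
*Mar  1 00:12:35.001: %LINK-3-UPDOWN: Interface Ethernet0/3, changed state to down
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$",
    re.I | re.M)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+), putting")


def parse_port_security(text: str) -> dict:
    """Turn 'show port-security interface' output into a dict.
    Purely numeric values become ints; everything else stays a string."""
    info = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = (part.strip() for part in line.split(" : ", 1))
        info[key] = int(value) if value.isdigit() else value
    return info


def triage(info: dict) -> str:
    """Classify a port for the operator:
    disabled     - port-security is not enabled here at all
    err-disabled - shutdown action fired; needs shutdown/no shutdown or
                   errdisable recovery cause psecure-violation
    violations   - counter > 0 but port still up (restrict mode); investigate
    ok           - nothing to do"""
    if info.get("Port Security") != "Enabled":
        return "disabled"
    if info.get("Port Status") == "Secure-shutdown":
        return "err-disabled"
    if info.get("Security Violation Count", 0) > 0:
        return "violations"
    return "ok"


def parse_violations(syslog: str) -> list:
    """Return (offending_mac, port) pairs from PSECURE_VIOLATION messages."""
    return [(m.group(1).lower(), m.group(2))
            for m in VIOLATION_RE.finditer(syslog)]


def errdisabled_ports(syslog: str) -> set:
    """Return the (short) interface names that went err-disabled."""
    return {m.group(1) for m in ERRDISABLE_RE.finditer(syslog)}


if __name__ == "__main__":
    print("before:", triage(parse_port_security(SHOW_BEFORE)))
    print("after: ", triage(parse_port_security(SHOW_AFTER)))
    print("offenders:", parse_violations(SYSLOG))
    print("err-disabled:", errdisabled_ports(SYSLOG))
```

Feed the syslog parser your switch logs and the show parser the per-interface output collected over SSH, and you have the two facts an on-call engineer needs for a port-security incident: which MAC caused it and whether the port is still passing traffic. Remember that protect-mode ports never appear in the syslog output; the only way to notice trouble on them is the absence of traffic from a host.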
Hope this article helps you understand switch port security, its violation modes and the configuration that goes with each of them.

