Introduction to Switch Port Security
Port security monitors and blocks Layer 2 traffic on a switch on an individual port basis. Enabling this feature keeps track of permitted source MAC addresses and restricts the number of MACs that can use a specific port.
The switch can restrict access to a certain set of MAC addresses or employ a hybrid approach, with some addresses set statically and others learnt dynamically.
When a port reaches its maximum number of allowed addresses, or sees a source MAC address that is not in its list of learnt or statically configured addresses, a violation occurs. The port then carries out the configured violation action.
What are the various violation modes on the switch port?
A port-security-enabled interface runs in one of three violation modes. The mode decides what the switch does when a violation occurs on that port.
Fig 1.1: Introduction to Switch Port Security (lab topology used for the interface settings below)
The three modes that can be enabled on a port to secure the attached end devices are:
- Protect mode
- Restrict mode
- Shut down mode
⭐ Violation Mode: Protect
In protect mode, once the number of secure MAC addresses on the port reaches the configured maximum, frames with unknown source MAC addresses are dropped until enough secure MAC addresses are removed to bring the count below the maximum, or until the maximum is raised. This mode produces no notification of any kind.
- Violating traffic is forwarded: No
- Sends SNMP trap for notification: No
- Sends syslog message: No
- Displays error message: No
- Violation counter increments: No
- Shuts down the port: No
Lab settings for this mode (Fig 1.1):
- Interface: Eth0/5
- MAC address: configured manually (static); check the MAC of PC5 and enter it, in our case 0000.0500.0003
- Maximum: 1 device per port
- Violation mode: protect
⭐ Violation Mode: Restrict
In restrict mode, once the number of secure MAC addresses on the port reaches the configured maximum, frames with unknown source MAC addresses are dropped until enough secure MAC addresses are removed to bring the count below the maximum, or until the maximum is raised.
In this mode, we are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
- Violating traffic is forwarded: No
- Sends SNMP trap for notification: Yes
- Sends syslog message: Yes
- Displays error message: No
- Violation counter increments: Yes
- Shuts down the port: No
Lab settings for this mode (Fig 1.1):
- Interfaces: Eth0/1 and Eth0/2
- MAC address: sticky (learnt dynamically and kept in the running configuration)
- Maximum: 2 devices per port
- Violation mode: restrict
⭐ Violation Mode: Shutdown
When a port security violation occurs in this mode, the interface is put into the error-disabled state: it shuts down immediately and the port LED turns off. A secure port in the error-disabled state can be re-enabled manually with the shutdown and then no shutdown interface configuration commands, or automatically with the errdisable recovery cause psecure-violation global configuration command. Shutdown is the default violation mode.
- Violating traffic is forwarded: No
- Sends SNMP trap for notification: No
- Sends syslog message: Yes
- Displays error message: No
- Violation counter increments: Yes
- Shuts down the port: Yes (interface goes error-disabled)
Lab settings for this mode (Fig 1.1):
- Interfaces: Eth0/3 and Eth0/4
- MAC address: sticky (learnt dynamically and kept in the running configuration)
- Maximum: 1 device per port
- Violation mode: shutdown
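The following is an added configuration example, not taken from the original article or its figure: it applies the Fig 1.1 lab settings for all three modes on a Cisco IOS switch. It assumes IOS/IOS-XE syntax and that Eth0/1 to Eth0/5 are the access ports Ethernet0/1 to Ethernet0/5 on a single switch; the 300-second errdisable recovery interval is an assumed value.

```cisco
! Added example (not from the original article). Assumes Cisco IOS/IOS-XE syntax
! and that Eth0/1-Eth0/5 from Fig 1.1 are access ports Ethernet0/1-Ethernet0/5.
!
! --- Protect mode: Eth0/5, one static MAC (PC5 = 0000.0500.0003), max 1 ---
interface Ethernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0500.0003
 switchport port-security violation protect
!
! --- Restrict mode: Eth0/1 and Eth0/2, sticky learning, max 2 ---
interface range Ethernet0/1 - 2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! --- Shutdown mode (the default): Eth0/3 and Eth0/4, sticky learning, max 1 ---
interface range Ethernet0/3 - 4
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Optional: recover an err-disabled port automatically after 300 seconds
! (assumed interval) instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Sticky addresses appear in the running configuration as
! "switchport port-security mac-address sticky <mac>"; save the configuration
! or they are re-learnt after a reload.
end
write memory
!
! Verification, from privileged EXEC:
! show port-security                        - per-port max, current and violation counts, mode
! show port-security interface Ethernet0/1  - port status, mode, sticky/static counts, last source MAC
! show port-security address                - the secure MAC table (static, sticky, dynamic)
! show interfaces status err-disabled       - ports taken down by a shutdown-mode violation
! show errdisable recovery                  - whether psecure-violation recovery is enabled
```

Two points follow from the tables above. Protect mode drops the offending frames silently, so a port in that mode gives no record of a foreign device being plugged in; where visibility matters, restrict mode keeps the port up while incrementing the violation counter and logging `%PORT_SECURITY-2-PSECURE_VIOLATION`, which is the syslog message to forward and alert on. The static address on Ethernet0/5 must be entered before or together with a maximum that is at least 1, since the switch rejects a maximum lower than the number of configured secure addresses.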