Introduction:
Port security is easy to configure and allows you to secure access to a port on a MAC address basis. Port security is configured locally on each switch; there is no mechanism for controlling port security in a centralized fashion across distributed switches. Port security is normally configured on ports that connect servers or fixed devices, because the likelihood of the MAC address changing on such a port is low. A common example of basic port security is applying it to a port located in a publicly accessible area of the physical premises, such as a meeting room or reception area. By restricting the port to accept only the MAC address of the authorized device, you prevent unauthorized access if somebody plugs another device into the port.
Configuring port security on Catalyst switches running CatOS:
To enable port security on CatOS, you use the "set port security" command. The first step you must take is to enable port security on a particular port. You then can allow one or more MAC addresses to use a secured port. You can manually specify these addresses, allow the switch to auto-learn the addresses, or use a mixture of both. Finally, you can specify a violation action (either shut down the entire port or block unauthorized traffic), which occurs when an unauthorized MAC address is detected on the port. The set port security command has the following syntax:
set port security mod/port [enable | disable] [mac_addr] [age age_time]
[maximum limit] [shutdown shutdown-time] [violation {shutdown | restrict}]
In the event of a security violation, the port can be configured to go into shutdown mode or restrictive mode. The port behavior depends on how the port is configured to respond to a security violation. If a security violation occurs, the link LED for that port turns orange.
These are the guidelines for port security configuration:
-> Port security cannot be configured on a trunk port.
-> Port security cannot be enabled on a Switched Port Analyzer (SPAN) destination port, nor can SPAN be enabled on a destination port that has port security enabled.
-> Dynamic, static, or permanent Content-Addressable Memory (CAM) entries cannot be configured on a secure port.
-> Port security is not supported on the three-port Gigabit Ethernet module (WS-X5403).
-> When port security is enabled on a port, any static or dynamic CAM entries associated with the port are cleared. All currently configured permanent CAM entries are treated as secure.
Configuration example:
Switch> (enable) set port security 3/1 enable
Port 3/1 port security enabled with the learned mac address.
Trunking disabled for Port 3/1 due to Security Mode
Switch> (enable) set port security 3/1 maximum 10
Maximum number of secure addresses set to 10 for port 3/1
Switch> (enable) set port security 3/1 00-d0-ba-11-21-31
Mac address 00-d0-ba-11-21-31 set for port 3/1
Switch> (enable) set port security 3/1 violation restrict
Port security violation on port 3/1 will cause insecure packets to be dropped
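As an added illustration (not part of the original page and not Cisco code), the following Python model simulates the behaviour described above: a secure-MAC table built from static and auto-learned addresses, the maximum limit, and the restrict versus shutdown violation actions. Port names and MAC addresses are constructed to mirror the configuration example, and the default maximum of 1 is an assumption.

```python
from dataclasses import dataclass, field

# Constructed simulation of CatOS-style port security on a single port.
# Not Cisco code; defaults (maximum=1, violation=shutdown) are assumptions.

@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # set port security mod/port maximum N
    violation: str = "shutdown"      # "shutdown" or "restrict"
    secure_macs: set = field(default_factory=set)  # static + learned MACs
    enabled: bool = True             # False once a shutdown violation fires
    violations: int = 0              # count of frames from insecure MACs

    def add_static(self, mac: str) -> None:
        """Manually specify a secure MAC (set port security mod/port <mac>)."""
        self.secure_macs.add(mac.lower())

    def ingress(self, src_mac: str) -> str:
        """Process one frame; returns forward, learn, drop or shutdown."""
        mac = src_mac.lower()
        if not self.enabled:
            return "drop"            # port was shut down by an earlier violation
        if mac in self.secure_macs:
            return "forward"         # authorized device
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)  # auto-learn until the maximum is reached
            return "learn"
        self.violations += 1
        if self.violation == "restrict":
            return "drop"            # insecure packets dropped, port stays up
        self.enabled = False         # shutdown mode: entire port goes down
        return "shutdown"

def simulate(port: SecurePort, src_macs: list) -> list:
    """Replay a sequence of source MACs through the port, returning actions."""
    return [port.ingress(mac) for mac in src_macs]

if __name__ == "__main__":
    # Mirrors the example: port 3/1, maximum 10, one static MAC, restrict mode.
    p = SecurePort("3/1", maximum=10, violation="restrict")
    p.add_static("00-d0-ba-11-21-31")
    print(simulate(p, ["00-d0-ba-11-21-31", "00-00-0c-12-34-56"]))
```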
Related Information:
Cisco Catalyst 6000 Series Switches