While the switchport security feature is very useful if used correctly, it can easily be misconfigured; this misconfiguration can cause service interruption and ongoing headaches for an organization. The planning of the configuration includes determining which violation mode and operation mode to use based on the goals of the organization, as well as determining which switchports should be enabled with the feature. This article takes a look at how the switchport security feature is configured by extending on the concepts that were covered in Switchport Security Concepts.
By default, the switchport security feature is disabled on all switchports and must be enabled. Table 1 shows the steps required to enable the switchport security feature on an interface. This can cause some confusion, but when using Cisco IOS, switchport configuration is performed while in interface configuration mode; the terms interface and switchport are interchangeable. Without configuring any other specific parameters, the switchport security feature will only permit one MAC address to be learned dynamically per switchport and will use the shutdown violation mode; this means that if a second MAC address is seen on the switchport, the port will be shut down and put into the err-disabled state.
As stated above, by default MAC addresses are learned on a switchport dynamically and are called dynamic MAC addresses. MAC addresses can also be configured in two other ways: statically and sticky.
Static MAC addresses can be configured on a switchport to ensure that only a device with a specific MAC address can use that switchport; for example, if the switchport location and the device are publicly accessible and the organization wants to ensure that only the authorized device can access the network. With sticky learning, a MAC address that is dynamically learned is automatically entered into the running configuration as a static MAC address; the address is then kept in the running configuration until a reboot.
On reboot, the MAC address will be lost; if the network engineer wants to keep the MAC address across a reboot, a configuration save (copy running-config startup-config) is required. To wrap the configuration commands into a single example to ensure clarity, this section will show a basic switchport security example. If the maximum number of secure MAC addresses has been reached, a security violation occurs when a device with a different MAC address tries to attach to that port.
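As an added example (not from the original article), the basic configuration described above with every parameter left at its default (one dynamically learned MAC address, shutdown violation mode), followed by the commands used to verify it. The interface name GigabitEthernet0/1 is an assumed placeholder:

```cisco
! Added example, not from the original article. Interface name is assumed.
Switch# configure terminal
Switch(config)# interface GigabitEthernet0/1
! Port security is only accepted on an access port, not on a dynamic/trunk port
Switch(config-if)# switchport mode access
! Enable the feature with its defaults: maximum 1, violation shutdown, no sticky
Switch(config-if)# switchport port-security
Switch(config-if)# end
! Verify: Port Security Enabled, Maximum MAC Addresses 1, Violation Mode Shutdown
Switch# show port-security interface GigabitEthernet0/1
! Lists the secure addresses learned so far (dynamic, static or sticky) per port
Switch# show port-security address
! A port that tripped the default shutdown mode is listed here as err-disabled
Switch# show interfaces status err-disabled
```

With these defaults the first frame seen on the port pins its source MAC as the only secure address; a second source MAC puts the port into err-disabled, and until errdisable recovery is configured an administrator has to issue shutdown followed by no shutdown on the interface to bring it back.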
A switch can be configured to only protect or restrict that port. We will discuss these security violation modes a little later. On a Cisco switch, you are able to configure three types of security violation modes.
A security violation occurs when the maximum number of MAC addresses has been reached and a new device, whose MAC address is not in the address table, attempts to connect to the interface, or when a learned MAC address on an interface is seen on another secure interface in the same VLAN. Depending on the action you want a switch to take when a security violation occurs, you can configure the behavior of a switch port to one of the following:
The default configuration of a Cisco switch has port security disabled. If you enable switch port security, the default behavior is to allow only 1 MAC address, shut down the port in case of a security violation, and leave sticky address learning disabled. Next, we will enable dynamic port security on a switch. As you can see, we did not specify an action to be taken if a security violation occurs, nor how many MAC addresses are allowed on the port.
Recalling from above, the default behavior is to shut down the port and allow only one MAC address. After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these ways:
Note: If the port shuts down, all dynamically learned addresses are removed. Sticky secure MAC addresses can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts.
If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the configuration, they are lost.
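As an added example (not from the original article), a static secure address on one port next to sticky learning on another, ending with the configuration save the text says is needed to keep sticky addresses across a restart. The interface names and the MAC address 0000.1111.2222 are constructed placeholders:

```cisco
! Added example, not from the original article. Interface names and the
! MAC address 0000.1111.2222 are constructed placeholders.
Switch# configure terminal
! Static: a publicly reachable port that only one known device may use
Switch(config)# interface GigabitEthernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
Switch(config-if)# exit
! Sticky: learn whatever is attached now and pin it in the running-config
Switch(config)# interface GigabitEthernet0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
! After the host on Gi0/3 has sent a frame, its address is shown under the
! interface as "switchport port-security mac-address sticky <mac>"
Switch# show running-config interface GigabitEthernet0/3
! Sticky addresses exist only in running-config until saved; without this
! step the port relearns (possibly a different device) after a reload
Switch# copy running-config startup-config
```

Turning sticky learning off again with no switchport port-security mac-address sticky converts the learned entries back to dynamic secure addresses and drops them from the running configuration, so a saved copy taken earlier is the only record of which device was on the port.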
Switch(config-if)# switchport port-security mac-address sticky

Note: When a Catalyst series switch port is configured to support voice as well as port security, the maximum number of allowable MAC addresses on this port should be changed to three.
For example, suppose port A1 allows one authorized device and already has a device listed:
(Optional) Sets the violation mode, the action to be taken when a security violation is detected, as one of these:
For absolute aging, all the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. After the maximum number of secure MAC addresses is configured, they are stored in an address table. To ensure that an attached device has the full bandwidth of the port, configure the MAC address of the attached device and set the maximum number of addresses to one, which is the default.
A security violation occurs if the maximum number of secure MAC addresses has been added to the address table and a workstation whose MAC address is not in the address table attempts to access the interface.
You can configure the interface for one of these violation modes, based on the action to be taken if a violation occurs: The rate at which SNMP traps are generated can be controlled by the snmp-server enable traps port-security trap-rate command. The default value "0" causes an SNMP trap to be generated for every security violation. Shutdown is the default mode. You can also customize the time to recover from the specified error-disable cause (default is seconds) by entering the errdisable recovery interval interval command.
To restrict traffic through a port by limiting and identifying the MAC addresses of the stations allowed to access the port, perform this task: Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.
(Optional) Sets the maximum number of secure MAC addresses for the interface.
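As an added example (not from the original article), the task above carried through on one port, combined with the violation mode, SNMP trap-rate, errdisable recovery, voice-port maximum and absolute aging settings discussed in the preceding sections. The interface, VLAN numbers, trap rate and timers are assumed values chosen for illustration:

```cisco
! Added example, not from the original article. Interface, VLANs, trap rate
! and timer values are assumed.
Switch# configure terminal
! Global: cap port-security traps at 10 per second (0, the default, sends one
! trap for every violation, which an attacker can turn into a trap flood)
Switch(config)# snmp-server enable traps port-security trap-rate 10
! Global: recover shutdown-mode ports automatically after 300 seconds instead
! of waiting for a manual shutdown / no shutdown on the interface
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# interface GigabitEthernet0/4
! Step 1: access mode (a dynamic desirable port cannot be made secure)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! An IP phone with a PC behind it: raise the maximum to three per the note above
Switch(config-if)# switchport voice vlan 20
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
! restrict: offending frames are dropped and counted, a trap/syslog is raised,
! and the port stays up (shutdown would err-disable it; protect drops silently)
Switch(config-if)# switchport port-security violation restrict
! Absolute aging: each secure address is removed 10 minutes after it was
! learned, so a replaced phone or PC does not stay locked out
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type absolute
Switch(config-if)# end
! Verify: the SecurityViolation count increments under restrict, and the
! recovery timer for psecure-violation is shown as enabled
Switch# show port-security interface GigabitEthernet0/4
Switch# show errdisable recovery
```

Restrict is the mode to choose when the port must stay in service but each violation should still be visible in the logs and counters; protect gives no signal at all, and shutdown trades availability for a hard stop that needs errdisable recovery (or an operator) to clear.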