Port Security is a security feature of Cisco switches that lets you permit or deny traffic by source MAC address on a per-interface basis. This effectively allows engineers to control which devices are allowed to access a network.

Whenever traffic from an unauthorized MAC address enters the interface some action will be taken. By default, the interface is put into an ‘err-disabled’ state. This means that, assuming default configuration, if port security is triggered on an interface no traffic will be able to pass the interface, even if it’s authorized.

When you enable port security on an interface with the default settings, one MAC address is allowed. You can configure this address manually, but if you don’t the switch will allow the first source MAC address that enters the interface. That way, whatever host is connected to the interface will be allowed, but if someone disconnects the host and plugs in a new one the interface will be disabled.

Obviously, this configuration has limitations; if you want to connect multiple devices to the same interface (e.g. a PC and an IP phone) you won’t be able to. Thankfully, you can increase the number of allowed MAC addresses.

Warning

MAC address spoofing is simple for an attacker; if they know one of the allowed MAC addresses, they can easily spoof it and get access to the interface.

Info

It is often more useful to use Port Security to limit the number of MAC addresses allowed on each interface than it is to rigidly control exactly which MAC addresses are allowed — this helps mitigate attacks that involve large numbers of spoofed MAC addresses, like DHCP exhaustion attacks.


Violation Modes

There are three violation modes that determine what happens when unauthorized traffic enters an interface:

  1. Shutdown (default)
    • Shuts the port entirely, for all traffic; port enters err-disabled state
    • Generates a Syslog (and possibly an SNMP) message
    • Violation counter is incremented by 1
  2. Restrict
    • Unauthorized traffic is discarded
    • Interface is not disabled
    • Syslog and/or SNMP messages are generated every time an unauthorized MAC is detected
    • Violation counter is incremented by 1 for every unauthorized frame
  3. Protect
    • Unauthorized traffic is discarded
    • Interface is not disabled
    • Syslog/SNMP messages are not generated
    • Violation counter not incremented

Secure MAC Address Aging

By default secure MAC addresses (those dynamically learned or manually configured to be trusted) do not age out. They are permanent unless manually deleted.

You can configure aging time using the command in the Configuration section (Cisco IOS). There are two aging types you can then select from:

  1. Absolute (default)
    • After the secure MAC address is learned, the aging timer starts and the MAC is removed once it expires, even if the interface is still receiving traffic from that source MAC address.
  2. Inactivity
    • The aging timer is reset every time the interface receives a frame from the source MAC address.

Even if you enable aging, by default only dynamically learned MAC addresses will age. You can also configure statically configured addresses to age with an additional command.
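
The violation modes and aging types described above, as a small Python model (an added example, not Cisco code and not part of the original notes). It assumes every secure MAC is dynamically learned; the class, its field names and the sample MAC addresses are constructed for illustration, and static or sticky entries are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Illustrative model of one port-security interface (not Cisco code)."""
    violation: str = "shutdown"     # shutdown | restrict | protect
    maximum: int = 1                # secure MACs allowed; the default is one
    aging_time: int = 0             # minutes; 0 = never age out (the default)
    aging_type: str = "absolute"    # absolute | inactivity
    secure: dict = field(default_factory=dict)  # MAC -> minute timer started
    err_disabled: bool = False
    violations: int = 0
    logs: list = field(default_factory=list)    # stands in for Syslog/SNMP

    def _age_out(self, now):
        if self.aging_time:
            self.secure = {m: t for m, t in self.secure.items()
                           if now - t < self.aging_time}

    def receive(self, mac, now=0):
        """Return True if a frame from `mac` at minute `now` is forwarded."""
        if self.err_disabled:
            return False            # nothing passes, authorized or not
        self._age_out(now)
        if mac in self.secure:
            if self.aging_type == "inactivity":
                self.secure[mac] = now      # traffic resets the aging timer
            return True
        if len(self.secure) < self.maximum:
            self.secure[mac] = now          # dynamically learn a new secure MAC
            return True
        # Violation: the table is full and this source MAC is not in it.
        if self.violation != "protect":
            self.violations += 1
            self.logs.append(f"security violation by {mac}")
        if self.violation == "shutdown":
            self.err_disabled = True
        return False

def demo(mode):
    """Constructed traffic: PC, two frames from an unknown host, PC again."""
    port = SecurePort(violation=mode)
    pc, other = "0000.5e00.5301", "0000.5e00.5302"  # constructed sample MACs
    forwarded = [port.receive(m) for m in (pc, other, other, pc)]
    return forwarded, port.violations, port.err_disabled

if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, demo(mode))
```

With `aging_time=10`, frames from one host at minutes 0 and 8 followed by a second host at minute 12 show the difference between the aging types: under absolute aging the first entry has already expired and the second host is learned in its place, while under inactivity aging the entry is still live and the second host triggers a violation.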


Sticky Secure MAC Addresses

Enabling this feature causes all current and future dynamically learned MAC addresses to be converted to ‘sticky’ addresses, i.e. they will be added as entries to the switch’s running-config. You can then save the running-config (write, write memory, or copy running-config startup-config) and these MAC addresses will already be configured as secure addresses for the interface.

Sticky MAC addresses never age out, regardless of aging configurations.

Disabling sticky addresses will convert all addresses to dynamic.


Verification

Cisco IOS

  • show port-security interface interface-id
    • Displays basic info about port security configuration on the selected interface.

Configuration

Cisco IOS

Note

Port security may be used on either access or trunk ports; however, they must be statically configured as access or trunk. The default ‘dynamic auto’ will not work with port security.

  • (config-if)#switchport mode [access | trunk]
    • Designate the port as either access or trunk. Either will work, but it must be explicitly configured; no dynamic auto mode.
  • (config-if)#switchport port-security
    • Enable port security on the interface with default settings.
  • (config-if)#switchport port-security violation [shutdown | restrict | protect]
    • Set the violation mode used when port security is triggered. shutdown is the default mode.
  • (config-if)#switchport port-security mac-address mac-address
    • Configure a permitted MAC address.
  • (config-if)#switchport port-security aging time minutes
    • Configure a time after which trusted ‘secure’ MAC addresses will be forgotten.
  • (config-if)#switchport port-security aging type [absolute | inactivity]
    • Configure the aging type. absolute is default.
  • (config-if)#switchport port-security aging static
    • Enable aging for statically (manually) configured addresses. Off by default.
  • (config-if)#switchport port-security mac-address sticky
    • Enable ‘Sticky Secure MAC Addresses’. Converts current and future dynamically-learned MAC addresses to ‘sticky’ addresses.
    • Disabling (prepend no) will convert all ‘sticky’ addresses to dynamic addresses.

Re-enable an Interface

Note

Before re-enabling an interface that was shut down by port security, you should first remove the offending device(s) that triggered the shutdown.

Manual

  • (config)#interface shutdown-interface-id
  • (config-if)#shutdown
  • (config-if)#no shutdown

ErrDisable Recovery (Automatic)

errdisable recovery is a tool that can be used to automatically re-enable any interface that is in an errdisable state. We can use it to re-enable interfaces that were shut down by port security. See Errdisable Recovery for more info.

  • (config)#errdisable recovery cause psecure-violation
  • (config)#errdisable recovery interval seconds
    • Configure how frequently interfaces will be re-enabled. 300s by default.