Port Security Overview
When configuring switches, it is recommended that all ports be secured before being deployed for production use in the network. Typically, unused ports are configured in access mode, placed in an isolated or "blackhole" VLAN, and shut down as a security measure. Ports that are in use, on the other hand, can be secured by implementing the port security feature.
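The unused-port hardening described above, written out as an added Cisco IOS configuration example (it is not part of the original article; the VLAN number 999 and the interface range are assumptions):

```cisco
! Added example (not from the original article): harden unused ports on a
! Cisco IOS switch. VLAN 999 and the interface range are assumptions.
vlan 999
 name BLACKHOLE
!
interface range FastEthernet0/10 - 24
 description UNUSED - blackhole VLAN, administratively down
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 no cdp enable
 shutdown
!
end
```

The blackhole VLAN has no SVI and no member ports that carry traffic, so a port that is accidentally re-enabled still leads nowhere; `switchport nonegotiate` stops the port from sending DTP frames, and `shutdown` keeps it administratively down until it is deliberately put into service.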
Port security is a Layer 2 security feature on Cisco switches that allows you to control which devices are allowed to connect to specific switch ports. This feature enables the switch to learn the MAC address of the device connected to a particular port, allowing only that device to communicate through that port.
Once enabled, port security can limit the number of MAC addresses allowed to access a particular port, and it can also shut down the port or execute another action if it detects unauthorized MAC addresses attempting to connect. Port security can help prevent unauthorized access to the network and protect against MAC address spoofing and MAC address table flooding attacks.
Important: Configure port security carefully to avoid inadvertently blocking legitimate network traffic.
Port security is disabled by default on Cisco switches and must be enabled individually on each desired interface; there is no global enable for the switch. When enabled with default settings, a maximum of one MAC address (any one MAC address) is allowed on the port, and the port is shut down when a violation occurs.
The default behavior can be changed, and different criteria can be defined, such as setting up a new limit for maximum MAC addresses, designating specific MAC addresses to be permitted, and changing the violation action.
How Port Security Works
When a frame is received on a switch port with port security enabled, the source MAC address inside the Layer 2 header is checked against the available MAC addresses in the secure MAC address table. If an entry is matched, the frame is permitted, and the switch continues with the processing. Otherwise, the frame is denied.
As you can see in the image above, port security is enabled on each interface on switch SW1. However, an attacker's PC has been connected to interface FastEthernet0/2 instead of an allowed admin PC. Traffic on interface FastEthernet0/1 is allowed because the MAC address of PC1 is permitted, while everything else is denied on the other two interfaces.
The reason is that the MAC address of the attacker is not recognized on the interface FastEthernet0/2, where only the MAC address of an admin PC was initially allowed. Additionally, the number of MAC addresses connected on interface FastEthernet0/3 is higher than the maximum allowance of one, which causes the port to go down.
Learning MAC Addresses
MAC addresses allowed by the port security feature are stored in the secure MAC address table. Depending on how they are learned, some can be saved for use after a reload, while others are discarded. The three types of secure MAC addresses are:
- Static: With static port security, you manually configure the MAC addresses that are allowed on a specific port. This option can be time-consuming if many devices are connected to the switch.
- Dynamic: With dynamic port security, the switch dynamically learns MAC addresses based on the source address of the packets received on the port. While the switch allows those devices to communicate on the port, the MAC addresses are not stored in the running configuration and are discarded after a reload.
- Sticky: With sticky port security, the switch dynamically learns MAC addresses as with dynamic port security, but it also automatically adds the learned MAC addresses to the running configuration. This option can simplify the configuration process.
Security Violations
Each time there is a violation, the switch does not accept the received frame. Violations can occur for a variety of reasons, including:
- When the received frame contains a source MAC address that is different from the allowed one on that interface.
- When the received frame contains a source MAC address that is different from the allowed ones on that interface, and the maximum number of allowed MAC addresses on that interface has already been reached.
- When the total number of MAC addresses connected to the port has reached the maximum limit.
- When a frame whose source is a secure MAC address arrives at a different interface in the same VLAN as the interface on which that MAC address is secured.
Violation Actions
For each violation, action will be taken on the interface where the port security feature is enabled. Based on the configured violation mode, one of the three available actions can be defined:
- Shutdown: This is the default action. The offending frame is dropped and the port is placed in the error-disabled state; it can then be re-enabled manually (shutdown followed by no shutdown on the interface) or automatically using the error-disabled recovery functionality. The action increments the violation counter and allows sending SNMP traps or syslog messages.
- Restrict: This is a less severe action. Instead of shutting down the port, the port stays active but drops the offending frame. When executed, the violation counter increases, and SNMP traps and syslog messages can be generated (if configured).
- Protect: This action is the simplest: only the offending frame is dropped. There is no support for SNMP traps or syslog messages, and the violation counter is not incremented.
Important: In most use cases, it is recommended to avoid the “protect” action and deploy the “shutdown” or “restrict” action instead for maximum protection.
Configuring Port Security
You should always configure port security according to your network's security requirements and best practices. To configure this feature, first, you need to change the interface mode to either access or trunk because port security cannot function in the default dynamic mode. Typically, port security is enabled on access ports that connect to endpoints.
After the mode is set, you can enable port security on the interface using the switchport port-security interface command. This enables the default behavior of the feature, as described before.
Optionally, you can change the maximum number of secure MAC addresses allowed on the port using the switchport port-security maximum value command. The default is one.
In addition, you can specify the allowed MAC addresses on a port, which can be done in two different ways. The first approach allows you to manually define the allowed MAC addresses using the switchport port-security mac-address mac-address command.
The second approach uses sticky learning of MAC addresses. To enable sticky learning, use the switchport port-security mac-address sticky command.
Note: You can configure as many MAC addresses as the defined value of the maximum number of MAC addresses. However, if you configure fewer MAC addresses than the maximum allowed, the remaining MAC addresses will be dynamically learned.
Optionally, you can change the default action of a shutdown to another one. To set the violation mode, use the switchport port-security violation protect | restrict | shutdown command.
Port security supports several aging parameters to control how long a secure MAC address is retained in the address table before being aged out. The aging type specifies the type of aging used for secure MAC addresses.
The two supported types are absolute and inactivity. Absolute aging is based on a fixed time period, while inactivity aging is based on the amount of time since the last time a secure MAC address was seen on the port. To set the aging type, use the switchport port-security aging type absolute | inactivity command.
In addition, you can also define the aging time. This is the length of time a secure MAC address is retained in the address table before being aged out. The default aging time is 300 seconds. Use the switchport port-security aging time minutes command to set the aging time.
Port Security Configuration Example
The image below shows an example topology, which will be used to illustrate the configuration of port security on a switch.
The goal is to enable port security on both interfaces on SW1. On interface FastEthernet0/1, only the MAC address of PC1 should be allowed, and the "shutdown" action should be applied in case of a violation.
On interface FastEthernet0/2, a maximum limit of two MAC addresses should be permitted (the MAC addresses of the IP phone and PC3), and the violation action of "restrict" should be applied. See the commands below to configure this setup:
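The configuration procedure from the previous section, applied to the two-interface scenario just described, as an added example (these are not the article's own commands; the MAC address of PC1 is a constructed placeholder, and using sticky learning on FastEthernet0/2 for the IP phone and PC3 is an assumption):

```cisco
! Added example (not the article's own commands). The MAC address
! 0000.1111.aaaa for PC1 is a constructed placeholder; sticky learning
! on Fa0/2 is an assumption.
configure terminal
!
interface FastEthernet0/1
 description PC1 - one static secure MAC, shutdown on violation
 switchport mode access
 ! port security is rejected while the port is in the default dynamic mode
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.aaaa
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 description IP phone + PC3 - two sticky secure MACs, restrict on violation
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! optional aging: applies to dynamically learned entries only; sticky and
 ! static entries are kept unless "switchport port-security aging static"
 ! is also configured
 switchport port-security aging type inactivity
 switchport port-security aging time 10
!
end
! persist the configuration, including the sticky MAC addresses learned on
! Fa0/2, so they survive a reload
write memory
```

Because sticky addresses are written into the running configuration as `switchport port-security mac-address sticky <mac>` lines, they are only preserved across a reload once the running configuration is saved.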
To verify that the security feature is correctly configured, you should use the show port-security command for the port security-enabled interfaces. The output below is for interface FastEthernet0/1:
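The verification step above, together with the manual and automatic recovery mentioned under the "shutdown" violation action, as an added example (not part of the original article; interface names follow the topology, and the 300-second recovery interval is an assumption):

```cisco
! Added example (not from the original article): verification and recovery.
! Interface names follow the topology above; the recovery interval is an
! assumption.
show port-security
! -> one line per secured interface: maximum and current secure addresses,
!    the SecurityViolation count and the Security Action (violation mode)
show port-security interface FastEthernet0/1
! -> check "Port Status" (Secure-up vs Secure-shutdown), "Violation Mode",
!    "Maximum MAC Addresses", "Last Source Address:Vlan" and
!    "Security Violation Count"
show port-security address
! -> the secure MAC address table, with the type of each entry
!    (SecureConfigured, SecureDynamic or SecureSticky) and its port
show interfaces status err-disabled
! -> ports disabled by a violation are listed with reason psecure-violation
!
! Manual recovery of a port that the "shutdown" action disabled:
configure terminal
 interface FastEthernet0/1
  shutdown
  no shutdown
 exit
! Automatic recovery: re-enable ports err-disabled by port security after
! the interval expires (the offending device should be removed first, or
! the port will simply be disabled again)
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300
end
show errdisable recovery
! -> confirms the enabled recovery causes and the timer
```

The "Last Source Address:Vlan" field is the first thing to look at after a violation: it identifies the MAC address that triggered it, which tells you whether a legitimate device was replaced or an unexpected one was connected.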