Dell SmartFabric OS10 User Guide Release 10.5.3

Port security

Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement.

Port security is a package of the following subfeatures that provide added security to the system:

  1. MAC address learning limit (MLL)
  2. Sticky MAC
  3. MAC address movement control

MAC addresses that are learnt or statically configured on a port security enabled interface are called secure MAC addresses.

There are three types of secure MAC addresses:

  1. Static secure MAC addresses are configured manually. These MAC addresses are stored both in the MAC address table and in the running configuration of the switch. Similar to static MAC addresses, when the system reloads, the system does not remove the static secure MAC addresses. When you enable port security on an interface, all existing static MAC addresses become static secure MAC addresses. These static secure MAC addresses remain in the system until you remove them.
  2. Dynamic secure MAC addresses are dynamically-learned by the switch and stored in the MAC address table. These MAC addresses are removed from the MAC address table when the switch restarts. By default, dynamic secure MAC addresses do not age out.
  3. Sticky secure MAC addresses are learned dynamically but are saved in the running configuration. Secure sticky MAC addresses never age out.

After you enable port security on an interface, by default, the maximum number of MAC addresses that the interface can learn is one. This is applicable for both dynamic and static secure MAC addresses. After you enable port security on an interface, by default, sticky MAC addresses and MAC movement are disabled on the interface.

MAC address learning limit

Using the MAC address learning limit method, you can set an upper limit on the number of allowed MAC addresses on an interface. Limiting the MAC addresses protects switches from MAC address flooding attacks. After the configured limit is reached on an interface, by default, the system drops all traffic from any unknown device.

When you configure MAC address learning limit, ensure that the number of static MAC addresses present on the system is not greater than the MAC address learning limit that you configure. If the number of dynamically learned MAC addresses is greater than your MAC address limit, the system flushes all dynamically learned MAC addresses.

You can configure an interface to learn a maximum of 3072 MAC addresses. You can also disable the MAC address learning limit feature so that the interface can learn the maximum number of MAC addresses that the system supports. Disabling the MAC address learning limit feature does not remove the previously learned or configured secure MAC addresses.

MAC address movement

A MAC address movement happens when the system detects the same MAC address on an interface which it has already learned through another port security-enabled interface on the same broadcast domain. MAC address movement is not allowed for secure static and sticky MAC addresses. By default, MAC address movement for dynamically-learned MAC address is disabled on the system.

Secure dynamic MAC address movement is allowed between port-security-enabled and port-security-disabled interfaces.

Sticky MAC addresses

When you reload the system, port security removes the dynamically learned secure MAC addresses. You can use the sticky feature to make the dynamically learned secure MAC addresses persist even after a system reboot so that the interface does not have to learn these MAC addresses again. Use the copy running-configuration startup-configuration command to save the sticky secure MAC addresses.

When you enable sticky MAC address learning on an interface, all existing dynamically-learned MAC addresses and MAC addresses that are learned in the future are converted to sticky MAC addresses.

To enable sticky MAC address learning on an interface, ensure that the mac-learn no-limit command is not configured.

Port security violations

There are two types of port security violations.

  • MAC address learning limit violation
  • MAC address move violation

MAC address learning limit violation

After the number of secure MAC addresses reaches the configured maximum, if an interface receives a frame whose source MAC address differs from all the learned MAC addresses, the system treats this as a MAC address learning limit violation.

You can configure MAC address learning limit violation actions.

  • log—The system drops the packet and displays a log message with the VLAN, interface, and the source MAC address that caused the violation.
  • drop—The system drops the packet and does not display a log message.
  • forward—The system forwards the packet without learning the source MAC address or displaying a log message.
  • shutdown—The system shuts down the port.

MAC address move violation

If the system detects, on a port-security-enabled interface, the same MAC address that it has already learned through another port-security-enabled interface, by default the system treats this as a MAC address move violation. You can also configure the system to permit MAC address movement across port-security-enabled interfaces.

You can configure MAC address move violation actions.

  • log—The system drops the packet and displays a log message with the VLAN, interface, and the source MAC address that caused the violation.
  • drop—The system drops the packet and does not display a log message.
  • shutdown-both—The system shuts down both the original and offending interfaces.
  • shutdown-offending—The system shuts down the offending interface.
  • shutdown-original—The system shuts down the interface that originally learned the MAC address that moved.

MAC address aging

By default, dynamically-learned secure MAC addresses do not age out. You can enable aging for secure MAC addresses so that the dynamically learned MAC addresses are deleted from the MAC address table after the configured aging period.

Enable port security on the system

To enable port security on the system globally:

  1. Enter the following command in CONFIGURATION mode:

    switchport port-security
    NOTE: By default, port security is enabled globally. To disable the port security feature on the system, use the no switchport port-security command in CONFIGURATION mode.

Enable port security on an interface

To enable port security on an interface:

  1. Enter the following command in INTERFACE mode:

    switchport port-security
  2. Enable port security in CONFIGURATION-PORT-SECURITY mode:

    no disable
    NOTE: To disable the port security feature on an interface, use the disable command in CONFIGURATION-PORT-SECURITY mode.

Configure the MAC address learning limit

After you enable port security on an interface, the interface can learn one secure MAC address by default. This limit is applicable for both secure dynamic and secure static MAC addresses.

To configure the MAC address learning limit:

  1. Enter the following command in INTERFACE mode:

    switchport port-security
  2. Configure the number of secure MAC addresses that an interface can learn in INTERFACE PORT SECURITY mode:

    mac-learn {limit | no-limit}

    For the limit keyword, the range is from 1 to 3072. To enable the interface to learn the maximum number of MAC addresses that the hardware supports, use the no-limit keyword.

MAC address learning limit example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security 
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
NOTE: When you change the MAC learning limit, ensure that the total number of configured (static) MAC addresses is less than or equal to the new MAC learn limit value. Otherwise, the configuration is rejected.

Configure MAC address learning limit violation actions

Use the following commands in INTERFACE PORT SECURITY mode:

  • To display which MAC address causes a violation, use the log option. The system also drops the packet.
    OS10(config-if-port-sec)# mac-learn limit violation log
    NOTE: If you want to know which MAC address or host is causing the violation, you must set the MAC learn limit violation action to log. This violation action logs a violation message on the console and drops the packet in the hardware. For example, if the MAC learn limit is set to 10, but more than 10 hosts (each with a different source MAC address) appear on that port, this is treated as a violation and a log message is generated on the console. The following is an example log message:
    Jul 10 09:12:24: Learn limit violation occurred on eth 1/1/1: vlan-100: MAC-00:00:07:00:04:89
  • To drop the packet when a MAC address learning limit violation occurs, use the drop option.
    OS10(config-if-port-sec)# mac-learn limit violation drop
    NOTE: On detecting a MAC learn limit violation, this violation action drops all received packets whose source MAC address is not learnt on this port.
  • To forward the packet when a MAC address learning limit violation occurs, use the forward option. The system does not learn the MAC address.
    OS10(config-if-port-sec)# mac-learn limit violation forward
  • To shut down an interface on a MAC address learning limit violation, use the shutdown option.
    OS10(config-if-port-sec)# mac-learn limit violation shutdown
    NOTE: On detecting a MAC learn limit violation, this violation action shuts down the port. In the show interface status command output, the interface status is shown as error-disable instead of DOWN.
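The log action is only useful if something consumes the messages. The following is an added example (not from the Dell OS10 guide) that parses the "Learn limit violation occurred on ..." syslog line format shown above and reports, per interface and VLAN, how many distinct offending source MACs appeared, which is the signal a collector would alert on; the sample log lines are constructed, and the unrelated line is there only to show non-matching input is skipped.

```python
"""Added example: parse OS10 MAC learn-limit violation log lines and summarise
them per (interface, VLAN). Sample lines below are constructed, not real logs."""
import re
from collections import Counter, defaultdict

# Matches the message format shown in the guide, e.g.
#   Jul 10 09:12:24: Learn limit violation occurred on eth 1/1/1: vlan-100: MAC-00:00:07:00:04:89
LEARN_LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}): "
    r"Learn limit violation occurred on (?P<iface>\S+ \S+): "
    r"vlan-(?P<vlan>\d+): "
    r"MAC-(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_violation(line):
    """Return a dict for a learn-limit violation line, or None for any other line."""
    m = LEARN_LIMIT_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": m.group("ts"),
        "interface": m.group("iface"),
        "vlan": int(m.group("vlan")),
        "mac": m.group("mac").lower(),
    }


def summarise(lines, threshold):
    """Count messages and distinct offending MACs per (interface, vlan) and
    return only the keys whose distinct-MAC count reaches `threshold`.
    Many distinct source MACs on one port is the flooding pattern the
    learning limit exists to block, so that is the value worth alerting on."""
    macs = defaultdict(set)
    hits = Counter()
    for line in lines:
        v = parse_violation(line)
        if v is None:
            continue  # not a learn-limit violation message
        key = (v["interface"], v["vlan"])
        macs[key].add(v["mac"])
        hits[key] += 1
    return {
        key: {"messages": hits[key], "distinct_macs": len(macs[key])}
        for key in hits
        if len(macs[key]) >= threshold
    }


# Constructed sample syslog lines (not captured from a device)
SAMPLE_LOG = [
    "Jul 10 09:12:24: Learn limit violation occurred on eth 1/1/1: vlan-100: MAC-00:00:07:00:04:89",
    "Jul 10 09:12:24: Learn limit violation occurred on eth 1/1/1: vlan-100: MAC-00:00:07:00:04:8a",
    "Jul 10 09:12:25: Learn limit violation occurred on eth 1/1/1: vlan-100: MAC-00:00:07:00:04:8b",
    "Jul 10 09:12:25: Learn limit violation occurred on eth 1/1/1: vlan-100: MAC-00:00:07:00:04:89",
    "Jul 10 09:12:30: Learn limit violation occurred on eth 1/1/7: vlan-20: MAC-4c:76:25:e5:4f:51",
    "Jul 10 09:12:31: Link state changed to up on eth 1/1/9 (constructed, unrelated line)",
]

if __name__ == "__main__":
    for (iface, vlan), stats in summarise(SAMPLE_LOG, threshold=3).items():
        print(f"{iface} vlan {vlan}: {stats['messages']} messages, "
              f"{stats['distinct_macs']} distinct source MACs")
```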

MAC address learning limit violation actions configuration example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security 
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-learn limit violation shutdown

Configure sticky MAC addresses

To enable sticky MAC address learning on an interface:

Enter the following command in INTERFACE PORT SECURITY mode:

sticky

If you enable the sticky feature on an interface, all the dynamic MAC addresses appearing on this interface are converted to sticky. Sticky MAC addresses are stored in non-volatile storage in order to retain those MACs across reboots and upgrades.

Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, the switch stops dynamic learning and performs sticky learning instead. If you disable sticky learning, the switch resumes dynamic learning.

NOTE: Before enabling sticky MAC address learning, ensure that you restrict the number of MAC addresses that an interface can learn using the mac-learn limit command.

Sticky MAC addresses configuration example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security 
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# sticky

Permit MAC address movement

Use the following command in INTERFACE PORT SECURITY mode:
OS10(config-if-port-sec)# mac-move allow

MAC movement is not allowed for secure static and sticky MAC addresses. You can control the MAC movement of secure dynamic MAC addresses between port-security-enabled ports.

By default, MAC movement is disabled even for secure dynamic MAC addresses. If a secure dynamic MAC address learnt on one port-security-enabled port appears on another port-security-enabled port, the movement is detected as a violation because MAC movement is disabled by default. You can enable or disable MAC movement on a port-security-enabled port; this configuration applies to secure dynamic MAC addresses only.

MAC address movement configuration example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security 
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-move allow

Restrictions on MAC movement

Secure dynamic MAC address movement is allowed only between port-security-enabled ports.

The following table lists the restrictions on MAC movement:

Table 1. Restrictions on MAC movement

Secure dynamic MAC address MAC movement, by port combination:

  • Port-security enabled port to port-security disabled port: Not allowed.
  • Port-security enabled port to port-security enabled port: Allowed.
  • Port-security disabled port to port-security enabled port: Not applicable. A MAC learnt on a port-security disabled port is treated as an unsecured MAC. As a result, this unsecured MAC is learnt as a secure MAC.
  • Port-security disabled port to port-security disabled port: Not applicable.

Configure MAC address movement violation actions

Use the following commands in INTERFACE PORT SECURITY mode:

  • To display which MAC address causes a violation, use the log option. The system also drops the packet.
    OS10(config-if-port-sec)# mac-move violation log
  • To drop the packet when a MAC address movement violation occurs, use the drop option.
    OS10(config-if-port-sec)# mac-move violation drop
  • To shut down the original interface that learned the MAC address on a MAC movement violation, use the shutdown-original option.
    OS10(config-if-port-sec)# mac-move violation shutdown-original
  • To shut down the interface that detected a MAC address that is already learned by another interface, use the shutdown-offending option.
    OS10(config-if-port-sec)# mac-move violation shutdown-offending
  • To shut down both original and offending interfaces, use the shutdown-both option.
    OS10(config-if-port-sec)# mac-move violation shutdown-both

Recover an error-disabled interface

  1. Shut down the interface in INTERFACE mode.
    shutdown
  2. Bring the interface up in INTERFACE mode.
    no shutdown
NOTE: To recover a VLT port-channel, you must run the shutdown and no shutdown commands on both VLT peers.

Clear an error-disabled state of all interfaces

  • To clear the error-disabled state of all interfaces that was caused by a MAC address learning limit violation, use the following command in CONFIGURATION mode:
    errdisable reset cause mac-learn-limit violation
  • To clear the error-disabled state of all interfaces that was caused by a MAC address movement violation, use the following command in CONFIGURATION mode:
    errdisable reset cause mac-move-violation
  • To clear the error-disabled state of all interfaces that was caused by all violation incidents, use the following command in CONFIGURATION mode:
    errdisable reset cause all

Recover an error-disabled state of interfaces automatically

  • To automatically recover interfaces whose error-disabled state was caused by a MAC address learning limit violation, use the following command in CONFIGURATION mode:
    errdisable recovery cause mac-learn-limit violation
  • To automatically recover interfaces whose error-disabled state was caused by a MAC address movement violation, use the following command in CONFIGURATION mode:
    errdisable recovery cause mac-move-violation
  • To delay the recovery of an error-disabled interface, configure the recovery interval timer in CONFIGURATION mode. The range is from 30 to 65,535 seconds.
    errdisable recovery interval 30

Configure secure static MAC addresses

  • To configure a secure static MAC address, use the following command in CONFIGURATION mode:
    mac address-table static mac-address vlan vlan-id interface {ethernet node/slot/port[:subport] | port-channel number}
    NOTE: The configured MAC address becomes secure MAC address only if you enable the port security feature on the interface.

The static learning method allows you to manually add or remove secure MAC addresses on a port-security-enabled port. These MAC addresses are saved to the startup-configuration file along with the rest of the running configuration whenever you save the running configuration. Because the MAC addresses are written to the startup-configuration file, they are retained across reboots.

Secure static MAC addresses remain in the system until you delete them.

You can use the existing mac address-table command to configure the secure static MAC address.

Secure static MAC addresses configuration example

OS10# configure terminal
OS10(config)# interface port-channel 1
OS10(conf-if-po-1)# switchport port-security 
OS10(config-if-port-sec)# no disable
OS10(config-if-po-1)# exit
OS10(config)# mac address-table static 03:ab:cd:21:ba:01 vlan 1 interface port-channel 1

Secure dynamic MAC address learning

By default, when you enable port security globally and on an interface, the dynamic learning method is enabled. The interface learns dynamic secure MAC addresses until the MAC learn limit is reached. If you do not configure the MAC learn limit, only one dynamic secure MAC address is learnt, because the default limit value is 1.

Dynamic secure MAC addresses are lost when the following events occur:

  • Node is re-booted.
  • Interface is down.
  • MAC is aged.
  • Interface is deleted or VLAN membership is deleted.
  • Spanning-tree flush on interface.
  • Newly configured MLL limit is less than the total number of secure dynamic MAC addresses learnt on that interface.

Perform the following steps to configure secure dynamic MAC addresses:

  1. Enter configuration mode.
    OS10# configure terminal
  2. Enable port security globally.
    OS10(config)# switchport port-security
  3. Enter port-security configuration mode for the interface; the prompt changes to the port-security configuration mode prompt.
    OS10(config-if)# switchport port-security
  4. Enable port security on this interface. When port security is enabled globally and on the interface, the following default values are set:
    • The MAC learn limit is set to one.
    • Sticky learning is disabled, so dynamic MAC learning is enabled.
    • MAC movement is not allowed.
    OS10(config-if-port-sec)# no disable

The following table lists the differences between secure, sticky, and dynamic MAC addresses:

Table 2. Differences between secure, sticky, and dynamic MAC addresses

Event: Interface down
  • Secure dynamic MAC addresses: MACs are flushed.
  • Secure sticky MAC addresses: MACs are retained but are put in INACTIVE state.
Event: Interface deletion
  • Secure dynamic MAC addresses: MACs are flushed.
  • Secure sticky MAC addresses: MACs are flushed.
Event: Node reboot
  • Secure dynamic MAC addresses: MACs are flushed.
  • Secure sticky MAC addresses: MACs are retained.
Event: Software upgrade
  • Secure dynamic MAC addresses: MACs are flushed.
  • Secure sticky MAC addresses: MACs are retained.
Event: On aging
  • Secure dynamic MAC addresses: MACs are flushed.
  • Secure sticky MAC addresses: MACs are retained.
Event: Aging disabled
  • Secure dynamic MAC addresses: MACs are retained.
  • Secure sticky MAC addresses: MACs are retained.
Event: MAC movement
  • Secure dynamic MAC addresses: Configuration dependent. If MAC movement is allowed on a port, secure dynamic addresses learnt on this port can move freely. Otherwise, the MAC addresses stick to the interface.
  • Secure sticky MAC addresses: MAC movement is not allowed for these MACs.
Event: MLL limit change on an interface
  • Secure dynamic MAC addresses: When the new limit is less than the total number of secure dynamic MAC addresses, secure dynamic MAC addresses are flushed out on that port.
  • Secure sticky MAC addresses: When the new limit is less than the total number of secure sticky MAC addresses, secure sticky MAC addresses are flushed out on that port.
Event: Spanning-tree flush on an interface
  • Secure dynamic MAC addresses: MACs are flushed.
  • Secure sticky MAC addresses: MACs are retained.
Event: Disabling port-security
  • Secure dynamic MAC addresses: MACs are retained.
  • Secure sticky MAC addresses: MACs are retained and are converted to DYNAMIC.
Event: No sticky
  • Secure dynamic MAC addresses: Not applicable.
  • Secure sticky MAC addresses: MACs are converted to DYNAMIC.

Clearing error disable status on all interfaces

The following table lists the sequence of steps to clear error disable status on all interfaces:

Table 3. Clear error disable status

Step 1. Use one of the following commands in EXEC mode:

  • OS10#errdisable reset cause all
    Clears all the violations on all interfaces in the system.
  • OS10#errdisable reset cause Mac-learning-limit-violation
    Clears the MAC learn limit violation status on all interfaces.
  • OS10#errdisable reset cause mac-move-violation
    Clears the MAC move violation status on all interfaces.

Remove statically-configured secure MAC addresses

To remove statically-configured secure MAC addresses, use the following command in EXEC mode:

clear mac address-table secure {{dynamic | sticky} {address mac_addr | vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}} | all}

Remove statically-configured secure MAC addresses configuration example

OS10# clear mac address-table secure sticky vlan 1
OS10#clear mac address-table secure sticky interface port-channel 128
OS10#clear mac address-table secure sticky address 00:00:00:00:00:01 vlan 100

View statically-configured secure MAC addresses

To view the statically-configured secure MAC addresses, use the following command in EXEC mode:

show mac address-table secure {{dynamic | static | sticky} {vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}}}

View statically-configured secure MAC addresses example

OS10# show mac address-table secure sticky

VlanId   MAC Address          Type      Interface
1        4c:76:25:e5:4f:51    sticky    ethernet1/1/5
1        4c:76:25:e5:4f:55    sticky    ethernet1/1/6
1        4c:76:25:e5:4f:59    sticky    ethernet1/1/7

OS10# show mac address-table secure dynamic

VlanId   MAC Address          Type      Interface
10       4c:76:25:e5:4f:51    dynamic   port-channel120
11       4c:76:25:e5:4f:55    dynamic   ethernet1/1/6
12       4c:76:25:e5:4f:59    dynamic   ethernet1/1/7

OS10# show mac address-table secure static

VlanId   MAC Address          Type      Interface
10       4c:76:25:e5:4f:51    static    port-channel120
11       4c:76:25:e5:4f:55    static    ethernet1/1/6
12       4c:76:25:e5:4f:59    static    ethernet1/1/7

View the number of secure MAC addresses on the system

  • To view the number of secure MAC addresses on the system, use the following command in EXEC mode:
    show mac address-table count [interface {ethernet slot/port:subport | port-channel number | vlan vlan-id}]

View the number of secure MAC addresses on the system example

OS10# show MAC address-table count 
MAC Entries for all vlans :
Dynamic Address Count: 10000
Total secure dynamic MAC addresses: 5000 of (10000)
Static Address (User-defined) Count : 5000
Total secure static MAC addresses:200 of (5000)
Total secure sticky MAC addresses :0
Total MAC Addresses in Use: 15000

View port-security parameters for all interfaces

To view port-security parameters for all interfaces, use the following command in EXEC mode:

show switchport port-security [interface {ethernet node/slot/port[:subport] | port-channel port-channel-number}]

View port-security parameters for all interfaces example

OS10# show switchport port-security

Global Port-security status       :Enable

Interface name                    : eth1/1/1

Port Security                     :Enabled
Port Status                       :Error-Disable
Mac learn limit                   :100
Mac-learn limit-Violation action  :Shutdown
Sticky                            :Disabled  
Mac-move-allow                    :Not Allowed
mac-move-violation action         :shutdown-both
Aging                             :Enabled
Total MAC Addresses               :10
Secure static MAC Addresses       :0
Sticky MAC Addresses              :10
Secure Dynamic MAC addresses      :0

Interface name                    : eth1/1/10

Port Security                     :Enabled 
Port Status                       :Error-Disable
Mac learn limit                   :100
Mac-learn-limit-Violation action  :Shutdown
Sticky                            :Disabled 
Mac-move-allow                    :Not Allowed
mac-move-violation action         :shutdown-both
Aging                             :Enabled
Total MAC Addresses               :11
Secure static MAC Addresses       :0
Sticky MAC Addresses              :0
Secure Dynamic MAC addresses      :11

OS10# show switchport port-security interface ethernet 1/1/1

Global Port-security status       :Enable

Interface name                    : ethernet1/1/1

Port Security                     :Enabled
Port Status                       :Error-Disable
Mac-learn limit                   :1024
MaC-learn-limit-Violation Action  :Shutdown
Sticky                            :Enabled
Mac-move-allow                    :Not Allowed
Mac-move-violation                :shutdown-both
Aging                             :Disabled
Total MAC Addresses               :10
Secure static MAC Addresses       :0
Sticky MAC Addresses              :10
Secure Dynamic MAC addresses      :0

OS10# show switchport port-security interface port-channel 120

Interface name                    : port-channel 120

Port Security                     :Disabled
Port Status                       : Up
mac-learn limit                   :1024
Mac-learn-limit-Violation Action  :Flood
Sticky                            :Enabled
Mac-move-allow                    :Allowed
Mac-move-violation                :shutdown-offending
Aging                             :Disabled
Total MAC Addresses               :11
Secure static MAC Addresses       :0
Sticky MAC Addresses              :11
Secure Dynamic MAC addresses      :0
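The output above is what an operator would audit to confirm that every access port actually has port security enabled with a non-forwarding violation action. The following is an added example (not from the Dell OS10 guide, and not a Dell tool) that parses this show output into one record per interface and checks it against a simple policy; the policy rules are this example's own assumptions, the sample output is constructed from the guide's format, and field names are normalised because the output spells them inconsistently (Mac learn limit, Mac-learn limit, mac-learn limit).

```python
"""Added example: parse `show switchport port-security` text and audit it.
SAMPLE_OUTPUT is constructed from the guide's format, not captured output."""
import re

SAMPLE_OUTPUT = """\
Global Port-security status       :Enable

Interface name                    : eth1/1/1

Port Security                     :Enabled
Port Status                       :Error-Disable
Mac learn limit                   :100
Mac-learn limit-Violation action  :Shutdown
Sticky                            :Disabled
Mac-move-allow                    :Not Allowed
mac-move-violation action         :shutdown-both
Aging                             :Enabled
Total MAC Addresses               :10

Interface name                    : port-channel 120

Port Security                     :Disabled
Port Status                       : Up
mac-learn limit                :1024
Mac-learn-limit-Violation Action  :Flood
Sticky                            :Enabled
Mac-move-allow                    :Allowed
Mac-move-violation                :shutdown-offending
Aging                             :Disabled
Total MAC Addresses               :11
"""


def _norm(key):
    """Collapse 'Mac-learn limit-Violation action' and its variants to one key."""
    return re.sub(r"[^a-z0-9]", "", key.lower())


def parse_port_security(text):
    """Return {interface_name: {normalised_field: value}} from the show output."""
    records, current = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank lines and separators
        key, value = (part.strip() for part in line.split(":", 1))
        if _norm(key) == "interfacename":
            current = records.setdefault(value, {})
        elif current is not None:  # skip the global header before the first interface
            current[_norm(key)] = value
    return records


def audit(records):
    """Return (interface, finding) pairs. Policy is an assumption of this example:
    port security enabled, learn-limit action must not forward unknown sources,
    MAC movement not allowed, and error-disabled ports flagged for follow-up."""
    findings = []
    for name, r in records.items():
        if r.get("portsecurity", "").lower() != "enabled":
            findings.append((name, "port security disabled"))
        if r.get("portstatus", "").lower() == "error-disable":
            findings.append((name, "interface is error-disabled after a violation"))
        if r.get("maclearnlimitviolationaction", "").lower() in ("flood", "forward"):
            findings.append((name, "learn-limit violation action forwards traffic"))
        if r.get("macmoveallow", "").lower() == "allowed":
            findings.append((name, "MAC movement allowed"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(parse_port_security(SAMPLE_OUTPUT)):
        print(f"{iface}: {finding}")
```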

View the error disabled state of interfaces

The Errdisable Cause column displays one or more reasons for the error-disabled state of an interface. If an interface is put into the error-disabled state for multiple reasons, the interface does not come up unless you enable automatic recovery for all of those reasons.

OS10# show errdisable recovery

Error-Disable Recovery Timer Interval : 300 seconds

Error-Disable Reason Recovery Status
----------------------------------------
bpduguard                     Enabled
MLL violation                 Enabled
MAC-move-violation            Enabled

                                                          Recovery Time Left
Interface          Errdisable Cause                       (seconds)
-----------------------------------------------------------------------
ethernet1/1/1:1    bpduguard                              30
ethernet1/1/1:2    bpduguard                              1
ethernet1/1/10     bpduguard/mac-learn limit/mac-move     10
port-channel100    Mac-learn limit                        50
port-channel128    mac-move                               49
