Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement.
Port security is a package of the following sub-features that provide added security to the system:
MAC addresses that are learnt or statically configured on a port security enabled interface are called secure MAC addresses.
There are three types of secure MAC addresses: secure dynamic, secure static, and sticky.
After you enable port security on an interface, by default, the maximum number of MAC addresses that the interface can learn is one. This is applicable for both dynamic and static secure MAC addresses. After you enable port security on an interface, by default, sticky MAC addresses and MAC movement are disabled on the interface.
MAC address learning limit
Using the MAC address learning limit method, you can set an upper limit on the number of allowed MAC addresses on an interface. Limiting the MAC addresses protects switches from MAC address flooding attacks. After the configured limit is reached on an interface, by default, the system drops all traffic from any unknown device.
When you configure MAC address learning limit, ensure that the number of static MAC addresses present on the system is not greater than the MAC address learning limit that you configure. If the number of dynamically learned MAC addresses is greater than your MAC address limit, the system flushes all dynamically learned MAC addresses.
You can configure an interface to learn a maximum of 3072 MAC addresses. You can also disable the MAC address learning limit feature so that the interface can learn the maximum number of MAC addresses that the system supports. Disabling the MAC address learning limit feature does not remove the previously learned or configured secure MAC addresses.
MAC address movement
A MAC address movement happens when the system detects the same MAC address on an interface which it has already learned through another port security-enabled interface on the same broadcast domain. MAC address movement is not allowed for secure static and sticky MAC addresses. By default, MAC address movement for dynamically-learned MAC address is disabled on the system.
Secure dynamic MAC address movement is allowed between port-security-enabled and port-security-disabled interfaces.
Sticky MAC addresses
When you reload the system, port security removes the dynamically learned secure MAC addresses. You can use the sticky feature to make the dynamically learned secure MAC addresses persist even after a system reboot so that the interface does not have to learn these MAC addresses again. Use the copy running-configuration startup-configuration command to save the sticky secure MAC addresses.
When you enable sticky MAC address learning on an interface, all existing dynamically-learned MAC addresses and MAC addresses that are learned in the future are converted to sticky MAC addresses.
To enable sticky MAC address learning on an interface, ensure that the mac-learn no-limit command is not configured.
Port security violations
There are two types of port security violations.
MAC address learning limit violation
After the number of secure MAC addresses reaches the configured maximum, if an interface receives a frame with a source MAC address that differs from all of the learned MAC addresses, the system considers this a MAC address learning limit violation.
You can configure MAC address learning limit violation actions.
MAC address move violation
If the system detects, on a port-security-enabled interface, the same MAC address that it has already learned through another port-security-enabled interface, by default the system considers this a MAC address move violation. You can configure MAC address move violation actions. You can also configure the system to permit MAC address movement across port-security-enabled interfaces.
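The learning-limit, sticky, MAC-movement and violation-action rules described above, written out as a small executable model. This is an added example, not Dell OS10 code; it assumes a single broadcast domain, that the receiving port's mac-move setting decides whether a secure dynamic MAC may move, that the log actions otherwise behave like drop, and that a frame causing a move violation is not forwarded.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    limit: int = 1                # mac-learn limit defaults to 1 once port security is enabled
    sticky: bool = False          # sticky: dynamic entries and future learns become sticky
    mac_move_allow: bool = False  # mac-move allow; affects secure dynamic entries only
    limit_action: str = "drop"    # mac-learn limit violation: log | drop | forward | shutdown
    move_action: str = "drop"     # mac-move violation: log | drop | shutdown-original/-offending/-both
    secure: dict = field(default_factory=dict)  # mac -> "static" | "dynamic" | "sticky"
    err_disabled: bool = False

class PortSecurity:
    def __init__(self):
        self.ports, self.log = {}, []   # port name -> Port; constructed violation log

    def add_static(self, name, mac):
        self.ports[name].secure[mac] = "static"  # static entries count against the limit

    def owner_of(self, mac):
        return next((n for n, p in self.ports.items() if mac in p.secure), None)

    def frame(self, name, mac):
        """Decide what happens to a frame with source MAC `mac` arriving on port `name`."""
        p = self.ports[name]
        if p.err_disabled:
            return "drop"                     # an error-disabled port passes nothing
        if mac in p.secure:
            return "forward"                  # already a secure MAC on this port
        owner = self.owner_of(mac)
        if owner is not None:                 # same MAC known on another secured port
            if self.ports[owner].secure[mac] == "dynamic" and p.mac_move_allow:
                del self.ports[owner].secure[mac]   # permitted move: relearn below
            else:
                return self.move_violation(p, name, owner, mac)
        if len(p.secure) >= p.limit:
            return self.limit_violation(p, name, mac)
        p.secure[mac] = "sticky" if p.sticky else "dynamic"
        return "forward"

    def limit_violation(self, p, name, mac):
        self.log.append(f"Learn limit violation occurred on {name}: MAC-{mac}")
        if p.limit_action == "shutdown":
            p.err_disabled = True
        # "forward" passes the frame without learning it; log/drop/shutdown drop it (assumption for log)
        return "forward" if p.limit_action == "forward" else "drop"

    def move_violation(self, p, name, owner, mac):
        self.log.append(f"MAC move violation: {mac} learnt on {owner} seen on {name}")
        if p.move_action in ("shutdown-original", "shutdown-both"):
            self.ports[owner].err_disabled = True
        if p.move_action in ("shutdown-offending", "shutdown-both"):
            p.err_disabled = True
        return "drop"                         # assumption: the moved frame is not forwarded
```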
MAC address aging
By default, dynamically-learned secure MAC addresses do not age out. You can enable aging for secure MAC addresses so that the dynamically learned MAC addresses are deleted from the MAC address table after the configured aging period.
Enable port security on the system
To enable port security on the system globally:
Enter the following command in CONFIGURATION mode:
switchport port-security
Enable port security on an interface
To enable port security on an interface:
Enter the following command in INTERFACE mode:
switchport port-security
Enable port security in CONFIGURATION-PORT-SECURITY mode:
no disable
Configure the MAC address learning limit
After you enable port security on an interface, the interface can learn one secure MAC address by default. This limit is applicable for both secure dynamic and secure static MAC addresses.
To configure the MAC address learning limit:
Enter the following command in INTERFACE mode:
switchport port-security
Configure the number of secure MAC addresses that an interface can learn in INTERFACE PORT SECURITY mode:
mac-learn {limit number | no-limit}
For the limit keyword, the range is from 1 to 3072. To enable the interface to learn the maximum number of MAC addresses that the hardware supports, use the no-limit keyword.
MAC address learning limit example
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
Configure MAC address learning limit violation actions
Use the following commands in INTERFACE PORT SECURITY mode:
OS10(config-if-port-sec)# mac-learn limit violation log
Jul 10 09:12:24: Learn limit violation occurred on eth 1/1/1: vlan-100: MAC-00:00:07:00:04:89
OS10(config-if-port-sec)# mac-learn limit violation drop
OS10(config-if-port-sec)# mac-learn limit violation forward
OS10(config-if-port-sec)# mac-learn limit violation shutdown
MAC address learning limit violation actions configuration example
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-learn limit violation shutdown
Configure sticky MAC addresses
To enable sticky MAC address learning on an interface:
Enter the following command in INTERFACE PORT SECURITY mode:
sticky
If you enable the sticky feature on an interface, all the dynamic MAC addresses appearing on this interface are converted to sticky. Sticky MAC addresses are stored in non-volatile storage so that they are retained across reboots and upgrades.
Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, the switch stops dynamic learning and performs sticky learning instead. If you disable sticky learning, the switch resumes dynamic learning.
Sticky MAC addresses configuration example
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# sticky
Permit MAC address movement
OS10(config-if-port-sec)# mac-move allow
MAC movement is not allowed for secure static and sticky MAC addresses. You can control MAC movement of secure dynamic MAC addresses between port-security enabled ports.
By default, MAC movement is disabled even for secure dynamic MAC addresses. If a secure dynamic MAC address learnt on one port-security enabled port appears on another port-security enabled port, the movement is detected as a violation because MAC movement is disabled by default. You can enable or disable MAC movement on a port-security enabled port; this configuration applies to secure dynamic MAC addresses only.
MAC address movement configuration example
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-move allow
Restrictions on MAC movement
Secure dynamic MAC address MAC movement is allowed only between port-security enabled ports.
The following table lists the restrictions on MAC movement:
Combination | Port-security enabled port to port-security disabled port | Port-security enabled port to port-security enabled port | Port-security disabled port to port-security enabled port | Port-security disabled port to port-security disabled port |
---|---|---|---|---|
Secure dynamic MAC address MAC movement | Not allowed. | Allowed. | Not applicable. A MAC learnt on a port-security disabled port is treated as an unsecured MAC. As a result, this unsecured MAC is learnt as a secure MAC on the port-security enabled port. | Not applicable. |
Configure MAC address movement violation actions
Use the following commands in INTERFACE PORT SECURITY mode:
OS10(config-if-port-sec)# mac-move violation log
OS10(config-if-port-sec)# mac-move violation drop
OS10(config-if-port-sec)# mac-move violation shutdown-original
OS10(config-if-port-sec)# mac-move violation shutdown-offending
OS10(config-if-port-sec)# mac-move violation shutdown-both
Recover an error-disabled interface
shutdown
no shutdown
Clear an error-disabled state of all interfaces
errdisable reset cause mac-learn-limit violation
errdisable reset cause mac-move-violation
errdisable reset cause all
Recover an error-disabled state of interfaces automatically
errdisable recovery cause mac-learn-limit violation
errdisable recovery cause mac-move-violation
errdisable recovery interval 30
Configure secure static MAC addresses
mac address-table static mac-address vlan vlan-id interface {ethernet node/slot/port[:subport] | port-channel number}
The static learning method allows you to manually add or remove secure MAC addresses on a port-security enabled port. These MAC addresses are saved to the startup-configuration file along with the rest of the running configuration whenever you save the running-configuration. Because the MAC addresses are written to the startup-configuration file, they are retained across reboots.
Secure static MAC addresses remain in the system until you delete them.
You can use the existing MAC address-table command to configure the secure static MAC address.
Secure static MAC addresses configuration example
OS10# configure terminal
OS10(config)# interface port-channel 1
OS10(conf-if-po-1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-po-1)# exit
OS10(config)# mac address-table static 03:ab:cd:21:ba:01 vlan 1 interface port-channel 1
Secure dynamic MAC address learning
By default, when you enable port-security globally and on an interface, the dynamic learning method is enabled. The interface learns dynamic secure MAC addresses until the MAC learn limit is reached. If you do not configure the MAC learn limit, only one dynamic secure MAC address is learnt, because the default limit value is 1.
Dynamic secure MAC addresses are lost when the following events occur:
Perform the following steps to configure secure dynamic MAC address:
OS10# configure terminal
OS10(config)# switchport port-security
OS10(config-if)# switchport port-security
OS10(config-if-port-sec)# no disable
The following table lists how secure dynamic and secure sticky MAC addresses behave on each event:
Event | Interface down | Interface deletion | Node reboot | Software upgrade | On aging | Aging disabled | MAC movement | MLL limit change on an interface | Spanning-tree flush on an interface | Disabling port-security | No sticky |
---|---|---|---|---|---|---|---|---|---|---|---|
Secure Dynamic MAC addresses | MACs are flushed. | MACs are flushed. | MACs are flushed. | MACs are flushed. | MACs are flushed. | MACs are retained. | Configuration dependent. If MAC-movement is allowed on a port, secure dynamic addresses learnt on this port can move freely. Otherwise MAC addresses stick to the interface. | When the new limit is less than the total number of secure dynamic MAC addresses, secure dynamic MAC addresses are flushed out on that port. | MACs are flushed. | MACs are retained. | Not applicable. |
Secure Sticky MAC address | MACs are retained but are put in INACTIVE state. | MACs are flushed. | MACs are retained. | MACs are retained. | MACs are retained. | MACs are retained. | MAC movement is not allowed for these MACs. | When the new limit is less than the total number of secure sticky MAC addresses, secure sticky MAC addresses are flushed out on that port. | MACs are retained. | MACs are retained and are converted as DYNAMIC. | MACs are converted to DYNAMIC. |
Clearing error disable status on all interfaces
The following table lists the sequence of steps to clear error disable status on all interfaces:
Step | Command | Description |
---|---|---|
1 | OS10# errdisable reset cause all | Clears all the violations on all interfaces in the system. |
2 | OS10# errdisable reset cause Mac-learning-limit-violation | Clears the MAC learn limit violation status on all interfaces. |
3 | OS10# errdisable reset cause mac-move-violation | Clears the MAC move violation status on all interfaces. |
Remove statically-configured secure MAC addresses
To remove statically-configured secure MAC addresses, use the following command in EXEC mode:
clear mac address-table secure {{dynamic | sticky} {address mac_addr | vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}} | all}
Remove statically-configured secure MAC addresses configuration example
OS10# clear mac address-table secure sticky vlan 1
OS10# clear mac address-table secure sticky interface port-channel 128
OS10# clear mac address-table secure sticky address 00:00:00:00:00:01 vlan 100
View statically-configured secure MAC addresses
To view the statically-configured secure MAC addresses, use the following command in EXEC mode:
show mac address-table secure {{dynamic | static | sticky} {vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}}}
View statically-configured secure MAC addresses example
OS10# show mac address-table secure sticky
VlanId MAC Address Type Interface
1 4c:76:25:e5:4f:51 sticky ethernet1/1/5
1 4c:76:25:e5:4f:55 sticky ethernet1/1/6
1 4c:76:25:e5:4f:59 sticky ethernet1/1/7
OS10# show mac address-table secure dynamic
VlanId MAC Address Type Interface
10 4c:76:25:e5:4f:51 dynamic port-channel120
11 4c:76:25:e5:4f:55 dynamic ethernet1/1/6
12 4c:76:25:e5:4f:59 dynamic ethernet1/1/7
OS10# show mac address-table secure static
VlanId MAC Address Type Interface
10 4c:76:25:e5:4f:51 static port-channel120
11 4c:76:25:e5:4f:55 static ethernet1/1/6
12 4c:76:25:e5:4f:59 static ethernet1/1/7
View the number of secure MAC addresses on the system
show mac address-table count [interface {ethernet slot/port:subport | port-channel number | vlan vlan-id}]
View the number of secure MAC addresses on the system example
OS10# show mac address-table count
MAC Entries for all vlans :
Dynamic Address Count: 10000
Total secure dynamic MAC addresses: 5000 of (10000)
Static Address (User-defined) Count : 5000
Total secure static MAC addresses:200 of (5000)
Total secure sticky MAC addresses :0
Total MAC Addresses in Use: 15000
View port-security parameters for all interfaces
To view port-security parameters for all interfaces, use the following command in EXEC mode:
show switchport port-security [interface {ethernet node/slot/port[:subport] | port-channel port-channel-number}]
View port-security parameters for all interfaces example
OS10# show switchport port-security
Global Port-security status :Enable
Interface name : eth1/1/1
Port Security :Enabled
Port Status :Error-Disable
Mac learn limit :100
Mac-learn limit-Violation action :Shutdown
Sticky :Disabled
Mac-move-allow :Not Allowed
mac-move-violation action :shutdown-both
Aging :Enabled
Total MAC Addresses :10
Secure static MAC Addresses :0
Sticky MAC Addresses :10
Secure Dynamic MAC addresses :0
Interface name : eth1/1/10
Port Security :Enabled
Port Status :Error-Disable
Mac learn limit :100
Mac-learn-limit-Violation action :Shutdown
Sticky :Disabled
Mac-move-allow :Not Allowed
mac-move-violation action :shutdown-both
Aging :Enabled
Total MAC Addresses :11
Secure static MAC Addresses :0
Sticky MAC Addresses :0
Secure Dynamic MAC addresses :11
OS10# show switchport port-security interface ethernet 1/1/1
Global Port-security status :Enable
Interface name : ethernet1/1/1
Port Security :Enabled
Port Status :Error-Disable
Mac-learn limit :1024
MaC-learn-limit-Violation Action :Shutdown
Sticky :Enabled
Mac-move-allow :Not Allowed
Mac-move-violation :shutdown-both
Aging :Disabled
Total MAC Addresses :10
Secure static MAC Addresses :0
Sticky MAC Addresses :10
Secure Dynamic MAC addresses :0
OS10# show switchport port-security interface port-channel 120
Interface name : port-channel 120
Port Security :Disabled
Port Status : Up
mac-learn limit :1024
Mac-learn-limit-Violation Action :Flood
Sticky :Enabled
Mac-move-allow :Allowed
Mac-move-violation :shutdown-offending
Aging :Disabled
Total MAC Addresses :11
Secure static MAC Addresses :0
Sticky MAC Addresses :11
Secure Dynamic MAC addresses :0
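The show output above is what an operator would poll to catch ports that have been error-disabled or are filling up their learn limit. The following added script (not Dell code) parses a constructed sample laid out like that output, normalising the inconsistently spelled keys ("Mac learn limit" versus "Mac-learn limit"), and flags error-disabled interfaces and interfaces at or above a chosen percentage of their mac-learn limit.

```python
import re

# Constructed sample in the layout of `show switchport port-security` output
# (one "key :value" pair per line, as the switch prints it).
SAMPLE = """\
Global Port-security status :Enable
Interface name : eth1/1/1
Port Security :Enabled
Port Status :Error-Disable
Mac learn limit :100
Mac-learn limit-Violation action :Shutdown
Total MAC Addresses :10
Interface name : eth1/1/10
Port Security :Enabled
Port Status :Up
Mac learn limit :100
Mac-learn-limit-Violation action :Shutdown
Total MAC Addresses :95
"""

LINE = re.compile(r"^\s*([A-Za-z][\w \-]*?)\s*:\s*(.*?)\s*$")

def norm(key):
    # The real output spells keys inconsistently ("Mac learn limit", "Mac-learn limit");
    # strip spaces and hyphens and lowercase so lookups are stable.
    return re.sub(r"[\s\-]", "", key).lower()

def parse_port_security(text):
    """Return {"global": status, "interfaces": [per-interface dict, ...]}."""
    result, cur = {"global": None, "interfaces": []}, None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, value = norm(m.group(1)), m.group(2)
        if key == "globalportsecuritystatus":
            result["global"] = value
        elif key == "interfacename":
            cur = {"name": value}
            result["interfaces"].append(cur)
        elif cur is not None:
            cur[key] = value
    return result

def findings(text, warn_pct=90):
    """List (interface, reason) for error-disabled ports and ports near their mac-learn limit."""
    out = []
    for i in parse_port_security(text)["interfaces"]:
        if i.get("portstatus", "").lower().startswith("error"):
            out.append((i["name"], "error-disabled"))
        limit, total = int(i.get("maclearnlimit", 0)), int(i.get("totalmacaddresses", 0))
        if limit and total * 100 >= warn_pct * limit:
            out.append((i["name"], f"{total}/{limit} secure MACs"))
    return out
```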
View the error disabled state of interfaces
The Errdisable Cause column displays one or more reasons for the error-disabled state of an interface. If an interface is put in to the Error Disabled state for multiple reasons, the interface does not come up unless you enable automatic recovery for all the reasons.
OS10# show errdisable recovery
Error-Disable Recovery Timer Interval : 300 seconds
Error-Disable Reason Recovery Status
----------------------------------------
bpduguard Enabled
MLL violation Enabled
MAC-move-violation Enabled

Interface Errdisable Cause Recovery Time Left (seconds)
-----------------------------------------------------------------------
ethernet1/1/1:1 bpduguard 30
ethernet1/1/1:2 bpduguard 1
ethernet1/1/10 bpduguard/mac-learn limit/mac-move 10
port-channel100 Mac-learn limit 50
port-channel128 mac-move 49