How to prevent unauthorized users from connecting their PCs to an enterprise network? How to prevent employees from connecting unauthorized devices to a LAN or moving their computers without permission?
Port Security is a Layer 2 feature which can be enabled on an interface to prevent devices with untrusted MAC addresses from accessing a switch port. When enabled, the MAC address of the device connected to the port is dynamically learned by the switch and stored in memory (by default it is not aged out). Only this MAC address is then allowed to forward traffic over the switch port (only one trusted MAC address is allowed by default). A frame from any other MAC address will cause the port to go into one of the following states:
- Protect – packets coming from an untrusted MAC address will be dropped,
- Restrict – packets coming from an untrusted MAC address will be dropped and an SNMP trap message will be generated (default behavior),
- Shutdown – the port will be put into the shutdown state.
Let’s configure the port security feature on a switch port and see how it works.
<labnarioSW1>sys
Enter system view, return user view with Ctrl+Z.
[labnarioSW1]interface gi0/0/1
[labnarioSW1-GigabitEthernet0/0/1]port link-type access
[labnarioSW1-GigabitEthernet0/0/1]port-security enable
Generate some traffic from your PC so that the switch can learn the PC’s MAC address. As you can see, my PC’s MAC address aabb-ccdd-eeff was dynamically learned and assigned to the GigabitEthernet 0/0/1 port.
[labnarioSW1-GigabitEthernet0/0/1]display mac-address security
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/      PEVLAN CEVLAN Port            Type        LSP/LSR-ID
               VSI/SI                                               MAC-Tunnel
-------------------------------------------------------------------------------
aabb-ccdd-eeff 1          -      -      GE0/0/1         security    -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
Let’s see what happens when a different PC, with a different MAC address, is connected to the same port.
<labnarioSW1>
Sep 18 2013 12:51:06-08:00 labnarioSW1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.6 The number of MAC address on interface (6/6) GigabitEthernet0/0/1 reaches the limit, and the port status is : 1. (1:restrict;2:protect;3:shutdown)
All the traffic coming from the second PC is dropped by the switch. Port GigabitEthernet 0/0/1 has changed its status to restrict: only the MAC address aabb-ccdd-eeff is allowed to send traffic over this port. All other traffic will be dropped and an SNMP trap message will be generated.
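The alarm above is what a monitoring system actually sees when port security acts, so it is worth parsing. As an added example (not part of the original post), here is a small Python parser that extracts the interface, the MAC count/limit and the numeric port status, maps the status back to restrict/protect/shutdown using the legend in the message, and counts violations per port. The line layout is assumed from the single alarm shown (one alarm per line, line-wrap spaces removed); the sample log is constructed.

```python
import re
from collections import Counter

# Layout of the Huawei PORTSEC_ACTION_ALARM line shown above (assumed: one alarm
# per line, with the line-wrap spaces of the blog capture removed).
ALARM_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2})?) "
    r"(?P<host>\S+) L2IFPPI/\d/PORTSEC_ACTION_ALARM:OID [\d.]+ "
    r"The number of MAC address on interface \((?P<count>\d+)/(?P<limit>\d+)\) "
    r"(?P<iface>\S+) reaches the limit, and the port status is : (?P<status>\d)\."
)
# Meaning of the numeric status, taken from the legend the alarm itself prints.
STATUS = {"1": "restrict", "2": "protect", "3": "shutdown"}

def parse_alarm(line):
    """Parse one log line; return a dict for a port-security alarm, else None."""
    m = ALARM_RE.match(line.strip())
    if not m:
        return None
    return {"timestamp": m["ts"], "host": m["host"], "interface": m["iface"],
            "mac_count": int(m["count"]), "mac_limit": int(m["limit"]),
            "action": STATUS.get(m["status"], "unknown")}

def summarize(lines):
    """Count alarms per (host, interface) and collect ports that were shut down."""
    per_port, shut_down = Counter(), set()
    for line in lines:
        ev = parse_alarm(line)
        if ev is None:          # not a port-security alarm, skip it
            continue
        key = (ev["host"], ev["interface"])
        per_port[key] += 1
        if ev["action"] == "shutdown":
            shut_down.add(key)
    return per_port, shut_down

# Constructed sample log: the first line reproduces the alarm from the post
# (rewrapped onto one line), the others are made up in the same format.
TEMPLATE = ("Sep 18 2013 {t}-08:00 labnarioSW1 L2IFPPI/4/PORTSEC_ACTION_ALARM:"
            "OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.6 The number of MAC address on "
            "interface ({n}/{n}) {iface} reaches the limit, and the port status "
            "is : {s}. (1:restrict;2:protect;3:shutdown)")
SAMPLE_LOG = [
    TEMPLATE.format(t="12:51:06", n=6, iface="GigabitEthernet0/0/1", s=1),
    TEMPLATE.format(t="12:52:10", n=1, iface="GigabitEthernet0/0/1", s=1),
    TEMPLATE.format(t="12:55:41", n=2, iface="GigabitEthernet0/0/2", s=3),
    "Sep 18 2013 12:56:00-08:00 labnarioSW1 IFNET/4/LINK_STATE: some other event",
]
```

Feeding `SAMPLE_LOG` to `summarize()` yields two alarms on GigabitEthernet0/0/1 (restrict) and one shutdown on GigabitEthernet0/0/2; a repeated restrict on one port is a good trigger to go and check what was plugged in there.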
If we want our port to go into a state other than the default restrict state, we can use one of the following options:
[labnarioSW1-GigabitEthernet0/0/1]port-security protect-action ?
  protect   Discard packets
  restrict  Discard packets and warning
  shutdown  shutdown
It is important to note that this secure MAC address, which was learned dynamically by the switch, is stored in switch memory and will not be aged out, but in case of a switch reload it will disappear from memory. To avoid this, MAC address sticky can be configured. This option instructs the switch to save the MAC address to the configuration file.
[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky
MAC address sticky also allows the MAC address to be defined manually. This option can be used when the PC is not actually connected to the switch port and its MAC address cannot be dynamically learned:
[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky aaaa-bbbb-cccc vlan 1
[labnarioSW1-GigabitEthernet0/0/1]display mac-address security
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/      PEVLAN CEVLAN Port            Type        LSP/LSR-ID
               VSI/SI                                               MAC-Tunnel
-------------------------------------------------------------------------------
aaaa-bbbb-cccc 1          -      -      GE0/0/1         sticky      -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
If we want to define more than one secure MAC address (by default only one is allowed), we can raise the limit with the following command:
[labnarioSW1-GigabitEthernet0/0/1]port-security max-mac-num 2
Now I can add the second secure MAC address:
[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky cccc-bbbb-aaaa vlan 1
[labnarioSW1-GigabitEthernet0/0/1]display mac-address security
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/      PEVLAN CEVLAN Port            Type        LSP/LSR-ID
               VSI/SI                                               MAC-Tunnel
-------------------------------------------------------------------------------
aaaa-bbbb-cccc 1          -      -      GE0/0/1         sticky      -
cccc-bbbb-aaaa 1          -      -      GE0/0/1         sticky      -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 2
The last option of the Port Security feature is the aging time. By default, every MAC address learned dynamically and stored in switch memory as a secure MAC address will not be aged out. This default behavior can be changed and an aging time can be set using the following command:
[labnarioSW1-GigabitEthernet0/0/1]port-security aging-time 2
Keep in mind that this value represents time in minutes.