Switch port security configuration and verification

In this lesson we continue our studies of the topics in the Security Fundamentals section of the CCNA exam blueprint. This lesson covers switch port security configuration and verification. Port security is a security feature of Cisco switches that allows you to control what source MAC addresses are allowed to enter a switchport. Port security is covered in exam topic 5.7, which says you must be able to “Configure Layer 2 security features (DHCP snooping, dynamic ARP inspection, and port security)”. DHCP snooping and ARP inspection are two other switch security tools that take advantage of the switch’s access layer role. These tools are the topics of the next two lessons respectively.

This lesson first introduces port security and its importance in enterprise network security. Then key port security concepts relating to how the port security feature functions are introduced. Then switch port security configuration and verification are discussed. Finally, port security violation modes are discussed (shutdown, protect, and restrict). This post constitutes Issue 38 of my CCNA 200-301 study notes.

  • Key port security concepts
  • Port security configuration
  • Verifying port security
  • Port security violation modes
  • Port security shutdown mode
  • Port security protect mode
  • Port security restrict mode
  • Command review
  • Practice quiz questions
  • Key references

You may also be interested in CCNA 200-301 study notes.

Key port security concepts

Attackers can launch attacks from endpoints connected to an enterprise’s LAN switch. Attackers might gain physical access to the endpoint or first infect the switch to then launch an attack.

LAN switches connected to endpoint devices can be configured for security enforcement. Port security is a feature in Cisco switches that helps prevent several types of attacks.

The network engineer can use port security to restrict interfaces so that only certain network devices can use the interfaces. Port security identifies devices based on the source MAC address of Ethernet frames sent by the device. 

If an unauthorized person (e.g., an attacker) connects a laptop to an unused switch port and attempts to send frames to the switch interface from the laptop, the switch can take different actions, ranging from simply issuing informational messages to effectively shutting down the interface.

If a frame with an unauthorized source MAC address enters the port, an action will be taken. There are a few possible actions that you can configure, but the default action is to place the interface in an err-disabled state. 

For example, in Figure 6-1, PC1 sends a frame with PC1’s MAC address as the source address. SW1’s F0/1 interface can be configured with port security such that SW1 would examine PC1’s MAC address and decide whether PC1 was allowed to send frames into port F0/1.

Figure 6-1 Source MAC Addresses in Frames as They Enter a Switch (Odom, 2020, p. 333)

This port security feature will also work if the Ethernet frame is forwarded through other switches and not sent from a local device. SW1 can use port security on its G0/1 interface, checking the source MAC address of the frame from PC2, when forwarded up to SW1 from SW2.

Port security has several flexible options, but it operates according to some core concepts:

  • Port security is configured on a per-interface basis, meaning switches enable port security per port, with different settings available per port.

  • Each port has a maximum number of allowed unique MAC addresses. “When a frame with a new source MAC address arrives, pushing the number of MAC addresses past the allowed maximum, a port security violation occurs. At that point, the switch takes action—by default, discarding all future incoming traffic on that port.” (p. 334)

The basics of port security 

  • When port security is configured on a switch interface, the switch will examine frames received on the interface to determine if a violation has occurred. The switch will compare the source MAC address of the frame to the list of MAC addresses that are allowed to transmit on the interface. If the source MAC address is not on the list, the switch will drop the frame.
  • The switchport port-security command on a switch defines a maximum number of unique source MAC addresses allowed for all frames coming in the interface. This setting can help prevent unauthorized devices from connecting to the network.
  • The switch port security feature keeps a list and counter of all unique source MAC addresses on the interface. This list is used to track the number of MAC addresses that are allowed on the port, and to detect security violations. The list of MAC addresses is stored in the switch’s memory, and it is updated whenever a new MAC address is learned or an existing MAC address is removed. The list is also used to track the aging time for MAC addresses.
  • The switch port security feature keeps track of the MAC addresses that are learned on a port. If the number of MAC addresses exceeds the maximum allowed for a port, the switch considers the newly learned MAC address to be a violation.
  • The switch port security feature takes action to discard frames from the violating MAC addresses, besides other actions that depend on the configured violation mode.

Port security allows other options as well, including:

  • Define a maximum of three MAC addresses, defining all three specific MAC addresses.
  • Define a maximum of three MAC addresses but allow those addresses to be dynamically learned, allowing the first three MAC addresses learned.
  • Define a maximum of three MAC addresses, predefining one specific MAC address, and allowing two more to be dynamically learned.

Finding the MAC address of each device to allow us to predefine the MAC addresses for port security can be a hassle. 

  • A port security feature called sticky secure MAC addresses helps reduce the effort of finding out the MAC address of each device. “With this feature, port security learns the MAC addresses off each port so that you do not have to preconfigure the values. It also adds the learned MAC addresses to the port security configuration (in the running-config file)”. (p. 335)

Port security configuration

Port security works on both access ports and trunk ports. The port must be statically configured as a trunk or an access port rather than let the switch dynamically decide whether to use trunking. 

Here’s how to enable port security, set the maximum allowed MAC addresses per port, and configure the actual MAC addresses:

Step 1: Use the switchport mode access interface subcommand to make the switch interface a static access interface. Use the switchport mode trunk interface subcommand to make the switch interface a trunk interface.

Step 2: Use the switchport port-security interface subcommand to enable port security on the interface.

Step 3: (Optional) Use the switchport port-security maximum number interface subcommand to override the default maximum number (one) of allowed MAC addresses associated with the interface.

Step 4: (Optional) Use the switchport port-security violation {protect | restrict | shutdown} interface subcommand to override the default action to take upon a security violation (shutdown).

Step 5: (Optional) Use the switchport port-security mac-address mac-address interface subcommand to predefine any allowed source MAC addresses for this interface. Use the command multiple times to define more than one MAC address.

Step 6: (Optional) Use the switchport port-security mac-address sticky interface subcommand to tell the switch to “sticky learn” dynamically learned MAC addresses.

Let’s look at a port security configuration example to demonstrate how to configure this variety of settings. Figure 6-2 and Example 6-1 show four examples of port security. On SW1, ports F0/1, F0/2, and F0/3 operate as access ports, while port F0/4, connected to another switch (SW2), operates as a trunk.

Figure 6-2 Port Security Configuration Example (Odom, 2020, p. 337)

Let’s check out SW1’s current configuration using the show running-config command in the CLI.

Example 6-1: Variations on Port Security Configuration (Odom, 2020)

[Image: Example 6-1 show running-config output; image courtesy of Wendell Odom (2020)]

Note the subcommands used for configuration in each case (each interface).

>When a frame with a source other than 0200.1111.1111 enters F0/1, port security will take the default violation action to disable the interface.

>FastEthernet 0/2 uses the sticky learning feature. The configuration of the switchport port-security mac-address sticky command tells the switch to dynamically learn source MAC addresses and add port-security commands to the running-config. 

Using the show running-config interface command, we can see the running-config file that lists the sticky-learned MAC address, which in this case is, as expected, that of Server 2. Example 6-2 shows this output.

Example 6-2 Configuration Added by the Port Security Sticky Feature (Odom, 2020)

SW1#show running-config interface f0/2 

[Image: Example 6-2 output showing the sticky-learned MAC address; image courtesy of Wendell Odom (2020)]

Use the copy running-config startup-config command if you want port security to save the configuration of the sticky addresses.

>Interface F0/3 uses the default maximum number of allowed MAC addresses of one.

>FastEthernet 0/4 supports eight MAC addresses because it connects to another switch and can receive frames with multiple source MAC addresses.

Switches can also use port security on voice ports and EtherChannels. For voice ports, make sure to configure the maximum MAC addresses to at least two (one for the phone and one for a PC connected to the phone). On EtherChannels, the port security configuration should be placed on the port-channel interface, rather than the individual physical interfaces in the channel. (Odom, 2020, p. 340)

Verifying port security

The show port-security interface command lists the configuration settings for port security on an interface and lists several important facts about the current operation of port security, including information about any security violations. 

The two commands in Example 6-3 show interfaces F0/1 and F0/2, based on Example 6-1’s configuration.

Example 6-3 Using Port Security to Define Correct MAC Addresses of Particular Interfaces (Odom, 2020)

[Image: Example 6-3 show port-security interface output for F0/1 and F0/2; image courtesy of Wendell Odom (2020)]

Note, a security violation has occurred on FastEthernet 0/1. This interface is in a secure-shutdown state, which means that the interface has been disabled because of port security. Another device connected to port F0/1 sent a frame with a source MAC address other than 0200.1111.1111, causing a violation. 

Port security MAC addresses

Even if the MAC addresses are dynamically learned, as in F0/2, once port security has been enabled, the switch no longer considers MAC addresses associated with that port as dynamic entries, so they are not listed by the show mac address-table dynamic EXEC command.

You need to use one of the following two options to see the MAC table entries associated with ports using port security:

  • show mac address-table secure: Lists MAC addresses associated with ports that use port security.
  • show mac address-table static: Lists MAC addresses associated with ports that use port security, as well as any other statically defined MAC addresses.

Example 6-4 Using the secure Keyword to See MAC Table Entries When Using Port Security (Odom, 2020)

[Image: Example 6-4 show mac address-table secure and show mac address-table dynamic interface output; image courtesy of Wendell Odom (2020)]

Port security violation modes

Think back to the DHCP starvation attack covered in the CCNA Security Fundamentals lesson. The attacker spoofed thousands of MAC addresses and the DHCP server assigned IP addresses to those fake MAC addresses, exhausting the DHCP pool. Using port security to limit the number of MAC addresses allowed on an interface and to control which MAC addresses are allowed can protect against this type of attack.

The violation mode defines how port security should react when a violation occurs.

  • For an interface that predefines all the specific MAC addresses allowed on the interface, a violation occurs when the switch receives a frame whose source MAC is not one of those configured addresses.
  • For an interface that allows two MAC addresses, a violation occurs when the total of preconfigured and learned MAC addresses on the interface exceeds the configured maximum of two.

Each switch port can be configured to use one of three violation modes that define the actions to take when a violation occurs: shutdown, protect, and restrict. All three options cause the switch to discard the frame whose source MAC address would push the number of learned MAC addresses over the limit. However, the additional steps taken in each mode vary. The restrict and shutdown options send log messages when a violation occurs. Shutdown mode also shuts down the port.

Shutdown mode is the primary port security operational mode. The shutdown mode puts the interface in an err-disabled state and sets port security state to secure-down.

The restrict and protect violation modes secure switch ports in a different way than the shutdown mode, which disables the interface. The restrict and protect violation modes still discard offending traffic, but the interface remains in a connected (up/up) state and in a port security state of secure-up. So the port continues to forward good traffic but discards offending traffic.

Table 6-2 lists the three modes, their actions, along with the keywords that enable each mode on the switchport port-security violation {protect | restrict | shutdown} interface subcommand.

Table 6-2 Actions When Port Security Violation Occurs (Odom, 2020)

[Table: Table 6-2 Actions When Port Security Violation Occurs; table courtesy of Wendell Odom (2020)]
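The three violation modes can be replayed in a small model of one secure port. The Python below is an added example, not code from Odom’s book or from Cisco IOS; the PortSecurity class, the port names, the traffic and the syslog-style message text are constructed for illustration. It covers the configuration steps (maximum, predefined and sticky addresses) as well as the shutdown, protect and restrict behaviour described above, including the violation counter semantics.

```python
class PortSecurity:
    """One switch port with port security enabled, following the rules above."""

    def __init__(self, name, maximum=1, violation="shutdown",
                 static_macs=(), sticky=False):
        if violation not in ("shutdown", "protect", "restrict"):
            raise ValueError("violation mode must be shutdown, protect or restrict")
        self.name = name
        self.maximum = maximum          # switchport port-security maximum
        self.violation = violation      # switchport port-security violation
        self.sticky = sticky            # switchport port-security mac-address sticky
        # Predefined addresses: switchport port-security mac-address <mac>
        self.secure_macs = set(static_macs)
        self.running_config = [f"switchport port-security mac-address {m}"
                               for m in static_macs]
        self.port_status = "secure-up"  # secure-shutdown once err-disabled
        self.violation_count = 0        # "Security Violation Count" in show output
        self.last_source = None         # (mac, vlan) of the last offending frame
        self.logs = []                  # syslog-style messages (constructed text)

    def receive(self, src_mac, vlan=1):
        """Handle one inbound frame: True if forwarded, False if discarded."""
        if self.port_status == "secure-shutdown":
            return False                # err-disabled: nothing goes in or out
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # Below the maximum, so learn the address. Sticky learning also adds
            # it to the running-config; plain dynamic learning does not.
            self.secure_macs.add(src_mac)
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return True
        return self._violation(src_mac, vlan)

    def _violation(self, src_mac, vlan):
        """Apply the configured violation mode; the frame is always discarded."""
        self.last_source = (src_mac, vlan)
        if self.violation == "protect":
            return False                # no log, no counter, port stays secure-up
        self.logs.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                         f"occurred, caused by MAC address {src_mac} on port {self.name}.")
        self.violation_count += 1       # restrict: once per offending frame;
        if self.violation == "shutdown":  # shutdown: once per err-disable event
            self.port_status = "secure-shutdown"
        return False

    def recover(self):
        """shutdown / no shutdown (or errdisable recovery) restores the port."""
        self.port_status = "secure-up"  # the violation counter is not reset


def run_scenarios():
    """Replays the three modes on constructed traffic; returns what an operator sees."""
    # Fa0/1 as in Example 6-1: one predefined address, default shutdown mode.
    f01 = PortSecurity("Fa0/1", static_macs=["0200.1111.1111"])
    f01.receive("0200.1111.1111")
    f01.receive("0200.2222.2222")          # violation: err-disabled, counter 1
    f01.recover()                           # shutdown / no shutdown by the admin
    f01.receive("0200.2222.2222")          # err-disabled again, counter 2
    # Protect mode with sticky learning: the second MAC is dropped silently.
    prot = PortSecurity("Fa0/2", violation="protect", sticky=True)
    prot.receive("0200.2222.2222")         # sticky-learned into running_config
    prot.receive("0200.3333.3333")
    # Restrict mode as in Example 6-8: 97 offending frames from one source MAC.
    rest = PortSecurity("Fa0/13", violation="restrict")
    rest.receive("0200.1111.1111")
    for _ in range(97):
        rest.receive("0200.3333.3333")
    return {"shutdown": (f01.port_status, f01.violation_count),
            "protect": (prot.port_status, prot.violation_count, len(prot.logs)),
            "restrict": (rest.port_status, rest.violation_count, rest.last_source)}
```

Calling run_scenarios() shows the point the table makes: only shutdown mode changes the port state, protect mode leaves no trace at all, and restrict mode keeps the port up while counting and logging every offending frame.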

Port security shutdown mode

When the (default) shutdown violation mode is used and a port security violation occurs, the switch uses the err-disabled feature, in effect shutting down the port. All frame forwarding on the interface, both in and out of the port, is stopped. Traffic will no longer be sent or received by that interface. However, port security does not literally configure the port with the shutdown interface subcommand.

Cisco switches use the err-disabled state for a range of purposes. When a violation occurs while using port security shutdown mode, the following happens:

  • The switch interface state (per show interfaces and show interfaces status) changes to an err-disabled state.
  • The switch interface port security state (per show port-security) changes to a secure-down state.
  • The switch stops sending and receiving frames on the interface.

In order for the interface to recover from an err-disabled state, the interface must be shut down with the shutdown command and then enabled with the no shutdown command. 

Alternately, the switch can be configured to automatically recover from the err-disabled state with these commands:

  • errdisable recovery cause psecure-violation: A global command to enable automatic recovery for interfaces in an err-disabled state caused by port security.
  • errdisable recovery interval seconds: A global command to set the time to wait before recovering the interface.

We can check the port security configuration on an interface with the show port-security interface command, as we see in Example 6-3 and Example 6-6.

The show port-security command (as listed in Example 6-5) shows briefer output, with one line per enabled interface.

Example 6-5 Confirming the Port Security Violation Mode (Odom, 2020)

[Image: Example 6-5 show port-security output; image courtesy of Wendell Odom (2020)]

For these next examples, a switch has port security configured on port Fa0/13 to support one MAC address, and that maximum has already been reached; the configured security violation action is “shutdown.”

The first command confirms the err-disabled state (per the show interfaces status command).

Example 6-6 Port Security Status in Shutdown Mode After a Violation (Odom, 2020)

[Image: Example 6-6 show interfaces status and show port-security interface output after a violation; image courtesy of Wendell Odom (2020)]

The output of the show port-security interface command lists the current port-security status (secure-shutdown) as well as the configured mode (shutdown). 

The second-to-last line of the output identifies the MAC address and VLAN of the device that caused the violation.

The last line of the output lists the number of violations that caused the interface to fail to an err-disabled state.

The violations counter notes the number of times the interface has been moved to the err-disabled (secure-shutdown) state. Another violation after recovery that causes the interface to fail to an err-disabled state will cause the counter to increment to 2.

Port security protect mode

Protect mode just discards the offending frame. “The switch does not change the port to an err-disabled state, does not generate messages, and does not even increment the violations counter.”

Let’s look at an example in the CLI.

Example 6-7 shows a sample with protect mode after several violations. 

The show port-security interface command confirms the protect mode as configured in the top part of the diagram, with a port security state of secure-up—a state that will not change in protect mode. 

Note that the counter at the bottom shows 0 despite several violations because protect mode does not count the violating frames.

Example 6-7 Port Security Using Protect Mode (Odom, 2020)

[Image: Example 6-7 show port-security interface output in protect mode; image courtesy of Wendell Odom (2020)]

Port security restrict mode

Restrict mode provides a compromise between the other two modes. If Example 6-7 had used the restrict violation mode instead of protect, the port status would have remained in a secure-up state. However, the CLI would give indication of port security activity, such as an incrementing violation counter, as well as syslog messages. 

Example 6-8 shows an example of the violation counter and ends with an example port security syslog message. In this example, 97 incoming frames violated the rules, with the most recent frame having a source MAC address of 0200.3333.3333 in VLAN 1.

Example 6-8 Port Security Using Violation Mode Restrict (Odom, 2020)

[Image: Example 6-8 show port-security interface output in restrict mode and the port security syslog message; image courtesy of Wendell Odom (2020)]
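Because the show port-security interface output is where an operator sees the secure-shutdown state, the offending MAC address and VLAN, and the violation counter discussed in Examples 6-6 through 6-8, it is a natural input for a monitoring check. The Python below is an added example, not from the book or from Cisco; the sample output is constructed in the same key/value layout with made-up values, and the parse_port_security, assess and report functions are this example’s own.

```python
import re

# Constructed sample in the key/value layout of "show port-security interface"
# (fields discussed in Examples 6-3, 6-6, 6-7 and 6-8); the values are made up.
SHOW_OUTPUT = {
    "FastEthernet0/1": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Last Source Address:Vlan   : 0200.3333.3333:1
Security Violation Count   : 1
""",
    "FastEthernet0/2": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
""",
    "FastEthernet0/13": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Last Source Address:Vlan   : 0200.3333.3333:1
Security Violation Count   : 97
""",
}

# The label may itself contain a colon ("Last Source Address:Vlan"), so split on
# the colon that is surrounded by whitespace rather than on the first colon.
FIELD = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")


def parse_port_security(text):
    """Parse the output into a dict keyed by the IOS field labels."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.rstrip())
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    return fields


def assess(name, fields):
    """Classify one interface from its parsed fields; returns (severity, message)."""
    status = fields["Port Status"].lower()
    mode = fields["Violation Mode"].lower()
    count = int(fields["Security Violation Count"])
    last_mac, last_vlan = fields["Last Source Address:Vlan"].rsplit(":", 1)
    total = int(fields["Total MAC Addresses"])
    maximum = int(fields["Maximum MAC Addresses"])
    if status == "secure-shutdown":          # err-disabled: port passes no traffic
        return ("critical", f"{name} err-disabled by port security; last offender "
                            f"{last_mac} in VLAN {last_vlan}; shutdowns so far: {count}")
    if mode == "restrict" and count > 0:     # port stays up, offending frames counted
        return ("warning", f"{name} discarded {count} offending frames in restrict "
                           f"mode; last offender {last_mac} in VLAN {last_vlan}")
    if mode == "protect":                    # counter stays 0 no matter what was dropped
        return ("info", f"{name} runs protect mode: violations are not visible here")
    return ("ok", f"{name} secure-up, {total}/{maximum} secure addresses in use")


def report(outputs=SHOW_OUTPUT):
    """Assess every interface; returns {interface: (severity, message)}."""
    return {name: assess(name, parse_port_security(text))
            for name, text in outputs.items()}
```

The protect-mode branch is the caveat Example 6-7 illustrates: a port in protect mode can be discarding frames steadily while this output reports zero violations, so it should not be relied on for detection.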

Figure 6-4 summarizes the key points about the restrict mode for port security. The figure matches the same scenario as the example, with 97 total violating frames arriving so far, with the most recent being from source MAC address MAC3.

Figure 6-4 Summary of Actions: Port Security Violation Mode Restrict (Odom, 2020)

Command review

>Three steps are required to configure port security (with examples):

Step 1. Define the interface as an access (or as a trunk) interface by using the switchport mode access (or the switchport mode trunk) interface subcommand.

SW(config-if)#switchport mode {access | trunk}
→to tell the switch to always be an access port or always be a trunk port

SW1(config)#interface g0/1

SW1(config-if)#switchport mode access

Step 2. Enable port security on the interface.

SW(config-if)#switchport port-security

Step 3. Define which MAC addresses are allowed to send frames through this interface by using the switchport port-security mac-address interface subcommand or the switchport port-security mac-address sticky interface subcommand to dynamically learn the MAC address of the currently connected host.

SW(config-if)#switchport port-security mac-address mac-address
→to statically add a specific MAC address as an allowed MAC address on the interface

SW1(config-if)#switchport port-security mac-address 0200.1111.1111

SW(config-if)#switchport port-security mac-address sticky
→to tell the switch to learn MAC addresses on the interface and add them to the configuration for the interface as secure MAC addresses

>Two steps are optional to configure port security (with examples):

>Define what action the switch will take when receiving a frame from an unauthorized device. 

SW(config-if)#switchport port-security violation {protect | restrict | shutdown}
→to tell the switch what to do if an inappropriate MAC address tries to access the network through a secure switch port

SW1(config-if)#switchport port-security violation protect

>Define the maximum number of MAC addresses that can be used on the port. 

SW(config-if)#switchport port-security maximum value
→to set the maximum number of static secure MAC addresses that can be assigned to a single interface

SW1(config-if)#switchport port-security maximum 8

>Other port security configuration commands:

In order for the interface to recover from an err-disabled state, the interface must be shut down with the shutdown command and then enabled with the no shutdown command. 

SW(config-if)#shutdown | no shutdown 
→to administratively disable and enable an interface

Alternately, the switch can be configured to automatically recover from the err-disabled state with these commands:

SW(config)#errdisable recovery cause psecure-violation
→to enable the automatic recovery from err-disabled state for ports that reach that state due to port security violations

SW(config)#errdisable recovery interval seconds
→to set the delay, in seconds, before a switch attempts to recover an interface in err-disabled mode, regardless of the reason for that interface being in that state

>Port security verification commands:

SW#show running-config
→to list the currently used configuration

SW#show running-config interface interface
→to display the running-configuration excerpt of the listed interface and its subcommands only

SW#show port-security interface interface
→to list an interface’s port security configuration settings and security operational status

SW#show port-security
→to list one line per enabled interface that summarizes the port security settings for any interface on which it is enabled

SW#show interfaces [interface interface] status
→to list one output line per interface (or for only the listed interface if included), noting the description, operating state, and settings for duplex and speed on each interface

SW#show mac address-table dynamic [interface interface]
→to list the dynamically learned entries in the switch’s address (forwarding) table

Once port security has been enabled the switch no longer considers MAC addresses associated with that port as being dynamic entries.

Use one of the following two options to see the MAC table entries associated with ports using port security:

SW#show mac address-table secure [interface interface]
→to list MAC addresses defined or learned on ports configured with port security

SW#show mac address-table static [interface interface]
→to list static MAC addresses and MAC addresses learned or defined with port security


Practice quiz questions

You can find five quiz questions and answers for this lesson in Odom, 2020, pp. 330-332.

Key references

Odom, W. (2020). Chapter 6: Implementing Switch Port Security. In CCNA 200-301 Official Cert Guide, Volume 2 (pp. 328-358). Cisco Press.
