What is an IOS command that can be used to control access to a switch port based on MAC address?
Configuring Port Security
This chapter describes how to configure port security on Catalyst 4500 series switches. It provides guidelines, procedures, and configuration examples.
Annotation 
For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at
http://www.cisco.com/univercd/cc/td/medico/product/software/ios122/122cgcr/alphabetize.htm.
This chapter consists of these sections:
•Overview of Port Security
•Default Port Security Configuration
•Port Security Guidelines and Restrictions
•Configuring Port Security
•Displaying Port Security Settings
Overview of Port Security
Yous can utilize the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does non forward packets with source addresses exterior the group of defined addresses. If yous limit the number of secure MAC addresses to one and assign a single secure MAC accost, the workstation attached to that port is assured the full bandwidth of the port.
If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
Afterwards you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in 1 of these means:
•You can configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
•You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of continued devices.
•You can configure a number of addresses and allow the residual to be dynamically configured.
Note If the port shuts downwards, all dynamically learned addresses are removed.
•You can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although viscid secure addresses can be manually configured, information technology is non recommended.
You can configure an interface to convert the dynamic MAC addresses to glutinous secure MAC addresses and to add them to the running configuration past enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address glutinous command. When you enter this control, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned earlier sticky learning was enabled, to pasty secure MAC addresses.
The viscous secure MAC addresses practise not automatically get role of the configuration file, which is the startup configuration used each time the switch restarts. If y'all save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you practice not relieve the configuration, they are lost.
If viscous learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.
After the maximum number of secure MAC addresses is configured, they are stored in an accost tabular array. To ensure that an attached device has the total bandwidth of the port, configure the MAC address of the attached device and set the maximum number of addresses to i, which is the default.
Note When a Goad 4500 serial switch port is configured to support voice as well as port security, the maximum number of commanded MAC addresses on this port should be changed to three.
A security violation occurs if the maximum number of secure MAC addresses has been added to the accost table and a workstation whose MAC address is not in the address table attempts to access the interface.
You can configure the interface for i of these violation modes, based on the action to exist taken if a violation occurs:
•Restrict—A port security violation restricts data, causes the SecurityViolation counter to increment, and causes an SNMP Notification to be generated. The rate at which SNMP traps are generated tin be controlled past the snmp-server enable traps port-security trap-charge per unit command. The default value ("0") causes an SNMP trap to be generated for every security violation.
•Shutdown—A port security violation causes the interface to shut down immediately. When a secure port is in the error-disabled state, you can bring it out of this state past entering the errdisable recovery cause psecure-violation global configuration command or you tin can manually reenable it by entering the shutdown and no shut downward interface configuration commands. This is the default mode.
You can also customize the fourth dimension to recover from the specified error disable cause (default is 300 seconds) by entering the errdisable recovery interval interval command.
Default Port Security Configuration
Table 32-1 shows the default port security configuration for an interface.
| | |
|---|---|
| Port security | Disabled on a port |
| Maximum number of secure MAC addresses | 1 |
| Violation way | Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent. |
| Aging | Disabled |
| Aging type | Absolute |
| Static Aging | Disabled |
| Sticky | Disabled |
Port Security Guidelines and Restrictions
Follow these guidelines when configuring port security:
•A secure port cannot be a trunk port.
•A secure port cannot be a destination port for Switch Port Analyzer (SPAN).
•A secure port cannot belong to an EtherChannel port-channel interface.
•A secure port and static MAC address configuration are mutually sectional.
Configuring Port Security
These sections describe how to configure port security:
•Configuring Port Security on an Interface
•Configuring Port Security Aging
Configuring Port Security on an Interface
To restrict traffic through a port by limiting and identifying MAC addresses of the stations allowed to access the port, perform this task:
| | | |
|---|---|---|
| Step 1 | Switch(config)# interface interface_id | Enters interface configuration style and enters the concrete interface to configure, for example gigabitethernet 3/i. |
| Step ii | Switch(config-if)# switchport mode access | Sets the interface style as admission; an interface in the default mode (dynamic desirable) cannot exist configured as a secure port. |
| Footstep 3 | Switch(config-if)# switchport port-security | Enables port security on the interface. |
| Step iv | Switch(config-if)# switchport port-security maximum value | (Optional) Sets the maximum number of secure MAC addresses for the interface. The range is ane to 3072; the default is 1. |
| Step 5 | Switch(config-if)# switchport port-security violation {restrict | shutdown} | (Optional) Sets the violation style, the activeness to be taken when a security violation is detected, as one of these: • • Note |
| Step 6 | Switch(config-if)# switchport port-security limit rate invalid-source-mac | Sets the rate limit for bad packets. |
| Step 7 | Switch(config-if)# switchport port-security mac-address mac_address | (Optional) Enters a secure MAC address for the interface. You lot can use this command to enter the maximum number of secure MAC addresses. If yous configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. |
| Pace 8 | Switch(config-if)# switchport port-security mac-address gluey | (Optional) Enable sticky learning on the interface. |
| Pace 9 | Switch(config-if)# end | Returns to privileged EXEC manner. |
| Footstep 10 | Switch# evidence port-security accost interface interface_id Switch# show port-security address | Verifies your entries. |
•To return the interface to the default status every bit not a secure port, utilise the no switchport port-security interface configuration command.
•To render the interface to the default number of secure MAC addresses, utilize the no switchport port-security maximum value.
•To delete a MAC address from the address tabular array, use the no switchport port-security mac-address mac_address control.
•To return the violation mode to the default condition (shutdown style), use the no switchport port-security violation {restrict | shutdown} control.
•To disable sticky learning on an interface, apply the no switchport port-security mac-address sticky control. The interface converts the sticky secure MAC addresses to dynamic secure addresses.
•To delete a viscous secure MAC addresses from the address table, use the no switchport port-security mucilaginous mac-address mac_address command. To delete all the viscid addresses on an interface or a VLAN, use the no switchport port-security gummy interface interface-id command.
•To clear dynamically learned port security MAC in the CAM tabular array, use the clear port-security dynamic command. The address keyword enables you to articulate a secure MAC addresses. The interface keyword enables you to clear all secure addresses on an interface.
This example shows how to enable port security on Fast Ethernet port 12 and how to prepare the maximum number of secure addresses to five. The violation mode is the default, and no secure MAC addresses are configured.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet 3/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum five
Switch(config-if)# switchport port-security mac-address pasty
Switch(config-if)# stop
Switch# show port-security interface fastethernet 3/12
Port Security :Enabled
Port Status :Secure-up
Violation Fashion :Shutdown
Aging Time :0
Aging Type :Absolute
SecureStatic Address Aging :Enabled
Maximum MAC Addresses :5
Total MAC Addresses :0
Configured MAC Addresses :0
Viscous MAC Addresses :11
Final Source Address :0000.0000.0401
Security Violation Count :0
This example shows how to configure a secure MAC address on Fast Ethernet port 5/i and verify the configuration:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet 5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum ten
Switch(config-if)# switchport port-security mac-address 0000.0000.0003 (Static secure MAC)
Switch(config-if)# switchport port-security mac-accost sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 (Viscous static MAC)
Switch(config-if)# switchport port-security mac-accost gluey 0000.0000.0002
Switch(config-if)# end
Switch#bear witness port address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
ane 0000.0000.0001 SecureSticky Fa5/1 -
1 0000.0000.0002 SecureSticky Fa5/1 -
1 0000.0000.0003 SecureConfigured Fa5/1 -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 2
Max Addresses limit in Organisation (excluding one mac per port) : 1024
Configuring Port Security Aging
You can use port security crumbling to set the aging time and aging type for all secure addresses on a port.
Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while all the same limiting the number of secure addresses on a port.
To configure port security aging, perform this task:
| | | |
|---|---|---|
| Step 1 | Switch(config)# interface interface_id | Enters interface configuration mode for the port on which y'all desire to enable port security aging. |
| Step 2 | Switch(config-if)# switchport port-security [ aging {static | fourth dimension aging_time | type {accented | inactivity} ] | Sets the crumbling time for the secure port. The static keyword enables aging for statically configured secure addresses on this port. The time aging_time keyword specifies the aging time for this port. Valid range for aging_time is from 0 to 1440 minutes. If the time is equal to 0, aging is disabled for this port. The type keyword sets the aging type as accented or inactive. For absolute aging, all the secure addresses on this port ago out exactly later the time (minutes) specified and are removed from the secure address list. For inactive aging, the secure addresses on this port agone out only if at that place is no data traffic from the secure source address for the specified time menstruation. |
| Stride three | Switch(config-if)# terminate | Returns to privileged EXEC mode. |
| Step 4 | Switch# bear witness port security [interface interface_id] [address] | Verifies your entries. |
To disable port security aging for all secure addresses on a port, utilise the no switchport port-security crumbling time interface configuration command.
This example shows how to set the aging time as 2 hours for the secure addresses on the Fast Ethernet interface v/ane:
Switch(config)# interface fastethernet 5/1
Switch(config-if)# switchport port-security aging fourth dimension 120
This case shows how to set the aging fourth dimension as 2 minutes:
Switch(config-if)# switchport port-security aging time two
Y'all tin can verify the previous commands past entering the bear witness port-security interface interface_id control.
Displaying Port Security Settings
Use the show port-security control to display port-security settings for an interface or for the switch.
To display traffic control data, perform one or more of these tasks:
| | |
|---|---|
| Switch# bear witness port-security [interface interface_id] | Displays port security settings for the switch or for the specified interface, including the maximum immune number of secure MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode. |
| Switch# show port-security [interface interface_id] address | Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address. |
This example displays output from the show port-security command when y'all do not enter an interface:
Switch# prove port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa3/i 2 2 0 Restrict
Fa3/2 2 2 0 Restrict
Fa3/iii 2 two 0 Shutdown
Fa3/4 2 2 0 Shutdown
Fa3/5 2 ii 0 Shutdown
Fa3/6 ii 2 0 Shutdown
Fa3/7 2 2 0 Shutdown
Fa3/8 2 2 0 Shutdown
Fa3/10 1 0 0 Shutdown
Fa3/11 i 0 0 Shutdown
Fa3/12 1 0 0 Restrict
Fa3/13 i 0 0 Shutdown
Fa3/14 1 0 0 Shutdown
Fa3/15 1 0 0 Shutdown
Fa3/xvi one 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in Organisation (excluding one mac per port) :eight
Max Addresses limit in System (excluding one mac per port) :1024
Global SNMP trap control for port-security :20 (traps per second)
This example displays output from the testify port-security command for a specified interface:
Switch# show port-security interface fastethernet 5/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Crumbling Time : 0 mins
Aging Blazon : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : one
Total MAC Addresses : 1
Configured MAC Addresses : 0
Viscid MAC Addresses : ane
Concluding Source Address : 0000.0001.001a
Security Violation Count : 0
This example displays output from the testify port-security address command:
Switch#sh port-security address
Secure Mac Address Tabular array
-------------------------------------------------------------------
Vlan Mac Accost Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
one 0000.0001.0000 SecureConfigured Fa3/ane 15 (I)
1 0000.0001.0001 SecureConfigured Fa3/1 14 (I)
1 0000.0001.0100 SecureConfigured Fa3/2 -
1 0000.0001.0101 SecureConfigured Fa3/two -
1 0000.0001.0200 SecureConfigured Fa3/3 -
ane 0000.0001.0201 SecureConfigured Fa3/3 -
1 0000.0001.0300 SecureConfigured Fa3/iv -
i 0000.0001.0301 SecureConfigured Fa3/4 -
1 0000.0001.k SecureDynamic Fa3/five -
1 0000.0001.1001 SecureDynamic Fa3/5 -
1 0000.0001.1100 SecureDynamic Fa3/6 -
one 0000.0001.1101 SecureDynamic Fa3/6 -
i 0000.0001.1200 SecureSticky Fa3/7 -
ane 0000.0001.1201 SecureSticky Fa3/vii -
1 0000.0001.1300 SecureSticky Fa3/8 -
ane 0000.0001.1301 SecureSticky Fa3/eight -
-------------------------------------------------------------------
Full Addresses in Organisation (excluding one mac per port) :8
Max Addresses limit in System (excluding i mac per port) :1024
Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html
0 Response to "What is an IOS command that can be used to control access to a switch port based on MAC address?"
Post a Comment