Port Security and Filtering
Overview of Flood Blocking
Occasionally, unknown unicast or multicast traffic is flooded to a switch port because a MAC address has timed out or has not yet been learned by the switch. (This condition is especially undesirable for a private VLAN isolated port, whose whole purpose is to keep hosts from seeing each other's traffic.) To guarantee that no unknown unicast or multicast traffic is flooded to the port, use the switchport block unicast and switchport block multicast commands to enable flood blocking on the switch.
Note The flood blocking feature is supported on all switched ports (including PVLAN ports) and is applied to all VLANs on which the port is forwarding.
Configuring Port Blocking
By default, a switch floods packets with unknown destination MAC addresses to all ports in the VLAN. If unknown unicast and multicast traffic is forwarded to a switch port, a host on that port receives frames that were never addressed to it, which exposes other hosts' traffic to eavesdropping. To prevent forwarding such traffic, you can configure a port to block unknown unicast or multicast packets.
Note Blocking of unicast or multicast traffic is not automatically enabled on a switch port; you must explicitly configure it.
Blocking Flooded Traffic on an Interface
Note The interface can be a physical interface (for example, GigabitEthernet 1/1) or an EtherChannel group (such as port-channel 5). When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port channel group.
To disable the flooding of multicast and unicast packets to an interface, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Switch# configure terminal | Enters global configuration mode. |
| 2 | Switch(config)# interface interface-id | Enters interface configuration mode; enter the type and number of the switchport interface (for example, GigabitEthernet 1/1). |
| 3 | Switch(config-if)# switchport block multicast | Blocks unknown multicast forwarding to the port. |
| 4 | Switch(config-if)# switchport block unicast | Blocks unknown unicast forwarding to the port. |
| 5 | Switch(config-if)# end | Returns to privileged EXEC mode. |
| 6 | Switch# show interface interface-id switchport | Verifies your entry. |
| 7 | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
This example shows how to block unicast and multicast flooding on GigabitEthernet interface 1/1 and how to verify the configuration:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
Switch# show interface gigabitethernet1/1 switchport
Name: Gi1/1
Switchport: Enabled
Port Protected: On
Unknown Unicast Traffic: Not Allowed
Unknown Multicast Traffic: Not Allowed
Broadcast Suppression Level: 100
Multicast Suppression Level: 100
Unicast Suppression Level: 100
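The verification step above only covers one port at a time. As an added example (not code from the guide), the following Python script parses the output of show interfaces switchport for several ports, lists every port that still floods unknown unicast or multicast traffic, and emits the switchport block commands needed to fix it. The sample output is constructed to mirror the field names shown in the guide ("Unknown Unicast Traffic", "Unknown Multicast Traffic"); feed it the real output captured from your switch instead.

```python
"""Flood-blocking audit for 'show interfaces switchport' output.

Added example, not part of the original guide. The sample output below is
constructed; only the field names come from the guide's own output."""
import re
from typing import Dict, List

# Constructed sample: Gi1/1 is fully blocked, Gi1/2 floods both kinds of
# traffic, Gi1/3 (a trunk) still floods unknown multicast.
SAMPLE_SHOW_SWITCHPORT = """\
Name: Gi1/1
Switchport: Enabled
Administrative Mode: static access
Port Protected: On
Unknown Unicast Traffic: Not Allowed
Unknown Multicast Traffic: Not Allowed
Broadcast Suppression Level: 100

Name: Gi1/2
Switchport: Enabled
Administrative Mode: static access
Port Protected: Off
Unknown Unicast Traffic: Allowed
Unknown Multicast Traffic: Allowed
Broadcast Suppression Level: 100

Name: Gi1/3
Switchport: Enabled
Administrative Mode: trunk
Unknown Unicast Traffic: Not Allowed
Unknown Multicast Traffic: Allowed
"""

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_switchport(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into one {field: value} dict per interface.

    A new interface block starts at every 'Name:' line; all following
    'Field: value' lines are attributed to that interface."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Name":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][key] = value
    return ports


def flooding_ports(text: str) -> List[dict]:
    """Return the ports on which unknown unicast and/or multicast is still
    flooded. A missing field is treated as 'Allowed', the platform default."""
    findings = []
    for name, fields in parse_switchport(text).items():
        uni = fields.get("Unknown Unicast Traffic", "Allowed") == "Allowed"
        multi = fields.get("Unknown Multicast Traffic", "Allowed") == "Allowed"
        if uni or multi:
            findings.append({"port": name,
                             "unicast_flooded": uni,
                             "multicast_flooded": multi})
    return findings


def remediation(findings: List[dict]) -> List[str]:
    """Build the interface-mode commands from the guide that close each gap."""
    cmds: List[str] = []
    for f in findings:
        cmds.append(f"interface {f['port']}")
        if f["unicast_flooded"]:
            cmds.append(" switchport block unicast")
        if f["multicast_flooded"]:
            cmds.append(" switchport block multicast")
    return cmds


if __name__ == "__main__":
    for f in flooding_ports(SAMPLE_SHOW_SWITCHPORT):
        print(f)
    print("\n".join(remediation(flooding_ports(SAMPLE_SHOW_SWITCHPORT))))
```

On the constructed sample the script flags Gi1/2 (both) and Gi1/3 (multicast only) and prints the matching block commands; a port that is absent from the output entirely is not reported, so run it against the output for all ports (show interfaces switchport without an interface argument) rather than a single interface.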
Resuming Normal Forwarding on a Port
To resume normal forwarding on a port, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Switch# configure terminal | Enters global configuration mode. |
| 2 | Switch(config)# interface interface-id | Enters interface configuration mode; enter the type and number of the switchport interface (for example, GigabitEthernet 1/1). |
| 3 | Switch(config-if)# no switchport block multicast | Enables unknown multicast flooding to the port. |
| 4 | Switch(config-if)# no switchport block unicast | Enables unknown unicast flooding to the port. |
| 5 | Switch(config-if)# end | Returns to privileged EXEC mode. |
| 6 | Switch# show interface interface-id switchport | Verifies your entry. |
| 7 | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Port Security with Sticky MAC Addresses
Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses are learned dynamically rather than typed in by hand. Port security with sticky MAC addresses retains the dynamically learned MAC addresses across a link-down condition.
If you enter a write memory or copy running-config startup-config command, port security saves the sticky MAC addresses in the startup-config file, and the port does not have to relearn them from ingress traffic after a bootup or a restart. Until you save, a reload discards them and the port starts learning from scratch, so any device that happens to transmit first is accepted.
Default Port Security Configuration
The following table shows the default port security configuration for an interface.

Table: Default Port Security Configuration

| Feature | Default Setting |
|---|---|
| Port security | Disabled. |
| Maximum number of secure MAC addresses | 1. |
| Violation mode | Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent. |
Port Security Guidelines and Restrictions
When configuring port security, follow these guidelines:
•With the default port security configuration, to bring all secure ports out of the error-disabled state, enter the errdisable recovery cause psecure-violation global configuration command, or manually reenable the port by entering the shutdown and no shutdown interface configuration commands.
•Enter the clear port-security dynamic privileged EXEC command to clear all dynamically learned secure addresses. See the Cisco IOS Master Command List, Release 12.2SX for complete syntax information.
•Port security learns unauthorized MAC addresses with a bit set that causes traffic to them or from them to be dropped. The show mac-address-table command displays the unauthorized MAC addresses, but does not display the state of the bit. (CSCeb76844)
•To preserve dynamically learned sticky MAC addresses and configure them on a port following a bootup or a reload and after the dynamically learned sticky MAC addresses have been learned, you must enter a write memory or copy running-config startup-config command to save them in the startup-config file.
•Port security supports private VLAN (PVLAN) ports.
•Port security supports IEEE 802.1Q tunnel ports.
•Port security does not support Switch Port Analyzer (SPAN) destination ports.
•Port security does not support EtherChannel port-channel interfaces.
•With Cisco IOS Release 12.2(33)SXH and later releases, you can configure port security and 802.1X port-based authentication on the same port. With releases earlier than Cisco IOS Release 12.2(33)SXH:
–If you try to enable 802.1X port-based authentication on a secure port, an error message appears and 802.1X port-based authentication is not enabled on the port.
–If you try to enable port security on a port configured for 802.1X port-based authentication, an error message appears and port security is not enabled on the port.
•Port security supports nonnegotiating trunks.
–Port security only supports trunks configured with these commands:
switchport
switchport trunk encapsulation
switchport mode trunk
switchport nonegotiate
–If you reconfigure a secure access port as a trunk, port security converts all the sticky and static secure addresses on that port that were dynamically learned in the access VLAN to sticky or static secure addresses on the native VLAN of the trunk. Port security removes all secure addresses on the voice VLAN of the access port.
–If you reconfigure a secure trunk as an access port, port security converts all sticky and static addresses learned on the native VLAN to addresses learned on the access VLAN of the access port. Port security removes all addresses learned on VLANs other than the native VLAN.
Note Port security uses the VLAN ID configured with the switchport trunk native vlan command for both IEEE 802.1Q trunks and ISL trunks.
•Take care when you enable port security on the ports connected to the adjacent switches when there are redundant links running between the switches because port security might error-disable the ports due to port security violations.
Enabling Port Security on a Trunk
Port security supports nonnegotiating trunks.
To enable port security on a trunk, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)# interface type slot/port | Selects the LAN port to configure. |
| 2 | Router(config-if)# switchport | Configures the port as a Layer 2 port. |
| 3 | Router(config-if)# switchport trunk encapsulation {isl \| dot1q} | Configures the encapsulation, which configures the Layer 2 switching port as either an ISL or 802.1Q trunk. |
| 4 | Router(config-if)# switchport mode trunk | Configures the port to trunk unconditionally. |
| 5 | Router(config-if)# switchport nonegotiate | Configures the trunk not to use DTP. |
| 6 | Router(config-if)# switchport port-security | Enables port security on the trunk. |
| 7 | Router(config-if)# do show port-security interface type slot/port \| include Port Security | Verifies the configuration. |

type = fastethernet, gigabitethernet, or tengigabitethernet
This example shows how to configure Fast Ethernet port 5/36 as a nonnegotiating 802.1Q trunk and enable port security:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/36
Router(config-if)# switchport
Router(config-if)# switchport trunk encapsulation dot1q
Router(config-if)# switchport mode trunk
Router(config-if)# switchport nonegotiate
Router(config-if)# switchport port-security
Router(config-if)# do show port-security interface fastethernet 5/36 | include Port Security
Port Security : Enabled
Enabling Port Security on an Access Port
To enable port security on an access port, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)# interface type slot/port | Selects the LAN port to configure. Note: The port can be a tunnel port or a PVLAN port. |
| 2 | Router(config-if)# switchport | Configures the port as a Layer 2 port. |
| 3 | Router(config-if)# switchport mode access | Configures the port as a Layer 2 access port. Note: A port in the default mode (dynamic desirable) cannot be configured as a secure port. |
| 4 | Router(config-if)# switchport port-security | Enables port security on the port. |
| 5 | Router(config-if)# do show port-security interface type slot/port \| include Port Security | Verifies the configuration. |

type = fastethernet, gigabitethernet, or tengigabitethernet
This example shows how to enable port security on Fast Ethernet port 5/12:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/12
Router(config-if)# switchport
Router(config-if)# switchport mode access
Router(config-if)# switchport port-security
Router(config-if)# do show port-security interface fastethernet 5/12 | include Port Security
Port Security : Enabled
Configuring the Maximum Number of Secure MAC Addresses on a Port
To configure the maximum number of secure MAC addresses on a port, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)# interface type slot/port | Selects the LAN port to configure. |
| 2 | Router(config-if)# switchport port-security maximum number_of_addresses [vlan {vlan_ID \| vlan_range}] | Sets the maximum number of secure MAC addresses for the port (default is 1). Note: The optional per-VLAN form is supported only on trunks. |
| 3 | Router(config-if)# do show port-security interface type slot/port \| include Maximum | Verifies the configuration. |

type = fastethernet, gigabitethernet, or tengigabitethernet
When configuring the maximum number of secure MAC addresses on a port, note the following information:
•The range for number_of_addresses is 1 to 4,097.
•Port security supports trunks.
–On a trunk, you can configure the maximum number of secure MAC addresses both on the trunk and for all the VLANs on the trunk.
–You can configure the maximum number of secure MAC addresses on a single VLAN or a range of VLANs.
–For a range of VLANs, enter a dash-separated pair of VLAN numbers.
–You can enter a comma-separated list of VLAN numbers and dash-separated pairs of VLAN numbers.
This example shows how to configure a maximum of 64 secure MAC addresses on Fast Ethernet port 5/12:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/12
Router(config-if)# switchport port-security maximum 64
Router(config-if)# do show port-security interface fastethernet 5/12 | include Maximum
Maximum MAC Addresses : 64
Enabling Port Security with Sticky MAC Addresses on a Port
To enable port security with sticky MAC addresses on a port, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)# interface type slot/port | Selects the LAN port to configure. |
| 2 | Router(config-if)# switchport port-security mac-address sticky | Enables port security with sticky MAC addresses on the port. |

type = fastethernet, gigabitethernet, or tengigabitethernet
When enabling port security with sticky MAC addresses, note the following information:
•When you enter the switchport port-security mac-address sticky command:
–All dynamically learned secure MAC addresses on the port are converted to sticky secure MAC addresses.
–Static secure MAC addresses are not converted to sticky MAC addresses.
–Secure MAC addresses dynamically learned in a voice VLAN are not converted to sticky MAC addresses.
–New dynamically learned secure MAC addresses are sticky.
•When you enter the no switchport port-security mac-address sticky command, all sticky secure MAC addresses on the port are converted to dynamic secure MAC addresses.
•To preserve dynamically learned sticky MAC addresses and configure them on a port following a bootup or a reload, after the dynamically learned sticky MAC addresses have been learned, you must enter a write memory or copy running-config startup-config command to save them in the startup-config file.
This example shows how to enable port security with sticky MAC addresses on Fast Ethernet port 5/12:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/12
Router(config-if)# switchport port-security mac-address sticky
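The guidelines above (no port security on port-channel interfaces, secure trunks must be nonnegotiating, a port in the default dynamic desirable mode cannot be secured) and the sticky-address note (learned sticky addresses are lost on reload unless saved) are easy to check offline. As an added example that is not part of the guide, the following Python script audits a running-config against those rules and diffs the sticky MAC entries it finds against the startup-config to catch addresses that were learned but never saved. Both configuration texts are constructed samples in the line format IOS uses when it writes sticky addresses into the configuration (switchport port-security mac-address sticky followed by the address); the audit messages and function names are this example's own.

```python
"""Port-security guideline audit over running-config / startup-config text.

Added example, not part of the original guide. The two configuration
snippets below are constructed for illustration."""
import re
from typing import Dict, List, Set

# Constructed running-config: one correct access port with two learned sticky
# addresses, a trunk missing 'switchport nonegotiate', a port left in the
# default dynamic desirable mode, and port security on a port-channel.
RUNNING_CONFIG = """\
interface FastEthernet5/12
 switchport
 switchport mode access
 switchport port-security
 switchport port-security maximum 64
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.0001.0001
 switchport port-security mac-address sticky 0001.0001.0002
!
interface FastEthernet5/36
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security
!
interface FastEthernet5/40
 switchport
 switchport port-security
!
interface Port-channel5
 switchport
 switchport port-security
!
"""

# Constructed startup-config: saved before the second sticky address was learned.
STARTUP_CONFIG = """\
interface FastEthernet5/12
 switchport
 switchport mode access
 switchport port-security
 switchport port-security maximum 64
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.0001.0001
!
"""

STICKY_RE = re.compile(
    r"^switchport port-security mac-address sticky "
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented command lines."""
    ifaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or a non-interface line ends the stanza
    return ifaces


def sticky_macs(lines: List[str]) -> Set[str]:
    """Sticky MAC addresses written into an interface stanza."""
    return {m.group(1) for m in map(STICKY_RE.match, lines) if m}


def audit(running: str, startup: str) -> List[str]:
    """Return one finding per guideline violation or unsaved sticky address."""
    findings: List[str] = []
    run_ifaces = parse_interfaces(running)
    start_ifaces = parse_interfaces(startup)
    for name, lines in run_ifaces.items():
        if "switchport port-security" not in lines:
            continue
        if name.lower().startswith("port-channel"):
            findings.append(f"{name}: port security is not supported on "
                            "EtherChannel port-channel interfaces")
            continue
        if "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: secure trunk must be nonnegotiating; "
                                "add 'switchport nonegotiate'")
        elif "switchport mode access" not in lines:
            findings.append(f"{name}: port is in the default mode (dynamic "
                            "desirable); set 'switchport mode access' or a "
                            "nonnegotiating trunk before securing it")
        unsaved = sticky_macs(lines) - sticky_macs(start_ifaces.get(name, []))
        if unsaved:
            findings.append(f"{name}: sticky MAC address(es) not in "
                            f"startup-config: {', '.join(sorted(unsaved))}; "
                            "run 'copy running-config startup-config'")
    return findings


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG, STARTUP_CONFIG):
        print(finding)
```

Run it against show running-config and show startup-config captured from the switch; the sticky diff is the check worth scheduling, since a port that has learned new sticky addresses since the last save will silently accept whichever device speaks first after the next reload.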
Displaying Port Security Settings
To display port security settings, enter this command:
| Command | Purpose |
|---|---|
| Router# show port-security [interface {{vlan vlan_ID} \| {type slot/port}}] [address] | Displays port security settings for the switch or for the specified interface. |

type = fastethernet, gigabitethernet, or tengigabitethernet
When displaying port security settings, note the following information:
•Port security supports the vlan keyword only on trunks.
•Enter the address keyword to display secure MAC addresses, with aging information for each address, globally for the switch or per interface.
•The display includes these values:
–The maximum allowed number of secure MAC addresses for each interface
–The number of secure MAC addresses on the interface
–The number of security violations that have occurred
–The violation mode.
This example displays output from the show port-security command when you do not enter an interface:
Router# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)        (Count)
----------------------------------------------------------------------------
     Fa5/1        11            11              0             Shutdown
     Fa5/5        15             5              0             Restrict
    Fa5/11         5             4              0             Protect
----------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
This example displays output from the show port-security command for a specified interface:
Router# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
This example displays the output from the show port-security address privileged EXEC command:
Router# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type              Ports    Remaining Age (mins)
----    -----------       ----              -----    --------------------
   1    0001.0001.0001    SecureDynamic     Fa5/1    15 (I)
   1    0001.0001.0002    SecureDynamic     Fa5/1    15 (I)
   1    0001.0001.1111    SecureConfigured  Fa5/1    16 (I)
   1    0001.0001.1112    SecureConfigured  Fa5/1    -
   1    0001.0001.1113    SecureConfigured  Fa5/1    -
   1    0005.0005.0001    SecureConfigured  Fa5/5    23
   1    0005.0005.0002    SecureConfigured  Fa5/5    23
   1    0005.0005.0003    SecureConfigured  Fa5/5    23
   1    0011.0011.0001    SecureConfigured  Fa5/11   25 (I)
   1    0011.0011.0002    SecureConfigured  Fa5/11   25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128
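The two displays above are what you have to work with when many ports are secured, so it pays to parse them rather than read them. As an added example that is not part of the guide, the following Python script parses the summary table and the secure address table, then reports ports that are at their maximum (the next new source MAC triggers the violation action), ports that have already recorded violations, and how many of each port's addresses are SecureDynamic and therefore not kept across a reload. The sample text is constructed from the guide's output with one extra port (Fa5/20) added to show a non-zero violation count, and one SecureSticky entry added; the report keys are this example's own names.

```python
"""Parse 'show port-security' and 'show port-security address' output.

Added example, not part of the original guide. Sample text is constructed
from the guide's displays plus one extra port (Fa5/20)."""
import re
from typing import Dict, List

SUMMARY_SAMPLE = """\
Router# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)        (Count)
----------------------------------------------------------------------------
     Fa5/1        11            11              0             Shutdown
     Fa5/5        15             5              0             Restrict
    Fa5/11         5             4              0             Protect
    Fa5/20         2             2              3             Restrict
----------------------------------------------------------------------------
Total Addresses in System: 23
Max Addresses limit in System: 128
"""

ADDRESS_SAMPLE = """\
Router# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type              Ports    Remaining Age (mins)
----    -----------       ----              -----    --------------------
   1    0001.0001.0001    SecureDynamic     Fa5/1    15 (I)
   1    0001.0001.0002    SecureDynamic     Fa5/1    15 (I)
   1    0001.0001.1111    SecureConfigured  Fa5/1    16 (I)
   1    0001.0001.1112    SecureConfigured  Fa5/1    -
   1    0005.0005.0001    SecureConfigured  Fa5/5    23
   1    0011.0011.0001    SecureConfigured  Fa5/11   25 (I)
  10    0020.0020.0001    SecureSticky      Fa5/20   -
-------------------------------------------------------------------
Total Addresses in System: 7
Max Addresses limit in System: 128
"""

# One data row of the summary: port, three counters, violation action.
SUMMARY_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")
# One data row of the address table; the trailing field is the age column.
ADDR_RE = re.compile(
    r"^(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_summary(text: str) -> Dict[str, dict]:
    """Map each secure port to its max/current/violation counters and action."""
    ports: Dict[str, dict] = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            ports[m.group(1)] = {"max": int(m.group(2)),
                                 "current": int(m.group(3)),
                                 "violations": int(m.group(4)),
                                 "action": m.group(5)}
    return ports


def parse_addresses(text: str) -> List[dict]:
    """Return one record per secure MAC address row."""
    rows: List[dict] = []
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            rows.append({"vlan": int(m.group(1)), "mac": m.group(2),
                         "type": m.group(3), "port": m.group(4),
                         "age": m.group(5).strip()})
    return rows


def report(summary_text: str, address_text: str) -> dict:
    """Derive the three conditions an operator wants to know about."""
    summary = parse_summary(summary_text)
    non_persistent: Dict[str, int] = {}
    for row in parse_addresses(address_text):
        if row["type"] == "SecureDynamic":  # lost on reload unless made sticky
            non_persistent[row["port"]] = non_persistent.get(row["port"], 0) + 1
    return {
        "at_capacity": sorted(p for p, s in summary.items()
                              if s["current"] >= s["max"]),
        "violated": sorted(p for p, s in summary.items()
                           if s["violations"] > 0),
        "non_persistent": non_persistent,
    }


if __name__ == "__main__":
    print(report(SUMMARY_SAMPLE, ADDRESS_SAMPLE))
```

A port in at_capacity is not a problem by itself (a single-host access port with maximum 1 is expected to sit there), but a port in both at_capacity and violated with a Restrict or Protect action is one where a second device is actively being dropped and nobody has looked.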