Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement.
Port security is a package of the following sub-features that provide added security to the system:
Use the port security feature to define the number of workstations that can send traffic through an interface. MAC addresses that are learned or statically configured on a port-security-enabled interface are called secure MAC addresses.
There are three types of secure MAC addresses: secure static, secure dynamic, and sticky.
After you enable port security on an interface, by default, the maximum number of MAC addresses that the interface can learn is one. This applies to both dynamic and static secure MAC addresses. After you enable port security on an interface, by default, sticky MAC addresses and MAC movement are disabled on the interface.
MAC address learning limit
Using the MAC address learning limit method, you can set an upper limit on the number of allowed MAC addresses on an interface. Limiting the MAC addresses protects switches from MAC address flooding attacks. After the configured limit is reached on an interface, by default, the system drops all traffic from any unknown device.
When you configure MAC address learning limit, ensure that the number of static MAC addresses present on the system is not greater than the MAC address learning limit that you configure. If the number of dynamically-learned MAC addresses is greater than your MAC address limit, the system flushes all dynamically-learned MAC addresses.
You can configure an interface to learn a maximum of 3072 MAC addresses. You can also disable the MAC address learning limit feature so that the interface can learn the maximum number of MAC addresses that the system supports. Disabling the MAC address learning limit feature does not remove the previously learned or configured secure MAC addresses.
MAC address movement
A MAC address movement happens when the system detects the same MAC address on an interface that it has already learned through another port-security-enabled interface in the same broadcast domain. MAC address movement is not allowed for secure static and sticky MAC addresses. By default, MAC address movement for dynamically-learned MAC addresses is disabled on the system.
Secure dynamic MAC address movement is allowed between port-security-enabled and port-security-disabled interfaces.
Sticky MAC addresses
When you reload the system, port security removes the dynamically learned secure MAC addresses. You can use the sticky feature to make the dynamically learned secure MAC addresses persist even after a system reboot so that the interface does not have to learn these MAC addresses again. Use the copy running-configuration startup-configuration command to save the sticky secure MAC addresses.
When you enable sticky MAC address learning on an interface, all existing dynamically-learned MAC addresses and MAC addresses that are learned in the future are converted to sticky MAC addresses.
To enable sticky MAC address learning on an interface, ensure that the mac learn no-limit command is not configured.
Port security violations
There are two types of port security violations.
MAC address learning limit violation
After the number of secure MAC addresses reaches the configured maximum, if an interface receives a frame with a source MAC address that differs from all of the learned MAC addresses, the system treats this as a MAC address learning limit violation.
You can configure MAC address learning limit violation actions.
MAC address move violation
If the system detects the same MAC address on a port-security-enabled interface that it has already learned through another port-security-enabled interface, by default, the system treats this as a MAC address move violation. You can configure MAC address move violation actions. You can also configure the system to permit MAC address movement across port-security-enabled interfaces.
MAC address aging
By default, dynamically-learned secure MAC addresses do not age out. You can enable aging for secure MAC addresses so that the dynamically-learned MAC addresses are deleted from the MAC address table after the configured aging period.
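As an added illustration (not OS10 code or output from this guide), the following Python model implements the rules described in the sections above: a per-interface learning limit that static, dynamic and sticky entries all count against, the learning-limit violation actions, MAC-move detection with movement permitted only for secure dynamic entries on interfaces that allow it, sticky conversion of existing dynamic entries, and the restriction that sticky cannot be combined with no-limit. The interface names and MAC addresses are constructed; the default move-violation action and the handling of the log action (logged, then dropped) are assumptions of the model, not documented behaviour.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Documented defaults: limit 1, MAC movement disabled, unknown sources dropped
# once the limit is reached. The default move action is an assumption.
DEFAULT_LIMIT_ACTION = "drop"
DEFAULT_MOVE_ACTION = "drop"   # assumption


@dataclass
class Interface:
    name: str
    mac_learn_limit: int | None = 1            # None models "mac-learn no-limit"
    limit_action: str = DEFAULT_LIMIT_ACTION   # log | drop | forward | shutdown
    move_action: str = DEFAULT_MOVE_ACTION     # log | drop | shutdown-original | shutdown-offending | shutdown-both
    mac_move_allow: bool = False
    sticky: bool = False
    error_disabled: bool = False
    secure_macs: dict = field(default_factory=dict)   # mac -> "static" | "dynamic" | "sticky"

    def has_room(self) -> bool:
        return self.mac_learn_limit is None or len(self.secure_macs) < self.mac_learn_limit


class PortSecurity:
    def __init__(self):
        self.interfaces = {}   # name -> Interface
        self.events = []       # (interface, violation kind, mac)

    def add_interface(self, intf):
        self.interfaces[intf.name] = intf

    def add_static(self, ifname, mac):
        # Static secure MACs count against the learning limit like dynamic ones.
        intf = self.interfaces[ifname]
        if not intf.has_room():
            raise ValueError(f"{ifname}: static MAC would exceed mac-learn limit")
        intf.secure_macs[mac] = "static"

    def enable_sticky(self, ifname):
        # Sticky is refused while no-limit is configured; existing dynamic entries convert.
        intf = self.interfaces[ifname]
        if intf.mac_learn_limit is None:
            raise ValueError(f"{ifname}: remove mac-learn no-limit before enabling sticky")
        intf.sticky = True
        for mac, kind in list(intf.secure_macs.items()):
            if kind == "dynamic":
                intf.secure_macs[mac] = "sticky"

    def owner(self, mac):
        for intf in self.interfaces.values():
            if mac in intf.secure_macs:
                return intf
        return None

    def receive(self, ifname, mac):
        """Apply the checks to a frame's source MAC on ifname; return 'forward' or 'drop'."""
        intf = self.interfaces[ifname]
        if intf.error_disabled:
            return "drop"
        if mac in intf.secure_macs:
            return "forward"
        owner = self.owner(mac)
        if owner is not None:
            # Only secure dynamic entries may move, and only onto a port that permits it.
            if owner.secure_macs[mac] == "dynamic" and intf.mac_move_allow:
                del owner.secure_macs[mac]
            else:
                return self._move_violation(owner, intf, mac)
        return self._learn(intf, mac)

    def _learn(self, intf, mac):
        if intf.has_room():
            intf.secure_macs[mac] = "sticky" if intf.sticky else "dynamic"
            return "forward"
        self.events.append((intf.name, "mac-learn-limit", mac))
        if intf.limit_action == "shutdown":
            intf.error_disabled = True
        return "forward" if intf.limit_action == "forward" else "drop"

    def _move_violation(self, owner, intf, mac):
        self.events.append((intf.name, "mac-move", mac))
        if intf.move_action in ("shutdown-original", "shutdown-both"):
            owner.error_disabled = True
        if intf.move_action in ("shutdown-offending", "shutdown-both"):
            intf.error_disabled = True
        return "drop"


def demo():
    """Walk through limit, move and sticky behaviour with constructed MACs."""
    ps = PortSecurity()
    ps.add_interface(Interface("ethernet1/1/1", mac_learn_limit=2, limit_action="shutdown"))
    ps.add_interface(Interface("ethernet1/1/2", mac_learn_limit=2, mac_move_allow=True))
    ps.add_interface(Interface("ethernet1/1/3", mac_learn_limit=2, mac_move_allow=True,
                               move_action="shutdown-offending"))
    r = {}
    r["learn1"] = ps.receive("ethernet1/1/1", "00:00:5e:00:53:01")   # forward, learned
    r["learn2"] = ps.receive("ethernet1/1/1", "00:00:5e:00:53:02")   # forward, limit now reached
    r["limit"] = ps.receive("ethernet1/1/1", "00:00:5e:00:53:03")    # drop, port shut down
    r["errdis"] = ps.interfaces["ethernet1/1/1"].error_disabled
    r["move_ok"] = ps.receive("ethernet1/1/2", "00:00:5e:00:53:02")  # forward, dynamic entry moves
    r["owner"] = ps.owner("00:00:5e:00:53:02").name
    ps.enable_sticky("ethernet1/1/2")
    r["kind"] = ps.interfaces["ethernet1/1/2"].secure_macs["00:00:5e:00:53:02"]
    r["sticky_move"] = ps.receive("ethernet1/1/3", "00:00:5e:00:53:02")  # drop, sticky never moves
    r["eth3_errdis"] = ps.interfaces["ethernet1/1/3"].error_disabled
    r["events"] = list(ps.events)
    return r


if __name__ == "__main__":
    print(demo())
```

The model makes the interaction between the features visible: a moved dynamic entry still has to fit under the destination port's learning limit, and converting entries to sticky on one port turns a later appearance of the same MAC elsewhere into a move violation even where movement is otherwise allowed.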
Enable port security on the system
To enable port security on the system globally:
Enter the following command in CONFIGURATION mode:
switchport port-security
Enable port security on an interface
To enable port security on an interface:
Enter the following command in INTERFACE mode:
switchport port-security
Enable port security in CONFIGURATION-PORT-SECURITY mode:
no disable
Configure the MAC address learning limit
After you enable port security on an interface, the interface can learn one secure MAC address by default. This limit is applicable for both secure dynamic and secure static MAC addresses.
To configure the MAC address learning limit:
Enter the following command in INTERFACE mode:
switchport port-security
Configure the number of secure MAC addresses that an interface can learn in INTERFACE PORT SECURITY mode:
mac-learn {limit | no-limit}
For the limit keyword, the range is from 0 to 3072. To enable the interface to learn the maximum number of MAC addresses that the hardware supports, use the no-limit keyword.
MAC address learning limit example
OS10# configure terminal
OS10(config)#interface ethernet 1/1/1
OS10(config-if-eth1/1/1)#switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)#mac-learn limit 100
Configure MAC address learning limit violation actions
Use the following commands in INTERFACE PORT SECURITY mode:
OS10(config-if-port-sec)#mac-learn limit violation log
OS10(config-if-port-sec)#mac-learn limit violation drop
OS10(config-if-port-sec)#mac-learn limit violation forward
OS10(config-if-port-sec)#mac-learn limit violation shutdown
MAC address learning limit violation actions configuration example
OS10# configure terminal
OS10(config)#interface ethernet 1/1/1
OS10(config-if-eth1/1/1)#switchport port-security
OS10(config-if-port-sec)#no disable
OS10(config-if-port-sec)#mac-learn limit 100
OS10(config-if-port-sec)#mac-learn limit violation shutdown
Configure sticky MAC addresses
To enable sticky MAC address learning on an interface:
Enter the following command in INTERFACE PORT SECURITY mode:
sticky
Sticky MAC addresses configuration example
OS10# configure terminal
OS10(config)#interface ethernet 1/1/1
OS10(config-if-eth1/1/1)#switchport port-security
OS10(config-if-port-sec)#no disable
OS10(config-if-port-sec)#mac-learn limit 100
OS10(config-if-port-sec)#sticky
Permit MAC address movement
To permit MAC address movement across port-security-enabled interfaces, use the following command in INTERFACE PORT SECURITY mode:
OS10(config-if-port-sec)#mac-move allow
MAC address movement configuration example
OS10# configure terminal
OS10(config)#interface ethernet 1/1/1
OS10(config-if-eth1/1/1)#switchport port-security
OS10(config-if-port-sec)#no disable
OS10(config-if-port-sec)#mac-learn limit 100
OS10(config-if-port-sec)#mac-move allow
Configure MAC address movement violation actions
Use the following commands in INTERFACE PORT SECURITY mode:
OS10(config-if-port-sec)#mac-move violation log
OS10(config-if-port-sec)#mac-move violation drop
OS10(config-if-port-sec)#mac-move violation shutdown-original
OS10(config-if-port-sec)#mac-move violation shutdown-offending
OS10(config-if-port-sec)#mac-move violation shutdown-both
Recover an error-disabled interface
shutdown
no shutdown
Clear an error-disabled state of all interfaces
errdisable reset cause mac-learn-limit violation
errdisable reset cause mac-move-violation
errdisable reset cause all
Recover an error-disabled state of interfaces automatically
errdisable recovery cause mac-learn-limit violation
errdisable recovery cause mac-move-violation
errdisable recovery interval 30
Configure secure static MAC addresses
mac address-table static mac-address vlan vlan-id interface {ethernet node/slot/port[:subport] | port-channel number}
Secure static MAC addresses configuration example
OS10# configure terminal
OS10(config)#interface port-channel 1
OS10(conf-if-po-1)#switchport port-security
OS10(config-if-port-sec)#no disable
OS10(config-if-po-1)#exit
OS10(config)# mac address-table static 03:ab:cd:21:ba:01 vlan 1 interface port-channel 1
Remove statically-configured secure MAC addresses
To remove statically-configured secure MAC addresses, use the following command in EXEC mode:
clear mac address-table secure {{dynamic | sticky} {address mac_addr | vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}} | all}
Remove statically-configured secure MAC addresses configuration example
OS10# clear mac address-table secure sticky vlan 1
OS10#clear mac address-table secure sticky interface port-channel 128
OS10#clear mac address-table secure sticky address 00:00:00:00:00:01 vlan 100
View statically-configured secure MAC addresses
To view the statically-configured secure MAC addresses, use the following command in EXEC mode:
show mac address-table secure {{dynamic | static | sticky} {vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}}}
View statically-configured secure MAC addresses example
OS10# show mac address-table secure sticky
VlanId    MAC Address          Type      Interface
1         4c:76:25:e5:4f:51    sticky    ethernet1/1/5
1         4c:76:25:e5:4f:55    sticky    ethernet1/1/6
1         4c:76:25:e5:4f:59    sticky    ethernet1/1/7
os10# show mac address-table secure dynamic
VlanId    MAC Address          Type      Interface
10        4c:76:25:e5:4f:51    dynamic   port-channel120
11        4c:76:25:e5:4f:55    dynamic   ethernet1/1/6
12        4c:76:25:e5:4f:59    dynamic   ethernet1/1/7
os10# show mac address-table secure static
VlanId    MAC Address          Type      Interface
10        4c:76:25:e5:4f:51    static    port-channel120
11        4c:76:25:e5:4f:55    static    ethernet1/1/6
12        4c:76:25:e5:4f:59    static    ethernet1/1/7
View the number of secure MAC addresses on the system
show mac address-table count [interface {ethernet slot/port:subport | port-channel number | vlan vlan-id}]
View the number of secure MAC addresses on the system example
OS10# show MAC address-table count
MAC Entries for all vlans :
Dynamic Address Count: 10000
Total secure dynamic MAC addresses: 5000 of (10000)
Static Address (User-defined) Count : 5000
Total secure static MAC addresses:200 of (5000)
Total secure sticky MAC addresses :0
Total MAC Addresses in Use: 15000
View port-security parameters for all interfaces
To view port-security parameters for all interfaces, use the following command in EXEC mode:
show switchport port-security [interface {ethernet node/slot/port[:subport] | port-channel port-channel-number}]
View port-security parameters for all interfaces example
OS10# show switchport port-security
Global Port-security status :Enable
Interface name : eth1/1/1
Port Security :Enabled
Port Status :Error-Disable
Mac learn limit :100
Mac-learn limit-Violation action :Shutdown
Sticky :Disabled
Mac-move-allow :Not Allowed
mac-move-violation action :shutdown-both
Aging :Enabled
Total MAC Addresses :10
Secure static MAC Addresses :0
Sticky MAC Addresses :10
Secure Dynamic MAC addresses :0
Interface name : eth1/1/10
Port Security :Enabled
Port Status :Error-Disable
Mac learn limit :100
Mac-learn-limit-Violation action :Shutdown
Sticky :Disabled
Mac-move-allow :Not Allowed
mac-move-violation action :shutdown-both
Aging :Enabled
Total MAC Addresses :11
Secure static MAC Addresses :0
Sticky MAC Addresses :0
Secure Dynamic MAC addresses :11
OS10# show switchport port-security interface ethernet 1/1/1
Global Port-security status :Enable
Interface name : ethernet1/1/1
Port Security :Enabled
Port Status :Error-Disable
Mac-learn limit :1024
MaC-learn-limit-Violation Action :Shutdown
Sticky :Enabled
Mac-move-allow :Not Allowed
Mac-move-violation :shutdown-both
Aging :Disbaled
Total MAC Addresses :10
Secure static MAC Addresses :0
Sticky MAC Addresses :10
Secure Dynamic MAC addresses :0
OS10# show switchport port-security interface port-channel 120
Interface name : port-channel 120
Port Security :Disabled
Port Status : Up
mac-learn limit :1024
Mac-learn-limit-Violation Action :Flood
Sticky :Enabled
Mac-move-allow :Allowed
Mac-move-violation :shutdown-offending
Aging :Disabled
Total MAC Addresses :11
Secure static MAC Addresses :0
Sticky MAC Addresses :11
Secure Dynamic MAC addresses :0
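To make this output usable for monitoring, here is an added Python parser (not part of OS10 or this guide) that turns show switchport port-security output into per-interface records and flags ports that are error-disabled, ports with port security switched off, ports whose learning-limit violation action still forwards unknown sources, and ports close to their learning limit. The sample text is constructed from the fields shown above (the key spelling varies between lines exactly as it does in the real output, so keys are normalised); the 90% threshold is an assumption.

```python
import re

# Constructed sample modelled on the output above: one error-disabled port, one
# port near its limit with a permissive violation action, one port without port security.
SAMPLE = """\
OS10# show switchport port-security
Global Port-security status :Enable
Interface name : eth1/1/1
Port Security :Enabled
Port Status :Error-Disable
Mac learn limit :100
Mac-learn limit-Violation action :Shutdown
Sticky :Disabled
Mac-move-allow :Not Allowed
mac-move-violation action :shutdown-both
Aging :Enabled
Total MAC Addresses :10
Secure static MAC Addresses :0
Sticky MAC Addresses :10
Secure Dynamic MAC addresses :0
Interface name : eth1/1/10
Port Security :Enabled
Port Status :Up
Mac-learn limit :100
Mac-learn-limit-Violation action :Forward
Sticky :Disabled
Mac-move-allow :Not Allowed
mac-move-violation action :drop
Aging :Disabled
Total MAC Addresses :95
Secure static MAC Addresses :0
Sticky MAC Addresses :0
Secure Dynamic MAC addresses :95
Interface name : port-channel 120
Port Security :Disabled
Port Status : Up
mac-learn limit :1024
Mac-learn-limit-Violation Action :Flood
Sticky :Enabled
Mac-move-allow :Allowed
Mac-move-violation :shutdown-offending
Aging :Disabled
Total MAC Addresses :11
Secure static MAC Addresses :0
Sticky MAC Addresses :11
Secure Dynamic MAC addresses :0
"""

NEAR_LIMIT = 0.9   # assumed warning threshold


def _norm(key):
    # "Mac-learn-limit-Violation Action" and "Mac-learn limit-Violation action"
    # both become "mac learn limit violation action".
    return re.sub(r"[\s_-]+", " ", key.strip().lower())


def parse_port_security(text):
    """Return {interface name: {normalised field: value}}."""
    records, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                    # prompt line, no field
        key, value = _norm(key), value.strip()
        if key == "interface name":
            current = records[value] = {}
        elif current is not None:       # global status line precedes the first interface
            current[key] = value
    return records


def audit(records):
    """Return (interface, finding) pairs a defender would act on."""
    findings = []
    for name, r in records.items():
        if r.get("port security", "").lower() != "enabled":
            findings.append((name, "port security disabled"))
            continue
        if r.get("port status", "").lower().startswith("error"):
            findings.append((name, "error-disabled"))
        action = r.get("mac learn limit violation action", "").lower()
        if action in ("forward", "flood"):
            findings.append((name, f"limit violation action '{action}' does not drop excess sources"))
        try:
            total = int(r.get("total mac addresses", "0"))
            limit = int(r.get("mac learn limit", "0"))
        except ValueError:
            continue
        if limit and total >= NEAR_LIMIT * limit:
            findings.append((name, f"{total}/{limit} secure MAC addresses in use"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(parse_port_security(SAMPLE)):
        print(f"{interface}: {finding}")
```

Feeding the real output in place of SAMPLE (for example from a scheduled SSH collection) gives a list that can be pushed into an alerting pipeline; the near-limit check is the early warning that precedes the shutdown seen on eth1/1/1.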
View the error disabled state of interfaces
The Errdisable Cause column displays one or more reasons for the error-disabled state of an interface. If an interface is put into the error-disabled state for multiple reasons, the interface does not come up unless you enable automatic recovery for all of those reasons.
OS10# show errdisable recovery
Error-Disable Recovery Timer Interval : 300 seconds
Error-Disable Reason        Recovery Status
----------------------------------------
bpduguard                   Enabled
MLL violation               Enabled
MAC-move-violation          Enabled

                                                       Recovery Time Left
Interface          Errdisable Cause                    (seconds)
-----------------------------------------------------------------------
ethernet1/1/1:1    bpduguard                           30
ethernet1/1/1:2    bpduguard                           1
ethernet1/1/10     bpduguard/mac-learn limit/mac-move  10
port-channel100    Mac-learn limit                     50
port-channel128    mac-move                            49
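The rule just stated (an interface with several causes only recovers when recovery is enabled for every one of them) is easy to check mechanically. The following added Python example (not OS10 code or output from this guide) parses show errdisable recovery output and reports, per interface, whether it will recover automatically and which causes block it. The sample is constructed in the format shown above, with recovery for MAC-move violations deliberately left disabled; the mapping between the cause labels in the interface table and the reason names in the status table is an assumption derived from that output.

```python
import re

# Constructed sample in the format of the output above.
SAMPLE = """\
OS10# show errdisable recovery
Error-Disable Recovery Timer Interval : 300 seconds
Error-Disable Reason        Recovery Status
----------------------------------------
bpduguard                   Enabled
MLL violation               Enabled
MAC-move-violation          Disabled

                                                       Recovery Time Left
Interface          Errdisable Cause                    (seconds)
-----------------------------------------------------------------------
ethernet1/1/1:1    bpduguard                           30
ethernet1/1/10     bpduguard/mac-learn limit/mac-move  10
port-channel100    Mac-learn limit                     50
port-channel128    mac-move                            49
"""

# Assumed mapping from interface-table cause labels to reason-table names,
# taken from the sample output rather than from an OS10 specification.
CAUSE_TO_REASON = {
    "bpduguard": "bpduguard",
    "mac-learn limit": "mll violation",
    "mac-move": "mac-move-violation",
}


def parse_errdisable_recovery(text):
    """Return (timer interval in seconds, {reason: enabled}, {interface: info})."""
    interval, reasons, interfaces = None, {}, {}
    section = 0                      # 0 = header, 1 = reason table, 2 = interface table
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("---"):
            section += 1
            continue
        if not stripped:
            continue
        if section == 0:
            m = re.search(r"Interval\s*:\s*(\d+)", stripped)
            if m:
                interval = int(m.group(1))
        elif section == 1:
            parts = stripped.rsplit(None, 1)   # reason name may contain spaces
            if len(parts) == 2 and parts[1] in ("Enabled", "Disabled"):
                reasons[parts[0].lower()] = parts[1] == "Enabled"
        else:
            parts = stripped.split()
            if len(parts) >= 3 and parts[-1].isdigit():
                # causes are '/'-separated and may themselves contain spaces
                causes = [c.strip().lower() for c in " ".join(parts[1:-1]).split("/")]
                interfaces[parts[0]] = {"causes": causes, "seconds": int(parts[-1])}
    return interval, reasons, interfaces


def recovery_check(text):
    """Per interface: will it recover on its own, and which causes block that."""
    _, reasons, interfaces = parse_errdisable_recovery(text)
    result = {}
    for name, info in interfaces.items():
        blocking = [c for c in info["causes"]
                    if not reasons.get(CAUSE_TO_REASON.get(c, c), False)]
        result[name] = {"auto_recovers": not blocking,
                        "blocking_causes": blocking,
                        "seconds": info["seconds"]}
    return result


if __name__ == "__main__":
    for name, r in recovery_check(SAMPLE).items():
        state = "recovers" if r["auto_recovers"] else f"stuck: {', '.join(r['blocking_causes'])}"
        print(f"{name}: {state} ({r['seconds']}s left)")
```

On the sample, ethernet1/1/10 and port-channel128 are reported as stuck because their mac-move cause has no enabled recovery reason, which is exactly the case the note above warns about; the timer value shown for them is therefore not a promise that the port will come back.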