Analysis of port security functions of Cisco switches

The following is a brief analysis of the port security function of a Cisco switch. It is taken from the recently published Cisco/H3C switch advanced configuration and management technical manual. The Port security function in the Cisco IOS switch limits the number of MAC addresses ("secure MAC addresses") used on the Port, allow you to prevent unauthorized access to the MAC address, that is, to bind the port to the MAC address. Port Security Function Introduction The port security function of the Cisco IOS switch allows you to only allow connections from fixed devices by configuring static security MAC addresses, you can also configure a maximum number of secure MAC addresses on a port. You can only connect devices identified before this number to this port. When the maximum number of security ports is exceeded, a security violation event is triggered, and a violation behavior based on the violation mode configured on the port is executed. If the maximum number of secure MAC addresses configured on a port is 1, the security port on the device can only be connected to a fixed device. If a secure MAC address is securely bound to a port, the MAC address cannot enter any port other than the VLAN added to the port, otherwise, the package will be quietly discarded on the hardware layer.
1. port Security supports Security MAC address type www.2cto.com Cisco IOS switch port security function supports the following security MAC address types: l dynamic or learning type: the dynamic security MAC address is learned when receiving packets sent from the host connected to the secure port. You can use this type when your MAC address is not fixed (for example, a portable computer that is often used by network users, such as a laptop. L static or configuration type: the static security MAC address is the MAC address configured by the user through CLI or SNMP. This type can be used when your MAC address remains fixed (for example, the user uses a PC. L Sticky type: the Sticky MAC address is also obtained through learning like a dynamic secure MAC address, but it is still valid after the switch is restarted, it's a bit like a static secure MAC address. This type can be used when there are a large number of fixed MAC addresses and you do not want to manually configure these secure MAC addresses.
If a port has reached its maximum number of secure MAC addresses and you want to configure a static secure MAC address, the port is denied and an error message is displayed. If a port reaches its maximum number of secure MAC addresses and a new dynamic secure MAC address is added, an violation is triggered. You can use the clear port-security Command to clear the dynamic security MAC address. You can use the no switchport port-security mac-address command to clear both the viscosity and static security MAC address at a time.
2. the maximum number of secure MAC addresses. A Secure port has a secure MAC address by default. You can change the default value to 1 ~ In the range of 3000. After you set the maximum number of secure MAC addresses on a port, You can include these secure MAC addresses in the address table in any of the following ways: l you can use the switchport port-security mac-address mac_address interface configuration mode command to configure a secure MAC address. L you can use the port-security mac-address VLAN range configuration command to configure all the secure MAC addresses in the range VLAN on the relay port. L you can allow the port to dynamically configure a secure MAC address with the MAC address of the connected device. L you can statically configure some secure MAC addresses and allow dynamic configuration of other secure MAC addresses (if the Port Link is disabled, all dynamic security MAC addresses on the port are no longer secure ). L you can use sticky as the MAC address ). These secure MAC addresses can be dynamically learned or manually configured, stored in the MAC address table, and added to the running configuration file. These addresses are then stored in the startup configuration file of the vswitch. After the vswitch is restarted, the interface does not need to be re-learned. Although you can manually configure a sticky and secure MAC address, this method is not recommended. Www.2cto.com
[Experience] on a relay port, the maximum number of secure MAC addresses can be configured based on ports and port VLANs. The maximum number of secure MAC addresses configured on the port can be greater than or equal to the maximum number of secure MAC addresses configured on the port VLAN. If the maximum number of secure MAC addresses configured on the port is smaller than the maximum number of secure MAC addresses configured on the port VLAN (for example, the maximum number of secure MAC addresses set on VLAN 10 is 3, the maximum number of secure MAC addresses on the port is 1 by default. When the number of secure MAC addresses on the port VLAN exceeds the maximum number of secure MAC addresses set on the port, the port is closed.
3. Secure MAC address aging when receiving more than 3000 MAC addresses, you may want to aging secure MAC addresses so that some unconnected secure MAC addresses can be removed from the MAC address table for a long time. However, sticky secure MAC addresses do not support aging. By default, port security does not aging the security address. After learning, the MAC address will be retained on the port, it is not until the switch is restarted or the link is disconnected (of course, this is when the viscous MAC address function is not enabled ). Port Security allows you to configure the MAC address aging and aging time in absolute (absolute) or inactivity mode. The aging period of the absolute mode is n ~ The aging period of the static mode is between n + 1 minutes ~ N + 2 minutes (the time increment is 1 minute ).
Before using the secure MAC address aging function, you can delete and add PCs on the secure port before the maximum number of secure MAC addresses configured on the port. You do not need to manually delete the existing secure MAC addresses. Unless you explicitly use the switchport port-security aging static command to statically configure the MAC address aging time, the static security MAC address will not be aging, even if the aging process is configured on the port.
4. by enabling the sticky port security function, you can configure an interface to convert a dynamic MAC address to a sticky MAC address and add them to the running configuration file of the switch. You can use this function when you do not need to move the user to another port, so that you do not need to manually configure a large number of secure MAC addresses on each port. To enable the sticky port security function, type the switchport port-security mac-address sticky interface configuration mode command. In this case, the interface will convert all the dynamic security MAC addresses to the viscous Security MAC addresses, including all the MAC addresses dynamically learned before enabling the viscous Security MAC address function.
The viscous Security MAC address is not automatically part of the switch STARTUP configuration file. If you save the running configuration file, the interface does not need to learn the MAC address again after the switch is restarted, however, if you do not save the running configuration file, the previously automatically converted viscous Security MAC address table will be lost. If the sticky port security function is disabled, the sticky MAC address is automatically converted to a dynamic security MAC address and deleted from the switch's operating configuration file. After the maximum number of secure MAC addresses is configured, these sticky and secure MAC addresses are stored as tables. To make a device a unique connector for a port, you can configure the maximum number of secure MAC addresses on the port to 1. If the number of secure MAC addresses added to a port exceeds the configured maximum number of secure MAC addresses, an violation occurs.
5. illegal behavior mode: www.2cto.com you can configure the behavior mode after the violation event: l protection (protect): When the number of secure MAC addresses exceeds the maximum number of secure MAC addresses configured on the port, packets with unknown source MAC addresses are discarded until the number of secure MAC addresses in the MAC address table falls within the configured maximum number of secure MAC addresses, or the maximum number of secure MAC addresses is increased. In addition, there is no notification of any security violation. We recommend that you do not configure protection on the relay port, because when a VLAN on the relay port reaches the maximum number of secure MAC addresses configured in the VLAN, the port will be disabled, even if the number of secure MAC addresses on the port does not reach the maximum number of secure MAC addresses configured on the port.
L Restrict: similar to the previous protection mode, when the number of secure MAC addresses reaches the maximum number of secure MAC addresses configured on the port, packets with unknown source MAC addresses are discarded until the number of secure MAC addresses in the MAC address table falls within the configured maximum number of secure MAC addresses, or the maximum number of secure MAC addresses is increased. However, in this behavior mode, an SNMP capture message is sent and the system logs are recorded. The number of violation counters increases by 1. The SNMP capture notification sending frequency can be controlled by the snmp-server enable traps port-security trap-rate command. The default value is 0, indicating that an SNMP capture notification is sent when any security violation occurs. L Shutdown: when a security violation occurs, the port immediately shows an error-disabled status ). At the same time, an SNMP capture message is sent and system logs are recorded. The number of violation counters increases by 1. You can use this mode to disable non-MAC addresses in a secure and secure environment.
L Shutdown VLAN: Applicable to the VLAN security violation mode. In this mode, when a penalty event is triggered for a security violation, all VLANs corresponding to the port are in an error-prohibited status. Disable the corresponding VLAN instead of the corresponding port. Table 15-1 lists various violation modes and corresponding actions.

When a security port is in the error-disabled status, you can use the errdisable recovery causedisable cure-violation global configuration mode command to restore it, alternatively, you can use the shutdown and no shut down interface configuration mode commands to restart. If the port is in the per-VLAN errdisable status, you can use the clear errdisable interface name VLAN range Command to restart the vlan on the port. You can also use the errdisable recovery interval command to customize the time for resuming the specified error prohibition status. The default value is 300 seconds. Www.2cto.com [experience] If you can predict that an illegal and secure MAC address package will be sent on a port, you may want to limit the transmission rate of the illegal and secure MAC address package on the security port. Port Security considers a packet whose MAC address is 0 as a multicast or broadcast source MAC address and considers it as an invalid packet. You can choose to limit the transmission rate of these packets. When the rate is exceeded, an violation event will be captured on the port. It also leaves a certain amount of space for multicast or broadcast packet transmission. From Wang DA's column