The secretive "Port security" feature


We often hear how powerful and flexible the "port security" feature is, but few of us have a systematic understanding of it. The port security feature of Cisco IOS switches lets you restrict the MAC addresses allowed on a port (called "secure MAC addresses"), a range of MAC addresses, or the maximum number of secure addresses, so that unauthorized MAC addresses are prevented from gaining access. Its application is, of course, flexible. This article only introduces the basics; a detailed treatment is given in the "CISCO/H3C Switch Advanced Configuration and Management Technology Manual".

This description is excerpted from the author's "CISCO/H3C Switch Advanced Configuration and Management Technology Manual". Its companion volume, "CISCO/H3C Switch Configuration and Management Complete Manual" (second edition; currently discounted to as low as 63 percent at Dangdang and Joyo), went into reprint only three months after release. Thank you for your strong support!

15.3.1 Introduction to Port Security Features

The port security feature of Cisco IOS switches lets you configure static secure MAC addresses so that only fixed devices can connect, and lets you configure a maximum number of secure MAC addresses on a port so that only the devices identified before that number is reached can connect through it. When the maximum number of secure MAC addresses is exceeded, a security violation is triggered and the action configured as the port's violation mode is taken. If you configure a port with a maximum of 1 secure MAC address, only a single fixed device is allowed to connect to that secure port. Once a secure MAC address is bound to a port, that MAC address cannot be used on any other port in the same VLAN; frames from it that arrive on another port are silently dropped in hardware.

1. Secure MAC address types supported by port security

The port security feature of Cisco IOS switches supports the following types of secure MAC addresses:

• Dynamic (learned) type: dynamic secure MAC addresses are learned when a frame is received from a host connected to a secure port. Use this type when a user's MAC address is not fixed, for example a laptop carried around by a mobile network user.

• Static (configured) type: a static secure MAC address is configured by the user via the CLI or SNMP. Use this type when the MAC address is fixed (for example, a user with a desktop PC).

• Sticky type: sticky secure MAC addresses are learned in the same way as dynamic secure MAC addresses, but they remain valid after a switch reboot, which makes them somewhat like static secure MAC addresses. Use this type when there are many fixed MAC addresses and you do not want to configure each secure MAC address by hand.

If a port has already reached its maximum number of secure MAC addresses and you try to configure a static secure MAC address, the configuration is rejected and an error message is displayed. If a port has reached its maximum and a new dynamic secure MAC address is learned, a security violation is triggered.

You can use the clear port-security command to purge dynamic secure MAC addresses, and the no switchport port-security mac-address command to remove sticky and static secure MAC addresses.

2. Maximum number of secure MAC addresses

By default a secure port allows one secure MAC address. You can change this value to anything between 1 and 3000. After setting the maximum number of secure MAC addresses on a port, you can populate the address table with secure MAC addresses in any of the following ways:

• Configure a secure MAC address with the switchport port-security mac-address mac_address interface configuration command.

• Configure all secure MAC addresses of a VLAN range on a trunk port with the port-security mac-address vlan range configuration command.

• Allow the port to dynamically learn secure MAC addresses from the MAC addresses of the connected devices.

• Statically configure some secure MAC addresses and allow the rest to be learned dynamically (all dynamic secure MAC addresses on the port lose their secure status when the port link goes down).

• Make the MAC addresses sticky. Sticky secure MAC addresses can be learned dynamically or configured manually; they are saved in the MAC address table and added to the running configuration. Once saved to the switch's startup configuration, they do not have to be learned again after the switch restarts. Although you can configure sticky secure MAC addresses by hand, this approach is not recommended.

Tip: on a trunk port, the maximum number of secure MAC addresses can be configured per port and per port VLAN. The port maximum must be greater than or equal to (never less than) any port-VLAN maximum. If the port maximum is smaller than a port-VLAN maximum (for example, VLAN 10 has a maximum of 3 while the port keeps the default of 1), the port will be shut down as soon as the number of secure MAC addresses on that VLAN exceeds the port maximum.

3. Secure MAC Address Aging

When a port sees more than 3,000 MAC addresses, you may want to age secure MAC addresses so that addresses that have not been seen for a long time are removed from the MAC address table. Sticky secure MAC addresses, however, do not support aging.

By default, port security does not age secure addresses: once learned, a MAC address stays on the port until the switch restarts or the link goes down (this applies, of course, when sticky is not enabled). Port security lets you configure aging and the aging time in absolute or inactivity mode. In absolute mode the aging period is n to n+1 minutes; in inactivity mode it is n+1 to n+2 minutes (the time granularity is 1 minute).

Use secure MAC address aging so that PCs on a secure port can be removed and added, even when the port has reached its configured maximum number of secure MAC addresses, without manually deleting the existing secure MAC addresses.

Unless you explicitly enable aging of static addresses with the switchport port-security aging static command, static secure MAC addresses are not aged, even if aging is configured on the port.

4. Sticky MAC address on the port

By enabling the sticky port security feature, you can configure an interface to convert dynamic secure MAC addresses to sticky secure MAC addresses and add them to the switch's running configuration. Use this feature when users do not need to move to other ports, so that you do not have to configure large numbers of secure MAC addresses by hand on each port.

To enable sticky port security, enter the switchport port-security mac-address sticky interface configuration command. The interface then converts all dynamic secure MAC addresses to sticky secure MAC addresses, including those that were learned dynamically before the feature was enabled.

Sticky secure MAC addresses do not automatically become part of the startup configuration. If you save the running configuration, the interface does not have to learn the MAC addresses again after a restart; if you do not save it, the previously converted sticky secure MAC addresses are lost.

If sticky port security is disabled, the sticky secure MAC addresses are converted back to dynamic secure MAC addresses and removed from the running configuration. Sticky secure MAC addresses are kept in the address table up to the configured maximum number of secure MAC addresses. To make a single device the only one that can connect through a port, configure that port's maximum number of secure MAC addresses as 1. If more secure MAC addresses are added to a port than the configured maximum, a security violation occurs.
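A configuration that puts the commands from sections 2 to 4 together on one switch, added here as an example rather than taken from the article or the manual it excerpts; the interface names and the MAC address are constructed placeholders:

```text
! Access port for a fixed desktop: one static secure address, violations logged.
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
!
! Access port for a shared room: learn up to 3 addresses dynamically and age
! them out after 10 idle minutes so hosts can be swapped without manual cleanup.
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging type inactivity
 switchport port-security aging time 10
 switchport port-security aging static
 switchport port-security violation restrict
!
! Access port with sticky learning: learned addresses survive a reload once the
! running config is saved (sticky addresses are not subject to aging).
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Trunk port: the port maximum (5) must not be lower than any per-VLAN maximum.
interface GigabitEthernet0/24
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 5
 switchport port-security maximum 3 vlan 10
 switchport port-security violation restrict
!
! Send at most 5 port-security traps per second (default 0 = one trap per violation).
snmp-server enable traps port-security trap-rate 5
```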

5. Violation modes

You can configure the action taken when a security violation occurs:

• Protect: when the number of secure MAC addresses exceeds the maximum configured on the port, frames with unknown source MAC addresses are dropped until the number of secure MAC addresses in the MAC address table drops to the configured maximum, or the maximum is increased. No notification of the violation is given. It is not recommended to configure protect mode on a trunk port, because the port is blocked as soon as one VLAN reaches the per-VLAN maximum configured for it on the trunk, even if the total number of secure MAC addresses on the port has not reached the port maximum.

• Restrict: like protect mode, when the number of secure MAC addresses on the port reaches the configured maximum, frames with unknown source MAC addresses are dropped until the number of secure MAC addresses in the MAC address table drops to the configured maximum, or the maximum is increased. In this mode, however, an SNMP trap is sent, a syslog message is logged, and the violation counter is incremented by 1. The rate at which SNMP trap notifications are sent can be controlled with the snmp-server enable traps port-security trap-rate command; its default value is 0, which means an SNMP trap is sent for every security violation.
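An added example (not from the article): a small Python audit that reads a running-config and flags the two trunk-port pitfalls described above, a per-VLAN maximum above the port maximum (section 2 tip) and protect mode on a trunk (section 5). The sample config is constructed and the interface name is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample running-config (hypothetical interface, not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/24
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 3 vlan 10
 switchport port-security violation protect
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group each interface's indented config lines under its name."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces

def audit_port_security(config: str) -> List[str]:
    """Return one finding per trunk-port pitfall found in the config."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport port-security" not in lines:
            continue  # port security not enabled on this interface
        port_max, vlan_max = 1, {}  # IOS default: 1 secure address per port
        for line in lines:
            m = re.match(r"switchport port-security maximum (\d+)(?: vlan (\S+))?$", line)
            if m and m.group(2):
                vlan_max[m.group(2)] = int(m.group(1))  # per-VLAN maximum
            elif m:
                port_max = int(m.group(1))  # port-wide maximum
        for vlan, vmax in vlan_max.items():
            if vmax > port_max:  # port shuts down once the VLAN count exceeds port_max
                findings.append(f"{name}: VLAN {vlan} maximum {vmax} exceeds port maximum {port_max}")
        if "switchport mode trunk" in lines and "switchport port-security violation protect" in lines:
            findings.append(f"{name}: violation mode 'protect' on a trunk port")
    return findings
```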
