OcNOS-DC : Layer 2 Guide : Layer 2 Configuration Guide : Port Security Configuration
Port Security Configuration
The Port Security feature allows network administrators to block unauthorized access to the network. Network administrators can configure each port of the switch to allow network access from only secured MACs, so that the switch forwards traffic from only secured MACs.
Users can limit each port's ingress traffic by limiting MAC addresses (source MACs) that are used to send traffic into ports. Port Security enables users to configure the maximum number of secured MACs for each port. Switches learn secured MAC dynamically (learned by switch during traffic inflow) or statically (User configured MACs). Dynamically Learned or statically programmed MAC addresses cannot exceed the maximum number of secured MACs configured for a particular port. Once the switch reaches the maximum limit for secured MACs, traffic from all other MAC addresses are dropped.
The violated MACs are logged in syslog messages. Refer to cpu queue portsec-drop using the command show interface cpu counter queue-stats for information on the number of violated MACs.
Secured MACs Learned Dynamically
Secured MACs learned dynamically
Send Layer-2 traffic with incremental source MAC of 100 and with VLAN 100 from Edge Network node and since max limit is configured as 3 – only 3 secure MAC addresses will be learned by SW1.
SW1
 
#configure terminal
Enter configure mode.
(config)#hostname SW1
Set the host name
(config)#bridge 1 protocol rstp vlan-bridge
Create a RSTP VLAN bridge on customer side
(config)#vlan 2-200 bridge 1 state enable
Configure VLAN for the bridge
(config)#interface ge1
Enter interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode hybrid
Configure the mode as trunk
(config-if)#switchport hybrid allowed vlan all
Configure allowed VLAN all on the interface
(config-if)#switchport port-security
Enable port security mode dynamic
(config-if)#switchport port-security maximum 3
Limit secure MAC to 3 mac addresses.
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface ge2
Enter interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode hybrid
Configure the mode as trunk
(config-if)#switchport hybrid allowed vlan all
Configure allowed VLAN all on the interface
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#logging monitor 7
Enable logging level as 7 for debugging
Validation
Validation commands are “show port-security,” “show port-security interface <ifname>,” “show mac address-table count bridge 1,” “show bridge,” and “show mac address-table bridge 1.”
SW1#show port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1 dynamic 3
 
SW1#show port-security interface ge1
Port Security Mode : Dynamic
Secure MAC limit : 3
Static Secure MAC list :
CVLAN SVLAN MAC Address
------+------+----------------
 
SW1#show mac address-table count bridge 1
MAC Entries for all vlans:
Dynamic Address Count: 3
Static (User-defined) Unicast MAC Address Count: 0
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 3
 
SW1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1 100 ge1 0000.0300.0500 1 100
1 100 ge1 0000.0300.055b 1 100
1 100 ge1 0000.0300.055c 1 100
 
SW1#show mac address-table bridge 1
VLAN MAC Address Type Ports Port-security
------+---------------+---------+---------+--------------
100 0000.0300.0500 dynamic ge1 Enable
100 0000.0300.055b dynamic ge1 Enable
100 0000.0300.055c dynamic ge1 Enable
SW1#
 
Secured MAC Addresses Learned Statically
1. Stop the traffic from Edge Network node and do “clear mac address-table dynamic bridge 1” on SW1.
2. Verify all dynamic secured MAC addresses are cleared.
3. Configure 3 static secure MAC addresses using the commands below in port security configured interface.
4. Try to add a fourth static secure MAC address.
5. Verify operator log message is displayed, saying “port security mac limit reached.”
 
(config)#interface ge1
Enter interface mode
(config-if)#switchport port-security mac-address 0000.0000.aaaa vlanId 100
Add static secure MAC address for VLAN 100 in interface mode
(config-if)#switchport port-security mac-address 0000.0000.aaab vlanId 100
Add static secure MAC address for VLAN 100 in interface mode
(config-if)#switchport port-security mac-address 0000.0000.aaac vlanId 100
Add static secure MAC address for VLAN 100 in interface mode
(config-if)#commit
Commit candidate configuration to be running configuration
Validation
SW1#show port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1 dynamic 3 100 0000.0000.aaaa
100 0000.0000.aaab
100 0000.0000.aaac
 
SW1#show port-security interface ge1
Port Security Mode : Dynamic
Secure MAC limit : 3
Static Secure MAC list :
CVLAN SVLAN MAC Address
------+------+----------------
100 0000.0000.aaaa
100 0000.0000.aaab
100 0000.0000.aaac
 
SW1#show mac address-table count bridge 1
MAC Entries for all vlans:
Dynamic Address Count: 0
Static (User-defined) Unicast MAC Address Count: 3
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 3
 
SW1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1 100 ge1 0000.0000.aaaa 1 -
1 100 ge1 0000.0000.aaab 1 -
1 100 ge1 0000.0000.aaac 1 -
 
SW1#show mac address-table bridge 1
VLAN MAC Address Type Ports Port-security
------+---------------+---------+---------+--------------
100 0000.0000.aaaa static ge1 Enable
100 0000.0000.aaab static ge1 Enable
100 0000.0000.aaac static ge1 Enable
SW1#
Remove the port-security configuration method using the two commands below:
(
config)#interface ge1
Enter interface mode
(config-if)#no switchport port-security
Set the port-security method to static.
(config-if)#commit
Commit candidate configuration to be running configuration
Static Mode
Use the below command to configure the port-security method to static and configure static secure MAC addresses using the commands the in static port-security method, below.
 
(config)#interface ge1
Enter interface mode
(config-if)#switchport port-security static
Set the port-security method as static.
(config-if)#switchport port-security max 3
Limit static secure MAC to 3 mac addresses.
(config-if)#switchport port-security mac-address 0000.0000.aaaa vlanId 100
Add static secure MAC address for VLAN 100 in interface mode.
(config-if)#switchport port-security mac-address 0000.0000.aaab vlanId 100
Add static secure MAC address for VLAN 100 in interface mode.
(config-if)#switchport port-security mac-address 0000.0000.aaac vlanId 100
Add static secure MAC address for VLAN 100 in interface mode .
(config-if)#commit
Commit candidate configuration to be running configuration
Verify the 3 secure static MAC addresses are added in interface ge1 using show running-config and also verify the port-security method should be static using below show commands.
Validation
SW1#show running-config interface ge1
interface ge1
switchport
bridge-group 1
switchport mode hybrid
switchport hybrid allowed vlan all
switchport port-security static
switchport port-security maximum 3
switchport port-security mac-address 0000.0000.aaaa vlanId 100
switchport port-security mac-address 0000.0000.aaab vlanId 100
switchport port-security mac-address 0000.0000.aaac vlanId 100
 
SW1#show port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1 static 3 100 0000.0000.aaaa
100 0000.0000.aaab
100 0000.0000.aaac
 
SW1#show port-security interface ge1
Port Security Mode : Static
Secure MAC limit : 3
Static Secure MAC list :
CVLAN SVLAN MAC Address
------+------+----------------
100 0000.0000.aaaa
100 0000.0000.aaab
100 0000.0000.aaac
 
SW1#show mac address-table count bridge 1
MAC Entries for all vlans:
Dynamic Address Count: 0
Static (User-defined) Unicast MAC Address Count: 3
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 3
 
SW1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1 100 ge1 0000.0000.aaaa 1 -
1 100 ge1 0000.0000.aaab 1 -
1 100 ge1 0000.0000.aaac 1 -
 
SW1#show mac address-table bridge 1
VLAN MAC Address Type Ports Port-security
------+---------------+---------+---------+--------------
100 0000.0000.aaaa static ge1 Enable
100 0000.0000.aaab static ge1 Enable
100 0000.0000.aaac static ge1 Enable
SW1#
Configure one more static secure MAC address on interface ge1 and try to verify “port security mac limit reached” operator log message is displayed.
Start sending Layer-2 traffic with incremental source MAC of 100 and with VLAN 100 from Edge Network node, and verify no dynamic secure MAC addresses are being learned using all the validation commands used.
Port Security using MLAG
Port security with MLAG
TOR1
 
#configgure termonal
Enter configure mode
(config)#bridge 1 protocol provider-rstp edge
Create provider RSTP bridge
(config)#vlan 2-10 type customer bridge 1 state enable
Enabling customer vlan for bridge
(config)#vlan 2-10 type service point-point bridge 1 state enable
Enabling service vlan for bridge
(config)#cvlan registration table map1 bridge 1
Creating registration table
(config-cvlan-registation)#cvlan 2 svlan 2
Mapping CVLAN to SVLAN
(config-cvlan-registation)#cvlan 10 svlan 2
Mapping CVLAN to SVLAN
(config-cvlan-registration)#commit
Commit candidate configuration to be running configuration
(config-cvlan-registation)#exit
Exit registration table mode
(config)#interface mlag3
Entering MLAG interface
(config-if)#switchport
Configuring interface as switchport
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface po1
Entering dynamic lag interface
(config-if)#switchport
Configuring interface as switchport
(config-if)#bridge-group 1 spanning-tree disable
Associate the interface with bridge group 1and disabling spanning-tree
(config-if)#switchport mode customer-edge hybrid
Set the switching characteristics of this interface to customer edge hybrid
(config-if)#switchport customer-edge hybrid vlan 2
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2
(config-if)#switchport customer-edge hybrid allowed vlan all
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all
(config-if)#mlag 3
Enabling mlag group number
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface xe49/1
Entering interface mode
(config-if)#switchport
Configuring interface as switchport
(config-if)#bridge-group 1
Associate the interface with bridge group 1.
(config-if)#switchport mode provider-network
Set the switching characteristics of this interface to provider network
(config-if)#switchport provider-network allowed vlan all
Set the switching characteristics of this interface to provider network and allow all VLAN
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Enter interface mode
(config)#interface xe3
Entering interface mode
(config-if)#switchport
Configuring interface as switchport
(config-if)#bridge-group 1
Associate the interface with bridge group 1.
(config-if)#switchport mode customer-edge hybrid
Set the switching characteristics of this interface to customer edge hybrid
(config-if)#switchport customer-edge hybrid vlan 2
Set the switching characteristics of this interface to customer edge hybrid and allow vlan 2
(config-if)#switchport customer-edge hybrid allowed vlan all
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all
(config-if)#channel-group 1 mode active
Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface mlag3
Entering MLAG interface
(config-if)#bridge-group 1 spanning-tree disable
Associate the interface with bridge group 1and disabling spanning-tree
(config-if)#switchport mode customer-edge hybrid
Set the switching characteristics of this interface to customer edge hybrid
(config-if)#switchport customer-edge hybrid vlan 2
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2
(config-if)#switchport customer-edge hybrid allowed vlan all
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all
(config-if)#switchport customer-edge vlan registration map1
Configuring the registration table mapping on MLAG interface
(config-if)#switchport port-security
Enabling port security
(config-if)#switchport port-security maximum 10
Limiting the maximum mac to 10
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#mcec domain configuration
Entering MCEC mode
(config-mcec-domain)#domain-address 2222.2222.2222
Domain address for the MLAG domain
(config-mcec-domain)#domain-system-number 1
Number to identify the node in a domain
(config-if)#commit
Commit candidate configuration to be running configuration
(config-mcec-domain)#exit
Exit MCEC mode
(config)#intra-domain-link xe49/1
Intra domain line between MLAG domain
(config-if)#domain-priority 333
Domain priority for MCEC
(config-if)#commit
Commit candidate configuration to be running configuration
TOR2
(config-if)#
#configure terminal
Enter configure mode
(config)#bridge 1 protocol provider-rstp edge
Create provider RSTP bridge
(config)#vlan 2-10 type customer bridge 1 state enable
Enabling customer VLAN for bridge
(config)#vlan 2-10 type service point-point bridge 1 state enable
Enabling service VLAN for bridge
(config)#cvlan registration table map1 bridge 1
Creating registration table
(config-cvlan-registation)#cvlan 2 svlan 2
Mapping CVLAN to SVLAN
(config-cvlan-registation)#cvlan 10 svlan 2
Mapping CVLAN to SVLAN
(config-cvlan-registration)#commit
Commit candidate configuration to be running configuration
(config-cvlan-registation)#exit
Exit registration table mode
(config)#interface mlag3
Entering MLAG interface
(config-if)#switchport
Configuring interface as switchport
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface po1
Entering dynamic lag interface
(config-if)#Switchport
Configuring interface as switchport
(config-if)#bridge-group 1 spanning-tree disable
Associate the interface with bridge group 1and disabling spanning-tree
(config-if)#switchport mode customer-edge hybrid
Set the switching characteristics of this interface to customer edge hybrid
(config-if)#switchport customer-edge hybrid vlan 2
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2
(config-if)#switchport customer-edge hybrid allowed vlan all
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all
(config-if)#mlag 3
Enabling MLAG group number
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface xe49/1
Entering interface mode
(config-if)#switchport
Configuring interface as switchport
(config-if)#bridge-group 1
Associate the interface with bridge group 1.
(config-if)#switchport mode provider-network
Set the switching characteristics of this interface to provider network
(config-if)#switchport provider-network allowed vlan all
Set the switching characteristics of this interface to provider network and allow all VLAN
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface xe3
Entering interface mode
(config-if)#switchport
Configuring interface as switchport
bridge-group 1
Associate the interface with bridge group 1
(config-if)#switchport mode customer-edge hybrid
Set the switching characteristics of this interface to customer edge hybrid
(config-if)#switchport customer-edge hybrid vlan 2
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2
(config-if)#switchport customer-edge hybrid allowed vlan all
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all
(config-if)#channel-group 1 mode active
Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface mlag3
Entering MLAG interface
(config-if)#bridge-group 1 spanning-tree disable
Associate the interface with bridge group 1and disabling spanning-tree
(config-if)#switchport mode customer-edge hybrid
Set the switching characteristics of this interface to customer edge hybrid
(config-if)#switchport customer-edge hybrid vlan 2
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2
(config-if)#switchport customer-edge hybrid allowed vlanall
Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all
(config-if)#switchport customer-edge vlan registration map1
Configuring the registration table mapping on MLAG interface
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
mcec domain configuration
Entering MCEC mode
(config-mcec-domain)#domain-address 2222.2222.2222
Domain address for the MLAG domain
(config-mcec-domain)#domain-system-number 2
Number to identify the node in a domain
(config-mcec-domain)#intra-domain-link xe49/1
Intra domain line between MLAG domain
(config-mcec-domain)#domain-priority 333
Domain priority for MCEC
(config-mcec-domain)#commit
Commit candidate configuration to be running configuration
SW1
 
configure terminal
Enter configuration mode
(config)#bridge 1 protocol rstp vlan-bridge
Configuring the RSTP vlan bridge
(config)#interface po1
Entering interface mode
(config-if)#switchport
Configuring interface as switchport
(config-if)#bridge-group 1 spanning-tree disable
Associate the interface with bridge group 1and disabling spanning-tree
(config-if)#switchport mode hybrid
Set the switching characteristics of this interface hybrid
(config-if)#switchport hybrid allowed vlan all
Set the switching characteristics of this interface hybrid and allowing all vlan
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface xe1/3
Entering interface mode
(config-if)#switchport
Configuring interface as switchport
(config-if)#bridge-group 1 spanning-tree disable
Associate the interface with bridge group 1and disabling spanning-tree
(config-if)#switchport mode hybrid
Set the switching characteristics of this interface hybrid
(config-if)#switchport hybrid allowed vlan all
Set the switching characteristics of this interface hybrid and allowing all vlan
(config-if)#channel-group 1 mode active
Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system.
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface xe1/1
Entering interface mode
(config-if)#switchport
Configuring interface as switchport
(config-if)#bridge-group 1 spanning-tree disable
Associate the interface with bridge group 1 and disabling spanning-tree
(config-if)#switchport mode hybrid
Set the switching characteristics of this interface hybrid
(config-if)#switchport hybrid allowed vlan all
Set the switching characteristics of this interface hybrid and allowing all vlan
(config-if)#channel-group 1 mode active
Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system.
(config-if)#commit
Commit candidate configuration to be running configuration
(config-if)#exit
Exit interface mode
(config)#interface xe3/3
Entering interface mode
(config-if)#switchport
Configuring interface as switchport
(config-if)#bridge-group 1
Associate the interface with bridge group 1and disabling spanning-tree
(config-if)#switchport mode hybrid
Set the switching characteristics of this interface hybrid
(config-if)#switchport hybrid allowed vlan all
Set the switching characteristics of this interface hybrid and allowing all VLAN
(config-if)#commit
Commit candidate configuration to be running configuration
Validation
TOR1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1 2 mlag3 0000.0500.0200 1 54
1 2 mlag3 0000.0500.0201 1 60
1 2 mlag3 0000.0500.0202 1 54
1 2 mlag3 0000.0500.0203 1 60
1 2 mlag3 0000.0500.0204 1 54
1 2 mlag3 0000.0500.0205 1 60
1 2 mlag3 0000.0500.0207 1 60
1 2 mlag3 0000.0500.0208 1 54
1 2 mlag3 0000.0500.0209 1 60
1 2 mlag3 0000.0500.020a 1 54
1 2 mlag3 0000.0500.020b 1 60
1 2 mlag3 0000.0500.020c 1 54
1 2 mlag3 0000.0500.020d 1 60
1 2 mlag3 0000.0500.020e 1 54
1 2 mlag3 0000.0500.020f 1 60
1 2 mlag3 0000.0500.0210 1 54
1 2 mlag3 0000.0500.0211 1 60
1 2 mlag3 0000.0500.0212 1 54
1 2 mlag3 cc37.abbb.ed9b 1 40
 
TOR1#sh port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
-------+-------------------+---------+------+------+-----------------
Mlag3 dynamic 10
TOR1#
TOR1#show mac address-table count bridge 1 interface mlag3
MAC Entries for all vlans:
Dynamic Address Count: 20
Static (User-defined) Unicast MAC Address Count: 0
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 20
TOR1#