Port Security Configuration
The Port Security feature allows network administrators to block unauthorized access to the network. Network administrators can configure each port of the switch to allow network access from only secured MACs, so that the switch forwards traffic from only secured MACs.
Users can limit each port's ingress traffic by limiting MAC addresses (source MACs) that are used to send traffic into ports. Port Security enables users to configure the maximum number of secured MACs for each port. Switches learn secured MAC dynamically (learned by switch during traffic inflow) or statically (User configured MACs). Dynamically Learned or statically programmed MAC addresses cannot exceed the maximum number of secured MACs configured for a particular port. Once the switch reaches the maximum limit for secured MACs, traffic from all other MAC addresses are dropped.
The violated MACs are logged in syslog messages. Refer to cpu queue portsec-drop using the command show interface cpu counter queue-stats for information on the number of violated MACs.
Secured MACs Learned Dynamically
Secured MACs learned dynamically
Send Layer-2 traffic with incremental source MAC of 100 and with VLAN 100 from Edge Network node and since max limit is configured as 3 – only 3 secure MAC addresses will be learned by SW1.
SW1
#configure terminal | Enter configure mode. |
(config)#hostname SW1 | Set the host name |
(config)#bridge 1 protocol rstp vlan-bridge | Create a RSTP VLAN bridge on customer side |
(config)#vlan 2-200 bridge 1 state enable | Configure VLAN for the bridge |
(config)#interface ge1 | Enter interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode hybrid | Configure the mode as trunk |
(config-if)#switchport hybrid allowed vlan all | Configure allowed VLAN all on the interface |
(config-if)#switchport port-security | Enable port security mode dynamic |
(config-if)#switchport port-security maximum 3 | Limit secure MAC to 3 mac addresses. |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface ge2 | Enter interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode hybrid | Configure the mode as trunk |
(config-if)#switchport hybrid allowed vlan all | Configure allowed VLAN all on the interface |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#logging monitor 7 | Enable logging level as 7 for debugging |
Validation
Validation commands are “show port-security,” “show port-security interface <ifname>,” “show mac address-table count bridge 1,” “show bridge,” and “show mac address-table bridge 1.”
SW1#show port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1 dynamic 3
SW1#show port-security interface ge1
Port Security Mode : Dynamic
Secure MAC limit : 3
Static Secure MAC list :
CVLAN SVLAN MAC Address
------+------+----------------
SW1#show mac address-table count bridge 1
MAC Entries for all vlans:
Dynamic Address Count: 3
Static (User-defined) Unicast MAC Address Count: 0
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 3
SW1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1 100 ge1 0000.0300.0500 1 100
1 100 ge1 0000.0300.055b 1 100
1 100 ge1 0000.0300.055c 1 100
SW1#show mac address-table bridge 1
VLAN MAC Address Type Ports Port-security
------+---------------+---------+---------+--------------
100 0000.0300.0500 dynamic ge1 Enable
100 0000.0300.055b dynamic ge1 Enable
100 0000.0300.055c dynamic ge1 Enable
SW1#
Secured MAC Addresses Learned Statically
1. Stop the traffic from Edge Network node and do “clear mac address-table dynamic bridge 1” on SW1.
2. Verify all dynamic secured MAC addresses are cleared.
3. Configure 3 static secure MAC addresses using the commands below in port security configured interface.
4. Try to add a fourth static secure MAC address.
5. Verify operator log message is displayed, saying “port security mac limit reached.”
(config)#interface ge1 | Enter interface mode |
(config-if)#switchport port-security mac-address 0000.0000.aaaa vlanId 100 | Add static secure MAC address for VLAN 100 in interface mode |
(config-if)#switchport port-security mac-address 0000.0000.aaab vlanId 100 | Add static secure MAC address for VLAN 100 in interface mode |
(config-if)#switchport port-security mac-address 0000.0000.aaac vlanId 100 | Add static secure MAC address for VLAN 100 in interface mode |
(config-if)#commit | Commit candidate configuration to be running configuration |
Validation
SW1#show port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1 dynamic 3 100 0000.0000.aaaa
100 0000.0000.aaab
100 0000.0000.aaac
SW1#show port-security interface ge1
Port Security Mode : Dynamic
Secure MAC limit : 3
Static Secure MAC list :
CVLAN SVLAN MAC Address
------+------+----------------
100 0000.0000.aaaa
100 0000.0000.aaab
100 0000.0000.aaac
SW1#show mac address-table count bridge 1
MAC Entries for all vlans:
Dynamic Address Count: 0
Static (User-defined) Unicast MAC Address Count: 3
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 3
SW1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1 100 ge1 0000.0000.aaaa 1 -
1 100 ge1 0000.0000.aaab 1 -
1 100 ge1 0000.0000.aaac 1 -
SW1#show mac address-table bridge 1
VLAN MAC Address Type Ports Port-security
------+---------------+---------+---------+--------------
100 0000.0000.aaaa static ge1 Enable
100 0000.0000.aaab static ge1 Enable
100 0000.0000.aaac static ge1 Enable
SW1#
Remove the port-security configuration method using the two commands below:
(
config)#interface ge1 | Enter interface mode |
(config-if)#no switchport port-security | Set the port-security method to static. |
(config-if)#commit | Commit candidate configuration to be running configuration |
Static Mode
Use the below command to configure the port-security method to static and configure static secure MAC addresses using the commands the in static port-security method, below.
(config)#interface ge1 | Enter interface mode |
(config-if)#switchport port-security static | Set the port-security method as static. |
(config-if)#switchport port-security max 3 | Limit static secure MAC to 3 mac addresses. |
(config-if)#switchport port-security mac-address 0000.0000.aaaa vlanId 100 | Add static secure MAC address for VLAN 100 in interface mode. |
(config-if)#switchport port-security mac-address 0000.0000.aaab vlanId 100 | Add static secure MAC address for VLAN 100 in interface mode. |
(config-if)#switchport port-security mac-address 0000.0000.aaac vlanId 100 | Add static secure MAC address for VLAN 100 in interface mode . |
(config-if)#commit | Commit candidate configuration to be running configuration |
Verify the 3 secure static MAC addresses are added in interface ge1 using show running-config and also verify the port-security method should be static using below show commands.
Validation
SW1#show running-config interface ge1
interface ge1
switchport
bridge-group 1
switchport mode hybrid
switchport hybrid allowed vlan all
switchport port-security static
switchport port-security maximum 3
switchport port-security mac-address 0000.0000.aaaa vlanId 100
switchport port-security mac-address 0000.0000.aaab vlanId 100
switchport port-security mac-address 0000.0000.aaac vlanId 100
SW1#show port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1 static 3 100 0000.0000.aaaa
100 0000.0000.aaab
100 0000.0000.aaac
SW1#show port-security interface ge1
Port Security Mode : Static
Secure MAC limit : 3
Static Secure MAC list :
CVLAN SVLAN MAC Address
------+------+----------------
100 0000.0000.aaaa
100 0000.0000.aaab
100 0000.0000.aaac
SW1#show mac address-table count bridge 1
MAC Entries for all vlans:
Dynamic Address Count: 0
Static (User-defined) Unicast MAC Address Count: 3
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 3
SW1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1 100 ge1 0000.0000.aaaa 1 -
1 100 ge1 0000.0000.aaab 1 -
1 100 ge1 0000.0000.aaac 1 -
SW1#show mac address-table bridge 1
VLAN MAC Address Type Ports Port-security
------+---------------+---------+---------+--------------
100 0000.0000.aaaa static ge1 Enable
100 0000.0000.aaab static ge1 Enable
100 0000.0000.aaac static ge1 Enable
SW1#
Configure one more static secure MAC address on interface ge1 and try to verify “port security mac limit reached” operator log message is displayed.
Start sending Layer-2 traffic with incremental source MAC of 100 and with VLAN 100 from Edge Network node, and verify no dynamic secure MAC addresses are being learned using all the validation commands used.
Port Security using MLAG
Port security with MLAG
TOR1
#configgure termonal | Enter configure mode |
(config)#bridge 1 protocol provider-rstp edge | Create provider RSTP bridge |
(config)#vlan 2-10 type customer bridge 1 state enable | Enabling customer vlan for bridge |
(config)#vlan 2-10 type service point-point bridge 1 state enable | Enabling service vlan for bridge |
(config)#cvlan registration table map1 bridge 1 | Creating registration table |
(config-cvlan-registation)#cvlan 2 svlan 2 | Mapping CVLAN to SVLAN |
(config-cvlan-registation)#cvlan 10 svlan 2 | Mapping CVLAN to SVLAN |
(config-cvlan-registration)#commit | Commit candidate configuration to be running configuration |
(config-cvlan-registation)#exit | Exit registration table mode |
(config)#interface mlag3 | Entering MLAG interface |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface po1 | Entering dynamic lag interface |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2 |
(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#mlag 3 | Enabling mlag group number |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface xe49/1 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 | Associate the interface with bridge group 1. |
(config-if)#switchport mode provider-network | Set the switching characteristics of this interface to provider network |
(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface to provider network and allow all VLAN |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Enter interface mode |
(config)#interface xe3 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 | Associate the interface with bridge group 1. |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow vlan 2 |
(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface mlag3 | Entering MLAG interface |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2 |
(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#switchport customer-edge vlan registration map1 | Configuring the registration table mapping on MLAG interface |
(config-if)#switchport port-security | Enabling port security |
(config-if)#switchport port-security maximum 10 | Limiting the maximum mac to 10 |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#mcec domain configuration | Entering MCEC mode |
(config-mcec-domain)#domain-address 2222.2222.2222 | Domain address for the MLAG domain |
(config-mcec-domain)#domain-system-number 1 | Number to identify the node in a domain |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-mcec-domain)#exit | Exit MCEC mode |
(config)#intra-domain-link xe49/1 | Intra domain line between MLAG domain |
(config-if)#domain-priority 333 | Domain priority for MCEC |
(config-if)#commit | Commit candidate configuration to be running configuration |
TOR2
(config-if)#
#configure terminal | Enter configure mode |
(config)#bridge 1 protocol provider-rstp edge | Create provider RSTP bridge |
(config)#vlan 2-10 type customer bridge 1 state enable | Enabling customer VLAN for bridge |
(config)#vlan 2-10 type service point-point bridge 1 state enable | Enabling service VLAN for bridge |
(config)#cvlan registration table map1 bridge 1 | Creating registration table |
(config-cvlan-registation)#cvlan 2 svlan 2 | Mapping CVLAN to SVLAN |
(config-cvlan-registation)#cvlan 10 svlan 2 | Mapping CVLAN to SVLAN |
(config-cvlan-registration)#commit | Commit candidate configuration to be running configuration |
(config-cvlan-registation)#exit | Exit registration table mode |
(config)#interface mlag3 | Entering MLAG interface |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface po1 | Entering dynamic lag interface |
(config-if)#Switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2 |
(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#mlag 3 | Enabling MLAG group number |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface xe49/1 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 | Associate the interface with bridge group 1. |
(config-if)#switchport mode provider-network | Set the switching characteristics of this interface to provider network |
(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface to provider network and allow all VLAN |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface xe3 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
bridge-group 1 | Associate the interface with bridge group 1 |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2 |
(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface mlag3 | Entering MLAG interface |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2 |
(config-if)#switchport customer-edge hybrid allowed vlanall | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#switchport customer-edge vlan registration map1 | Configuring the registration table mapping on MLAG interface |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
mcec domain configuration | Entering MCEC mode |
(config-mcec-domain)#domain-address 2222.2222.2222 | Domain address for the MLAG domain |
(config-mcec-domain)#domain-system-number 2 | Number to identify the node in a domain |
(config-mcec-domain)#intra-domain-link xe49/1 | Intra domain line between MLAG domain |
(config-mcec-domain)#domain-priority 333 | Domain priority for MCEC |
(config-mcec-domain)#commit | Commit candidate configuration to be running configuration |
SW1
configure terminal | Enter configuration mode |
(config)#bridge 1 protocol rstp vlan-bridge | Configuring the RSTP vlan bridge |
(config)#interface po1 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all vlan |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface xe1/3 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all vlan |
(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system. |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface xe1/1 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1 and disabling spanning-tree |
(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all vlan |
(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system. |
(config-if)#commit | Commit candidate configuration to be running configuration |
(config-if)#exit | Exit interface mode |
(config)#interface xe3/3 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all VLAN |
(config-if)#commit | Commit candidate configuration to be running configuration |
Validation
TOR1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1 2 mlag3 0000.0500.0200 1 54
1 2 mlag3 0000.0500.0201 1 60
1 2 mlag3 0000.0500.0202 1 54
1 2 mlag3 0000.0500.0203 1 60
1 2 mlag3 0000.0500.0204 1 54
1 2 mlag3 0000.0500.0205 1 60
1 2 mlag3 0000.0500.0207 1 60
1 2 mlag3 0000.0500.0208 1 54
1 2 mlag3 0000.0500.0209 1 60
1 2 mlag3 0000.0500.020a 1 54
1 2 mlag3 0000.0500.020b 1 60
1 2 mlag3 0000.0500.020c 1 54
1 2 mlag3 0000.0500.020d 1 60
1 2 mlag3 0000.0500.020e 1 54
1 2 mlag3 0000.0500.020f 1 60
1 2 mlag3 0000.0500.0210 1 54
1 2 mlag3 0000.0500.0211 1 60
1 2 mlag3 0000.0500.0212 1 54
1 2 mlag3 cc37.abbb.ed9b 1 40
TOR1#sh port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
-------+-------------------+---------+------+------+-----------------
Mlag3 dynamic 10
TOR1#
TOR1#show mac address-table count bridge 1 interface mlag3
MAC Entries for all vlans:
Dynamic Address Count: 20
Static (User-defined) Unicast MAC Address Count: 0
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 20
TOR1#