Port Security Configuration
The Port Security feature allows network administrators to block unauthorized access to the network. Network administrators can configure each port of the switch to allow network access from only secured MACs, so that the switch forwards traffic from only secured MACs.
Users can limit each port's ingress traffic by restricting the source MAC addresses that are allowed to send traffic into the port. Port Security lets users configure the maximum number of secured MACs for each port. The switch learns secured MACs dynamically (learned from traffic arriving on the port) or statically (MACs configured by the user). The number of dynamically learned plus statically programmed MAC addresses cannot exceed the maximum number of secured MACs configured for that port. Once the switch reaches the maximum limit for secured MACs, traffic from all other MAC addresses is dropped.
Violating MACs are logged in syslog messages. The number of violating MACs is reported by the CPU queue portsec-drop; view it with the command show interface cpu counter queue-stats.
Note: When configuring port-security over MLAG, configure the port-security in both MASTER and SLAVE MLAG nodes.
Note: When a port-security limit of 2X is configured across an MLAG pair (X on the Master and X on the Slave), the total number of secured MACs can be less than 2X: if most of the traffic is load-balanced to one MLAG node, that node cannot secure more than X MACs even when its peer has secured fewer than X.
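The following is an added example, written for this page and not the switch's own implementation: a small Python model of the per-port secure-MAC behaviour described above. It learns source MACs dynamically up to the configured maximum, counts statically programmed MACs against the same limit, refuses a static entry once the limit is reached (the "port security mac limit reached" condition), never learns on a static-method port, and counts dropped frames the way the portsec-drop CPU queue does. The class and function names, and the incremental-MAC generator, are this example's own; the MAC values come from the page's output.

```python
"""Model of the per-port secure-MAC limit (added example, not the switch's code)."""
from dataclasses import dataclass, field


def incremental_macs(base: str, count: int):
    """Yield `count` consecutive MACs in xxxx.xxxx.xxxx form starting at `base`,
    mimicking a traffic generator sending an incremental-source-MAC stream."""
    start = int(base.replace(".", ""), 16)
    for i in range(count):
        digits = f"{(start + i) & 0xFFFFFFFFFFFF:012x}"
        yield f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


@dataclass
class SecurePort:
    name: str
    maximum: int                 # switchport port-security maximum <n>
    mode: str = "dynamic"        # "dynamic" (default) or "static"
    secure: dict = field(default_factory=dict)      # (vlan, mac) -> "static" | "dynamic"
    portsec_drop: int = 0        # frames dropped because no secured slot was available
    violations: list = field(default_factory=list)  # distinct (vlan, mac) that violated

    def add_static(self, mac: str, vlan: int) -> None:
        """switchport port-security mac-address <mac> vlanId <vlan>"""
        key = (vlan, mac.lower())
        if key in self.secure:
            self.secure[key] = "static"        # pin an already-learned MAC as static
            return
        if len(self.secure) >= self.maximum:   # static entries count toward the limit
            raise ValueError(f"{self.name}: port security mac limit reached")
        self.secure[key] = "static"

    def ingress(self, mac: str, vlan: int) -> str:
        """Decide the fate of a frame with the given source MAC and VLAN."""
        key = (vlan, mac.lower())
        if key in self.secure:
            return "forward"
        if self.mode == "dynamic" and len(self.secure) < self.maximum:
            self.secure[key] = "dynamic"      # learn it as a secured MAC
            return "forward"
        self.portsec_drop += 1                # limit reached, or static-only port
        if key not in self.violations:
            self.violations.append(key)       # what the syslog message would report
        return "drop"

    def clear_dynamic(self) -> None:
        """clear mac address-table dynamic: static entries survive."""
        self.secure = {k: v for k, v in self.secure.items() if v == "static"}

    def count(self, kind: str) -> int:
        return sum(1 for v in self.secure.values() if v == kind)


def dynamic_scenario(maximum: int = 3, streams: int = 100) -> SecurePort:
    """Limit 3, 100 incrementing source MACs on VLAN 100: 3 learned, the rest dropped."""
    port = SecurePort("ge1", maximum)
    for mac in incremental_macs("0000.0300.0500", streams):
        port.ingress(mac, 100)
    return port


def static_scenario():
    """Static method: three programmed MACs, a fourth is refused, nothing is learned."""
    port = SecurePort("ge1", 3, mode="static")
    for mac in ("0000.0000.aaaa", "0000.0000.aaab", "0000.0000.aaac"):
        port.add_static(mac, 100)
    try:
        port.add_static("0000.0000.aaad", 100)
        limit_hit = False
    except ValueError:
        limit_hit = True
    unknown = port.ingress("0000.0300.0500", 100)   # unknown source: dropped, not learned
    known = port.ingress("0000.0000.aaaa", 100)     # programmed MAC: forwarded
    return port, limit_hit, unknown, known


if __name__ == "__main__":
    p = dynamic_scenario()
    print(f"dynamic: learned={p.count('dynamic')} dropped={p.portsec_drop}")
    s, hit, unknown, known = static_scenario()
    print(f"static: limit_hit={hit} unknown={unknown} known={known} drops={s.portsec_drop}")
```

The drop counter counts frames, while the violation list holds distinct MACs, which mirrors the difference between the portsec-drop queue counter and the syslog records.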
Secured MACs Learned Dynamically
Send Layer 2 traffic from IXIA1 on VLAN 100 with 100 incrementing source MACs. Because the maximum limit is configured as 3, SW1 learns only 3 secure MAC addresses.
SW1
#configure terminal | Enter configure mode. |
(config)#hostname SW1 | Set the host name. |
(config)#bridge 1 protocol rstp vlan-bridge | Create an RSTP VLAN bridge on the customer side. |
(config)#vlan database | Enter VLAN database mode. |
(config-vlan)#vlan 2-200 bridge 1 state enable | Configure VLANs 2-200 for the bridge. |
(config-vlan)#exit | Exit VLAN database mode. |
(config)#interface ge1 | Enter interface mode. |
(config-if)#switchport | Make the interface Layer 2. |
(config-if)#bridge-group 1 | Associate the interface with the bridge. |
(config-if)#switchport mode hybrid | Configure the switchport mode as hybrid. |
(config-if)#switchport hybrid allowed vlan all | Allow all VLANs on the interface. |
(config-if)#switchport port-security | Enable port security in dynamic mode. |
(config-if)#switchport port-security maximum 3 | Limit secure MACs to 3 MAC addresses. |
(config-if)#commit | Commit the candidate configuration to the running configuration. |
(config-if)#exit | Exit interface mode. |
(config)#interface ge2 | Enter interface mode. |
(config-if)#switchport | Make the interface Layer 2. |
(config-if)#bridge-group 1 | Associate the interface with the bridge. |
(config-if)#switchport mode hybrid | Configure the switchport mode as hybrid. |
(config-if)#switchport hybrid allowed vlan all | Allow all VLANs on the interface. |
(config-if)#commit | Commit the candidate configuration to the running configuration. |
(config-if)#exit | Exit interface mode. |
(config)#logging monitor 7 | Set the logging level to 7 (debugging) so the violation messages are shown. |
(config)#commit | Commit the candidate configuration to the running configuration. |
(config)#exit | Exit configure mode. |
Validation
Validation commands are show port-security, show port-security interface <ifname>, show mac address-table count bridge 1, show bridge, and show mac address-table bridge 1.
SW1#show port-security
Port    port-security mode  MAC limit CVLAN  SVLAN  static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1     dynamic             3
SW1#show port-security interface ge1
Port Security Mode : Dynamic
Secure MAC limit : 3
Static Secure MAC list :
CVLAN  SVLAN  MAC Address
------+------+----------------
SW1#show mac address-table count bridge 1
MAC Entries for all vlans:
Dynamic Address Count: 3
Static (User-defined) Unicast MAC Address Count: 0
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 3
SW1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge    CVLAN  SVLAN  BVLAN  Port        MAC Address        FWD   Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1         100                  ge1         0000.0300.0500     1     100
1         100                  ge1         0000.0300.055b     1     100
1         100                  ge1         0000.0300.055c     1     100
SW1#show mac address-table bridge 1
CVLAN  SVLAN  MAC Address     Type      Ports     Port-security
------+------+---------------+---------+---------+--------------
100           0000.0300.0500  dynamic   ge1       Enable
100           0000.0300.055b  dynamic   ge1       Enable
100           0000.0300.055c  dynamic   ge1       Enable
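To turn the validation above into a repeatable check, here is an added Python example (not the switch's own tooling) that parses the show port-security summary and the show mac address-table bridge 1 output and verifies, per port-security interface, the two properties this page relies on: the number of secured MACs never exceeds the configured limit, and a static-method port has no dynamically learned entries. The first two sample outputs are the ones shown above on this page; the "BAD" samples are constructed to show what a finding looks like. Function names and the regular expressions are this example's own.

```python
"""Audit of port-security validation output (added example, not the switch's code)."""
import re
from collections import defaultdict

# Summary rows look like "ge1  dynamic  3 ..."; continuation rows that list
# static MACs begin with a VLAN id and do not match, which is what we want.
SUMMARY_ROW = re.compile(r"^\s*(\S+)\s+(dynamic|static)\s+(\d+)\b", re.I)
# MAC-table rows: CVLAN [SVLAN] MAC Type Port Port-security (SVLAN may be blank).
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+(?:(\d+)\s+)?([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(static|dynamic)\s+(\S+)\s+(Enable|Disable)\b",
    re.I,
)

# Copied from the validation output on this page.
PORT_SECURITY_PAGE = """\
Port    port-security mode  MAC limit CVLAN  SVLAN  static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1     dynamic             3
"""
MAC_TABLE_PAGE = """\
CVLAN  SVLAN  MAC Address     Type      Ports     Port-security
------+------+---------------+---------+---------+--------------
100           0000.0300.0500  dynamic   ge1       Enable
100           0000.0300.055b  dynamic   ge1       Enable
100           0000.0300.055c  dynamic   ge1       Enable
"""

# Constructed (not from the page): a static-mode port showing a dynamically
# learned entry, and a port holding more secured MACs than its limit.
PORT_SECURITY_BAD = """\
ge1     static              3         100           0000.0000.aaaa
ge2     dynamic             1
"""
MAC_TABLE_BAD = """\
100           0000.0000.aaaa  static    ge1       Enable
100           0000.0300.0500  dynamic   ge1       Enable
100           0000.0300.0600  dynamic   ge2       Enable
100           0000.0300.0601  dynamic   ge2       Enable
100           0000.0300.0602  dynamic   ge3       Disable
"""


def parse_port_security(text):
    """Map each port-security interface to its mode and MAC limit."""
    limits = {}
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if m:
            limits[m.group(1)] = {"mode": m.group(2).lower(), "limit": int(m.group(3))}
    return limits


def parse_mac_table(text):
    """Return one dict per MAC-table row; the SVLAN column may be empty."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            cvlan, svlan, mac, kind, port, psec = m.groups()
            rows.append({"cvlan": int(cvlan), "svlan": int(svlan) if svlan else None,
                         "mac": mac.lower(), "type": kind.lower(), "port": port,
                         "secured": psec.lower() == "enable"})
    return rows


def audit(summary_text, table_text):
    """Cross-check secured entries per port against the configured mode and limit."""
    limits = parse_port_security(summary_text)
    per_port = defaultdict(list)
    for row in parse_mac_table(table_text):
        if row["secured"]:                      # only port-security entries count
            per_port[row["port"]].append(row)
    report = {}
    for port, cfg in limits.items():
        rows = per_port.get(port, [])
        n_dyn = sum(1 for r in rows if r["type"] == "dynamic")
        findings = []
        if len(rows) > cfg["limit"]:
            findings.append("secured MACs exceed configured limit")
        if cfg["mode"] == "static" and n_dyn:
            findings.append("dynamic MAC learned on static-mode port")
        report[port] = {"mode": cfg["mode"], "limit": cfg["limit"],
                        "dynamic": n_dyn, "static": len(rows) - n_dyn, "findings": findings}
    return report


if __name__ == "__main__":
    for label, rep in (("page", audit(PORT_SECURITY_PAGE, MAC_TABLE_PAGE)),
                       ("constructed", audit(PORT_SECURITY_BAD, MAC_TABLE_BAD))):
        for port, r in rep.items():
            print(label, port, r)
```

Feed it the two command outputs captured from a switch and an empty findings list for every port means the validation steps on this page passed; ports with Port-security set to Disable are ignored because they are outside the feature's scope.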
Secured MAC Addresses Learned Statically
1. Stop the traffic from IXIA1 and run clear mac address-table dynamic bridge 1 on SW1.
2. Verify that all dynamic secured MAC addresses are cleared.
3. Configure 3 static secure MAC addresses on the port-security interface using the commands below.
4. Try to add a fourth static secure MAC address.
5. Verify that the operator log message “port security mac limit reached” is displayed.
(config)#interface ge1 | Enter interface mode |
(config-if)#switchport port-security mac-address 0000.0000.aaaa vlanId 100 | Add static secure MAC address for VLAN 100 in interface mode |
(config-if)#switchport port-security mac-address 0000.0000.aaab vlanId 100 | Add static secure MAC address for VLAN 100 in interface mode |
(config-if)#switchport port-security mac-address 0000.0000.aaac vlanId 100 | Add static secure MAC address for VLAN 100 in interface mode |
(config-if)#commit | Commit the candidate configuration to the running configuration. |
(config-if)#exit | Exit interface mode |
Validation
SW1#show port-security
Port    port-security mode  MAC limit CVLAN  SVLAN  static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1     dynamic             3         100           0000.0000.aaaa
                                      100           0000.0000.aaab
                                      100           0000.0000.aaac
SW1#show port-security interface ge1
Port Security Mode : Dynamic
Secure MAC limit : 3
Static Secure MAC list :
CVLAN  SVLAN  MAC Address
------+------+----------------
100           0000.0000.aaaa
100           0000.0000.aaab
100           0000.0000.aaac
SW1#show mac address-table count bridge 1
MAC Entries for all vlans:
Dynamic Address Count: 0
Static (User-defined) Unicast MAC Address Count: 3
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 3
SW1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge    CVLAN  SVLAN  BVLAN  Port        MAC Address        FWD   Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1         100                  ge1         0000.0000.aaaa     1     -
1         100                  ge1         0000.0000.aaab     1     -
1         100                  ge1         0000.0000.aaac     1     -
SW1#show mac address-table bridge 1
CVLAN  SVLAN  MAC Address     Type      Ports     Port-security
------+------+---------------+---------+---------+--------------
100           0000.0000.aaaa  static    ge1       Enable
100           0000.0000.aaab  static    ge1       Enable
100           0000.0000.aaac  static    ge1       Enable
SW1#
Remove the port-security configuration from the interface using the commands below:
(config)#interface ge1 | Enter interface mode. |
(config-if)#no switchport port-security | Remove the port-security configuration from the interface. |
(config-if)#commit | Commit the candidate configuration to the running configuration. |
(config-if)#exit | Exit interface mode. |
Static Mode
Use the commands below to set the port-security method to static and to configure static secure MAC addresses under the static method.
(config)#interface ge1 | Enter interface mode. |
(config-if)#switchport port-security static | Set the port-security method to static. |
(config-if)#switchport port-security maximum 3 | Limit static secure MACs to 3 MAC addresses. |
(config-if)#switchport port-security mac-address 0000.0000.aaaa vlanId 100 | Add a static secure MAC address for VLAN 100 in interface mode. |
(config-if)#switchport port-security mac-address 0000.0000.aaab vlanId 100 | Add a static secure MAC address for VLAN 100 in interface mode. |
(config-if)#switchport port-security mac-address 0000.0000.aaac vlanId 100 | Add a static secure MAC address for VLAN 100 in interface mode. |
(config-if)#commit | Commit the candidate configuration to the running configuration. |
(config-if)#exit | Exit interface mode. |
Verify with show running-config that the 3 static secure MAC addresses are present on interface ge1, and verify with the show commands below that the port-security method is static.
Validation
SW1#show running-config interface ge1
interface ge1
switchport
bridge-group 1
switchport mode hybrid
switchport mode hybrid acceptable-frame-type all
switchport hybrid allowed vlan all
switchport port-security static
switchport port-security maximum 3
switchport port-security mac-address 0000.0000.aaaa vlanId 100
switchport port-security mac-address 0000.0000.aaab vlanId 100
switchport port-security mac-address 0000.0000.aaac vlanId 100
SW1#show port-security
Port    port-security mode  MAC limit CVLAN  SVLAN  static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1     static              3         100           0000.0000.aaaa
                                      100           0000.0000.aaab
                                      100           0000.0000.aaac
SW1#show port-security interface ge1
Port Security Mode : Static
Secure MAC limit : 3
Static Secure MAC list :
CVLAN  SVLAN  MAC Address
------+------+----------------
100           0000.0000.aaaa
100           0000.0000.aaab
100           0000.0000.aaac
SW1#show mac address-table count bridge 1
MAC Entries for all vlans:
Dynamic Address Count: 0
Static (User-defined) Unicast MAC Address Count: 3
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 3
SW1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge    CVLAN  SVLAN  BVLAN  Port        MAC Address        FWD   Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1         100                  ge1         0000.0000.aaaa     1     -
1         100                  ge1         0000.0000.aaab     1     -
1         100                  ge1         0000.0000.aaac     1     -
SW1#show mac address-table bridge 1
CVLAN  SVLAN  MAC Address     Type      Ports     Port-security
------+------+---------------+---------+---------+--------------
100           0000.0000.aaaa  static    ge1       Enable
100           0000.0000.aaab  static    ge1       Enable
100           0000.0000.aaac  static    ge1       Enable
Configure one more static secure MAC address on interface ge1 and verify that the operator log message “port security mac limit reached” is displayed.
Start sending Layer 2 traffic from IXIA1 on VLAN 100 with 100 incrementing source MACs, and verify with the validation commands above that no dynamic secure MAC addresses are learned.