Port Security
Port security is a dynamic feature that prevents unauthorized access to a switch port. The port security feature can be used to restrict input to an interface by identifying and limiting the MAC addresses of the hosts that are allowed to access the port. When secure MAC addresses are assigned to a secure port, the switch does not forward packets with source MAC addresses outside the defined group of addresses. To understand this process, think of the analogy of a secure car park facility, where a spot is reserved and marked with a particular car registration number so that no other car is allowed to park at that spot. Similarly, a switch port is configured with the secure MAC address of a host, and no other host can connect to that port with any other MAC address.
Port security can be implemented in the following three ways:
1. Static secure MAC addresses are manually configured using the switchport port-security mac-address [source-mac-address] command and stored in the MAC address table and in the configuration.
2. Dynamic secure MAC addresses are dynamically learned and stored in the MAC address table, but removed when the switch is reloaded or powered down.
3. Sticky secure MAC addresses are the combination of items 1 and 2 in this list. They can be learned dynamically or configured statically and are stored in the MAC address table and in the configuration. When the switch reloads, the interface does not need to dynamically discover the MAC addresses if they are saved in the configuration file.
In the event of a violation, an action is required. A violation occurs when an attempt is made to access the switch port by a host address that is not found in the MAC address table, or when an address learned or specified on one secure interface is seen on another secure interface in the same VLAN.
An interface can be configured for one of the following three security violation modes, based on the action to be taken when a violation occurs:
Protect: This puts the port into the protected port mode, where all unicast or multicast packets with unknown source MAC addresses are dropped. No notification is sent out in this mode when a security violation occurs.
Restrict: Packets with unknown source addresses are dropped when the number of secure MAC addresses reaches the set limit allowed on the port. This continues until a sufficient number of secure MAC addresses is removed or the maximum number of allowed addresses is increased. Notification is sent out in this mode that a security violation has occurred: an SNMP trap is sent, a syslog message is logged, and the violation counter is incremented.
Shutdown: When a port security violation occurs, the port is placed in the error-disabled state, turning off its port LED. In this mode, an SNMP trap is sent out, a syslog message is logged, and the violation counter is incremented.
To enable the port security feature, use the switchport port-security interface configuration command. The command has several options.
Example 4-3 shows how to configure a static secure MAC address on a port and enable sticky learning.
Example 4-3. Port Security Configuration Example 1
Switch(config)# interface Fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0009.6B90.F4FE
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
Example 4-4 shows how to configure a maximum of 10 secure MAC addresses on VLAN 5 on port interface FastEthernet 0/2. The [vlan] option in this command sets a maximum value per VLAN for the specified VLAN or range of VLANs.
Example 4-4. Port Security Configuration Example 2
Switch(config)# interface Fastethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security maximum 10 vlan 5
Switch(config-if)# end
In addition to the configuration shown in Example 4-4, a port-security aging mechanism can be configured. By default the secure MAC addresses are not aged out: in a normal port security configuration, the entries remain in the MAC table until the switch is powered off, and when the sticky option is used, these MAC addresses are stored until cleared manually.
There are two types of aging mechanisms:
Absolute: The secure addresses on the port age out after a fixed specified time, and all references are flushed from the secure address list.
Inactivity: Also known as idle time, the secure addresses on the port age out if they are idle, that is, no traffic from the secure source addresses passes for the specified time period.
Example 4-5 shows how to configure the aging time to 5 minutes for the inactivity aging type. In this example, aging is also enabled for statically configured secure addresses on the port.
Example 4-5. Port Security Aging Configuration Example
Switch(config)# interface Fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security aging time 5
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging static
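The following Python model, added here as an illustration and not Cisco code, ties together the three address types, the three violation modes and the two aging types described above: it shows what a switch port in each mode does with a frame from an unknown source MAC once the maximum is reached, which entries survive a reload, and how inactivity aging frees a slot. The class name, method names and the simplified syslog text are assumptions made for the example.

```python
from dataclasses import dataclass, field
@dataclass
class SecurePort:
    """Toy model of one port-security interface (constructed, not Cisco code)."""
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # protect | restrict | shutdown
    sticky: bool = False             # learn new addresses as sticky, not dynamic
    aging_time: int = 0              # minutes; 0 means no aging (the default)
    aging_type: str = "absolute"     # absolute | inactivity
    aging_static: bool = False       # 'aging static': age static entries too
    secure: dict = field(default_factory=dict)  # mac -> static | dynamic | sticky
    seen: dict = field(default_factory=dict)    # mac -> minute learned / last seen
    err_disabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def add_static(self, mac, now=0):
        self.secure[mac], self.seen[mac] = "static", now

    def age_out(self, now):
        """Expire entries whose timer ran out; sticky entries never age here."""
        for mac, kind in list(self.secure.items()):
            ageable = kind == "dynamic" or (kind == "static" and self.aging_static)
            if self.aging_time and ageable and now - self.seen[mac] >= self.aging_time:
                del self.secure[mac], self.seen[mac]

    def ingress(self, src_mac, now=0):
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        self.age_out(now)
        if self.err_disabled:
            return False
        if src_mac in self.secure:
            if self.aging_type == "inactivity":
                self.seen[src_mac] = now          # idle timer restarts on traffic
            return True
        if len(self.secure) < self.maximum:     # room left: learn the address
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            self.seen[src_mac] = now
            return True
        if self.violation == "protect":          # drop silently, no notification
            return False
        self.violation_count += 1                # restrict and shutdown both notify
        self.syslog.append(f"security violation caused by MAC {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True             # error-disabled: port stays down
        return False

    def reload(self):                            # dynamic entries are lost on reload
        self.secure = {m: k for m, k in self.secure.items() if k != "dynamic"}
        self.seen = {m: t for m, t in self.seen.items() if m in self.secure}
```

Times are plain minute counters passed by the caller, so the aging behaviour can be stepped through deterministically.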