Port Security

Port security limits the number of MAC addresses allowed per port and can
also limit which MAC addresses are allowed. Allowed MAC addresses can
be configured manually, or the switch can sticky-learn them. Table 8-1 lists
port security commands; these are entered in interface configuration mode.
Table 8-1 Port Security Commands

Command                                               Description
switchport port-security                              Enables port security on that interface.
switchport port-security maximum value                Specifies the maximum number of MAC addresses
                                                      allowed on this port. Default is 1.
switchport port-security violation                    Configures the action to be taken when the
  {shutdown | restrict | protect}                     maximum number is reached and a MAC address not
                                                      associated with the port attempts to use the
                                                      port, or when a station whose MAC address is
                                                      associated with a different port attempts to
                                                      access this port. Default is shutdown.
switchport port-security mac-address mac-address      Statically associates a specific MAC address
                                                      with a port.
switchport port-security mac-address sticky           Enables the switch port to dynamically learn
                                                      secure MAC addresses. MAC addresses learned
                                                      through that port, up to the maximum number,
                                                      if a maximum is configured, are treated as
                                                      secure MAC addresses.
show port-security [interface interface | address]    Verifies port security actions.
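The table gives the commands but not how the three violation modes differ once a port actually sees unexpected traffic. The following is an added example, not code from the page or from Cisco: a small Python model of a port-security port that applies the rules above (a maximum, statically configured and sticky-learned secure addresses, and the shutdown / restrict / protect actions) to a constructed sequence of ingress frames. Port names, MAC addresses and the `run_scenario` helper are all made up for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' applied.

    maximum   -> switchport port-security maximum <value>   (default 1)
    violation -> switchport port-security violation {shutdown|restrict|protect}
    sticky    -> switchport port-security mac-address sticky
    """
    name: str
    maximum: int = 1
    violation: str = "shutdown"
    sticky: bool = False
    secure_macs: set = field(default_factory=set)  # static + learned, counted against maximum
    err_disabled: bool = False
    violations: int = 0

    def __post_init__(self):
        if self.violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def add_static(self, mac: str) -> None:
        """'switchport port-security mac-address <mac>': statically secure one address."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: maximum secure addresses already configured")
        self.secure_macs.add(mac.lower())


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def _secured_elsewhere(self, mac: str, port: SecurePort):
        """Name of another port on which this MAC is already a secure address, if any."""
        for other in self.ports.values():
            if other is not port and mac in other.secure_macs:
                return other.name
        return None

    def receive(self, port_name: str, src_mac: str) -> str:
        """Process one ingress frame and report what the switch did with it."""
        port = self.ports[port_name]
        mac = src_mac.lower()
        if port.err_disabled:
            return "dropped: port err-disabled"
        if mac in port.secure_macs:
            return "forwarded"
        other = self._secured_elsewhere(mac, port)
        # Two violation triggers: the port is full, or the station is secured on another port.
        if other is not None or len(port.secure_macs) >= port.maximum:
            return self._violate(port, other)
        # Below the maximum and unknown elsewhere: learn it. With sticky the address is
        # retained as a secure address (a real switch writes it to the running-config).
        port.secure_macs.add(mac)
        return "forwarded: learned" + (" (sticky)" if port.sticky else "")

    @staticmethod
    def _violate(port: SecurePort, other) -> str:
        reason = f"secured on {other}" if other else "maximum reached"
        if port.violation == "protect":
            # protect: drop silently, no counter, no notification
            return f"dropped ({reason}): protect"
        port.violations += 1
        if port.violation == "restrict":
            # restrict: drop, increment the violation counter, send SNMP trap / syslog
            return f"dropped ({reason}): restrict, violation #{port.violations}"
        # shutdown (the default): count it and put the whole port into err-disabled
        port.err_disabled = True
        return f"dropped ({reason}): shutdown, port err-disabled"


def run_scenario():
    """Constructed sample traffic against two differently configured ports."""
    sw = Switch()
    sw.add_port(SecurePort("Fa0/1", maximum=2, violation="restrict", sticky=True))
    sw.add_port(SecurePort("Fa0/2", maximum=1, violation="shutdown"))
    sw.ports["Fa0/2"].add_static("00aa.bbcc.dd02")  # constructed MAC
    frames = [  # (ingress port, source MAC) - all constructed
        ("Fa0/1", "00aa.bbcc.dd11"),
        ("Fa0/1", "00aa.bbcc.dd12"),
        ("Fa0/1", "00aa.bbcc.dd13"),  # third MAC on a max-2 port
        ("Fa0/2", "00aa.bbcc.dd02"),
        ("Fa0/2", "00aa.bbcc.dd11"),  # station already secured on Fa0/1
        ("Fa0/2", "00aa.bbcc.dd02"),  # legitimate host, but the port is now down
    ]
    return [sw.receive(p, m) for p, m in frames], sw


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

The scenario makes the operational difference visible: the restrict port keeps forwarding for its two learned hosts and only counts the third, while the shutdown port takes the entire link down, so the legitimate static host behind Fa0/2 also loses connectivity until the port is recovered.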
Port-Based Authentication
802.1x authentication requires a computer (called a client) to be authenticated
before it is allowed access to the LAN. This can be combined with port
security to allow only authenticated clients with specified MAC addresses to
access a port. When a computer connects to a switch port configured for
802.1x authentication, the following steps occur:
Step 1. The port is in the unauthorized state, allowing only 802.1x EAP over LAN (EAPOL) traffic.
Step 2. The client connects to the port. The switch either requests authentication or the client sends an EAPOL frame to begin authentication.
Step 3. The switch relays authentication information between the client and a RADIUS server that acts in proxy for the client.
Step 4. If authentication succeeds, the port transitions to the authorized state, and normal LAN traffic is allowed through it.
Table 8-2 shows commands to configure 802.1x authentication on a switch.
Table 8-2 Configuring 802.1x Port Authentication

Command                                                 Description
(config)#aaa new-model                                  Enables AAA on the switch.
(config)#aaa authentication dot1x default group radius  Creates a AAA method list that says to use
                                                        802.1x authentication by default, using a
                                                        RADIUS server (configured separately).
(config)#dot1x system-auth-control                      Globally enables 802.1x authentication on
                                                        the switch.
(config-if)#dot1x port-control auto                     Enables 802.1x authentication on an
                                                        interface of the switch.
show dot1x                                              Verifies 802.1x authentication.