Information About Port Security
Port security allows you to configure Layer 2 interfaces that permit inbound traffic from a restricted, secured set of MAC addresses. Traffic from secured MAC addresses is not allowed on another interface within the same VLAN. The number of MAC addresses that can be secured is configured per interface.
Secure MAC Address Learning
- The process of securing a MAC address is called learning.
- The number of addresses that can be learned is restricted.
- Address learning can be accomplished on any interface where port security is enabled.
Static Method
- The static learning method allows you to manually add or remove secure MAC addresses in the running configuration of an interface. If you copy the running configuration to the startup configuration, static secure MAC addresses persist across a device restart.
- A static secure MAC address entry remains in the configuration of an interface until you explicitly remove the address from the configuration.
- Adding secure addresses by the static method is not affected by whether dynamic or sticky address learning is enabled.
- The burned-in MAC address is secured as a static MAC address starting from Release 5.2(1)SV3(1.1). In previous releases, the burned-in MAC address was secured as a dynamic MAC address.
Dynamic Method
By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic.
The device stores dynamic secure MAC addresses in memory. A dynamic secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
- The VSM and VEM restart.
- The interface restarts.
- The address reaches the age limit that you configured for the interface.
- You explicitly remove the address.
Sticky Method
- If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning. These addresses can be made persistent through a reboot by using the copy run start command to copy the running configuration to the startup configuration.
- Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, dynamic learning is stopped and sticky learning is used instead. If you disable sticky learning, dynamic learning is resumed.
- Sticky secure MAC addresses are not aged.
- A sticky secure MAC address entry remains in the configuration of an interface until you explicitly remove the address.
Dynamic Address Aging
MAC addresses that are learned by the dynamic method are aged and dropped when reaching the age limit. You can configure the age limit on each interface. The range is from 0 to 1440 minutes, where 0 disables aging.
There are two methods of determining the address age:
- Inactivity—The length of time since the device last received a packet from the address on the applicable interface.
- Absolute—The length of time since the device learned the address. This is the default aging method; however, the default aging time is 0 minutes, which disables aging.
Secure MAC Address Maximums
The secure MAC addresses on a secure port are inserted in the same MAC address table as other regular MAC addresses. If a MAC table has reached its limit, it does not learn any new secure MAC addresses for that VLAN.
The following figure shows that each VLAN in a VEM has a forwarding table that can store a maximum number of secure MAC addresses.
Interface Secure MAC Addresses
By default, an interface can have only one secure MAC address. You can configure the maximum number of MAC addresses permitted per interface or per VLAN on an interface. Maximums apply to secure MAC addresses learned by any method: dynamic, sticky, or static.
The following limits determine how many secure MAC addresses are permitted on an interface:
- Device maximum—If learning a new address would violate the device maximum, the device does not permit the new address to be learned, even if the interface or VLAN maximum has not been reached.
- Interface maximum—You can configure a maximum number of secure MAC addresses for each interface protected by port security. The default interface maximum is one address for both access and trunk vethernet ports. Interface maximums cannot exceed the device maximum.
- VLAN maximum—You can configure the maximum number of secure MAC addresses per VLAN for each interface protected by port security. A VLAN maximum cannot exceed the interface maximum. VLAN maximums are useful only for trunk ports. There are no default VLAN maximums.
The maximum number of secure MAC addresses per port is limited to ten. When configuring ports in trunk mode, be sure not to exceed the maximum MAC address limit.
You can configure VLAN and interface maximums per interface as needed; however, if the new limit is lower than the number of secure addresses currently present, you must reduce the number of secure MAC addresses first.
Security Violations and Actions
Port security triggers a security violation when the following occurs:
Note: Beginning with Release 5.2(1)SV3(1.1), MAC move detection and violation is local to a VEM.
- Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses.
When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
- VLAN 1 has a maximum of five addresses.
- The interface has a maximum of ten addresses.
A violation is detected when either of the following occurs:
- Five addresses are learned for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.
- Ten addresses are learned on the interface and inbound traffic from an 11th address arrives at the interface.
When a violation occurs, the device applies the action configured for the interface, which is one of the following:
- Shutdown—Shuts down the interface that received the packet triggering the violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.
You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shutdown interface configuration commands.
switch(config)# errdisable recovery cause psecure-violation
switch(config)# copy running-config startup-config
- Protect—Prevents violations from occurring. Address learning continues until the maximum number of MAC addresses on the interface is reached, after which the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses.
- Restrict—Prevents violations from occurring. Address learning continues until the maximum number of MAC addresses on the interface is reached, after which the device disables learning on the interface, drops all ingress traffic from nonsecure MAC addresses, and increments the security violation counter.
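The following is an added example, not Cisco code: a small model of the rules above (interface and VLAN maximums, dynamic learning, and the shutdown, protect and restrict actions) that replays the page's trunk example of a VLAN 1 maximum of five and an interface maximum of ten. MAC addresses and VLAN numbers are constructed; a VLAN with no configured maximum simply falls back to the interface maximum.

```python
# Added example (not Cisco code): models the port-security rules described
# above. Constructed MACs/VLANs; "max_vlan" is empty unless configured.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    max_if: int = 1                                # default interface maximum: one address
    max_vlan: dict = field(default_factory=dict)   # per-VLAN maximums (trunk ports only)
    action: str = "shutdown"                       # shutdown (default) | protect | restrict
    secure: set = field(default_factory=set)       # learned (mac, vlan) pairs
    errdisabled: bool = False
    violations: int = 0                            # security violation counter

    def ingress(self, mac: str, vlan: int) -> str:
        """Handle one inbound frame; returns 'forward', 'drop' or 'errdisable'."""
        if self.errdisabled:
            return "drop"                          # error-disabled: nothing passes
        if (mac, vlan) in self.secure:
            return "forward"                       # already a secure address
        in_vlan = sum(1 for _, v in self.secure if v == vlan)
        at_if_max = len(self.secure) >= self.max_if
        at_vlan_max = in_vlan >= self.max_vlan.get(vlan, self.max_if)
        if not (at_if_max or at_vlan_max):
            self.secure.add((mac, vlan))           # dynamic learning: secure and allow
            return "forward"
        # Nonsecure address while either maximum is already reached: a violation.
        if self.action == "shutdown":
            self.errdisabled = True                # interface goes error-disabled
            self.violations += 1
            return "errdisable"
        if self.action == "restrict":
            self.violations += 1                   # restrict counts the event; protect does not
        return "drop"


def demo_trunk_example() -> tuple:
    """The page's example: VLAN 1 maximum 5, interface maximum 10, action restrict."""
    port = SecurePort(max_if=10, max_vlan={1: 5}, action="restrict")
    for i in range(5):
        port.ingress(f"00:00:00:00:01:{i:02x}", 1)
    sixth = port.ingress("00:00:00:00:01:ff", 1)      # 6th address in VLAN 1 -> violation
    for i in range(5):
        port.ingress(f"00:00:00:00:02:{i:02x}", 2)    # 5 on VLAN 2 -> 10 on the interface
    eleventh = port.ingress("00:00:00:00:02:ff", 2)   # 11th on the interface -> violation
    return sixth, eleventh, port.violations
```

Both nonsecure frames are dropped and counted under restrict; with the default shutdown action the first of them would have error-disabled the interface instead.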
Port Security and Port Types
You can configure port security only on Layer 2 interfaces. Details about port security and different types of interfaces or ports are as follows:
- Access ports—You can configure port security on interfaces that you have configured as Layer 2 access ports. On an access port, port security applies only to the access VLAN.
- Trunk ports—You can configure port security on interfaces that you have configured as Layer 2 trunk veth ports. VLAN maximums are not useful for access ports. The device allows VLAN maximums only for VLANs associated with the trunk port.
- SPAN ports—You can configure port security on SPAN source ports but not on SPAN destination ports.
- Ethernet ports—Port security is not supported on Ethernet ports.
- Ethernet port channels—Port security is not supported on Ethernet port channels.
Result of Changing an Access Port to a Trunk Port
When you change a Layer 2 interface from an access port to a trunk port, the device drops all secure addresses learned by the dynamic method. The device moves the addresses learned by the static or sticky method to the native trunk VLAN.
Result of Changing a Trunk Port to an Access Port
When you change a Layer 2 interface from a trunk port to an access port, the device drops all secure addresses learned by the dynamic method. It also moves all addresses learned by the sticky method on the native trunk VLAN to the access VLAN. The device drops secure addresses learned by the sticky method if they are not on the native trunk VLAN.
Beginning with Release 5.2(1)SV3(1.1), the maximum number of secure MAC addresses per port is limited to 10. When configuring ports in trunk mode, be sure not to exceed the maximum MAC address limit. If you configure an interface in trunk mode that exceeds the MAC address limit and you attempt to change the mode to access, the interface might be left with stale secure MAC address entries.