Switchport Security Concepts
When configuring the security for a network, it is important to take advantage of the security features of all deployed devices. One of the security features available with Cisco switches (among other vendors) is switchport security. While the name of this feature is a bit vague, it makes it possible to limit the number and type of devices that are allowed on the individual switchports. This article takes a look at the concepts behind the switchport security feature.
Before getting into the mechanics of how switchport security operates, it is important to review what happens when a violation occurs. On Cisco equipment there are three main violation modes: shutdown, protect, and restrict. These are described in more detail below:
- Shutdown – When a violation occurs in this mode, the switchport is taken out of service and placed in the err-disabled state. The switchport remains in this state until it is manually brought out of err-disabled; this is the default switchport security violation mode.
- Protect – When a violation occurs in this mode, the switchport continues to forward traffic from known MAC addresses while dropping traffic from unknown MAC addresses. In this mode, no notification message is sent when the violation occurs.
- Restrict – When a violation occurs in this mode, the switchport continues to forward traffic from known MAC addresses while dropping traffic from unknown MAC addresses. However, unlike the protect mode, a message is also sent indicating that a violation has occurred.
Switchport Security MAC Addresses
When using the switchport security feature, secure source MAC addresses are separated into three categories:
- Static – Static secure MAC addresses are statically configured on each switchport and stored in the address table. The configuration for a static secure MAC address is stored in the running configuration by default and can be made permanent by saving the running configuration to the startup configuration.
- Dynamic – Dynamic secure MAC addresses are learned from the device (or devices) connected to the switchport. These addresses are stored in the address table only and are lost when the switchport state goes down or when the switch reboots.
- Sticky – Sticky secure MAC addresses are a hybrid. They are learned dynamically from the devices connected to the switchport, are put into the address table, and are also entered into the running configuration as a static secure MAC address (sometimes referred to as a static sticky MAC address). Like a static secure MAC address, these MAC addresses are lost on reboot unless saved to the startup configuration.
The type of secure MAC addresses that an organization uses depends on the specific network environment.
What causes a Switchport Violation?
The next question to ask is what causes a switchport violation. There are two situations that can cause one:
- When the maximum number of secure MAC addresses has already been added to a switchport's address table and traffic from another MAC address is received on that switchport.
- When a MAC address seen on a secure switchport has already been seen on another secure switchport in the same VLAN.
By default, each secure switchport is configured with a maximum of one MAC address. What this means is that if more than one MAC address is seen on any given port a violation will occur. By default, dynamic MAC entries in the address table will never time out (dynamic is the default method used for learning secure MAC addresses) as long as the switchport state remains up.
When using dynamic MAC addresses, engineers must physically disconnect the cable or shut down the switchport to reset the dynamic entries in the address table. When using sticky MAC addresses, either the MAC addresses must be manually removed from the running configuration or the switch must be rebooted to remove the entries from the address table. If the switchport is configured with a static secure MAC address, that address must be manually removed from the running configuration to remove it from the address table. Only after the initial address has been removed from the address table can a device with a new MAC address be connected to the switchport (by default, since the maximum number of MAC addresses allowed per switchport is 1).
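To make the three violation modes, the three secure-MAC categories and the two violation triggers above concrete, here is a small Python model of a switch enforcing port security. It is an added example written for this article, not Cisco code, and it simplifies the real feature: port names, MAC addresses and the log strings are constructed, and the way a reload is modelled (tables rebuilt only from what was saved to the startup configuration, ports coming back up) is an assumption made for the illustration.

```python
"""Toy model of switchport (port) security: violation modes, secure-MAC types,
violation triggers, and what survives a link flap or a reload. Constructed
example for illustration only; not Cisco code."""
from dataclasses import dataclass, field

SHUTDOWN, PROTECT, RESTRICT = "shutdown", "protect", "restrict"
STATIC, DYNAMIC, STICKY = "static", "dynamic", "sticky"


@dataclass
class SecurePort:
    name: str
    vlan: int = 1
    maximum: int = 1            # default: one secure MAC per switchport
    violation: str = SHUTDOWN   # default violation mode
    sticky: bool = False        # learn addresses as sticky instead of dynamic
    address_table: dict = field(default_factory=dict)   # mac -> secure-MAC type
    running_config: dict = field(default_factory=dict)  # static/sticky entries only
    err_disabled: bool = False
    link_up: bool = True

    def add_static(self, mac):
        """Statically configured secure MAC: in the table and in the running-config."""
        self.address_table[mac] = STATIC
        self.running_config[mac] = STATIC

    def link_down(self):
        """Cable pulled or port shut down: dynamic entries are lost, static/sticky stay."""
        self.link_up = False
        self.address_table = {m: t for m, t in self.address_table.items() if t != DYNAMIC}

    def no_shutdown(self):
        """Re-enable the port; this is also how it leaves the err-disabled state."""
        self.link_up = True
        self.err_disabled = False

    def remove_from_config(self, mac):
        """Removing a static or sticky entry from the running-config clears it from the table."""
        self.running_config.pop(mac, None)
        self.address_table.pop(mac, None)


@dataclass
class Switch:
    ports: dict = field(default_factory=dict)
    syslog: list = field(default_factory=list)   # stands in for violation notifications

    def add_port(self, port):
        self.ports[port.name] = port
        return port

    def _secured_elsewhere(self, port, mac):
        """Second trigger: the MAC is already secure on another port in the same VLAN."""
        return any(o is not port and o.vlan == port.vlan and mac in o.address_table
                   for o in self.ports.values())

    def receive(self, port_name, mac):
        """Return 'forward' or 'drop' for a frame with source MAC `mac` on the port."""
        port = self.ports[port_name]
        if port.err_disabled or not port.link_up:
            return "drop"
        if mac in port.address_table:
            return "forward"
        # Unknown source: first trigger (table already at maximum) or second trigger.
        if len(port.address_table) >= port.maximum or self._secured_elsewhere(port, mac):
            return self._violation(port, mac)
        # Room left: learn it as dynamic, or as sticky (which also lands in running-config).
        port.address_table[mac] = STICKY if port.sticky else DYNAMIC
        if port.sticky:
            port.running_config[mac] = STICKY
        return "forward"

    def _violation(self, port, mac):
        if port.violation == SHUTDOWN:
            port.err_disabled = True   # whole port out of service until re-enabled
            self.syslog.append(f"{port.name} err-disabled after violation by {mac}")
        elif port.violation == RESTRICT:
            self.syslog.append(f"{port.name} dropped frame from {mac} (restrict)")
        # PROTECT: drop the unknown source silently; known sources keep working
        return "drop"

    def reload(self, saved_to_startup):
        """Reboot (assumed model): tables are rebuilt only from what was saved."""
        for port in self.ports.values():
            if not saved_to_startup:
                port.running_config = {}
            port.address_table = dict(port.running_config)
            port.err_disabled = False
            port.link_up = True
```

Walking a few frames through `Switch.receive` shows the difference between the modes: a default port (maximum 1, shutdown) goes err-disabled on the second source MAC and then drops everything, including the known address; a restrict port keeps forwarding the known addresses, drops the extra one and records a message; a protect port does the same but records nothing. The same model also shows the second trigger (an address already secure on another port in the same VLAN is refused) and why the cleanup steps in the article differ by address type: `link_down` wipes only dynamic entries, while sticky entries survive a link flap and, if saved, a reload.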
There are certainly a number of different concepts to learn to make the port security feature work well in an organizational environment; if configured badly it can quickly become more of a hindrance than a help. The purpose of this article is to cover the basic concepts behind the switchport security feature as preparation for switchport security configuration. Hopefully, this article can be used as a starting point when learning about the switchport security feature and provides enough detail so that the configuration is easier to understand.