Managing Cisco Port Security

I want to preface this by stating that although Port Security may still have a place, it’s a legacy approach, largely superseded by standards-based port authentication such as 802.1X with a RADIUS server. I’d look at Cisco ISE as a more enterprise-grade way of managing who and what can connect to the network. Nonetheless, for anyone specifically interested in Port Security, read on!

At its core, Port Security is a Layer 2 feature on Cisco switches that controls which devices may use a specific physical access port, based on the source MAC addresses seen on that port. When a frame arrives from a MAC that is not on the port’s allowed list, or the port has already learned its maximum number of MACs, the switch takes the configured violation action, which can be as severe as disabling the port. It is meant to keep rogue devices from getting onto the network at all. Keep in mind that a MAC address is trivial to spoof, so Port Security deters casual or accidental rogue devices rather than a determined attacker who already knows an allowed MAC. Some reasons to consider using it are:

  1. Stops users from bringing in unauthorized home routers, wireless access points, or other network devices.
  2. Bad actors can use tools to flood a switch with thousands of bogus source MAC addresses, filling the switch’s MAC table so it falls back to flooding unicast traffic out every port, where it can be sniffed. A per-port maximum makes this attack fail on that port.
  3. Ensures that critical wall jacks (like those in a reception area or conference room) can only be used by designated company hardware.

Port Security relies on three main concepts:

  1. Defining which MAC addresses are allowed to use the port. A switch can populate this list in three ways.
    • Statically – the allowed MAC addresses are typed into the port’s configuration by an admin.
    • Dynamically – the port learns the MAC of whatever is plugged in first and only allows that device; the learned entries live only in the MAC table and are lost at reboot.
    • Sticky – the port learns the MAC dynamically and writes it into the running-config, so it survives a reboot if the config is written to startup-config.
  2. Defining the maximum number of MAC addresses allowed on a given port (the default is 1).
  3. Violation modes, which determine what happens when a frame arrives from a MAC that is not on the “allowed to connect” list. The modes are:
    • Protect – frames from unauthorized MACs are silently dropped while approved devices keep working. Nothing is logged and no counter is incremented, so you will not know it happened.
    • Restrict – drops the unauthorized traffic, logs the violation (syslog and SNMP trap) and increments the security violation counter. Approved devices keep working.
    • Shutdown – the default. A violation puts the port into the err-disabled state, which takes every device on that port offline, approved or not. The link stays down until an admin does a shutdown / no shutdown on the interface, or until errdisable recovery re-enables it if that has been configured.

A typical example is a user (Jack) who has one data port in his office. The upstream Cisco switch port has Port Security enabled with a maximum of 2 MAC addresses and the default Shutdown violation mode. Connected to that wall port is an IP phone (unique MAC 1) and daisy-chained to it is a desktop computer (unique MAC 2). At this point all is good and everything is working normally for Jack. Later on, Jack finds a spare 5-port unmanaged switch in an unused office and connects it to his wall jack to get more ports for a printer and a laptop. The unmanaged switch itself sends no frames of its own, so nothing happens until the next device, the printer (unique MAC 3), sends its first frame. Port Security sees a third MAC on a port with a limit of 2, records a violation, and the upstream port goes err-disabled. Now Jack has nothing: not the printer, and not the phone or desktop either.
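To make the three concepts above concrete, here is a small Python model of a port-security port (an added illustration written for this page, not Cisco code or anything from the original article). It implements the decision logic described above: how a MAC gets onto the allowed list (static, dynamic or sticky), the per-port maximum, and what each violation mode does when the port is full and an unknown MAC appears. The syslog text it records mirrors the %PORT_SECURITY-2-PSECURE_VIOLATION message format as I know it from Catalyst IOS; the MAC addresses and interface names are made up for the example, and real IOS has extra behaviour (aging, voice-VLAN counting, errdisable recovery) that is not modelled.

```python
"""Toy model of Cisco port-security decision logic (added example, not Cisco code)."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # IOS default is one secure MAC per port
    violation: str = SHUTDOWN        # IOS default violation mode
    sticky: bool = False
    static_macs: set = field(default_factory=set)   # entered by an admin
    learned: dict = field(default_factory=dict)     # mac -> SecureDynamic | SecureSticky
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def secure_macs(self):
        return self.static_macs | set(self.learned)

    def running_config(self):
        """Lines as they would appear in running-config. Dynamic entries never appear;
        sticky entries do, which is why they survive a reboot once saved."""
        lines = [f"interface {self.name}", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac in sorted(self.static_macs):
            lines.append(f" switchport port-security mac-address {mac}")
        for mac, kind in sorted(self.learned.items()):
            if kind == "SecureSticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines

    def reboot(self):
        """Dynamic entries are lost; sticky entries survive (assumes config was saved)."""
        self.learned = {m: k for m, k in self.learned.items() if k == "SecureSticky"}
        self.err_disabled = False    # err-disabled is not a saved state

    def frame_from(self, mac):
        """Process one frame sourced from `mac`; return 'forwarded' or 'dropped'."""
        mac = mac.lower()
        if self.err_disabled:
            return "dropped"         # link is down, nothing passes, approved or not
        if mac in self.secure_macs():
            return "forwarded"
        if len(self.secure_macs()) < self.maximum:
            self.learned[mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forwarded"
        # Port is full and this MAC is unknown: a violation. Mode decides what happens.
        if self.violation == PROTECT:
            return "dropped"         # silent: no counter, no syslog
        self.violation_count += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {mac} on port {self.name}.")
        if self.violation == SHUTDOWN:
            self.err_disabled = True  # port goes err-disabled; admin shut / no shut needed
        return "dropped"


def jack_scenario():
    """Jack's office: max 2, sticky, shutdown. Phone, then PC, then a printer behind a hub.
    The fourth frame is the phone again, now cut off because the port is err-disabled."""
    port = SecurePort("GigabitEthernet1/0/12", maximum=2, violation=SHUTDOWN, sticky=True)
    results = [port.frame_from(m) for m in
               ("0011.2233.0001", "0011.2233.0002", "0011.2233.0003", "0011.2233.0001")]
    return results, port


if __name__ == "__main__":
    results, port = jack_scenario()
    print(results, port.err_disabled, port.log)
```

Swap the violation mode to RESTRICT and the third device is simply dropped while the phone and desktop keep working; swap it to PROTECT and the same happens with no log line and no counter, which is exactly why protect mode is hard to troubleshoot.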

Now, if you’re curious what it’s like to manage this specific configuration (Sticky MAC, Limit=2, Violation Mode=Shutdown) in offices where people and equipment move constantly: it’s brutal, so be warned. Every move of a phone or PC leaves a stale sticky entry on the old port and a violation on the new one. Decisions have consequences.

Managing Port Security Violations (scenario is Sticky MAC, Limit=2, Violation Mode=Shutdown)

First, find the active Port Security violation by reviewing the log. Using the scenario above, this is the port in Jack’s office where he plugged in the 5 port switch. Note the port number and the MAC address named in the %PORT_SECURITY-2-PSECURE_VIOLATION message; that MAC is the one that caused the violation.

show log

Next, find out whether that MAC was previously secured on another port. That is the abandoned port, and its stale entry is what will cause trouble later. Note that the include filter is case sensitive and Cisco’s secure MAC table stores addresses in lowercase dotted-hex (for example 001a.2b3c.4d5e), so search in that format.

show port-security address | include [MAC address]

Now, clear the stale entry on the abandoned port first so it won’t become an issue later: as long as the MAC is still bound to the abandoned port, it will not be accepted on Jack’s port. Shut the abandoned port so it can’t re-learn anything while we work, clear its secure addresses, then bring it back up. Note that clear is an exec-mode command, so leave configuration mode with end before running it.

conf t
interface [abandoned_interface_name]
shutdown
end

clear port-security all interface [abandoned_interface_name]

conf t
interface [abandoned_interface_name]
no shutdown
end

Finally, clear the violation on the active port. This port is in the err-disabled state, so the shutdown / no shutdown pair is what actually brings the link back; clearing the secure addresses in between removes whatever was learned before the violation so the port starts fresh. If you’d rather not do this by hand every time, IOS can re-enable err-disabled ports automatically after a timer (errdisable recovery for the psecure-violation cause), but the stale sticky entry on the abandoned port still has to be cleared or the violation will simply repeat.

conf t
interface [active_interface_name]
shutdown
end

clear port-security all interface [active_interface_name]

conf t
interface [active_interface_name]
no shutdown
end
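The triage workflow above, from finding the violation in the log to clearing the abandoned port and then the active port, as a small Python script. This is an added example written for this page, not code from the original article. The regex follows the %PORT_SECURITY-2-PSECURE_VIOLATION syslog line and the column layout of show port-security address as I know them from Catalyst IOS; the sample log and table are constructed, and the interface names and MAC addresses in them are invented. Check the patterns against your own switch’s output before trusting the script with real interfaces.

```python
"""Port-security violation triage from syslog + secure address table (added example)."""
import re

# Matches the IOS violation message; the trailing period is optional.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>\S+?)\.?$"
)

# Constructed sample of `show log` output (timestamps and names are invented).
SAMPLE_LOG = """\
*Mar  3 09:12:01.117: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
*Mar  3 09:12:05.303: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001a.2b3c.4d5e on port GigabitEthernet1/0/12.
*Mar  3 09:12:05.309: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
"""

# Constructed sample of `show port-security address`; the violating MAC still lives on Gi1/0/5.
SAMPLE_ADDRESS_TABLE = """\
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0011.2233.0001    SecureSticky                  Gi1/0/12       -
  10    0011.2233.0002    SecureSticky                  Gi1/0/12       -
  10    001a.2b3c.4d5e    SecureSticky                  Gi1/0/5        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
"""


def to_cisco_mac(mac):
    """Normalise 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001A2B3C4D5E to 001a.2b3c.4d5e.
    The `include` filter is case sensitive and the table is lowercase, so this matters."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def find_violations(log_text):
    """Return [(mac, port)] for every PSECURE_VIOLATION line in the log."""
    found = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            found.append((m.group("mac"), m.group("port")))
    return found


def secure_address_ports(table_text, mac):
    """Ports on which `mac` is already a secure address: the abandoned port(s).
    Data rows are 'vlan mac type port age'; header and footer rows never match."""
    mac = to_cisco_mac(mac)
    ports = []
    for line in table_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[1] == mac and cols[2].startswith("Secure"):
            ports.append(cols[3])
    return ports


def recovery_commands(intf):
    """The shut / clear / no shut sequence from the article for one interface.
    `clear` is an exec command, so we leave config mode with `end` first."""
    return [
        "configure terminal", f"interface {intf}", "shutdown", "end",
        f"clear port-security all interface {intf}",
        "configure terminal", f"interface {intf}", "no shutdown", "end",
    ]


def triage(log_text, table_text):
    """Full workflow: for each violation, clean the abandoned port(s) first, then the active port."""
    plan = []
    for mac, port in find_violations(log_text):
        for old_port in secure_address_ports(table_text, mac):
            plan += recovery_commands(old_port)
        plan += recovery_commands(port)
    return plan


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG, SAMPLE_ADDRESS_TABLE)))
```

The script only prints the command plan; pasting it into the switch is deliberately left to a human, since a wrong interface name here takes someone offline.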

So we’re back to square one, but Jack still needs that additional laptop and printer. To review, 2 additional MAC addresses are needed, for a total of 4 unique MAC addresses on the upstream switch port. Below is the configuration of a switch port that meets the requirement; note that the port must be in access mode before Port Security can be enabled on it.

interface GigabitEthernet1/0/12
 description Jack-Office Port with Port Security Enabled
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation shutdown
 switchport port-security mac-address sticky