6.1 Configure, verify, and troubleshoot port security

Let’s begin with the following topology (download lab here)

[Topology diagram: Screenshot_2018-12-07_06-55-03]

I have configured this topology with R1 acting as a router-on-a-stick (ROAS) and as the DHCP server, with a DHCP pool configured for each VLAN.

Router#show ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/	 	    Lease expiration        Type
		    Hardware address/
		    User name
10.10.254.2         0100.5079.6668.01       Jan 07 2019 06:50 AM    Automatic
10.200.100.2        0100.5079.6668.02       Jan 07 2019 06:50 AM    Automatic
10.200.100.3        0100.5079.6668.04       Jan 07 2019 06:51 AM    Automatic
10.200.101.2        0100.5079.6668.00       Jan 07 2019 06:49 AM    Automatic
10.200.102.2        0100.5079.6668.03       Jan 07 2019 06:50 AM    Automatic
10.200.102.3        0100.5079.6668.05       Jan 07 2019 06:50 AM    Automatic
10.200.102.4        0100.5079.6668.07       Jan 07 2019 06:50 AM    Automatic
10.200.102.5        0100.5079.6668.06       Jan 07 2019 06:50 AM    Automatic
Router#

Connectivity has been verified:

PC-1> ping 10.200.100.2
10.200.100.2 icmp_seq=1 timeout
10.200.100.2 icmp_seq=2 timeout
84 bytes from 10.200.100.2 icmp_seq=3 ttl=63 time=13.333 ms
84 bytes from 10.200.100.2 icmp_seq=4 ttl=63 time=14.403 ms
84 bytes from 10.200.100.2 icmp_seq=5 ttl=63 time=13.416 ms

PC-1> ping 10.200.102.2
10.200.102.2 icmp_seq=1 timeout
10.200.102.2 icmp_seq=2 timeout
84 bytes from 10.200.102.2 icmp_seq=3 ttl=63 time=13.100 ms
84 bytes from 10.200.102.2 icmp_seq=4 ttl=63 time=12.385 ms
84 bytes from 10.200.102.2 icmp_seq=5 ttl=63 time=12.282 ms

PC-1> ping 10.200.101.2
10.200.101.2 icmp_seq=1 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=2 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=3 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=4 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=5 ttl=64 time=0.001 ms

PC-1> ping 10.10.254.2 
10.10.254.2 icmp_seq=1 timeout
10.10.254.2 icmp_seq=2 timeout
84 bytes from 10.10.254.2 icmp_seq=3 ttl=63 time=15.034 ms
84 bytes from 10.10.254.2 icmp_seq=4 ttl=63 time=12.031 ms
84 bytes from 10.10.254.2 icmp_seq=5 ttl=63 time=13.712 ms

PC-1>

The switch shows that each computer’s MAC address has been learned in the MAC address table (note the multiple addresses per switchport, and that the router’s MAC ca01.4ce4.0008 appears in every VLAN on the trunk port Et1/3):

Switch#show mac address-table dynamic 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    ca01.4ce4.0008    DYNAMIC     Et1/3
  33    0050.7966.6800    DYNAMIC     Et0/0
  33    ca01.4ce4.0008    DYNAMIC     Et1/3
  31    0050.7966.6801    DYNAMIC     Et0/1
  31    ca01.4ce4.0008    DYNAMIC     Et1/3
  30    0050.7966.6802    DYNAMIC     Et1/1
  30    0050.7966.6804    DYNAMIC     Et1/1
  30    ca01.4ce4.0008    DYNAMIC     Et1/3
  20    0050.7966.6803    DYNAMIC     Et1/0
  20    0050.7966.6805    DYNAMIC     Et1/0
  20    0050.7966.6806    DYNAMIC     Et1/0
  20    0050.7966.6807    DYNAMIC     Et1/0
  20    ca01.4ce4.0008    DYNAMIC     Et1/3
Total Mac Addresses for this criterion: 13
Switch#

It is now time to configure port security.

6.1.a Static

Configure a static secure MAC address on port e0/0 (VLAN 33):

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e0/0
Switch(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  

Switch(config-if)#switchport port-security 
Switch(config-if)#switchport port-security violation shutdown 
Switch(config-if)#switchport port-security mac-address 0050.7966.6801
Switch(config-if)#^Z
Switch#

Because PC-1’s MAC address (0050.7966.6800) does not match the statically configured address, attempting to ping from PC-1 results in the interface being shut down:

PC-1> ping 10.200.101.1
10.200.101.1 icmp_seq=1 timeout
10.200.101.1 icmp_seq=2 timeout
10.200.101.1 icmp_seq=3 timeout
10.200.101.1 icmp_seq=4 timeout
10.200.101.1 icmp_seq=5 timeout

PC-1> 
Switch#
*Dec  6 21:48:44.071: %PM-4-ERR_DISABLE: secure-violation error detected on Et0/0, putting Et0/0 in err-disable state
Switch#
*Dec  6 21:48:44.071: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6800 on port Ethernet0/0.
*Dec  6 21:48:45.076: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
Switch#
*Dec  6 21:48:46.072: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to down
Switch#show int e0/0
Ethernet0/0 is down, line protocol is down (err-disabled)
Switch#show port-security int e0/0
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6800:33
Security Violation Count   : 1
Switch#

6.1.b Dynamic

In dynamic mode the switch learns the first source MAC address seen on the port as the secure address; a violation is triggered when the number of learned addresses exceeds the configured maximum (default is 1). To configure:

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e1/1
Switch(config-if)#switchport port-security    
Switch(config-if)#switchport port-security violation restrict 
Switch(config-if)#^Z

Now, if we ping from both PC-5 and PC-3, the second machine is blocked while PC-5 is still allowed to access the network. In restrict mode the port stays up, only the frames from the extra MAC address are dropped, and each dropped frame is logged:

PC-5> ping 10.10.254.1
84 bytes from 10.10.254.1 icmp_seq=1 ttl=255 time=4.195 ms
84 bytes from 10.10.254.1 icmp_seq=2 ttl=255 time=9.041 ms
84 bytes from 10.10.254.1 icmp_seq=3 ttl=255 time=11.537 ms
84 bytes from 10.10.254.1 icmp_seq=4 ttl=255 time=10.708 ms
84 bytes from 10.10.254.1 icmp_seq=5 ttl=255 time=10.623 ms
PC-3> ping 10.10.254.1
10.10.254.1 icmp_seq=1 timeout
10.10.254.1 icmp_seq=2 timeout
10.10.254.1 icmp_seq=3 timeout
10.10.254.1 icmp_seq=4 timeout
10.10.254.1 icmp_seq=5 timeout
Switch#
*Dec 6 22:03:03.182: %SYS-5-CONFIG_I: Configured from console by console
Switch#
*Dec 6 22:03:11.967: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port Ethernet1/1.
Switch#
*Dec 6 22:03:17.969: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port Ethernet1/1.
Switch#

6.1.c Sticky

The sticky keyword tells the switch to dynamically learn MAC addresses and store them in the running config as secure addresses.

If you want the learned MAC addresses saved in the startup config, run “copy run st”; otherwise they are lost on reload and re-learned from whatever connects first.

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e0/1
Switch(config-if)#switchport port-security 
Switch(config-if)#switchport port-security mac-address sticky 
Switch(config-if)#switchport port-security violation protect 
Switch(config-if)#^Z
Switch#
*Dec  6 22:16:10.803: %SYS-5-CONFIG_I: Configured from console by console

The “protect” violation mode drops frames from any MAC address other than the learned one, but it does not log violations. It will not increment the violation counter or disable the interface, so from the switch’s counters alone you cannot tell that anything was blocked.

For example, after connecting a different PC and trying to access the network, the show command does not report any violations:

Switch#show port-security interface e0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.6808:31
Security Violation Count   : 0
Switch#

However, when we change the violation mode to restrict, we see syslog messages and the violation counter is incremented:

Switch#
*Dec  6 22:24:16.775: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6808 on port Ethernet0/1.
Switch#show port-security interface e0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.6808:31
Security Violation Count   : 6
Switch#

6.1.d Max MAC addresses

The “switchport port-security maximum” command sets how many secure MAC addresses (static, sticky or dynamically learned, combined) the interface will accept before a violation is triggered.

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e1/0
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum ?
  <1-4097>  Maximum addresses
Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security violation restrict 
Switch(config-if)#^Z
Switch#
*Dec  6 22:26:40.753: %SYS-5-CONFIG_I: Configured from console by console
Switch#

We can trigger this by pinging the four computers on the e1/0 interface from the router; the first three MAC addresses fill the secure table and the fourth host is blocked:

Router#ping 10.200.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/24 ms
Router#ping 10.200.102.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/28 ms
Router#ping 10.200.102.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/36 ms
Router#ping 10.200.102.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router# 

Switch#
*Dec  6 22:32:39.063: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6807 on port Ethernet1/0.
Switch#
*Dec  6 22:32:45.058: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6807 on port Ethernet1/0.

Switch#show port-security interface e1/0 
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6807:20
Security Violation Count   : 5
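A practical way to pick the “maximum” value is to size it from the hosts the switch has already learned, rather than accepting the default of 1 and then chasing violations. The following Python script is an added example, not part of the original lab: it parses a constructed copy of the “show mac address-table dynamic” output from above, treats any port seen in more than one VLAN as a trunk (an assumption; the uplink Et1/3 is the only such port here), and emits a port-security stanza for each access port with the maximum set to the number of hosts observed. The function names and the “switchport mode access” line are my additions.

```python
"""Derive per-port port-security configuration from 'show mac address-table dynamic'.

Added example, not code from the original lab. It reads a constructed copy of
the switch output shown above and emits IOS configuration whose 'maximum'
matches the number of hosts actually observed on each access port.
Assumptions: a port seen in more than one VLAN is a trunk and is skipped;
the violation mode defaults to 'restrict'.
"""
import re
from collections import defaultdict

# Constructed sample: the dynamic MAC table captured from the lab switch above.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    ca01.4ce4.0008    DYNAMIC     Et1/3
  33    0050.7966.6800    DYNAMIC     Et0/0
  33    ca01.4ce4.0008    DYNAMIC     Et1/3
  31    0050.7966.6801    DYNAMIC     Et0/1
  31    ca01.4ce4.0008    DYNAMIC     Et1/3
  30    0050.7966.6802    DYNAMIC     Et1/1
  30    0050.7966.6804    DYNAMIC     Et1/1
  30    ca01.4ce4.0008    DYNAMIC     Et1/3
  20    0050.7966.6803    DYNAMIC     Et1/0
  20    0050.7966.6805    DYNAMIC     Et1/0
  20    0050.7966.6806    DYNAMIC     Et1/0
  20    0050.7966.6807    DYNAMIC     Et1/0
  20    ca01.4ce4.0008    DYNAMIC     Et1/3
Total Mac Addresses for this criterion: 13
"""

# One table row: VLAN, dotted-hex MAC, type, port.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$")


def parse_mac_table(text):
    """Return {port: {mac, ...}} from 'show mac address-table' output."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _vlan, mac, _type, port = m.groups()
            hosts[port].add(mac)
    return dict(hosts)


def detect_trunks(text):
    """Ports seen in more than one VLAN (assumed to be trunks/uplinks)."""
    vlans = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, _mac, _type, port = m.groups()
            vlans[port].add(vlan)
    return {port for port, seen in vlans.items() if len(seen) > 1}


def port_security_config(text, violation="restrict"):
    """Build IOS config lines: one stanza per access port, maximum = observed hosts."""
    hosts = parse_mac_table(text)
    trunks = detect_trunks(text)
    lines = []
    for port in sorted(hosts):
        if port in trunks:
            continue  # never enable port security on the uplink carrying every VLAN
        full_name = port.replace("Et", "Ethernet", 1)  # expand the abbreviated name
        lines += [
            f"interface {full_name}",
            " switchport mode access",
            " switchport port-security",
            f" switchport port-security maximum {len(hosts[port])}",
            " switchport port-security mac-address sticky",
            f" switchport port-security violation {violation}",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(port_security_config(MAC_TABLE)))
```

The generated stanza includes “switchport mode access”, which the lab transcript did not need on this emulated switch; on many IOS platforms port security is rejected on a port left in dynamic trunking mode, so setting the mode explicitly first avoids a “Command rejected” surprise.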

6.1.e Violation actions

Discards traffic:

  • Protect/Restrict/Shutdown -> YES

Sends log and SNMP messages & increments the violation counter for each frame:

  • Protect -> NO
  • Restrict/Shutdown -> YES

Shuts down interface:

  • Protect/Restrict -> NO
  • Shutdown -> YES


6.1.f Err-disable recovery

To recover an err-disabled port, first verify that the port was disabled because of port security with the following “show” commands:

Switch#show port-security interface e1/0
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6807:20
Security Violation Count   : 6
Switch#
Switch#show int e1/0
Ethernet1/0 is down, line protocol is down (err-disabled) 

To recover it, bounce the interface (the underlying cause must be fixed first, or the port will be err-disabled again as soon as the offending host sends a frame):

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e1/0
Switch(config-if)#shutdown 
Switch(config-if)#no shutdown 
Switch(config-if)#^Z
Switch#
*Dec  6 22:41:43.901: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
Switch#
*Dec  6 22:41:44.329: %SYS-5-CONFIG_I: Configured from console by console
*Dec  6 22:41:44.901: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up
Switch#
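The violation-action table (6.1.e) and the recovery procedure (6.1.f) both come down to reading the switch’s syslog and the “show port-security interface” output correctly. The following Python script is an added example, not part of the original lab: it counts PSECURE_VIOLATION messages per port and offending MAC, picks out ports the PM subsystem reported as err-disabled, parses the show output into a dictionary, and classifies each port as needing a bounce (secure-shutdown), an investigation (restrict-mode drops with the port still up) or as unobservable from counters (protect mode). All sample text is a constructed copy of the lab output above; the function names and the action labels are my own.

```python
"""Classify port-security state from syslog and 'show port-security interface' output.

Added example, not code from the original lab. Sample text below is a
constructed copy of the switch output shown earlier; function names and the
returned action labels are assumptions made for this example.
"""
import re
from collections import Counter

# Constructed sample: syslog lines copied from the lab above.
SYSLOG = """\
*Dec  6 21:48:44.071: %PM-4-ERR_DISABLE: secure-violation error detected on Et0/0, putting Et0/0 in err-disable state
*Dec  6 21:48:44.071: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6800 on port Ethernet0/0.
*Dec  6 22:03:11.967: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port Ethernet1/1.
*Dec  6 22:03:17.969: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port Ethernet1/1.
"""

# Constructed samples: 'show port-security interface' for e1/0 (shutdown) and e0/1 (protect).
SHOW_E1_0 = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 3
Total MAC Addresses        : 0
Last Source Address:Vlan   : 0050.7966.6807:20
Security Violation Count   : 6
"""
SHOW_E0_1 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Last Source Address:Vlan   : 0050.7966.6808:31
Security Violation Count   : 0
"""

VIOL = re.compile(r"PSECURE_VIOLATION: .*caused by MAC address (\S+) on port (\S+)\.")
ERRDIS = re.compile(r"ERR_DISABLE: secure-violation error detected on (\S+),")
# 'Key : Value'; the lazy key lets 'Last Source Address:Vlan' keep its inner colon.
FIELD = re.compile(r"^(\S.*?)\s+:\s+(.*?)\s*$")


def violations_by_port(log):
    """Count PSECURE_VIOLATION messages per (port, offending MAC)."""
    counts = Counter()
    for line in log.splitlines():
        m = VIOL.search(line)
        if m:
            mac, port = m.groups()
            counts[(port, mac)] += 1
    return counts


def errdisabled_ports(log):
    """Ports reported as err-disabled for a secure-violation."""
    return {m.group(1) for m in map(ERRDIS.search, log.splitlines()) if m}


def parse_show_port_security(text):
    """Turn the 'Key : Value' lines of the show command into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def recovery_action(show_text):
    """Decide what an operator should do with the port, from the show output alone."""
    f = parse_show_port_security(show_text)
    status = f.get("Port Status", "")
    mode = f.get("Violation Mode", "")
    count = int(f.get("Security Violation Count", "0"))
    if status == "Secure-shutdown":
        return "bounce"        # err-disabled: shutdown / no shutdown once the cause is fixed
    if mode == "Protect":
        return "unobservable"  # protect never logs or counts; compare the MAC table instead
    if count > 0:
        return "investigate"   # restrict: port up, extra MACs dropped, last offender recorded
    return "ok"


def recovery_commands(port):
    """IOS commands to manually clear an err-disabled port, as in 6.1.f above."""
    return [f"interface {port}", " shutdown", " no shutdown"]


if __name__ == "__main__":
    for (port, mac), n in sorted(violations_by_port(SYSLOG).items()):
        print(f"{port}: {n} violation(s) from {mac}")
    print("err-disabled:", sorted(errdisabled_ports(SYSLOG)))
    print("e1/0 ->", recovery_action(SHOW_E1_0), recovery_commands("Ethernet1/0"))
    print("e0/1 ->", recovery_action(SHOW_E0_1))
```

The “unobservable” result is the practical cost of protect mode noted above: nothing in the counters or syslog tells you a host was dropped, so detection has to come from elsewhere (the MAC address table, or the host’s own loss of connectivity). The manual shut/no shut is what the lab shows; IOS can also clear the port on a timer with the global “errdisable recovery cause psecure-violation” command, which is not shown in the lab but is worth knowing before relying on manual recovery.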
