The Cisco port security violation mode is a port security feature that restricts input to an interface when it receives a frame that breaks the port security settings on that interface. This security mechanism is used in Cisco Catalyst switches to secure their Ethernet ports from unauthorized users by limiting and identifying the MAC addresses of the peripherals that are allowed to access the port.
Enabling the port security violation feature on the switch ports means that each port can be configured to use one of the three violation modes, which define the action to take when a violation happens. These modes cause the switch to discard the violating frame (the frame whose source MAC address would drive the number of learned MAC addresses over the limit).

Configuring Port Security on a Switch Port

To limit or discard unwanted frames on a switch interface, we need to limit and identify the MAC addresses of the peripherals that are allowed to access the port. We need to configure port security on these interfaces.

Step 1: Enter interface configuration mode and specify the physical interface to configure. We will be using gigabitEthernet 2/1 as an example.
Switch(config)# interface gigabitEthernet 2/1

Step 2: Set the interface mode to access. The default mode, dynamic desirable, cannot be configured as a secure port.
Switch(config-if)# switchport mode access

Step 3: Enable port security on the interface.
Switch(config-if)# switchport port-security

Step 4: Set the maximum number of secure MAC addresses for the interface, which ranges from 1 to 3072; the default value is 1.
Switch(config-if)# switchport port-security maximum {1-3072}

Step 5: Configure the violation mode on the port, i.e. the action to be taken when a security violation is detected. Refer to the table below for the actions to be taken.
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
NOTE:

Step 6: Set the rate limit for bad packets.
Switch(config-if)# switchport port-security limit rate invalid-source-mac

Step 7: Enter the identified secure MAC addresses for the interface. You can use this command to limit the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
Switch(config-if)# switchport port-security mac-address {mac_address}

Step 8: Verify your configuration with the following commands.
Switch# show port-security address interface gigabitEthernet 2/1
Switch# show port-security address
Cisco CCNA – Port Security and Configuration

Switch port security limits the number of valid MAC addresses allowed on a port. When a MAC address, or a group of MAC addresses, is configured to enable switch port security, the switch will forward packets only to the devices using those MAC addresses. Any packet coming from another device is discarded by the switch as soon as it arrives on the switch port. If you limit the number of MAC addresses allowed on a port to only one MAC address, only one device will be able to connect to that port, and it will get the full bandwidth of the port. If the maximum number of secure MAC addresses has been reached, a security violation occurs when a device with a different MAC address tries to attach to that port. In most of today's scenarios, when the switch detects a security violation, the switch automatically shuts down that port. A switch can also be configured to only protect or restrict that port. We will discuss these security violation modes a little later. Secure MAC addresses are of three types:
Sticky secure MAC addresses have these characteristics:
In a Cisco switch, you are able to configure three types of security violation modes. A security violation occurs when the maximum number of MAC addresses has been reached and a new device, whose MAC address is not in the address table, attempts to connect to the interface, or when a MAC address learned on one secure interface is seen on another secure interface in the same VLAN. Depending on the action you want a switch to take when a security violation occurs, you can configure the behavior of a switch port to one of the following:
The default configuration of a Cisco switch has port security disabled. If you enable switch port security, the default behavior is to allow only 1 MAC address, shut down the port in case of a security violation, and leave sticky address learning disabled. Next, we will enable dynamic port security on a switch. As you can see, we did not specify an action to be taken if a security violation occurs, nor how many MAC addresses are allowed on the port. Recalling from above, the default behavior is to shut down the port and allow only one MAC address.
Switch(config)#interface FastEthernet 0/1

Good. After you have configured port security in the desired mode on a switch, it's time to verify the configuration and the learned MAC addresses with show port-security interface interface-id and with show port-security address.
Switch#show port-security address
-------------------------------------------------------------------
Total Addresses in System: 0
Max Addresses limit in System: 8320
Switch(config)#interface FastEthernet 0/2

In this CCNA certification topic we have covered switch port security. Knowing what switch port security is and how to implement it is important. Not only may you encounter questions about this topic when you take the Cisco CCNA certification exam, but you will also see switches configured with port security in almost all real-life environments. Companies and service providers use port security to prevent attacks and unauthorized access to their networks. We hope you found this article helpful in your preparation for the CCNA exam, as well as for your day-to-day activities.

Which port security violation mode does not increase the violation counter?
If the switch port-security violation mode "protect" is enabled, packets coming from the violating hosts are dropped at the port-security process level, but the security-violation count is not incremented. If the "shutdown" mode is enabled, the port goes into shutdown mode.
What are the port security violation modes?
You can configure the port for one of three violation modes: protect, restrict, or shutdown.
What is the default port security violation mode?
Shutdown - In this (default) violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED.
Which port security mode turns off a port when security is violated?
Shutdown mode shuts down the port. A status of err-disabled means that a security violation occurred on the port.
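As an added illustration that is not Cisco code and not part of the original article, the following Python model plays the three violation modes described above against constructed frames: a port with a configured maximum, dynamic learning up to that maximum, the same-VLAN cross-interface violation, and the violation-counter and err-disable behaviour that distinguish protect, restrict and shutdown. Port names and MAC addresses are made up.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One switch port with port security enabled (constructed model, not IOS)."""
    name: str
    vlan: int
    maximum: int = 1                # default: only 1 secure MAC address
    violation: str = "shutdown"     # default violation mode
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False

    def learn(self, mac: str) -> None:
        """Static entry, as with 'switchport port-security mac-address <mac>'."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: maximum secure addresses reached")
        self.secure_macs.add(mac)


def handle_frame(port: SecurePort, mac: str, ports: list) -> str:
    """Return 'forward' or 'drop' for a frame with source MAC `mac` arriving on `port`.

    `ports` lists every secure port on the switch, so a MAC already secured on
    another secure port in the same VLAN is treated as a violation.
    """
    if port.err_disabled:
        return "drop"                   # an err-disabled port passes nothing
    if mac in port.secure_macs:
        return "forward"
    seen_elsewhere = any(mac in p.secure_macs
                         for p in ports if p is not port and p.vlan == port.vlan)
    if not seen_elsewhere and len(port.secure_macs) < port.maximum:
        port.secure_macs.add(mac)       # dynamically learned secure address
        return "forward"
    # Security violation: the configured mode decides what happens next
    if port.violation == "protect":
        return "drop"                   # dropped silently, counter not incremented
    port.violation_count += 1           # restrict and shutdown both count it
    if port.violation == "shutdown":
        port.err_disabled = True        # interface goes err-disabled
    return "drop"
```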