1. Port security

Port security is a feature that limits which MAC addresses are allowed on a physical switch port. A port security violation occurs if

  • the maximum number of MAC addresses on the port has been reached and a frame arrives from a MAC address that is not on the allowed list
  • an allowed MAC address is seen on a different port in the same VLAN

Port security is seen as a deterrent against people who want to connect rogue devices to your network.

You can allow a single MAC address to connect, or allow several. The maximum number of MAC addresses per port depends on the switch model and IOS version.

There are three modes for determining the allowed MAC addresses:

  • Dynamic: The switch automatically learns the MAC addresses of devices that connect to the port. When the switch restarts or the port goes down, these dynamically learned addresses are lost.
  • Static or fixed: You manually configure the allowed MAC addresses on the switch port using commands. These statically configured addresses are stored in the switch's configuration file and remain after a switch restart.
  • Sticky: The switch dynamically learns MAC addresses, as in the dynamic method, and then "sticks" those learned addresses by adding them to the running configuration. If you save the running configuration to the startup configuration, these sticky addresses persist across switch restarts.
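To make the two violation conditions and the three learning modes concrete, here is an added Cisco IOS configuration example (my own illustration, not a configuration from the lab write-up above). It puts one access port in each mode and lists the show commands used to verify the result. The interface names FastEthernet0/1 to 0/3, VLAN 10 and the MAC address 0011.2233.4455 are assumed placeholder values; the violation actions (shutdown, restrict) are standard IOS options and are noted here because they decide what a violation looks like to the operator.

```cisco
! Added example, not part of the original write-up. Interface names, VLAN 10
! and the MAC 0011.2233.4455 are placeholders chosen for illustration.
!
! Port 1: static/fixed. Only the configured MAC is allowed. The entry lives in
! the configuration, so it survives a reload once the config is saved.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Port 2: dynamic. The first two MACs seen are learned into the secure address
! table only; a link flap or reload clears them and the port relearns.
! "restrict" drops offending frames, logs the event and counts violations
! instead of err-disabling the port.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! Port 3: sticky. Learned MACs are written into the running configuration as
! "switchport port-security mac-address sticky <mac>" lines and persist across
! a reload only if the running configuration is saved.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
end
!
! Verification from privileged EXEC:
! show port-security                              per-port max, current count, violation count, action
! show port-security interface FastEthernet0/3    status, last source MAC, security violation count
! show port-security address                      secure MAC table with type (static/dynamic/sticky)
! show running-config interface FastEthernet0/3   sticky lines appear here once a MAC is learned
! copy running-config startup-config              makes static and sticky entries survive a reload
```

Two practical points when applying this: `switchport port-security` is rejected on a port that is not explicitly an access (or trunk) port, which is why `switchport mode access` comes first; and the violation action determines what is observable, since `shutdown` places the port in the err-disabled state while `restrict` keeps the port up, drops the frames and increments the violation counter shown by `show port-security`. A sticky-learned MAC that later appears on another port in the same VLAN triggers the second violation condition described above, which is what makes the mode useful for catching a moved or duplicated device.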

Port security depends on MAC addresses. It is therefore vulnerable to MAC address spoofing, where you copy the MAC address from an allowed device to your own adapter. On Linux, this is trivial to do.

GNS3, which I use for most simulations, does not provide a switch that supports port security. Therefore this is not a simulated lab; a real switch was used.