3. Port security

3.1. Enabling port security

In our switch, we set all ports on VLAN 10. For most interfaces, we set:
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky

For most interfaces, but not for all:
  • I noticed some strange behaviour when the Raspberry Pi boots. It triggers a port security violation, but only sometimes.
  • I do not have a console cable, so I left port 23 and port 24 without port security to prevent locking myself out.

Let's examine the configuration.
switchport access vlan 10

Port security in these older IOS versions can only be applied to access ports.
 switchport port-security
 switchport port-security mac-address sticky

This enables port security on the port. Here, we have chosen to use sticky. You have the following options:

type      command                                              explanation
fixed     switchport port-security mac-address xxxx.yyyy.zzzz  Puts a fixed MAC ID on the port
sticky    switchport port-security mac-address sticky          Allows the MAC ID to be dynamically learned and stores it in the config
dynamic   (no additional command)                              Allows the MAC ID to be dynamically learned but does not store it in the config

In general, sticky will be the preferred option. If you keep a very good record of devices, MAC IDs and cabling, fixed could be an option. Dynamic is the default.

There are some additional options, for which I have chosen the default.
switchport port-security maximum 1

Defines the maximum number of MAC IDs allowed on the port. The default is 1.
switchport port-security violation {protect | restrict | shutdown} 

Default is shutdown; this means that if a port has a violation, it will be closed. Options are:
protect:  Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
restrict: Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, and causes the SecurityViolation counter to increment.
shutdown: Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

You can also put some aging parameters on the port security. When the aging type is configured with the absolute keyword, all the dynamically learned secure addresses age out when the aging time expires. When the aging type is configured with the inactivity keyword, the aging time defines the period of inactivity after which all the dynamically learned secure addresses age out. I have not tried this.

3.2. And testing it...

I have tested two scenarios with MAC address sticky.

3.2.1. Abusing the port and restoring the original situation

In this scenario, we removed one of the fixed computers and attached the rogue laptop. If the laptop is blocked, we put back the original computer. This is our original situation (an extract from sh run for the two interfaces):
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky 0080.6494.adba
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky 0080.6494.b208

The two MAC addresses were dynamically learned and stored in the configuration by the sticky option.

So now we put our rogue laptop on the switch. The port will be blocked and in our syslog we see:
Oct  3 16:10:09 192.168.10.1 311: 08:51:11: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Oct  3 16:10:10 192.168.10.1 312: 08:51:11: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 847b.eb43.c06d on port FastEthernet0/1.

Putting the cable back into the original computer will still block all traffic; the port is still shut down (err-disabled). To get things working again, we have to issue:
config t
int fa0/1
shut
no shut
end

This results in the following syslog:
Oct  3 13:11:41 192.168.10.1 182: 05:52:42: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.10.13)
Oct  3 13:12:31 192.168.10.1 183: 05:53:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Oct  3 13:12:32 192.168.10.1 184: 05:53:32: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Oct  3 13:12:36 192.168.10.1 185: 05:53:37: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Oct  3 13:12:36 192.168.10.1 186: 05:53:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Now the port is back up after some manual intervention.

3.2.2. Put a new device in

This time, we do not put in a rogue laptop, but a replacement device. Attaching the device will of course lead to a port security violation:
Oct  3 23:49:53 192.168.10.1 678: 3d01h: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
Oct  3 23:49:54 192.168.10.1 679: 3d01h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 847b.eb43.c06d on port FastEthernet0/2.

This time, we not only need to reset the port, but will also need to remove the sticky MAC ID to allow a new one to be learned:
config t
int fa0/2
shut
no switchport port-security mac-address sticky 0080.6494.b208
no shut
end

And, as expected, the new MAC ID is learned and the port comes back up.

3.3. Some problems I encountered

If the MAC ID of computer_1 is allowed on Fa0/1, connecting that computer to a different port (for example Fa0/5) will cause a port security violation. In other words: once your computer has been learned on a specific port, you cannot simply connect it to another port. This means that you need to keep a record of which MAC ID belongs on which port.

For some inexplicable reason, the port security sticky did not learn the MAC ID correctly. A reload of the switch did nothing to improve the situation. I had to remove all cables, remove all MAC IDs and disable/re-enable port security to get everything working again.
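The record of port-to-MAC assignments this section calls for can be kept from the switch's own output. The following Python script is an added example (not from the original page or from Cisco): it builds that record from the 'sh run' extract of 3.2.1, tags each PSECURE_VIOLATION syslog line as either a known device plugged into the wrong port (the case above) or a MAC that is not in the record at all (the rogue laptop of 3.2.1 or the replacement device of 3.2.2), and produces the recovery commands from 3.2.1 and 3.2.2. The sample config and syslog are constructed for the example; the third syslog line is invented to show the "moved computer" case.

```python
import re
# Constructed sample input (not real switch output): the sticky lines of the
# 'sh run' extract from 3.2.1 and syslog lines in the format shown on this page.
# The last syslog line is made up: the MAC sticky-learned on Fa0/1 turns up on
# Fa0/2, the "computer moved to another port" case of 3.3.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport port-security mac-address sticky 0080.6494.adba
interface FastEthernet0/2
 switchport port-security mac-address sticky 0080.6494.b208
"""
SYSLOG = """\
Oct  3 16:10:09 192.168.10.1 311: 08:51:11: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Oct  3 16:10:10 192.168.10.1 312: 08:51:11: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 847b.eb43.c06d on port FastEthernet0/1.
Oct  3 23:49:54 192.168.10.1 679: 3d01h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0080.6494.adba on port FastEthernet0/2.
"""
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
STICKY_RE = re.compile(r"^\s*switchport port-security mac-address sticky (" + MAC + ")")
VIOLATION_RE = re.compile(r"PSECURE_VIOLATION: .* MAC address (" + MAC + r") on port (\S+)\.")

def sticky_inventory(running_config):
    """Map each interface to the sticky MACs stored in its configuration."""
    inventory, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            inventory[current] = set()
        elif current and (m := STICKY_RE.match(line)):
            inventory[current].add(m.group(1))
    return inventory

def classify_violations(syslog, inventory):
    """Tag each PSECURE_VIOLATION: 'moved' if the MAC is sticky on another port
    (3.3), else 'unknown' (rogue or replacement device; a human decides which)."""
    findings = []
    for line in syslog.splitlines():
        if m := VIOLATION_RE.search(line):
            mac, port = m.groups()
            known_on = sorted(p for p, macs in inventory.items() if mac in macs)
            findings.append((port, mac, "moved" if known_on else "unknown", known_on))
    return findings

def recovery_commands(port, inventory, replace=False):
    """IOS lines that reset the port as in 3.2.1; replace=True also drops the stored sticky MAC first (3.2.2)."""
    cmds = ["config t", f"int {port}", "shut"]
    if replace:
        cmds += [f"no switchport port-security mac-address sticky {m}"
                 for m in sorted(inventory.get(port, ()))]
    return cmds + ["no shut", "end"]
```

The ERR_DISABLE line is deliberately ignored: the PSECURE_VIOLATION message that follows it carries both the port and the offending MAC, which is what the record needs.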