Switchport Security

Port Security

General

Port security configuration on the whole switch can be viewed by.

switch#show port-security 
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
    Te1/0/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Port security configuration on a port can be viewed by.

switch#show port-security interface tenGigabitEthernet 1/0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 1 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Administrative Mode

The Administrative Mode static access or trunk to enable port-security on a port.

switch#show interfaces te1/0/1 switchport
Name: Te1/0/1
Switchport: Enabled
Administrative Mode: static access

switch(config)#int te 1/0/1
switch(config-if)#switchport port-security

switch#show interfaces te1/0/3 switchport
Name: Te1/0/3
Switchport: Enabled
Administrative Mode: trunk

switch(config)#int t 1/0/3
switch(config-if)#switchport port-security

The default of dynamic auto will result in a rejected switchport port-security command.

switch(config-if)#do show int t1/0/2 switchport     
Name: Te1/0/2
Switchport: Enabled
Administrative Mode: dynamic auto

switch(config-if)#switchport port-security
Command rejected: TenGigabitEthernet1/0/2 is a dynamic port.

Aging Time

By default, secure MAC addresses will not age out.

To define an aging time, from 1-1440 minutes

switch(config-if)#switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440

Aging Types

The Aging types are:
- Absolute
  - The default aging type is Absolute.
  - After the secure MAC address is learned, the aging timer starts and the MAC is removed after the timer expires, even if the switch continues receiving frames from that source MAC address.
- Inactivity
  - After the secure MAC address is learned, the aging timer starts but is reset every time a frame from that source MAC address is received on the interface.
- Can be configured by.
  - ```
  switch(config-if)#switchport port-security aging type ?
    absolute    Absolute aging (default)
    inactivity  Aging based on inactivity time period
```

Secure MAC aging

Secure Static MAC aging is disabled by default (addresses configured with switchport port-security mac-address <MAC>.

Can be enabled by.

switch(config-if)#switchport port-security aging static

Violation Modes

Determines how port-security will protect the port in case of a violation.
The modes are:
- protect
  - Discard traffic from unauthorized hosts.
  - The interface will remain up if more than the maximum number of addresses is learned, but traffic violating devices are dropped and no log entry is generated.
  - Keyword: No log entry.
- restrict
  - The interface will remain up if more than the maximum number of addresses is learned, but traffic violating devices is dropped and a log entry is generated.
- shutdown
  - Shutdowns the port if more than the maximum number of allowable MAC addresses are learned on the interface.

Defined per port by.

switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

Sticky MAC addresses

General

There are two type of sticky secure MAC address.
1. An incoming packet, with a MAC address, is automatically assigned to that port.
2. The MAC address is statically defined.
By default, when enabled, one MAC address is allowed per port.

Sticky secure MAC address learning can be enabled, per interface, by.

switch(config-if)#switchport port-security mac-address sticky ?
  H.H.H  48 bit mac address
  <cr>   <cr>

switch(config-if)#switchport port-security mac-address sticky 1234.1234.1234

Sticky secure MAC address will never age out.
If the command, switchport port-security mac-address sticky is issued, then all current dynamically-learned secure MAC addresses will be converted to sticky secure MAC addresses.
Sticky secure MAC address learning can be disabled by.
- ```
no switchport port-security mac-address sticky
```
- All current sticky secure MAC addresses will be converted to regular dynamically-learned secure MAC address.

Types

Secure MAC addresses will be added to the MAC address table like any other MAC address.
- Sticky and Static secure MAC addresses will have a type of STATIC.
- Dynamically-learned secure MAC addresses will have a type of DYNAMIC.
- To view all secure MAC addresses.
  - ```
  switch#show mac address-table secure
            Mac Address Table
  -------------------------------------------
  
  Vlan    Mac Address       Type        Ports
  ----    -----------       --------    -----
```

Errdisable recovery

Causes

Can be caused by:
- arp-inspection
  - Detects errors with dynamic ARP inspection.
- bpduguard
  - Detects when a spanning-tree bridge protocol data unit (BPDU) is received on a port configured for STP PortFast.
- dhcp-rate-limit
  - Detects an error with DHCP snooping.
- dtp-flap
  - Detects when trunking encapsulation is changing from one type to another.
- gbic-invalid
  - Detects the presence of an invalid GBIC or SFP module.
- inline-power
  - Detects an error with offering PoE inline power.
- l2ptguard
  - Detects an error with L2 Protocol Tunneling.
- link-flap
  - Detects when the port link state is flapping between the up and down states.
- loopback
  - Detects when an interface has been looped back.
- pagp-flap
  - Detects when an EtherChannel bundle's ports no longer have consistent configurations.
- pppoe-ia-rate-limit
  - Detects errors with PPPoE Intermediate Agent rate limiting.
- psecure-violation
  - Detects conditions that trigger port security configured on a port.
- psp
  - Detects an error related to protocol storm protection.
- security-violation
  - Detects errors related to 802.1X security.
- sfp-config-mismatch
  - Detects errors related to SFP config mismatches.
- small-frame
  - Detects errors when VLAN-tagged packets are too small and arrive above a certain time.
- storm-control
  - Detects when a storm control threshold has been exceeded on a port.
- udld
  - Detects when a link is seen to be unidirectional.
- all
  - Detects every possible cause.

Configuration

Are applied globally.

To configure all causes.

switch(config)#errdisable detect cause all

To configure one cause.

switch(config)#errdisable detect cause <cause name>

switch(config)#errdisable detect cause link-flap

To disable all causes.

switch(config)#no errdisable detect cause all

To disable one cause.

switch(config)#no errdisable detect cause <cause name>

switch(config)#no errdisable detect cause link-flap

Recovery Options

Automatically recover from all error conditions.
- ```
switch(config)#errdisable recovery cause all
```

Automatically recover from one error condition.

switch(config)#errdisable recovery cause mac-limit

Else, to recover from an errdisabled state, the port must be shut/no shut.

switch(config-line)#int te 1/0/1
switch(config-if)#shut
*Nov 23 06:47:22.720: %LINK-5-CHANGED: Interface TenGigabitEthernet1/0/1, changed state to administratively down
switch(config-if)#no shut
*Nov 23 06:47:30.749: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/0/1, changed state to up

Recovery Interval

When enabled, the default recovery interval is 300 secs (5 mins)

Modify recovery interval from 30-86400 secs (24 hrs) by

switch(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)

switch(config)#errdisable recovery interval 30

Verification

View a single interface status line protocol.

switch#show interfaces t1/0/1 | i line protocol
TenGigabitEthernet1/0/1 is down, line protocol is down (notconnect)

View all interface status line protocols.

switch#show interfaces status err-disabled

View all errdisable reason status' and timer.

switch#sh errdisable recovery 
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Enabled
bpduguard                    Enabled
channel-misconfig            Enabled
dhcp-rate-limit              Enabled
dtp-flap                     Enabled
gbic-invalid                 Enabled
inline-power                 Enabled
l2ptguard                    Enabled
link-flap                    Enabled
mac-limit                    Enabled
link-monitor-failure         Enabled
loopback                     Enabled
oam-remote-failure           Enabled
pagp-flap                    Enabled
port-mode-failure            Enabled
pppoe-ia-rate-limit          Enabled
psecure-violation            Enabled
security-violation           Enabled
sfp-config-mismatch          Enabled
storm-control                Enabled
udld                         Enabled
vmps                         Enabled
psp                          Enabled
dual-active-recovery         Disabled
evc-lite input mapping fa    Disabled

Timer interval: 30 seconds

Interfaces that will be enabled at the next timeout: