Port Security

When port security is enabled on a switch, any Media Access Control (MAC) address not specified for that port is denied access to the switch, and to any networks to which the switch is connected. Port security can be used to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet switch port.

The total supply, or global resource, of MAC addresses for the switch is 1024 MAC addresses. However, not all Cisco switches have 1024 MAC addresses; some have only 64 MAC addresses. In addition to this total supply, there is space for one default MAC address per port to be secured. The total number of MAC addresses that can be specified per port is limited to the global resource of 1024 MAC addresses plus one default MAC address (per port).

Note: The total number of MAC addresses on any port cannot exceed 1025. Bear in mind that the switch-wide limit is 1024 MAC addresses in total.


The maximum number of MAC addresses for each port depends on your network configuration. The following combinations are some examples of valid allocation of MAC addresses:

  • 1025 (1 + 1024) addresses on 1 port and 1 address each on the rest of the ports

  • 513 (1 + 512) each on 2 ports in a system and 1 address each on the rest of the ports

  • 901 (1 + 900) on 1 port, 101 (1 + 100) on another port, 25 (1 + 24) on the third port, and 1 address each on the rest of the ports

Each of these examples is listed in Table 9-1: the first row is the first example, the second row is the second, and the last three rows together make up the third. Note that in each example the total number of allocated MAC addresses does not exceed 1024.

Table 9-1. MAC Address Allocation Examples

  Number of Ports   x   Number of MAC Addresses   =   Total
  1                 x   1024                      =   1024
  2                 x   512                       =   1024
  1                 x   900                       =   900
  1                 x   100                       =   100
  1                 x   24                        =   24
                                                      1024  (900 + 100 + 24)


After you have allocated the maximum number of MAC addresses on a switch port, you can do one of two things:

  • Manually specify the secure MAC address for the port

  • Have the port dynamically configure the MAC address of the connected devices

From an allocated number of maximum MAC addresses on a port, you can manually configure all of them, allow all of them to be autoconfigured, or configure some manually and allow the rest to be autoconfigured. After the port addresses have been configured, manually or automatically, they are stored in nonvolatile random-access memory (NVRAM).

After you allocate a maximum number of MAC addresses on a port, you specify a period of time, called the age time, during which the addresses on the specified port remain secure. After this age time expires, the MAC addresses on the port become insecure and are no longer trusted.

Note: All addresses on a port are permanently secured by default.


If a security violation occurs, you can configure the port to go into shutdown mode or restrictive mode. Shutdown mode gives you the option of specifying whether the port is permanently disabled or disabled for a specified amount of time. The default action during a security violation is for the port to permanently shut down. Restrictive mode allows the port to remain enabled during the security violation, only stopping packets coming in from insecure hosts.

When a secure port receives a frame, the frame's source MAC address is compared to the list of secure source addresses that were configured (manually or learned via autoconfiguration) on the port. If the MAC address of a device attached to the port is not on the secure address list, the port is shut down, either permanently or for a period of time you've configured.
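The allocation arithmetic and the secure-port decision described above, as an added example that is not code from the book; the class and function names, the 2/x port labels and the sample MAC addresses are constructed for illustration.

```python
"""Simulate the port-security rules: a shared pool of 1024 secure MAC addresses
plus one default address per port, and shutdown/restrict handling of violations."""
from dataclasses import dataclass, field

GLOBAL_POOL = 1024    # switch-wide pool of secure MAC addresses (64 on some models)
DEFAULT_PER_PORT = 1  # one default secure address per port, outside the pool


def allocation_is_valid(per_port_max: dict, pool: int = GLOBAL_POOL) -> bool:
    """Each port gets at least its one default address; every address beyond
    that is drawn from the shared pool, which cannot be overdrawn."""
    drawn = 0
    for port, maximum in per_port_max.items():
        if maximum < DEFAULT_PER_PORT:
            return False
        drawn += maximum - DEFAULT_PER_PORT
    return drawn <= pool


@dataclass
class SecurePort:
    name: str
    maximum: int                      # allocated secure addresses for this port
    violation: str = "shutdown"       # the two actions the text describes
    secure_macs: set = field(default_factory=set)
    enabled: bool = True
    dropped: int = 0

    def receive(self, src_mac: str) -> str:
        """Apply the secure-port rule to the source MAC of one ingress frame."""
        if not self.enabled:
            return "port-disabled"
        src_mac = src_mac.lower()
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:   # room left: autoconfigure it
            self.secure_macs.add(src_mac)
            return "learned"
        # Violation: unknown source address on a port whose secure list is full.
        if self.violation == "shutdown":
            self.enabled = False                   # port disabled, as per default
            return "shutdown"
        self.dropped += 1                          # restrict: port stays up
        return "dropped"
```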

Port Security Configuration Guidelines

When configuring port security, consider the following guidelines:

  • You cannot configure port security on a trunk port.

  • Port security cannot be enabled on a Switched Port Analyzer (SPAN) port.

  • You cannot configure dynamic, static, or permanent content-addressable memory (CAM) entries on a secure port.

  • When you enable port security on a port, any static or dynamic CAM entries associated with the port are cleared; any permanent CAM entries that an administrator has configured are treated as secure.