Friday, September 18, 2009

Cisco Catalyst Port-Security

The Cisco Catalyst switch can restrict access on a port to specific source MAC addresses. Using the port-security feature, you can have the switch put a port into shutdown (err-disabled) if a frame arrives from an unauthorized MAC address. Keep in mind that this is a first-hop control only: a source MAC address is trivial to spoof, so port-security stops accidental or casual connections (a second device plugged into a wall jack, a rogue hub), not a determined attacker who can clone the authorized address.

Shutdown is the default, but there are two other violation modes the port can be configured with. Here are all three modes (the IOS keywords are protect, restrict and shutdown; descriptions taken from http://cauew.blogspot.com/2008/09/switchport-port-security-what-we-must.html):

  • Protected - When a violation occurs, it'll simply ignore any exceeding MAC addresses, according to your configuration (if you allow only one MAC address, it'll permit the first MAC address to transmit, and drop everything else from any new MAC address trying to transmit to this port).

  • Restrict - Does exactly the same thing as Protected mode, but will also send an SNMP trap regarding the violation.

  • Shutdown - When a violation occurs in shutdown mode, it sets the port to ERRDISABLE state. The port will stop transmitting anything in the ERRDISABLE state; also, the port LED will turn off. It sends out an SNMP trap about this.
The following example shows how this is done (the ! lines are comments, which IOS accepts in configuration mode; replace xxxx.xxxx.xxxx with the MAC address of the authorized device):

config t
interface fa0/1
 ! port-security is only accepted on a static access port, not a dynamic or trunk port
 switchport mode access
 switchport port-security
 ! err-disable the port on a violation (this is also the default mode)
 switchport port-security violation shutdown
 ! allow exactly one secure MAC address on this port
 switchport port-security maximum 1
 ! the statically configured secure MAC address
 switchport port-security mac-address xxxx.xxxx.xxxx
end

If the switch port goes err-disabled because of a violation, you will have to log into the switch, remove the offending device, and bring the port back manually with shutdown followed by no shutdown on the affected interface. A plain no shutdown on its own is not enough to clear the err-disabled state.

The commands show port-security address and show port-security interface fa0/1 will show you exactly what is going on: the configured maximum, the violation mode, the violation count, and the last source MAC address and VLAN seen on the port, which is how you find out who tripped it. show interfaces status err-disabled lists every port currently err-disabled and why.
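When you have many switches, reading that output by hand does not scale. The following Python script is an added example (not part of the original post): it parses the text of show port-security interface, tells you whether the port is err-disabled, pulls out the offending MAC address and VLAN, and prints the exact CLI needed to recover the port. The two sample outputs are constructed to match the layout of the Catalyst display; they were not captured from a real switch, and the field names are the ones the command normally prints.

```python
"""Parse 'show port-security interface <port>' output and flag violations.

Added example for the post above, not code from the original page.
SAMPLE_VIOLATION and SAMPLE_CLEAN are constructed to mirror the Catalyst
display format; they are not captured from a real device.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a port that tripped port-security in shutdown mode.
SAMPLE_VIOLATION = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 1
"""

# Constructed sample: the same port, healthy, before any violation.
SAMPLE_CLEAN = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


@dataclass
class PortSecurityStatus:
    enabled: bool
    port_status: str
    violation_mode: str
    max_macs: int
    violation_count: int
    last_source_mac: Optional[str]   # None when the switch reports 0000.0000.0000
    last_source_vlan: Optional[int]

    @property
    def err_disabled(self) -> bool:
        # Catalyst reports a port shut by port-security as "Secure-shutdown".
        return self.port_status.lower() == "secure-shutdown"


def parse_port_security(text: str) -> PortSecurityStatus:
    """Split each 'Name : value' line; the separator is the first ' : '."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()

    mac, vlan = None, None
    last = fields.get("Last Source Address:Vlan", "")
    mac_part, _, vlan_part = last.rpartition(":")
    if MAC_RE.match(mac_part) and mac_part != "0000.0000.0000":
        mac = mac_part.lower()
        vlan = int(vlan_part) if vlan_part.isdigit() else None

    return PortSecurityStatus(
        enabled=fields.get("Port Security", "").lower() == "enabled",
        port_status=fields.get("Port Status", ""),
        violation_mode=fields.get("Violation Mode", ""),
        max_macs=int(fields.get("Maximum MAC Addresses", "0")),
        violation_count=int(fields.get("Security Violation Count", "0")),
        last_source_mac=mac,
        last_source_vlan=vlan,
    )


def recovery_commands(interface: str, status: PortSecurityStatus) -> list:
    """CLI lines to bring an err-disabled port back; empty if nothing to do.

    The offending MAC is put in a comment so whoever runs this removes the
    device first; otherwise the port just trips again on the next frame.
    """
    if not status.err_disabled:
        return []
    who = status.last_source_mac or "unknown"
    return [
        f"! port {interface} err-disabled by port-security, last source {who}",
        f"interface {interface}",
        " shutdown",
        " no shutdown",
    ]


if __name__ == "__main__":
    for label, raw in (("fa0/1 (violation)", SAMPLE_VIOLATION), ("fa0/1 (clean)", SAMPLE_CLEAN)):
        st = parse_port_security(raw)
        print(f"{label}: err-disabled={st.err_disabled} violations={st.violation_count} "
              f"last={st.last_source_mac} vlan={st.last_source_vlan}")
        for line in recovery_commands("fa0/1", st):
            print("   ", line)
```

In practice you would feed this the output collected over SSH from each switch (the script deliberately stays offline and takes the text as a string), and alert on any port whose status is Secure-shutdown or whose violation count has gone up since the last poll, since in protect and restrict modes the port stays up and the counter is the only sign that something unauthorized is plugged in.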

Optionally, if you want the port to recover by itself instead of waiting for an administrator, you can add these global configuration commands:

errdisable recovery cause psecure-violation
errdisable recovery interval 3600

This will cause an err-disabled port to come back up after 3600 seconds (60 minutes; the interval is in seconds and applies to every enabled recovery cause). Note that recovery only re-enables the port: if the unauthorized device is still plugged in, the next frame it sends will trip port-security again and the port goes straight back to err-disabled, so you still need to find and remove the device.
