Port Security: Ultimate Definition

Unanswered Question
Jul 30th, 2007

Hi gurus,


What I really want is a definitive answer as to precisely what "port security" does. I've read and re-read config guides and any doco I can find on port security but still cannot answer these questions.


I have it configured and working in our network but I need some clarification on a couple of points:


Assuming a MAC address is mapped (either statically or via sticky): Once a MAC address is known on a specific secure port on "Switch A" it cannot appear on another _secure_ port on "Switch A".


1. What about secure ports on "Switch B"?

2. Does the secure mapping apply only to the local switch, or is it propagated throughout the network somehow?


I'm sure I've witnessed behaviour that would suggest that other switches are able to limit connectivity based on non-local port-security info, but I can find no doco to confirm or deny that this _should_ be the case.


I need to get port security past my Change Board, so I need to be certain of the way it works (or doesn't work), as I'm going to get questions!


Thanks for any assistance.


Cheers,

Ben.


[Edit] I've just posted another message about port security not appearing to work as documented on a switch I've set up for testing. Hope someone can help with either :)

gmarogi Fri, 08/03/2007 - 09:46

You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the Media Access Control (MAC) address of the station attempting to access the port is different from any of the MAC addresses specified for that port.

For more information please click following URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst5000/catos/5.x/configuration/guide/sec_port.html#wp1019841


Edison Ortiz Fri, 08/03/2007 - 10:13

1. Yes


2. It only applies to the local switch, it's not propagated in the network.


Rack1SW4#sh run int f0/7
Building configuration...

Current configuration : 136 bytes
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.1001.8f8f
end


Rack1SW4(config)#int f0/8
Rack1SW4(config-if)# switchport mode access
Rack1SW4(config-if)# switchport port-security
Rack1SW4(config-if)# switchport port-security mac-address 0000.1001.8f8f
Found duplicate mac-address 0000.1001.8f8f.


Rack1SW1#sh run int f0/7
Building configuration...

Current configuration : 136 bytes
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.1001.8f8f


Verifying they are connected to each other:

Rack1SW4#sh cdp ne | i Rack1SW1
Rack1SW1         Fas 0/15          179          R S I     WS-C3560-4Fas 0/21
Rack1SW1         Fas 0/14          179          R S I     WS-C3560-4Fas 0/20
Rack1SW1         Fas 0/13          179          R S I     WS-C3560-4Fas 0/19
Rack1SW4#
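The two answers above make two separate points: a secure port drops input whose source MAC is not one of the addresses secured on that port, and the table of secured addresses lives on the individual switch, so the same MAC can be bound on Rack1SW4 and on Rack1SW1 at once while a second port on the same switch is refused with "Found duplicate mac-address". The following Python model is an added example, not code from this thread or from Cisco IOS. It keeps one secure-MAC table per switch object and reproduces the behaviour shown in the CLI output, plus the reload difference between sticky and dynamically learned addresses. All class and method names, the hostnames and the MAC addresses are assumptions made for the example; it simplifies IOS (no violation modes, no aging) and is meant only to make the scoping rule concrete.

```python
"""
Simplified model of Cisco-style port security, added as an illustration.
NOT Cisco IOS code: every name here is an assumption for the example.
Key property modelled: the secure-MAC table is per switch. Nothing is
shared between Switch objects, exactly as nothing is propagated between
real switches.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1          # switchport port-security maximum <n>
    sticky: bool = False      # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)   # configured or sticky-learned, survive reload
    dynamic_macs: set = field(default_factory=set)  # learned without sticky, lost on reload

    @property
    def secure_macs(self):
        return self.static_macs | self.dynamic_macs


class Switch:
    """One switch with its own, independent port-security table."""

    def __init__(self, hostname):
        self.hostname = hostname
        self.ports = {}       # port name -> SecurePort

    def secure_port(self, name, maximum=1, sticky=False):
        self.ports[name] = SecurePort(name, maximum, sticky)

    def _owner(self, mac):
        """Return the secure port on THIS switch that already holds `mac`, if any."""
        for p in self.ports.values():
            if mac in p.secure_macs:
                return p
        return None

    def add_static(self, port, mac):
        """Static secure MAC. A MAC may be secured on only one port of a switch;
        IOS reports the second attempt as 'Found duplicate mac-address'."""
        p = self.ports[port]
        owner = self._owner(mac)
        if owner is not None and owner is not p:
            raise ValueError("Found duplicate mac-address %s." % mac)
        if mac not in p.secure_macs and len(p.secure_macs) >= p.maximum:
            raise ValueError("%s: maximum secure addresses reached" % port)
        p.dynamic_macs.discard(mac)   # a static entry replaces a dynamic one
        p.static_macs.add(mac)

    def receive(self, port, src_mac):
        """Fate of a frame with source `src_mac` arriving on `port`:
        'forward', 'learn' (address becomes secure) or 'violation'."""
        p = self.ports[port]
        if src_mac in p.secure_macs:
            return "forward"
        if self._owner(src_mac) is not None:
            return "violation"        # secure MAC showing up on another port of the same switch
        if len(p.secure_macs) < p.maximum:
            (p.static_macs if p.sticky else p.dynamic_macs).add(src_mac)
            return "learn"
        return "violation"            # table full, unknown source address is blocked

    def reload(self):
        """Dynamic secure addresses do not survive a reload; sticky ones do."""
        for p in self.ports.values():
            p.dynamic_macs.clear()


def thread_scenario():
    """Replay the thread: same MAC on f0/7 of two switches, duplicate on f0/8 of one."""
    mac = "0000.1001.8f8f"                       # MAC from the posted config
    sw4, sw1, sw2 = Switch("Rack1SW4"), Switch("Rack1SW1"), Switch("Rack1SW2")
    for sw in (sw4, sw1, sw2):
        sw.secure_port("f0/7")
        sw.secure_port("f0/8")
    sw4.add_static("f0/7", mac)                  # accepted on SW4
    sw1.add_static("f0/7", mac)                  # also accepted on SW1: tables are independent
    try:
        sw4.add_static("f0/8", mac)              # second port on the SAME switch
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    return {
        "duplicate_rejected_on_same_switch": duplicate_rejected,
        "sw4_f0/7": sw4.receive("f0/7", mac),                 # forward
        "sw4_f0/8": sw4.receive("f0/8", mac),                 # violation, bound to f0/7 on SW4
        "sw2_f0/8": sw2.receive("f0/8", mac),                 # learn: SW2 knows nothing about SW4
        "intruder_on_sw4_f0/7": sw4.receive("f0/7", "0000.aaaa.bbbb"),   # violation
    }


if __name__ == "__main__":
    for k, v in thread_scenario().items():
        print(k, v)
```

Switch objects never consult each other, which is the whole answer to question 2: a MAC that Rack1SW4 has bound to f0/7 is an ordinary, learnable address on a third switch (`sw2_f0/8` comes back as `learn`), and only a port on the same switch sees it as a violation. The `reload` method shows why sticky matters for the Change Board question: addresses learned without sticky are gone after a reload, while sticky-learned and static ones stay.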

