
What Is Port Security?

Port security controls and manages network traffic based on MAC addresses. This function not only binds MAC addresses to ports, but also limits the number of MAC addresses that can be learned by a port. It converts dynamic MAC addresses learned by a port into secure MAC addresses (including secure dynamic MAC addresses, secure static MAC addresses, and sticky MAC addresses), and allows only packets with source MAC addresses in the secure MAC address list to pass through. Packets whose source MAC addresses are not in the secure MAC address list are considered unauthorized. Port security prevents unauthorized users from accessing the switch through the port, enhancing network security.

Why Do We Need Port Security?

A switch learns the source MAC address of every frame a port receives, so anyone who can send frames into a port can influence its MAC address table. If an unauthorized user obtains the MAC addresses learned on a port, they can use those addresses to communicate with the devices behind the port and launch attacks. If an unauthorized user sends a large number of packets with varying source MAC addresses to the switch, the MAC address entry resources on the switch can be exhausted; the switch can then no longer learn the source MAC addresses of legitimate packets and has to flood their traffic, which the attacker can observe. Likewise, on a network with high security requirements, visitors who connect their own computers to the enterprise network pose a considerable risk.

To mitigate such risks, enable port security on the device so that the dynamic MAC addresses learned by a port are converted into secure MAC addresses. At that moment the dynamic MAC address entries already learned on the port are deleted; the port then relearns addresses as secure MAC addresses until the configured upper limit is reached, after which it stops learning new MAC addresses. If the source MAC address of a packet received on the port matches a secure MAC address entry, the switch forwards the packet. If no match is found once the limit is reached, the switch treats the packet as an attack packet and takes a protective action, such as discarding the packet, reporting an alarm, or shutting down the port.

How Does Port Security Work?

MAC address entries are classified as dynamic, static, or blackhole MAC address entries. Secure MAC addresses form a further category: they are created either by converting the dynamic entries learned on a port with port security enabled (secure dynamic and sticky MAC addresses) or by manual configuration (secure static MAC addresses).

After port security is enabled, a port forwards only frames whose source MAC address is in its secure MAC address list, or that it can still learn within the configured limit. Any other frame is a violation, and the device takes the configured protective action: discarding the packets, reporting an alarm, or shutting down the port.

Classification of Secure MAC Addresses

Secure MAC addresses are classified into secure dynamic MAC addresses, secure static MAC addresses, and sticky MAC addresses.

Table 1-1 Description of secure MAC addresses

Secure dynamic MAC address
  Definition: MAC address that is converted on a port with port security enabled but sticky MAC disabled.
  Features:
  • After a device restarts, secure dynamic MAC addresses are lost and need to be relearned.
  • By default, secure dynamic MAC addresses never age. They can be aged only after an aging time is set, based on either the absolute aging time or the relative aging time:
    - Absolute aging time: When the absolute aging time is set to 5 minutes, the system calculates the lifetime of each MAC address every minute. If the lifetime is greater than or equal to 5 minutes, the system immediately ages out the secure dynamic MAC address. If the lifetime is less than 5 minutes, the system checks again 1 minute later. Traffic from the address does not extend its lifetime.
    - Relative aging time: When the relative aging time is set to 5 minutes, the system checks every minute whether traffic has been received from the secure dynamic MAC address. If no traffic is received from the address for 5 minutes, the address is aged out.

Secure static MAC address
  Definition: MAC address that is manually configured on a port with port security enabled.
  Features:
  • Secure static MAC addresses are not aged out and are not lost after a device restart.
  • Before configuring secure static MAC addresses, you need to know the endpoint MAC address and then manually configure the mapping between the port, MAC address, and VLAN.

Sticky MAC address
  Definition: MAC address that is converted on a port with both port security and sticky MAC enabled.
  Features:
  • Sticky MAC addresses are not aged out and are not lost after a device restart, provided the configuration is saved.
  • You do not need to know the endpoint MAC address before enabling sticky MAC. After sticky MAC is enabled on a port, the mapping between the port, MAC address, and VLAN is generated automatically.
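The two aging modes in Table 1-1 are easiest to see with a minute-by-minute model. The following is an added example, not code from the page or from any switch vendor: a port that runs the per-minute aging check the page describes, in either absolute or relative mode. The class and function names, the simulated clock, and the sample MAC address are assumptions made for the illustration; the default of "no aging time means never age" follows the page.

```python
# Added example (not from the page or any vendor): a minute-granularity model
# of secure dynamic MAC aging, absolute vs relative, as this page describes it.
# Names, the simulated clock and the sample MAC address are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecureDynamicEntry:
    mac: str
    learned_at: int   # minute at which the entry was learned/converted
    last_seen: int    # minute at which the last frame from this MAC arrived


@dataclass
class AgingPort:
    """One port with port security enabled; aging_time=None means 'never age'."""
    aging_time: Optional[int] = None
    mode: str = "absolute"        # "absolute" or "relative"
    now: int = 0                  # simulated clock, in minutes
    entries: Dict[str, SecureDynamicEntry] = field(default_factory=dict)

    def learn(self, mac: str) -> None:
        self.entries[mac] = SecureDynamicEntry(mac, self.now, self.now)

    def traffic(self, mac: str) -> None:
        """A frame with this source MAC arrived in the current minute."""
        if mac in self.entries:
            self.entries[mac].last_seen = self.now

    def tick(self) -> List[str]:
        """Advance the clock by one minute and run the per-minute aging check.
        Returns the MAC addresses aged out by this check."""
        self.now += 1
        if self.aging_time is None:
            return []                 # page default: secure dynamic MACs never age
        aged = []
        for mac, e in list(self.entries.items()):
            if self.mode == "absolute":
                # lifetime since the entry was created, regardless of traffic
                expired = self.now - e.learned_at >= self.aging_time
            else:
                # idle time since the last frame from this MAC
                expired = self.now - e.last_seen >= self.aging_time
            if expired:
                aged.append(mac)
                del self.entries[mac]
        return aged


def run(mode: str, aging_time: Optional[int], traffic_minutes: Set[int],
        minutes: int = 12) -> Optional[int]:
    """Learn one MAC at minute 0, send traffic from it in the given minutes, and
    return the minute at which the entry is aged out (None if it survives)."""
    port = AgingPort(aging_time=aging_time, mode=mode)
    port.learn("0011-2233-4455")        # constructed sample address
    for _ in range(minutes):
        if port.tick():
            return port.now
        if port.now in traffic_minutes:
            port.traffic("0011-2233-4455")
    return None


if __name__ == "__main__":
    # Absolute, 5 min: traffic every minute does not help; aged at minute 5.
    print("absolute, busy host:", run("absolute", 5, set(range(1, 12))))
    # Relative, 5 min: traffic at minutes 1-3 resets the idle timer; aged at 3 + 5 = 8.
    print("relative, traffic until minute 3:", run("relative", 5, {1, 2, 3}))
    # No aging time configured: the entry is never aged.
    print("no aging time:", run("relative", None, set()))
```

The practical difference: absolute aging forces a periodic re-learn even for a host that never stops talking (useful on hot-desk ports), while relative aging only removes entries for hosts that have gone quiet.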

MAC Address Changes

When port security or sticky MAC is enabled or disabled on a port, MAC addresses on the port may change or be deleted, as follows.

Port security
  • Enabled: The dynamic MAC address entries already learned on the port are deleted, and MAC address entries learned afterwards are converted into secure dynamic MAC address entries.
  • Disabled: The existing secure dynamic MAC address entries on the port are deleted, and the port relearns them as dynamic MAC address entries.

Sticky MAC
  • Enabled: The existing secure dynamic MAC address entries, and MAC address entries learned afterwards on the port, are converted into sticky MAC address entries.
  • Disabled: The sticky MAC address entries on the port are converted into secure dynamic MAC address entries.

Action to Take After the Number of Secure MAC Addresses Exceeds the Limit

After port security is enabled, a port can learn only one secure MAC address by default. You can manually set the number of secure MAC addresses that a port can learn. When the number of secure MAC addresses on a port reaches the limit, if the port receives packets whose source MAC address is not in the secure MAC address list, the switch considers that an attack from an unauthorized user occurs regardless of whether the destination MAC address of packets exists in the MAC address list. It then takes a specified action to protect the port. There are three port security protective actions: restrict, protect, and shutdown. The following table lists the protective actions for port security. By default, the protective action is restrict.

Table 1-2 Action to take after the number of secure MAC addresses exceeds the limit

  • restrict: Discards packets whose source MAC addresses are not in the secure MAC address list and reports an alarm. This action is recommended: the violation is visible to operators while the legitimate hosts on the port keep working.
  • protect: Discards packets whose source MAC addresses are not in the secure MAC address list but does not report an alarm, so violations leave no alarm trail.
  • shutdown: Sets the port state to error-down and reports an alarm. The port stays down until it is recovered (manually, or by an automatic recovery mechanism if the device provides one), so a single rogue or mis-cabled MAC address takes every host on that port offline, including the legitimate ones.

Action to Take When Static MAC Address Flapping Occurs

For flapping detection, secure MAC addresses are treated as static MAC addresses. After static MAC address flapping detection is configured on a port, if the source MAC address of a packet received on the port already exists as a static (including secure) MAC address entry on another port, the switch considers that static MAC address flapping has occurred and takes the configured protective action. The same three protective actions are available: restrict, protect, and shutdown.

Table 1-3 Protective action on a port where static MAC address flapping occurs

  • restrict: Discards the packets that trigger static MAC address flapping and reports an alarm. This action is recommended.
  • protect: Discards the packets that trigger static MAC address flapping but does not report an alarm.
  • shutdown: Sets the port state to error-down and reports an alarm.
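To tie together the MAC address changes table, Table 1-2 and Table 1-3, here is an added example that is not code from the page or from any vendor: a small model of a switch whose ports enforce port security as this page describes it, with the secure MAC limit, the restrict/protect/shutdown actions, sticky conversion, and static MAC flapping detection. The port names, MAC addresses and frame sequence are constructed; which entry types survive disabling port security for sticky and static entries is an assumption, since the page only specifies the secure dynamic case.

```python
# Added example (not from the page or any vendor): a model of port security
# enforcement on a switch. Port names, MACs and the frame sequence are
# constructed; only secure dynamic entries are removed on "disable port
# security" here, which the page specifies, while keeping sticky/static
# entries is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Port:
    name: str
    security: bool = False
    sticky: bool = False
    flap_detect: bool = False
    max_mac: int = 1                 # page: one secure MAC per port by default
    action: str = "restrict"         # page: restrict is the default action
    flap_action: str = "restrict"
    error_down: bool = False
    dynamic: Set[str] = field(default_factory=set)        # plain learned MACs
    secure: Dict[str, str] = field(default_factory=dict)  # mac -> dynamic|sticky|static


class Switch:
    def __init__(self, *ports: Port) -> None:
        self.ports = {p.name: p for p in ports}
        self.alarms: List[str] = []

    # --- configuration changes and their effect on the MAC table ----------
    def enable_port_security(self, name: str, max_mac: int = 1,
                             action: str = "restrict") -> None:
        p = self.ports[name]
        p.security, p.max_mac, p.action = True, max_mac, action
        p.dynamic.clear()            # already-learned dynamic entries are deleted

    def disable_port_security(self, name: str) -> None:
        p = self.ports[name]
        p.security = False
        # secure dynamic entries are deleted; the port relearns them as dynamic
        p.secure = {m: k for m, k in p.secure.items() if k != "dynamic"}

    def set_sticky(self, name: str, on: bool) -> None:
        p = self.ports[name]
        p.sticky = on
        src, dst = ("dynamic", "sticky") if on else ("sticky", "dynamic")
        for m, k in p.secure.items():
            if k == src:
                p.secure[m] = dst    # dynamic <-> sticky conversion

    def add_secure_static(self, name: str, mac: str) -> None:
        self.ports[name].secure[mac] = "static"

    # --- data plane --------------------------------------------------------
    def _violate(self, p: Port, action: str, reason: str) -> str:
        if action == "shutdown":
            p.error_down = True      # stays down until the port is recovered
        if action in ("restrict", "shutdown"):
            self.alarms.append(f"{p.name}: {reason}")
        return "drop"                # protect drops silently

    def receive(self, name: str, src_mac: str) -> str:
        """Process one frame arriving on a port; returns 'forward' or 'drop'."""
        p = self.ports[name]
        if p.error_down:
            return "drop"
        if not p.security:
            p.dynamic.add(src_mac)
            return "forward"
        if src_mac in p.secure:
            return "forward"
        if p.flap_detect and any(src_mac in o.secure
                                 for o in self.ports.values() if o is not p):
            return self._violate(p, p.flap_action, f"static MAC flapping by {src_mac}")
        if len(p.secure) < p.max_mac:
            p.secure[src_mac] = "sticky" if p.sticky else "dynamic"
            return "forward"
        return self._violate(p, p.action, f"limit {p.max_mac} reached, {src_mac} rejected")


def demo() -> dict:
    """Constructed scenario: GE1 carries an IP phone plus PC1 (limit 2, restrict),
    GE2 a single PC with sticky MAC (protect), GE3 uses shutdown."""
    sw = Switch(Port("GE1"), Port("GE2"), Port("GE3"))
    sw.enable_port_security("GE1", max_mac=2)
    sw.enable_port_security("GE2", max_mac=1, action="protect")
    sw.set_sticky("GE2", True)
    sw.ports["GE2"].flap_detect = True
    sw.enable_port_security("GE3", max_mac=1, action="shutdown")
    r = {}
    r["ge1_phone"] = sw.receive("GE1", "0001-0001-0001")
    r["ge1_pc1"] = sw.receive("GE1", "0001-0001-0002")
    r["ge1_rogue"] = sw.receive("GE1", "0bad-0bad-0bad")   # drop + alarm
    r["ge2_pc2"] = sw.receive("GE2", "0002-0002-0002")
    r["ge2_rogue"] = sw.receive("GE2", "0bad-0bad-0bad")   # drop, no alarm
    r["ge2_flap"] = sw.receive("GE2", "0001-0001-0002")    # PC1's MAC moved ports
    r["ge3_first"] = sw.receive("GE3", "0003-0003-0003")
    r["ge3_rogue"] = sw.receive("GE3", "0bad-0bad-0bad")   # port goes error-down
    r["ge3_after"] = sw.receive("GE3", "0003-0003-0003")   # legit host is cut off too
    r["ge2_kind"] = sw.ports["GE2"].secure["0002-0002-0002"]
    r["ge3_down"] = sw.ports["GE3"].error_down
    r["alarms"] = sw.alarms
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the scenario makes visible: with protect, the rogue frame on GE2 is dropped but nothing is reported; with shutdown, the legitimate host on GE3 is cut off along with the attacker, which is why the page recommends restrict.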

How to Apply Port Security on the Network?

Port security can be configured on:

  • Access devices, to prevent unauthorized users from initiating attacks through ports.
  • Aggregation devices, to control the number of access users.

Configuring Port Security at the Access Layer

As shown in the following figure, PC1 and PC3 connect to SwitchA through IP phones, and PC2 directly connects to SwitchA. To ensure security of SwitchA and prevent attacks from unauthorized users, configure port security on the ports connecting SwitchA to the endpoints to restrict the number of MAC addresses of hosts connected to ports on the switch. As the endpoint MAC addresses are fixed, when SwitchA receives packets whose source MAC addresses are not in the secure MAC address list, SwitchA considers the packets as attack packets regardless of whether the destination MAC address of the packets exists in the MAC address list, and takes a specified action to protect the port. Configuring port security on access switches can:
  • Prevent visitors from using their own computers to access the company network.
  • Prevent employees from changing their locations without permission.
Networking of port security on an access device
  • If access users frequently change locations, configure port security to convert dynamic MAC addresses into secure dynamic MAC addresses and set an aging time, so that bound MAC address entries are removed soon after users move.
  • If access users rarely change locations, you can configure port security to convert dynamic MAC addresses to sticky MAC addresses. This ensures that bound MAC address entries are not lost after a device restarts with configurations saved.
  • If there are only a few access users who rarely change locations, you can configure secure static MAC addresses.

Configuring Port Security at the Aggregation Layer

As shown in the following tree networking diagram, multiple users communicate with the aggregation device Switch through SwitchA. To ensure the security of the aggregation device and control the number of access users, configure port security on the aggregation device and set the maximum number of secure MAC addresses. This prevents the MAC address table of the aggregation device from being full due to MAC address flooding.

Networking of port security on an aggregation device
About This Topic
  • Author: Tang Jinhua
  • Updated on: 2024-11-15