Switchport Security Concepts (2024)

Overview

When configuring the security for a network, it is important to take advantage of the security features of all deployed devices. One of the security features available with Cisco switches (among other vendors) is switchport security. While the name of this feature is a bit vague, it makes it possible to limit the number and type of devices that are allowed on the individual switchports. This article takes a look at the concepts behind the switchport security feature.

Switchport Violations

Before getting into the mechanics of how switchport security operates, it is important to review what happens when a violation occurs. On Cisco equipment there are three main violation modes: shutdown, protect, and restrict. These are described in more detail below:

  • Shutdown – When a violation occurs in this mode, the switchport is taken out of service and placed in the err-disabled state. The switchport remains in this state until an administrator manually brings it back up; this is the default switchport security violation mode.
  • Protect – When a violation occurs in this mode, the switchport will permit traffic from known MAC addresses to continue sending traffic while dropping traffic from unknown MAC addresses. When using this mode, no notification message is sent when this violation occurs.
  • Restrict – When a violation occurs in this mode, the switchport will permit traffic from known MAC addresses to continue sending traffic while dropping traffic from unknown MAC addresses. However, unlike the protect violation type, a message is also sent indicating that a violation has occurred.

Switchport Security MAC Addresses

When using the switchport security feature, source MAC addresses are separated into three categories:

  • Static – Static secure MAC addresses are statically configured on each switchport and stored in the address table. The configuration for a static secure MAC address is stored in the running configuration by default and can be made permanent by saving them to the startup configuration.
  • Dynamic – Dynamic secure MAC addresses are learned from the device (or devices) connected to the switchport. These addresses are stored in the address table only and will be lost when the switchport state goes down or when the switch reboots.
  • Sticky – Sticky secure MAC addresses are a hybrid. They are learned dynamically from the devices connected to the switchport, are put into the address table AND are entered into the running configuration as a static secure MAC address (sometimes referred to as a static sticky MAC address). Like a static secure MAC address, these MAC addresses will be lost unless saved to the startup configuration.

The type of secure MAC addresses that an organization uses depends on the specific network environment.

What causes a Switchport Violation?

The next question to ask is what causes a switchport violation. There are two situations that can trigger one:

  • When the maximum number of secure MAC addresses has been added to a switchport's address table and traffic from another MAC address is received on the switchport.
  • When a MAC address that has already been learned as a secure address on one secure switchport is seen on another secure switchport in the same VLAN.

By default, each secure switchport is configured with a maximum of one MAC address. What this means is that if more than one MAC address is seen on any given port a violation will occur. By default, dynamic MAC entries in the address table will never time out (dynamic is the default method used for learning secure MAC addresses) as long as the switchport state remains up.

When using dynamic MAC addresses, engineers must physically disconnect the cable or shut down the switchport to reset the dynamic entries in the address table. When using sticky MAC addresses, either the MAC addresses must be manually removed from the running configuration or the switch must be rebooted to remove the contents from the address table. If the switchport is configured with a static secure MAC address, that address must be manually removed from the running configuration to remove the contents from the address table. Only after the initial address has been removed from the address table can a device with a new MAC address be connected to the switchport (this is the default behaviour, as the maximum number of MAC addresses allowed per switchport is 1).
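To make the violation triggers, the three violation modes and the persistence of dynamic versus sticky addresses concrete, here is a small added model of those rules in Python. It is an illustration written for this article, not IOS code or a Cisco API; the SecurePort and Switch classes and the receive/link_down methods are invented for the example, and the MAC addresses used to exercise it are constructed sample values.

```python
# Toy model of the switchport security rules described on this page; not IOS code.
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    vlan: int
    mode: str = "shutdown"   # IOS default violation mode
    maximum: int = 1         # IOS default: one secure MAC per port
    sticky: bool = False     # learned MACs go to running-config instead of table only
    static: set = field(default_factory=set)   # static and sticky entries (running-config)
    dynamic: set = field(default_factory=set)  # table-only entries, lost when link goes down
    err_disabled: bool = False

    def secure_macs(self):
        return self.static | self.dynamic

class Switch:
    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}
        self.syslog = []   # notifications: sent by restrict and shutdown, never by protect

    def violation(self, port, mac):
        if port.mode == "shutdown":
            port.err_disabled = True       # stays down until manually re-enabled
            port.dynamic.clear()           # link is down, so table-only entries are gone
            self.syslog.append(f"{port.name}: err-disabled, violation by {mac}")
        elif port.mode == "restrict":
            self.syslog.append(f"{port.name}: violation by {mac}")
        return "drop"                      # protect: same drop, but silent

    def receive(self, port_name, mac):
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop"
        if mac in port.secure_macs():
            return "forward"
        # Trigger 1: the table already holds the maximum number of secure MACs.
        if len(port.secure_macs()) >= port.maximum:
            return self.violation(port, mac)
        # Trigger 2: the MAC is already secure on another secure port in the same VLAN.
        for other in self.ports.values():
            if other is not port and other.vlan == port.vlan and mac in other.secure_macs():
                return self.violation(port, mac)
        (port.static if port.sticky else port.dynamic).add(mac)   # learn it
        return "forward"

    def link_down(self, port_name):
        self.ports[port_name].dynamic.clear()   # static and sticky entries survive
```

Walking a few constructed frames through `receive` on ports with different modes shows why a restrict port keeps serving its known hosts while a shutdown port drops everything once err-disabled, and why a sticky port still knows its hosts after the link bounces.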

Summary

There are certainly a number of different concepts to learn to make the port security feature work well in an organizational environment; if configured badly, it can quickly become more of a hindrance than a help. The purpose of this article is to cover the basic concepts behind the switchport security feature as preparation for switchport security configuration. Hopefully, this article can serve as a starting point when learning about the switchport security feature and provides enough detail so that the configuration is easier to understand.


Article information

Author: Reed Wilderman