4.9. Port security

Port security is a range of features on switches and routers to make sure that certain security policies are upheld.

The maximum-number-of-MAC-addresses policy can interfere with the operation of the Steelhead appliance. Normally a link between a switch and a router has only two devices on it. With an in-path device inserted into that link, the in-path device's own MAC address also appears on the link, so the number of MAC addresses seen by the router or switch increases; if the port allows only one address (as in the example below), the additional address is treated as a security violation.

On a Cisco switch or router, the status of port security can be seen with the command show port-security; the details for a single interface are shown with show port-security interface <interface>.

Figure 4.19. Port security show commands

Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              1            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch#sh port-security interface gi0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 5 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 00a0.1234.5678
Security Violation Count   : 0

Port security can be disabled for a particular interface with the command no switchport port-security. The number of MAC addresses allowed on an interface can be changed with the command switchport port-security maximum <number>. Note that in the Protect violation mode shown above, frames from addresses beyond the maximum are dropped without any notification, so the Security Violation Count stays at 0 even while traffic from the in-path device is being discarded.

Figure 4.20. Port security configuration commands

Switch(config)# interface gig 0/1
Switch(config-if)# no switchport port-security
Switch(config-if)# switchport port-security maximum 3
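As an added example (not part of the original guide or of any Riverbed or Cisco tool), the following Python script parses the per-interface show port-security output from Figure 4.19 and reports what would block an in-path deployment: a maximum below the number of addresses the link will carry, a Protect violation mode that discards frames silently, and violations already recorded. The sample output and the required_addresses parameter are assumptions.

```python
import re

# Constructed sample, modelled on the "show port-security interface"
# display in Figure 4.19 (not captured from a real device).
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 5 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 00a0.1234.5678
Security Violation Count   : 0
"""

# Each line of the output has the shape "Key : Value".
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_port_security(text):
    """Turn the 'Key : Value' lines of the show output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def audit_port_security(text, required_addresses):
    """Return findings for a port that will carry an in-path device.

    required_addresses (hypothetical parameter) is the number of MAC
    addresses the port must accept once the in-path device is installed.
    """
    f = parse_port_security(text)
    findings = []
    if f.get("Port Security") != "Enabled":
        return findings  # port security off: nothing to check
    maximum = int(f.get("Maximum MAC Addresses", "0"))
    if maximum < required_addresses:
        findings.append(f"maximum {maximum} < required {required_addresses}; "
                        f"use 'switchport port-security maximum {required_addresses}'")
    if f.get("Violation Mode") == "Protect":
        # Protect drops excess frames with no log, trap or counter increment.
        findings.append("Protect mode drops frames silently; violation count stays 0")
    violations = int(f.get("Security Violation Count", "0"))
    if violations:
        findings.append(f"{violations} security violation(s) already recorded")
    return findings
```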