Port Security
Port security is a layer 2 traffic control feature that enables you to limit port access to a specific number of MAC addresses or specific MAC addresses so that the port does not forward ingress traffic from undefined source addresses (static MAC).
You can configure what action to take when there is a port security violation (drop packets or put the port into protodown state) and add a timeout for the action to take effect. The default setting mode is to drop packets.
Port security supports 802.1X interfaces, layer 2 interfaces in trunk or access mode but not interfaces in a bond. For information about how port security and 802.1X work together, see 802.1x multi host mode.
Configure Port Security
To configure port security:
To enable security on a port, run the nv set interface <interface> port-security enable on command:
cumulus@switch:~$ nv set interface swp1 port-security enable on
cumulus@switch:~$ nv config apply
You can disable port security on an interface with the nv set interface <interface> port-security enable off command.
To configure the maximum number of MAC addresses allowed to access the port, run the nv set interface <interface> port-security mac-limit command. You can specify a value between 1 and 512. The default value is 32.
cumulus@switch:~$ nv set interface swp1 port-security mac-limit 100
cumulus@switch:~$ nv config apply
To configure specific MAC addresses allowed to access the port, run the nv set interface <interface> port-security static-mac command.
You can configure a maximum of 450 static MAC addresses per interface.
cumulus@switch:~$ nv set interface swp1 port-security static-mac 00:02:00:00:00:05
cumulus@switch:~$ nv set interface swp1 port-security static-mac 00:02:00:00:00:06
cumulus@switch:~$ nv config apply
To enable sticky MAC port security to track specific dynamically learned MAC addresses on a port, run the nv set interface <interface> port-security sticky-mac enabled command.
Cumulus Linux maintains learned sticky MAC addresses through interface flaps and reboots if the source MAC address is still sending traffic; otherwise learned sticky MAC addresses age out according to the sticky MAC aging time.
cumulus@switch:~$ nv set interface swp1 port-security sticky-mac enabled
cumulus@switch:~$ nv config apply
To enable sticky MAC aging, run the nv set interface <interface> port-security sticky-aging enabled command.
cumulus@switch:~$ nv set interface swp1 port-security sticky-ageing enabled
cumulus@switch:~$ nv config apply
To configure the time period after which learned sticky MAC addresses age out and no longer have access to the port, run the nv set interface <interface> port-security sticky-timeout command. You can specify a value between 0 and 3600 minutes. The default setting is 1800 minutes.
cumulus@switch:~$ nv set interface swp1 port-security sticky-timeout 20
cumulus@switch:~$ nv config apply
To configure violation mode, either run the nv set interface <interface> port-security violation-mode protodown command to put a port into a protodown state or run the nv set interface <interface> port-security violation-mode restrict command to drop packets.
cumulus@switch:~$ nv set interface swp1 port-security violation-mode protodown
cumulus@switch:~$ nv config apply
cumulus@switch:~$ sudo ip link set swp2 protodown_reason portsecurity off
cumulus@switch:~$ sudo ip link set swp2 protodown off
To configure the number of minutes after which the violation mode times out, run the nv set interface <interface> port-security violation-timeout command. You can specify a value between 0 and 60 minutes. The default value is 30 minutes.
cumulus@switch:~$ nv set interface swp1 port-security violation-timeout 60
cumulus@switch:~$ nv config apply
Add the configuration settings you want to use to the /etc/cumulus/switchd.d/port_security.conf file, then reload switchd with the sudo systemctl reload switchd.service command to apply the changes.
Setting | Description |
|---|---|
interface.<port>.port_security.enable | Enables and disables port security. 1 enables security on the port. 0 disables security on the port. The default setting is 0. |
interface.<port>.port_security.mac_limit | Configures the maximum number of MAC addresses allowed to access the port. You can specify a number between 0 and 512. The default value is 32. |
interface.<port>.port_security.static_mac | Configures the specific MAC addresses allowed to access the port. To specify multiple MAC addresses, separate each MAC address with a space. |
interface.<port>.port_security.sticky_mac | Enables and disables sticky MAC port security to track specific dynamically learned MAC addresses on a port. 1 enables sticky MAC. 0 disables sticky MAC. Cumulus Linux maintains learned sticky MAC addresses through interface flaps and reboots if the source MAC address is still sending traffic; otherwise learned sticky MAC addresses age out according to the sticky MAC aging time. |
interface.<port>.port_security.sticky_timeout | The time period after which learned sticky MAC addresses age out and no longer have access to the port. You can specify a value between 0 and 3600 minutes. The default aging timeout value is 1800. |
interface.<port>.port_security.sticky_aging | Enables and disables sticky MAC aging. 1 enables sticky MAC aging. 0 disables sticky MAC aging. |
interface.<port>.port_security.violation_mode | Configures the violation mode: 0 (protodown) puts a port into a protodown state. 1 (restrict) drops packets. The default setting is 1. |
interface.<port>.port_security.violation_timeout | Configures the number of minutes after which the violation mode times out. You can specify a value between 0 and 3600. The default value is 1800. |
The following shows an example /etc/cumulus/switchd.d/port_security.conf configuration file:
cumulus@switch:~$ sudo nano /etc/cumulus/switchd.d/port_security.conf
...
## Interface Port security
interface.swp1.port_security.enable = 1
interface.swp1.port_security.mac_limit = 100
interface.swp1.port_security.sticky_mac = 1
interface.swp1.port_security.sticky_timeout = 2000
interface.swp1.port_security.sticky_aging = 1
interface.swp1.port_security.violation_mode = 0
interface.swp1.port_security.violation_timeout = 3600
interface.swp1.port_security.static_mac = 00:02:00:00:00:05 00:02:00:00:00:06
Clear the Protodown State
If there is a port security violation and the port goes into a protodown state, you can clear the protodown state after you mitigate the MAC address causing the violation with the following commands:
cumulus@switch:~$ sudo ip link set swp1 protodown_reason portsecurity off
cumulus@switch:~$ sudo ip link set swp1 protodown off
Troubleshooting
To show port security configuration, run the nv show interface <interface-id> port-security command:
cumulus@switch:~$ nv show interface swp1 port-security
operational applied
----------------- ----------- --------
enable on on
mac-limit 32 32
sticky-mac disabled disabled
sticky-timeout 1800 1800
sticky-ageing disabled disabled
violation-mode restrict restrict
violation-timeout 30 30
mac-addresses
================
entry-id MAC address Type Status
-------- ----------------- ------- ---------
1 00:01:02:03:04:05
2 00:02:00:00:00:ab Static
3 00:02:00:00:00:05 Static
4 00:02:00:00:01:05 Static
5 00:02:00:00:01:06 Static
6 00:02:01:00:01:06 Static
7 01:02:01:00:01:06 Static
8 00:02:00:00:00:11 Dynamic Installed
- To show port security static MAC address information, run the
nv show interface <interface-id> port-security static-maccommand. - To show port security MAC address information, run the
nv show interface <interface-id> port-security mac-addressescommand.