Port security Confusion

sarahanand Member Posts: 52
Port security allows restricting access to the LAN. So, we are setting a restriction on the port of an interface, for example FastEthernet 0/1, which connects to PC1. When I set "switchport port-security maximum 5120", I am allowing a maximum of 5120 MAC addresses at a time, right? So am I correct in thinking that through that one cable, from PC1 to SW1, I am allowing 5120 MAC addresses to connect to the switch? And all those 5120 addresses are incoming through PC1? And that means that I can have more than a single SSH or Telnet session through PC1 to the switch?

I suddenly feel I've lost the connection between the previous chapters and this.


  • Dieg0M Member Posts: 861
    Port-security is a layer 2 security feature and has nothing to do with upper-layer protocols like SSH or Telnet. Applying the port-security maximum feature on a port simply means that it will restrict this port's ingress traffic by limiting the number of MAC addresses that are allowed to send traffic into the port. These MAC addresses can be learned dynamically, statically or with the sticky mac-address feature.
    Follow my CCDE journey at www.routingnull0.com
  • sarahanand Member Posts: 52

    I thought the SSH or Telnet session would be accessing the switch through the port I'm setting the security on. So if I were setting the MAC address of the PC the Telnet or SSH operates on, I would be able to explicitly set that MAC on that port.

    I've got my concept so wrong here. Please correct me.

  • docrice Member Posts: 1,706
    5120 MACs seem rather excessive, but in theory could be needed in cases where the workstation connected to that port has virtualization software with 5000 guest VMs (with the VMs connected to the network in bridged mode). Normally you'd see a port-security max value under 5 or 10 (or even 1).

    In regards to SSH or Telnet, those are protocols working above L2. The port-security function has no understanding of them; it merely counts the number of MACs in the switch CAM for that port and sets a limitation with a specified result if that limit is exceeded (shutting down the port, merely blocking new MACs that exceed the threshold, or sending an SNMP trap).

    It sounds like you're not clear on how the different protocols stack on top of each other in the TCP/IP four-layer model or the OSI seven-layer model. This is understandable as it's a concept that takes most people quite some time to grasp. What's also partly to blame is how this model has been taught to students based on the books that I've read over the years.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • bdepak.003 Member Posts: 16
    Port-security has nothing to do with Telnet or SSH.

    The exact use of the command "switchport port-security maximum 5120" is this: the command sets the maximum number (1 - 3072) of MAC addresses for the interface.

    Then you can use the violation command to restrict or shut down when your specified number of MAC addresses is exceeded.

    Hope this helps you.
  • TechGuru80 Member Posts: 1,539
    A good example of using port security is to prevent rogue access points...some user brings in a Linksys router and plugs it in so they can have wireless. Port-security can prevent this from allowing multiple computers to hook up and shut down the port if detected. It will not have anything to do with Telnet or SSH.

    Where you could sort of turn what you said into a truth is if you had several VMs on the computer and tried to do a Telnet/SSH with all of them, since VMs usually each have unique MAC addresses...somebody correct me if that won't cause a violation if over the maximum amount, as I haven't tried it.
  • Serpente Member Posts: 15
    Even though you have 1 cable, it doesn't mean that you can't connect more than 1 PC. For example, someone may plug a hub into that single FastEthernet 0/1 port and then plug multiple PCs into the hub (assuming the port isn't set to access). Each PC will have its own MAC address and the switch will have multiple MAC addresses associated with that port. If you don't want people daisy-chaining hubs and connecting many PCs to a single switchport, then you can use the switchport port-security maximum command to restrict how many unique MAC addresses can be associated with that port.

    As the others stated, Telnet and SSH have nothing to do with port security. I think you may be thinking of the VTY lines. If I remember correctly, a Cisco switch (2950) has 16 VTY lines and a router has 5. If you enable all the lines - set a password and give the login command - then you will have the maximum concurrent telnet/ssh sessions possible (unless you give the no login command in which case anyone can get in and there is no limit to concurrent users). If you want to restrict how many concurrent connections you can have then you enable the number of VTY lines that you want and leave the others disabled. 1 VTY line = 1 remote user.
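Added example (not code from anyone in this thread, and not Cisco code): a small Python model of the behaviour docrice and Serpente describe above. The switch learns the source MAC of each frame entering the port, keeps at most `maximum` secure addresses, and applies the configured violation action to any further source MAC. The three action names follow the Cisco IOS modes set with `switchport port-security violation {protect|restrict|shutdown}`; the class, counter names, return strings, MAC addresses and the three-PCs-behind-a-hub scenario are this model's own constructed conventions, not anything from the posts.

```python
"""Model of a switch port with port-security, keyed on source MAC only.

Illustrative model written for this thread; it is not Cisco's implementation.
It shows two things the replies above make: many frames (say, several SSH
sessions) from ONE source MAC never trip the limit, while a hub that lets a
third PC in behind a 'maximum 2' port does, with different consequences per
violation mode.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"   # protect | restrict | shutdown (IOS mode names)
    secure_macs: set = field(default_factory=set)
    violations: int = 0           # restrict mode counts violations and notifies
    err_disabled: bool = False    # shutdown mode puts the port in err-disabled

    def ingress(self, src_mac: str) -> str:
        """Process one frame arriving on the port; return what happened to it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            # Once shut down, everything on the port is dropped, the legitimate
            # host included, until an operator (or errdisable recovery) re-enables it.
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # dynamic learning, up to the maximum
            return "forwarded (learned)"
        # A new source MAC beyond the maximum is a security violation.
        if self.violation == "protect":
            return "dropped silently"
        if self.violation == "restrict":
            self.violations += 1            # counter increments, SNMP trap/syslog sent
            return "dropped (violation counted, trap/syslog sent)"
        self.err_disabled = True            # shutdown: whole port goes err-disabled
        return "dropped (port err-disabled)"


def hub_scenario(maximum: int, violation: str) -> dict:
    """Three PCs behind a hub on one port; PC1 is the legitimate host.

    Constructed sample traffic: PC1, PC2, PC1 again, then PC3, then PC1 again.
    """
    port = SecurePort("FastEthernet0/1", maximum, violation)
    frames = [
        "00:11:22:33:44:01",   # PC1
        "00:11:22:33:44:02",   # PC2
        "00:11:22:33:44:01",   # PC1
        "00:11:22:33:44:03",   # PC3: the one that exceeds 'maximum 2'
        "00:11:22:33:44:01",   # PC1: does it still get through?
    ]
    results = [port.ingress(m) for m in frames]
    return {
        "results": results,
        "secure": sorted(port.secure_macs),
        "err_disabled": port.err_disabled,
        "violations": port.violations,
    }


def ssh_sessions_scenario(sessions: int) -> list:
    """Many frames from PC1 alone on a 'maximum 1' port: every one is forwarded."""
    port = SecurePort("FastEthernet0/1", maximum=1, violation="shutdown")
    return [port.ingress("00:11:22:33:44:01") for _ in range(sessions)]


if __name__ == "__main__":
    print(ssh_sessions_scenario(3))
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, hub_scenario(2, mode))
```

Running it makes the practical trade-off visible: with `shutdown`, PC3's single frame err-disables the port and PC1's next frame is dropped too, which is exactly why a rogue hub takes the legitimate host off the network; with `protect` or `restrict`, only PC3 is dropped and PC1 keeps working, and only `restrict` leaves a counter and a trap behind for the NOC to notice. The number of SSH or Telnet sessions never enters into it, because every frame from PC1 carries the same source MAC.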
  • docrice Member Posts: 1,706
    The term "port" is one of those things used across different layers which may confuse those new to networking. When dealing with the Cisco switch "port-security" function, this is a feature for physical switch ports. We're not talking about layer 4 ports. Not sure if that's an actual point of confusion with the OP here, but thought I'd add that in.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • mendysue Member Posts: 22
    When it comes to port security I'm pretty sure it's entirely based on SOURCE MAC addresses. That's what was drilled in my content.