Home > Articles > Cisco Certification > CCIE > Basic Cisco IOS Software and Catalyst 3550 Series Security

Basic Cisco IOS Software and Catalyst 3550 Series Security

Chapter Description

Become comfortable with basic Cisco IOS Software and Catalyst 3550 security features with an introduction to password management, disabling unnecessary services, setting up secure HTTP and NTP services, and SSH.

Catalyst 3550 Security

Because the 3550 family of Catalyst switches uses the IOS-based command-line interface, the handling of the basic security features on the switch is virtually the same as it is on the router. By the time this book is released, the 3550 switches will even offer full support of routing protocol security. For now, use Access Control Lists (ACLs), covered in Chapter 16, to enforce remote administration security.

A few security concepts, however, remain specific to the Catalyst switch. Among them is the network security configuration with ACLs, mentioned in the preceding paragraph, and L2VPN, covered in Chapter 25, "Internet Service Provider Security Services." In this lesson, you concentrate on port-based traffic control configuration.

Lesson 15-4: Port-Based Traffic Control

This lesson discusses how to configure the port-based traffic control features on your switch. The lesson consists of the following configuration tasks:

  • Configuring storm control
  • Configuring protected ports
  • Configuring port blocking
  • Configuring port security
  • Port security aging

Configuring Storm Control

A LAN storm takes place when packets overflow the LAN, causing unnecessary traffic and diminishing network stability. Storm control or the traffic suppression feature configured on a physical interface prevents switchports on a LAN from being overwhelmed by a broadcast, multicast, or unicast storm. Storm control screens the incoming traffic over a period of 1 second and compares the amount with the control level threshold if one exists. If the threshold is exceeded, additional traffic is blocked until the continuing monitoring determines that incoming traffic fell below the threshold level, and traffic is then allowed to be forwarded again.

The switch handles separate storm control thresholds for broadcast, multicast, and unicast traffic. Interestingly, when broadcast or unicast thresholds are reached, traffic is suppressed for only that specific type. On the other hand, when the multicast traffic rate exceeds the threshold, all incoming traffic, except spanning-tree packets, including broadcast and unicast, is throttled until the level drops below the specified threshold.

Storm control on an interface is enabled separately for each type of traffic. The configured threshold level is the percentage of total available bandwidth that you want to serve as a limit indicator. The percentage can be from 1 to 100, with an optional fraction. The higher the level, the more packets are allowed to pass through. The default is no storm control, which translates into 100 percent threshold. In contrast, a value of 0.0 means that all port traffic is blocked for a particular type. The syntax for configuring traffic suppression is as follows:

3550-A(config-if)#storm-control [broadcast | multicast | unicast] level level [.level]

Configuring Protected Ports

A protected port feature is used in those environments where no traffic can be forwarded between two ports on the same switch. This way, one neighbor connected to one port does not see the traffic that is generated by another neighbor connected to the second port. The blocking of traffic (unicast, broadcast, or multicast) only works when both ports are protected. When a protected port is communicating with an unprotected port, the traffic is forwarded in the usual manner. Once the ports are protected, traffic between them can only be forwarded by a Layer 3 device.

By default, the protected port feature is not enabled. You can configure protected ports on either a physical interface or an EtherChannel group. Once you enable the protected port feature on the latter, it is extended to all the group's ports. The following command sets port protection:

3550-A(config-if)#switchport protected

Configuring Port Blocking

The default behavior of a switch is to forward the packets with unknown destination MAC addresses to all its ports. This might not always be desirable, especially in terms of security. If you configure a port block feature, then depending on what type of traffic you specified, unicast or multicast packets are not forwarded from one port to another. Blocking unicast or multicast traffic is not automatically enabled, even on a protected port; you must manually define it.

As with the protected interface, you can configure blocking on a physical interface and an EtherChannel group. If blocking is configured on an EtherChannel, it applies to all ports in the group. To block unknown multicast or unicast packets from a port, use the following command:

3550-A(config-if)#switchport block [multicast | unicast]

Configuring Port Security

The port security feature is used to limit access to an interface to only those devices whose MAC address is identified as allowed and as long as the maximum number of allowed addresses is not already reached. In other words, if a port that is configured as secure recognizes that a station is trying to gain access, it checks whether the configured maximum number of secure MAC addresses has been exceeded. If it has not, the port checks the table of secure MAC addresses, and if the MAC address in question is not there yet, the port learns it and marks it as secure. If the preset maximum number has been reached, and the MAC address is not a member of the secure addresses, a security violation is noted. Similarly, the violation occurs when a device whose MAC address is known as secure on one secure port tries to access another secure port.

To configure a secure port, first set the physical interface's mode to "access" because an interface in the default mode cannot be configured as a secure port:

3550-B(config-if)#switchport mode access

Then, enable port security on that interface by using the following command:

3550-B(config-if)#switchport port-security

Placement of the following three commands is optional because the exact commands you choose depend on the desired functional effect. The following command specifies the maximum number of secure MAC addresses for the interface (the number ranges from 1 to 128, with 128 being default):

3550-B(config-if)#switchport port-security maximum value

Next, you can configure the interface to take one of the following actions in case of a security violation:

  • The protect keyword causes the packets with unknown source addresses to be dropped when the maximum threshold is reached.

  • The restrict keyword increments a violation counter.

  • The shutdown keyword, the default, deactivates the port immediately and sends an SNMP trap notification.

3550-B(config-if)#switchport port-security violation [protect | restrict | shutdown]


If a secure port has been shut down as a result of a security violation, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually reenable it by entering the shutdown and no shut down interface configuration commands.

Finally, to enter a secure MAC address for the interface, use the following command. If the number of manually defined addresses is less than the configured maximum, the rest are learned dynamically.

3550-B(config-if)#switchport port-security mac-address mac-address

Port Security Aging

You can define an optional security-aging feature to cause all secure addresses to become obsolete without having to manually remove each of them. The types of aging mechanisms are as follows:

  • Absolute—Specifies an aging period after which the secure addresses on that port are deleted

  • Inactivity—Discards secure addresses only if they have been inactive for the specified aging time

The aging time command includes a number of arguments. The static keyword involves the manually configured addresses for the interface. The time keyword specifies the aging time, ranging from 0 to 1440 minutes. The type identifier indicates either absolute or inactivity, as follows:

3550-B(config-if)#switchport port-security aging [static] time time type [absolute |  inactivity]


The following examples display the outputs from a number of show commands on both switches that assist in the verification and monitoring of port-based traffic control.

Example 15-22 captures a portion of the 3550-A running configuration for interface FastEthernet0/1.

Example 15-22 Running Configuration of 3550-A

interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address 1000.2000.3000
switchport port-security violation protect
switchport port-security aging time 600
no ip address
storm-control broadcast level 10.00
storm-control multicast level 10.00
storm-control unicast level 10.00

Example 15-23 shows a portion of the 3550-B running configuration for interface FastEthernet0/2.

Example 15-23 Running Configuration of 3550-B

interface FastEthernet0/2
switchport mode dynamic auto
switchport block multicast
switchport block unicast
no ip address

Example 15-24 shows the output of the show interfaces fastEthernet switchport command for the 0/1 and 0/2 ports.

Example 15-24 The show interfaces fastEthernet switchport Command Output

3550-A#show interfaces fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: up
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Voice VLAN: none (Inactive)
Appliance trust: none

3550-A#show interfaces fastEthernet 0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Protected: false
Unknown unicast blocked: enabled
Unknown multicast blocked: enabled

Example 15-25 shows the output of the show storm-control command. You can use this command to view your storm control configuration per port.

Example 15-25 The show storm-control Command Output

3550-A#show storm-control
Interface Filter State  Level  Current
--------- ------------- ------- -------
Fa0/1     Forwarding     10.00% 0.00%
Fa0/2     inactive      100.00% N/A
Fa0/3     inactive      100.00% N/A
Fa0/4     inactive      100.00% N/A
Fa0/5     inactive      100.00% N/A
Fa0/6     inactive      100.00% N/A
Fa0/7     inactive      100.00% N/A
Fa0/8     inactive      100.00% N/A
Fa0/9     inactive      100.00% N/A
Fa0/10    inactive      100.00% N/A

Example 15-26 shows the ports configured as secure.

Example 15-26 The show port-security Command Output

3550-A#show port-security address

     Secure Mac Address Table
Vlan  Mac Address    Type        Ports
----  -----------    ----        -----
  1  1000.2000.3000  SecureConfigured   Fa0/1