Implement Port Security
Summary
This topic explains how to implement port security to mitigate MAC address table attacks. Start learning CCNA 200-301 for free right now!
Secure Unused Ports
Layer 2 devices are considered to be the weakest link in a company’s security infrastructure. Layer 2 attacks are some of the easiest for hackers to deploy but these threats can also be mitigated with some common Layer 2 solutions.
All switch ports (interfaces) should be secured before the switch is deployed for production use. How a port is secured depends on its function.
A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good practice to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port must be reactivated at a later time, it can be enabled with the no shutdown command.
To configure a range of ports, use the interface range command.

```
Switch(config)# interface range type module/first-number - last-number
```
For example, to shutdown ports for Fa0/8 through Fa0/24 on S1, you would enter the following command.
```
S1(config)# interface range fa0/8 - 24
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
(output omitted)
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
S1(config-if-range)#
```
Mitigate MAC Address Table Attacks
The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security.
Port security limits the number of valid MAC addresses allowed on a port. It allows an administrator to manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source MAC addresses that were manually configured or dynamically learned on the port.
By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized access to the network, as shown in the figure.
Enable Port Security
Notice in the example, the switchport port-security command was rejected. This is because port security can only be configured on manually configured access ports or manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic auto (trunking on). Therefore, in the example, the port is configured with the switchport mode access interface configuration command.
```
S1(config)# interface f0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end
S1#
```
Use the show port-security interface command to display the current port security settings for FastEthernet 0/1, as shown in the example. Notice how port security is enabled, the violation mode is shutdown, and how the maximum number of MAC addresses is 1. If a device is connected to the port, the switch will automatically add the device’s MAC address as a secure MAC. In this example, no device is connected to the port.
```
S1# show port-security interface f0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
S1#
```
After port security is enabled, other port security specifics can be configured, as shown in the example.
```
S1(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
S1(config-if)# switchport port-security
```
Limit and Learn MAC Addresses
To set the maximum number of MAC addresses allowed on a port, use the following command:
```
Switch(config-if)# switchport port-security maximum value
```

The default port security value is 1. The maximum number of secure MAC addresses that can be configured depends on the switch and the IOS. In this example, the maximum is 8192.

```
S1(config)# interface f0/1
S1(config-if)# switchport port-security maximum ?
  <1-8192>  Maximum addresses
S1(config-if)# switchport port-security maximum
```
The switch can be configured to learn about MAC addresses on a secure port in one of three ways:
1. Manually Configured
The administrator manually configures one or more static MAC addresses by using the following command for each secure MAC address on the port:

```
Switch(config-if)# switchport port-security mac-address mac-address
```
2. Dynamically Learned
When the switchport port-security command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the startup configuration. If the switch is rebooted, the port will have to re-learn the device’s MAC address.
3. Dynamically Learned – Sticky
The administrator can enable the switch to dynamically learn MAC addresses and "stick" them to the running configuration by using the following command:

```
Switch(config-if)# switchport port-security mac-address sticky
```
Saving the running configuration will commit the dynamically learned MAC address to NVRAM.
The following example demonstrates a complete port security configuration for FastEthernet 0/1. The administrator specifies a maximum of 4 MAC addresses, manually configures one secure MAC address, and then configures the port to dynamically learn additional secure MAC addresses up to the 4 secure MAC address maximum. Use the show port-security interface and the show port-security address command to verify the configuration.
```
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 4
S1(config-if)# switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    aaaa.bbbb.1234    SecureConfigured              Fa0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
S1#
```
Port Security Aging
Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
- Absolute – The secure addresses on the port are deleted after the specified aging time.
- Inactivity – The secure addresses on the port are deleted only if they are inactive for the specified aging time.
Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses. Aging time limits can also be increased to ensure past secure MAC addresses remain, even while new MAC addresses are added. Aging of statically configured secure addresses can be enabled or disabled on a per-port basis.
Use the switchport port-security aging command to enable or disable static aging for the secure port, or to set the aging time or type.
```
Switch(config-if)# switchport port-security aging { static | time time | type {absolute | inactivity}}
```
The parameters for the command are described in the table.
Parameter | Description |
---|---|
static | Enable aging for statically configured secure addresses on this port. |
time time | Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port. |
type absolute | Set the absolute aging type. All the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list. |
type inactivity | Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period. |
The example shows an administrator configuring an aging time of 10 minutes with the inactivity aging type, and then using the show port-security interface command to verify the configuration.

```
S1(config)# interface fa0/1
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Restrict
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.56be.e4dd:1
Security Violation Count   : 1
```
Port Security Violation Modes
If the MAC address of a device attached to the port differs from the list of secure addresses, then a port violation occurs. By default, the port enters the error-disabled state.
To set the port security violation mode, use the following command:
```
Switch(config-if)# switchport port-security violation { protect | restrict | shutdown}
```
The following tables show how a switch reacts based on the configured violation mode.
Security Violation Mode Descriptions
Mode | Description |
---|---|
shutdown (default) | The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and no shutdown commands. |
restrict | The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the Security Violation counter to increment and generates a syslog message. |
protect | This is the least secure of the security violation modes. The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. No syslog message is sent. |
Security Violation Mode Comparison
Violation Mode | Discards Offending Traffic | Sends Syslog Message | Increments Violation Counter | Shuts Down Port |
---|---|---|---|---|
Protect | Yes | No | No | No |
Restrict | Yes | Yes | Yes | No |
Shutdown | Yes | Yes | Yes | Yes |
The following example shows an administrator changing the security violation mode to "restrict". The output of the show port-security interface command confirms that the change has been made.

```
S1(config)# interface f0/1
S1(config-if)# switchport port-security violation restrict
S1(config-if)# end
S1#
S1# show port-security interface f0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.56be.e4dd:1
Security Violation Count   : 1
S1#
```
Ports in error-disabled State
When a port is shutdown and placed in the error-disabled state, no traffic is sent or received on that port. A series of port security related messages display on the console, as shown in the following example.
```
*Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state
*Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.
*Sep 20 06:44:55.973: %LINEPROTO-5-PPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
*Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to down
```
In the example, the show interface command identifies the port status as err-disabled. The output of the show port-security interface command now shows the port status as secure-shutdown. The Security Violation counter increments by 1.
```
S1# show interface fa0/18
FastEthernet0/18 is down, line protocol is down (err-disabled)
(output omitted)
S1# show port-security interface fa0/18
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : c025.5cd7.ef01:1
Security Violation Count   : 1
S1#
```

The administrator should determine what caused the security violation. If an unauthorized device is connected to a secure port, the security threat is eliminated before re-enabling the port.
To re-enable the port, first use the shutdown command, then, use the no shutdown command to make the port operational, as shown in the example.
```
S1(config)# interface fa0/18
S1(config-if)# shutdown
*Sep 20 07:11:18.845: %LINK-5-CHANGED: Interface FastEthernet0/18, changed state to administratively down
S1(config-if)# no shutdown
*Sep 20 07:11:32.006: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to up
*Sep 20 07:11:33.013: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up
S1(config-if)#
```
Verify Port Security
After configuring port security on a switch, check each interface to verify that the port security is set correctly, and check to ensure that the static MAC addresses have been configured correctly.
Port Security for All Interfaces
To display port security settings for the switch, use the show port-security command. The example indicates that all 24 interfaces are configured with the switchport port-security command because the maximum allowed is 1 and the violation mode is shutdown. No devices are connected. Therefore, the CurrentAddr (Count) is 0 for each interface.

```
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            0                  0         Shutdown
      Fa0/2              1            0                  0         Shutdown
      Fa0/3              1            0                  0         Shutdown
(output omitted)
     Fa0/24              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
Switch#
```
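Reading this table by eye works for one switch; for a fleet, an administrator usually scripts it. The following added Python helper (written for this page, not a Cisco or course tool) parses the per-port rows of a captured show port-security output and lists the interfaces worth a look: any with a non-zero SecurityViolation count, any running the Protect action (which, as the violation-mode table notes, gives no syslog and no counter), and any whose CurrentAddr has already reached MaxSecureAddr. The sample output is constructed, laid out like the page's.

```python
import re

# Constructed sample in the layout of 'show port-security' on this page.
SAMPLE = """\
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            0                  0         Shutdown
      Fa0/2              1            1                  0          Protect
      Fa0/5              3            3                  0         Shutdown
     Fa0/18              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# One interface row: name, three integer counters, then the action keyword.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")


def parse_port_security(text: str) -> list:
    """Return one dict per interface row; header, rules and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"port": m.group(1), "max": int(m.group(2)),
                         "current": int(m.group(3)), "violations": int(m.group(4)),
                         "action": m.group(5)})
    return rows


def audit(rows: list) -> dict:
    """Group interfaces by the reason they need attention."""
    findings = {"violations": [], "protect_mode": [], "at_maximum": []}
    for r in rows:
        if r["violations"] > 0:          # a violation happened; find the cause first
            findings["violations"].append(r["port"])
        if r["action"] == "Protect":     # silent mode: no syslog, counter never moves
            findings["protect_mode"].append(r["port"])
        if r["current"] >= r["max"]:     # table full: next unknown source violates
            findings["at_maximum"].append(r["port"])
    return findings


if __name__ == "__main__":
    for reason, ports in audit(parse_port_security(SAMPLE)).items():
        print(f"{reason}: {', '.join(ports) or 'none'}")
```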
Port Security for a Specific Interface
Use the show port-security interface command to view details for a specific interface, as shown previously and in this example.
```
S1# show port-security interface fastethernet 0/18
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0025.83e6.4b01:1
Security Violation Count   : 0
S1#
```
Verify Learned MAC Addresses
To verify that MAC addresses are “sticking” to the configuration, use the show run command as shown in the example for FastEthernet 0/19.
```
S1# show run | begin interface FastEthernet0/19
interface FastEthernet0/19
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0025.83e6.4b02
(output omitted)
S1#
```
Verify Secure MAC Addresses
To display all secure MAC addresses that are manually configured or dynamically learned on all switch interfaces, use the show port-security address command as shown in the example.
```
S1# show port-security address
               Secure Mac Address Table
--------------------------------------------------------------
Vlan    Mac Address       Type             Ports   Remaining Age
                                                      (mins)
----    -----------       ----             -----   -------------
   1    0025.83e6.4b01    SecureDynamic    Fa0/18       -
   1    0025.83e6.4b02    SecureSticky     Fa0/19       -
--------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
S1#
```
Syntax Checker – Implement Port Security
Implement port security for a switch interface based on the specified requirements.
You are currently logged into S1. Configure FastEthernet 0/5 for port security by using the following requirements:
- Use the interface name fa0/5 to enter interface configuration mode.
- Enable the port for access mode.
- Enable port security.
- Set the maximum number of MAC addresses to 3.
- Statically configure the MAC address aaaa.bbbb.1234.
- Configure the port to dynamically learn additional MAC addresses and dynamically add them to the running configuration.
- Return to privileged EXEC mode.
```
S1(config)#interface fa0/5
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 3
S1(config-if)#switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#end
```
Enter the command to verify port security for all interfaces.
```
S1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              3            2                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
```
Enter the command to verify port security on FastEthernet 0/5. Use fa0/5 for the interface name.
```
S1#show port-security interface fa0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0090.2135.6B8C:1
Security Violation Count   : 0
```
Enter the command that will display all of the addresses to verify that the manually configured and dynamically learned MAC addresses are in the running configuration.
```
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0090.2135.6b8c    SecureSticky                  Fa0/5        -
   1    aaaa.bbbb.1234    SecureConfigured              Fa0/5        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
```
You have successfully configured and verified port security for the interface.
Packet Tracer – Implement Port Security
In this activity, you will configure and verify port security on a switch. Port security allows you to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.
Ready to go! Keep visiting our networking course blog and like our fan page; you will find more tools and concepts that will make you a networking professional.