
Port Security


The most basic form of switch security is port-level security. With port security, the switch controls which MAC address(es), and/or how many MAC addresses, may appear on a connected port.

In a nutshell, port security has the switch look at the source MAC address of every incoming frame and ask itself: "Do I trust the source of this frame?"

Port security is enabled with the switchport port-security command. Before anything else we need to make sure the port is a non-trunking port: port security cannot be configured on a port that still has the possibility of becoming a trunk.



The port security feature will not work on three types of ports:

  1. Trunk ports
  2. EtherChannel ports
  3. Switch Port Analyzer (SPAN) ports


Let's use this diagram



To check that the port is not trunking, use the command show int trunk (an empty list means no port is currently a trunk):


Switch>enable
Switch#show int trunk

Switch#


So, let's make sure it's an access port:

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30
% Access VLAN does not exist. Creating vlan 30



Now let's check our actual port-security configuration:

Switch(config-if)#do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1        1             1               0             Shutdown
---------------------------------------------------------------------------
Switch(config-if)#



Port security has several options. Let's start with maximum, which defines the number of secure MAC addresses the port can learn; the default is one.

Switch(config)#int fa0/1
Switch(config-if)#switchport port-security maximum ?
  <1-132>  Maximum addresses




There are three different ways that MAC addresses can be configured onto a port:
  • Statically
  • Dynamically
  • Sticky
A statically configured MAC address is the simplest case: a single MAC address is explicitly allowed on the port. In the static method we manually define the exact host MAC address with the switchport port-security mac-address MAC_address command. This is the most secure method, but it requires a lot of manual work: every MAC address has to be entered by hand, which is a tedious job.


A dynamic MAC address is one that is learned on an interface and held in the Content-Addressable Memory (CAM) table until it times out (5 minutes); dynamic learning is enabled by default.
In dynamic mode we can use the sticky feature, which lets the interface learn MAC addresses automatically. The interface keeps learning MAC addresses until it reaches the maximum number of allowed hosts.


Here is an example




A sticky address is dynamically learned and then immediately converted into a sticky secure MAC address; this “sticks” the specific MAC address to this port alone. Sticky MAC addresses are lost on reboot unless the running configuration is saved.

Part 1: Configure Port Security

We will enable port security, turn on the sticky MAC address option, and set the maximum number of allowed MAC addresses:


Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int range fa0/1-2
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security mac-address sticky




Now the switch learns the MAC addresses of the two PCs automatically (dynamically).

Along with configuring these MAC addresses, a port can be configured with a maximum number of allowed MAC addresses (the default is one). We set it to one:
Switch(config-if)#switchport port-security maximum ?
  <1-132>  Maximum addresses
Switch(config-if)#switchport port-security maximum 1




Use the aging option to define how long a dynamically learned secure MAC address should be considered secure. You also have the rarely used option of enabling aging for the static entries.







If a port security violation should occur, there are three different methods that can be configured based on the intended device reaction:
  • Protect—When using this method, the packets from the unknown source addresses will be dropped.
  • Restrict—When using this method, the packets from the unknown source addresses will be dropped, AND the security violation counter will be incremented and a management message will be sent.
  • Shutdown—When using this method, the port will shut down upon receipt of packets from unknown addresses, AND the security violation counter will be incremented, and a management message will be sent. (This is the default.)
Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int range fa0/1-2
Switch(config-if-range)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

The default port security violation mode is shutdown, which does just that: the port is placed into the error-disabled state (err-disabled).
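To make the decision described above concrete ("Do I trust the source of this frame?", the maximum, and the three violation modes), here is a small Python model of one secure port. It is an added example written for this page, not Cisco code: the MAC addresses of PC1 and the rogue laptop and the log message text are constructed, and the scenario is the one from this lab (fa0/2 with a maximum of three, two static addresses, violation mode restrict as in the command table below).

```python
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    """Model of one port-security enabled access port (added example, not IOS code)."""
    name: str
    maximum: int = 1                 # IOS default: one secure address per port
    violation: str = SHUTDOWN        # IOS default violation mode
    sticky: bool = False             # switchport port-security mac-address sticky
    secure: dict = field(default_factory=dict)   # MAC -> "static" | "sticky" | "dynamic"
    violations: int = 0              # the SecurityViolation counter of show port-security
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address H.H.H: refuse to exceed the maximum."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure addresses already reached")
        self.secure[mac] = "static"

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False                              # shut down: nothing is forwarded
        if src_mac in self.secure:
            return True                               # trusted source
        if len(self.secure) < self.maximum:           # room left: learn the address
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # Table is full and the source is unknown: a security violation.
        if self.violation == PROTECT:
            return False                              # dropped silently, counter untouched
        self.violations += 1                          # restrict and shutdown both count
        self.log.append(f"port-security violation on {self.name} from {src_mac}")  # constructed message
        if self.violation == SHUTDOWN:
            self.err_disabled = True                  # port goes to err-disabled
        return False


def lab_scenario(mode: str = RESTRICT):
    """fa0/2 of the lab: maximum 3, two static addresses, PC1 learned, then a rogue laptop."""
    port = SecurePort("Fa0/2", maximum=3, violation=mode)
    port.add_static("aaaa.bbbb.cccc")                 # the two static addresses from the lab
    port.add_static("aaaa.aaaa.aaaa")
    pc1 = "0001.0001.0001"                            # constructed MAC for PC1
    rogue = "00de.adbe.ef00"                          # constructed MAC for the rogue laptop
    forwarded = [port.receive(pc1)] + [port.receive(rogue) for _ in range(4)]  # four pings
    return port, forwarded


if __name__ == "__main__":
    for mode in (RESTRICT, SHUTDOWN, PROTECT):
        port, forwarded = lab_scenario(mode)
        print(mode, forwarded, "violations:", port.violations, "err-disabled:", port.err_disabled)
```

In restrict mode the four rogue pings are dropped and the counter reaches four, matching what the lab observes later, while PC1 keeps working; in shutdown mode the first rogue frame err-disables the port and PC1 is cut off too; in protect mode the frames are dropped but nothing is counted or logged, which is why protect is the hardest mode to detect from.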

Let's check with an example

Each command, followed by its description:

Switch>enable
    Move into privileged EXEC mode.
Switch#configure terminal
    Move into global configuration mode.
Switch(config)#interface fastethernet 0/1
    Move into interface mode.
Switch(config-if)#switchport mode access
    Assign the port as a host (access) port.
Switch(config-if)#switchport port-security
    Enable the port security feature on this port.
Switch(config-if)#switchport port-security maximum 1
    Set the limit for hosts that can be associated with the interface. The default value is 1; skip this command to use the default.
Switch(config-if)#switchport port-security violation restrict
    Set the security violation mode. The default mode is shutdown; skip this command to use the default.
Switch(config-if)#switchport port-security mac-address sticky
    Enable the sticky feature.
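The command sequence above is what ends up in the running configuration. A practitioner usually wants the reverse: read a saved running-config and find the access ports that never got port security, or that got the silent protect mode. The following audit script is an added example for this page, not a Cisco tool; the configuration excerpt it parses is constructed to mirror this lab (the two static addresses from fa0/2, a sticky-learned address on fa0/1, and a trunk that is skipped because port security does not apply there).

```python
import re

# Constructed running-config excerpt modelled on this lab (not captured from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 30
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.0001.0001
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address aaaa.bbbb.cccc
 switchport port-security mac-address aaaa.aaaa.aaaa
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet1/1
 switchport mode trunk
!
"""

MAC_LINE = re.compile(r"switchport port-security mac-address (sticky )?"
                      r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$")


def parse_interfaces(config: str) -> dict:
    """Split a running-config into {interface name: [indented stanza lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None            # "!" or any non-indented line ends the stanza
    return stanzas


def summarize(lines: list) -> dict:
    """Port-security settings of one stanza, with the IOS defaults filled in."""
    s = {"mode": None, "enabled": False, "maximum": 1, "violation": "shutdown",
         "sticky": False, "static": [], "sticky_learned": []}
    for line in lines:
        if line.startswith("switchport mode "):
            s["mode"] = line.split()[-1]
        elif line == "switchport port-security":
            s["enabled"] = True
        elif line.startswith("switchport port-security maximum "):
            s["maximum"] = int(line.split()[-1])
        elif line.startswith("switchport port-security violation "):
            s["violation"] = line.split()[-1]
        elif line == "switchport port-security mac-address sticky":
            s["sticky"] = True
        else:
            m = MAC_LINE.match(line)
            if m:                     # sticky-learned addresses are saved with the "sticky" keyword
                (s["sticky_learned"] if m.group(1) else s["static"]).append(m.group(2))
    return s


def audit(config: str) -> dict:
    """Map every access port to its findings; an empty list means the port passes."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        s = summarize(lines)
        if s["mode"] != "access":
            continue                  # trunks and the like: port security does not apply
        issues = []
        if not s["enabled"]:
            issues.append("port security not enabled")
        elif s["violation"] == "protect":
            issues.append("violation mode protect: frames dropped silently, no counter or log")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run against a real `show running-config` capture, the script lists every access port that a rogue device could plug into without being limited, plus the ports whose violation mode would never show up in the SecurityViolation counter.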


Part 2: Verify Port Security

1.- We will disable the rest of the ports:

Switch(config)#int range fa0/3-24, gi1/1-2
Switch(config-if-range)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down

2.- We will check the IP addresses of the PCs and ping one from the other. That way Packet Tracer can read the MAC addresses.


3.- We will verify the port security and the learned MAC addresses.














  4.-  A) We will attach a rogue laptop and check how the connection becomes red.
       B) Eventually we will enable the port again and ping PC0.
       C) We will end by shutting down the port again.










Now the connection turns red again

5.- We will disconnect PC1 and connect the laptop to the same port, fa0/2. From the laptop, ping PC0, then show the port security status.





The ping failed because there is a breach of port security on port fa0/2: only PC1, with its proper MAC address, can use that port.

Four security violations during the ping, and the same number in the security violation count.
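The count the lab reads by eye from show port-security is the value a defender would want to collect from every switch automatically. The following parser is an added example for this page, not Cisco code: it reads the show port-security table, returns one record per port, and flags the ports that need attention. The sample output is constructed to match the state reached in this step (four violations on fa0/2 with violation mode restrict, as configured in the command table above).

```python
import re

# Constructed "show port-security" output for the state reached in step 5 of this lab.
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1        1             1               0             Shutdown
      Fa0/2        1             1               4             Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One data row: port, three integer counters, then the configured violation action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Protect|Restrict|Shutdown)\s*$")


def parse_port_security(output: str) -> list:
    """Return a list of {port, max, current, violations, action} dicts, one per port."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:                         # header, separator and summary lines do not match
            rows.append({
                "port": m.group(1),
                "max": int(m.group(2)),
                "current": int(m.group(3)),
                "violations": int(m.group(4)),
                "action": m.group(5),
            })
    return rows


def flag_ports(rows: list) -> dict:
    """Return {port: reason} for every port a defender should look at."""
    flagged = {}
    for r in rows:
        if r["violations"] > 0:
            flagged[r["port"]] = f"{r['violations']} violation(s), action {r['action']}"
        elif r["action"] == "Protect":
            # Protect drops frames without touching the counter, so a zero here proves nothing.
            flagged[r["port"]] = "protect mode: violations are not counted"
    return flagged


if __name__ == "__main__":
    rows = parse_port_security(SAMPLE_OUTPUT)
    for port, reason in flag_ports(rows).items():
        print(port, reason)
```

Collected on a schedule, the violation counter rising on a port is the signal that an unexpected device was plugged in; a port that shows Protect in the last column will never raise that signal, which is why the lab's choice of restrict (or the default shutdown) is the mode that makes port security observable.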

6.- Now we will disconnect the rogue laptop and connect PC1 again. From there we will ping PC0.




The reason PC1 can ping PC0 is that in this case the switch learned only ONE MAC address on fa0/2: the one from PC1.



We want to confirm that it was learned dynamically:



But what happens if you allow multiple secure MAC addresses on a port and statically configure a few of them without hitting the maximum? Let's find out on port fa0/2, where I will allow three addresses to be considered secure while configuring two static secure addresses:

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int fa0/2
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 3

Switch(config-if)#switchport port-security mac-address aaaa.bbbb.cccc
Switch(config-if)#switchport port-security mac-address aaaa.aaaa.aaaa

Now we will send a ping through fa0/2 and go back to the switch to check its port security:








We see three entries for fa0/2: two of them statically configured and one dynamically learned.

So far this lab was successful!

Please comment and share. Thanks for watching this lab!
Reviewed by ohhhvictor on 7:52:00 AM. Rating: 5

