Port Security
Port Security
The basic form of switch security is using port level security. When using port level security, the MAC address(es) and/or number of MAC addresses of the connected devices is controlled.
In a nutshell, port security entails having the switch look at the source MAC address of an incoming packet and asking itself: "Do I trust the source of this frame?"
Port security is enable with the switchport port-security command ,Before everything else we need to make sure the port is a non-trunking port.Port security can be configure in a port that has a possibility of becoming a trunk.
Port security feature will not work on three types of ports.
- Trunk ports
- Ether channel ports
- Switch port analyzer ports
Let's use this diagram
To check on that use the command show int trunk
Switch>enable
Switch#show int trunk
Switch#
So, let's make sure it's an access port:
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30
% Access VLAN does not exist. Creating vlan 30
Now let's check our actual configuration
Switch(config-if)#do show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/1 1 1 0 Shutdown
----------------------------------------------------------------------
Switch(config-if)#
We can see different options as well:
.Let's start with Maximum that defines the number of secure Mac address the port can learn and the default is one.
Switch(config)#int fa0/1
Switch(config-if)#switchport port-security maximum ?
<1-132> Maximum addresses
- Statically
- Dynamically
- Sticky
In static method we have to manually define exact host mac address with switchport port-security mac-address MAC_address command. This is the most secure method but it needs a lot of manual works. We need to enter all mac addresses manually that is too much tedious job.
A dynamic MAC address is one that is learned on an interface and is held in the Content-Addressable Memory (CAM) table until it times out (5 minutes); these are enabled by default.
In dynamic mode we use sticky feature that allows interface to learn mac address automatically. Interface will learn mac addresses until it reaches maximum number of allowed hosts
Here is an example
A sticky address is dynamically learned and then immediately converted into a sticky secure MAC address; this “sticks” the specific MAC address to this port alone. Sticky MAC addresses are lost on reboot unless the running configuration is saved.
Part 1 Configure port Security
We will enable port security, set the sticky mac address , set the maximum of allow mac address
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int range fa0/1-2
Switch(config)#switchport mode access
Switch(config-if)#switchport port-security mac-address ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security mac-address sticky
Now the switch learn automatically (dynamically) the MAC Address of the two PCs
Along with configure these mac address , a port can be configure with a maximum number of allowed mac address (the default is one) We set them in one
Switch(config-if)#switchport port-security maximum ?
<1-132> Maximum addresses
Switch(config-if)#switchport port-security maximum 1
Use the aging option to define how long dynamically learned secure MAC address should be considered secure.You have the rarely used option of enabling aging for the static entries
If a port security violation should occur, there are three different methods that can be configured based on the intended device reaction:
- Protect—When using this method, the packets from the unknown source addresses will be dropped.
- Restrict—When using this method, the packets from the unknown source addresses will be dropped, AND the security violation counter will be incremented and a management message will be sent.
- Shutdown—When using this method, the port will shut down upon receipt of packets from unknown addresses, AND the security violation counter will be incremented, and a management message will be sent. (This is the default.)
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int range fa0/1-2
Switch(config-if)#switchport port violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
The default port security mode is shutdown , which does just that , the port is place into error-disable state (err-disable)
Let's check with an example
Command
| Description | |
| Switch>enable | Move in privilege exec mode |
| Switch#configure terminal | Move in global configuration mode |
| Switch(config)#interface fastethernet 0/1 | Move in interface mode |
| Switch(config-if)#switchport mode access | Assign port as host port |
| Switch(config-if)#switchport port-security | Enable port security feature on this port |
| Switch(config-if)#switchport port-security maximum 1 | Set limit for hosts that can be associated with interface. Default value is 1. Skip this command to use default value. |
| Switch(config-if)#switchport port-security violation restrict | Set security violation mode. Default mode is shutdown. Skip this command to use default mode. |
| Switch(config-if)#switchport port-security mac-address sticky | Enable sticky feature. |
Part 2 : Verify Port security1.-We will disable the rest of the ports
Switch(config)#int range fa0/3-24, gi1/1-2
Switch(config-if-range)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
2.-We will check the ip address of the PCs and ping one to another.That way packet tracert can read the mac address
 3.-We will verify the port security and the learned MAC address  |
| |
| 4.- A)We will attach a rogue laptop and check how the connection becomes red. B)Eventually we will enable the port and will ping pc0. C)We will end shutting down the port again | ||
|
| ||
 Now the connection turns red again 5.- We will disconnect pc1 and in the previous port fa0/2 we will connect the laptop.From laptop ping pc0.Them show it's port security   | ||
The ping failed
because there is a breach in the port security of port fa0/2, in that
port only can be used pc1 with it's proper MAC address 6.- Now we will disconnect the rogue laptop and we will connect again the PC1.From there we will ping pc0   The reason pc1 can ping pc0 is that in this case,Switch learned only ONE mac address in fa0/2: the one from PC1   But what happens if you allow multiple secure MAC Address on a port , and you statically configure a few without hitting the maximum.Let's find out on port fa0/2 , where I will allow three addresses to be considered secure while configuring two static secure address Switch#conf t Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#int fa0/2 Switch(config-if)#switchport port-security Switch(config-if)#switchport port-security maximum 3 Switch(config-if)#switchport port-security mac-address aaaa.bbbb.cccc Switch(config-if)#switchport port-security mac-address aaaa.aaaa.aaaa Now we will ping fa0/2 and go back to the switch to check it's port security    We see three entries for fa0/2 , two of them statically configured and one of them dynamically learned So far this lab was successful! Please comment and share thanks for watching this lab! |
Port Security
Reviewed by ohhhvictor
on
7:52:00 AM
Rating:
Reviewed by ohhhvictor
on
7:52:00 AM
Rating:
No comments: