Port Security on Switches

A growing challenge facing network administrators is determining how to control who can access the organization's internal network, and who cannot.

Understand the basics

In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security (in its default violation mode) disables the port. Most of the time, network administrators configure the switch to send an SNMP trap to their network monitoring solution reporting that the port has been disabled for security reasons.

You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses has been reached, a security violation occurs when a workstation whose MAC address differs from all of the identified secure MAC addresses attempts to access the port. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.

Keep in mind that port security identifies a host only by its source MAC address, which any host can change. It stops a second device being plugged into a port or a hub being hung off it, but it is not an authentication mechanism and does not stop an attacker who spoofs an allowed address.

Secure MAC Addresses

• Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
• Dynamic secure MAC addresses—These are dynamically learned, stored only in the address table, and removed when the switch restarts.
• Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.

Security Violations

It is a security violation when one of these situations occurs:

• The maximum number of secure MAC addresses has been added to the address table and a station whose MAC address is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

When configuring port security violation modes, note the following information:

• protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value. Nothing is logged or counted, so a violation in this mode is invisible unless you inspect the interface.
• restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, and causes the SecurityViolation counter to increment.
• shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap notification. This is the default mode. An error-disabled port stays down until an administrator issues shutdown followed by no shutdown on it, or errdisable recovery is enabled for the psecure-violation cause.

Table 1 Security Violation Mode Actions

Violation Mode                  protect   restrict   shutdown
Offending traffic is forwarded  No        No         No
Sends SNMP traps                No        Yes        Yes
Sends Syslog msg                No        Yes        Yes
Displays Error Msg              No        No         No
Violation counter increments    No        Yes        Yes
Shuts down ports                No        No         Yes
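Because protect mode is silent, the table above is also a statement about what a monitoring system can and cannot see: only restrict and shutdown produce syslog and SNMP evidence. The script below, added here as an example and not part of the original white paper, consumes those syslog messages and turns them into per-port findings. The sample log lines are constructed, not captured from a real switch; the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE message layouts follow what IOS prints, and the alert threshold of two violations is an arbitrary choice for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not captured from a real switch). Fa0/1 is in
# restrict mode and keeps logging; Gi0/2 is in shutdown mode and goes err-disabled.
SAMPLE_LOG = """\
Mar  1 10:02:11.120: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.
Mar  1 10:02:11.121: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.
Mar  1 10:03:45.003: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port GigabitEthernet0/2.
Mar  1 10:03:45.010: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/2, putting Gi0/2 in err-disable state
Mar  1 10:04:00.000: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)


def normalize_port(name):
    """Map long IOS interface names to the short form used in %PM messages
    (GigabitEthernet0/2 -> Gi0/2) so both message types key the same port."""
    for long, short in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
                        ("FastEthernet", "Fa"), ("Ethernet", "Et")):
        if name.startswith(long):
            return short + name[len(long):]
    return name


def summarize_violations(log_text):
    """Return {port: {"violations": n, "macs": set, "err_disabled": bool}} for
    every port that appears in a port-security message; other lines are ignored."""
    ports = defaultdict(lambda: {"violations": 0, "macs": set(), "err_disabled": False})
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            entry = ports[normalize_port(m["port"])]
            entry["violations"] += 1
            entry["macs"].add(m["mac"])
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            ports[normalize_port(m["port"])]["err_disabled"] = True
    return dict(ports)


def alerts(summary, threshold=2):
    """Triage: an err-disabled port (shutdown mode) needs an operator to clear it;
    a port logging repeated violations without going down is in restrict mode and
    is still dropping the offending traffic. Protect mode never reaches this code."""
    out = []
    for port, e in sorted(summary.items()):
        macs = ", ".join(sorted(e["macs"]))
        if e["err_disabled"]:
            out.append(f"{port}: err-disabled after violation by {macs}; "
                       "clear with 'shutdown'/'no shutdown' or errdisable recovery")
        elif e["violations"] >= threshold:
            out.append(f"{port}: {e['violations']} violations from {macs} "
                       "(restrict mode: traffic dropped, port still up)")
    return out


if __name__ == "__main__":
    for line in alerts(summarize_violations(SAMPLE_LOG)):
        print(line)
```

Feed the script the switch's syslog stream and the two alert kinds map directly onto the operator actions the modes call for: an err-disabled port must be cleared by hand (or by errdisable recovery), while a port in restrict mode is up but is refusing the extra host, which is usually a sign of an unapproved device or a hub.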

Port Security Guidelines & Restrictions

Follow these guidelines when configuring port security:

• A secure port cannot be a trunk port.
• A secure port cannot be a destination port for Switch Port Analyzer (SPAN).
• A secure port cannot belong to an EtherChannel port-channel interface.
• A secure port cannot be an 802.1X port. If you try to enable 802.1X on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port, an error message appears, and the security settings are not changed.
• A secure port and static MAC address configuration are mutually exclusive.

Configuring Port Security

Static

One workstation, one address. The maximum defaults to 1 and the violation mode to shutdown, so only the configured address is allowed and any other host err-disables the port.

Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.0200.0004

Dynamic

For Single Vlan

Up to 20 addresses are learned on the port and, because of sticky, written into the running configuration. Save the configuration (copy running-config startup-config) or the learned addresses are lost at the next reload. With violation restrict the port stays up on a violation but drops the offending frames and logs the event.

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky

For Multiple Vlans

Same as above, but with a voice VLAN on the port. The per-VLAN maximums cap how many of the 20 addresses may be learned on the data (access) VLAN and on the voice VLAN respectively.

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 10 vlan access
Switch(config-if)# switchport port-security maximum 10 vlan voice
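Once port security is rolled out, the question becomes whether every access port actually has it and whether any configuration breaks the guidelines and restrictions listed above (trunk, EtherChannel member, 802.1X) or silently weakens it (violation mode protect). The script below, added here as an example and not part of the original white paper, audits a running-config for exactly those conditions. The configuration excerpt it parses is constructed for the example; the command spellings it matches are the ones used in the configuration section above, and the default violation mode of shutdown is taken from the violation-mode description.

```python
# Constructed running-config excerpt (not from a real switch) used as audit input.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 21
 switchport port-security
 switchport port-security mac-address 0000.0200.0004
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 21
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 20
 switchport port-security violation protect
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/4
 switchport mode trunk
 switchport port-security
!
interface GigabitEthernet0/5
 switchport mode access
 switchport port-security
 channel-group 1 mode active
!
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Split a running-config into {interface name: [commands]}, keeping only
    the indented lines that belong to each 'interface' stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def violation_mode(cmds):
    """Return the configured violation mode; IOS defaults to shutdown."""
    for c in cmds:
        if c.startswith("switchport port-security violation "):
            return c.split()[-1]
    return "shutdown"


def audit_port_security(config_text):
    """Return a list of (interface, finding) tuples; an empty list means clean."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        has_psec = "switchport port-security" in cmds
        is_access = "switchport mode access" in cmds
        is_trunk = "switchport mode trunk" in cmds
        in_channel = any(c.startswith("channel-group ") for c in cmds)
        has_dot1x = any(c.startswith("dot1x ") for c in cmds)

        if is_access and not has_psec:
            findings.append((name, "access port without port security"))
        if not has_psec:
            continue
        # Combinations the guidelines list as unsupported
        if is_trunk:
            findings.append((name, "port security on a trunk port"))
        if in_channel:
            findings.append((name, "port security on an EtherChannel member"))
        if has_dot1x:
            findings.append((name, "port security together with 802.1X"))
        # Protect mode drops silently: no trap, no syslog, no counter
        if violation_mode(cmds) == "protect":
            findings.append((name, "violation mode protect: no trap, syslog or counter"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit_port_security(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Run it against the output of show running-config collected from each access switch. Trunk ports without port security produce no finding, since the guidelines say a trunk cannot be a secure port; the check you want for uplinks is a different one (that they are, in fact, meant to be trunks).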

Note: I have extracted this white paper from various technical documents and blogs for knowledge sharing purposes. Please use and share it judiciously.
