Monday, November 8, 2010

Lesson 25 - Switch Port Security

This post is the last one related to layer 2 technologies. Starting with the next post, I will shift my focus to layer 3 technologies. If you use GNS-3 or dynagen (the dynamips emulator), you will be able to perform all routing tasks on your computer as long as you have an IOS image.

Switchport Port Security
This IOS feature (switches only) lets you limit the number of MAC addresses that will be serviced on a given port. It comes with several options, such as which MAC address(es) are allowed on a given port and what action should be taken when the policy is violated. This way you can further protect the entry points of your network (the access switches).

By default, port security is turned off on all interfaces. In order to turn it on, the port must be in access mode; otherwise the command is rejected. Look at the attempt below to enable it while the port is in 'dynamic desirable' rather than access mode.

Pic. 1 - Port security (switchport port-security) command rejected.

The proper sequence of the commands to enable port security on F0/1 would be as follows:

SW1(config)#interface fastethernet0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security

The above configuration applies the default security policy to the port. The exact defaults may vary between switch platforms, but typically a port in secure mode allows only a SINGLE MAC address (just one) to be serviced, and when a violation occurs the port is put into the ERR-DISABLE state. This state shuts the port down, so no traffic can traverse it.

For the purpose of my presentation, I will use a very simple topology (Pic. 2).

Pic. 2 - Topology
Icons designed by: Andrzej Szoblik -

My router R1 is connected to SW1 port F0/1. The MAC address of the R1 (E0/0 port) is:

Now, I want to accomplish two goals:
  • R1 port E0/0 should be connected to SW1 port F0/1. If R1 is connected to any other port on this switch, communication with R1 should not be allowed.
  • SW1 port F0/1 should service traffic to/from the R1 E0/0 interface only. If somebody connects more devices to port F0/1 than just R1's E0/0, or a different device altogether, port F0/1 should be put into the ERR-DISABLE state.
Let us go ahead and configure it!

Before we apply port security, let me show you the current status of SW1 port F0/1.

Pic. 3 - SW1 port F0/1 Before Security is applied

As you can see, the MAC address of the R1 E0/0 interface has been learned dynamically from the frames arriving on SW1 port F0/1. At this stage, I must explain the difference between dynamic and static entries in the MAC address table.
  • DYNAMIC - the entry is created from incoming frames by reading the source MAC address field of the Ethernet header. By default the entry is valid for 5 minutes (300 seconds). If the host with this source address (here R1) does not send any frame towards that port of SW1 for 300 seconds, the entry is removed. Every time R1 sends a frame towards SW1 F0/1, the entry timer is reset, or, if the entry has already been removed, the same MAC address is mapped to the port again.
  • STATIC - the entry (MAC address) is permanently mapped to a specific port. It does not age like a 'dynamic' entry. The switch does not create this MAC-address-to-port mapping by reading the source MAC address; instead, the administrator creates it in global configuration mode using the 'mac address-table static' command.
So, the question is: what is the difference in operation if you use the static rather than the dynamic method?

With a static mapping of a MAC address to a port, you CANNOT move the device to any other port, because it will not work! The switch expects to receive frames sourced from that device on the specific port. If it receives frames with that MAC address on a port other than the one assigned statically, it drops the frames from that device.

If you rely on dynamic address learning (the default), you can plug a device into any port: the switch quickly flushes the entry from the old port (where the device was connected previously) and re-learns the MAC address on the new port you have just connected the device to.

Knowing that, we can proceed with our security plan. I have applied the access mode and port security commands as shown above. Now, take a look at the default settings applied on the specific switch platform I use (Catalyst 2950). Bear in mind that your switch may have different default settings.

Pic. 4 - Port in Secure Mode.

Quick dissection of the output's essential information:
  • Secure Port - F0/1 is now working in a secure mode.
  • MaxSecureAddr - The maximum number of addresses allowed on this port is 1 MAC address.
  • CurrentAddr - At this moment, this maximum limit has been reached.
  • SecurityViolation - Currently there's been no security violation reported.
  • Security Action - In case there is a security violation detected, the port will go DOWN (err-disable).
Let's see which MAC address is now in the secure mode (it should be R1 E0/0).

Pic. 5 - Current Secure MAC Address.

Everything looks good so far. Port F0/1 has dynamically learned the MAC address of our R1, and it is now considered a secure MAC address. One of our two goals appears to be met. What if we moved R1 to another port? What would happen then?

Pic. 6 - MAC address with security enabled.

This specific switch (C2950) has also made the entry 'static', which means that if you move the R1 E0/0 port to another port of this switch, the traffic from R1 will be discarded!

You can further improve the security of your R1. The problem with the current configuration is that the secure MAC address was learned dynamically: if the switch is rebooted and a different device is plugged into F0/1 in the meantime, the MAC address learned upon reload becomes the secure one.

In order to make it more secure, it is recommended that you configure the secure MAC address permanently, as in the example below:

SW1(config)#interface f0/1
SW1(config-if)#shutdown
SW1(config-if)#switchport port-security address 0050.500f.6600
SW1(config-if)#no shutdown
SW1(config-if)#end
SW1#copy running-config startup-config

Pay attention to the order of the commands. I shut the port down first to flush the currently learned (identical) MAC address; otherwise the address command would be rejected as a duplicate MAC address. Then, after adding the MAC address, I brought the port up and saved my configuration.

Now the MAC address is part of the configuration, and the security applied survives a reboot of the switch.

Pic. 7 - Configuration saved in NVRAM.

There is one more command that offers more detailed output (pic. 8).

Pic. 8 - Port security detailed output

Take a look at some interesting options shown below:

Pic. 9 - Port security options.

  • Aging - there are two types of secure MAC address aging: 'absolute' and 'inactivity'. The former lets you specify how long the MAC address should be considered secure; the latter declares the MAC address no longer secure if it has not transmitted data within the given time. Both parameters can be configured, but by default secure MAC addresses do not age.
  • Mac-address - as in my configuration, this option specifies which address is to be secured. You can type in a specific MAC address (as I did) or use the 'sticky' keyword. When 'sticky' is used, the MAC address(es) already learned on the port become part of the interface's configuration. However, adding the MAC address manually, as I did, is recommended.
  • Maximum - how many MAC addresses can be considered secure on a given port (platform dependent). The default is 1.
  • Violation - this option selects one of three actions to be taken when a violation of the security policy is detected.
Port Violation Actions
  1. Protect - when the port receives the traffic from the MAC addresses which are not configured as secure, it silently drops those transmissions. There is NO notification logged about the violation occurring on a port.
  2. Restrict - similar to 'protect', except that the switch logs the violations detected.
  3. Shutdown (default) - the port will transition to err-disable upon detecting the violation.
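To make the three violation actions and the reboot behaviour discussed earlier concrete, here is a small Python model I wrote for this post's scenario (an added example, not code from the original post or from Cisco). It assumes the simplified semantics described above: one secure address table per port, no aging, no 'sticky', and constructed MAC addresses.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Model of one access port with port security enabled (assumed, simplified)."""
    name: str
    maximum: int = 1                       # 'switchport port-security maximum', default 1
    violation: str = "shutdown"            # protect | restrict | shutdown (default)
    static: set = field(default_factory=set)   # 'switchport port-security address' entries
    dynamic: set = field(default_factory=set)  # learned from frames, not part of the config
    err_disabled: bool = False
    violations: int = 0                    # the SecurityViolation counter
    log: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static | self.dynamic

    def receive(self, src_mac: str) -> str:
        """Process one frame from src_mac; return 'forward', 'drop' or 'err-disable'."""
        if self.err_disabled:
            return "drop"                   # port is down, nothing traverses it
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.dynamic.add(src_mac)       # room left: learn it as a dynamic secure address
            return "forward"
        # Table full and the frame comes from an unknown MAC: this is a violation.
        if self.violation == "protect":
            return "drop"                   # silent drop: no log, counter untouched
        self.violations += 1
        self.log.append(f"PSECURE_VIOLATION caused by {src_mac} on {self.name}")
        if self.violation == "restrict":
            return "drop"                   # drop and log, port stays up
        self.err_disabled = True            # shutdown mode: port goes err-disable
        self.dynamic.clear()                # link down flushes dynamically learned entries
        return "err-disable"

    def reload(self) -> None:
        """Switch reboot: dynamic secure addresses are lost, configured ones survive."""
        self.dynamic.clear()
        self.err_disabled = False

    def recover(self) -> None:
        """'shutdown'/'no shutdown' or errdisable recovery: the port comes back up."""
        self.err_disabled = False
```

Run the same frames against a port with a static entry and one that only learned dynamically, then call reload() on both: only the statically configured port still rejects the second device.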
Let me quickly show you what happens if my switch detects the violation of the port security.

I am going to change the MAC address on my E0/0 port of R1 to:

As a result, the first frame sent towards SW1 F0/1 will violate my policy (wrong MAC address, and the port allows only the one MAC address previously assigned as secure).

Pic. 10 - The log generated after violation on the port occurred.

Below is the status of the port now.

Pic. 11 - Port in err-disable state upon violation of security.

The only way to rectify the situation is to do the following:
  1. Plug the device with the right (secure) MAC address back into port F0/1.
  2. Shut the port down manually (administrative shutdown).
  3. Bring the port up using the 'no shutdown' command.
This approach has one major disadvantage: you have to perform the three steps above by hand, which feels like being punished for somebody else's security violation.

You can configure two additional commands in global configuration mode which allow your switch to attempt to bring the port up automatically after it has spent a period of time in err-disable mode. If the proper device is already connected, the port will be fully functional again.

SW1(config)#errdisable recovery cause psecure-violation
SW1(config)#errdisable recovery interval 60

The first command instructs the switch to recover ports that were err-disabled for this cause (a port-security violation). If such ports exist, the switch attempts to bring them up 60 seconds after putting them into err-disable mode (second command).
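Because 'restrict' and 'shutdown' both produce syslog messages, the violations and the automatic recoveries can be tracked from a log collector. The Python below is an added example (not from the original post): it groups those messages per port and flags a port that violates again right after an automatic recovery, which means the wrong device is still attached. The message wording is assumed to follow the usual IOS PORT_SECURITY and PM formats, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed wording of the IOS port-security and port-manager syslog messages.
VIOLATION = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
                       r"(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) "
                       r"on port (?P<port>[A-Za-z]+[0-9/]+)")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")
RECOVER = re.compile(r"%PM-4-ERR_RECOVER: .*err-disable state on (?P<port>\S+)$")

# Constructed sample log (not captured from the post's switch).
SAMPLE_LOG = """\
Nov  8 10:01:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.500f.6601 on port FastEthernet0/1.
Nov  8 10:01:02: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Nov  8 10:02:02: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/1
Nov  8 10:02:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.500f.6601 on port FastEthernet0/1.
Nov  8 10:02:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Nov  8 10:03:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
"""


def short_name(ifname: str) -> str:
    """Normalise 'FastEthernet0/1' to 'Fa0/1' so both message families share one key."""
    for long, short in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
                        ("FastEthernet", "Fa"), ("Ethernet", "Et")):
        if ifname.startswith(long):
            return short + ifname[len(long):]
    return ifname


def summarize(log_text: str) -> dict:
    """Per-port violation count, offending MACs, err-disable and recovery counts, plus a
    'flapping' flag set when a port violates again after an automatic recovery."""
    stats = defaultdict(lambda: {"violations": 0, "macs": set(), "errdisable": 0,
                                 "recoveries": 0, "flapping": False})
    for line in log_text.splitlines():
        if m := VIOLATION.search(line):
            s = stats[short_name(m["port"])]
            s["violations"] += 1
            s["macs"].add(m["mac"].lower())
            if s["recoveries"]:
                s["flapping"] = True        # recovery re-enabled a port the wrong device is still on
        elif m := ERR_DISABLE.search(line):
            stats[short_name(m["port"])]["errdisable"] += 1
        elif m := RECOVER.search(line):
            stats[short_name(m["port"])]["recoveries"] += 1
    return dict(stats)
```

A flapping port is the case where errdisable recovery alone does not help: somebody has to check what is plugged into it.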

In my next post, we will start talking about layer 3. I propose that we refresh our knowledge of the binary system, which is essential to understanding the IP addressing scheme.
