THE FASCINATING WORLD OF NETWORKING
PORT SECURITY
Date: 2-2-2014
Mitigating MAC Spoofing and MAC Table Overflow Attacks
By limiting the number of permitted MAC addresses on a port, port security can be used to control unauthorized expansion of the network.
Once MAC addresses are assigned to a secure port, the port does not forward frames with source MAC addresses outside the group of defined addresses.
Port security also prevents MAC address flooding: a CAM table overflow attack depends on a single port injecting thousands of bogus source addresses, and a port that will only learn a handful of addresses cannot be used for that. Enabling port security therefore both limits MAC flooding attacks and locks down the port.
- Configure port security to define the number of MAC addresses allowed on a given port.
- It is a Cisco Catalyst switch feature and is disabled by default.
- You can use port security with dynamically learned and static MAC addresses.
- Port security is configured on untrusted user ports (typically access ports facing end hosts).
- "Sticky learning" turns dynamically learned addresses into configuration entries, so they behave like statically configured ones.
- Port security restricts a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.
- When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses.
- If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port is assured the full bandwidth of the port.
Port Security can also mitigate spoofing attacks by limiting access through each switch port to a single MAC address. This prevents intruders from using multiple MAC addresses over a short time period but does not limit port access to a specific MAC address. The most restrictive port security implementation would specify the exact MAC address of the single device that is to gain access through each port. Implementing this level of security, however, requires considerable administrative overhead.
Port security has a sticky MAC addresses feature that can limit switch port access to a single, specific MAC address without the network administrator having to gather the MAC address of every legitimate device and manually associate it with a particular switch port.
When sticky learning is enabled, the switch port converts dynamically learned MAC addresses into sticky secure MAC addresses and adds them to the running configuration as if they had been entered statically. Sticky secure MAC addresses are added to the running configuration only; they do not become part of the startup configuration unless the running configuration is copied to the startup configuration after the addresses have been learned. If they are saved, they do not have to be relearned after a reboot, which closes the window in which whatever device happens to send first after a restart would be learned as the legitimate one.
Port security can also send an SNMP trap when a violation occurs (in the shutdown and restrict violation modes; protect mode sends nothing). Frames from MAC addresses that are already secured are forwarded while the port is at or below its configured maximum; once the maximum is reached, a frame from any additional source MAC address is a violation and is dropped, or the port is shut down, depending on the violation mode.
The switch supports these types of secure source MAC addresses:
• Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
• Dynamic secure MAC addresses—These are dynamically learned once port security is enabled on the interface (by using the switchport port-security interface configuration command), stored only in the address table, and removed when the switch restarts.
• Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them and they are treated as static secure MAC address.
Configuring Port Security
To enable port security on the interface (learning dynamic secure MAC addresses, disabled by default):
Switch(config-int)# switchport port-security
Specify the maximum number of MACs allowed (default is 1):
Switch(config-int)# switchport port-security maximum number
The range is 1 to 132 on some platforms; the upper limit depends on the switch model and IOS version, so check the CLI help on the device.
For example, if the maximum number of hosts allowed is 5, an attacker on that port cannot flood the switch with thousands of source MAC addresses: after the fifth address the port stops learning and every further new address is a violation, so the MAC flooding attack fails.
Note If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected.
Specify the violation action when the requirements defined are not met or exceeded:
Switch(config-int)# switchport port-security violation {shutdown | restrict | protect}
- Shutdown (the default action) puts the interface in the err-disabled state and sends an SNMP trap; manual intervention (shutdown followed by no shutdown) or errdisable recovery is needed to make the interface usable again.
- Restrict drops the violator's frames, creates a syslog message, sends an SNMP trap and increments the violation counter.
- Protect drops frames quietly from MACs that are not allowed, but leaves no log of the violation (not recommended: the attack happens without anyone being told).
Note: in restrict and protect modes the port is allowed to stay up, but all packets from violating MAC addresses are dropped.
Switch(config-int)# switchport port-security violation shutdown vlan
In this mode, only the VLAN on which the violation occurred is error-disabled, rather than the whole interface.
Tip: If an interface is undergoing the restrict or protect condition, you might need to clear the learned MAC addresses so that a specific host can use the switch port.
To dynamically bring all secure ports out of the error-disabled state:
switch(config)# errdisable recovery cause psecure-violation
To clear all dynamically learned secure addresses (a privileged EXEC command, not a configuration command):
Switch# clear port-security dynamic [address mac-addr | interface interface-id]
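The settings above (port security enabled or not, the maximum, the violation mode, and whether addresses are pinned with sticky or static entries) are exactly what an auditor checks in a switch's running-config. The following Python script is an added example, not code from the original page: it parses a constructed running-config into interface stanzas and flags access ports where port security is missing, where the violation mode is protect, where the maximum exceeds a site policy limit (`max_allowed`, an assumed parameter chosen for illustration), or where no sticky or static addresses exist. The sample configuration and the policy threshold are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config for the demo (not captured from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.0000.0003
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
!
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


@dataclass
class PortSec:
    name: str
    mode: str = ""                # value of "switchport mode ..." if present
    enabled: bool = False         # "switchport port-security" present
    maximum: int = 1              # IOS default when no maximum is configured
    violation: str = "shutdown"   # IOS default violation mode
    sticky: bool = False
    sticky_addrs: list = field(default_factory=list)
    static_addrs: list = field(default_factory=list)


def parse_interfaces(config_text):
    """Split a running-config into interface stanzas and collect the
    port-security relevant lines of each one."""
    ports, current = [], None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = PortSec(name=raw.split(None, 1)[1].strip())
            ports.append(current)
            continue
        if current is None or not raw.startswith(" "):
            current = None            # "!" or any top-level line ends the stanza
            continue
        w = raw.split()
        if w[:2] == ["switchport", "mode"]:
            current.mode = " ".join(w[2:])
        elif w == ["switchport", "port-security"]:
            current.enabled = True
        elif w[:3] == ["switchport", "port-security", "maximum"] and "vlan" not in w:
            current.maximum = int(w[3])
        elif w[:3] == ["switchport", "port-security", "violation"]:
            current.violation = w[3]
        elif w[:4] == ["switchport", "port-security", "mac-address", "sticky"]:
            current.sticky = True
            if len(w) == 5 and MAC_RE.match(w[4]):
                current.sticky_addrs.append(w[4])
        elif w[:3] == ["switchport", "port-security", "mac-address"] and len(w) > 3 and MAC_RE.match(w[3]):
            current.static_addrs.append(w[3])
    return ports


def audit(ports, max_allowed=8):
    """Return {interface: [findings]} for access ports whose port-security is
    missing or weak. max_allowed is an assumed site policy, not an IOS value."""
    findings = {}
    for p in ports:
        if p.mode != "access":
            continue                  # trunks and unconfigured ports are out of scope here
        issues = []
        if not p.enabled:
            issues.append("port-security not enabled on an access port")
        else:
            if p.violation == "protect":
                issues.append("violation mode 'protect' drops silently: no syslog, no trap, no counter")
            if p.maximum > max_allowed:
                issues.append(f"maximum {p.maximum} exceeds policy limit {max_allowed}")
            if not p.sticky and not p.static_addrs:
                issues.append("no sticky or static addresses: the first MAC seen after a reboot is accepted")
        if issues:
            findings[p.name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(parse_interfaces(SAMPLE_CONFIG)).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

Run it against the output of `show running-config` saved to a file; FastEthernet0/1 in the sample passes, while the other three access ports each produce at least one finding. The parser deliberately ignores per-VLAN maxima (the trunk form with the vlan keyword), because the port-level maximum is what bounds the CAM table exposure of a single access port.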
Static Secure Mac Addresses
Statically assign MAC addresses (optional, by entering a 48-bit MAC address):
Switch(config-if)# switchport port-security mac-address MAC-address
Additional secure MAC addresses can be added up to the maximum value.
The MAC address is given in dotted-triplet format. If the number of static addresses configured is less than the maximum number of addresses secured on a port, the remaining addresses are learned dynamically.
Example: Switch(config-if)# switchport port-security mac-address 0000.0000.0003
0000.0000.0003 is then a static secure MAC address on this port (the value is illustrative).
Port Aging
Port security aging sets the aging time for dynamic secure addresses on a port, and optionally for static ones.
Two types of aging are supported per port:
- absolute - The secure addresses on the port are deleted after the specified aging time.
- inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging time.
Switch(config-if)# switchport port-security aging {static | time minutes | type {absolute | inactivity}}
static: Enable aging for statically configured secure addresses on this port.
time:
- Specify the aging time for this port.
- The range is 0 to 1440 minutes.
- If the time is 0, aging is disabled for this port.
type absolute:
- Set the absolute aging type.
- All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity:
- Set the inactivity aging type.
- The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Set the aging time for the secure addresses on the port:
Switch(config-if)# switchport port-security aging time minutes
* minutes is 0 to 1440. Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses: with absolute aging, all the secure addresses on this port age out exactly after the time specified and are removed from the secure address list, while the limit on the number of secure addresses on the port stays in force. The default aging time is 0, which means aging is disabled; by default, no aging occurs. Aging trades security for convenience, since an aged-out slot can be taken by whatever device sends next, so use short aging times only where hosts really do move.
Enable aging for the statically configured secure addresses on the port:
Switch(config-if)# switchport port-security aging static
By default only dynamically learned secure addresses age; this command tells the switch to age out statically configured secure MAC addresses as well.
Sticky secure addresses
Enable sticky learning, so that the switch dynamically learns up to the maximum number of MAC addresses and records them in the configuration (optional):
Switch(config-if)# switchport port-security mac-address sticky
After enabling it, you will notice that the currently connected MAC address(es) appear in the running config as:
switchport port-security mac-address sticky sticky-mac-address (static sticky MAC configuration)
Note: Sticky MAC addresses can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. Although sticky secure addresses can be manually configured, doing so is not recommended ("This configuration isn't necessary").
When enabling port security with sticky MAC addresses, note the following information:
•When you enter the switchport port-security mac-address sticky command:
–All dynamically learned secure MAC addresses on the port are converted to sticky secure MAC addresses.
–Static secure MAC addresses are not converted to sticky MAC addresses.
–Whether secure MAC addresses dynamically learned in a voice VLAN are converted to sticky MAC addresses depends on the IOS platform.
–New dynamically learned secure MAC addresses are sticky.
•When you enter the no switchport port-security mac-address sticky command, all sticky secure MAC addresses on the port are converted to dynamic secure MAC addresses.
Port Security on trunk interfaces
Port security can only be configured on static access ports (switchport mode access) or static trunk ports (DTP disabled: switchport mode trunk; switchport nonegotiate). A secure port cannot be a dynamic access port.
On a trunk port only, specify the VLAN ID and the MAC address.
Switch(config-if)# switchport port-security mac-address a.b.c vlan vlan-id (vlan-id: 1 – 4094)
If no VLAN ID is specified, the native VLAN is used.
For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN:
Switch(config-if)# switchport port-security maximum value vlan {vlan-id | vlan-list}
- vlan vlan-id: set a per-VLAN maximum value.
- vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas.
If the vlan keyword is not entered, the default (per-port) value is used.
Port Security on interfaces that use voice VLANs
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# switchport voice vlan 3
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address a.b.c vlan voice
Switch(config-if)# switchport port-security mac-address d.e.f vlan access
Switch(config-if)# switchport port-security maximum 2 vlan access
Switch(config-if)# switchport port-security maximum 1 vlan voice
Note: The voice keyword is available only if voice VLAN is configured on a port and if that port is not the access VLAN.
MAC Address Notification
The MAC Address Notification feature sends SNMP traps to the network management station (NMS) whenever a new MAC address is added to or an old address is deleted from the forwarding tables.
switch(config)# mac address-table notification ?
change Enable/Disable MAC Notification feature on the switch
switch(config)# mac address-table notification change ?
history-size Number of MAC notifications to be stored
interval Interval between the MAC notifications
<cr>
Verifying Port Security
To display a summary of the port-security status:
Switch# show port-security
To verify the port security settings of a specific interface:
Switch# show port-security interface interface-id
To display MAC address table security information:
Switch# show port-security address
The "Remaining age" column is populated only for interfaces on which aging has been configured.
To see a quick summary of only ports in the Errdisable state, along with the reason for errdisable:
Switch# show interfaces status err-disabled
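As an added example (not from the original page), here is a Python triage of the two verification commands above. It parses constructed `show port-security` and `show interfaces status err-disabled` output, whose column layout is assumed from the usual Catalyst summary format, and reports ports that were err-disabled by a violation, ports whose violation counter is non-zero but which stayed up (restrict), ports in protect mode (where nothing is counted), and ports already at their address limit. The sample output is constructed, not captured from a switch.

```python
import re

# Constructed sample "show port-security" summary (not captured from a real switch).
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict
      Fa0/2              1            1                  0          Protect
      Fa0/4              1            1                  3         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8320
"""

# Constructed sample "show interfaces status err-disabled" output.
SHOW_ERRDISABLED = """\
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/4                        err-disabled psecure-violation
"""

# A data row is: interface, three integer counters, then the action keyword.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_port_security(text):
    """Map interface name -> counters from the show port-security summary."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group(1)] = {
                "max": int(m.group(2)),
                "current": int(m.group(3)),
                "violations": int(m.group(4)),
                "action": m.group(5).lower(),
            }
    return rows


def parse_errdisabled(text):
    """Map interface name -> errdisable reason (the word after 'err-disabled').
    The header line is skipped because its 'Err-disabled' is capitalised."""
    reasons = {}
    for line in text.splitlines():
        words = line.split()
        if "err-disabled" in words:
            i = words.index("err-disabled")
            reasons[words[0]] = words[i + 1] if i + 1 < len(words) else ""
    return reasons


def triage(summary, errdisabled):
    """Return a list of (interface, severity, message), sorted by interface."""
    out = []
    for port, r in sorted(summary.items()):
        if errdisabled.get(port) == "psecure-violation":
            out.append((port, "high", "err-disabled by port-security; inspect the host before recovery"))
        elif r["violations"] > 0:
            out.append((port, "high", f"{r['violations']} violation(s) counted while the port stayed up ({r['action']})"))
        if r["action"] == "protect":
            out.append((port, "medium", "protect mode: violations are dropped without counting or logging"))
        elif r["current"] >= r["max"]:
            out.append((port, "info", f"at its limit ({r['current']}/{r['max']}); the next new MAC is a violation"))
    return out


if __name__ == "__main__":
    for port, sev, msg in triage(parse_port_security(SHOW_PORT_SECURITY),
                                 parse_errdisabled(SHOW_ERRDISABLED)):
        print(f"[{sev}] {port}: {msg}")
```

Feed it the two command outputs collected by your monitoring system; a port that shows up as "high" is either already err-disabled or is being hit by an attacker while still forwarding (restrict), and a port in protect mode is flagged precisely because the counters can never tell you about it.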