Port security is a way of protecting our network from rogue devices. Knowing which devices are communicating on the network is as important as the network itself, especially in the current era of BYOD (Bring Your Own Device). BYOD essentially means that employees/students can bring the devices they are comfortable working with, maybe their laptops, tablets or smartphones, connect them to the corporate network and start working. The idea is to boost the productivity of the employees by providing them with the resources and continuity to keep their momentum up.
The problem with the BYOD model is that the who-knows-what’s-inside devices that connect to our network are not trustworthy. They can sniff the corporate traffic, infect other PCs with malware or eat up all the bandwidth (if they initiate peer-to-peer file sharing via torrent). Thanks to port security we can narrow network access down to some specific devices. Port security gives two ways to restrict the devices that connect to the switch:
1. Limiting the number of devices on a port
Consider a scenario wherein a user connects a wireless access point to one of the ports of the switch; all the devices that join that Wi-Fi network are now part of the LAN, with all the security ramifications we talked about. Port security allows you to limit the number of MAC addresses on a switch port so that if the limit is crossed, the port becomes inactive.
2. Limiting port to specific MAC addresses
We can statically bind a specific MAC address to a switch port so that if a different device gets connected to the port, the port becomes inactive. This allows only the trusted devices to be part of the LAN.
Port Security Violation:
When a port security violation occurs on a switch port, whether by crossing the limit of MAC addresses on the port or by connecting a device whose MAC address differs from the one bound to the port, the switch can put the port into one of three modes:
1. Shutdown : This is the default behaviour on a port security violation. While it’s tempting to think that the port has shut down, the switch actually puts the port into a state called ERR-DISABLE, which is deceiving. The port seems to be down just as when the cable is unplugged, but it’s not. Specific show commands have to be run to see the actual port status.
The protect and restrict modes are kinder and gentler than the shutdown mode: they ignore the MAC addresses that violate the port security rule. They don’t shut down the port, so when the right MAC address is learned on the port, the port is active again.
2. Protect : On a port security violation, protect mode doesn’t shut down the port; frames from the offending MAC address are simply dropped, so the port appears not to work.
3. Restrict : Same as protect mode. The only difference between the two is that protect mode doesn’t generate a syslog message while restrict mode does.
Consider the following topology, wherein I’ve connected three hosts to the switch. The diagram was created in GNS3, but the actual network is physical. I’m using a Cisco Catalyst 3560 switch.
Switch#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
Before configuring port security on a port, it should be converted into an access port. An access port, unlike a trunk port, carries the traffic of only one VLAN (the default VLAN 1 if no other is configured).
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int range gig 0/1-3    ! Range of interfaces GigabitEthernet 0/1, 0/2 & 0/3
Switch(config-if-range)#switchport mode access
There are two steps: configure the settings and activate the configuration.
Let me configure the maximum number of devices allowed on a port, say GigabitEthernet 0/1, to be one, meaning only one device at a time can connect to this port and access the network.
Switch(config)#int gig0/1
Switch(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
Switch(config-if)#switchport port-security maximum 1
Note that this doesn’t say this device or that device. As long as there’s only one device (any device) connected to the port, it’s fine.
The next configuration step is the violation policy. What should the port do if more than one device (the configured maximum) starts communicating on the port? The default mode is shutdown. Running the command explicitly doesn’t hurt, however.
Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
Switch(config-if)#switchport port-security violation shutdown
If I want to restrict access to a specific MAC address, it needs to be bound to the port like so:
Switch(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
Switch(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
Switch(config-if)#switchport port-security mac-address B8-CA-3A-8A-23-D7
The MAC address of the machine can be seen by running “ipconfig /all” on Windows or “ifconfig” on Linux.
Here’s another way to find the MAC address. Running show mac address-table lists all the MAC addresses the switch has learned, from which we can pick the MAC address to be bound to the port.
Switch#sh mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
   1    0001.e66c.aaf0    DYNAMIC     Gi0/23
   1    0009.0f09.0004    DYNAMIC     Gi0/23
   1    000c.2904.149b    DYNAMIC     Gi0/23
   1    000c.2904.606b    DYNAMIC     Gi0/23
   1    000c.2909.7b45    DYNAMIC     Gi0/23
   1    000c.2928.6c2b    DYNAMIC     Gi0/23
   1    000c.2944.a15d    DYNAMIC     Gi0/23
...
The list is really huge. The static MACs are the addresses of the switch itself, which the switch uses when it communicates. The dynamic MACs are the ones the switch has learnt as devices communicate through its ports.
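Picking a MAC address out of the host’s ipconfig/ifconfig output or out of show mac address-table and typing it into the mac-address command is error-prone, because every tool prints the address in a different notation. The following is an added example (not from the original post and not Cisco’s code) that normalises the Windows, Linux and IOS notations to the dotted H.H.H form the switch uses, parses a show mac address-table capture, and emits the static-binding commands the post configures by hand. The mac table text is a constructed sample in the layout shown above; the Gi0/1 row is added for the demonstration.

```python
import re

# Constructed sample in the layout of "show mac address-table" output (not a capture
# from the post's switch); the Gi0/1 row is added for the demonstration.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
   1    0001.e66c.aaf0    DYNAMIC     Gi0/23
   1    0009.0f09.0004    DYNAMIC     Gi0/23
   1    b8ca.3a8a.23d7    DYNAMIC     Gi0/1
"""


def to_cisco_mac(mac: str) -> str:
    """Normalise Windows (B8-CA-3A-8A-23-D7), Linux (b8:ca:3a:8a:23:d7) or dotted
    notation to the lowercase H.H.H form that IOS prints and accepts.
    Expects just the address string, not a whole ipconfig/ifconfig line."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


# One data row of the table: VLAN (or "All"), dotted MAC, type, port.
ROW = re.compile(
    r"^\s*(All|\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text: str) -> list[dict]:
    """Turn a 'show mac address-table' capture into a list of entries,
    skipping the title, header and separator lines."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append({"vlan": vlan, "mac": mac.lower(),
                            "type": kind.upper(), "port": port})
    return entries


def dynamic_macs_on_port(entries: list[dict], port: str) -> list[str]:
    """The addresses the switch has learnt on one port; the STATIC entries
    are the switch's own addresses and are never candidates for binding."""
    return sorted(e["mac"] for e in entries
                  if e["type"] == "DYNAMIC" and e["port"] == port)


def port_security_commands(interface: str, macs: list[str]) -> list[str]:
    """Emit the static-binding configuration for one port, in the order the
    post applies it: access mode, maximum, bindings, violation, then enable."""
    cmds = [f"interface {interface}",
            "switchport mode access",
            f"switchport port-security maximum {len(macs)}"]
    cmds += [f"switchport port-security mac-address {to_cisco_mac(m)}" for m in macs]
    cmds += ["switchport port-security violation shutdown",
             "switchport port-security"]
    return cmds


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    print("learnt on Gi0/1:", dynamic_macs_on_port(table, "Gi0/1"))
    print("\n".join(port_security_commands("GigabitEthernet0/1",
                                           ["B8-CA-3A-8A-23-D7"])))
```

The maximum is set to the number of addresses being bound, so the binding and the limit cannot drift apart, and the enabling command comes last, which matters because the feature does nothing until it is entered (see the running-config review below).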
There’s yet another way of specifying the MAC address: sticky. With sticky, the switch binds to the port the MAC addresses it has previously learnt on it.
Switch(config-if)#switchport port-security mac-address sticky
The sticky command works within the context of the maximum MAC addresses we configured previously. If I configure the maximum MAC addresses to be 5, the sticky command will bind the previous five MAC addresses it learnt on the port to it. Pretty cool huh!
Switch(config-if)#switchport port-security maximum 5
Switch(config-if)#switchport port-security mac-address sticky    ! bind last 5 MAC addresses learnt on the port
As long as the devices stay put, sticky works fine. But if a guy brings in his laptop and connects to the switch, the switch learns his MAC address and sticks it to the port. If another PC is then connected to that port, the switch shuts the port down. Hence manually typing the MAC addresses to be bound to the port gives much better control over events than sticky does.
Let’s review the configuration.
Switch#sh run int gig0/1
Building configuration...

Current configuration : 170 bytes
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security mac-address sticky
end
Note that switchport port-security maximum 1 and switchport port-security violation shutdown are not shown in the running-config, because those are the defaults. Meaning if I run switchport port-security, by default the maximum is 1 and the violation mode is shutdown. Default settings do not usually show up in the running-config.
Port security is not yet enabled. It can be enabled like so:
Switch(config-if)#switchport port-security    ! enables the port security
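Two things in the running-config above are easy to misread: the defaults (maximum 1, violation shutdown) are invisible, and the sticky and mac-address lines do nothing until the bare switchport port-security line is present. The following is an added example (not from the original post and not Cisco’s code) that reads a running-config, folds each interface stanza into the settings the switch will actually apply with the defaults filled in, and flags the configuration mistakes the post warns about: access ports where the feature is not enabled, protect mode (no syslog), and sticky combined with a maximum above 1 (the first few devices seen, whoever they are, become trusted). The config text is a constructed sample; Gi0/1 mirrors the state shown above before the enabling command.

```python
# Constructed running-config excerpt (sample only). Gi0/1 mirrors the post's
# port before "switchport port-security" is entered; the others are invented.
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security mac-address b8ca.3a8a.23d7
 switchport port-security
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security maximum 5
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security
!
interface GigabitEthernet0/4
 switchport mode trunk
!
"""

# Values IOS applies when the corresponding line is absent from the config.
DEFAULTS = {"maximum": 1, "violation": "shutdown"}


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [stanza lines]}; a '!' line ends a stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def effective_port_security(lines: list[str]) -> dict:
    """Fold one stanza into the settings the switch really uses,
    filling in the defaults that never show up in the running-config."""
    s = {"mode": None, "enabled": False, "sticky": False, "static_macs": [], **DEFAULTS}
    for line in lines:
        if line.startswith("switchport mode "):
            s["mode"] = line.split()[-1]
        elif line == "switchport port-security":          # the bare command enables it
            s["enabled"] = True
        elif line.startswith("switchport port-security maximum "):
            s["maximum"] = int(line.split()[-1])
        elif line.startswith("switchport port-security violation "):
            s["violation"] = line.split()[-1]
        elif line == "switchport port-security mac-address sticky":
            s["sticky"] = True
        elif line.startswith("switchport port-security mac-address "):
            s["static_macs"].append(line.split()[-1])
    return s


def audit(config: str) -> dict[str, list[str]]:
    """Return {interface: [findings]} for every port that has something to fix."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        s = effective_port_security(lines)
        touched = any(l.startswith("switchport port-security") for l in lines)
        issues = []
        if s["mode"] == "access" and not s["enabled"]:
            issues.append("access port: port-security not enabled")
        if s["mode"] != "access" and touched:
            issues.append("port-security configured on a non-access port")
        if touched and s["violation"] == "protect":
            issues.append("protect mode drops offenders silently (no syslog)")
        if s["sticky"] and s["maximum"] > 1:
            issues.append(f"sticky with maximum {s['maximum']}: the first "
                          f"{s['maximum']} devices seen become trusted")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_RUNNING_CONFIG).items():
        print(port, "->", "; ".join(issues))
```

Gi0/2 produces no finding: one static address, maximum 1 and violation shutdown by default, and the feature enabled. Gi0/4 is a trunk with no port-security lines, so the audit leaves it alone rather than demanding port security on an uplink.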
Now I’ll connect a different PC to port GigabitEthernet 0/1. After a few seconds the syslog message of the port-security violation shows up on the console.
*Mar  1 02:44:16.580: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
*Mar  1 02:44:16.580: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 782b.cb86.3291 on port GigabitEthernet0/1.
*Mar  1 02:44:17.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar  1 02:44:18.585: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
The port Gi0/1 is put into the ERR-DISABLE state. The message also gives the MAC address that caused the violation (782b.cb86.3291), which we can investigate later on.
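Those console lines are the detection signal a syslog collector should be watching for, and they also reveal which violation mode the port is in: shutdown mode produces a %PM-4-ERR_DISABLE line alongside the %PORT_SECURITY-2-PSECURE_VIOLATION line, restrict mode produces only the violation line, and protect mode logs nothing. The following is an added example (not from the original post and not Cisco’s code) that parses such messages into one record per port, carrying the offending MAC and whether the port was err-disabled, and classifies the mode from that. The first four log lines are the post’s own capture; the fifth is constructed to show a restrict-mode violation on Gi0/2.

```python
import re

# The first four lines are the post's console capture; the fifth is a constructed
# restrict-mode violation (syslog without err-disable) on Gi0/2.
SAMPLE_LOG = """\
*Mar  1 02:44:16.580: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
*Mar  1 02:44:16.580: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 782b.cb86.3291 on port GigabitEthernet0/1.
*Mar  1 02:44:17.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar  1 02:44:18.585: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar  1 03:10:02.101: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/2.
"""

TIMESTAMP = re.compile(r"^\*?(\w{3}\s+\d+\s+[\d:.]+):")
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address ([0-9a-fA-F.]+) on port (\S+?)\.?$")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")


def short_name(port: str) -> str:
    """Map 'GigabitEthernet0/1' to 'Gi0/1', the form the ERR_DISABLE message uses,
    so both messages about one port land in the same record."""
    m = re.match(r"^([A-Za-z]{2})[A-Za-z]*(\d.*)$", port)
    return m.group(1) + m.group(2) if m else port


def parse_events(text: str) -> dict[str, dict]:
    """Return {port: {'mac', 'err_disabled', 'time'}} built from the syslog lines."""
    events = {}
    for raw in text.splitlines():
        line = raw.strip()
        ts = TIMESTAMP.match(line)
        when = ts.group(1) if ts else None

        m = VIOLATION.search(line)
        if m:
            port = short_name(m.group(2))
            ev = events.setdefault(port, {"mac": None, "err_disabled": False, "time": when})
            ev["mac"] = m.group(1).lower()
            continue

        m = ERR_DISABLE.search(line)
        if m:
            port = short_name(m.group(1))
            ev = events.setdefault(port, {"mac": None, "err_disabled": False, "time": when})
            ev["err_disabled"] = True
    return events


def classify(events: dict[str, dict]) -> dict[str, str]:
    """Infer the violation mode from what the log shows: shutdown mode err-disables
    the port, restrict mode only logs. Protect mode never appears in the log at all."""
    return {port: ("shutdown" if ev["err_disabled"] else "restrict")
            for port, ev in events.items()}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for port, mode in classify(events).items():
        print(f"{port}: violation by {events[port]['mac']} at {events[port]['time']} ({mode} mode)")
```

A port that keeps appearing in restrict-mode records is one where an unknown device is still plugged in and being dropped frame by frame; the err-disabled ones are the ones that need the shutdown / no shutdown recovery described at the end of the post.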
The port security configuration is verified using the following commands.
Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
Port security is configured on only one port, Gi0/1, with a maximum of 1 address. There’s been one security violation, and the action on violation is the default, shutdown.
To know the MAC address bound on the port, we can run show port-security address.
Switch#sh port-security address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    b8ca.3a8a.23d7    SecureSticky                  Gi0/1        -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
The most detailed view of the port security configuration is obtained using the interface option.
Switch#sh port-security interface gig0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 782b.cb86.3291:1
Security Violation Count   : 1
Note that the Port Status is Secure-shutdown because of the violation. Otherwise, it would be Secure-up. The Last Source Address is the MAC address responsible for the violation.
We can also configure aging, which essentially means that after a secure address has been idle for a given time, say 9 hours, the sticky address is removed.
The last piece of the port security puzzle is knowing how to bring the port back after it has gone down because of a violation.
If I run show ip interface brief, there’s no way of telling whether port Gi0/1 is down because of a port-security violation or because the cable is unplugged, since the status says “down”, not “Administratively down”.
Switch#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  up                    up
GigabitEthernet0/1     unassigned      YES unset  down                  down
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/4     unassigned      YES unset  down                  down
GigabitEthernet0/5     unassigned      YES unset  down                  down
If I want to see the actual status of the port, I should run show interfaces gig0/1.
Switch#sh interfaces gig0/1
GigabitEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Gigabit Ethernet, address is 24e9.b3ca.1881 (bia 24e9.b3ca.1881)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
...
Notice the first line: Gi0/1 is down, line protocol is down, with err-disabled in parentheses. That’s the giveaway. Now I know that the port is down because of a port security violation.
To bring the port back, we need to run the following commands on the port, which restart it. This causes the sticky address to be flushed from the port and brings the port back up.
Switch(config)#int gig0/1
Switch(config-if)#shutdown    ! Shuts the port and the sticky address gets flushed
Switch(config-if)#no shut     ! brings back the port
Now the port security status can be verified to see whether the port is Secure-up.
Switch#sh port-security int gig0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 782b.cb86.3291:1
Security Violation Count   : 0
Note that the Security Violation Count is 0. This is because the shutdown clears the count. The security violation count doesn’t go above 1 if the mode is shutdown. It will in the other modes, protect and restrict.
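Since show ip interface brief cannot distinguish an err-disabled port from an unplugged one, an operator who polls many switches wants the check automated: read show port-security interface and the first line of show interfaces, and decide whether the port is healthy, logging violations while still up (restrict mode), or err-disabled and in need of the shutdown / no shutdown recovery. The following is an added example (not from the original post and not Cisco’s code) that parses both outputs; the two show port-security interface captures are the post’s own, before and after the recovery, and the show interfaces lines are the post’s first line plus a constructed healthy one.

```python
# Outputs copied from the post: the port right after the violation, and after
# the shutdown / no shutdown recovery.
AFTER_VIOLATION = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 782b.cb86.3291:1
Security Violation Count   : 1
"""
AFTER_RECOVERY = AFTER_VIOLATION.replace("Secure-shutdown", "Secure-up") \
                                .replace("Security Violation Count   : 1",
                                         "Security Violation Count   : 0")

# First line of "show interfaces": the post's err-disabled port, and a constructed
# healthy port for comparison.
SHOW_INT_ERRDISABLED = "GigabitEthernet0/1 is down, line protocol is down (err-disabled)"
SHOW_INT_HEALTHY = "GigabitEthernet0/2 is up, line protocol is up (connected)"

COUNTERS = ("Maximum MAC Addresses", "Total MAC Addresses", "Configured MAC Addresses",
            "Sticky MAC Addresses", "Security Violation Count")


def parse_port_security_interface(text: str) -> dict:
    """Turn the 'Key : Value' lines into a dict, converting the counters to
    int and splitting 'Last Source Address:Vlan' into address and VLAN."""
    d = {}
    for line in text.splitlines():
        if " : " in line:
            key, _, value = line.partition(" : ")   # first ' : ' is the separator
            d[key.strip()] = value.strip()
    for key in COUNTERS:
        if key in d:
            d[key] = int(d[key])
    if "Last Source Address:Vlan" in d:
        mac, _, vlan = d["Last Source Address:Vlan"].rpartition(":")
        d["Last Source Address"] = mac
        d["Last Source Vlan"] = int(vlan)
    return d


def is_err_disabled(show_interfaces_text: str) -> bool:
    """The '(err-disabled)' marker on the first line of 'show interfaces' is the
    only thing that separates a violated port from an unplugged one."""
    first = show_interfaces_text.strip().splitlines()[0]
    return "(err-disabled)" in first


def port_state(ps: dict) -> str:
    """Summarise the parsed 'show port-security interface' output."""
    if ps.get("Port Security") != "Enabled":
        return "not-enabled"
    if ps["Port Status"] == "Secure-shutdown":
        return "err-disabled"            # needs shutdown / no shutdown on the interface
    if ps.get("Security Violation Count", 0) > 0:
        return "violations-while-up"     # restrict (or protect) mode keeps the port up
    return "secure-up"


if __name__ == "__main__":
    for label, text in (("after violation", AFTER_VIOLATION), ("after recovery", AFTER_RECOVERY)):
        ps = parse_port_security_interface(text)
        print(f"{label}: {port_state(ps)}, last source {ps['Last Source Address']} "
              f"in VLAN {ps['Last Source Vlan']}")
    print("show interfaces says err-disabled:", is_err_disabled(SHOW_INT_ERRDISABLED))
```

The Last Source Address survives the recovery (it is still 782b.cb86.3291 in the second capture) even though the violation count has been reset, so it remains available for the follow-up investigation the post mentions.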
Let’s listen to Joe Astorino’s class on port security.