9-Port Security

The document discusses port security in network switches, detailing how switches learn MAC addresses through flooding and MAC address tables. It explains the importance of port security to prevent MAC flooding attacks and unauthorized access, and outlines configuration steps for enabling port security on Cisco switches. Additionally, it covers different violation modes and provides a case study for implementing port security in a network environment.

Uploaded by talha.ali9ctn

Port Security

Dr. Kashif Ishaq


Introduction

▪ Wired Ethernet environment
▪ Limit the MAC address

How does a switch learn MAC Addresses?

When a switch is first powered on, it does not know any MAC addresses
in the network.

The switch needs to learn the MAC addresses by examining the source
MAC address of incoming data packets.

There are two main ways that a switch can learn MAC addresses:

1. Flooding
2. MAC address table
1. Flooding

If the switch does not have the destination MAC address in its table, it floods the packet out of all ports except the one it was received on. This mechanism ensures that the data packet reaches its intended destination even if the switch does not yet know the destination MAC address.
2. MAC address table

As data packets are sent through the switch, the switch builds a MAC address table. The table maps MAC addresses to the physical ports on the switch.

When the switch receives a data packet, it examines the source MAC address and records that MAC address, together with the port on which the packet arrived, in its MAC address table.

The switch then forwards the data packet to the appropriate port based on the destination MAC address in its MAC address table.
The table can be inspected with:

Switch#show mac-address-table
Types of MAC address learning

There are two main types of MAC address learning:

1. Static MAC address learning

Static MAC address learning involves manually configuring the MAC addresses in the switch's MAC address table. This approach is commonly used for devices that are always connected to the network, such as servers or printers.
Add a MAC address in a switch

To configure a static MAC address, use the following command:

SW1(config)#mac address-table static MAC_ADDRESS vlan ID interface INTERFACE

SW1(config)#mac address-table static 1111.1111.1111 vlan 1 interface fa0/2

To verify the configuration, use the show mac-address-table command:

SW1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    1111.1111.1111    STATIC      Fa0/2
2. Dynamic MAC address learning

Dynamic MAC address learning involves the switch automatically learning MAC addresses as devices connect to the network.

This approach is commonly used for devices that are frequently added to or removed from the network, such as laptops or mobile devices.

(Figure: two MAC addresses are learned dynamically)
NOTE:
By default, MAC addresses stay in the switch's MAC address table for 5 minutes. So if host A and host B decide to communicate within the next 5 minutes, a new ARP process will not be necessary.
MAC address aging

▪ MAC addresses are not permanent (devices and their MAC addresses change over time).
▪ To keep the MAC address table up to date, switches use MAC address aging.
▪ MAC address aging removes a MAC address from the table after a certain period of time has elapsed since the switch last received a data packet from that device.
▪ By default, most switches use a MAC address aging time of five minutes.
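The learning, flooding and aging behaviour described above, as an added Python model that is not part of the original deck. The port names and MAC addresses are constructed sample values, and the 300-second timer is the default five-minute aging time stated above; a static entry added with add_static never ages out, mirroring the static entries shown earlier.

```python
import math
from dataclasses import dataclass, field

AGING_SECONDS = 300  # the default five-minute aging time described above
BROADCAST = "ffff.ffff.ffff"


@dataclass
class MacEntry:
    port: str
    last_seen: float      # time (seconds) the switch last saw this source MAC
    static: bool = False  # manually configured entries never age out


@dataclass
class Switch:
    ports: list
    aging: int = AGING_SECONDS
    table: dict = field(default_factory=dict)   # MAC -> MacEntry

    def add_static(self, mac, port):
        """Equivalent of 'mac address-table static MAC vlan 1 interface PORT'."""
        self.table[mac] = MacEntry(port, last_seen=math.inf, static=True)

    def age_out(self, now):
        """Remove dynamic entries not refreshed within the aging time; return them."""
        expired = [mac for mac, e in self.table.items()
                   if not e.static and now - e.last_seen >= self.aging]
        for mac in expired:
            del self.table[mac]
        return expired

    def receive(self, in_port, src, dst, now):
        """Process one frame: learn the source, then return the list of egress ports."""
        self.age_out(now)
        entry = self.table.get(src)
        if entry is None or not entry.static:
            self.table[src] = MacEntry(in_port, now)   # learn or refresh the source
        target = self.table.get(dst)
        if dst == BROADCAST or target is None:
            return [p for p in self.ports if p != in_port]  # unknown destination: flood
        if target.port == in_port:
            return []          # destination sits behind the ingress port; nothing to forward
        return [target.port]   # known destination: forward out of that port only


def demo():
    """Walk through learning, directed forwarding and aging with constructed MACs."""
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    h1, h2 = "0000.0000.0001", "0000.0000.0002"   # constructed sample MAC addresses
    flooded = sw.receive("Fa0/1", h1, h2, now=0)   # h2 unknown -> flooded to Fa0/2, Fa0/3
    direct = sw.receive("Fa0/2", h2, h1, now=1)    # h1 already learned -> Fa0/1 only
    expired = sw.age_out(now=1 + AGING_SECONDS)    # both dynamic entries have aged out
    return flooded, direct, expired


if __name__ == "__main__":
    print(demo())
```

The first frame is flooded because H2 is unknown, the reply goes straight to Fa0/1 because H1 was learned from the first frame, and five minutes of silence empties the dynamic entries while static ones stay.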
Port Security

One of the best practices in security is to try to stop security threats at the entry point of a LAN.

A switch can play an important role in network security since it is the entry point of the network.

For example, port security on Cisco switches can be used to stop MAC flooding attacks or to prevent unauthorized hosts from connecting to the switch.

In MAC flooding, an attacker connects a laptop to an empty switch port or an empty RJ45 wall socket and uses hacking tools to generate millions of Ethernet frames with fake source MAC addresses, sending them to the switch interface.

The switch learns these MAC addresses, and once it reaches its MAC address learning limit it starts flooding all traffic out of all of its ports (i.e. it starts behaving like a hub).

This means that the attacker can capture the traffic of the connected devices.

The solution to this kind of attack (and also to other Layer 2 attacks) is easy and simple. It is called port security, and you can use it to limit the number of MAC addresses per interface or even to specify which MAC address can connect to each physical port of the switch.
Example

In the topology above, someone connected a cheap (unmanaged) switch that they brought from home to the FastEthernet 0/1 interface of our Cisco switch. Sometimes people like to bring an extra switch from home to the office. As a result, our Cisco switch learns the MAC addresses of H1 and H2 on its FastEthernet 0/1 interface.
Port-Security Violations

There are three actions a port can take when a violation occurs on the interface. These options are "Shutdown" (the default), "Protect" and "Restrict".

(Figure: protect, restrict, shutdown)

Protect: Under this mode, only data packets from the defined MAC addresses are forwarded into the network.

Restrict: When this mode is enabled and port security is violated, the data transfer is blocked and the packets are dropped. Logs are also generated at the same time, so you can check which device was connected to the Cisco switch.

Shutdown: This mode is enabled by default. The port state is changed to error-disabled, which prevents the connected device from performing any function and also disables that particular port.
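The three violation modes side by side, as an added Python model that is not part of the original deck. SecurePort is a hypothetical class: it assumes the behaviour described above (protect drops silently, restrict drops and logs, shutdown additionally puts the port in err-disabled state) and formats its log lines after the console messages shown later in the deck; the MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Model of one access port with port security enabled."""
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # "protect", "restrict" or "shutdown"
    allowed: set = field(default_factory=set)   # statically configured secure MACs
    learned: set = field(default_factory=set)   # dynamically (or sticky) learned secure MACs
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def secure_macs(self):
        return self.allowed | self.learned

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"                       # an err-disabled port passes nothing
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)           # room left: learn it as a secure address
            return "forward"
        return self._violate(src_mac)

    def _violate(self, src_mac):
        if self.violation == "protect":
            return "drop"                       # dropped silently: no counter, no log
        self.violation_count += 1               # restrict and shutdown both count and log
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True            # port goes to err-disabled
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                            f"{self.name}, putting {self.name} in err-disable state")
        return "drop"

    def recover(self):
        """The manual 'shutdown' / 'no shutdown' recovery of an err-disabled port."""
        self.err_disabled = False


def demo(mode):
    """One allowed host (h1), then an unexpected second host (h2), then h1 again."""
    port = SecurePort("Fa0/1", maximum=1, violation=mode)
    h1, h2 = "0000.0000.0001", "0000.0000.0002"   # constructed sample MAC addresses
    decisions = [port.ingress(h1), port.ingress(h2), port.ingress(h1)]
    return decisions, port.violation_count, port.err_disabled, len(port.log)


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, demo(mode))
```

The difference that matters operationally is the third frame: in protect and restrict modes the legitimate host keeps working after the violation, while in shutdown mode even H1 is cut off until someone recovers the port, which is why shutdown is the safest default but also the one that generates helpdesk calls.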
How to configure port-security?

Switch(config)#interface fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1

Use the switchport port-security command to enable port security, and switchport port-security maximum to set how many MAC addresses the interface may learn.
Besides setting a maximum on the number of MAC addresses, we can also use port security to filter MAC addresses so that only specific MAC addresses are allowed.

Use the switchport port-security mac-address command to define the MAC address that you want to allow:

Switch(config)#interface fa0/1
Switch(config-if)#switchport port-security mac-address aaaa.bbbb.cccc
When a violation occurs, the switch reports it on the console:

SwitchA#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0090.cc0e.5023 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Switch#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0090.cc0e.5023:1
Security Violation Count   : 1
Use show port-security interface to see the port security details per interface. You can see that the violation mode is shutdown and that the last violation was caused by MAC address 0090.cc0e.5023 (H1).

Switch#show interfaces fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
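The console messages and the show port-security interface output above are exactly what a monitoring pipeline should pick up, so here is an added Python parser for both (not part of the original deck). The two sample texts are constructed copies of the output shown above; the regular expressions, field names and the summarize record are this example's own assumptions, not a Cisco API.

```python
import re

# Constructed sample, modelled on the console messages shown in this deck.
SYSLOG_SAMPLE = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0090.cc0e.5023 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
"""

# Constructed sample of 'show port-security interface' output, as shown in this deck.
SHOW_SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0090.cc0e.5023:1
Security Violation Count   : 1
"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
PORT = r"[A-Za-z]+\d+(?:/\d+)*"
VIOLATION_RE = re.compile(
    rf"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address (?P<mac>{MAC}) "
    rf"on port (?P<port>{PORT})")
ERRDISABLE_RE = re.compile(
    rf"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>{PORT})")


def parse_syslog(text):
    """Extract port-security events (violation, err-disabled) from console/syslog text."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append({"event": "violation", "port": m["port"], "mac": m["mac"].lower()})
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            events.append({"event": "err-disabled", "port": m["port"]})
    return events


def parse_show_port_security(text):
    """Turn the 'Key : Value' lines into a dict, converting plain counters to int."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        fields[key] = int(value) if value.isdigit() else value
    last = fields.get("Last Source Address:Vlan", "")
    if ":" in last:                               # split "mac:vlan" into two fields
        mac, vlan = last.rsplit(":", 1)
        fields["Last Source MAC"] = mac.lower()
        fields["Last Source VLAN"] = int(vlan)
    return fields


def summarize(syslog_text, show_text):
    """Combine both sources into one record an operator can act on."""
    events = parse_syslog(syslog_text)
    fields = parse_show_port_security(show_text)
    violations = [e for e in events if e["event"] == "violation"]
    disabled = {e["port"] for e in events if e["event"] == "err-disabled"}
    return {
        "offending_macs": sorted({e["mac"] for e in violations}),
        "err_disabled_ports": sorted(disabled),
        "status": fields.get("Port Status"),
        "violation_count": fields.get("Security Violation Count", 0),
        "last_mac": fields.get("Last Source MAC"),
        "needs_recovery": fields.get("Port Status") == "Secure-shutdown",
    }


if __name__ == "__main__":
    print(summarize(SYSLOG_SAMPLE, SHOW_SAMPLE))
```

Note that the same interface appears as Fa0/1 in the PM message and as FastEthernet0/1 in the PORT_SECURITY message, so anything correlating the two has to normalise interface names before matching.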
Shutting the interface after a security violation is a good idea (security-wise), but the problem is that the interface will stay in err-disabled state.

This probably means another call to the helpdesk and you bringing the interface back to the land of the living!

Switch(config)#interface fa0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Setting MAC address filtering with the sticky command

There is another very useful way to filter MAC addresses. Instead of typing in a MAC address manually, you can use the "sticky" command.

With this command, the switch will learn the first MAC address connected to the interface and save it for port security.

Switch(config)#interface fa0/1
Switch(config-if)#switchport port-security mac-address sticky

Switch#show running-config
Switch#show port-security address

In either output you will see that the port with "sticky" has learned a MAC address.
Commands Summary

The following table explains the commands used above.

Command                                                         Description
Switch>enable                                                   Enter privileged EXEC mode.
Switch#configure terminal                                       Enter global configuration mode.
Switch(config)#interface fastethernet 0/1                       Enter interface configuration mode.
Switch(config-if)#switchport mode access                        Make the port an access (host) port.
Switch(config-if)#switchport port-security                      Enable the port security feature on this port.
Switch(config-if)#switchport port-security maximum 1            Set the limit on hosts that can be associated with the interface. The default value is 1; skip this command to use the default.
Switch(config-if)#switchport port-security violation shutdown   Set the security violation mode. The default mode is shutdown; skip this command to use the default.
Switch(config-if)#switchport port-security mac-address sticky   Enable the sticky feature.
Switch#show port-security                                       Show the port-security settings.
Switch#show port-security address                               Show the MAC addresses known to port security.
Case Study

You are the network administrator at Ranet and would like to enable port security on the access ports of Ranet-Sw, both to prevent someone from connecting another switch that lets multiple hosts use the same port at the same time, and to prevent unauthorized hosts from connecting via some port. All you have to do is:

▪ Enable port security on all access ports (except Gig1/1 and Gig1/2), set the parameter to allow only 1 MAC address per port, and make the action on a violation shutting down the port.
▪ On port FA0/1, where the authorized host (Host1) is currently connected, set the allowed MAC address on this port by the "secure sticky" method.
▪ On port FA0/3, where the unauthorized host (Rogue3) is currently connected, set the allowed MAC address to 0030:F295:15C6.

Configuration

Ranet-SW(config)#interface range fa0/1 - 24
Ranet-SW(config-if-range)#switchport mode access
Ranet-SW(config-if-range)#switchport port-security
Ranet-SW(config-if-range)#switchport port-security maximum 1
Ranet-SW(config-if-range)#switchport port-security violation shutdown
Ranet-SW(config-if-range)#exit
Ranet-SW(config)#interface fa0/1
Ranet-SW(config-if)#switchport port-security mac-address sticky
Ranet-SW(config-if)#exit
Ranet-SW(config)#interface fa0/3
Ranet-SW(config-if)#switchport port-security mac-address 0030.f295.15c6
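Once the case study configuration is applied, the next question is how to verify that every access port actually meets the requirements. The following added Python audit (not part of the original deck) parses a running-config and reports deviations. SAMPLE_CONFIG is a constructed excerpt of what the running-config would contain after the commands above, with two deliberately non-compliant ports (Fa0/4, Fa0/5) added for illustration; it assumes, as IOS does, that the defaults maximum 1 and violation shutdown are not printed in the running-config, so the audit treats their absence as the default. The function names and finding texts are this example's own.

```python
import re

# Constructed sample of a running-config after the case study commands, with Fa0/4 and
# Fa0/5 deliberately wrong. Assumption: the defaults 'maximum 1' and 'violation shutdown'
# are not shown in running-config, so their absence means the default is in effect.
SAMPLE_CONFIG = """\
hostname Ranet-SW
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0030.f295.15c6
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
!
interface FastEthernet0/5
 switchport mode access
!
interface GigabitEthernet1/1
 switchport mode trunk
!
"""

MAC_RE = re.compile(r"switchport port-security mac-address (sticky )?"
                    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$")
MAX_RE = re.compile(r"switchport port-security maximum (\d+)$")
VIOL_RE = re.compile(r"switchport port-security violation (protect|restrict|shutdown)$")


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None           # '!' or any other top-level line ends the stanza
    return interfaces


def port_security_state(lines):
    """Derive the effective port-security settings, applying the IOS defaults."""
    state = {"access": False, "enabled": False, "sticky": False,
             "macs": set(), "maximum": 1, "violation": "shutdown"}
    for line in lines:
        if line == "switchport mode access":
            state["access"] = True
        elif line == "switchport port-security":
            state["enabled"] = True
        elif line == "switchport port-security mac-address sticky":
            state["sticky"] = True
        elif m := MAC_RE.match(line):
            state["macs"].add(m.group(2))     # static or sticky-saved secure address
        elif m := MAX_RE.match(line):
            state["maximum"] = int(m.group(1))
        elif m := VIOL_RE.match(line):
            state["violation"] = m.group(1)
    return state


def audit(config, sticky_ports=(), static_macs=None):
    """Check every FastEthernet access port against the case study requirements."""
    static_macs = static_macs or {}
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("FastEthernet"):
            continue                         # Gig1/1 and Gig1/2 uplinks are out of scope
        s = port_security_state(lines)
        if not s["access"]:
            findings.append(f"{name}: not an access port")
        if not s["enabled"]:
            findings.append(f"{name}: port-security not enabled")
        if s["maximum"] != 1:
            findings.append(f"{name}: maximum is {s['maximum']}, expected 1")
        if s["violation"] != "shutdown":
            findings.append(f"{name}: violation mode is {s['violation']}, expected shutdown")
        if name in sticky_ports and not s["sticky"]:
            findings.append(f"{name}: sticky learning not enabled")
        if name in static_macs and static_macs[name] not in s["macs"]:
            findings.append(f"{name}: expected secure MAC {static_macs[name]}")
    return findings


def case_study_findings(config=SAMPLE_CONFIG):
    """The case study's own requirements: Fa0/1 sticky, Fa0/3 pinned to Rogue3's MAC."""
    return audit(config, sticky_ports=("FastEthernet0/1",),
                 static_macs={"FastEthernet0/3": "0030.f295.15c6"})


if __name__ == "__main__":
    for finding in case_study_findings():
        print(finding)
```

Run against a real running-config (show running-config saved to a file) the same audit catches the two failure modes that matter most in practice: a port on which port security was never enabled at all, and a port whose maximum or violation mode was later relaxed and no longer matches the policy.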
Thank you
