Port security

In Cisco routers all ports are shut down and thus unusable by default. With switches the opposite applies: all ports are open and usable by default. Thus, anybody who has physical access to the switch can plug in a device and either start using the network or at least extract information about the network topology. Port security should be implemented to thwart exactly that.


Port security controls which MACs are allowed on which ports. If a non-authorised MAC is plugged into a given port, the default action is to place the port in err-disabled state, effectively shutting it down. The port will remain down until we manually bring it up. And even then, if the MAC detected is not the authorised one, the port will be err-disabled again.


We can manually configure the MACs authorised on a given port or let the switch learn them and accept the first N MACs detected. Usually we will only allow 1 MAC per port, but in certain circumstances (e.g. Cisco phone + computer) we might need to allow 2 or more MACs.


It is fairly trivial to spoof the MAC address of the plugged device to fool the switch, but to do that one would need to know beforehand the allowed MAC on the port. So port security cannot be thought of as a bullet-proof solution but as another layer of defense. What port security certainly prevents is DHCP starvation attacks.


Let’s see how to enable port security on a port:

SW1(config)# interface g0/1
SW1(config-if)# switchport port-security
Command rejected: GigabitEthernet0/1 is a dynamic port.
 
SW1(config-if)# do show int g0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
[…]
 
SW1(config-if)# switchport mode access
 
SW1(config-if)# do show int g0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
[…]
 
SW1(config-if)# switchport port-security
SW1(config-if)#

In the example above the first attempt at enabling port security with switchport port-security fails because the port is in dynamic auto mode (so it can be in either trunk or access mode). After we explicitly set it to access mode (Administrative Mode: static access), the second attempt is successful.

Now the default port security settings are enforced for that port but… what are those settings? Let’s see…

SW1# show port-security interface g0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

In the output above we see that port security is enabled, the port is up, and if there were any violation the port would be shut down for good, forcing a manual intervention. We also see that a maximum of 1 MAC is allowed but none has yet been seen, manually configured or dynamically learnt. If we start using the interface plugged into port g0/1, the output of the same command would change to something like this as soon as the switch learns its MAC:

SW1# show port-security interface g0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000a.000a.000a:1
Security Violation Count   : 0

If we now plug another interface into the same port, the output will change to something like this:

SW1# show port-security interface g0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000b.000b.000b:1
Security Violation Count   : 1

As expected, the switch shut down the port as soon as the unauthorised MAC was detected. We can also detect the security violation with the command…

SW1# show interface status
Port      Name        Status         Vlan    Duplex   Speed Type
Gi0/0                 connected      1       auto     auto  unknown
Gi0/1                 err-disabled   1       auto     auto  unknown

If we plug the authorised interface back into the port, we will have to manually shut down and bring up the port for things to go back to normal:

SW1(config)# interface g0/1
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
 
SW1# show port-security interface g0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

In certain situations we might prefer for the ports to come up again when the violation (or error) has been cleared. Let’s see how we can achieve that…

SW1# show errdisable recovery
ErrDisable Reason        Timer Status
-----------------        --------------
arp-inspection           Disabled
bpduguard                Disabled
channel-misconfig (STP)  Disabled
dhcp-rate-limit          Disabled
dtp-flap                 Disabled
[…]
psecure-violation        Disabled
security-violation       Disabled
sfp-config-mismatch      Disabled
storm-control            Disabled
udld                     Disabled
unicast-flood            Disabled
vmps                     Disabled
psp                      Disabled
dual-active-recovery     Disabled
evc-lite input mapping fa  Disabled
Recovery command: "clear   Disabled
 
Timer interval: 300 seconds
 
Interfaces that will be enabled at the next timeout:
 
SW1(config)# errdisable recovery cause psecure-violation
SW1(config)# errdisable recovery interval 600
 
SW1# show errdisable recovery
ErrDisable Reason        Timer Status
-----------------        --------------
arp-inspection           Disabled
bpduguard                Disabled
channel-misconfig (STP)  Disabled
dhcp-rate-limit          Disabled
dtp-flap                 Disabled
[…]
psecure-violation        Enabled
security-violation       Disabled
sfp-config-mismatch      Disabled
storm-control            Disabled
udld                     Disabled
unicast-flood            Disabled
vmps                     Disabled
psp                      Disabled
dual-active-recovery     Disabled
evc-lite input mapping fa  Disabled
Recovery command: "clear   Disabled
 
Timer interval:  600 seconds
 
Interfaces that will be enabled at the next timeout:
 
Interface    Errdisable reason    Time left(sec)
---------    -----------------    --------------
Gi0/1       psecure-violation       578
 

Voilà! Provided we manually configured the authorised MAC, if we unplug the wrong interface and plug the right one back in, the port will come up automatically once the timeout expires. If instead we let the switch learn and accept the first MAC it sees… then it might admit an extraneous interface onto the network! Be careful when you enable auto recovery of port security!

The shutdown violation mode is the default and the most commonly used, but there are two more: restrict and protect.

• In shutdown mode the switch disables the port and places it in err-disabled state. It generates one Syslog/SNMP message and sets the violation counter to 1.

• In restrict mode the switch discards traffic from unauthorised MAC addresses and generates the Syslog/SNMP for each unauthorised MAC detected. But the port IS NOT disabled and the violation count is incremented by 1 for each unauthorised frame.

• In protect mode the switch also discards traffic from unauthorised MACs but keeps the port up (like restrict mode). However, it does not generate Syslog/SNMP messages.


Let’s switch the port security mode to restrict and see the output when a violation occurs:

SW1(config)# interface g0/1
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address 000a.000a.000a
SW1(config-if)# switchport port-security violation restrict

As soon as we plug the wrong MAC on the port we should see something like this in our terminal:

*May 24 23:54:10.546: %PORT_SECURITY-2-PSECURE-VIOLATION: Security violation occurred, caused by MAC address 000b.000b.000b on port GigabitEthernet0/1.
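
As an added example that is not from the original post: a Python snippet that pulls the MAC and port out of %PORT_SECURITY-2-PSECURE-VIOLATION messages collected from syslog and ranks ports by how often they fired, so a noisy restrict-mode port stands out. The log lines are constructed to match the message format above.

```python
import re
from collections import defaultdict

# Constructed syslog lines in the format of the message above (not a real capture).
SAMPLE_LOG = """\
*May 24 23:54:10.546: %PORT_SECURITY-2-PSECURE-VIOLATION: Security violation occurred, caused by MAC address 000b.000b.000b on port GigabitEthernet0/1.
*May 24 23:54:11.102: %PORT_SECURITY-2-PSECURE-VIOLATION: Security violation occurred, caused by MAC address 000b.000b.000b on port GigabitEthernet0/1.
*May 24 23:55:02.771: %PORT_SECURITY-2-PSECURE-VIOLATION: Security violation occurred, caused by MAC address 000c.000c.000c on port GigabitEthernet0/2.
*May 24 23:55:03.004: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE-VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>[A-Za-z]+[\d/]+)"
)

def parse_violations(log_text):
    """Map port -> {mac: number of violation messages}; unrelated lines are skipped."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            hits[m.group("port")][m.group("mac")] += 1
    return {port: dict(macs) for port, macs in hits.items()}

def ports_by_violations(log_text):
    """(port, sorted distinct MACs, total messages), busiest port first.
    In shutdown mode a port logs once and goes err-disabled; in restrict mode it
    stays up and keeps logging, so a growing total means the host is still plugged in."""
    rows = [(port, sorted(macs), sum(macs.values()))
            for port, macs in parse_violations(log_text).items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))
```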

If we check the security status of the port…

SW1# show port-security interface g0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000b.000b.000b:1
Security Violation Count   : 14
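
As an added example (not part of the original post), a small Python parser for the show port-security interface output that turns it into findings a monitoring job could act on. It catches both the Secure-shutdown case from the earlier shutdown-mode output and the case here, where restrict mode keeps the port up and the non-zero violation counter is the only sign on the switch. The sample text is constructed to match the layout above.

```python
import re

# Constructed sample laid out like the 'show port-security interface' output above.
SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000b.000b.000b:1
Security Violation Count   : 14
"""

# Key ends at the first ' : ' so 'Last Source Address:Vlan' stays intact.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")

def parse_port_security(text):
    """Return {field: value}; counters and 'N mins' become ints."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m:
            value = m.group("value")
            num = re.fullmatch(r"(\d+)(?: mins)?", value)
            fields[m.group("key")] = int(num.group(1)) if num else value
    return fields

def audit(text):
    """Findings a monitoring job would raise for one port (empty list = nothing to do)."""
    f = parse_port_security(text)
    findings = []
    if f.get("Port Security") != "Enabled":
        return ["port security not enabled"]
    if f["Port Status"] == "Secure-shutdown":
        findings.append("err-disabled by a violation: needs shut/no shut or errdisable recovery")
    elif f["Security Violation Count"] > 0:
        # restrict/protect keep the port up, so this counter is the only trace on the switch
        findings.append(f"{f['Security Violation Count']} violations while port stayed up, "
                        f"last MAC {f['Last Source Address:Vlan']}")
    if f["Violation Mode"] == "Protect":
        findings.append("protect mode: no Syslog/SNMP on violations, monitoring is blind")
    if f["Aging Time"] > 0 and not (f["Configured MAC Addresses"] or f["Sticky MAC Addresses"]):
        findings.append("dynamic MACs age out and none is pinned: a new device could be accepted")
    return findings
```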


By default MAC aging is disabled (see Aging Time: 0 mins in the output above), but we can enable it, in which case it applies to dynamically learnt MACs. For statically configured MACs (e.g. switchport port-security mac-address aaaa.bbbb.cccc) aging has to be enabled separately. There are two aging modes:

• Absolute: the timer starts counting down as soon as the MAC is learnt, and the MAC is flushed from the MAC address table when the timer hits zero. It is relearnt as soon as another frame is received on the port.

• Inactivity: the timer restarts every time a frame is received on the port, so the MAC is only flushed after a full period without traffic.


To enable aging we use the following two commands where time is stated in minutes:

SW1(config)# interface g0/1
SW1(config-if)# switchport port-security aging time 10
SW1(config-if)# switchport port-security aging type inactivity

And to force MAC aging also for static MACs we should use:

SW1(config-if)# switchport port-security aging static
 
SW1# show port-security interface g0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Enabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0


If we want to check the security status of all ports it is more practical to use the following command:

SW1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
     Gi0/1               1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096


Dynamically learnt MACs are aged out if aging is enabled, and that opens up the opportunity to plug a new interface into the secured port. If we want to make sure that the first dynamically learnt MAC on a port becomes the only one ever accepted, we should run…

SW1(config-if)# switchport port-security mac-address sticky

The command above converts the dynamically learnt MACs on the port into sticky secure MACs, which do not age out. We can list the secure MAC addresses in the MAC address table like this:

SW1# show mac address-table secure
        Mac Address Table
--------------------------
 
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000a.000a.000a    STATIC      Gi0/1
Total Mac Addresses for this criterion: 1
