Cisco Port Security is a features that can help secure access to the physical network. Any Network admins nightmare is an unauthorised device or a PC connecting to the network. This could be as simple as an innocent guest plugging his PC into a floor port hoping to get an internet connection or a malicious intruder connecting to the network trying to gain access to confidential information.
Consequences could as bad as
- Virus, Spyware or malware infection from a PC unprotected PC
- A malicious hacker or an intruder gaining access to the network
- A malicous attacker launching a Denial of Service attack using MAC Address flooding
Cisco IOS has the port-security feature which can be used to restrict the MAC-Address of the devices that connects to each of the physical switchports.
Cisco Port-Security can help to
- restrict the MAC-address or addresses that can connect through a switchport [default: first connected device MAC Address]
- restrict the number of MAC-Addresses that can connect through a switchport [default is 1 and maximum is 128]
- set aging in minutes of the MAC Addresses registed
- Action to take when there is a violation detected (default is to disable the port and send an SNMP Trap message to the SNMP management server (if any))
For a switch port to be security enabled,
- the switchport cannot be a Trunk Port
- the switchport cannot be a destination port for a Switchport Analyzer (SPAN)
- the switchport cannot belong to an EtherChannel port-channel interface
- the switchport cannot be an 802.1X port
If you try to enable 802.1X on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port, an error message appears, and the security settings are not changed.
To enable Port Security on a Cisco Switch or router interface
Enter the interface config mode (say fa0/1)
Switch# conf t
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
This sets the switchport to access mode. Default mode of "Dynamic desirable" cannot be configured as a secure port
Switch(config-if)# switchport port-security
This enables the port security on the switchport with the defaults [1 MAC Address allowed, 1st connected MAC Address, disable port if there is a violation]
If you know the MAC Address of the device and that thats the only device that connects to the swicthport (for example, A server on a Serverfarm switch) then you can set the MAC-Address manually.
Switchport(config-if)# switchport port-security mac-address 1111.2222.3333
Where 1111.2222.3333 is the MAC Address of the server. This will disable the secure port, if any other device other than the one with the above MAC-Address connects to the switch port.
If there is a switch or a hub (say 12 port or a 24 port) that connects to the switchport which you want to secure then you can set the maximum number of MAC-Addresses that connects to the port and/or set the MAC-Address optionally.
Switchport(config-if)# switchport port-security max 12
This sets the maximum number of mac-address allowed on the secure port (default is 128).
One step further, if you want to manually add some or all of these MAC-Addresses then you can specify using the following command one for each MAC-Address
Switchport(config-if)# switchport port-security mac-address 0000.0000.0000
Switchport(config-if)# switchport port-security mac-address 0000.0000.1111
If now, you need to set the maximum number of MAC Addresses on the switchport but are aware that some or most of them are temporary ones (guest users or temporary workers) then you can set the aging time on the port-security which allows MAC-Addresses on the Secure switchport will be deleted after the set aging time. This helps to avoid a situation where obsolete MAC-Address occupy the table and saturates causing a violation (when the max number exceeds).
Switchport(config-if)# switchport port-security aging time 10
Where time is specified in minutes (10 mins in the above)
Now, you can set the action to be taken when there is a violation. The default is to shutdown the port and mark the port err-disabled.
Switchport(config-if)# switchport port-security violation protect
Where protect is the action taken when a violation event is triggered.
The actions are
protect — Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
restrict — Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the Security Violation counter to increment.
shutdown (default) — Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.
To show the port-security,
Switch# show port-security interface fastethernet 0/1
Security Enabled:Yes, Port Status:SecureUp
Max. Addrs:5, Current Addrs:0, Configure Addrs:0
To display port-security info without any interface provided
Switch# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security
(Count) (Count) (Count)
Fa0/1 11 11 0 Shutdown
Fa0/2 15 5 0 Restrict
Fa0/3 5 4 0 Protect
Total Addresses in System: 21
Max Addresses limit in System: 128
To display the security MAC-Address table
Switch# show port-security address
Secure Mac Address Table
Vlan Mac Address Type Ports Remaining Age
—- ———– —- —– ————-
1 0001.0001.0001 SecureDynamic Fa0/1 15 (I)
1 0001.0001.0002 SecureDynamic Fa0/1 15 (I)
1 0001.0001.0003 SecureConfigured Fa0/1 16 (I)
1 0001.0001.0004 SecureConfigured Fa0/1 –
1 0001.0001.0005 SecureConfigured Fa0/1 –
1 0005.0005.0006 SecureConfigured Fa0/5 23
1 0005.0005.0007 SecureConfigured Fa0/5 23
1 0005.0005.0008 SecureConfigured Fa0/5 23
1 0011.0011.0009 SecureConfigured Fa0/11 25 (I)
1 0011.0011.0010 SecureConfigured Fa0/11 25 (I)
Total Addresses in System: 10
Max Addresses limit in System: 128
For more information, check this Cisco documentation