Chapter 5. Securing ports by using the Port Security feature


In the last chapter you learned how to secure unused ports by disabling them. Disabling unused ports can stop a bad guy from plugging a malicious device into an unused port and getting unauthorized access to the network. It can also help train users—especially those in remote offices—to call IT before moving things around. After a few go-rounds of plugging a computer into an empty port and having it not work, most people will take the hint that they need to call IT first.

But although disabling ports is the most secure option for dealing with unused ports, it does nothing to secure in-use ports. And in a live environment, the majority of switch ports will be in use.

Port Security is a versatile feature that can mitigate attacks against the network and prevent unauthorized moves, adds, and changes by limiting the number of unique media access control (MAC) addresses that can use a given port. Recall that every device on the network has a unique MAC address that it uses to communicate with other devices in the same broadcast domain. Versatility is crucial because security is not a one-size-fits-all proposition. Some organizations prefer a minimal level of security, whereas others require a level of security that borders on paranoia. Rather than tell you how secure you need to make your network, in this chapter I lay out the specific risks Port Security can mitigate so you can decide for yourself how lax or restrictive you need it to be. Then I’ll show you how to configure Port Security to accommodate your requirements.

I’m not going to show you every possible way you can configure Port Security. Instead, I’m going to teach you how to configure it for minimum and maximum levels of security, as shown in table 5.1.

Table 5.1. Port Security levels

Protection level   Attacks mitigated
Minimum            MAC flood attack, denial-of-service attack, traffic sniffing
Maximum            All of the above, plus unauthorized device access and spread of malware

Table 5.1 lists which attacks each level of Port Security can help mitigate. Let’s start with the minimum level.

5.1. The minimum Port Security configuration

Although I can’t tell you how secure to make your network, I can tell you that you definitely want to enable a minimum Port Security configuration on all end-user ports.

Security is always a tradeoff. You have to consider whether it’s worth the time, money, and effort to defend against a particular risk. Port Security is already included in IOS, so there’s no additional cost. And the time and effort it takes to configure Port Security to a minimum level is negligible. But what you get in return is peace of mind and protection against a potentially debilitating and costly attack called a MAC flood attack.

5.1.1. Preventing MAC flood attacks

Recall from chapter 2 that a switch maintains a MAC address table containing the MAC address of each device and the port it’s connected to. Table 5.2 is an example of the type of information you’d find in a MAC address table. By keeping track of where each device is, the switch avoids flooding every frame to every device.

Table 5.2. Sample MAC address table

Device           MAC address       Switch port
Ben’s computer   0800.2700.ec26    FastEthernet0/1

In a MAC flooding attack, a malicious program continually sends frames with fake or spoofed MAC addresses as the source address. Because each frame appears to come from a different MAC address, the switch’s MAC address table fills up with these fake addresses, and the switch has no choice but to send every frame to every port. The net effect of this is that the computer running the malicious program effectively becomes a network sniffer that’s in a position to capture every frame on the network. Figure 5.1 illustrates how an attacker can use a MAC flooding attack to capture traffic.

Figure 5.1. MAC flooding attack

In step 1, an attacker sends thousands of frames with bogus source MAC addresses to Switch1. In step 2, Switch1’s MAC address table fills up. In step 3, the database server sends a frame addressed to my computer. Switch2 forwards this frame to Switch1. Finally, in step 4, Switch1 floods the frame out all ports, including the one connected to the attacker’s computer.

But it’s worse than that. A MAC flood can effectively result in a denial of service for all users. Remember the saying from chapter 2: “When everybody talks, nobody listens.” MAC flooding severely diminishes network performance to the point of making the network practically unusable. Imagine dozens of customer calls getting dropped all at once because Voice over IP traffic can’t traverse the network. Port Security can help ensure that you, as a network administrator, are never put in the unenviable position of having to deal with such an event. Just one unprotected port is all it takes for a MAC flooding attack to take down your network, which is why it’s so important to configure Port Security on every port.

Note

You can protect against MAC flooding attacks with antivirus software on your PCs and servers and by making sure end users don’t have administrative access on their machines. But these methods aren’t 100% foolproof. Port Security is the most reliable way to prevent a MAC flood attack even if other security measures fail.

Normally, the switch doesn’t care how many different MAC addresses are on the same port. It allows the traffic anyway, regardless of the source MAC address. Remember that MAC addresses were invented to make it possible to plug a device into the network and have it work. But this plug-and-play behavior is the very thing that makes a MAC flooding attack possible.
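To make the mechanics concrete, here is an added Python model (not from the book) of a learning switch’s MAC address table: a burst of bogus source MACs on one port fills the table so a later frame for a legitimate host is flooded everywhere, while a per-port limit on source MACs with a restrict-style action keeps the table intact. The port names, MAC addresses and tiny table capacity are constructed.

```python
"""Toy model of a learning switch's MAC address table, with and without a
per-port source-MAC limit of the kind Port Security enforces.

Added example, not from the book. The port names, MAC addresses and the
tiny table capacity are constructed so the effect of a flood is visible
in a handful of frames; a real switch holds thousands of entries.
"""
from collections import Counter
from dataclasses import dataclass, field

FLOOD = "flood"  # frame was sent out every port except the one it came in on


@dataclass
class Switch:
    table_capacity: int                      # how many MACs the table can hold
    max_per_port: dict = field(default_factory=dict)  # port -> allowed source MACs
    mac_table: dict = field(default_factory=dict)     # mac -> port
    secure_macs: dict = field(default_factory=dict)   # port -> MACs admitted so far
    violations: Counter = field(default_factory=Counter)  # port -> violation count

    def receive(self, ingress: str, src: str, dst: str):
        """Process one frame; return the egress port, FLOOD, or None if dropped."""
        limit = self.max_per_port.get(ingress)
        if limit is not None:
            admitted = self.secure_macs.setdefault(ingress, set())
            if src not in admitted:
                if len(admitted) >= limit:
                    # restrict-style action: count it, drop the frame, keep the
                    # port up and leave the already admitted addresses alone
                    self.violations[ingress] += 1
                    return None
                admitted.add(src)
        # learning: remember where src lives, if the table has room for it
        if src in self.mac_table or len(self.mac_table) < self.table_capacity:
            self.mac_table[src] = ingress
        # forwarding: a known destination goes out one port, unknown is flooded
        out = self.mac_table.get(dst)
        return FLOOD if out is None or out == ingress else out


BEN = "0800.2700.ec26"   # Ben's computer on Fa0/1 (constructed, after table 5.2)
DB = "0800.2700.0db1"    # database server reached via Fa0/2 (constructed)


def run_scenario(protected: bool) -> dict:
    """Replay the four steps of figure 5.1 against the model and report what
    happened to the server's frame for Ben."""
    sw = Switch(table_capacity=8,
                max_per_port={"Fa0/3": 1} if protected else {})
    # step 1: a host on Fa0/3 sends 20 frames, each with a different bogus source
    for i in range(20):
        sw.receive("Fa0/3", f"dead.beef.{i:04x}", "ffff.ffff.ffff")
    # step 2: the table is now full (unprotected) or holds one entry (protected)
    sw.receive("Fa0/1", BEN, DB)        # Ben talks to the server
    # step 3: the server answers Ben; step 4: where does the switch send it?
    egress = sw.receive("Fa0/2", DB, BEN)
    return {"egress": egress,
            "table_size": len(sw.mac_table),
            "violations": sw.violations["Fa0/3"]}


if __name__ == "__main__":
    for protected in (False, True):
        r = run_scenario(protected)
        print(f"protected={protected!s:5} egress={r['egress']:6} "
              f"table={r['table_size']} violations={r['violations']}")
```

Without the limit the server’s frame is flooded out every port, including the attacker’s; with a limit of one source MAC on Fa0/3 the table still has room for Ben, the frame goes only to Fa0/1, and the other 19 bogus sources are counted as violations.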

The obvious solution is to limit the number of source MAC addresses that can simultaneously be associated with a given port. This is exactly what Port Security does. You configure it to permit a specified number of simultaneous MAC addresses, and it allows access on a first-come, first-served basis. Let’s look at an example.

Suppose that you have a user with two devices—a PC and a Cisco IP phone—connected to the same port. The phone is physically connected to the switch, and the PC is physically connected to the phone and communicates through it. Table 5.3 shows roughly how they would look in the MAC address table.

Table 5.3. MAC address table

Device     MAC address       Port
PC         0123.4567.8901    FastEthernet0/23
IP phone   0123.4598.7654    FastEthernet0/23

These two devices represent two unique MAC addresses, so you want to limit the maximum number of MAC addresses to two using the switchport port-security maximum 2 interface command.

Try it now

Locate a port with two devices plugged into it. If you have a PC plugged in behind an IP phone, that’s perfect. If you don’t, you can still perform the exercise; just change the command to allow only one MAC address.

Issue the following commands to configure the maximum number of allowed MAC addresses on the port to two:

interface fa0/1
switchport mode access
switchport port-security maximum 2

At this point, nothing should happen. That’s because this command doesn’t actually enable Port Security. You might find that counterintuitive, but it’s actually a blessing. Port Security has the ability to effectively render a port unusable if misconfigured. It’s vital that you find out how many MAC addresses should be living on each port before enabling Port Security.

If you’re not sure about the number of MAC addresses, you can set the number to something high like 10 and then go back and adjust it later. That way, if your boss has a secret workgroup switch under his desk with eight different MACs hanging off it, you’ll find out from IOS instead of him.

Try it now

Once you have the maximum number of MAC addresses set properly, enable Port Security using the switchport port-security interface command.

Now verify your configuration with the command show port-security.

You should see something similar to the following:

Switch1#show port-security
Secure Port    MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                       (Count)           (Count)            (Count)
-----------------------------------------------------------------------------
     Fa0/1               2                  2                  0                   Shutdown
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

The output doesn’t provide much detail, but it’s enough to figure out what’s going on. When you enable Port Security on a port, it notes the MAC addresses that are talking on the port at that time and remembers them, up to the maximum value you specified. That’s what the MaxSecureAddr column indicates. In this output, the maximum number of MAC addresses allowed on Fa0/1 is 2.

The CurrentAddr column indicates how many MAC addresses the switch has seen on the port since you enabled Port Security. In this output, the number is also 2 because there are only two devices attached.

The SecurityViolation column tells you how many times the switch has detected an additional MAC address on the port beyond the allowed maximum. As you might expect, that number is 0.

The last column, labeled Security Action, is arguably the most important one. It lists the action Port Security will take when it detects a violation—an additional MAC address beyond the configured maximum. This action is what Cisco calls the violation mode.

5.1.2. Violation modes

You’re going to configure two violation modes: shutdown and restrict.

Shutdown

In the output, the violation mode is shutdown. This means just what it sounds like. If Port Security detects a security violation—that is, an additional MAC address beyond the maximum two—it shuts down the port altogether. Without warning. No questions asked.

The shutdown behavior is the default. I suspect it’s Cisco’s way of preventing people from accidentally configuring Port Security and then wondering why things aren’t working. When an in-use port abruptly shuts down right after you enable Port Security, it can be pretty dramatic and hard to miss.

Restrict

The alternative violation mode—restrict—is a bit more subtle. In this mode, when a violation occurs, Port Security keeps the port up but prevents the new MAC addresses from communicating. In a sense, it’s like a dynamic access list that denies MAC addresses beyond the maximum.

You probably don’t want Port Security to shut down the port altogether when it detects a violation. In that case, you must manually set the violation mode to restrict using the interface configuration command switchport port-security violation restrict.

Try it now

Change the violation mode to restrict using the following command:

switchport port-security violation restrict

As always, verify using the show port-security command.

You should see the violation mode in the last column change from Shutdown to Restrict. Everything else will stay the same:

Switch1#show port-security
Secure Port    MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                       (Count)          (Count)             (Count)
-----------------------------------------------------------------------------
      Fa0/1              2                   2                      0                  Restrict
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

Now when Port Security detects a violation, it won’t shut down the port or otherwise affect the first two MAC addresses. They’ll continue to communicate normally, and only subsequent addresses will get blocked.

Above and beyond

You may want to use the shutdown violation mode to prevent someone from setting up a rogue wireless access point that uses Power over Ethernet (PoE). When IOS shuts down a port on a PoE switch, it cuts power to whatever device is plugged in. That’s also why you don’t want to use the shutdown violation mode on ports with IP phones.

5.2. Testing Port Security

One of the most fun aspects of Port Security is testing it. You don’t have to launch your very own MAC flooding attack to do this. All you have to do is get one additional MAC address to show up on the same port. There are a couple of ways to do this.

If you’re dealing with a PC and IP phone, unplug the PC from the phone and plug in a laptop. Once the switch sees the laptop’s MAC address, Port Security will log a security violation and prevent the laptop’s MAC address from communicating.

If you just have a single PC, plug a small workgroup switch in between the Cisco switch and the PC. Get a couple of laptops or IP phones and plug those into the workgroup switch. This will give you three MAC addresses on the same port—enough to trigger a Port Security violation.

Try it now

It’s important that you keep a close eye on things while you’re testing Port Security. IOS can show you real-time information about what Port Security is doing. Just issue the terminal monitor command at the enable prompt.

Next, use one of the methods I just listed to test Port Security.

After connecting a third device, you should see a message similar to this:

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27ba.dbad on port FastEthernet0/1.

The console message leaves little room for interpretation. It gives you the port the violation occurred on and the MAC address that triggered it—good information to know when testing.

Now if you execute another show port-security command, you should see the SecurityViolation count increase:

Switch1#sh port-security
Secure Port    MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                       (Count)          (Count)             (Count)
-----------------------------------------------------------------------------
      Fa0/1              2                   2                     18                  Restrict
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

The number 18 may seem a bit unexpected considering Port Security should be blocking only one MAC address. The SecurityViolation counter increments every time an unauthorized MAC address tries to send a frame. If you’ve configured the maximum number of MAC addresses correctly, this number shouldn’t get very high. If it does, it’s a clue that you need to investigate the devices on that port.
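As an added example (not from the book), the following Python parses show port-security output together with the PSECURE_VIOLATION console message and flags ports whose counters or violation mode deserve a look. The sample output and log lines are constructed in the layout shown above, and the checks are my own rather than an IOS feature.

```python
"""Parse `show port-security` output and PSECURE_VIOLATION console messages
and flag the ports that deserve a closer look.

Added example, not from the book. The sample output and log lines below are
constructed in the layout the chapter shows; the checks are one reasonable
set, not an IOS feature.
"""
import re

# Constructed show port-security output (same columns as the chapter's).
SHOW_PORT_SECURITY = """\
Switch1#show port-security
Secure Port    MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                       (Count)          (Count)             (Count)
-----------------------------------------------------------------------------
      Fa0/1              2                   2                     18                  Restrict
      Fa0/5              1                   1                      0                  Shutdown
     Fa0/12              5                   5                      0                  Restrict
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 5
Max Addresses limit in System (excluding one mac per port) : 6144
"""

# Constructed console log after `terminal monitor`, in the chapter's message format.
CONSOLE_LOG = """\
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27ba.dbad on port FastEthernet0/1.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27ba.dbad on port FastEthernet0/1.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.2711.2233 on port FastEthernet0/1.
"""

# One secure-port row: port name, three integer counters, violation action.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s*$")
VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: .*caused by MAC address ([0-9a-f.]+) on port (\S+?)\.?\s*$")


def parse_show_port_security(text: str) -> list:
    """Return one dict per port row; header, separator and total lines never
    match ROW_RE because they lack the three integer columns."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            port, mx, cur, viol, action = m.groups()
            rows.append({"port": port, "max": int(mx), "current": int(cur),
                         "violations": int(viol), "action": action})
    return rows


def violations_by_port(log: str) -> dict:
    """Map port -> {offending MAC -> number of blocked frames} from the log."""
    per_port = {}
    for line in log.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            mac, port = m.groups()
            macs = per_port.setdefault(port, {})
            macs[mac] = macs.get(mac, 0) + 1
    return per_port


def audit(rows: list, phone_ports=()) -> list:
    """Return (port, reason) pairs: any violation count means an unexpected
    device has been sending frames; shutdown mode on an IP phone port cuts
    the phone's PoE power when it trips, so the chapter prefers restrict."""
    findings = []
    for r in rows:
        if r["violations"] > 0:
            findings.append((r["port"],
                             f"{r['violations']} violation(s): check what is plugged in"))
        if r["action"] == "Shutdown" and r["port"] in phone_ports:
            findings.append((r["port"], "shutdown mode on an IP phone port: use restrict"))
    return findings


if __name__ == "__main__":
    rows = parse_show_port_security(SHOW_PORT_SECURITY)
    for port, reason in audit(rows, phone_ports=("Fa0/5",)):
        print(f"{port}: {reason}")
    for port, macs in violations_by_port(CONSOLE_LOG).items():
        print(f"{port}: blocked sources {macs}")
```

The per-MAC counts from the console log tell you whether a high SecurityViolation number came from one stubborn device retrying or from several different devices.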

Above and beyond

You can reset the SecurityViolation counter by shutting down the port and re-enabling it. As of this writing, there’s no command to clear the counters directly.

5.3. Handling device moves

I mentioned earlier that Port Security is first come, first served. When you physically disconnect a device from a secured port, Port Security forgets all the MAC addresses it saw on that port. That way, if you plug a different device into the same port, Port Security will still allow it. This works well in cases when moving devices always entails physically unplugging something from the switch. For example, when a user moves desks, someone will physically unplug their PC and IP phone from the switch.

But there’s another possibility. Suppose that an IT system administrator has a need to simultaneously connect five brand-new computers to the network in order to install software, download updates, and so on to get them ready for new users. But there’s a problem: in the office where they’re working, there’s only one network jack. In order to stay efficient and get the PCs out on time, they plug a small, eight-port workgroup switch into the jack and plug all the new PCs into that.

5.3.1. Port Security never forgets!

In the network closet, the jack is patched into port FastEthernet 0/12 on the switch. You’ve done your homework, and you know that there should never be more than five simultaneous MAC addresses on the port that the workgroup switch is connected to. So you configure Port Security to allow a maximum of five MACs.

Try it now

It’s okay if you don’t actually have a small switch plugged in. This is just for practice. Use the following commands to configure Port Security to allow up to five simultaneous MAC addresses on FastEthernet 0/12:

interface fa0/12
switchport port-security maximum 5
switchport port-security violation restrict
switchport port-security

After the system administrator boots up the five computers, each one begins sending traffic with its unique MAC address. Everything works as expected, and the computers can communicate with the network normally. A show port-security confirms Port Security is enabled and not blocking anything:

Switch1#show port-security
Secure Port    MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                       (Count)          (Count)             (Count)
-----------------------------------------------------------------------------
     Fa0/1              2                   0                      0                    Restrict
     Fa0/12             5                   5                      0                    Restrict
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 4
Max Addresses limit in System (excluding one mac per port) : 6144

When the administrator is finished, they shut down the machines and plug five new ones into the workgroup switch to get them set up. But now there’s another problem. None of the machines can get on the network at all. You check Port Security again, and see the following:

Port Security hasn’t let go of the original five MAC addresses. It still remembers them and consequently doesn’t allow the new PCs to communicate.

It’s important to understand why this is happening. Port Security has no way of knowing that the original five PCs were unplugged from the network. The eight-port workgroup switch hides that. All Port Security knows is that it saw five unique MAC addresses, and then later on it saw five new ones. In keeping with the configuration, Port Security allowed only the first five MAC addresses and blocked the subsequent ones.

You could tell the system administrator to just unplug or reboot the workgroup switch every time they go through a round of computers, but that’s impractical and annoying and would prematurely wear out the switch. You need another way to force Port Security to forget those MAC addresses without any manual intervention.

5.3.2. Aging time

The aging time is a parameter you can set to cause Port Security to periodically forget the MAC addresses it has learned.

After the system administrator finishes up one set of five computers, it takes about 10 minutes to unplug them, move them, and then plug in a new set. During this time, you want the MAC addresses from the first set to age out so that by the time they get around to the second set, Port Security will have forgotten about the first five.

Try it now

The aging time, like all other Port Security options, is set on a per-port basis. Use the following commands to set the aging time to 10 minutes:

interface fa0/12
switchport port-security aging time 10

Use the following command to verify your configuration:

show port-security interface fa0/12

Here’s an example of what you should see:

On the fourth line of the output, you can see the Aging Time in minutes. Port Security ages each MAC address independently based on when it first saw the address. You can see this with a show port-security address command:

Switch1#show port-security address
               Secure Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address         Type                 Ports      Remaining Age
                                                               (mins)
----    -----------         ----                 -----      -------------
  1     0800.2742.aab8     SecureDynamic        Fa0/12            6
  1     0800.2782.4c93     SecureDynamic        Fa0/12            6
  1     0800.27b8.b488     SecureDynamic        Fa0/12            6
  1     0800.27e4.bb01     SecureDynamic        Fa0/12            6
  1     0800.7200.3131     SecureDynamic        Fa0/12            6
------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 4
Max Addresses limit in System (excluding one mac per port) : 6144

Notice that each MAC address has the same Remaining Age time. This isn’t surprising because the system administrator booted each of the five computers at the same time.

Now suppose that they’re finished with four of the five computers and shut them down. They still have one left that’s giving them trouble, so they leave it plugged in. They bring in four new computers, plug them in, and turn them on. They report that everything still seems to be working.

You run another show port-security address:

Notice that the first four MAC addresses are different, and their remaining aging time is 9 minutes. The last address, which belongs to the computer that they did not unplug, hasn’t changed and has a remaining aging time of 8 minutes. Because the MAC address of this computer was already in the list of allowed MAC addresses, it will still be able to access the network even after the timer expires. Once the timer reaches zero, it will reset to 10 minutes.

Now that you’ve configured the aging time, you probably won’t ever have to mess with Port Security on this particular port. If the system administrator ever has a problem with connectivity, all they have to do is wait a few minutes and try again.

You’ll likely have to go through some trial and error to get the aging time just right. If you find that newly connected devices are unable to access the network, you may want to decrease the aging time. Keep the needs of the user in mind, and don’t feel like you have to set a long aging time. Even if you set a very short aging time, say 1 minute, the port is still protected against a MAC flood attack. Setting a longer time doesn’t buy you any additional security. But if you do require more stringent security, Port Security can give you that as well.

5.4. Preventing unauthorized devices

So far, you’ve learned how to configure Port Security to prevent a MAC flooding attack without disrupting legitimate user traffic. With some research and maybe a little bit of trial and error, you can configure Port Security on all end-user ports without anyone knowing it’s even there.

But although a minimum Port Security configuration may be great for end-user productivity, not all organizations are so lucky. Some have strict security requirements that prohibit non-company devices from connecting to the network. For them, it’s not sufficient to limit the number of MAC addresses on a port; you have to limit which specific MAC addresses can use the port. That sounds like a cumbersome task, but as you’ll see, Port Security makes it surprisingly easy.

Even if your organization doesn’t require such a cumbersome level of security, I still strongly suggest reading this section. Here’s why: In chapter 4, you learned that one of the reasons for disabling unused ports is to prevent someone from walking in off the street with an infected laptop and plugging it in at an empty desk. But even if you faithfully check and disable unused ports once a day and twice on Sunday, that doesn’t stop them from unplugging a work computer and plugging in the infected laptop.

You can probably think of other reasons to restrict a port to a single device. At the beginning of the chapter, I said I’d tell you how to configure Port Security for maximum security. Now that you have some rationale for when you might want to do this, I’m going to teach you how you’d do it.

Above and beyond

Security is all about having layers of protection. Although any organization with an ounce of sense will take measures to physically prevent people from walking in off the street with a malicious device, that doesn’t negate the need to take technical measures to protect the network. All security can be broken; the best you can hope for is to slow an attacker down enough that they give up and move on to an easier target. Port Security is one technology that can make an attacker’s life more difficult.

5.4.1. Making Port Security maximally secure

Recall that when you enable Port Security, it remembers and allows MAC addresses as it sees them, up to the configured maximum. When the device physically connected to the port gets unplugged, Port Security forgets those MACs. If you have aging configured for, say, 5 minutes, Port Security forgets each MAC address 5 minutes after it first sees it.

In a highly secure environment, you want Port Security to operate a bit differently. First, you want it to allow and remember the specific MAC addresses of the devices that are supposed to be connected. Second, you never want it to forget those MAC addresses—ever! Even if someone shuts down the port, disconnects the device, or reboots the switch, you want those MACs to stick to the port like glue as the only MAC addresses authorized to use that port. You can achieve this using what Cisco calls sticky MAC addresses.

5.4.2. Sticky MAC addresses

A sticky MAC address is one stored permanently in the startup configuration, under the interface configuration section. The reason it’s called sticky is that you don’t have to manually configure the MAC address. Instead, you let Port Security discover it in the usual way, and IOS will automatically write the MAC address into the running configuration. It’s a clever way to achieve a high level of security with a little bit of effort.

Let’s say your organization has a PC that sits in a semi-public area, like a lobby or reception area. You want to prevent someone from coming in after hours and plugging a malicious device into the same port. Because only one MAC address should ever be seen on that port, you configure the maximum number of MACs to one. Then you tell Port Security to permanently remember the MAC address using the command switchport port-security mac-address sticky.

Try it now

Select a port with only one device connected and configure Port Security to allow one sticky MAC address:

interface fa0/1
switchport port-security maximum 1
switchport port-security mac-address sticky

This is where the magic happens. As soon as Port Security sees the MAC address, it writes it to the running configuration. You can verify this with a show run interface fa0/1:

Notice that the last two lines of the interface configuration are almost identical except for the MAC address. The first command is the one you issued, and the second is the one Port Security added.

Above and beyond

You may notice that the switchport port-security maximum 1 command doesn’t show up in the configuration. This isn’t a mistake, and it doesn’t mean you did anything wrong. Sometimes IOS changes or removes certain configuration commands if they’re redundant or unnecessary. Port Security defaults to allowing only one MAC address per port, so explicitly setting the maximum to 1 is unnecessary.

Now do a show port-security address to compare:

The same address shows up here, and the Remaining Age column is blank because the entry will never expire. Until you manually remove the configuration Port Security added, it will remember that MAC.

Try it now

Physically disconnect the PC from the port on which you configured a sticky MAC address and plug in a different device. What happens?

You should see a pattern similar to the following:

In a real hacking attempt, an intruder might spend a few minutes trying to figure out why they can’t get access to the network. They may try tweaking their network settings, rebooting, or connecting to a different port. The important thing is that Port Security thwarts their plug-and-play attempt to gain unauthorized access.

But as good as this configuration is, there’s one shortcoming.

Above and beyond

MAC addresses can be spoofed quite easily. A sophisticated attacker can find out the MAC address of the authorized PC and clone it. But that still takes time. Remember, the goal isn’t to rely on Port Security as the be-all and end-all of security. Its only job is to make it harder for an attacker to cause trouble.

5.4.3. Caveats about sticky MACs

The additional security of sticky MACs comes with a tradeoff. If you ever need to replace a device, you’ll have to manually edit the port configuration to remove the old MAC address so that the new one can take its place. In the earlier example, Port Security added the following line to the running configuration:

switchport port-security mac-address sticky 0800.7200.3131

The way you’d remove this is to first ensure that that particular MAC address is no longer using that port. Next, you’d enter interface configuration mode and prepend the command with a no.

Try it now

Unplug the PC from FastEthernet 0/1, or just shut down the port. Then issue the following commands to remove the sticky MAC address. Be sure to change the MAC address to match your particular configuration:

int fa0/1
no switchport port-security mac-address sticky 0800.7200.3131

Do another show run int fa0/1, and the sticky MAC address should be gone.

That’s it! Port Security will automatically add the next MAC address it sees as a sticky MAC to the running configuration. Another thing to keep in mind is that after Port Security writes the sticky MAC addresses to the running configuration, you still have to manually save the startup configuration in order for the addresses to persist across switch reboots.

5.5. Commands in this chapter

As you review the list of commands in table 5.4, keep in mind that two ports can be configured with completely different Port Security settings. This makes Port Security versatile, but it also means you have to individually check the port configuration when troubleshooting an issue.

Table 5.4. Commands used in this chapter

Command                                       Configuration mode   Description
switchport port-security maximum 5            Interface            Allows up to five MAC addresses
switchport port-security violation restrict   Interface            All MACs beyond the maximum are blocked
switchport port-security violation shutdown   Interface            Any MAC beyond the maximum triggers a port shutdown
switchport port-security                      Interface            Enables Port Security
switchport port-security mac-address sticky   Interface            Writes allowed MAC address(es) to the running configuration
show port-security                            N/A                  Displays which ports Port Security is enabled on
show port-security interface fa0/1            N/A                  Displays detailed Port Security configuration information for a port
show port-security address                    N/A                  Displays the allowed MAC addresses by port
show run interface fa0/1                      N/A                  Displays all interface-level configuration for FastEthernet0/1

5.6. Hands-on lab

Now that you’ve gotten some practice configuring Port Security on a couple of ports, you’re ready to enable Port Security on all end-user ports. Just one unprotected port is all it takes for a MAC flooding attack to take down your network.

As you follow these steps to complete the lab, remember to use the interface range command to simultaneously apply the configuration to multiple ports:

  1. Start by configuring the maximum number of MAC addresses for each port. If you already have a good handle on how many MAC addresses should be on each port, go ahead and set it using the switchport port-security maximum command. Otherwise, if you’re not sure, play it safe and set it to a high number like 50. The maximum number of MAC addresses allowed per port is 3,072.
  2. Next, set the violation mode on all ports to restrict using the switchport port-security violation restrict command. You can go back later and change it to shutdown if you require it, but don’t start out with that.
  3. Finally, enable Port Security using the switchport port-security interface command. If you’ve done everything correctly, nothing dramatic should happen (unless you’re in the middle of a MAC flood attack). Use the show commands you learned in this chapter to verify your configuration.
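After the lab, you can check your work across every access port at once. The following is an added Python audit (not from the book) that reads a running configuration, applies the defaults the chapter describes (maximum 1, violation shutdown) to anything left unset, and prints the interface commands still needed to reach the lab target of Port Security enabled with violation mode restrict. The configuration excerpt, ports and MAC address are constructed.

```python
"""Audit the running configuration after the hands-on lab: every access port
should have Port Security enabled with violation mode restrict.

Added example, not from the book. The configuration excerpt is constructed
in IOS running-config layout; the ports and the MAC address are made up.
"""
import re

# Constructed show running-config excerpt: one port done, two not quite, one trunk.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0800.7200.3131
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security maximum 50
 switchport port-security violation restrict
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
!
interface FastEthernet0/24
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [its indented configuration lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the block
    return interfaces


def port_security_state(lines: list) -> dict:
    """Summarise one interface's Port Security settings, applying the IOS
    defaults the chapter describes to anything not explicitly configured."""
    state = {"access": "switchport mode access" in lines,
             "enabled": "switchport port-security" in lines,
             "maximum": 1,                 # default: one MAC address per port
             "violation": "shutdown",      # default violation mode
             "sticky": False, "sticky_macs": []}
    for line in lines:
        if m := re.match(r"switchport port-security maximum (\d+)$", line):
            state["maximum"] = int(m.group(1))
        elif m := re.match(r"switchport port-security violation (\w+)$", line):
            state["violation"] = m.group(1)
        elif m := re.match(r"switchport port-security mac-address sticky"
                           r"(?: ([0-9a-f.]+))?$", line):
            if m.group(1):
                state["sticky_macs"].append(m.group(1))   # learned by IOS
            else:
                state["sticky"] = True                     # the command you typed
    return state


def audit(config: str) -> dict:
    """Return {interface: [remediation commands]} for access ports that miss
    the lab target (violation restrict, then Port Security enabled); trunks
    are skipped. The order matches lab steps 2 and 3."""
    fixes = {}
    for name, lines in parse_interfaces(config).items():
        st = port_security_state(lines)
        if not st["access"]:
            continue
        todo = []
        if st["violation"] != "restrict":
            todo.append("switchport port-security violation restrict")
        if not st["enabled"]:
            todo.append("switchport port-security")
        if todo:
            fixes[name] = todo
    return fixes


if __name__ == "__main__":
    for name, cmds in audit(RUNNING_CONFIG).items():
        print(f"interface {name}")
        for cmd in cmds:
            print(f" {cmd}")
```

On the constructed excerpt the audit reports that FastEthernet0/2 has a maximum and restrict mode but was never enabled, and that FastEthernet0/3 is enabled but still in the default shutdown mode.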