One of the most overlooked security areas is the configuration of individual switchport security configuration. The reason may be that it requires a more granular configuration; this is because a typical configuration requires the knowledge of the specific MAC address(es) that will be connecting to each switchport. Keeping track of all of this information in a medium to large organization can be quite time consuming. There are a couple of different ways to configure the use of switchport security and this article will review the available options and requirements.
Switchport Security Overview
The switchport security feature offers the ability to configure a switchport so that traffic can be limited to only a specific configured MAC address or list of MAC addresses.
Secure MAC Address Types
To begin with, there are three different types of secure MAC address:
Dynamic secure MAC addresses are typically used when the host(s) connecting to a specific switchport is constantly changing, and the intention is to limit the port to only be used by a specific number of hosts at once. For example, a switchport can be configured to only allow a single MAC address to be learned at a time and not permit hosts other than the one initially learned; the only way to change the host that connects to the switchport is to disable switchport security and reenable it, to delete the learned MAC address from the table directly, or to wait for the port-security aging time to expire if configured.
Sticky secure MAC addresses are a bit of a combination between the two prior secure MAC address types; not only are addresses able to be statically-configured but they can also be dynamically learned. The key difference here is that dynamically-learned addresses are automatically put into the running-configuration; if the engineer wants these addresses to be saved on device reboot, the option is available to save the running-configuration into the startup configuration, thus effectively making these addresses static.
Switchport Security Violations
The second piece of switchport port-security that must be understood is a security violation including what it is what causes it and what the different violation modes that exist. A switchport violation occurs in one of two situations:
Switchport Security Aging
Another option that is available when configuring switchport security is the use of an aging timer. This provides for a MAC address to be removed from being learned after a configured amount of time. By default, aging is not enabled and addresses are not deleted unless the device is rebooted or the MAC addresses are cleared through a removal command being issued.
There are two different methods of implementing secure MAC address aging, these include:
Switchport Security Configuration
As with any feature configuration there are a number of different guidelines and requirements that need to be known before a configuration is implemented:
...
The use of switchport port-security provides another level of security that can help in securing locally connected computers and the networks they connect to. This article was written to make the basic features of port-security more familiar to the reader and offered as an additional option when securing a network. Hopefully, the information contained within this article will help in this and be able to serve as a research base for securing the switched network of the reader.
More Related Cisco CCNA Tips:
Port Forwarding a Range of Ports on Cisco IOS
What the Main Difference between HSRP, VRRP and GLBP Protocols
Root Port Selection on a Switch
Switchport Security Overview
The switchport security feature offers the ability to configure a switchport so that traffic can be limited to only a specific configured MAC address or list of MAC addresses.
Secure MAC Address Types
To begin with, there are three different types of secure MAC address:
- Static secure MAC addresses—This type of secure MAC address is statically configured on a switchport and is stored in an address table and in the running configuration.
- Dynamic secure MAC addresses—This type of secure MAC address is learned dynamically from the traffic that is sent through the switchport. These types of addresses are kept only in an address table and not in the running configuration.
- Sticky secure MAC addresses—This type of secure MAC address can be manually configured or dynamically learned. These types of addresses are kept in an address table and in the running configuration.
Dynamic secure MAC addresses are typically used when the host(s) connecting to a specific switchport is constantly changing, and the intention is to limit the port to only be used by a specific number of hosts at once. For example, a switchport can be configured to only allow a single MAC address to be learned at a time and not permit hosts other than the one initially learned; the only way to change the host that connects to the switchport is to disable switchport security and reenable it, to delete the learned MAC address from the table directly, or to wait for the port-security aging time to expire if configured.
Sticky secure MAC addresses are a bit of a combination between the two prior secure MAC address types; not only are addresses able to be statically-configured but they can also be dynamically learned. The key difference here is that dynamically-learned addresses are automatically put into the running-configuration; if the engineer wants these addresses to be saved on device reboot, the option is available to save the running-configuration into the startup configuration, thus effectively making these addresses static.
Switchport Security Violations
The second piece of switchport port-security that must be understood is a security violation including what it is what causes it and what the different violation modes that exist. A switchport violation occurs in one of two situations:
- When the maximum number of secure MAC addresses has been reached (by default, the maximum number of secure MAC addresses per switchport is limited to 1)
- An address learned or configured on one secure interface is seen on another secure interface in the same VLAN
- Protect—This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, no notification action is taken when traffic is dropped.
- Restrict—This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, a syslog message is logged, a Simple Network Management Protocol (SNMP) trap is sent, and a violation counter is incremented when traffic is dropped.
- Shutdown—This mode is the default violation mode; when in this mode, the switch will automatically force the switchport into an error disabled (err-disable) state when a violation occurs. While in this state, the switchport forwards no traffic. The switchport can be brought out of this error disabled state by issuing the errdisable recovery cause CLI command or by disabling and reenabling the switchport.
- Shutdown VLAN—This mode mimics the behavior of the shutdown mode but limits the error disabled state the specific violating VLAN.
Switchport Security Aging
Another option that is available when configuring switchport security is the use of an aging timer. This provides for a MAC address to be removed from being learned after a configured amount of time. By default, aging is not enabled and addresses are not deleted unless the device is rebooted or the MAC addresses are cleared through a removal command being issued.
There are two different methods of implementing secure MAC address aging, these include:
- Absolute—When using this method, secure MAC addresses are deleted after a specific aging time expires.
- Inactivity—When using this method, secure MAC addresses are deleted only if the secure MAC address is inactive for a specific aging time.
Switchport Security Configuration
As with any feature configuration there are a number of different guidelines and requirements that need to be known before a configuration is implemented:
- Switchport security can only be configured on statically configured access or trunk ports (access or trunk); dynamic switchport modes are not supported.
- Switchport security is not supported on Switch Port Analyzer (SPAN) destination ports.
- Switchport security is not supported along with Etherchannel (Fast or Gigabit).
- When configuring switchport security on a switchport that is configured with a voice VLAN, ensure that the maximum number of MAC addresses is raised to account for the voice and data devices connected.
- Switchport security aging is not supported along with the Sticky secure MAC address type.
...
The use of switchport port-security provides another level of security that can help in securing locally connected computers and the networks they connect to. This article was written to make the basic features of port-security more familiar to the reader and offered as an additional option when securing a network. Hopefully, the information contained within this article will help in this and be able to serve as a research base for securing the switched network of the reader.
More Related Cisco CCNA Tips:
Port Forwarding a Range of Ports on Cisco IOS
What the Main Difference between HSRP, VRRP and GLBP Protocols
Root Port Selection on a Switch