One of the best practices in network security is to stop threats at the entry point of the LAN.
This means the access switch plays an important role in network security, since it is the entry point of the network.
For example, port security on Cisco switches can be used to stop MAC-flooding attacks or to prevent non-authorized hosts from connecting to the switch.
In MAC flooding, an attacker connects a laptop to an empty switch port or an empty RJ45 wall socket and uses hacking tools to generate millions of Ethernet frames with fake source MAC addresses, sending them to the switch interface.
The switch learns these MAC addresses, and once it reaches its MAC address learning limit it starts flooding all traffic out of all of its ports (i.e. it starts behaving like a hub).
This means that the attacker can capture the traffic of the other connected devices.
The solution to this kind of attack (and to other Layer 2 attacks as well) is easy and simple. It is called Port Security, and you can use it to limit the number of MAC addresses per interface or even to specify which MAC address is allowed to connect to each physical port of the switch.
Configuration of Port Security
Let’s now see the basic port-security configuration on Cisco switches.
I will be using a Cisco 3560 switch running IOS version 15.0 for this tutorial.
Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE7, RELEASE SOFTWARE (fc1)
Setting MAC address limits per port
Below is an example of Port Security where only one MAC address is allowed on interface g0/1.
TestSwitch(config)#interface g0/1
TestSwitch(config-if)#switchport mode access
TestSwitch(config-if)#switchport port-security
TestSwitch(config-if)#switchport port-security maximum 1
Now interface g0/1 is allowed to learn only one MAC address. If this interface receives frames from any additional MAC address, it will go into the err-disabled state. (Note that the "switchport port-security" command is what actually enables the feature on the interface; "maximum 1" alone only sets the limit.)
Setting MAC address filtering per port
Besides setting a maximum limit on the number of MAC addresses, you can also use port security to filter MAC addresses. In the following example, I configured port security so that it only allows MAC address f1d3.2c9f.abdc.ccba to connect to this specific port of the switch.
TestSwitch(config)#interface g0/1
TestSwitch(config-if)#switchport mode access
TestSwitch(config-if)#switchport port-security
TestSwitch(config-if)#switchport port-security mac-address f1d3.2c9f.abdc.ccba
Any device with a MAC address different from this one will violate the rule, and the interface will go into the err-disabled state.
If a violation occurs, you will see messages like the following in the switch log:
%PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f02d.3f4e.2dcc on port GigabitEthernet0/1.
As you can see from the log messages above, a device with MAC address f02d.3f4e.2dcc violated port security and the interface went into the err-disabled state.
Setting MAC address filtering with sticky command
There is another very useful way to filter MAC addresses. Instead of typing in a MAC address manually, you can use the “sticky” keyword.
With this command, the switch learns the first MAC address seen on the interface and saves it in the running configuration for port security.
First you have to remove the existing command (if you previously configured manual MAC filtering):
TestSwitch(config-if)#no switchport port-security mac-address f1d3.2c9f.abdc.ccba
TestSwitch(config-if)#switchport port-security mac-address sticky
To see which MAC address has been learned (“sticks”) on the interface, use the “show run interface” command:
TestSwitch#sh run int g0/1
Building configuration...
Current configuration : 544 bytes
switchport mode access
switchport port-security aging time 15
switchport port-security mac-address sticky
switchport port-security mac-address sticky f02d.3f4e.2dcc
As you can see above, the switch has learned MAC address f02d.3f4e.2dcc, and from now on only this address will be allowed to connect to this port.
You can list the switch ports that have entered the error-disabled state (because of a security violation) with the following command:
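As an added example (not part of the original tutorial), here is a small Python parser for the two violation syslog messages and for the sticky MAC line of the “show run interface” output shown above, so that a monitoring script can report which port was err-disabled, which MAC caused it, and which MAC the switch had actually learned as sticky. The sample log lines are constructed; the second offending MAC, 0011.2233.4455, is a made-up value.

```python
import re
from dataclasses import dataclass, field
# Constructed sample syslog lines in the format the tutorial shows above.
# The second offending MAC (0011.2233.4455) is a made-up value.
SAMPLE_SYSLOG = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f02d.3f4e.2dcc on port GigabitEthernet0/1.
%LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/1.
"""
# Constructed "show run interface" fragment, as in the sticky example above.
SAMPLE_SHOW_RUN = """\
switchport mode access
switchport port-security aging time 15
switchport port-security mac-address sticky
switchport port-security mac-address sticky f02d.3f4e.2dcc
"""
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"  # Cisco dotted-hex MAC notation
VIOLATION_RE = re.compile(r"PSECURE_VIOLATION: .*caused by MAC address " + MAC + r" on port (\S+)")
ERRDISABLE_RE = re.compile(r"ERR_DISABLE: psecure-violation error detected on (\S+),")
STICKY_RE = re.compile(r"^\s*switchport port-security mac-address sticky " + MAC + r"\s*$")

def short_ifname(name):
    """Normalise 'GigabitEthernet0/1.' to 'Gi0/1' so both message types correlate on one key."""
    return re.sub(r"^GigabitEthernet", "Gi", name.rstrip("."))

@dataclass
class PortSecurityEvent:
    port: str
    offending_macs: list = field(default_factory=list)  # every MAC that tripped the rule
    err_disabled: bool = False                           # True once %PM-4-ERR_DISABLE is seen

def parse_events(syslog_text):
    """Group violation and err-disable messages per port (key: short interface name)."""
    events = {}
    for line in syslog_text.splitlines():
        if m := VIOLATION_RE.search(line):
            mac, port = m.group(1), short_ifname(m.group(2))
            ev = events.setdefault(port, PortSecurityEvent(port))
            if mac not in ev.offending_macs:
                ev.offending_macs.append(mac)
        elif m := ERRDISABLE_RE.search(line):
            port = short_ifname(m.group(1))
            events.setdefault(port, PortSecurityEvent(port)).err_disabled = True
    return events

def parse_sticky_macs(show_run_text):
    """Return the MAC addresses the switch has learned and saved via 'sticky'."""
    return [m.group(1) for m in map(STICKY_RE.match, show_run_text.splitlines()) if m]
```

Comparing `parse_events(...)["Gi0/1"].offending_macs` against `parse_sticky_macs(...)` tells you at a glance whether the port was tripped by an unknown device or by a second device on a port that already had a sticky address.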
TestSwitch#show int status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Gi0/1                        err-disabled psecure-violation
You can also verify this with the “show interface g0/1” command:
TestSwitch#sh int g0/1
GigabitEthernet0/1 is down, line protocol is down (err-disabled)
To take this interface out of the err-disabled state, unplug the offending device and then run the commands “shutdown” followed by “no shutdown” on the interface.
To verify, run “show interface status err-disabled” or “show interface g0/1” again.
Recovering from error-disabled state
You can also set an automatic recovery on a switch-port with the following commands:
TestSwitch(config)#errdisable recovery cause psecure-violation
TestSwitch(config-if)#switchport port-security aging time 15
After 15 minutes, interface g0/1 will automatically recover from the err-disabled state. Make sure you solve the problem within these 15 minutes, because otherwise there will be another violation and the interface will end up in the err-disabled state again.
And don’t forget to enable automatic recovery in global configuration mode with the “errdisable recovery cause psecure-violation” command; without it, the interface stays err-disabled until you recover it manually.
Other Port Security Commands
TestSwitch(config-if)#switchport port-security violation ?
protect [Security violation protect mode]
restrict [Security violation restrict mode]
shutdown [Security violation shutdown mode]
There are three actions a port can take when a violation occurs on the interface. These options are “shutdown” (the default), “protect” and “restrict”.
Protect: Frames from the restricted MAC addresses are dropped, but no log message is generated, so a violation can go unnoticed.
Restrict: Frames from the restricted MAC addresses are dropped, a log message is generated and an SNMP trap is sent, while the port stays up for the allowed devices.
Shutdown: This is the default action. If the interface receives frames from a restricted MAC address, it goes into the err-disabled state and is effectively shut down. A log message is generated and an SNMP trap is sent. To recover, you have to re-enable the interface manually or configure automatic recovery as described above.