2.11 Switch Security Configuration

Port Security

Layer 2 devices are often called the weakest link in an infrastructure when it comes to security: attacks on them are some of the easiest for threat actors to perform. Fortunately, they are also among the easiest to mitigate, using a few common Layer 2 solutions.

All Switch Ports or Switch Interfaces should always be secured before a switch starts being used in production.

First and foremost, it is highly recommended to administratively disable any unused ports/interfaces on a switch by using the “shutdown” command on those ports/interfaces.

[NOTE] To speed up the process, you may also use the “range” command to manage multiple interfaces at once.

Disabling unused Switchports / Interfaces

Shutdown unused port range from Fa0/5 through Fa0/22 on S1

S1(config)# interface range fa0/5 - 22 
S1(config-if-range)# shutdown 
%LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down 
(output omitted) 
%LINK-5-CHANGED: Interface FastEthernet0/22, changed state to administratively down 
S1(config-if-range)# exit
S1(config)#

Enabling Port Security

First and foremost, port security can only be configured on manually configured access ports or manually configured trunk ports. As mentioned earlier, by default L2 Switch Ports are set to Dynamic Auto (Trunking).

This means that we will need to configure our Switch Ports in access mode before enabling Port Security.

Configuring the Switch Port as Access Mode

S1(config)# interface fa0/3
S1(config-if)# switchport mode access

Enabling Port Security on Switch Port

S1(config-if)# switchport port-security

Port Security Complete Configuration Example

S1> enable
S1# configure terminal
S1(config)# interface fa0/3
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# exit
S1(config)#
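
The two rules above (shut down unused ports; put a port into a manually configured access or trunk mode before enabling port security) can be checked automatically against a saved running-config. The following is an added example, not part of the original notes and not Cisco code: it parses the interface stanzas of a constructed `show running-config` excerpt and reports each enabled port that either lacks port security or has it on a port still in dynamic auto mode.

```python
"""Audit an IOS running-config for the port-hardening rules given in this
section: unused ports administratively shut down, port-security only on a
manually configured access (or trunk) port, and no enabled port left without
port-security.  Added example, not part of the original notes and not Cisco
code; the sample configuration below is constructed."""

# Constructed sample: what `show running-config` might print for four ports.
SAMPLE_CONFIG = """\
hostname S1
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport port-security
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 shutdown
!
end
"""


def parse_interfaces(config_text):
    """Return {interface name: [config lines]} for every 'interface' stanza.
    IOS indents a stanza's lines with one space, so any non-indented line
    ('!', 'end', the next 'interface ...') closes the current stanza."""
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit_interface(lines):
    """Return the findings for one interface (an empty list means it passes)."""
    if "shutdown" in lines:
        return []  # administratively down: the recommended state for an unused port
    has_manual_mode = ("switchport mode access" in lines
                       or "switchport mode trunk" in lines)
    has_port_security = "switchport port-security" in lines
    findings = []
    if not has_port_security:
        findings.append("enabled port without port-security")
    elif not has_manual_mode:
        findings.append("port-security on a port left in dynamic auto mode "
                        "(needs 'switchport mode access' or 'switchport mode trunk')")
    return findings


def audit_config(config_text):
    """Map every interface in the config to its list of findings."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```

Run against the constructed sample, FastEthernet0/1 (access mode plus port security) and FastEthernet0/4 (shut down) pass, FastEthernet0/2 is flagged because port security sits on a port never taken out of dynamic auto mode, and FastEthernet0/3 is flagged as an enabled port with no port security at all. The interface range shorthand used on the CLI is expanded by IOS before it reaches the running-config, so the parser only has to understand full interface names.
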

Other Port Security options

Once Port Security is enabled, other Port Security options can be configured as per below

Other Port Security options

S1(config-if)# switchport port-security ? 
aging          Port-security aging commands 
mac-address    Secure mac address 
maximum        Max secure addresses 
violation      Security violation mode
<cr>

(aging) Port Security Aging

This command configures an aging time for static and dynamic secure addresses on a port/interface. There are two types of aging timers:

1. Absolute
The addresses are deleted after the specified aging time
2. Inactivity
The addresses are deleted only if they are inactive for the specified aging time

[NOTE] Aging timers can be used to remove MAC addresses on a port/interface without manually deleting the existing secure MAC addresses.

The following are the available parameters for the aging configuration:

static
Will enable aging for statically configured secure addresses on the port/interface

time [time]
Will specify the aging time for the port/interface, in a range between 0 and 1440 minutes. 0 means “disabled” and no timer will be configured

type absolute
All the addresses on this port/interface will age out exactly after the specified time and be removed from the list

type inactivity
All the addresses on this port/interface will only age out if there is no activity/traffic from the source over the specified aging time

Configuring Aging Timers (static)

S1(config-if)# switchport port-security aging static

Configuring Aging Timers (time)

S1(config-if)# switchport port-security aging time [time]

Configuring Aging Timers (type absolute)

S1(config-if)# switchport port-security aging type absolute

Configuring Aging Timers (type inactivity)

S1(config-if)# switchport port-security aging type inactivity

Configuring the aging timer to 30 minutes of inactivity on port/interface FastEthernet0/5 Complete Configuration Example

S1(config)# interface fa0/5 
S1(config-if)# switchport port-security aging time 30 
S1(config-if)# switchport port-security aging type inactivity 
S1(config-if)# exit
S1(config)#

(mac-address) Learning and Limiting MAC Addresses

This is the “static” MAC address configuration; it is very simple to implement, as shown below.

Configuring a static mac-address to port-security

S1(config-if)# switchport port-security mac-address [mac-address]

Configuring a static mac-address to port-security Complete Configuration Example

S1(config)# interface f0/10
S1(config-if)# switchport port-security mac-address abac.acad.4321
S1(config-if)# exit
S1(config)# 

(maximum) Learning and Limiting MAC Addresses

By default, Port Security’s maximum value is set to 1. This means that the maximum number of MAC Addresses that can be secured on (connected to) such a port is 1.

This can of course be modified to allow more (e.g. when a hub or another switch is connected), up to a maximum of 8192.

Increasing the Maximum MAC Address limit on a port/interface

S1(config-if)# switchport port-security maximum [value]

Increasing the MAC Address limit on a port/interface to a maximum of 5 Complete Configuration Example

S1(config)# interface f0/10
S1(config-if)# switchport port-security maximum 5
S1(config-if)# exit
S1(config)# 

There are three methods by which the switch can learn MAC Addresses on a secure port:

  1. Manually Configured (Static MAC Address)
  2. Dynamically Learned
  3. Dynamically Learned – Sticky

1. Manually Configured (Static MAC Address)

A static MAC Address entry is configured, and only that static MAC Address will be allowed on the port

Configuring a manually configured MAC Address

S1(config-if)# switchport port-security mac-address [mac-address]

2. Dynamically Learned

When the Port Security command is used, the current source MAC Address of the device connected to the port/interface is automatically secured, but it is not added to the startup configuration. Once the switch is rebooted, the port/interface will have to learn the device’s MAC Address again. This is the default state.

3. Dynamically Learned – Sticky

This command can be used to “stick” the learned MAC Addresses to the running configuration. In other words, the addresses are stored, and once the switch is rebooted it won’t have to learn them all over again.

Configuring a MAC Address to “Stick” to the configuration

S1(config-if)# switchport port-security mac-address sticky

[NOTE] Once you save the running configuration, the dynamically learned MAC Addresses will be stored in NVRAM, so you will have to manually modify the configuration if the plugged-in devices change.

(violation) Port Security Violation modes

Of course, if a new device is connected to the port/interface, its MAC Address will differ from the ones on the list of secure addresses, and a port-security violation will take place.

By default, the port will enter the “error-disabled” state.

The following are the available parameters for the violation mode configuration:

shutdown (default mode)
This is the default violation mode configured on Port Security.

The port transitions to an error-disabled state immediately, a Syslog message is sent, and the port LED is turned off. When this happens, the port must be re-enabled via the “no shutdown” command.

A Syslog message will be sent
The Violation counter will be incremented

restrict
If this parameter is configured, the port drops any packets with an unknown source address until a sufficient number of MAC Addresses are removed from the list or the maximum value is increased.

A Syslog message will be sent
The Violation counter will be incremented

protect
This is the least secure option out of all the Violation modes available.

The port still drops any packets with an unknown source address until a sufficient number of MAC Addresses are removed from the list or the maximum value is increased, but it does not send a Syslog message.

A Syslog message will NOT be sent
The Violation counter will NOT be incremented

Violation Modes Comparison Chart

Violation Mode   Drops Traffic   Syslog Messages   Violation Counter   Shuts Down Port/Interface
Shutdown         yes             yes               yes                 yes
Restrict         yes             yes               yes                 no
Protect          yes             no                no                  no
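
To make the rules from the aging section and the violation-mode section above concrete in one place, here is an added behavioural model of a single secure port. It is example code written for these notes, not Cisco code and not part of the original page: it applies the default maximum of 1, static / dynamic / sticky learning, the shutdown / restrict / protect modes exactly as in the comparison chart, and absolute versus inactivity aging. Time is a minute counter supplied by the caller, the syslog text is only modelled on the real IOS message, and sticky entries are aged like static ones, which is a modelling assumption rather than something the notes state.

```python
"""Behavioural model of one port-security-enabled port, following the aging
and violation-mode rules of this section.  Added example, not part of the
original notes and not Cisco code.  Assumptions: time is in minutes and is
supplied by the caller; sticky entries are aged like static ones."""
from dataclasses import dataclass, field


@dataclass
class SecureAddr:
    mac: str
    kind: str            # "static", "dynamic" or "sticky"
    learned_at: float    # minute the entry was created (used by absolute aging)
    last_seen: float     # minute of the last frame from this source (inactivity aging)


@dataclass
class SecurePort:
    maximum: int = 1               # 'switchport port-security maximum', default 1
    violation: str = "shutdown"    # 'switchport port-security violation', default shutdown
    sticky: bool = False           # 'switchport port-security mac-address sticky'
    aging_time: int = 0            # 'switchport port-security aging time', 0 = disabled
    aging_type: str = "absolute"   # 'switchport port-security aging type {absolute|inactivity}'
    aging_static: bool = False     # 'switchport port-security aging static'
    secure: dict = field(default_factory=dict)   # mac -> SecureAddr
    err_disabled: bool = False
    violations: int = 0            # the violation counter
    syslog: list = field(default_factory=list)

    def add_static(self, mac, now=0.0):
        """'switchport port-security mac-address <mac>': a static secure entry."""
        self.secure[mac] = SecureAddr(mac, "static", now, now)

    def frame(self, src_mac, now):
        """Process one ingress frame at minute `now`; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                      # an error-disabled port passes nothing
        entry = self.secure.get(src_mac)
        if entry is not None:
            entry.last_seen = now              # activity restarts the inactivity timer
            return "forward"
        if len(self.secure) < self.maximum:    # room left: learn the new source
            kind = "sticky" if self.sticky else "dynamic"
            self.secure[src_mac] = SecureAddr(src_mac, kind, now, now)
            return "forward"
        # Unknown source while the table is full: a security violation.
        if self.violation == "protect":
            return "drop"                      # silent: no syslog, counter unchanged
        self.violations += 1
        # Text modelled on the IOS %PORT_SECURITY-2-PSECURE_VIOLATION message.
        self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True           # stays down until shutdown / no shutdown
        return "drop"

    def shutdown_no_shutdown(self):
        """Operator recovery of an error-disabled port ('shutdown', then 'no shutdown')."""
        self.err_disabled = False

    def age(self, now):
        """Apply the aging timer at minute `now`; return the MACs that were removed."""
        if self.aging_time == 0:
            return []
        removed = []
        for mac, entry in list(self.secure.items()):
            if entry.kind != "dynamic" and not self.aging_static:
                continue                       # static (and sticky) age only with 'aging static'
            reference = entry.learned_at if self.aging_type == "absolute" else entry.last_seen
            if now - reference >= self.aging_time:
                removed.append(mac)
                del self.secure[mac]
        return removed

    def reload(self):
        """Reboot after the running-config was saved: static and sticky entries come
        back from NVRAM, dynamic ones have to be learned again; runtime state resets."""
        self.secure = {m: e for m, e in self.secure.items() if e.kind != "dynamic"}
        self.err_disabled = False
        self.violations = 0
        self.syslog = []


if __name__ == "__main__":
    port = SecurePort(maximum=2, violation="restrict")
    for mac, minute in [("aaaa.0000.0001", 0), ("aaaa.0000.0002", 1), ("aaaa.0000.0003", 2)]:
        print(mac, port.frame(mac, minute))
    print("violations:", port.violations, "err-disabled:", port.err_disabled)
```

The model makes the difference between the modes visible: with restrict, the third host on a maximum-2 port is dropped and counted while the two known hosts keep working; with the default shutdown mode the whole port goes error-disabled and drops even the known hosts until shutdown / no shutdown is issued; with protect nothing is logged or counted, which is why the notes call it the least secure option. The `age` method is where absolute aging (measured from when the entry was learned) and inactivity aging (measured from the last frame seen) diverge.
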

Configuring Violation Mode (shutdown)

S1(config-if)# switchport port-security violation shutdown 

[NOTE] If a port is shut down (error-disabled) due to a violation, to re-enable it you must first use the “shutdown” command followed by the “no shutdown” command to make the port operational again.

Configuring Violation Mode (restrict)

S1(config-if)# switchport port-security violation restrict

Configuring Violation Mode (protect)

S1(config-if)# switchport port-security violation protect