Port Security

By stretch | Monday, May 3, 2010 at 4:21 a.m. UTC

Port security is a layer two traffic control feature on Cisco Catalyst switches. It enables an administrator configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter the addition by users of "dumb" switches to illegally extend the reach of the network (e.g. so that two or three users can share a single access port). The addition of unmanaged devices complicates troubleshooting by administrators and is best avoided.

Enabling Port Security

Port security can be enabled with default parameters by issuing a single command on an interface: Switch(config)# interface f0/13 Switch(config-if)# switchport port-security Although only a single interface is used for illustration in this article, port security, if configured, is typically configured on all user-facing interfaces. We can view the default port security configuration with show port-security: Switch# show port-security Port Security Port Status Violation Mode Aging Time Aging Type SecureStatic Address Aging Maximum MAC Addresses Total MAC Addresses Configured MAC Addresses Sticky MAC Addresses Last Source Address:Vlan Security Violation Count interface f0/13 : Enabled : Secure-down : Shutdown : 0 mins : Absolute : Disabled : 1 : 0 : 0 : 0 : 0000.0000.0000:0 : 0

As you can see, there are a number of attributes which can be adjusted. We'll cover these in a moment. When a host connects to the switch port, the port learns the host's MAC address as the first frame is received: Switch# show port-security Port Security Port Status Violation Mode Aging Time Aging Type SecureStatic Address Aging Maximum MAC Addresses Total MAC Addresses Configured MAC Addresses Sticky MAC Addresses Last Source Address:Vlan Security Violation Count interface f0/13 : Enabled : Secure-up : Shutdown : 0 mins : Absolute : Disabled : 1 : 1 : 0 : 0 : 001b.d41b.a4d8:10 : 0

Now, we disconnect the host from the port, connect a small switch or hub, and reconnect the original host plus a second, unauthorized host so that they both attempt to share the access port. Observe what happens as soon as the second host attempts to send traffic:

http://packetlife.net/blog/2010/may/3/port-security/

Page 1

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down Inspecting the status of port security on the port again, we can see that the new MAC address triggered a violation: Switch# show port-security interface f0/13 Port Security : Enabled Port Status : Secure-shutdown Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 0 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address:Vlan : 0021.55c8.f13c:10 Security Violation Count : 1 Switch# show interfaces f0/13 FastEthernet0/13 is down, line protocol is down (err-disabled) Hardware is Fast Ethernet, address is 0013.c412.0f0d (bia 0013.c412.0f0d) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set ... By default, a port security violation forces the interface into the error-disabled state. An administrator must re-enable the port manually by issuing the shutdown interface command followed by no shutdown. This must be done after the offending host has been removed, or the violation will be triggered again as soon as the second host sends another frame.

Tweaking Port Security

Violation Mode
Port security can be configured to take one of three actions upon detecting a violation: shutdown (default) ; The interface is placed into the error-disabled state, blocking all traffic. protect ; Frames from MAC addresses other than the allowed addresses are dropped; traffic from allowed addresses is permitted to pass normally. restrict ; Like protect mode, but generates a syslog message and increases the violation counter. By changing the violation mode to restrict, we are still alerted when a violation occurs, but legitimate traffic remains unaffected: Switch(config-if)# switchport port-security violation restrict Switch(config-if)# ^Z Switch# %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c Switch# show port-security interface f0/13 Port Security : Enabled Port Status : Secure-up Violation Mode : Restrict Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled http://packetlife.net/blog/2010/may/3/port-security/ Page 2

Maximum MAC Addresses Total MAC Addresses Configured MAC Addresses Sticky MAC Addresses Last Source Address:Vlan Security Violation Count

: : : : : :

1 1 0 0 0021.55c8.f13c:10 3

Unfortunately, violating traffic will continue to trigger log notifications, and the violation counter will continue to increase, until the violating host is dealt with.

Maximum MAC Addresses

By default, port security limits the ingress MAC address count to one. This can be modified, for example, to accommodate both a host and an IP phone connected in series on a switch port: Switch(config-if)# switchport port-security maximum 2 One also has the option to set a maximum MAC count for the access and voice VLANs independently (assuming a voice VLAN has been configured on the interface): Switch(config-if)# switchport port-security maximum 1 vlan access Switch(config-if)# switchport port-security maximum 1 vlan voice

MAC Address Learning

An administrator has the option of statically configuring allowed MAC addresses per interface. MAC addresses can optionally be configured per VLAN (access or voice). Switch(config-if)# switchport port-security mac-address 001b.d41b.a4d8 ? vlan set VLAN ID of the VLAN on which this address can be learned <cr> Switch(config-if)# switchport port-security mac-address 001b.d41b.a4d8 vlan access The configured MAC address(es) are recorded in the running configuration: Switch# show running-config interface f0/13 Building configuration... Current configuration : 259 bytes ! interface FastEthernet0/13 switchport access vlan 10 switchport mode access switchport voice vlan 20 switchport port-security switchport port-security violation restrict switchport port-security mac-address 001b.d41b.a4d8 spanning-tree portfast end Obviously, this is not a scalable practice. A much more convenient alternative is to enable "sticky" MAC address learning; MAC addresses will be dynamically learned until the maximum limit for the interface is reached. Switch(config-if)# no switchport port-security mac-address 001b.d41b.a4d8 Switch(config-if)# switchport port-security mac-address sticky http://packetlife.net/blog/2010/may/3/port-security/ Page 3

Switch(config-if)# ^Z Switch# show port-security Port Security Port Status Violation Mode Aging Time Aging Type SecureStatic Address Aging Maximum MAC Addresses Total MAC Addresses Configured MAC Addresses Sticky MAC Addresses Last Source Address:Vlan Security Violation Count

interface f0/13 : Enabled : Secure-up : Restrict : 0 mins : Absolute : Disabled : 1 : 1 : 0 : 1 : 001b.d41b.a4d8:10 : 0

After a MAC address has been learned, it is recorded to the configuration similarly to as if it were entered manually: Switch# show running-config interface f0/13 Building configuration... Current configuration : 311 bytes ! interface FastEthernet0/13 switchport access vlan 10 switchport mode access switchport voice vlan 20 switchport port-security switchport port-security violation restrict switchport port-security mac-address sticky switchport port-security mac-address sticky 001b.d41b.a4d8 spanning-tree portfast end

MAC Address Aging

By default, secure MAC addresses are learned (in effect) permanently. Aging can be configured so that the addresses expire after a certain amount of time has passed. This allows a new host to take the place of one which has been removed. Aging can be configured to take effect at regular intervals, or only during periods of inactivity. The following example configures expiration of MAC addresses after five minutes of inactivity: Switch(config-if)# switchport port-security aging time 5 Switch(config-if)# switchport port-security aging type inactivity Switch(config-if)# ^Z Switch# show port-security interface f0/13 Port Security : Enabled Port Status : Secure-up Violation Mode : Restrict Aging Time : 5 mins Aging Type : Inactivity SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address:Vlan : 001b.d41b.a4d8:10 http://packetlife.net/blog/2010/may/3/port-security/ Page 4

Security Violation Count

: 0

After five minutes of inactivity, we can see that the address has been purged: Switch# show port-security Port Security Port Status Violation Mode Aging Time Aging Type SecureStatic Address Aging Maximum MAC Addresses Total MAC Addresses Configured MAC Addresses Sticky MAC Addresses Last Source Address:Vlan Security Violation Count interface f0/13 : Enabled : Secure-up : Restrict : 5 mins : Inactivity : Disabled : 1 : 0 : 0 : 0 : 001b.d41b.a4d8:10 : 0

At this point, the old address will be re-learned the next time a frame is sent from that host, or a new host can take its place.

Auto-recovery
To avoid having to manually intervene every time a port-security violation forces an interface into the error-disabled state, one can enable auto-recovery for port security violations. A recovery interval is configured in seconds. Switch(config)# errdisable recovery cause psecure-violation Switch(config)# errdisable recovery interval 600 Ten minutes after a port was error-disabled, we can see that the port is automatically transitioned back into operation: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/13 %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up This is a great way to automatically clear port security violations after the user has been given an opportunity to remove the offending host(s). Note that is the cause is not cleared, the violation will trigger again after the port comes back up, re-initating the auto-recovery cycle.

Footnote
Although a deterrent, port security is not a reliable security feature, as MAC addresses are trivially spoofed, and multiple hosts can still easily be hidden behind a small router. IEEE 802.1X is a much more robust access edge security solution. Posted in Security, Switching

http://packetlife.net/blog/2010/may/3/port-security/

Page 5