Cisco Switch Port Security Configuration and Best Practices
Introduction
One of the best practices in network security is to stop threats at the entry point of the LAN, and since the access switch is that entry point it can play an important role in network security.
For example, port security on Cisco switches can be used to stop MAC-flooding attacks and to prevent unauthorized hosts from connecting to the switch.
In a MAC-flooding attack, the attacker connects a laptop to an empty switch port or an empty RJ45 wall socket and uses a hacking tool to generate thousands or millions of Ethernet frames with random, fake source MAC addresses, sending them into the switch interface.
The switch learns each of these addresses into its MAC address (CAM) table. Once the table is full, the switch can no longer learn new addresses, so frames for destinations it does not know are flooded out of every port in the VLAN, i.e. the switch starts behaving like a hub.
This means that the attacker can capture traffic between the other devices connected to the switch.
The defence against this kind of attack (and against other Layer 2 attacks) is easy and simple. It is called Port Security, and you can use it to limit the number of MAC addresses allowed per interface, or even to specify exactly which MAC address may connect to each physical port of the switch.
Port security is configured on static access (or trunk) ports, which is why every example below starts with “switchport mode access”: the command is rejected on a port whose switchport mode is dynamic.
TestSwitch(config)#int g0/1
TestSwitch(config-if)#switchport mode access
TestSwitch(config-if)#switchport port-security
TestSwitch(config-if)#switchport port-security maximum 1
Now interface g0/1 is allowed to learn only one MAC address (1 is also the default maximum, so the last command only makes the limit explicit). If a frame arrives with a second source MAC address, that is a violation, and with the default violation mode (shutdown, explained below) the interface goes into err-disabled state. Size the limit for what is really behind the port: an IP phone with a PC attached needs a maximum of 2.
TestSwitch(config)#int g0/1
TestSwitch(config-if)#switchport mode access
TestSwitch(config-if)#switchport port-security
TestSwitch(config-if)#switchport port-security mac-address f1d3.2c9f.abdc.ccba
Any device with a different MAC address violates the rule and, in the default violation mode (shutdown), the interface goes into err-disabled state. Note that IOS expects the address as 12 hex digits in xxxx.xxxx.xxxx form, so check the value before you type it.
When a violation happens the switch logs a syslog message that names the offending source MAC address and the interface it has err-disabled; in the author's test the violating device had MAC address f02d.3f4e.2dcc.
Instead of typing the address by hand, you can let the switch learn it with “sticky” addresses. First remove the statically configured address if you configured manual MAC filtering in the previous step (“no switchport port-security mac-address <address>” on the interface), then enter “switchport port-security mac-address sticky” on the interface.
With this command the switch learns the first MAC address seen on the interface and writes it into the running configuration as a secure address, so only that device is allowed from then on.
To see which MAC address has “stuck” to the interface, type “show run interface g0/1”: the learned address appears as a “switchport port-security mac-address sticky” line followed by the address. In the author's example the switch learned f02d.3f4e.2dcc, and from now on only this address will be allowed to connect to this port.
Sticky addresses live in the running configuration only; save it (“copy running-config startup-config”), otherwise they are lost at the next reload and the port will re-learn whatever device connects first. When a port is reassigned to a new device, forget the old address with “clear port-security sticky interface g0/1”.
Verification Commands
You can see which switch ports have entered error-disabled state (because of a security violation) with “show interfaces status err-disabled”.
You can also verify a single port with “show interface g0/1”; “show port-security interface g0/1” additionally shows the violation mode, the violation count and the last source MAC address seen on the port.
To take the interface out of err-disabled state, first remove the cause (unplug the offending device, or correct the configured or sticky address if the new device is legitimate), then bounce the port with “shutdown” followed by “no shutdown”:
TestSwitch(config)#int g0/1
TestSwitch(config-if)#shut
TestSwitch(config-if)#no shut
To verify, run the commands “show interface status err-disabled” or “show interface g0/1”
Automatic recovery is off by default for port-security violations, so an err-disabled port stays down until someone bounces it. To let the switch recover the port itself, enable it in global configuration mode with “errdisable recovery cause psecure-violation”.
The recovery timer is global for all errdisable causes and defaults to 300 seconds; set “errdisable recovery interval 900” if you want the 15 minutes used here. Make sure you fix the problem within that window, because otherwise the next frame from the offending device causes another violation and the interface ends up in err-disabled state again. “show errdisable recovery” shows the timer and the interfaces currently waiting on it.
There are three actions a port can take when a violation occurs, selected per interface with “switchport port-security violation {protect | restrict | shutdown}”. The options are “Shutdown” (default), “Protect” and “Restrict”.
Protect: frames from non-allowed MAC addresses are dropped while the port stays up and frames from the allowed addresses keep flowing, but nothing is logged and no counter is incremented, so you will not know that the violation happened.
Restrict: frames from non-allowed MAC addresses are dropped and the port stays up, but a syslog message is generated, an SNMP trap is sent and the interface's violation counter is incremented. This is usually the better choice for user ports, because an attacker (or a mis-cabled device) cannot take the port down for the legitimate user.
Shutdown: this is the default action. If the interface receives a frame from a non-allowed MAC address, the interface goes into err-disabled state and is effectively shut down for every device behind it. A syslog message is generated and an SNMP trap is sent. For recovery you have to bounce the interface manually or enable automatic recovery as described above.
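Putting the pieces from this post together, here is a complete access-port configuration as an added example (it is assembled for this page and is not configuration from the original post). It shows the bare-minimum setting from the first example next to a hardened version. The interface name, the data/voice VLAN numbers 10 and 20, the maximum of 2 (an IP phone with a PC behind it) and the 900-second recovery interval are assumptions for a typical office port; adjust them to your network.

```cisco
! Added example: port security on a user-facing access port.
! Assumptions: Gi0/1 serves an IP phone (voice VLAN 20) with a PC behind it
! (data VLAN 10), so two source MAC addresses are legitimate on this port.

! --- Minimal configuration (as in the first example of this post) ---
! Default maximum is 1 and default violation mode is shutdown: the PC behind
! the phone is already a "violation", the port is err-disabled, and nothing
! brings it back until someone logs in and bounces it.
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
!
! --- Hardened configuration ---
interface GigabitEthernet0/1
 description User port - IP phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Global: only needed if you keep "violation shutdown" on some ports.
! The interval is shared by all errdisable causes and defaults to 300 s;
! 900 gives the 15 minutes mentioned in the text.
errdisable recovery cause psecure-violation
errdisable recovery interval 900
!
! Sticky addresses are only in the running configuration until saved
! (privileged exec mode):
!   copy running-config startup-config
!
! Verification (privileged exec mode):
!   show port-security
!   show port-security interface GigabitEthernet0/1
!   show port-security address
!   show interfaces status err-disabled
!   show errdisable recovery
!
! Re-provisioning the port for a different device: drop the stuck address,
! otherwise the new device is counted as a violation.
!   clear port-security sticky interface GigabitEthernet0/1
```

With “violation restrict” the port never goes err-disabled, so the recovery commands only matter for ports you deliberately leave in shutdown mode; the violation counter in “show port-security interface” tells you that an unknown device was plugged in without taking the legitimate user offline.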
sami says
August 3, 2016 at 9:10 pm
Hi
thank you so much
I think if you add a topology to the lesson maybe it is easier
We provide technical tutorials and configuration examples about TCP/IP networks with a focus on Cisco products and technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated with or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.
As an Amazon Associate I earn from qualifying purchases. Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.