CCNA Study Notes – VLAN and Port Security

Port security on a Cisco IOS switch is a security feature that restricts input to an interface by limiting and identifying MAC addresses that are allowed to access the port. This helps prevent unauthorized devices from connecting to your network.

Key Concepts:

  • MAC Address Learning: The switch learns the MAC addresses of devices connected to the port.
  • Maximum MAC Addresses: You can configure the maximum number of MAC addresses allowed on a port.
  • Violation Modes: You can configure how the switch handles a security violation (when an unauthorized MAC address tries to connect).
  • Sticky MAC Addresses: This feature allows the switch to dynamically learn MAC addresses and add them to the running configuration.

Violation Modes:

  • Protect: Frames from unknown MAC addresses are dropped silently; no syslog message is generated and the violation counter does not increment, so this mode gives the operator no signal that a violation happened.
  • Restrict: Frames from unknown MAC addresses are dropped, the violation counter increments, and a syslog message (and an SNMP trap, if traps are configured) is sent.
  • Shutdown: The port is placed in the error-disabled state, effectively shutting it down. This is the default violation mode; the port stays down until an administrator issues shutdown followed by no shutdown, or errdisable recovery is configured.

Cisco IOS Configuration Examples:

Here are some examples of how to configure port security on a Cisco IOS switch:

1. Basic Port Security:

Cisco CLI
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
  • switchport mode access: Configures the port as an access port.
  • switchport port-security: Enables port security.
  • switchport port-security maximum 1: Limits the number of allowed MAC addresses to 1.
  • switchport port-security violation shutdown: Configures the port to shut down if a violation occurs.

2. Configuring Specific MAC Addresses:

Cisco CLI
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 000A.95BD.6842
 switchport port-security mac-address 000B.96CE.7953
 switchport port-security violation restrict
  • switchport port-security mac-address <MAC address>: Specifies the allowed MAC addresses.
  • switchport port-security violation restrict: Configures the port to restrict traffic and send a notification upon violation.

3. Using Sticky MAC Addresses:

Cisco CLI
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation protect
  • switchport port-security mac-address sticky: Enables sticky MAC addresses. The switch dynamically learns the MAC address of the first device that connects and adds it to the running configuration as a sticky secure address.
  • switchport port-security violation protect: Configures the port to silently drop frames from unknown MAC addresses upon violation.

4. Configuring Maximum MAC addresses with sticky MAC addresses:

Cisco CLI
interface GigabitEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
  • This configuration allows the first 3 MAC addresses learned on the port and adds them to the running configuration; a fourth address is a violation and the port is err-disabled.

Verification Commands:

  • show port-security interface <interface>: Displays port security settings for a specific interface.
  • show port-security address: Displays all secure MAC addresses on the switch.
  • show running-config interface <interface>: Shows the configuration of a specific interface, including sticky MAC addresses.

Important Considerations:

  • Port security is most effective on access ports.
  • Carefully plan your violation mode based on your security requirements.
  • Use sticky MAC addresses with caution, as they can lead to configuration issues if devices are frequently moved.
  • Regularly monitor port security logs and alerts.
  • When using sticky MAC addresses, remember to save the running configuration (copy run start, i.e. copy running-config startup-config) so that the learned addresses are still present after a switch reload.
  • If you are using a voice VLAN, ensure that you configure port security for the voice VLAN as well as the data VLAN.

Port security is a valuable tool for enhancing network security by controlling device access at the port level.
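The considerations above can be checked mechanically against saved show running-config output. The following audit script is an added example in Python and is not part of the original notes; the configuration it parses is constructed. It flags access ports without port security, ports using the silent protect mode, and voice-VLAN ports whose maximum (IOS default 1) cannot fit a phone plus a PC.

```python
# Constructed sample of "show running-config" output; not taken from a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/3
 switchport mode access
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split running-config text into {interface name: [its indented commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the interface stanza
    return interfaces

def audit_port_security(config: str) -> dict[str, list[str]]:
    """Return {interface: [findings]} for access ports; other ports are skipped."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        issues = []
        if "switchport port-security" not in lines:
            issues.append("port security not enabled on access port")
        else:
            if "switchport port-security violation protect" in lines:
                issues.append("violation mode protect drops silently; no syslog")
            # IOS default maximum is 1; a phone plus a PC on a voice-VLAN port need 2
            maximum = max((int(l.split()[3]) for l in lines
                           if l.startswith("switchport port-security maximum ")), default=1)
            if any(l.startswith("switchport voice vlan") for l in lines) and maximum < 2:
                issues.append("voice VLAN configured but maximum is below 2")
        if issues:
            findings[name] = issues
    return findings
```

Run audit_port_security over the text of show running-config (or a saved config file) to list the ports that need attention.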

Advanced port security methods on Cisco IOS, building upon the basic concepts:

1. DHCP Snooping and Dynamic ARP Inspection (DAI) Integration:

  • These features enhance port security by preventing unauthorized DHCP servers and ARP spoofing.
  • Integrating them with port security provides a more robust defense against network attacks.
Cisco CLI

ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ip arp inspection limit rate 15
  • ip dhcp snooping: Enables DHCP snooping globally.
  • ip dhcp snooping vlan 10: Enables DHCP snooping for VLAN 10. The switch drops DHCP server messages arriving on untrusted ports and builds a binding table (IP address, MAC address, VLAN, port) from the leases it sees.
  • ip arp inspection vlan 10: Enables DAI for VLAN 10. This is a global configuration command, not an interface command; DAI validates ARP packets received on untrusted ports against the DHCP snooping binding table and drops those that do not match.
  • ip arp inspection limit rate 15: Limits ARP packets on this untrusted interface to 15 per second (the IOS default for untrusted ports) to prevent ARP flooding; a port that exceeds the rate is err-disabled.
  • Uplink ports toward the legitimate DHCP server and other switches must be marked trusted (ip dhcp snooping trust and ip arp inspection trust on that interface); otherwise valid DHCP offers and ARP replies from the infrastructure are dropped.
  • These commands, used in conjunction with port security, ensure that only valid DHCP and ARP traffic is allowed on the port.

2. Voice VLAN Port Security:

  • When using voice VLANs, it is crucial to apply port security to both the data and voice VLANs.
Cisco CLI

interface GigabitEthernet0/2
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security violation restrict
  • switchport voice vlan 20: Configures the voice VLAN.
  • switchport port-security maximum 2: Allows for a phone and a computer to connect. A secure port that carries a voice VLAN with a PC behind the phone must allow at least two secure addresses.
  • switchport port-security maximum 1 vlan access / switchport port-security maximum 1 vlan voice: Extends port security to the voice VLAN by splitting the limit per VLAN, so that one address is allowed on the data VLAN and one on the voice VLAN rather than two on either.

3. Port Security Aging:

  • Port security aging allows you to automatically remove learned MAC addresses after a specified period.
Cisco CLI

interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security aging time 30
 switchport port-security aging type inactivity
 switchport port-security violation protect
  • switchport port-security aging time 30: Sets the aging time to 30 minutes.
  • switchport port-security aging type inactivity: Removes a secure address after it has sent no traffic for the aging time (the alternative, aging type absolute, removes it a fixed time after it was learned).
  • Aging applies to dynamically learned secure addresses; add switchport port-security aging static to age statically configured ones as well. Catalyst switches do not age sticky secure addresses, so on a sticky port like this one the aging commands have no effect on the addresses that were learned as sticky.

4. Secure MAC Address Aging:

  • This feature ages out dynamically learned secure MAC addresses on an interface after a period of inactivity.
Cisco CLI

switchport port-security aging time 60
switchport port-security aging type inactivity
  • These commands are entered in interface configuration mode (there is no global port-security aging command) and set the aging time and type for the secure MAC addresses on that interface.

5. Protected Ports:

  • Protected ports prevent traffic from being forwarded between ports on the same switch that are both configured as protected; a protected port still forwards to unprotected ports and to the uplink.
Cisco CLI

interface GigabitEthernet0/4
 switchport mode access
 switchport protected
  • This is useful for isolating devices on the same VLAN.

6. Port Security with 802.1X:

  • Combining port security with 802.1X authentication provides a very strong security solution: 802.1X handles authentication, and port security handles MAC address limits.

Key Considerations for Advanced Port Security:

  • Network Design: Plan your port security implementation based on your network topology and security requirements.
  • Monitoring and Logging: Regularly monitor port security logs and alerts for suspicious activity.
  • Documentation: Document your port security configurations.
  • Testing: Thoroughly test your configurations before implementing them in a production environment.
  • Security Policies: Develop and enforce clear security policies for device access.
  • Dynamic Environments: In dynamic environments, consider port security aging (aging type inactivity) to reduce administrative overhead; because sticky addresses are not aged, prefer dynamic secure addresses where devices move frequently.
  • AAA Server Integration: For advanced authentication and authorization, integrate port security with an AAA (Authentication, Authorization, and Accounting) server.
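The Monitoring and Logging point above depends on violation modes that actually log: restrict and shutdown emit %PORT_SECURITY-2-PSECURE_VIOLATION messages, shutdown additionally emits %PM-4-ERR_DISABLE, and protect emits nothing. The following parser is an added example in Python, not part of the original notes; the syslog lines are constructed in IOS message format, and the flood_threshold name and value are assumptions.

```python
import re
from collections import defaultdict

# Constructed syslog lines in Cisco IOS message format; not captured from a real switch.
SAMPLE_SYSLOG = """\
Mar  1 10:15:02.113: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.2911.aa01 on port GigabitEthernet0/1.
Mar  1 10:15:02.120: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
Mar  1 10:16:40.501: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.2911.aa02 on port GigabitEthernet0/2.
Mar  1 10:16:41.002: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.2911.aa03 on port GigabitEthernet0/2.
Mar  1 10:16:41.509: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.2911.aa04 on port GigabitEthernet0/2.
Mar  1 10:20:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

VIOLATION_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address ([0-9a-f.]+) on port (\S+)\.")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")

def expand_ifname(short: str) -> str:
    """Map the abbreviated name used in %PM messages (Gi0/1) to the long form."""
    for abbr, full in {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}.items():
        if short.startswith(abbr) and not short.startswith(full):
            return full + short[len(abbr):]
    return short

def summarize_violations(log: str, flood_threshold: int = 3) -> dict:
    """Group PSECURE_VIOLATION messages by port.

    Returns {port: {"macs": [...], "err_disabled": bool, "flood_suspect": bool}}.
    In restrict mode the port stays up while logging each offender, so a port that
    reports many distinct MACs is flagged (flood_suspect) for follow-up even though
    it was never err-disabled. Protect mode produces no messages at all.
    """
    ports = defaultdict(lambda: {"macs": [], "err_disabled": False, "flood_suspect": False})
    for line in log.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            mac, port = m.groups()
            if mac not in ports[port]["macs"]:
                ports[port]["macs"].append(mac)
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            ports[expand_ifname(m.group(1))]["err_disabled"] = True
    for info in ports.values():
        info["flood_suspect"] = len(info["macs"]) >= flood_threshold
    return dict(ports)
```

Feed it the switch's syslog export (or a syslog collector's output) to see which ports were err-disabled and which restrict-mode ports keep reporting new offending addresses.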

These advanced methods provide a more comprehensive and robust approach to port security, helping to protect your network from a wider range of security threats.

Check out free CCNA study notes at tutorialsweb.com