How to configure port-security on Cisco Switch

(Hussein Samir) #22

Hi Rene,

Can you please answer these questions:
1 - What is the difference between the aging types (absolute & inactivity), and what do we use them for?
2 - What is the difference between the aging time and the errdisable recovery interval?
3 - What is the use of the command “switchport port-security aging static”?

Thanks,
Hussein Samir

0 Likes

(Andrew P) #23

Hussein,
1.
Absolute = aging based on a clock, regardless of activity
Inactivity = aging based on whether frames have been received from the MAC in question. Once a frame has been received, the configured aging value resets and starts to count down again.

You might use Absolute in a public access setting, maybe a library where people can plug in, but after a certain amount of time, re-authentication must occur.

You might use Inactivity in a more semi-private setting, like the lobby of a business. The idea being that you want to limit the number of devices attached to a port, but so long as a device is remaining active, it is okay for it to remain.

2.
These are very different. Aging time has to do with how long a switch associates a MAC address with a particular port using the options discussed in #1. Errdisable Recovery interval is how long a port remains in an err-disabled state (and there are lots of reasons why a port might be in this state) before it automatically “recovers” to being in a normal status. Of course, if the condition that caused the port to go into an errdisabled state still remains after the automatic recovery, the port will again return to an errdisabled state.

3.
This command tells the switch that even manually defined MAC addresses are subject to the aging mechanisms defined (as was discussed in #1). By default, manually defined static MACs are not subjected to aging out. I suppose the thought is that if you went to the trouble of manually defining a MAC to Port association, you want that to be persistent.

0 Likes
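An added configuration example (not from any post in this thread) that puts the two timers from points 1 and 2 side by side on one switch. The interface name, timer values and the choice of `shutdown` violation mode are assumptions made for illustration:

```cisco
! --- Timer 1: port-security aging (per interface, value in MINUTES) ---
! Controls how long a dynamically learned secure MAC stays bound to the port.
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Inactivity aging: the 10-minute countdown restarts every time a frame
 ! arrives from the secure MAC; "absolute" would expire it after 10 minutes
 ! no matter how busy the device is.
 switchport port-security aging type inactivity
 switchport port-security aging time 10
!
! --- Timer 2: errdisable recovery (global, value in SECONDS) ---
! Only matters after a violation has put the port into err-disabled state.
! Without "recovery cause", the port stays down until someone issues
! "shutdown" / "no shutdown" on it.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (assumed interface name):
!   show port-security interface FastEthernet0/10   -> aging time/type, violation count
!   show port-security address                      -> secure MACs with remaining age
!   show errdisable recovery                        -> causes enabled and timer value
```

The two timers never interact directly: aging decides when the learned binding on a healthy port is forgotten, while the recovery interval decides when an err-disabled port is brought back up. Note the unit mismatch (minutes versus seconds), which is a common source of confusion when both are set to "5". If the offending device is still attached when recovery fires, the port violates again and goes straight back to err-disabled, exactly as described above.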

(Hussein Samir) #24

Thanks Andrew, it’s clear now.

One more question:
What is the difference between these two commands, “switchport port-security aging time” & “mac-address-table aging-time”?

0 Likes

(Lazaros Agapides) #25

Hello Hussein.

In order to clearly answer this question, we have to define two different functionalities of the switch: port security and the MAC address table.

Port security has been explained well in this lesson, so I’ll just mention that port security allows only devices with specific MAC addresses to connect and function on a specific interface.

The MAC address table is a table that records MAC addresses and the corresponding interface on which they can be found. This table exists to give a switch its most basic function, which also distinguishes it from a hub: to eliminate collision domains.

So these are two very different functionalities that both use MAC addresses.

Now to your question:

Concerning switchport port-security aging time: When aging is configured on an interface that’s using port security, all the dynamically learned secure addresses age out when the aging time expires. This can be configured as an absolute value, where the aging time expires regardless of activity on the port, or it can be configured where it defines the period of inactivity after which all the dynamically learned secure addresses age out.

Concerning mac-address-table aging-time: This command configures the amount of time before a dynamically learned MAC address in the CAM table (or MAC address table) is removed. It defines the period of inactivity after which all the dynamically learned MAC addresses age out.

So, these are two very different functionalities that function in a similar manner.

I hope this has been helpful for you!

Laz

1 Like

(Hussein Samir) #26

Hello Laz,

Thank you for your answer, but I have a little ambiguity about secure addresses.

What is the meaning of the secure addresses? Do you mean the addresses that cause the port-security violation, or the addresses that we configured with the “switchport port-security” command? If the secure addresses are the addresses that we configured with the “switchport port-security” command, then when the aging time expires (absolute mode or inactivity mode), does that mean the protection will be cancelled from the port? Is that correct or not? Can you please clarify this ambiguity?

Regards,
Hussein Samir

0 Likes

(Lazaros Agapides) #27

Hello Hussein.

That’s a very good point, and yes, it requires clarification.

In order for port security to function, the “allowed” MAC addresses are configured for each port. These are the secure addresses. Now there are several ways a switch can learn these addresses: statically or dynamically.

The statically configured MAC addresses for port security DO NOT age out. They are permanent. These are the addresses that are configured using the command:

switchport port-security mac-address 1000.2000.3000

The switchport port-security aging time command only affects dynamically learned MAC addresses. These are the addresses that are configured using the command:

switchport port-security

So, the switchport port-security aging time command applies to MAC addresses learned in this way. However, when the aging time expires, it does NOT mean that protection will be cancelled. It just means that the dynamically learned MAC address is no longer associated with the port. However, port-security is still configured, so the MAC address will just be “relearned”.

For example, let’s say I configure FastEthernet 0/3 with port security and allow only one MAC address to be dynamically learned. In other words:

Switch(config)#interface FastEthernet 0/3
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1

And I put an absolute timer of 60 minutes for aging out like this:

Switch(config-if)#switchport port-security aging type absolute
Switch(config-if)#switchport port-security aging time 60 

I plug in my laptop, the MAC address is learned and I can use it for 60 minutes. During that 60 minutes, if I remove it and place another device on the port, port-security will kick in and the device will not connect. After the 60 minutes are up, the MAC address is aged out. At that time, the MAC address of the connected device (either my original laptop or another device) will be relearned and port security will still be functioning for another 60 minutes.

If I choose to use aging type inactivity, then after 60 minutes of inactivity the MAC addresses will be aged out and a new MAC address will be learned.

I hope this has been helpful!

Laz

2 Likes

(Hussein Samir) #28

Wow, that is a very good explanation, thank you very much Laz.

Last question, about the “switchport port-security aging static” command:

If we use this command, does that mean even statically configured MAC addresses will age out, “as Andrew P answered me in the previous comment”? And in this case, will the protection be cancelled from the port? Is that right or not? And if not, what will happen?

thanks again Laz,

Hussein Samir

0 Likes

(Lazaros Agapides) #29

Hello Hussein.

Just to confirm, I went to Cisco to make sure I give you the correct answer. According to Cisco, aging applies ONLY to dynamically learned addresses. Quoting Cisco:

Static secure MAC addresses and sticky secure MAC addresses do not age out.

You can find out more information at the following link:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html#wp1055928

I hope this has been helpful!

Laz

0 Likes

(Hussein Samir) #30

Hello Laz,

Thank you again for your answer…

So what is the benefit of the “switchport port-security aging static” command? Or when do we use it?

Thanks,
Hussein Samir

0 Likes

(Lazaros Agapides) #31

Hello again Hussein.

This is yet another good question! Let’s say you have a waiting room, a common room or a meeting room where multiple people come in and out. You have an Ethernet plug (which is connected via structured cabling to a switch port) available and active for users to use. You want to allow multiple devices to connect to this port at different times, however, you want to have a level of security so that the service is not misused. It is not a good solution to go in and configure the MAC address in port security every time someone wants to connect!!

You can set up the switch port to have an “idle aging timer” of say 2 minutes and allow only one dynamically learned MAC address. This will allow a user to physically connect, use the service and disconnect the cable when done. After 2 minutes or longer, say after one meeting is over and another begins, the next set of users come in and someone connects her laptop to the port and uses the service.

What are the advantages? You still limit the use of the port so, for example, you cannot connect another switch to the port and have multiple PCs connect. Only 1 MAC address can connect at any time. Also, the connection of an access point to this port will be limited. The access point itself will connect, but none of the clients will be able to connect (assuming bridged mode).

Although it’s not in common use, the aging timer does have its uses. I’m sure you could come up with a few more uses of this feature.

I hope this has been helpful!

Laz

0 Likes

(Hussein Samir) #32

Hello Laz

I understand everything you said in your last answer, but I did not find an answer to my question about the uses of this command:

“switchport port-security aging static”

Thanks in advance,
Hussein Samir

0 Likes

(Lazaros Agapides) #33

Hello Hussein

The switchport port-security aging static command explicitly enables the aging feature for statically assigned secure MAC addresses. An example of its usefulness follows:

Let’s say you have the scenario that I described in my previous message. A meeting will take place where the users want to connect a small switch to use three PCs. As the port security is set up to dynamically allow only 1 MAC, you as the administrator can ask for the MAC addresses of the three PCs, configure them statically and turn a static aging timer on. In this way, when the meeting is over and the switch and PCs are removed, you don’t have to go back and remove those MAC addresses. They will be timed out automatically for you.

In general, the usefulness of each command also depends on the “creativity” of the admin and of the way he or she wants to implement port security. Some features you might be able to find many uses for, others you may not be able to find uses for. It all depends on your needs.

After reading this example, you may be able to find more applications for this command.

I hope this has been helpful!

Laz

0 Likes
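The meeting-room scenario from the post above as an added configuration example (it is not Laz’s own config). The interface name, the three MAC addresses and the 240-minute window are placeholders chosen for illustration:

```cisco
! Meeting-room port: three known PCs behind a small switch, allowed for one afternoon
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 ! Raised from 1 to 3 so the three static entries fit
 switchport port-security maximum 3
 switchport port-security violation restrict
 ! Static secure MACs (placeholder addresses supplied by the meeting organiser)
 switchport port-security mac-address 0000.1111.aaaa
 switchport port-security mac-address 0000.1111.bbbb
 switchport port-security mac-address 0000.1111.cccc
 ! Absolute aging: the entries expire 240 minutes after they are configured,
 ! regardless of whether the PCs are still talking
 switchport port-security aging type absolute
 switchport port-security aging time 240
 ! Without this line the three static entries above would never age out;
 ! aging would apply only to dynamically learned addresses
 switchport port-security aging static
!
! Verification while the meeting is running (assumed interface name):
!   show port-security address
!     -> lists the three entries with their "Remaining Age (mins)"
!   show port-security interface FastEthernet0/3
!     -> "Aging Type: Absolute", "SecureStatic Address Aging: Enabled"
```

Two things a practitioner should check after the static entries have aged out. First, `maximum 3` stays in the running configuration, so the port will now accept up to three dynamically learned MACs instead of the single one the room normally allows; lower it back to 1 (or schedule that with a maintenance change) once the meeting is over. Second, `aging static` only removes the secure-address bindings; the `switchport port-security mac-address` lines themselves remain in the configuration, so review the interface configuration afterwards rather than relying on the show output alone.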

(Neelab S) #34

Hi Rene,
What do you mean by “an SNMP trap is sent” during shutdown and restrict mode? I mean, what is this SNMP trap?

Thanks in advance,

--Neelab

0 Likes

(Maher H) #35

Hi Neelab,

The SNMP protocol is used to monitor routers, switches and other network peripherals from a centralized NMS such as Observium. A trap is a notification that is sent immediately, as soon as something occurs in a network device, for example an interface going down in a router.

To know more about SNMP, I advise you to read this lesson: Introduction to SNMP

Hope this can help.

0 Likes

(Raaman K) #36

Hi,
I have come across the following commands in my office switch after observing fluctuations in the LAN.

Default config.

switchport port-security aging time 2

After troubleshooting the following were added.

switchport port-security aging time 5
switchport port-security aging type inactivity

Kindly guide.

0 Likes

(Andrew P) #37

Raaman,
From your description, two changes have been made:
switchport port-security aging time 5
This command will time out the MAC address on the secured port after 5 minutes.

The second command,
switchport port-security aging type inactivity
specifies what constitutes a time-out. By default, the timer is absolute, meaning 5 minutes (in this case) no matter what. However, since the option of “inactivity” was chosen, this simply means that if no traffic is received FROM the secure port for 5 minutes, then the age-out occurs. If traffic is received within that 5-minute period, the countdown clock is reset.

0 Likes

(Shantel - Networklessons.com) split this topic #38

19 posts were merged into an existing topic: How to configure port-security on Cisco Switch

0 Likes

(Thery E) #39

Hi everybody !

Thanks a million Rene for your amazing bite size tutorials ! They’re really helping me get a better grasp on networking !

I’ve got a simple question. I’m testing dynamic port security and I’ve read around that since it doesn’t store the setup in the running config, if I reload my switch the MAC addresses are flushed. The thing is, when I try a reload that is the case, but when I try to get the host MAC addresses to show again, I actually need to change the IP addresses temporarily for it to take effect. Is this the only possible way to get the MAC addresses to register again?

0 Likes

(Rene Molenaar) #40

Hello @mgtube

Glad to hear you like my work 🙂

The MAC addresses that your switch learns (for port-security) are not stored in your configuration, but it is possible with the sticky parameter:

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport port-security mac-address sticky 

Once it has learned something, you will see an extra line in the running configuration under the interface with the MAC address.

You’ll need to receive at least one Ethernet frame to learn the MAC address. If you use routers for this then it might take a while since they don’t generate much traffic if you haven’t configured anything.

If you use a computer then it’s much faster since they generate a lot of network traffic even when you aren’t doing anything yourself.

0 Likes

(Brian C) #41

I have a question in regards to security and a possible effect that can be caused.

I am reviewing over security for my upcoming CCNP switch test and it was talking about two different kinds of attacks: Cam table overflow and Mac Address Spoofing.

When talking about Mac address spoofing it said the following when talking about a host having spoofed another host Mac on the network:

I always thought causing a Denial of Service meant that someone attacked a device and the ISP saw this and then shut down the traffic to that device/port, or that the traffic attack was so heavy that nothing else got through. I could have sworn that an ISP would turn something off if they saw these, but maybe I am remembering wrong. I never fully explored the workings, knowledge-wise, as I just always called it DoS and left it at a high level.

I never thought about an individual switch explicitly having a built in feature that would turn off a host being able to connect. Is that what it means by DoS? That the switch turns off a port or has a feature that blocks that host or port?

Or does it just mean something more implicit, in that since traffic is not getting to the host, the effect is that of a denial of service?

I know once at our data center some server no longer had access to the internet, caused by a DoS attack. Was that device turned off, or the port blocked, by an ISP or the data center, or by a built-in feature of the switch? Or did they just mean that the traffic attack was so heavy that nothing got through, thus more of an implicit meaning that there was a denial of service?

Thanks for any feedback.

0 Likes