How to configure port-security on Cisco Switch

I have a question in regards to security and a possible effect that can be caused.

I am reviewing security for my upcoming CCNP Switch test and it was talking about two different kinds of attacks: CAM table overflow and MAC address spoofing.

When talking about MAC address spoofing, it said the following about a host having spoofed another host's MAC on the network:

I always thought causing a Denial of Service meant that someone attacked a device and the ISP saw this and then shut down the traffic to that device/port, or that the traffic attack was so heavy that nothing else got through. I could have sworn that an ISP would turn something off if they saw this, but maybe I am remembering wrong. I never fully explored the workings, knowledge-wise, as I just always called it DoS and left it at a high level.

I never thought about an individual switch explicitly having a built in feature that would turn off a host being able to connect. Is that what it means by DoS? That the switch turns off a port or has a feature that blocks that host or port?

Or does it just mean something more implicit, in that since traffic is not getting to the host, the effect is that of a denial of service?

I know once at our data center some server no longer had access to the internet, caused by a DoS attack. Was that device turned off or the port blocked, by an ISP, the data center, or a built-in feature of the switch? Or did they just mean that the traffic attack was so heavy that nothing got through, thus more of an implicit meaning that there was a denial of service?

Thanks for any feedback.

Hi Brian,

A DoS (Denial of Service) is basically any attack where you overwhelm a device so that it can no longer provide service. A DDoS (Distributed DoS) is usually when there are thousands or hundreds of thousands of devices attacking something on the Internet: (web) servers or infrastructure devices like routers/firewalls. DDoSes are a nightmare; ISPs will do their best to detect traffic patterns and block whatever they can.

Back to our switch…there are a number of attacks that could “prevent” the switch from doing its work. Let’s say we have a switch with three devices, a legitimate user (H1), a web server (S1) and an attacker (H2).

H1 and S1 are sending frames back and forth to each other. H2 isn’t doing anything. In the MAC address table of our switch, we’ll find the MAC addresses of H1 and S1. Now imagine that H2 sends dozens of bogus Ethernet frames with the MAC address of S1 as its source.

When the switch receives this frame, it will change its entry in the MAC address table, adding the interface that connects to H2 for the MAC address of S1. When H1 now sends a frame destined to S1, it ends up at H2 instead.

This isn’t a direct attack on S1 but it does prevent S1 from being reachable…preventing it from providing service to H1 :)

Here is an example btw:

By default, a switch won’t detect this but we can counter it with Dynamic ARP inspection.

Hope this helps!

Rene

Hi Rene,
Thanks for clarifying that for me!

Rene

If, for example, you want to prevent users from connecting an unmanaged switch to the network, you can enable BPDU Guard and it will put the port in an err-disabled state.

Hello Rennie

If the switch you connect is unmanaged and it does not support STP, BPDUs will not be sent to the port. So even if portfast and BPDUGuard are set up, it will not block the port. However, in this case you can configure port security and allow only one MAC address on the port so if a second device connects to the unmanaged switch it will not be permitted traffic.

I hope this has been helpful!

Laz

Hi Rene,

I am a bit confused. I thought the “aging” feature of Port-Security is to set the aging time for the mac-address which was learned on the specific interface and not the timer to automatically recover the interface from status “error-disable”.

In your article you activated the error disable recovery mode with the command “errdisable recovery cause psecure-violation” and the default recovery time should be 300 seconds and not 10 minutes.

Did I miss something or am I right?

Best Regards
Steven

Hi Steven,

You are absolutely right, I just fixed this in the article. You only need to enable errdisable recovery cause psecure-violation and after 300 seconds, it will recover the interface. You can speed this up with the errdisable recovery interval command.

The “aging” commands are about removing MAC addresses, not about recovering the interface itself.

Rene

Is it possible to configure port security on multiple ports at a time? Looking at the steps, it looks like it’s not possible because I have to get into the interface I’m configuring and then use the command. I’m just curious, and if it’s not possible, is there a reason it’s not allowed?

Also, am I missing a command that will show me more details on why the port went down, or am I supposed to use my troubleshooting knowledge to figure out the possible reasons why the port went down?

An example: I configured the switch to only allow a laptop's MAC address on fa0/1. I put a hub between the laptop and fa0/1 so I can plug a PC into the hub and test the port security. The port goes down but I only get (%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down).

I was hoping to get something else like, port down due to security violation or something.

Hello Rafael

It is possible to apply port security on multiple ports at the same time. Indeed it is possible to configure any feature on multiple ports at the same time. This is done using the “range” command. For example, you can configure fastethernet ports 0/1 to 0/10 by issuing the following command:

interface range fastethernet 0/1 - 10

The result will be the following prompt:

switch(config-if-range)#

All configurations you apply, including port security features, will be applied to all ports within the range. You can also choose specific ports rather than a range using:

interface range fastethernet 0/1, 5, 8

There are a multitude of commands that will allow you to discover the status of port security for specific ports and for a switch in general. More information about these can be found here:

I hope this has been helpful!

Laz

About the CAM table:
Thank you for this presentation.
In your video, with no port-security enabled, you indicate that a user can connect his switch, then several hosts, and then your switch learns all the host MACs in the CAM table. I feel that your switch also learns the MAC address of the user’s switch, but you do not indicate it: is it an oversight? Or can the user’s switch (arrange to) never send its own MAC to your switch?
So, if all the hosts are yours, as long as you do not type “show cdp neighbors” on your switch, you can’t see this “shadow switch” MAC address in the CAM table, for example?
Am I right?

(Default values)
You confirm that the default values are:

switchport port-security 1
switchport port-security violation shutdown

and so that a
no switchport port-security 5
returns its value to 1,

or
no switchport port-security restrict
reactivates the shutdown?
Thank you in advance.

Hello Roger Hugues,

The article specifically mentions a “cheap” switch; you can understand it as a “dumb switch”.

  • Dumb switches are unmanaged and do not support features like STP.
  • A dumb switch does not generate any traffic by itself, because it has no features to do so. Therefore the “smart” switch cannot learn the switchport MAC address of this dumb (“shadow”) switch. (Switches learn MAC addresses from the “Source MAC Address” field of Ethernet frames.)

That is right, default values are:

  • max 1 mac address
  • violation shutdown

You can check this by yourself.

Switch2(config)# interface g1/1
Switch2(config-if)# switchport port-security

These values are not shown in the running-config, because default values are never shown in the running-config.

Switch2(config-if)# do show run interface g1/1
Building configuration...

Current configuration : 121 bytes
!
interface GigabitEthernet1/1
 switchport mode access
 switchport port-security
 media-type rj45
 negotiation auto
end

But you can verify them by using “show port-security”:

Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Or be more specific:

Switch2(config-if)# do show port-security interface g1/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

The rest of your post is also correct. If you negate “switchport port-security maximum 5” and “switchport port-security violation restrict” with a “no” statement in front, it goes back to its defaults (1, shutdown).

Switch2(config-if)# switchport port-security maximum 5
Switch2(config-if)# switchport port-security violation restrict
Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              5            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Negate previous commands.

Switch2(config-if)# no switchport port-security maximum 5
Switch2(config-if)# no switchport port-security violation restrict
Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
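To make the two behaviours discussed in this thread concrete, here is an added Python model (not code from the thread, from networklessons.com or from Cisco) of a switch's MAC learning and of IOS-style port security. It covers Rene's H1/S1/H2 example above, where a forged source MAC moves S1's entry in the MAC table, Rafael's laptop-plus-hub test, and the defaults Michal just confirmed (maximum 1, violation shutdown). Port names, MAC addresses and frames are constructed sample data. One rule is an assumption taken from Cisco's documentation rather than from this page: a MAC that is already secured on one secure port and then shows up as a source on another secure port is treated as a violation, which is what stops the spoofed frame.

```python
from dataclasses import dataclass, field

# Constructed sample MAC addresses for the hosts in Rene's scenario
H1 = "0000.1111.1111"   # legitimate user
S1 = "0000.2222.2222"   # web server
H2 = "0000.3333.3333"   # attacker's own MAC (it forges S1's instead)


@dataclass
class PortSecurity:
    maximum: int = 1               # IOS default: one secure MAC per port
    violation: str = "shutdown"    # IOS default violation mode
    secure_macs: set = field(default_factory=set)
    violations: int = 0
    errdisabled: bool = False


@dataclass
class Switch:
    mac_table: dict = field(default_factory=dict)   # mac -> port, last source seen wins
    ports: dict = field(default_factory=dict)       # port -> PortSecurity (secured ports only)
    log: list = field(default_factory=list)

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.ports[port] = PortSecurity(maximum, violation)

    def receive(self, port, src_mac, dst_mac):
        """Process one frame. Returns the egress port, "flood" or "dropped"."""
        psec = self.ports.get(port)
        if psec is not None:
            if psec.errdisabled:
                return "dropped"
            if src_mac not in psec.secure_macs:
                # Assumption (modelled after Cisco's rules): a MAC secured on a
                # different secure port, or exceeding the maximum, is a violation.
                secured_elsewhere = any(
                    src_mac in p.secure_macs for name, p in self.ports.items() if name != port)
                if secured_elsewhere or len(psec.secure_macs) >= psec.maximum:
                    return self._violation(port, psec, src_mac)
                psec.secure_macs.add(src_mac)
        self.mac_table[src_mac] = port          # plain learning: the entry simply moves
        return self.mac_table.get(dst_mac, "flood")

    def _violation(self, port, psec, src_mac):
        # Message wording only approximates the IOS syslog text
        if psec.violation == "shutdown":
            psec.errdisabled = True
            psec.violations += 1
            self.log.append(f"{port}: psecure-violation from {src_mac}, port err-disabled")
        elif psec.violation == "restrict":
            psec.violations += 1
            self.log.append(f"{port}: security violation from {src_mac}, frame dropped")
        # "protect" drops silently: no counter, no log
        return "dropped"


def spoof_without_port_security():
    """Rene's example: H2 forges S1's source MAC and H1's traffic is misdirected."""
    sw = Switch()
    sw.receive("Gi1/1", H1, S1)            # H1 -> S1: learns H1 on Gi1/1, floods
    sw.receive("Gi1/2", S1, H1)            # S1 -> H1: learns S1 on Gi1/2
    before = sw.receive("Gi1/1", H1, S1)   # forwarded to Gi1/2
    sw.receive("Gi1/3", S1, H1)            # forged frame on H2's port moves S1's entry
    after = sw.receive("Gi1/1", H1, S1)    # now delivered to H2 on Gi1/3
    return before, after


def spoof_with_port_security():
    """Same frames with default port security (max 1, shutdown) on every port."""
    sw = Switch()
    for name in ("Gi1/1", "Gi1/2", "Gi1/3"):
        sw.enable_port_security(name)
    sw.receive("Gi1/1", H1, S1)
    sw.receive("Gi1/2", S1, H1)
    forged = sw.receive("Gi1/3", S1, H1)   # S1's MAC is secured on Gi1/2 -> violation
    later = sw.receive("Gi1/1", H1, S1)    # still reaches the real S1
    psec = sw.ports["Gi1/3"]
    return forged, later, psec.errdisabled, psec.violations


def second_device_on_hub(mode):
    """Rafael's test: a laptop and a PC behind a hub on a port allowing one MAC."""
    sw = Switch()
    sw.enable_port_security("Fa0/1", maximum=1, violation=mode)
    sw.receive("Fa0/1", H1, S1)            # the laptop becomes the secure MAC
    result = sw.receive("Fa0/1", H2, S1)   # the PC's frame is the violation
    psec = sw.ports["Fa0/1"]
    return result, psec.errdisabled, psec.violations


if __name__ == "__main__":
    print(spoof_without_port_security())       # ('Gi1/2', 'Gi1/3')
    print(spoof_with_port_security())          # ('dropped', 'Gi1/2', True, 1)
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, second_device_on_hub(mode))
```

Running `second_device_on_hub` with the three modes shows the trade-off behind Steven's and Rafael's questions: shutdown err-disables the port (and needs errdisable recovery or a manual shutdown/no shutdown), restrict keeps the port up but counts and logs the dropped frames, and protect drops them with no trace at all, which is why it is the hardest mode to troubleshoot.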

Hello Hugues

@fugazz has got it spot on, Thanks Michal.

Laz

Hello Lazaros,
your answer suits me


Hi,
I need some clarification on port security when an ip phone is connected in between a switch and host pc. It maybe a problem I am having with packet tracer and GNS3 but I am unable to get the switch to learn 2 MAC addresses on a port. It seems to identify one MAC address but not the other then declare a duplication of MAC addresses when I attempt to add a new MAC address.

I have tried adding a MAC address manually or using the sticky method. Neither seem to work fully with this example but works perfectly with a single device connected to a port.

Please note I do have a home lab but have no IP phone to complete a live test.

Adrian

Hello Adrian

The methodology for port security with IP phones is well documented and quite straightforward. Take a look at this Cisco documentation that specifies some guidelines that should be followed for implementations using IP phones and PCs connected to them.

I hope this has been helpful!

Laz


I have port security enabled on fa0/11 to accept 3 devices. The show port-security command shows 3, show mac address-table interface fa0/11 shows 3, but show interface fa0/11 only shows 2. 9c57.x.x.x is an IP phone, 3464.x.x.x is a desktop and 0800.x.x.x is a virtual machine that was added after increasing the limit from 2 to 3 to allow the VM to connect. Looking for the reason I don’t see the 0800.x.x.x in the running config. I assume it would also be a static entry since it was learned by port-security as a dynamic secure MAC address. Can you explain the “Total addresses in System (excluding one mac per port)”? Thanks.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

SW3#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/11              3            3                  0         Shutdown
     Fa0/18              1            1                  0         Shutdown
     Fa0/19              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144
SW3#

+++++++++++++++++++++++++++++++++++++++++++++++++++++

SW3#sh run int fa0/11
Building configuration...
 
 
Current configuration : 274 bytes
!
interface FastEthernet0/11
switchport mode access
switchport nonegotiate
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address 3464.a918.d8d0 vlan access
switchport port-security mac-address 9c57.ad3e.f384 vlan access
end

+++++++++++++++++++++++++++++++++++++++++++++++++++++

SW3#sh mac address-table interface fa0/11
          Mac Address Table
-------------------------------------------
 
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0800.27bd.9085    STATIC      Fa0/11
   1    3464.a918.d8d0    STATIC      Fa0/11
   1    9c57.ad3e.f384    STATIC      Fa0/11

Hello Donald

Port security has been enabled on Fa0/11, and two MAC addresses have been manually configured for that port security. Because you have a maximum of 3, two of these must match the configured MACs and the third (in your case the 0800.x.x address) can be anything. So at any time, on this port, only the two configured MACs plus one more can be seen. 0800.x.x will not appear in the configuration since it has not been manually configured.

With the configuration as you have it, the MAC of the VM will never appear in the configuration. In order for that to happen, you need this command:

switchport port-security mac-address sticky

The sticky keyword will cause the MAC of any connected device to be recorded and saved within the configuration. The two MAC addresses in the config were not put there by the “sticky” feature, but manually configured as I mentioned before. Otherwise, they would have had the following configuration:

switchport port-security mac-address sticky 3464.a918.d8d0 vlan access
switchport port-security mac-address sticky 9c57.ad3e.f384 vlan access

…which includes the “sticky” keyword.

So you have two choices. Either you manually configure the 0800.x.x MAC, or you add the switchport port-security mac-address sticky command which will automatically read and record the MAC of the VM.

Actually, strictly speaking it is a dynamic MAC address entry since it was not manually configured in the MAC address table. However, Cisco switches will record MAC addresses that appear on interfaces configured with port security as STATIC in the MAC address table, regardless of whether they were manually configured, configured using sticky, or not referenced at all in the interface config.

Finally, the statement “Total Addresses in System (excluding one mac per port)” shows the number of addresses that are being used in port security beyond the single MAC per port. So this number is the total number of MAC addresses in excess of one MAC per port. In your case, you have three ports with port security enabled; a single MAC address is being used on Fa0/18 and Fa0/19, so those don’t count, and the 3 MAC addresses on Fa0/11 minus the one gives you a total of 2.

I hope this has been helpful!

Laz
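Rafael asked earlier for a command that says why a port went down, and Laz has just explained how the “Total Addresses in System (excluding one mac per port)” figure is derived. As an added example (not code from the thread, from networklessons.com or from Cisco), the Python below parses the `show port-security` and `show port-security interface` output formats shown in this thread and answers both questions: it recomputes the system total per Laz's rule and checks it against the reported value, and it turns the interface detail into a plain statement of whether port security err-disabled the port. The SW3 table is copied from Donald's post above; the `Secure-shutdown` detail block is constructed sample output, including its MAC address.

```python
import re

# "show port-security" output from Donald's post above, embedded as sample input
SW3_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/11              3            3                  0         Shutdown
     Fa0/18              1            1                  0         Shutdown
     Fa0/19              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144
"""

# Constructed "show port-security interface" output for a port that port
# security has err-disabled; the last source MAC is a made-up value.
SHUTDOWN_DETAIL = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0200.0000.00aa:1
Security Violation Count   : 1
"""

# One per-port row: port, max, current, violations, action
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_port_security(text):
    """Return ({port: row}, reported_total) from 'show port-security' output."""
    rows, reported = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, maximum, current, violations, action = m.groups()
            rows[port] = {"max": int(maximum), "current": int(current),
                          "violations": int(violations), "action": action}
        elif line.startswith("Total Addresses in System"):
            reported = int(line.rsplit(":", 1)[1])
    return rows, reported


def total_excluding_one_per_port(rows):
    """Laz's rule: every secure MAC beyond the first one on each port counts."""
    return sum(max(row["current"] - 1, 0) for row in rows.values())


def check_system_total(text):
    """Recompute the system total and compare it with what the switch printed."""
    rows, reported = parse_port_security(text)
    computed = total_excluding_one_per_port(rows)
    return computed, reported, computed == reported


def parse_interface_detail(text):
    """Parse the 'key : value' lines of 'show port-security interface <port>'."""
    detail = {}
    for line in text.splitlines():
        if " : " in line:
            key, _, value = line.partition(" : ")
            detail[key.strip()] = value.strip()
    return detail


def explain_port_state(detail):
    """The message Rafael was hoping to see, derived from the detail output."""
    status = detail.get("Port Status", "")
    count = int(detail.get("Security Violation Count", "0"))
    if status == "Secure-shutdown":
        return (f"err-disabled by port security after {count} violation(s); "
                f"last source {detail.get('Last Source Address:Vlan', '?')}")
    if status == "Secure-up":
        return "up, no port-security shutdown"
    return f"status {status or 'unknown'}"


if __name__ == "__main__":
    print(check_system_total(SW3_OUTPUT))                         # (2, 2, True)
    print(explain_port_state(parse_interface_detail(SHUTDOWN_DETAIL)))
```

On a real switch the `%LINK-5-CHANGED ... administratively down` message Rafael saw is all the link layer reports; the port-security reason only appears in `show port-security interface`, in `show interfaces status err-disabled`, or in the `%PM-4-ERR_DISABLE` syslog line if logging was enabled, so a script like this one is a reasonable way to turn that output into an alert.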

I read your reply three times and now understand why the VM MAC did not show up as a static entry in the running config, and the meaning of the “Total addresses in system (excluding one mac per port)”. Great clear explanation! Thanks.