It’s been a while since I wrote the last post. Yeah, I know I promised, but there has been a lot going on, college and so on. Well, this time I am going to show how to secure our LAN from unauthorized access. Using a Cisco Catalyst switch we can restrict which hosts may access the network based on their MAC address; the port-security feature of Cisco IOS does this job very well. Assume we will implement port-security on switch port FastEthernet 0/1. First let me show how it looks at the start; using the show port-security interface command we can see the default settings:
Leo#show port-security interface fastEthernet 0/1
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Ok, as we see, Port Security is not enabled, but notice the Maximum MAC Addresses line, which defaults to 1. It means that if we enable port-security, only one MAC address is allowed to use this port, and the first one the switch learns will be the one allowed to transmit data on the network. Next we configure port-security and allow only the first MAC address connected to this port:
Leo(config)#interface fastEthernet 0/1
Leo(config-if)#switchport port-security
Leo(config-if)#switchport port-security mac-address sticky
Of course we can change the maximum allowed number, but for security reasons and as best practice it is better to leave it at ‘1’. The next step is to configure the violation mode, which tells the switch what to do when we get in trouble (for example, someone is trying to connect to this port). There are three options. The first is ‘protect’, which lets the port pass frames (data) only from the allowed MAC address we talked about above; frames from any other MAC address on this port are silently dropped. The second is ‘restrict’, which is the same as protect but has an advantage over it: it also generates a syslog message and increments the violation counter by one. The last is ‘shutdown’, which does what its name says: it shuts down the interface (error-disabled state) when an unknown MAC address tries to connect on this port, so the port stays down until it is re-enabled. Below is an example where I tried to connect a second PC to a secured port; I used the shutdown violation option in this case, and you can also see that the security violation count has increased to ‘1’.
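To make the difference between the three violation modes concrete, here is a small Python model I added (it is not code from the original post and does not talk to a switch). It replays the same sequence of frames against a secured port configured with each mode: the first PC talks, a second PC is plugged into the same port, then the first PC tries again. The MAC addresses, the port name and the syslog text are constructed approximations for illustration; the behaviour modelled is the one described in the paragraph above (sticky learning, maximum of one address, protect/restrict/shutdown).

```python
"""Model of Cisco IOS port-security violation handling (added example)."""
from dataclasses import dataclass, field

PC1 = "00D0.5883.3668"   # constructed: the first (authorised) PC
PC2 = "0011.2233.4455"   # constructed: a second PC plugged into the same port


@dataclass
class SecurePort:
    """Port state mirroring the fields of 'show port-security interface'."""
    violation_mode: str = "shutdown"           # protect | restrict | shutdown
    maximum: int = 1                           # Maximum MAC Addresses
    sticky: set = field(default_factory=set)   # learned sticky addresses
    status: str = "Secure-up"                  # Port Status
    violation_count: int = 0                   # Security Violation Count
    syslog: list = field(default_factory=list)
    log: list = field(default_factory=list)    # per-frame outcomes

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame and return what the port did with it."""
        src_mac = src_mac.upper()
        if self.status == "Secure-shutdown":
            # An error-disabled port forwards nothing until it is re-enabled.
            return "dropped (port err-disabled)"
        if src_mac in self.sticky:
            return "forwarded"
        if len(self.sticky) < self.maximum:
            # Sticky learning: the first unknown source becomes a secure address.
            self.sticky.add(src_mac)
            return "forwarded (learned sticky)"
        # Any further source address on this port is a security violation.
        if self.violation_mode == "protect":
            return "dropped"                   # silent: no counter, no syslog
        self.violation_count += 1
        self.syslog.append(                    # approximation of the IOS message
            "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port FastEthernet0/1.")
        if self.violation_mode == "restrict":
            return "dropped"                   # port stays up, counter incremented
        self.status = "Secure-shutdown"        # shutdown: port goes error-disabled
        return "dropped (port shut down)"


def run_scenario(mode: str) -> SecurePort:
    """Replay PC1, PC1, PC2, PC1 against a port in the given violation mode."""
    port = SecurePort(violation_mode=mode)
    port.log = [port.receive(mac) for mac in (PC1, PC1, PC2, PC1)]
    return port


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        p = run_scenario(mode)
        print(f"{mode:9s} status={p.status:16s} "
              f"violations={p.violation_count} frames={p.log}")
```

Running it shows the trade-off the post describes: protect and restrict both keep the authorised PC working after the intruder frame, but only restrict leaves evidence (counter and syslog); shutdown leaves evidence too, at the cost of taking the legitimate PC offline with the intruder.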
Leo#show port-security interface fastEthernet 0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 00D0.5883.3668:1
Security Violation Count : 1
The MAC address in this case, 00D0.5883.3668, is from the first PC; it was learned dynamically (sticky) by the switch, as I mentioned above.
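Reading these show outputs by hand is fine for one port, but a defender usually wants to check many. The following Python script is an added example (not from the original post): it parses the text of show port-security interface into a dictionary and audits it against the points made above (port-security enabled, maximum of one address, a violation mode that leaves evidence, no recorded violations, port not error-disabled). The two outputs shown in this post are embedded as sample input; the audit thresholds are my own choices following the post's recommendations.

```python
"""Parse and audit 'show port-security interface' output (added example)."""

# Sample input: the two outputs shown in the post, embedded as constructed text.
BEFORE = """\
Leo#show port-security interface fastEthernet 0/1
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
"""

AFTER = """\
Leo#show port-security interface fastEthernet 0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 00D0.5883.3668:1
Security Violation Count : 1
"""


def parse_port_security(text: str) -> dict:
    """Turn 'Key : Value' lines into a dict; integer values become ints.

    Splitting on ' : ' (colon with spaces) keeps the colon inside the key
    'Last Source Address:Vlan' and inside the 'mac:vlan' value intact, and
    skips the command prompt line, which has no such separator.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" : ")
        if not sep:
            continue
        value = value.strip()
        fields[key.strip()] = int(value) if value.isdigit() else value
    return fields


def audit(fields: dict) -> list:
    """Return findings a defender would act on, in the order they are checked."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security is not enabled on this interface")
    if fields.get("Maximum MAC Addresses", 0) > 1:
        findings.append("more than one secure MAC address is allowed")
    if str(fields.get("Violation Mode", "")).lower() == "protect":
        findings.append("protect mode drops silently: no syslog, no counter")
    count = fields.get("Security Violation Count", 0)
    if count > 0:
        mac, _, vlan = str(fields.get("Last Source Address:Vlan", "")).partition(":")
        findings.append(f"{count} violation(s) recorded; last source address "
                        f"{mac} on VLAN {vlan}")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is error-disabled after a violation; needs re-enabling")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(parse_port_security(text)))
```

The same parser works on any interface's output, so looping it over show port-security interface for every access port gives a quick inventory of unsecured ports and ports that have already recorded violations.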