By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized expansion of the network. Once MAC addresses are assigned to a secure port, the port does not forward frames whose source MAC addresses are outside the group of defined addresses. Port security can also be used to prevent MAC address flooding: enabling it limits MAC flooding attacks and locks down the port.
• Configure port security to define the number of MAC addresses allowed on a given port.
• It is a Cisco-proprietary feature on Catalyst switches (disabled by default).
• You can use port security with dynamically learned and static MAC addresses.
• Port security is configured on untrusted user ports.
• "Sticky learning" combines dynamically learned and statically configured addresses.
• Port security restricts a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.
• When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses.
• If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.
Port security can also mitigate spoofing attacks by limiting access through each switch port to a single MAC address. This prevents intruders from using multiple MAC addresses over a short time period, but it does not limit port access to a specific MAC address. The most restrictive port security implementation would specify the exact MAC address of the single device that is to gain access through each port. Implementing this level of security, however, requires considerable administrative overhead.
Port security has a sticky MAC address feature that can limit switch port access to a single, specific MAC address without the network administrator having to gather the MAC address of every legitimate device and manually associate it with a particular switch port.
When sticky MAC addresses are used, the switch port converts dynamically learned MAC addresses to sticky MAC addresses and adds them to the running configuration as if they were static entries for a single MAC address allowed by port security. Sticky secure MAC addresses are added to the running configuration but do not become part of the startup configuration file unless the running configuration is copied to the startup configuration after the addresses have been learned. If they are saved in the startup configuration, they do not have to be relearned after a switch reboot, which provides a higher level of network security.
Port security also sends an SNMP trap to alert on any violation. Frames from already-secured MAC addresses are forwarded as long as they stay within the maximum number of MAC addresses enabled on that port; once the limit is reached, any frame with a new source MAC address is dropped.
The switch supports these types of secure source MAC addresses:
• Sticky secure MAC addresses: these can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically reconfigure them when the switch restarts, and they are treated as static secure MAC addresses.
Configuring Port Security
To enable port security on the interface (learning dynamic secure MAC addresses; disabled by default):
Switch(config-if)# switchport port-security
Specify the maximum number of MAC addresses allowed (default is 1):
Switch(config-if)# switchport port-security maximum number (range: 1 to 132)
For example, if the maximum number of hosts allowed is 5, an attacker cannot flood the switch with many source MAC addresses through that port, which prevents MAC flooding attacks.
Note: If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected.
Specify the violation action taken when the defined requirements are not met or are exceeded:
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
• Shutdown (default action) puts the interface in the err-disabled state and sends an SNMP trap; manual intervention (shutdown and no shutdown) or errdisable recovery must be used to make the interface usable again.
• Restrict drops the violator's frames, creates a syslog message, sends an SNMP trap and increments the violation counter.
• Protect quietly drops frames from MAC addresses that are not specified or not allowed, but there is no log of the violation (not recommended).
Note: in restrict and protect modes the port is allowed to stay up, but all packets from violating MAC addresses are dropped.
Switch(config-if)# switchport port-security violation shutdown vlan
In this mode, only the VLAN on which the violation occurred is error-disabled.
Tip: If an interface is undergoing the restrict or protect condition, you might need to clear the learned MAC addresses so that a specific host can use the switch port.
To dynamically bring all secure ports out of the error-disabled state:
Switch(config)# errdisable recovery cause psecure-violation
To clear all dynamically learned secure addresses:
Switch(config)# clear port-security dynamic [address mac-addr | interface type mod/num]
Static Secure MAC Addresses
Statically assign MAC addresses (optional, by entering a 48-bit MAC address):
Switch(config-if)# switchport port-security mac-address MAC-address
Additional secure MAC addresses can be added up to the maximum value. The MAC address is given in dotted-triplet format. If the number of static addresses configured is less than the maximum number of addresses secured on a port, the remaining addresses are learned dynamically.
Example:
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Here 0000.0000.0003 is a static secure MAC address.
Port Aging
• Port security aging can be used to set the aging time for static and dynamic secure addresses on a port.
• Two types of aging are supported per port:
– absolute: the secure addresses on the port are deleted after the specified aging time.
– inactivity: the secure addresses on the port are deleted only if they are inactive for the specified aging time.
Switch(config-if)# switchport port-security aging {static | time minutes | type {absolute | inactivity}}
static: enable aging for statically configured secure addresses on this port.
time:
• Specify the aging time for this port.
• The range is 0 to 1440 minutes.
• If the time is 0, aging is disabled for this port.
type absolute:
• Set the absolute aging type.
• All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity:
• Set the inactivity aging type.
• The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Set the aging time for each assigned MAC:
Switch(config-if)# switchport port-security aging time minutes
* minutes: 0 to 1440. Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses; all the secure addresses on this port age out exactly after the time specified and are removed from the secure address list, while the number of secure addresses on the port is still limited.
If the aging time is set to 0 (default), aging is disabled. By default, no aging occurs.
Enable aging for the statically configured secure addresses on the port:
Switch(config-if)# switchport port-security aging static
This configuration tells the switch to also age out statically configured secure MAC addresses.
Sticky secure addresses
Allow the switch to dynamically learn, and retain, up to the maximum number of MAC addresses (optional):
Switch(config-if)# switchport port-security mac-address sticky
After enabling it, the currently connected MAC address(es) will appear in the running configuration as:
switchport port-security mac-address sticky sticky-mac-address (static sticky MAC configuration)
Note: Sticky MAC addresses can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. Although sticky secure addresses can be manually configured, it is not recommended: "This configuration isn't necessary".
When enabling port security with sticky MAC addresses, note the following information:
• When you enter the switchport port-security mac-address sticky command:
– All dynamically learned secure MAC addresses on the port are converted to sticky secure MAC addresses.
– Static secure MAC addresses are not converted to sticky MAC addresses.
– Secure MAC addresses dynamically learned in a voice VLAN may or may not be converted to sticky MAC addresses, depending on the IOS platform.
– New dynamically learned secure MAC addresses are sticky.
• When you enter the no switchport port-security mac-address sticky command, all sticky secure MAC addresses on the port are converted to dynamic secure MAC addresses.
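As an added example (not from the original post) of how a defender can check the guidance above across many ports at once, the following Python snippet parses interface stanzas from a saved running-config and flags access ports that have port security disabled, use the protect violation mode, exceed a policy maximum, or lack sticky learning. The config text and the policy threshold (max_allowed) are constructed for the example, not taken from a real switch.

```python
import re
# Constructed sample running-config excerpt (not taken from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport mode access
"""

def parse_interfaces(config):
    stanzas, current = {}, None  # {interface name: [stanza lines]}
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
    return stanzas

def audit_port_security(config, max_allowed=5):
    # {access port: [findings]}; max_allowed is an assumed local policy limit.
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunk ports are governed by the per-VLAN rules instead
        issues = []
        if "switchport port-security" not in lines:
            issues.append("port security disabled (IOS default) on an access port")
        else:
            if "switchport port-security violation protect" in lines:
                issues.append("violation 'protect': silent drop, no syslog or SNMP trap")
            maxes = re.findall(r"switchport port-security maximum (\d+)", "\n".join(lines))
            maximum = int(maxes[-1]) if maxes else 1  # IOS default maximum is 1
            if maximum > max_allowed:
                issues.append(f"maximum {maximum} exceeds policy limit of {max_allowed}")
            if "switchport port-security mac-address sticky" not in lines:
                issues.append("no sticky learning: secure MACs must be relearned after reload")
        report[name] = issues
    return report
```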
Port Security on trunk interfaces
Port security can only be configured on static access ports (switchport mode access) or static trunk ports (DTP disabled: switchport mode trunk and switchport nonegotiate). A secure port cannot be a dynamic access port.
On a trunk port only, specify the VLAN ID together with the MAC address:
Switch(config-if)# switchport port-security mac-address a.b.c vlan vlan-id (vlan-id: 1 to 4094)
If no VLAN ID is specified, the native VLAN is used.
For trunk ports, you can set the maximum number of secure MAC addresses per VLAN:
Switch(config-if)# switchport port-security maximum value vlan {vlan-id | vlan-list}
• vlan vlan-id: set a per-VLAN maximum value.
• vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas.
If the vlan keyword is not entered, the default value is used.
Port Security on interfaces that use voice VLANs
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# switchport voice vlan 3
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address a.b.c vlan voice
Switch(config-if)# switchport port-security mac-address d.e.f vlan access
Switch(config-if)# switchport port-security maximum 2 vlan access
Switch(config-if)# switchport port-security maximum 1 vlan voice
Note: The voice keyword is available only if a voice VLAN is configured on the port and that port is not the access VLAN.
MAC Address Notification
The MAC Address Notification feature sends SNMP traps to the network management station (NMS) whenever a new MAC address is added to or an old address is deleted from the forwarding tables.
switch(config)#mac address-table notification ?
  change  Enable/Disable MAC Notification feature on the switch
switch(config)#mac address-table notification change ?
  history-size  Number of MAC notifications to be stored
  interval      Interval between the MAC notifications
  <cr>
Verifying Port Security
To display a summary of the port-security status:
Switch# show port-security
To verify the port security settings of a specific interface:
Switch# show port-security interface interface-id
To display MAC address table security information:
Switch# show port-security address
The "Remaining age" column is populated only when aging has been specifically configured for a given interface.
To see a quick summary of only the ports in the errdisable state, along with the reason for the errdisable:
Switch# show interfaces status err-disabled
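As an added example, not part of the original post, the following Python code parses the summary table printed by show port-security (a constructed sample whose layout follows IOS but whose counts are invented) and turns it into the follow-up checks described above: which ports have recorded violations, which are likely err-disabled, and which run in protect mode and therefore produce no log or trap.

```python
import re

# Constructed sample 'show port-security' output; layout follows IOS, values invented.
SAMPLE_SHOW = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict
      Fa0/2              1            1                  7         Shutdown
      Fa0/3              1            0                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One table row: port, max, current, violation count, configured action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")

def parse_port_security(text):
    table = {}  # {port: {"max", "current", "violations", "action"}}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, mx, cur, vio, action = m.groups()
            table[port] = {"max": int(mx), "current": int(cur),
                           "violations": int(vio), "action": action}
    return table

def triage(text):
    # Return {port: [follow-up notes]} for ports worth a look; clean ports are omitted.
    notes = {}
    for port, row in parse_port_security(text).items():
        items = []
        if row["violations"] > 0:
            items.append(f"{row['violations']} violations: run 'show port-security interface {port}'")
            if row["action"] == "Shutdown":
                items.append("shutdown action: confirm with 'show interfaces status err-disabled'")
        if row["action"] == "Protect":
            items.append("protect mode: violations would be dropped with no syslog or SNMP trap")
        if row["current"] >= row["max"]:
            items.append("secure address table is full; a new source MAC would be a violation")
        if items:
            notes[port] = items
    return notes
```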