CCIE Security Blog

 

 

interface FastEthernet1/0/1
switchport voice vlan 100            !–VLAN 100 as the voice VLAN
switchport port-security              !–Configure SW1 to guard against MAC address flooding attacks
switchport port-security maximum 2                     !—max two MAC entries, one per vlan
switchport port-security maximum 1 vlan voice  !– for trunk ports, limit the number of MAC addresses learned simultaneously on a port to one per VLAN
switchport port-security maximum 1 vlan access
switchport port-security violation protect                  !–simply drop the traffic.
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security mac-address sticky !– Retain the MAC addresses learned on the port in the switch configuration.
switchport port-security violation restrict      !–drop offending packets and generate log records of the violation.
switchport port-security aging time 10           !– Age the learned secure entries after 10 minutes of inactivity
switchport port-security aging type inactivity

interface FastEthernet1/0/3
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan 133
switchport port-security maximum 1 vlan 143
switchport port-security violation shutdown vlan             !–apply the err-disabled state only to offending vlan
switchport port-security aging time 10
switchport port-security aging type inactivity

Global commands:

errdisable recovery cause psecure-violation
errdisable recovery interval 180               !– global config, automatic recovery after 3 minutes.

Port security is a layer 2 feature that enforces a limit on the number of MAC addresses allowed per port. The two main purposes are to prevent unauthorized connections (from unauthorized/unknown MAC addresses) on a port and to prevent MAC-address flooding attacks. A MAC address flooding attack consists of sending a barrage of packets with different source MAC addresses, forcing the switch to overpopulate its MAC address table. The latter may occur in cases when the switch starts behaving like a hub, flooding frames out all ports and all VLANs because the MAC address table overflows, exceeding the maximum number of MAC address that the switch can learn.

Port security works only on ports configured as static access or static trunk

On a port configured for port security, the switch keeps a table of secure MAC address entries.

#switchport port-security maximum-address <number> =  The total number of entries allowed on interface

On trunk ports, the above command specifies the maximum number of MAC addresses for all VLANs, the aggregate limit. Note that the switch treats the same MAC address on different VLANs as two different MAC addresses.

#switchport port-security maximum <number> vlan <vlan-number> = For trunk ports specify the maximum number of MAC addresses per VLAN

#switchport port-security maximum <number> vlan [access|voice] = impose restrictions on any of two vlans, If the port is an access-port configured with both data and voice VLANs.

When a switch has reached the maximum allowed number of MAC addresses on the port level or VLAN level, and a frame with a new source MAC address arrives on the port, the switch may take any of the following actions:

Shutdown: The port actually enters in an err-disabled state and all frames received on the port are discarded.

Shutdown VLAN: The VLAN enters in an err-disabled state but only for the port where the violation occurred, and all frames received on that port for the respective VLAN are discarded. In this case, a syslog message is also generated.

Protect: All frames are silently discarded on the VLAN where the violation occurred for the respective port. Protect mode is not recommended for trunk ports because as soon as any VLAN on a trunk reaches its MAC address limit, the port stops learning MAC addresses on any other VLAN. The worst thing about this mode is that the switch does not notify you with a logging message.

Restrict: All frames are discarded for the respective port, but a syslog message and SNMP trap are generated. You must additionally configure the SNMP hosts to send the actual traps.

The default port security violation action, unless otherwise configured, is shutdown. The switch does not allow the same MAC address to appear on more than one secure port at the same time. Thus, if a switch has learned a MAC address on a secure port, it will not allow the same address to appear on other layer 2 ports until the secure entry has expired. The switch ages out secure MAC address entries using a configurable timeout. You can set the timeout and its functional mode per port using following two commands:

switchport port-security aging timeout <timeout>

switchport port-security aging type {absolute|inactivity}

Absolute aging instructs the switch to age out each MAC address entry when the timeout period has elapsed, so it is unconditional.
Inactivity aging instructs the switch to age out each MAC address entry only if it has been inactive for an interval equal to the timeout period, so it is conditional.

If the port security feature has shutdown a port, the port can be restored to an operational state using the automatic error-disable recovery procedure, or manually by issuing a shutdown command followed by a no shutdown command on the port.

There are multiple possible reasons that can trigger a port to enter the err-disabled state, so we must specify both the cause for which the port entered in the err-disabled state, and the interval for keeping it in this state. The interval is a global value, which affects the switch behavior for all possible err-disabled causes:

errdisable recovery cause <cause>

errdisable recovery interval <seconds>

#errdisable recovery cause ?

all                      Enable timer to recover from all error causes
arp-inspection           Enable timer to recover from arp inspection error disable state
bpduguard                Enable timer to recover from BPDU Guard error
channel-misconfig (STP)  Enable timer to recover from channel misconfig error
dhcp-rate-limit          Enable timer to recover from dhcp-rate-limit error
dtp-flap                 Enable timer to recover from dtp-flap error
gbic-invalid             Enable timer to recover from invalid GBIC error
link-flap                Enable timer to recover from link-flap error
loopback                 Enable timer to recover from loopback error
mac-limit                Enable timer to recover from mac limit disable state
pagp-flap                Enable timer to recover from pagp-flap error
port-mode-failure        Enable timer to recover from port mode change failure
pppoe-ia-rate-limit      Enable timer to recover from PPPoE IA rate-limiterror
psecure-violation        Enable timer to recover from psecure violation error
security-violation       Enable timer to recover from 802.1x violation error
sfp-config-mismatch      Enable timer to recover from SFP config mismatch error
small-frame              Enable timer to recover from small frame error
storm-control            Enable timer to recover from storm-control error
udld                     Enable timer to recover from udld error
vmps                     Enable timer to recover from vmps shutdown error

#switchport port-security mac-address <mac-address> = configure static secure MAC address entries. The static entries also count against the maximum number of allowed MAC addresses on an interface.

#command switchport port-security aging static  = configure a port to age static secure MAC address entries. This may be useful when you need to set up guaranteed access for a specific MAC address for some amount of time.

# switchport port-security mac-address sticky  = port-security feature known as sticky learning. It allows you to transform dynamically learned MAC addresses into static secure MAC addresses. When a switch learns new MAC addresses on a port in sticky mode, it generates a configuration line for the corresponding MAC address as a secure static entry. This line appears in the running configuration, so you need to save it to make the static entry truly permanent; otherwise, if the switch reloads the command is lost. Intead of manual configuration saving, a kron policy or EEM script can be used to automatically save the configuration periodically or triggered by an event.

# switchport port-security  = enable security feature