CCIE Security Blog

 

 

interface FastEthernet1/0/1
switchport voice vlan 100            !–VLAN 100 as the voice VLAN
switchport port-security              !–Configure SW1 to guard against MAC address flooding attacks
switchport port-security maximum 2                     !—max two MAC entries, one per vlan
switchport port-security maximum 1 vlan voice  !– for trunk ports, limit the number of MAC addresses learned simultaneously on a port to one per VLAN
switchport port-security maximum 1 vlan access
switchport port-security violation protect                  !–simply drop the traffic.
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security mac-address sticky !– Retain the MAC addresses learned on the port in the switch configuration.
switchport port-security violation restrict      !–drop offending packets and generate log records of the violation.
switchport port-security aging time 10           !– Age the learned secure entries after 10 minutes of inactivity
switchport port-security aging type inactivity

interface FastEthernet1/0/3
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan 133
switchport port-security maximum 1 vlan 143
switchport port-security violation shutdown vlan             !–apply the err-disabled state only to offending vlan
switchport port-security aging time 10
switchport port-security aging type inactivity

Global commands:

errdisable recovery cause psecure-violation
errdisable recovery interval 180               !– global config, automatic recovery after 3 minutes.

Port security is a layer 2 feature that enforces a limit on the number of MAC addresses allowed per port. The two main purposes are to prevent unauthorized connections (from unauthorized/unknown MAC addresses) on a port and to prevent MAC-address flooding attacks. A MAC address flooding attack consists of sending a barrage of packets with different source MAC addresses, forcing the switch to overpopulate its MAC address table. The latter may occur in cases when the switch starts behaving like a hub, flooding frames out all ports and all VLANs because the MAC address table overflows, exceeding the maximum number of MAC address that the switch can learn.

Port security works only on ports configured as static access or static trunk

On a port configured for port security, the switch keeps a table of secure MAC address entries.

#switchport port-security maximum-address <number> =  The total number of entries allowed on interface

On trunk ports, the above command specifies the maximum number of MAC addresses for all VLANs, the aggregate limit. Note that the switch treats the same MAC address on different VLANs as two different MAC addresses.

#switchport port-security maximum <number> vlan <vlan-number> = For trunk ports specify the maximum number of MAC addresses per VLAN

#switchport port-security maximum <number> vlan [access|voice] = impose restrictions on any of two vlans, If the port is an access-port configured with both data and voice VLANs.

When a switch has reached the maximum allowed number of MAC addresses on the port level or VLAN level, and a frame with a new source MAC address arrives on the port, the switch may take any of the following actions:

Shutdown: The port actually enters in an err-disabled state and all frames received on the port are discarded.

Shutdown VLAN: The VLAN enters in an err-disabled state but only for the port where the violation occurred, and all frames received on that port for the respective VLAN are discarded. In this case, a syslog message is also generated.

Protect: All frames are silently discarded on the VLAN where the violation occurred for the respective port. Protect mode is not recommended for trunk ports because as soon as any VLAN on a trunk reaches its MAC address limit, the port stops learning MAC addresses on any other VLAN. The worst thing about this mode is that the switch does not notify you with a logging message.

Restrict: All frames are discarded for the respective port, but a syslog message and SNMP trap are generated. You must additionally configure the SNMP hosts to send the actual traps.

The default port security violation action, unless otherwise configured, is shutdown. The switch does not allow the same MAC address to appear on more than one secure port at the same time. Thus, if a switch has learned a MAC address on a secure port, it will not allow the same address to appear on other layer 2 ports until the secure entry has expired. The switch ages out secure MAC address entries using a configurable timeout. You can set the timeout and its functional mode per port using following two commands:

switchport port-security aging timeout <timeout>

switchport port-security aging type {absolute|inactivity}

Absolute aging instructs the switch to age out each MAC address entry when the timeout period has elapsed, so it is unconditional.
Inactivity aging instructs the switch to age out each MAC address entry only if it has been inactive for an interval equal to the timeout period, so it is conditional.

If the port security feature has shutdown a port, the port can be restored to an operational state using the automatic error-disable recovery procedure, or manually by issuing a shutdown command followed by a no shutdown command on the port.

There are multiple possible reasons that can trigger a port to enter the err-disabled state, so we must specify both the cause for which the port entered in the err-disabled state, and the interval for keeping it in this state. The interval is a global value, which affects the switch behavior for all possible err-disabled causes:

errdisable recovery cause <cause>

errdisable recovery interval <seconds>

#errdisable recovery cause ?

all                      Enable timer to recover from all error causes
arp-inspection           Enable timer to recover from arp inspection error disable state
bpduguard                Enable timer to recover from BPDU Guard error
channel-misconfig (STP)  Enable timer to recover from channel misconfig error
dhcp-rate-limit          Enable timer to recover from dhcp-rate-limit error
dtp-flap                 Enable timer to recover from dtp-flap error
gbic-invalid             Enable timer to recover from invalid GBIC error
link-flap                Enable timer to recover from link-flap error
loopback                 Enable timer to recover from loopback error
mac-limit                Enable timer to recover from mac limit disable state
pagp-flap                Enable timer to recover from pagp-flap error
port-mode-failure        Enable timer to recover from port mode change failure
pppoe-ia-rate-limit      Enable timer to recover from PPPoE IA rate-limiterror
psecure-violation        Enable timer to recover from psecure violation error
security-violation       Enable timer to recover from 802.1x violation error
sfp-config-mismatch      Enable timer to recover from SFP config mismatch error
small-frame              Enable timer to recover from small frame error
storm-control            Enable timer to recover from storm-control error
udld                     Enable timer to recover from udld error
vmps                     Enable timer to recover from vmps shutdown error

#switchport port-security mac-address <mac-address> = configure static secure MAC address entries. The static entries also count against the maximum number of allowed MAC addresses on an interface.

#command switchport port-security aging static  = configure a port to age static secure MAC address entries. This may be useful when you need to set up guaranteed access for a specific MAC address for some amount of time.

# switchport port-security mac-address sticky  = port-security feature known as sticky learning. It allows you to transform dynamically learned MAC addresses into static secure MAC addresses. When a switch learns new MAC addresses on a port in sticky mode, it generates a configuration line for the corresponding MAC address as a secure static entry. This line appears in the running configuration, so you need to save it to make the static entry truly permanent; otherwise, if the switch reloads the command is lost. Intead of manual configuration saving, a kron policy or EEM script can be used to automatically save the configuration periodically or triggered by an event.

# switchport port-security  = enable security feature

 

 

#sh spanning-tree vl 13                              !–Determine which interfaces run STP in VLAN 13

VLAN0013

Spanning tree enabled protocol ieee

Root ID    Priority    32781

Address     b4a4.e354.4800
This bridge is the root
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Bridge ID  Priority    32781  (priority 32768 sys-id-ext 13)

Address     b4a4.e354.4800
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type

——————- —- — ——— ——– ——————————–

Fa0/10              Desg FWD 19        128.10   P2p                                   !– trunking port
Fa0/11              Desg FWD 19        128.11   P2p                                   !– trunking port
Fa0/38              Desg FWD 19        128.38   P2p Edge                         !– port assigned to vl 13
Fa0/40              Desg FWD 19        128.40   P2p Edge                         !– port assigned to vl 13
Gi0/1               Desg FWD 4         128.49   P2p                                      !– trunking port between two switches

 

SW1-p25#sh int status

Port      Name               Status       Vlan       Duplex  Speed Type

Fa0/1     ** R1 et0/0 **  notconnect   11           auto   auto 10/100BaseTX
Fa0/10    *ESX LAN 2 *    connected    trunk      a-full  a-100 10/100BaseTX
Fa0/11    *ESX LAN 1 *   connected    trunk      a-full  a-100 10/100BaseTX
Fa0/38    R3 f0/1            connected    13         a-full  a-100 10/100BaseTX
Fa0/40                       connected    13         a-full  a-100 10/100BaseTX
Gi0/1     ** Trunk DM-CoreSW connected    trunk      a-full a-1000 10/100/1000BaseTX

 

SW1-p25#sh run int f0/38

interface FastEthernet0/38
description R3 f0/1
switchport access vlan 13
switchport mode access
switchport nonegotiate               !– this shows in config that DTP is disabled on the port.
spanning-tree portfast

!– You disabled DTP on the switch port by switchport mode access command but to have it more visible you can put in port configuration one extra line: switchport nonegotiate. If the remote end still runs DTP, as is our case for trunk ports because DTP is enabled on SW2, you’ll see the dropped packets counter increasing, as each DTP message received inbound is dropped.

SW1-p25#sh dtp int f0/38

DTP information for FastEthernet0/38:

TOS/TAS/TNS:                              ACCESS/OFF/ACCESS

TOT/TAT/TNT:                              802.1Q/802.1Q/802.1Q

Neighbor address 1:                       00000000000
Neighbor address 2:                       000000000000
Hello timer expiration (sec/state):       never/STOPPED                 !– shows DTP is disabled on the switch
Access timer expiration (sec/state):      never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state):   never/STOPPED
FSM state:                                S1:OF
# times multi & trunk                     0
Enabled:                                  no
In STP:                                   no

 

Statistics

———-

0 packets received (0 good)

0 packets dropped

0 nonegotiate, 0 bad version, 0 domain mismatches,

0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other

0 packets output (0 good)

0 native, 0 software encap isl, 0 isl hardware native

0 output errors

0 trunk timeouts

0 link ups

14 link downs, last link down on Mon Dec 02 2013, 09:12:23

 

on trunk ports:

SW1-p25#sh dtp int f0/10

DTP information for FastEthernet0/10:

TOS/TAS/TNS:                              TRUNK/ON/TRUNK
TOT/TAT/TNT:                              802.1Q/802.1Q/802.1
Neighbor address 1:                       000000000000
Neighbor address 2:                       000000000000
Hello timer expiration (sec/state):       24/RUNNING
Access timer expiration (sec/state):      never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state):   never/STOPPED
FSM state:                                S6:TRUNK
# times multi & trunk                     0
Enabled:                                  yes
In STP:                                   no
Statistics

———-

0 packets received (0 good)

0 packets dropped

0 nonegotiate, 0 bad version, 0 domain mismatches,

0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other

51672 packets output (51672 good)

51672 native, 0 software encap isl, 0 isl hardware native

0 output errors

0 trunk timeouts

1 link ups, last link up on Fri Nov 15 2013, 10:19:26

0 link downs

 

SW1-p25#sh int f0/38 switchport                          !–A commonly used method to identify DTP state for interfaces is to view layer 2 port state information

Name: Fa0/38
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off    !!!
Access Mode VLAN: 13 (VLAN0013)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

SW1-p25#

 

##### Theory #####

DTP is the protocol that makes two switches negotiate the interconnecting links as trunk, as well as the trunking protocol (802.1q or ISL, with ISL having priority over 802.1q), without any required configurations. There are two possible DTP default port states:
     Dynamic Desirable (DTP Active):  the port actively sends DTP messages so it initiates trunk formation.
     Dynamic Auto (DTP Passive):  the port waits for DTP messages from the other end in order to respond and negotiate the trunk formation.

If you connect two switches that outside of the box have ports in Dynamic Auto mode, no trunk would be formed because there is no switch to initialize the DTP negotiation.
In common trunk port configurations, at a minimum you specify the trunking protocol and administratively set the port as trunk, with the following interface-level commands:

          switchport trunk encapsulation dot1q
switchport mode trunk

In common access port configuration, at a minimum you specify the VLAN membership and administratively set the port as access, with the following interface-level commands:

          switchport access vlan 13
switchport mode access

Ports administratively configured as trunks still have DTP enabled, whereas ports administratively configured as access have DTP disabled. Even if you configure a port as static trunk, you still want DTP enabled because the other end of the link might not yet be configured as static trunk, and you don’t want to break it. After you have configured a port as static access, you do not want it to be trunk, so there is no need to leave DTP enabled.

The inteface-level command to manually disable DTP is switchport nonegotiate.
You might want to use this command on access ports just to make it visible in the configuration, whereas on trunk ports it is mandatory to disable DTP.
The command that implicitly disables DTP on access ports is switchport mode access