Port security adds an additional layer of security to a LAN: it secures the switch ports themselves. In this article we explain port security with examples and illustrate how a switch locks down a port based on MAC address to prevent unauthorized access. For the demonstration we use the Packet Tracer network simulator.
Port Security
Anyone can access unsecured network resources simply by plugging a host into one of the available switch ports. A user can also change physical location within the LAN without telling the administrator. With port security you can secure layer two access and keep users where they belong, so the port security feature enhances LAN security.
Create a simple topology as illustrated in the following figure.
Click PC0, click Desktop, click IP Configuration, select Static from the radio options, and assign the IP address 10.0.0.10 with subnet mask 255.0.0.0.
Follow the same process to assign IP address 10.0.0.20 and subnet mask 255.0.0.0 to PC1.
Click Server0, click Desktop, click IP Configuration, select Static from the radio options, and assign IP address 10.0.0.100 with subnet mask 255.0.0.0.
That is all the initial configuration we need to demonstrate port security.
How to configure port security
To configure port security we need the command prompt of the switch. Click Switch, click CLI and press the Enter key.
A port is secured from interface configuration mode. Use the enable command to move into Privileged Exec mode. From Privileged Exec mode use the configure terminal command to enter Global Configuration mode. From global configuration mode enter the specific interface.
The port security feature will not work on three types of ports:
1. Trunk ports
2. EtherChannel ports
3. Switch Port Analyzer (SPAN) ports
Port security works on host (access) ports, so before configuring it we need to set the port as a host port. This is done with the switchport mode access command. Trunk connections can also be secured with port security, but that is beyond the scope of this article; I will cover it in the CCNP section.
The following figure illustrates the available port security commands.
How to enable switchport port-security
Port security is disabled by default. The switchport port-security command enables it.
switchport port-security: limit the maximum number of hosts
Depending on our requirements we can limit the number of hosts that can be associated with an interface. The limit can be set anywhere from 1 to 132, so the maximum number of devices that can be associated with an interface is 132. By default it is set to 1. The switchport port-security maximum value command sets this limit.
switchport port-security mac-address
There are two ways to associate MAC addresses with an interface: static and dynamic.
In the static method we manually define each host's exact MAC address with the switchport port-security mac-address MAC_address command. This is the most secure method, but it requires a lot of manual work: every MAC address must be entered by hand, which is tedious.
In dynamic mode we use the sticky feature, which lets the interface learn MAC addresses automatically. The interface keeps learning addresses until it reaches the maximum number of allowed hosts.
switchport port-security violation
We need to specify what action the switch should take on a security violation. Three modes are available:
Protect: This mode only works with the sticky option. Frames from non-allowed addresses are dropped, and no log entry is made for dropped frames. The interface learns addresses until it reaches the maximum allowed number; frames from any additional addresses are dropped while the interface stays operational.
Restrict: Frames from non-allowed addresses are dropped, but in this mode the switch makes a log entry and generates a security violation alert.
Shutdown: The switch generates the violation alert and disables the port. The only way to re-enable the port is to manually enter the no shutdown command. This is the default violation mode.
Switchport port security example
Switchport port security explained
Command | Description
Switch>enable | Move into privileged exec mode
Switch#configure terminal | Move into global configuration mode
Switch(config)#interface fastethernet 0/1 | Move into interface mode
Switch(config-if)#switchport mode access | Assign the port as a host port
Switch(config-if)#switchport port-security | Enable the port security feature on this port
Switch(config-if)#switchport port-security maximum 1 | Set the limit for hosts that can be associated with the interface. The default value is 1; skip this command to use the default.
Switch(config-if)#switchport port-security violation shutdown | Set the security violation mode. The default mode is shutdown; skip this command to use the default.
Switch(config-if)#switchport port-security mac-address sticky | Enable the sticky feature.
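To tie the configuration above to the behaviour it produces, here is an added Python model (example code written for this article, not a Cisco tool and not part of the original post) of a secured port with a maximum address count, sticky learning and the three violation modes; the port name and MAC addresses in it are constructed values.

```python
# Added example, not code from the original article: a model of a switch port
# under the settings described above. MACs below are constructed sample values.

class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=True):
        self.name = name
        self.maximum = maximum        # switchport port-security maximum <n>
        self.violation = violation    # protect, restrict or shutdown
        self.sticky = sticky          # switchport port-security mac-address sticky
        self.secure_macs = []         # static entries plus sticky-learned entries
        self.err_disabled = False     # set once a shutdown-mode violation occurs
        self.violation_count = 0
        self.log = []                 # syslog-style messages the switch would emit

    def add_static(self, mac):
        """switchport port-security mac-address <MAC>"""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("maximum secure addresses already configured")
        self.secure_macs.append(mac.lower())

    def receive_frame(self, src_mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False              # port is down: nothing passes
        if mac in self.secure_macs:
            return True
        if self.sticky and len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)   # learned; kept in the running config
            return True
        # Unknown source and the address limit is reached: a violation.
        if self.violation == "protect":
            return False              # silently dropped: no counter, no log entry
        self.violation_count += 1
        self.log.append(f"PSECURE_VIOLATION on {self.name} from {mac}")
        if self.violation == "shutdown":
            self.err_disabled = True  # stays down until an admin re-enables it
        return False


def article_scenario():
    """PC0 is learned on F0/1, then PC1 is plugged into the same port."""
    port = SecurePort("FastEthernet0/1", maximum=1, violation="shutdown")
    pc0, pc1 = "0001.9663.4a3c", "0002.17aa.1b2e"   # constructed sample MACs
    first = port.receive_frame(pc0)   # ping from PC0: address learned (sticky)
    second = port.receive_frame(pc1)  # PC1 on the same port: violation, shut down
    third = port.receive_frame(pc0)   # even PC0 is cut off until no shutdown
    return first, second, third, port.err_disabled, port.secure_macs
```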
We have successfully secured port F0/1 of the switch using the interface's dynamic address learning feature. The switch will associate the first MAC address learned on F0/1 with this port. You can check the MAC address table for the currently associated address.
So far no MAC address is associated with port F0/1. The switch learns MAC addresses from incoming frames. See our following article to learn how a switch learns MAC addresses and builds its MAC address table.
We need to generate a frame from PC0 that will be received on port F0/1 of the switch. The ping command is used to test connectivity between two hosts; in our scenario we have connectivity between the server and the PC, so we can use this utility to generate frames from PC0.
To access the command prompt of PC0, click PC0, click the Desktop menu item and click Command Prompt.
Use the ping command to generate frames.
Now check the MAC address table on the switch again.
Switchport port security testing
Our topology has one additional PC. Assume this is the cracker's PC. To gain unauthorized access to the network, he unplugs the Ethernet cable from PC0 and plugs it into his own PC (PC1).
Click the red X button in the right-hand partition of the Packet Tracer window and place the X over the connection between the Switch and PC0. This removes the connection.
Click the lightning bolt button in the bottom left-hand corner and click Copper Straight-Through connection.
Click PC1 and select the FastEthernet port. Next click Switch and select the same F0/1 port.
From the command prompt of PC1 try to ping the server IP.
What happened this time? Why did the ping command get no response from the server? Because the switch detected the MAC address change and shut down the port.
Verify port security
We have three commands to verify port security:
show port-security
Displays port security information about all interfaces on the switch.
show port-security address
Displays the statically defined or dynamically learned addresses secured by port security.
show port-security interface interface
Displays port security information about the specified interface.
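As an added example that is not part of the original article, the following Python parses the key/value output of show port-security interface and reports ports that need attention; the sample output is constructed to mirror the state after the PC swap above, and the MAC address in it is a made-up value.

```python
# Added example, not from the original article: parse the output of
# "show port-security interface <if>" and flag ports needing attention.
# SAMPLE_OUTPUT is constructed to resemble the output after the PC-swap test;
# the MAC address in it is a made-up value.
import re

SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0002.17AA.1B2E:1
Security Violation Count   : 1
"""

# Key and value are separated by whitespace, a colon and whitespace, which keeps
# the colon inside "Last Source Address:Vlan" attached to the key.
LINE_RE = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.+?)\s*$")


def parse_port_security(text):
    """Turn the 'Key : Value' lines into a dict; numeric counters become ints."""
    info = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key, value = m.group("key"), m.group("value")
            info[key] = int(value) if value.isdigit() else value
    return info


def assess(info):
    """Return findings an operator should act on (empty list means healthy)."""
    findings = []
    if info.get("Port Security") != "Enabled":
        findings.append("port security is not enabled on this interface")
    status = info.get("Port Status")
    count = info.get("Security Violation Count", 0)
    if status == "Secure-shutdown":
        last = info.get("Last Source Address:Vlan", "unknown")
        findings.append(f"port err-disabled after a violation; last source {last}")
    elif count:
        findings.append(f"{count} violation(s) dropped in {info.get('Violation Mode')} mode")
    return findings
```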
How to reset an interface that is disabled due to a port security violation
When an interface is down due to a port security violation, we have two options to bring it back. The first is the following global configuration mode command:
Switch(config)# errdisable recovery cause psecure-violation
This command is neither included in the CCNA exam nor available in Packet Tracer.
The second option is to manually restart the interface. Unplug the cable from the unauthorized PC and plug it back into the authorized PC.
Run the following commands on the switch and test connectivity from the PC.