Port Security
Today, when I was trying to connect my external switch to the internal network switch, the port to which it (the switch) was connected went down. This happened continuously, and when I troubleshot the issue, I found that the Port Security feature is enabled on my Layer 2 Cisco Catalyst switch.
This is a weird but amazing feature I found in the Cisco switches, which prevents the network from being extended illegally by dumb network devices.
The Port Security feature lets an administrator configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter users from adding "dumb" (unmanaged) switches to extend the reach of the network without authorization (e.g. so that two or three users can share a single access port). Unmanaged devices complicate troubleshooting by administrators and are best avoided. Note that the control is based solely on source MAC addresses, which an attacker can clone; it guards against casual or accidental extension of the LAN and is not an authentication mechanism.
How to enable the Port Security feature on Cisco switches
It is amazing that only one command can enable the port security feature:
Switch(config)# interface f0/13
Switch(config-if)# switchport port-security
(If the port is still in the default dynamic trunking mode, switchport mode access must be configured first; otherwise the port-security command is rejected as a dynamic port.) We can view the default port security configuration with the show port-security interface command:
Switch# show port-security interface f0/13
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
As you can see, there are a number of attributes which can be adjusted: the maximum number of secure addresses, the violation mode, address aging, and sticky learning. With the defaults shown, the secure address is learned dynamically, stored only in the address table, and lost on a reload (sticky learning, if enabled, writes it into the running configuration instead). When a host connects to the switch port, the port learns the host's MAC address from the first frame it receives:
Switch# show port-security interface f0/13
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001b.d41b.a4d8:10
Security Violation Count : 0
Now, we disconnect the host from the port, connect a small switch or hub, and reconnect the original host plus a second, unauthorized host so that they both attempt to share the access port. Observe what happens as soon as the second host attempts to send traffic:
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c on port FastEthernet0/13.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
Inspecting the status of port security on the port again, we can see that the new MAC address triggered a violation:
Switch# show port-security interface f0/13
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0021.55c8.f13c:10
Security Violation Count : 1
Switch# show interfaces f0/13
FastEthernet0/13 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is 0013.c412.0f0d (bia 0013.c412.0f0d)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
...
By default, a port security violation forces the interface into the error-disabled state. An administrator must re-enable the port manually by issuing the shutdown interface command followed by no shutdown. This must be done after the offending host has been removed, or the violation will be triggered again as soon as the second host sends another frame. Alternatively, errdisable recovery can be enabled for the psecure-violation cause so the switch re-enables the port itself after a timer, or the violation mode can be changed to restrict (drop offending frames, log them and increment the violation counter) or protect (drop silently) so that the port stays up for the legitimate host.
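As an added example (not from the original post), the following IOS configuration sets the attributes seen in the show port-security output above deliberately instead of leaving them at their defaults, and shows how a shutdown-mode violation can be recovered without a manual shut/no shut. The interface numbers, VLAN 10, the two-host port and the timer values are assumptions for illustration.

```cisco
! Added example, not from the original post. Interface numbers, VLAN 10
! and timer values are illustrative assumptions.
configure terminal
!
! Global: let the switch recover err-disabled ports itself after 5 minutes,
! so a violation in shutdown mode does not need a manual shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Profile A: single fixed workstation. Learn the first MAC, keep it in the
! running config (sticky), shut the port on any other source MAC.
interface FastEthernet0/13
 description user access - one host only
 ! required: switchport port-security is rejected on a dynamic (trunk-negotiating) port
 switchport mode access
 switchport access vlan 10
 ! enable with defaults (maximum 1, violation shutdown), then state them explicitly
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! sticky: the learned MAC is written into the running configuration and
 ! survives link flaps; save with write memory to survive a reload
 switchport port-security mac-address sticky
 ! complementary control: a real switch that sends BPDUs also err-disables the port
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Profile B: port expected to carry two hosts. Frames from a third MAC are
! dropped and logged but the port stays up, and idle addresses age out after
! 2 minutes so a replaced device is accepted without administrator action.
interface FastEthernet0/14
 description user access - two hosts, restrict
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ! restrict: drop + syslog + violation counter, port remains up
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
end
!
! Verification
show port-security
show port-security address
show port-security interface FastEthernet0/14
show errdisable recovery
```

show port-security gives the per-port summary (maximum, current count, violation count and action); show port-security address lists every secure MAC with its type (SecureDynamic, SecureSticky or SecureConfigured); show errdisable recovery confirms that psecure-violation is among the causes being auto-recovered. Because all of this keys on source MAC addresses, a user who clones an allowed MAC onto a rogue switch's uplink is not stopped; where real authentication of the attached device is needed, port security should be paired with 802.1X rather than relied on alone.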
Port Security Feature in Juniper Switches:
Although I have not seen a single command that enables port security on Juniper switches, they are equally capable of securing a port. We can configure DHCP snooping, dynamic ARP inspection (DAI), MAC limiting, persistent MAC learning, and MAC move limiting on the access ports of switches to protect the switches and the Ethernet LAN against address spoofing and Layer 2 denial-of-service (DoS) attacks. You can also configure a trusted DHCP server and specific (allowed) MAC addresses for the switch interfaces.
CLI Quick Configuration
To quickly configure basic port security on the switch, copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 4
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
set interface ge-0/0/2 mac-limit 4
set interface ge-0/0/1 persistent-learning
set interface ge-0/0/8 dhcp-trusted
set vlan employee-vlan arp-inspection
set vlan employee-vlan examine-dhcp
set vlan employee-vlan mac-move-limit 5
Step-by-Step Procedure
Configure basic port security on the switch:
- Enable DHCP snooping on the VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan examine-dhcp
- Specify the interface (port) from which DHCP responses are allowed:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted
- Enable dynamic ARP inspection (DAI) on the VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection
- Configure a MAC limit of 4 and use the default action, drop. (Packets are dropped, and the MAC address is not added to the Ethernet switching table, if the MAC limit is exceeded on the interfaces):
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 4
user@switch# set interface ge-0/0/2 mac-limit 4
- Allow learned MAC addresses for a particular interface to persist across restarts of the switch and interface-down events by enabling persistent MAC learning:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 persistent-learning
- Configure a MAC move limit of 5 and use the default action, drop. (Packets are dropped, and the MAC address is not added to the Ethernet switching table, if a MAC address has exceeded the MAC move limit):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan mac-move-limit 5
- Configure allowed MAC addresses:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
Results
Check the results of the configuration:
[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/1.0 {
    mac-limit 4;
    persistent-learning;
}
interface ge-0/0/2.0 {
    allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85:3a:82:85 00:05:85:3a:82:88 ];
    mac-limit 4;
}
interface ge-0/0/8.0 {
    dhcp-trusted;
}
vlan employee-vlan {
    arp-inspection;
    examine-dhcp;
    mac-move-limit 5;
}