Accessing the Internet is almost taken for granted today by most workers. They get very comfortable simply opening the lid to their laptop, turning on the wireless or connecting a cable and having access. For many of our clients, this notion of "open access" has been a continual challenge. On the one hand, visiting sales reps, partners, or instructors should have access to the internet from the corporate back bone. On the other hand, their PCs may be infected by viruses, trojans, or worms and we want to protect the network from any disasters. Ask yourself, can anyone just walk in your office and have access to the Internet? Is there a wall jack in the lobby area? What about your wireless?

We suggest separating the traffic of visitors and internal users by separating the ports into different VLANs for wired traffic. We also suggest using two wireless networks: one for internal, and one for external. But what if that seems like a bit much? What can you do today?

Well, there is a way to manage the problem in Cisco IOS - it is called Port Security. Here is how is works: in the simplest configuration, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. In the event that any other MAC address tries to communicate through the same port, IOS port security will disable the port. You can even configure the switch to send a SNMP trap to their network monitoring solution that the port's disabled for security reasons. The downside is that the network administrator is the only one who can "unlock" the port, which can cause problems when there are legitimate reasons to change out devices. So the trade-off is convenience vs. security.

Example Configuration

Proper configuration first requires that an already enabled switch port exists and you will enter the port-security Interface Mode command.Here's an example:

Cell_Switch# config t
Cell_Switch(config)# int f0/12
Cell_Switch(config-if)# switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode


Cell_Switch(config-if)# switchport port-security
Cell_Switch(config-if)#^Z

The command entered above is the default, and as stated earlier, once a single MAC address is learned on that port, no other MACS will be allowed. The port will be shut down.

Port Security Options

There are options, however, as shown in the CLI above.

switchport port-security maximum {max # of MAC addresses allowed}: This option to allows more than one default number of MAC addresses. For example, if you had a 5-port hub connected to this switch port, you would want to allow 5 MAC addresses-one for each device. The maximum number of secure MAC addresses per port is 132.

switchport port-security violation {shutdown | restrict | protect}: This command configures the switch action when the number of MAC addresses on the port has exceeded the maximum configured. The default action is to shut down the port, however you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure port and drop packets from other MAC addresses (i.e., protect).

switchport port-security mac-address {MAC address}: This option is used to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.

The aging commands allow you to configure timers and actions for port security.

Of course, you can also configure port security on a range of ports. Here's an example:

Cell_Switch)# config t
Cell_Switch(config)# int range fast 0/1 - 12
Cell_Switch(config-if)# switchport port-security

Note: You need to be very careful with this option if you enter this command on an uplink port that goes to more than one device. As soon as the second device sends a packet, the entire port will shut down.

Viewing the Status of Port Security

Once you've configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To find out the status of port security on the switch, you can use the show port-security address and show port-security interface commands. Below are examples for each command's output:

Cell_Switch# show port-security address

Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age(mins)
---- ----------- ---- ----- -------------
1 0004.00d5.1a3c SecureDynamic Fa0/12 -

-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
CellSwitch# show port-security interface f0/12
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.1a3c
Security Violation Count : 0

We hope this helps you to begin to understand port security.

Comments powered by CComment

Did you learn something?
Did I save you time? 

Buy me a coffeeBuy me a coffee!