Port security limits the number of MAC addresses that can be learned on a switch port, which defeats MAC address flooding (CAM table overflow) attacks. It is configured with the switchport port-security command. This lab configures port security on interface Fa0/1 of SW1 to allow a maximum of 3 MAC addresses and to shut down the port if that limit is exceeded. Testing confirmed the configuration works as expected: the port was err-disabled after the MAC address on the connected router R1's Fa0/0 interface was changed three times, because the third change presented a fourth address to a port that already held the router's burned-in address plus two changed ones.
How to Configure Dynamic Switchport Security?
Due to the limited feature support of the NM-16ESW, this lab CANNOT be completed
using the Free CCNA Workbook GNS3 topology. However, this lab can be completed
using the Stub Lab.
Real World Application & Core Knowledge
It is well known that when a switch's MAC address table fills up, it starts flooding
unknown-destination unicast frames out all ports in the VLAN, behaving like a hub.
Attackers know this and use it to gain a foothold in a network: by flooding the
switch with thousands of fake source MAC addresses they exhaust the table, the
switch effectively becomes a hub, and traffic destined for other hosts is also
forwarded to their machine. From there they can sniff Telnet or any other cleartext
protocol used in the environment to harvest credentials and gain further access into
the network.
A way to prevent this MAC address table overflow (MAC flooding) vulnerability is to
use a feature called "Port Security".
Port Security is essentially a layer 2 security mechanism that limits the number of
MAC addresses that can be learned on a single switch port. It can also be used as a
barrier to prevent anyone from unplugging a network device and plugging in a new,
unauthorized device in its place.
A common rule of thumb is to allow no more than three MAC addresses on an access
port at any given time. Why 3? Most networks plan for VoIP, and when a Cisco VoIP
solution is used, the Cisco IP phone has a built-in mini switch. When you connect a
phone to the network, the switch port can see three MAC addresses: one for the
phone's built-in switch, one for the phone itself, and one for the PC connected
behind the phone.
There are several settings involved in configuring port security correctly: port
security MAC address aging, which sets a timeout that determines how long a MAC
address stays associated with a particular port; the port security mac-address,
which can be dynamic or sticky (discussed in the next lab); the maximum number of
MAC addresses that can be associated with a particular port; and the violation
action, that is, whether the port protects, restricts or shuts down once the maximum
MAC address limit has been exceeded or a device does not match the MAC address
configured on the port.
There are three violation modes you can use with Port Security. The first is
protect: on a violation, traffic from the authorized (secure) MAC addresses is still
forwarded, but frames from any unknown source MAC address are silently dropped,
with no log message, no SNMP trap and no increment of the violation counter. The
second is restrict: it drops frames from unknown MAC addresses in the same way, but
additionally increments the Security Violation counter and generates a syslog
message and an SNMP trap for administrative reference. The last mode is shutdown,
which places the port into Err-Disabled state as soon as a violation occurs; the port
stays down until an administrator issues shutdown followed by no shutdown on it, or
until errdisable recovery is configured for the psecure-violation cause.
Lab Prerequisites
If you are using GNS3 then load the Free CCNA Workbook GNS3 topology
then start devices R1 and SW1.
Establish a console session with devices R1 and SW1, then configure the
devices' respective hostnames.
Assign the IP address 10.1.1.1/24 to R1's Fa0/0 and the IP address
10.1.1.10/24 to SW1's Vlan1 interface, then verify IP connectivity between R1
and SW1.
In this lab you will familiarize yourself with the following commands:
Command / Description

switchport port-security
    Executed in interface configuration mode; enables port security on the
    configured port.

switchport port-security aging {time # | type {absolute | inactivity}}
    Executed in interface configuration mode; sets the MAC address aging timer,
    which determines how long a MAC address stays associated with a port that
    has port security enabled.

switchport port-security mac-address {hhhh.hhhh.hhhh | sticky}
    Executed in interface configuration mode; specifies a static secure MAC
    address, or (with sticky) converts the dynamically learned MAC addresses
    into statically configured secure MAC addresses.

switchport port-security maximum #
    Executed in interface configuration mode; specifies the maximum number of
    MAC addresses that can be learned on that switchport before a violation is
    triggered.

switchport port-security violation {protect | restrict | shutdown}
    Executed in interface configuration mode; specifies the action to be taken
    upon a port security violation.

show port-security
    Executed in privileged mode; shows the current status of all ports on the
    switch that are participating in port security.

show port-security interface interfacename#/#
    Executed in privileged mode; shows the details of port security on a
    particular port, including status, aging timer, violation mode, maximum MAC
    addresses, violation count and other configurable options.

show port-security interface interfacename#/# address
    Executed in privileged mode; shows the secure MAC addresses currently
    associated with the port.
Lab Objectives
Enable port-security on SW1 interface Fa0/1 and allow a maximum of 3 MAC
addresses.
Configure interface Fa0/1 on SW1 to shut down the port if there is a
port-security violation.
Verify your port-security configuration on SW1 by changing the MAC
address on R1's FastEthernet0/0 interface to aaaa.aaaa.aaaa, then
aaaa.aaaa.aaab and finally aaaa.aaaa.aaac to trigger a violation.
Lab Instruction
Step 1. Enable port-security on SW1 interface Fa0/1 and allow a maximum of 3 MAC
addresses.
To enable port security on a specific port, use the switchport port-security
command in interface configuration mode as shown below. Port security is only
accepted on a static access port; on switches whose ports default to dynamic
trunking mode, the command is rejected until you first issue switchport mode access
on the interface.
SW1 con0 is now available
Press RETURN to get started.
SW1>enable
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface fa0/1
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#
Step 2. Configure interface Fa0/1 on SW1 to shut down the port if there is a
port-security violation.
To shut down a port once a violation is triggered, use the switchport
port-security violation shutdown command in interface configuration mode as
shown below:
SW1(config-if)#switchport port-security violation shutdown
Step 3. Verify your port-security configuration on SW1 by changing the MAC
address on R1's FastEthernet0/0 interface to aaaa.aaaa.aaaa, then aaaa.aaaa.aaab
and finally aaaa.aaaa.aaac to trigger a violation.
You can first verify your configuration by using the show port-security interface
fa0/1 command in privileged mode to view the current port-security configuration on
a per-port basis as shown below:
SW1(config-if)#end
SW1#
%SYS-5-CONFIG_I: Configured from console by console
SW1#show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000f.242e.bf80:1
Security Violation Count : 0
SW1#
As you can see above, the port status is "Secure-up", meaning port security is
enabled and the port is operational, the maximum address count is 3, and one
address has already been learned: R1's burned-in MAC address 000f.242e.bf80. You
can test this configuration by changing the MAC address on R1 three times. Each new
address is learned as an additional secure address alongside the ones already on the
port, so after the third change the port has seen four addresses, which exceeds the
maximum of 3 and triggers a violation.
You can change the MAC address of a router's interface by using the mac-address
xxxx.xxxx.xxxx command in interface configuration mode as shown below:
R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fa0/0
R1(config-if)#mac-address aaaa.aaaa.aaaa
R1(config-if)#mac-address aaaa.aaaa.aaab
R1(config-if)#mac-address aaaa.aaaa.aaac
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to down
R1(config-if)#
If you were watching SW1 after each MAC address change on R1, you would see the
secure address table grow as shown below, until the fourth address arrived and the
port was automatically placed into Err-Disabled mode:
SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    000f.242e.bf80    SecureDynamic       Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 1
SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    000f.242e.bf80    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaaa    SecureDynamic       Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 2
SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    000f.242e.bf80    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaaa    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaab    SecureDynamic       Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 3
SW1#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in
err-disable state
SW1#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address aaaa.aaaa.aaac on port FastEthernet0/1.
SW1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state
to down
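As an added example, not part of the original lab, the configuration below combines the commands covered in the command table and the three-step procedure above into the access-port setup a production deployment usually wants: a restrict-mode port that keeps the permitted devices online and logs every violation, the shutdown-mode port from this lab with automatic err-disable recovery so it does not stay dark until someone notices, and the verification commands to run afterwards. The interface FastEthernet0/2, the 5-minute inactivity aging time and the 300-second recovery interval are assumptions chosen for illustration.

```cisco
! Added example; FastEthernet0/2, the aging time and the recovery interval are assumptions.
! Port security is only accepted on a static access port, so set the mode first.
!
! Fa0/2: user-facing port behind an IP phone. restrict keeps the port up for the
! three permitted addresses, drops frames from any other source MAC, and
! increments the violation counter, logs a syslog message and sends an SNMP trap.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! Fa0/1: the port from this lab, with the shutdown action. A violation puts it
! into err-disabled state, so enable automatic recovery for that cause instead
! of relying on an administrator to issue shutdown / no shutdown by hand.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
!
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (privileged EXEC):
!   show port-security                     - per-port max count, current count,
!                                            violation count and action
!   show port-security interface fa0/1     - Secure-up vs Secure-shutdown, violation mode,
!                                            aging settings, last source address
!   show port-security address             - secure MAC address table for all ports
!   show interfaces status err-disabled    - ports currently err-disabled and the reason
!   show errdisable recovery               - recovery interval and enabled causes
!
! Manual recovery when automatic recovery is not configured:
!   interface FastEthernet0/1
!    shutdown
!    no shutdown
```

The design choice between the two ports is deliberate: restrict suits user ports where an unexpected extra device should be blocked and reported without taking the legitimate phone and PC offline, while shutdown suits ports where any unexpected address is an incident worth the outage. With either mode, the violation counter and the Last Source Address field in show port-security interface tell you which MAC address caused the violation.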