Switchport Security Concepts and Configuration
Date: Jul 1, 2011
One of the most overlooked security areas is the configuration of individual switchport security configuration. The reason may be that it requires a more granular configuration; this is because a typical configuration requires the knowledge of the specific MAC address(es) that will be connecting to each switchport. Keeping track of all of this information in a medium to large organization can be quite time consuming. There are a couple of different ways to configure the use of switchport security and this article will review the available options and requirements.
Switchport Security Overview
The switchport security feature offers the ability to configure a switchport so that traffic can be limited to only a specific configured MAC address or list of MAC addresses.
Secure MAC Address Types
To begin with, there are three different types of secure MAC address:
- Static secure MAC addresses—This type of secure MAC address is statically configured on a switchport and is stored in an address table and in the running configuration.
- Dynamic secure MAC addresses—This type of secure MAC address is learned dynamically from the traffic that is sent through the switchport. These types of addresses are kept only in an address table and not in the running configuration.
- Sticky secure MAC addresses—This type of secure MAC address can be manually configured or dynamically learned. These types of addresses are kept in an address table and in the running configuration.
The type of secure MAC address that is configured depends on the intended end result. Static secure MAC addresses are typically used when the MAC addresses used are known and do not change often. For example, if a single host is always connected to the same switchport.
Dynamic secure MAC addresses are typically used when the host(s) connecting to a specific switchport is constantly changing, and the intention is to limit the port to only be used by a specific number of hosts at once. For example, a switchport can be configured to only allow a single MAC address to be learned at a time and not permit hosts other than the one initially learned; the only way to change the host that connects to the switchport is to disable switchport security and reenable it, to delete the learned MAC address from the table directly, or to wait for the port-security aging time to expire if configured.
Sticky secure MAC addresses are a bit of a combination between the two prior secure MAC address types; not only are addresses able to be statically-configured but they can also be dynamically learned. The key difference here is that dynamically-learned addresses are automatically put into the running-configuration; if the engineer wants these addresses to be saved on device reboot, the option is available to save the running-configuration into the startup configuration, thus effectively making these addresses static.
Switchport Security Violations
The second piece of switchport port-security that must be understood is a security violation including what it is what causes it and what the different violation modes that exist. A switchport violation occurs in one of two situations:
- When the maximum number of secure MAC addresses has been reached (by default, the maximum number of secure MAC addresses per switchport is limited to 1)
- An address learned or configured on one secure interface is seen on another secure interface in the same VLAN
The action that the device takes when one of these violations occurs can be configured:
- Protect—This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, no notification action is taken when traffic is dropped.
- Restrict—This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, a syslog message is logged, a Simple Network Management Protocol (SNMP) trap is sent, and a violation counter is incremented when traffic is dropped.
- Shutdown—This mode is the default violation mode; when in this mode, the switch will automatically force the switchport into an error disabled (err-disable) state when a violation occurs. While in this state, the switchport forwards no traffic. The switchport can be brought out of this error disabled state by issuing the errdisable recovery cause CLI command or by disabling and reenabling the switchport.
- Shutdown VLAN—This mode mimics the behavior of the shutdown mode but limits the error disabled state the specific violating VLAN.
Switchport Security Aging
Another option that is available when configuring switchport security is the use of an aging timer. This provides for a MAC address to be removed from being learned after a configured amount of time. By default, aging is not enabled and addresses are not deleted unless the device is rebooted or the MAC addresses are cleared through a removal command being issued.
There are two different methods of implementing secure MAC address aging, these include:
- Absolute—When using this method, secure MAC addresses are deleted after a specific aging time expires.
- Inactivity—When using this method, secure MAC addresses are deleted only if the secure MAC address is inactive for a specific aging time.
Switchport Security Configuration
As with any feature configuration there are a number of different guidelines and requirements that need to be known before a configuration is implemented:
- Switchport security can only be configured on statically configured access or trunk ports (access or trunk); dynamic switchport modes are not supported.
- Switchport security is not supported on Switch Port Analyzer (SPAN) destination ports.
- Switchport security is not supported along with Etherchannel (Fast or Gigabit).
- When configuring switchport security on a switchport that is configured with a voice VLAN, ensure that the maximum number of MAC addresses is raised to account for the voice and data devices connected.
- Switchport security aging is not supported along with the Sticky secure MAC address type.
The configuration of switchport security is not overly complex; the following commands are used when initially configuring a switchport with security:
|
1 |
router#configure terminal |
Enters the device into global configuration mode |
|
2 |
router(config)#interface interface-id |
Enters the device into interface configuration mode |
|
3 |
router(config-if)#switchport mode {access | trunk} |
Statically configures the switchport into access or trunk mode |
|
4 |
router(config-if)#switchport port-security |
Enables switchport port security |
|
5 |
router(config-if)#switchport port-security maximum value [vlan {vlan-id | {access | voice}] |
Configures the maximum number of MAC addresses that are permitted by switchport security; by default this is set to 1 MAC address. |
|
6 |
router(config-if)#switchport port-security violation {protect | restrict | shutdown [vlan]} |
Configures the switchport security violation mode; by default this is set to shutdown. |
|
7 |
router(config-if)#switchport port-security mac-address mac-address [vlan {vlan-id | {access | voice}] |
Configures a static secure MAC address on a switchport |
|
8 |
router(config-if)#switchport port-security mac-address sticky |
Configures the use of sticky learning on a switchport |
|
9 |
router(config-if)#switchport port-security aging {static | time time| type {absolute | inactivity}} |
Configures the use of switchport port-security aging, the aging time and/or the aging type. The default is for switchport port-security aging to be disabled. |
Summary
The use of switchport port-security provides another level of security that can help in securing locally connected computers and the networks they connect to. This article was written to make the basic features of port-security more familiar to the reader and offered as an additional option when securing a network. Hopefully, the information contained within this article will help in this and be able to serve as a research base for securing the switched network of the reader.