Secure Network using Cisco Port Security, Part 1: Concept

This entry is part 1 of 2 in the series Secure Network using Cisco Port Security

In every organization, or even a home, that has a network, security is one of the important issues. Strong network security decreases the chance that hackers or other malicious people succeed in breaking into your network, and hence reduces the damage they can cause. I use the word ‘decrease’ deliberately: there is no way to completely secure a network against every threat and risk. Hardening the network to be as secure as possible is a challenging task for network administrators.

One way to enhance network security is to implement Network Access Control (NAC), also called Network Admission Control. This allows only certain devices (PCs, laptops, PDAs, etc.) to access the network’s resources, limiting the potential damage from emerging security threats and risks. In this post, I’ll talk about a feature of Cisco products called “Port Security”. Port Security helps you protect the network from unauthorized access by restricting which MAC addresses may connect to an interface on the switch, so only the defined MAC addresses can access the network. If a user connects a new device (e.g. a laptop) to a port that already has port security enabled, and the port has reached its maximum allowed number of MAC addresses, the device won’t get access to the network until an administrator changes the configuration on the switch.

The features of Port Security are:

  • Restrict a port to specified MAC addresses only. Devices with other MAC addresses can’t connect to the network.
  • Restrict the number of MAC addresses on a port. The port adds MAC addresses dynamically to its configuration as new devices are plugged in, until it reaches the maximum allowed number.
  • Set an aging time and type for secure MAC addresses. This lets you remove and add PCs on a secure port without manually deleting the existing secure MAC addresses, while still limiting the number of secure addresses on the port.
  • Enable or disable sending an SNMP trap when a violation is detected.

When configuring port security, note these restrictions:

  • A secure port cannot be a trunk port.
  • A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
  • A secure port cannot belong to an EtherChannel port-channel interface.
  • A secure port cannot be an 802.1X port. If you try to enable 802.1X on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port, an error message appears, and the security settings are not changed.
  • A secure port and static MAC address configuration are mutually exclusive.

Secure MAC Addresses

Types of secure MAC Addresses

  1. Static secure MAC addresses. These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
  2. Dynamic secure MAC addresses. These are dynamically configured, stored only in the address table, and removed when the switch restarts.
  3. Sticky secure MAC addresses. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. After you’ve enabled sticky learning, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All sticky secure MAC addresses are added to the running configuration.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.

If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

Port Security Options

Violation Mode

  1. Protect. Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
  2. Restrict. Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
  3. Shutdown. Puts the interface into the error-disabled state immediately and sends an SNMP trap notification. You can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

Security Violation Mode Actions

Violation Mode | Sends SNMP trap | Sends syslog message | Violation counter increments | Shuts down port
protect        | No              | No                   | No                           | No
restrict       | Yes             | Yes                  | Yes                          | No
shutdown       | Yes             | Yes                  | Yes                          | Yes

Aging

  1. Static. Enables aging for statically configured secure addresses on this port.
  2. Time. Specifies the aging time for this port. Valid range for aging time is from 0 to 1440 minutes. If the time is equal to 0, aging is disabled for this port.
  3. Type. Sets the aging type as absolute or inactivity.

Aging Type

  1. Absolute. All the secure addresses on this port age out exactly after the specified time (in minutes) and are removed from the secure address list.
  2. Inactivity. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
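As an added illustration (not code from the original post and not from Cisco), the following Python model replays the behaviour described in the violation-mode table and the aging types above, so you can trace what a port does once its secure-address table is full. It assumes whole-minute timestamps, that the syslog action follows the trap column, and that sticky entries never age out.

```python
from dataclasses import dataclass, field

# Violation-mode actions from the page's table (the syslog column tracks the trap column).
MODES = {
    "protect":  dict(trap=False, counter=False, shutdown=False),
    "restrict": dict(trap=True,  counter=True,  shutdown=False),
    "shutdown": dict(trap=True,  counter=True,  shutdown=True),
}

@dataclass
class SecurePort:                   # one port-security interface; times are in minutes
    maximum: int = 1
    violation: str = "shutdown"     # the default mode
    aging_time: int = 0             # 0 disables aging
    aging_type: str = "absolute"    # or "inactivity"
    sticky: bool = False
    secure: dict = field(default_factory=dict)  # mac -> [kind, learned_at, last_seen]
    violations: int = 0             # the SecurityViolation counter
    err_disabled: bool = False
    traps: int = 0                  # SNMP traps that would have been sent

    def enable_sticky(self):        # converts every dynamic address already learned
        self.sticky = True
        for entry in self.secure.values():
            if entry[0] == "dynamic":
                entry[0] = "sticky"

    def age(self, now):             # absolute: from learn time; inactivity: from last traffic
        for mac, (kind, learned, seen) in list(self.secure.items()):
            ref = learned if self.aging_type == "absolute" else seen
            if kind == "dynamic" and self.aging_time and now - ref >= self.aging_time:
                del self.secure[mac]  # assumed: sticky entries never age out

    def frame(self, mac, now):      # ingress frame: returns 'forward', 'drop' or 'errdisable'
        if self.err_disabled:
            return "errdisable"
        self.age(now)
        if mac in self.secure:
            self.secure[mac][2] = now
            return "forward"
        if len(self.secure) < self.maximum:  # room left: learn the address
            self.secure[mac] = ["sticky" if self.sticky else "dynamic", now, now]
            return "forward"
        act = MODES[self.violation]          # table full: apply the violation mode
        self.violations += int(act["counter"])
        self.traps += int(act["trap"])
        if act["shutdown"]:
            self.err_disabled = True
            return "errdisable"
        return "drop"
```

Note that under the protect and restrict modes the port keeps forwarding for the addresses it already knows; only the shutdown mode takes the whole port down.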

Now you understand the basics. Next, I’ll show an example configuration to enable port security on a Cisco Catalyst C2960 Series switch. See Secure the Network using Cisco Port Security, Part II: Configuration.
