Saturday, February 22, 2020

How to configure port-security on Cisco Switch

By default there is no limit to the number of MAC addresses a switch can learn on an interface and all MAC addresses are allowed. If we want we can change this behavior with port-security. Let’s take a look at the following situation:

[Figure: cisco and cheap switch]
In the topology above someone connected a cheap (unmanaged) switch that they brought from home to the FastEthernet 0/1 interface of our Cisco switch. Sometimes people like to bring an extra switch from home to the office. As a result our Cisco switch will learn the MAC address of H1 and H2 on its FastEthernet 0/1 interface.
Of course we don’t want people to bring their own switches and connect them to our network, so we want to prevent this from happening. This is how we can do it:
Switch(config)#interface fa0/1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Use the switchport port-security command to enable port-security. I have configured port-security so only one MAC address is allowed. Once the switch sees another MAC address on the interface it will be in violation and something will happen. I’ll show you what happens in a bit…
Besides setting a maximum on the number of MAC addresses we can also use port security to filter MAC addresses. You can use this to only allow certain MAC addresses. In the example below I configured port security so it only allows MAC address aaaa.bbbb.cccc. This is not the MAC address of my computer so it’s perfect to demonstrate a violation.
Switch(config)#interface fa0/1
Switch(config-if)#switchport port-security mac-address aaaa.bbbb.cccc
Use the switchport port-security mac-address command to define the MAC address that you want to allow. Now we’ll generate some traffic to cause a violation:
C:\Documents and Settings\H1>ping 1.2.3.4
I’m pinging to some bogus IP address…there is nothing that has IP address 1.2.3.4; I just want to generate some traffic. Here’s what you will see:
SwitchA#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0090.cc0e.5023 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
We have a security violation and as a result the port goes in err-disable state. As you can see it is now down. Let’s take a closer look at port-security:
Switch#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0090.cc0e.5023:1
Security Violation Count   : 1
Here is a useful command to check your port security configuration. Use show port-security interface to see the port security details per interface. You can see the violation mode is shutdown and that the last violation was caused by MAC address 0090.cc0e.5023 (H1).
Switch#show interfaces fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
Shutting the interface after a security violation is a good idea (security-wise) but the problem is that the interface will stay in err-disable state. This probably means another call to the helpdesk and you bringing the interface back to the land of the living! Let’s activate it again:
Switch(config)#interface fa0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
To get the interface out of err-disable state you need to type “shutdown” followed by “no shutdown”. Only typing “no shutdown” is not enough!
It might be easier if the interface could recover itself after a certain time. You can enable this with the following command:
Switch(config)#errdisable recovery cause psecure-violation

After 5 minutes (300 seconds) it will automatically recover from err-disable state. Make sure you solve the problem though because otherwise it will just have another violation and end up in err-disable state again. You can speed this up by changing the timer. Let’s set it to 30 seconds:
SW1(config)#errdisable recovery interval 30
Instead of typing in the MAC address ourselves we can also make the switch learn a MAC address for port-security:
Switch(config-if)#no switchport port-security mac-address aaaa.bbbb.cccc
Switch(config-if)#switchport port-security mac-address sticky
The sticky keyword will make sure that the switch uses the first MAC address that it learns on the interface for port-security. Let’s verify it:
Switch#show run interface fa0/1
Building configuration...
Current configuration : 228 bytes
!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000c.2928.5c6c
You can see that it will save the MAC address of H1 in the running-configuration by itself.
Shutting the interface in case of a violation might be a bit too much. There are other options, here’s what you can do:
Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
There are other options like protect and restrict.
  • Protect: Ethernet frames from MAC addresses that are not allowed will be dropped but you won’t receive any logging information.
  • Restrict: Ethernet frames from MAC addresses that are not allowed will be dropped, but you will see logging information and an SNMP trap is sent.
  • Shutdown: Ethernet frames from MAC addresses that are not allowed will cause the interface to go to err-disable state. You will see logging information and an SNMP trap is sent. For recovery you have two options:
    • Manual: recover the interface yourself with a “shutdown” and “no shutdown”.
    • Automatic: use the errdisable recovery commands to enable and tune automatic recovery.

For reference, here is the full port-security configuration from this lesson:

hostname Switch
!
interface fastEthernet0/1
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
errdisable recovery cause psecure-violation
!
end
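As an added example (not part of the original lesson), here is a small Python helper a network operations team could run over the switch’s syslog feed and “show port-security interface” output to spot psecure violations, pull out the offending MAC and port, and decide which of the two recovery paths above applies. The sample log lines and show output are constructed from the messages shown in this lesson; the function names are my own.

```python
import re

# Constructed samples, taken from the syslog and 'show port-security interface'
# output shown in this lesson (the MAC and port are the lesson's own values).
SYSLOG_SAMPLE = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0090.cc0e.5023 on port FastEthernet0/1.
"""
SHOW_SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Last Source Address:Vlan   : 0090.cc0e.5023:1
Security Violation Count   : 1
"""

# Cisco MAC notation is xxxx.xxxx.xxxx; the port name is e.g. FastEthernet0/1.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (?P<port>[A-Za-z]+\d+(?:/\d+)*)", re.I)
# 'Key : Value' rows of the show command; the key itself may contain a colon (Address:Vlan).
FIELD_RE = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.+?)\s*$")

def parse_violations(log_text):
    """Return (port, mac) for every PSECURE_VIOLATION line in a syslog feed."""
    hits = (VIOLATION_RE.search(line) for line in log_text.splitlines())
    return [(m["port"], m["mac"]) for m in hits if m]

def parse_port_security(show_text):
    """Turn the table printed by 'show port-security interface' into a dict."""
    matches = (FIELD_RE.match(line) for line in show_text.splitlines())
    return {m["key"]: m["value"] for m in matches if m}

def assess_port(show_text):
    """Summarise one port: is it err-disabled, how many violations, which MAC caused the last one."""
    f = parse_port_security(show_text)
    last_mac, _, _vlan = f.get("Last Source Address:Vlan", "").partition(":")
    return {
        "err_disabled": f.get("Port Status") == "Secure-shutdown",
        "violation_mode": f.get("Violation Mode", "").lower(),
        "violations": int(f.get("Security Violation Count", "0")),
        "max_macs": int(f.get("Maximum MAC Addresses", "0")),
        "last_mac": last_mac or None,
    }

def recovery_action(assessment, running_config):
    """Which recovery path applies, following the two options in this lesson."""
    if not assessment["err_disabled"]:
        return "none"
    if "errdisable recovery cause psecure-violation" in running_config:
        return "automatic"  # the switch re-enables the port after the recovery interval
    return "manual"  # an operator must do 'shutdown' then 'no shutdown' on the interface
```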

That’s all I wanted to show you about port-security. If you enjoyed this lesson please leave a comment!
