Tuesday, July 26, 2011

Configure Cisco Port Security on Switches and Router Interfaces

Cisco Port Security is a features that can help secure access to the physical network. Any Network admins nightmare is an unauthorised device or a PC connecting to the network. This could be as simple as an innocent guest plugging his PC into a floor port hoping to get an internet connection or a malicious intruder connecting to the network trying to gain access to confidential information.
Consequences could as bad as

• Virus, Spyware or malware infection from a PC unprotected PC
• A malicious hacker or an intruder gaining access to the network
• A malicous attacker launching a Denial of Service attack using MAC Address flooding

Cisco IOS has the port-security feature which can be used to restrict the MAC-Address of the devices that connects to each of the physical switchports.
Cisco Port-Security can help to

• restrict the MAC-address or addresses that can connect through a switchport [default: first connected device MAC Address]
• restrict the number of MAC-Addresses that can connect through a switchport [default is 1 and maximum is 128]
• set aging in minutes of the MAC Addresses registed
• Action to take when there is a violation detected (default is to disable the port and send an SNMP Trap message to the SNMP management server (if any))

For a switch port to be security enabled,
• the switchport cannot be a Trunk Port
• the switchport cannot be a destination port for a Switchport Analyzer (SPAN)
• the switchport cannot belong to an EtherChannel port-channel interface
• the switchport cannot be an 802.1X port

If you try to enable 802.1X on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port, an error message appears, and the security settings are not changed.
To enable Port Security on a Cisco Switch or router interface
Enter the interface config mode (say fa0/1)

Switch# conf t
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access

This sets the switchport to access mode. Default mode of "Dynamic desirable" cannot be configured as a secure port

Switch(config-if)# switchport port-security

This enables the port security on the switchport with the defaults [1 MAC Address allowed, 1st connected MAC Address, disable port if there is a violation]
If you know the MAC Address of the device and that thats the only device that connects to the swicthport (for example, A server on a Serverfarm switch) then you can set the MAC-Address manually.

Switchport(config-if)# switchport port-security mac-address 1111.2222.3333
Where 1111.2222.3333 is the MAC Address of the server. This will disable the secure port, if any other device other than the one with the above MAC-Address connects to the switch port.

If there is a switch or a hub (say 12 port or a 24 port) that connects to the switchport which you want to secure then you can set the maximum number ofMAC-Addresses that connects to the port and/or set the MAC-Address optionally.

Switchport(config-if)# switchport port-security max 12
This sets the maximum number of mac-address allowed on the secure port (default is 128).

One step further, if you want to manually add some or all of these MAC-Addresses then you can specify using the following command one for each MAC-Address

Switchport(config-if)# switchport port-security mac-address 0000.0000.0000
Switchport(config-if)# switchport port-security mac-address 0000.0000.1111

If now, you need to set the maximum number of MAC Addresses on the switchport but are aware that some or most of them are temporary ones (guest users or temporary workers) then you can set the aging time on the port-security which allowsMAC-Addresses on the Secure switchport will be deleted after the set aging time.

This helps to avoid a situation where obsolete MAC-Address occupies the table and saturates causing a violation (when the max number exceeds).

Switchport(config-if)# switchport port-security aging time 10
Where time is specified in minutes (10 mins in the above)

Now, you can set the action to be taken when there is a violation. The default is to shutdown the port and mark the port err-disabled.
For example,

Switchport(config-if)# switchport port-security violation protect

Where protect is the action taken when a violation event is triggered.
The actions are

protect — Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

restrict — Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the Security Violation counter to increment.

shutdown (default) — Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

To show the port-security,
Switch# show port-security interface fastethernet 0/1
Switch# show port-security
Switch# show port-security address

No comments: