How Switch Port Security Can Save You from Cyber Attacks
Introduction to Switch Port Security
Nowadays, networks are the core of businesses, ensuring seamless communication and data transfer. However, if our switches are insecure, they open a door for attackers: anyone who can plug into a switch port can gain unauthorized access, leading to data breaches. Cisco switch ports are enabled by default, so any PC can connect to them. The switch port security feature lets our switches permit or deny the computers connected to them within a network. In this article, we will learn how to configure switch port security on Cisco switches step by step.
How Does Switch Port Security Work?
A switch learns the MAC address of each device connected to its ports, and port security allows only that device’s MAC address to communicate on that port. If a device with an unauthorized MAC address connects to the same port, port security disables the port (in the default shutdown mode).
There are different port security violation rules, which tell the switch what to do when the number of MAC addresses seen on a port exceeds the configured maximum. These rules help protect our network switches from unauthorized access.
We cannot implement port security on trunk ports, EtherChannel ports, or Switched Port Analyzer (SPAN) ports. It only works on end-point device interfaces such as access ports.
Shutdown | Restrict | Protect |
---|---|---|
This is the default violation mode. If the number of MAC addresses exceeds the limit, the port goes into the err-disabled state. | This mode drops the unauthorized traffic and alerts the network administrator (log message and SNMP trap) but does not shut down the port. | In protect mode, the switch allows traffic only from the permitted MAC addresses and silently drops packets from all unknown MAC addresses, sending neither log messages nor SNMP alerts to the administrator. |
Comparison of Modes
Mode | Port Behavior on Violation | Logs | SNMP Alerts |
---|---|---|---|
Shutdown | Disables the port (err-disabled) | Yes | Yes |
Restrict | Drops unauthorized traffic | Yes | Yes |
Protect | Drops unauthorized traffic | No | No |
Static vs. Dynamic MAC-Address Allocation: Which is Better?
Under port security, the switch learns MAC addresses in two ways: static and dynamic (sticky):
Static Learning: In static allocation, we set the maximum number of MAC addresses allowed on the port and enter each permitted address by hand. It is manual work, which requires more attention.
Dynamic Learning (Sticky): The word “sticky” is added at the end of the command. With this feature, the switch learns MAC addresses automatically; when it reaches the maximum number of MAC addresses, it stops storing new ones.
How to Configure Switch Port Security (Static)
We will configure the following lab topology for Layer 2 security. It consists of one switch, one hub, and four computers. Later, we will add one more PC to the existing topology.

Check and note the MAC address of each PC, as shown in the screenshot below:

The above is the MAC address of PC0; in the same way, check and note the IP addresses of each PC as shown below. Later, we will use the following MAC (physical) addresses in the port security configuration.

Create VLAN 2 on the switch.

Configure the port fast Ethernet 0/1 as an access port and assign it to VLAN 2.

Enable port security on the above port (Fast Ethernet 0/1).

Set the maximum number of addresses to be allowed on fast Ethernet 0/1:

Configure the default violation mode, which is “shutdown”:

Now, manually associate the addresses below with port security. This is the static way, where we give the addresses to the switch ourselves; the switch is not allowed to learn MAC addresses automatically.

Now that port security is configured on the switch, verify it with the command “show port-security interface fastEthernet 0/1”.
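The static configuration from the steps above, written out as an added example rather than the article’s own screenshots. The four MAC addresses are constructed placeholders standing in for PC0 to PC3; substitute the ones noted from your PCs.

```cisco
! Create VLAN 2 and make FastEthernet 0/1 an access port in it
Switch# configure terminal
Switch(config)# vlan 2
Switch(config-vlan)# exit
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
! Port security only activates on an access port, so enable it after the mode is set
Switch(config-if)# switchport port-security
! Four PCs sit behind the hub, so allow at most four secure addresses
Switch(config-if)# switchport port-security maximum 4
! Shutdown is already the default; stating it makes the intent explicit in the config
Switch(config-if)# switchport port-security violation shutdown
! Static entries: constructed placeholder MAC addresses for PC0..PC3
Switch(config-if)# switchport port-security mac-address 0000.1111.aaa0
Switch(config-if)# switchport port-security mac-address 0000.1111.aaa1
Switch(config-if)# switchport port-security mac-address 0000.1111.aaa2
Switch(config-if)# switchport port-security mac-address 0000.1111.aaa3
Switch(config-if)# end
! Verify: expect Port Status Secure-up, Maximum MAC Addresses 4,
! Violation Mode Shutdown and Security Violation Count 0
Switch# show port-security interface fastEthernet 0/1
! Lists every secure address with its type (SecureConfigured for static entries)
Switch# show port-security address
```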

Handling Security Violations
If an unauthorized device (such as a new PC, PC4) attempts to connect to the port fast Ethernet 0/1, as shown in the diagram below, the port will go into the “err-disable” state, effectively blocking the device.

When we connect PC4 to the hub, which is attached to the fast Ethernet 0/1 interface of the switch, the interface goes down. Let us check its status with the following command:

The interface’s violation mode is “shutdown,” and it has recorded the MAC address of the offending device. Accordingly, the security violation count is “1.”
Run the following command to check the state of the interface:

The interface is in an err-disabled state. How do we recover it? Let us follow the steps below.
First, remove PC4 as shown in the screenshot below:

Secondly, go to the interface mode of fastEthernet 0/1, first “shutdown” it and then “no shutdown” it, as in the following steps:

The interface has changed to the “up” state, which you can check with the following command:

A few seconds ago, the interface was in an err-disabled state; now it is operational, as its status is “connected”.
Alternatively, if you want the interface to recover from the err-disable state automatically after an interval, use the command below. (Note: this command is not supported in Cisco Packet Tracer.)
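The manual and automatic recovery described above, as an added example (not the article’s own commands). The 300-second interval is an assumed value.

```cisco
! Confirm what happened after PC4 was plugged into the hub:
! expect Port Status Secure-shutdown and Security Violation Count 1
Switch# show port-security interface fastEthernet 0/1
! Expect Status err-disabled
Switch# show interfaces fastEthernet 0/1 status
! Manual recovery: only after PC4 has been physically removed,
! otherwise the port violates again as soon as it comes up
Switch# configure terminal
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit
! Automatic recovery (real IOS, not Packet Tracer): re-enable ports
! err-disabled by a port-security violation after 300 seconds
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Expect Status connected again
Switch# show interfaces fastEthernet 0/1 status
! Shows which causes are enabled for recovery and the timer value
Switch# show errdisable recovery
```

Automatic recovery only clears the err-disabled state; the violation log message and SNMP trap from the shutdown mode are still the signal to investigate which device was attached.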

Sticky Command (Dynamic)
In the previous commands, we manually entered each MAC address, which can be tedious for a network administrator. With the sticky MAC feature, there is no need to input every MAC address manually; instead, the switch learns and stores them dynamically. When it reaches the maximum number of MAC addresses, it stops learning new ones. Here is the basic configuration of the sticky method with shutdown violation mode:

In the same way, you can configure the restrict and protect modes of port security. For example, configure the following for restrict mode with sticky MAC addresses:

The configuration below is for protect mode.
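The three sticky variants from the previous paragraphs side by side, as an added example that is not the article’s own. It assumes three separate access ports (fastEthernet 0/1 to 0/3) so each mode can be shown on its own port.

```cisco
Switch# configure terminal
! Sticky learning with the default shutdown mode (as in the article)
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 4
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown
! Restrict: offending frames are dropped, a log message and SNMP trap
! are generated, the violation counter increments, the port stays up
Switch(config-if)# interface fastEthernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 4
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
! Protect: offending frames are dropped silently, no log, no trap,
! no counter increment, so nothing tells the administrator it happened
Switch(config-if)# interface fastEthernet 0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 4
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation protect
Switch(config-if)# end
! Learned sticky addresses are written into the running config as
!   switchport port-security mac-address sticky H.H.H
! and are lost on reload unless the config is saved
Switch# copy running-config startup-config
! One-line-per-port summary: max, current and violation counts, action
Switch# show port-security
```

Because protect mode gives no signal at all, restrict or shutdown is the mode to prefer wherever a log or trap can be monitored.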

That was the simple and easy configuration of switch port security. If you are looking for more such CCNA practical labs, explore more topics here at the link.