April 19, 2024

Cisco Switch Port Security Configuration

Today I will discuss Cisco switch port security. Layer 2 interfaces on a Cisco switch are referred to as ports. A switch that does not enforce port security lets an attacker plug a system into any unused but enabled port and start gathering information or attacking other hosts. An attacker can also flood the switch with frames carrying forged source MAC addresses until its MAC address table is full; once that happens the switch floods traffic for unknown destinations out of every port, behaving like a hub, so every system connected to it can potentially see traffic meant for every other system. The attacker can then collect traffic containing usernames, passwords or configuration information about the systems on the network. Limiting the number of MAC addresses a port will learn, which is exactly what port security does, stops this at the access edge.

Cisco Switch Port Security limits the number of valid MAC addresses allowed on a port and, optionally, which addresses those are. All switch ports, or interfaces, should be secured before the switch is deployed; that way security features are set or relaxed deliberately rather than added piecemeal after a security incident. Note that port security cannot be configured on dynamic access ports (the port must first be made a static access port with switchport mode access) or on Switched Port Analyzer (SPAN) destination ports. Still, use port security on as many active ports as possible.

The following Cisco Switch Port Security examples show the commands to shut down a single interface or a range of interfaces. Shutting down every port that is not in use is the first and simplest step, because a disabled port cannot be used at all:

Single interface:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# shutdown

Range of interfaces:
Switch(config)# interface range fastethernet 0/2 - 8
Switch(config-if-range)# shutdown

By default aging is off (aging time 0) and, when it is turned on, only dynamically learned secure addresses age out. The administrator can enable aging for statically configured MAC addresses on a port as well with the switchport port-security aging static command. The aging time is set in minutes (1 to 1440) with switchport port-security aging time followed by the number of minutes. The aging type is absolute by default, meaning an address is removed when the time expires regardless of traffic; setting switchport port-security aging type inactivity instead ages an address out only if no data traffic from it is seen for the period defined by the aging time. Inactivity aging lets a port keep serving a limited number of addresses while still freeing slots for devices that are moved or replaced, without manual intervention.

The following Cisco Switch Port Security example shows the commands for restricting a port statically, to one known MAC address, on a Catalyst 3550 switch. The interface is first placed in static access mode, because the switchport port-security command is rejected on a dynamic port:

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.02b0.0388
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity

To restrict a port dynamically on a Catalyst 3550 switch use the following Cisco Switch Port Security commands. With sticky learning the switch takes the first source MAC address it sees on the port, converts it into a secure address and writes it into the running configuration; save the configuration afterwards (copy running-config startup-config) or the learned address is lost on reload. Note that the aging commands cannot be used with sticky MAC addresses.

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky

Note that when a port security violation occurs in the default shutdown mode, the port immediately becomes error-disabled and its LED turns off. The switch also sends an SNMP trap, logs a syslog message and increments the violation counter. The other two violation modes, restrict and protect, drop frames from unknown addresses but leave the port up; restrict still sends the trap, logs and counts the violation, while protect does none of these, so avoid protect wherever the logs matter. When a port is in the error-disabled state, the administrator can bring it back by entering the shutdown and no shutdown interface configuration commands, or the switch can be told to recover such ports automatically with the errdisable recovery cause psecure-violation global configuration command (the interval is set with errdisable recovery interval and defaults to 300 seconds). Automatic recovery is convenient but a rogue device that stays plugged in will simply re-trigger the violation every interval, so investigate the cause rather than rely on it. The current violation mode, violation count and secure addresses of a port can be checked with show port-security interface followed by the interface name, and show port-security alone gives a one-line summary per port.
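
The syslog messages the switch emits on a violation are what a monitoring team actually sees, so here is an added example, not from the original article, of how to pick them out. It is a small Python script that parses a constructed set of IOS log lines in the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE formats, reports which ports are now err-disabled, which ones logged a violation but stayed up (restrict mode), and which offending MAC address showed up on more than one port. The interface names, addresses and timestamps are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (values made up for this example) in the format
# a Catalyst switch emits when a port in violation mode "shutdown" or "restrict"
# sees a frame from an address it is not allowed to learn.
SAMPLE_SYSLOG = """\
Apr 19 10:02:11.123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/3.
Apr 19 10:02:11.130: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
Apr 19 10:02:12.201: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
Apr 19 10:05:40.002: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
Apr 19 10:05:40.010: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
Apr 19 10:12:15.711: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/12.
"""
# Fa0/12 is assumed to be in "violation restrict" mode, so no ERR_DISABLE follows it.

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)

# PORT_SECURITY messages use long interface names, PM messages use short ones.
_ABBREV = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def normalize_port(name):
    """Map 'FastEthernet0/3' to 'Fa0/3' so both message types key the same port."""
    for long_name, short in _ABBREV.items():
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def parse_violations(log_text):
    """Return (port, mac) for every port-security violation, in log order."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append((normalize_port(m.group("port")), m.group("mac").lower()))
    return events


def parse_errdisabled(log_text):
    """Return the set of ports the switch err-disabled for psecure-violation."""
    ports = set()
    for line in log_text.splitlines():
        m = ERRDISABLE_RE.search(line)
        if m:
            ports.add(m.group("port"))
    return ports


def roaming_macs(events):
    """MAC addresses that caused violations on more than one port: a device being
    carried from jack to jack is a stronger signal than a single mis-patched host."""
    ports_by_mac = defaultdict(set)
    for port, mac in events:
        ports_by_mac[mac].add(port)
    return {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}


def triage(log_text):
    """Summarise violations per port, which ports are now err-disabled, which
    violating ports stayed up, and which addresses appeared on several ports."""
    events = parse_violations(log_text)
    per_port = defaultdict(list)
    for port, mac in events:
        per_port[port].append(mac)
    errdisabled = parse_errdisabled(log_text)
    return {
        "violations": dict(per_port),
        "errdisabled": sorted(errdisabled),
        # violations on ports that stayed up: restrict mode, or already recovered
        "still_up": sorted(set(per_port) - errdisabled),
        "roaming_macs": roaming_macs(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```

Feed the script real lines from a syslog collector and the roaming_macs output is the one to act on first: the same unknown address tripping several ports in a few minutes is someone walking a device around the floor, not a mis-patched printer.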

The following Cisco Switch Port Security example creates a strict security macro called unused that puts every port, or interface, on a 3550 switch into a safe, shut-down baseline. Lines beginning with # are comments inside the macro, and the definition ends with @ on a line by itself:

Switch(config)# macro name unused
macro description unused
shutdown
description *** UNUSED Port ***
no ip address
switchport

# Set secure defaults for access mode
switchport mode access
switchport access vlan 999
switchport nonegotiate

# Set secure defaults for trunking mode
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none

# Do not flood unknown unicast or multicast out of this port
switchport block multicast
switchport block unicast

# Enable MAC control and set secure options
switchport port-security
switchport port-security maximum 1
switchport port-security aging time 10
switchport port-security aging type inactivity

# Apply any switch-wide access-lists
ip access-group ip-device-list in
mac access-group mac-device-list in

# Set secure defaults for misc. flags and protocols
mls qos cos override
dot1x port-control force-unauthenticated
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
no cdp enable

# Default Spanning-tree to secure host settings
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
@

After creating this strict security macro, unused, apply it to all switch ports as a secure baseline with the following commands:

Switch(config)# interface range fastethernet 0/1 - 24 , gigabitethernet 0/1 - 2
Switch(config-if-range)# macro apply unused

Two things to keep in mind when applying it. First, the macro shuts down every port it touches, including the uplinks in the range above, so apply it before the switch is deployed and then explicitly re-enable and configure the ports that are actually in use. A command in the macro that fails (for example because the ip-device-list or mac-device-list access lists have not been defined yet) does not stop the remaining commands from being applied, so check the result with show running-config interface for a port, or apply the macro with macro trace unused instead to see each command and its outcome. Second, spanning-tree bpdufilter enable at the interface level stops the port from sending or receiving BPDUs altogether, so spanning-tree bpduguard enable on the same port never has anything to react to; for a port that may later be re-enabled, leaving out the bpdufilter line and letting BPDU guard err-disable the port if a switch is ever plugged in is the safer choice.
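
As an added example, not part of the original article, the following Python script audits a constructed running-config excerpt against the baseline above: every access port must be a static access port, must have port security unless it is shut down, must not combine aging with sticky addresses, and must not pair bpdufilter with bpduguard. The interface names and descriptions are invented. Note that switchport port-security maximum 1 is the default and IOS does not show it in the running-config, which is why the audit does not look for it.

```python
# Constructed running-config excerpt (not taken from a real device). It mixes a
# port secured with the "unused" macro, a workstation port with a sticky address,
# an unsecured printer port and a trunk uplink.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description *** UNUSED Port ***
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 shutdown
!
interface FastEthernet0/2
 description Finance workstation
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.02b0.0388
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 description Printer
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description Uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

UNSECURED = "active port without port security"


def parse_interfaces(config_text):
    """Split a running-config into {interface name: [indented config lines]}."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or any other unindented line ends the stanza
    return stanzas


def audit_interface(lines):
    """Check one interface stanza against the article's access-port baseline.
    Returns a list of findings; an empty list means the port passes."""
    if "switchport mode trunk" in lines:
        return ["trunk port: outside the access-port baseline, review separately"]
    findings = []
    if "switchport mode access" not in lines:
        findings.append("no 'switchport mode access': dynamic port, port security is rejected")
    if "switchport port-security" not in lines and "shutdown" not in lines:
        findings.append(UNSECURED)
    sticky = "switchport port-security mac-address sticky" in lines
    aging = any(l.startswith("switchport port-security aging") for l in lines)
    if sticky and aging:
        findings.append("aging configured on a port with sticky addresses (not supported)")
    if ("spanning-tree bpdufilter enable" in lines
            and "spanning-tree bpduguard enable" in lines):
        findings.append("bpdufilter enable discards incoming BPDUs, so bpduguard never triggers")
    return findings


def audit_config(config_text):
    """Audit every interface; {name: [findings]} with empty lists for clean ports."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config_text).items()}


def unsecured_ports(config_text):
    """Names of active access ports that have no port security at all."""
    return sorted(name for name, findings in audit_config(config_text).items()
                  if UNSECURED in findings)


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Run it over the output of show running-config pulled from each access switch and the unsecured_ports list is the work queue; the bpdufilter finding will also fire on any port where the unused macro above was applied unchanged, which is the caveat from the previous paragraph showing up in practice.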

Shahed

Hi! I am Shahed Israr. I try to help GPON Technology users with their queries and provide them with relevant and accurate information to the best of my ability. My main goal is to assist and enhance GPON Technology user and help people find the answers they're looking for quickly and easily.
