
Port Security


The Enemies Within

It’s easy to think about network security in terms of playing defense from attackers outside our network.

Thing is, plenty of successful attacks have been launched from inside a network, utilizing seemingly innocent network services and protocols such as DHCP, ARP, CDP, Telnet, and even VLANs.

Port Security

A basic Cisco security feature that’s somewhat overlooked, port security uses the source MAC address of incoming frames as a kind of password.

The port compares that incoming source MAC to a list of secure MAC addresses, learned by the port either statically or dynamically.

If the source MAC is found on the list, the frame is processed normally. If the source MAC is not on that list, the frame is dropped and certain other actions are taken, depending on the level of port security running on that port.

Use switchport port-security to enable port security.

Before doing so, run show cdp neighbor to make sure the port you’re about to work with is connected to the host you think it’s connected to.

We’re going to use a couple of Cisco routers R1 and R2 to masquerade as hosts here, Host1 and Host2, and the frames are coming from Host1.

So I want to go to my switch and make sure that I’m configuring port security on the port that’s connected to Host1, which in this case is Fast 0/1.

In a real-world network I would definitely run show cdp neighbor first, because if you configure port security on the incorrect port, two things are going to happen:

First, you’re not going to get the desired security on the port you wanted to secure, and second, on the other port that you didn’t want to configure, you’re probably going to end up shutting somebody down. So here is what we do:

Note: <cr> in the context-sensitive help means that ‘switchport port-security’ by itself is a legal command; entering it with no further options simply enables port security on that port.

We’ve been rejected! That’s because this port is a dynamic port. In many Cisco switch models (not all of them), all of the ports run in dynamic desirable mode by default, which means they are actively attempting to trunk. So the rejection message means that the port is trying to trunk.

You can’t run port security on a trunk port or a port that’s even actively attempting to trunk.

What kind of port do we need?

We want it to belong to one VLAN (and one VLAN only!), and that is an “access port”.

Let’s go ahead and run our first verification command:

These dashes you see across the screen are dividers.

Right now we don’t have anything, because I didn’t put switchport port-security on the port after I made it an access port.

As you see, MaxSecureAddr is 1. That is the default number of secure MAC addresses a port can have. So by default it can have one secure address. CurrentAddr is 0 because we haven’t configured an address and the port hasn’t learned anything dynamically yet.

Note: a Security Action of Shutdown doesn’t mean that the port is shut down! It’s not the status of the port. It’s the security action that will be taken if port security detects a violation; it doesn’t mean a violation has happened yet.

Port Security Options

By default, dynamically learned secure MAC addresses do not age out. If you need to change this, use the aging options. The option to age out static addresses is rarely used, but it is there.

Use time to set the number of minutes an address should remain secure. There’s no point setting this to zero, since zero is already the default and means the addresses do not age out.

You can run one of two timer types, absolute or inactivity. The absolute timer runs whether or not the source MAC address is heard from, and when it hits zero, the address is no longer considered secure. The inactivity timer refreshes when the source MAC is heard from.

The maximum option allows us to define the number of secure MAC addresses the port can learn. The default is always one, but the maximum number depends on your switch model. The lowest number I’ve seen is 132, so you will have plenty of working room.

The mac-address option allows us to define static secure MAC addresses and sticky secure MAC addresses. The last one sounds gross, but it’s actually helpful at times, as we’ll see later in this section.

The violation option defines the action taken by the port when a non-secure source MAC is detected, in addition to dropping the offending frame, which all three modes do.

Shutdown is the default mode and it offers the strongest security actions of the three. Upon detection of a non-secure source MAC, this mode puts the port into error-disabled state, and manual intervention is needed to reopen the port. An SNMP (Simple Network Management Protocol) message is also generated.

Restrict mode generates both an SNMP message and a syslog message. The port remains open.

Besides dropping a frame, protect mode offers no further protection or action.
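The options described above, put together as an added example interface configuration (this is not a capture from the original post; the address 0000.1111.2222 is a constructed sample value, and the non-default choices are mine):

```cisco
! Added example, not from the original post. 0000.1111.2222 is a constructed MAC.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
! Port security is rejected on a trunking (dynamic desirable) port: make it an access port first
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Allow up to 3 secure addresses on this port (the default is 1)
Switch(config-if)# switchport port-security maximum 3
! One static secure address; the remaining two slots can still be learned dynamically
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
! Default violation mode is shutdown (port goes err-disabled, manual reset needed).
! restrict keeps the port up, drops offending frames and still raises SNMP + syslog.
Switch(config-if)# switchport port-security violation restrict
! Age dynamically learned addresses out after 10 minutes without hearing from them
! (default: no aging). absolute would expire them 10 minutes after learning regardless.
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# end
! Verify the settings took effect
Switch# show port-security interface FastEthernet0/1
Switch# show port-security address
```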

Port Security In Action

Port Security Static Lab

We’ll start with PS fundamentals and move on from there. The switch ports leading to the hosts have been configured as access ports. Host1 can ping Host2 with no problem. (I’m using Cisco routers as hosts, which is why the pings look like they do.)

In our first lab, we only want to use port security to authenticate Host1, so we’re going to concentrate our efforts on the switch’s Fast 0/1. (We actually don’t need the MAC address of Host2 for this lab.)

Off screen, I sent a ping from Host1 to Host2 and everything was fine. On the switch, I have completely re-initialized the configuration except for giving it a hostname when it came back up. So I haven’t done anything with port security yet, and we should expect the switch to be at its defaults.

What command should I use to make sure I’m configuring the port that leads to the host I think I’m configuring? ‘show cdp neighbor’

So we’re definitely working on local interface 0/1.

And the first thing I’m actually going to do is shut the port while I put port security on it, just in case any traffic comes in while I’m doing the configuration.

Then I do ‘no service timestamps log’ to make the messages easier to read.

Then we’ll go back to the interface, and we’re going to configure port security.

We got rejected because the switch is running all its ports in dynamic desirable. So we’ll make it an access port (one VLAN and one VLAN only).

So this time if we do ‘switchport port-security’, it will be accepted.

For the MAC address, I can do two different things here. I can put in an address statically, and that will be a secure MAC address. We know the default maximum is 1, so it will be the only secure MAC address on the port.

Sticky addresses will be covered in a separate lab. Right now I’ll put in a MAC address that probably isn’t going to match anybody, and definitely is not going to match the device we have on port 0/1.

I’ve got my config there and everything is fine. Now we want to test it, and see what happens when a frame comes in with a non-secure source address.

We open the port first, and then send some pings from Host1.

Let’s look at these four messages.

When it comes to debug messages or console messages or that kind of thing, sooner or later we’re going to see messages that we’ve never seen before. The debugs can be a little hard to read at times but if you go through them, you’ll see exactly what’s going on.

They say that the port is going down both logically and physically because it is being put into err-disabled state: the line protocol (the logical state of the interface) changed to down, and Fast 0/1 itself changed state to down, so everything has gone down.

So when you encounter these messages, the first thing to do is ‘show port-security’.

We can also do ‘show int fast 0/1’.

This is not port security related but you could definitely walk into this or see it on a question.

The highlighted part shows you why the interface is down.

Note: Port security is not the only service that can put a port into error-disabled state. Another useful command here would be ‘show port-security int fast 0/1’.

Note:

  • Aging time and type are the defaults.
  • Configured MAC addresses is the number of static secure addresses that we’ve configured.
  • Last source address shows the source MAC address of the last frame that came in, and at the end it even shows you the VLAN.

Now what are we going to do to fix it, and in what order should we do the next couple of tasks? We have to get that port up and running, and at the same time we have to fix the issue that caused the violation. We have to resolve the issue first and then reset the port, because if you reset the port first, it will be fine only until frames come in from Host1 again, trigger port security, and put us right back where we started.

In order to fix the issue, we need the actual Host1 MAC address of the interface that’s sending the traffic. One way to get it is ‘show port-security int fast 0/1’, because it tells us the MAC address that actually came in as the last source address.

You could also go over to Host1 and do a ‘show int fast 0/0’. That’s the interface in question.

And you can see the line protocol is down, because of course the switch port it’s connected to is in err-disabled state. So we would expect to see this.

Copy the MAC address in the third line. And do this:

So I didn’t take port security off. I just removed my previous command that had the incorrect static address: I arrowed up to it in my history, pressed Ctrl-A to move the cursor to the beginning of the line, and typed the word ‘no’ in front of it. Then I put in the correct address by pasting what I copied earlier.

Now I just need to do a ‘shut’ and then a ‘no shut’ to reset the port. Once I see it coming back up, I’ll go over to Host1 and send some pings.

Then we go back over to the switch and wait to see any error message (which didn’t happen, meaning the pings didn’t set off a port security violation, which of course they shouldn’t, since the address is correct now).

Then we’ll go to the verification commands.

As you see in the first line, it’s still up physically, still up logically, and still connected.

So we don’t see any error-disabled message there.

Let’s run ‘show port-security’

We’ve got a current address count of 1, so our address is definitely in there (the latest one we put in), and we have no security violation, which is really good.

Now let’s run ‘show port-security int fast0/1’

The first two lines are what we want to see, and the rest is the same as before except the last lines, which tell us that the security violation count is at zero, and there is the last source MAC address to come in (the one we expected, and it is a member of VLAN 1).
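The static lab above as one command sequence, written here as an added example rather than the post’s own capture. aaaa.bbbb.cccc is the deliberately wrong address the post uses; 0011.2233.4455 is a constructed stand-in for Host1’s real MAC, which you read from Last Source Address or from ‘show int fast 0/0’ on Host1:

```cisco
! Added example, not the original post's capture. 0011.2233.4455 stands in for Host1's MAC.
Switch# configure terminal
Switch(config)# no service timestamps log
Switch(config)# interface FastEthernet0/1
! Keep traffic out while configuring
Switch(config-if)# shutdown
! Port security is refused on a dynamic desirable port, so force access mode first
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Wrong static address on purpose: Host1's frames will now be a violation
Switch(config-if)# switchport port-security mac-address aaaa.bbbb.cccc
Switch(config-if)# no shutdown
! Host1 pings -> violation -> default action shutdown puts the port in err-disabled.
! Read the offending source MAC from Last Source Address:
Switch(config-if)# do show port-security interface FastEthernet0/1
! Step 1: fix the CAUSE first. Remove the wrong entry and add Host1's address.
Switch(config-if)# no switchport port-security mac-address aaaa.bbbb.cccc
Switch(config-if)# switchport port-security mac-address 0011.2233.4455
! Step 2: only now reset the port. Resetting before step 1 just re-triggers the violation.
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
! Verify: no err-disabled, SecurityViolation count 0, Last Source Address is Host1
Switch# show interface FastEthernet0/1
Switch# show port-security
Switch# show port-security interface FastEthernet0/1
Switch# show port-security address
```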

Port Security Dynamic Learning Lab

Having seen static secure MAC addresses in action, we’re now going to work with dynamic addresses. Same MAC addresses, same IP addresses, everything is the same; we’re picking up on the router and switch exactly where we left off at the end of the last video.

I’ll do a ‘shut’ and then remove the one static secure MAC address from the last lab. Then we’ll do a verification:

No current addresses.

What happens if we don’t configure a static address? How does the dynamic learning take place?

Config > no shut > send pings again

Let’s see if we see any kind of violations or anything come up.

Nothing happened.

So let’s start verifying, because right now the only port security command we have on that port is ‘switchport port-security’. That’s it! We haven’t changed the maximum number of addresses, we don’t have a static address configured, nothing!

So let’s do a ‘show port-security’

Now the current address count is 1, which gives us a huge hint: the port has learned an address or got a secure address from somewhere. So we definitely suspect it was learned dynamically. How can we prove that, and how can we see it?

Now we see more hints here.

Port Security is Enabled, Port Status is Secure-up, Maximum MAC Addresses is 1, Total MAC Addresses is 1, and Configured MAC Addresses is 0! So we must have a dynamically learned address in there somewhere, because Sticky MAC Addresses (which we haven’t gotten to yet) is zero too, and we know this is the last source MAC address seen by that port, so we even know what the address is right now. But we need a little more verification.

We use this command: show port-security address

This is a great table to refer to, because this is your secure MAC address table. It’s like the list a club doorman has of who is allowed in through that port and who is not. You can see the VLAN number of the secure MAC addresses (or, in this case, the one secure MAC address we have), and the type is SecureDynamic. That’s the word ‘dynamic’ we’ve been looking for.

So to allow a port to learn an address dynamically, just leave the static ones off. That’s all you have to do if you’re only going to have one secure address.

But what about a scenario where you wanted to mix them? Can we do that? Sometimes in Cisco we get in trouble when we start mixing things.

Can we have a port learn an address dynamically and also have a static entry on that same port?

Let’s go to conf t > int fast 0/1 > go back to the MAC address line that was obviously wrong > Ctrl-A > get rid of the ‘no’

I tried to add a secure MAC address just now, and you can see the message ‘Total secure mac-addresses on interface fast0/1 has reached maximum limit’. Of course, we know that the maximum limit is ‘1’ by default. We also know how to change it.

Shut > ^z > show port-security address

As you noticed, the dynamic entry is gone now. Resetting the port gets rid of the dynamic entries. So while we didn’t see anything in the Remaining Age column, because we’re not aging them out, they will leave the table if you close that port. That makes a shut/no shut a good way to reinitialize the port.

Let’s go back to fast0/1

And max is what we want here, because we’re going to change the maximum number of addresses. (Do NOT set 6144!)

We’ll go with ‘3’ here because I think it’s a pretty safe number.

Then let’s try the MAC address again (the static one) >> No problem! No error message!

So right now let’s run show port-security.

Notice that the maximum secure address count has already taken effect without our having to reopen the port: it’s set to ‘3’. The current address count is ‘1’ because it knows the one static address that we gave it.

Let’s take a look at show port-security address

You can see the type is now ‘SecureConfigured’. So this is a great command to see not only what your secure MAC addresses are, but which ones are configured and which ones are dynamically learned.

Now let’s take a quick look at the config.

Wr > show config

At the end we’ll see this on the screen:

Fast0/1 is the access port. We enabled port security with that fundamental ‘switchport port-security’ command, then we added one secure static address and changed the maximum to ‘3’.

So what’s going to happen when Host1 sends in some traffic with an address that does not match the static one, given that the port looks like it still has room to learn two more addresses?

Our line protocol is just coming up so we might need to send some more pings.

Let’s do a show port-security at this point.

We can see that current address is ‘1’, so let’s go over and send that ping again

Now we would expect the first one to age out.

And there we go:

The current address count is now ‘2’. It seems, and we now know, that the port can have one or more static secure addresses configured and still learn the remaining addresses dynamically (as long as we left some room). We allowed three addresses and configured one statically, so the next two source MAC addresses the port sees will be learned dynamically as secure MAC addresses.

Let’s go to show port-security address:

So there’s no problem with dynamic and static secure MAC addresses living together on the same port, and this configuration still leaves one address free, because we’re at a maximum of ‘3’ and a current address count of ‘2’. You could configure another static address here and that would be fine, or the port could learn another dynamic address: if I changed laptops and another source address came in, it could learn that one dynamically as well.

So if you want to leave yourself some breathing room with learning addresses that’s how you’d do it.

Port Security Sticky Addresses and the Errdisable Recovery Command

We’re taking a look at our secure address table on switch one. It’s got one address that it’s learned. It’s that dynamic address from Host1. We recognize that address by now.

Right now the only port security commands I have running on the switch, are on that port and I’ve enabled port security and that was it. So there are no other configs, no static addresses, no nothing.

The reason I wanted to come back to this is to show you what happens to our dynamic entries if that interface gets shut down or the switch is reset.

They’re going to be lost! And maybe we don’t want that. Maybe we want them to remain in the table if the port is shut down for any reason (error-disabled or otherwise) or if we just reload the switch. That’s what sticky addresses are all about: the dynamically learned addresses stick around across a reload or a reset of that port.

Let’s put that into action:

So now we’ll do a ‘no shut’. Then we’ll go over to Host1 and send those pings again.

We see the secure MAC address, but this time the type is ‘SecureSticky’. That’s all there is to it.

Now if I shut that port down, and do ‘show port-security address’ :

Note: the dynamically learned address is still in the table, and if I reload the switch right now we’ll see exactly the same thing.

Let’s reopen that port :

Let’s look at another command here; with it, we’re going to get away from port security exclusively.

Previously we mentioned that while it’s great to run ‘show interface fast0/1’ (or whichever interface leads to the host) to see the ‘error disabled’ message, port security is hardly the only event that will cause an error-disabled state.

This is the errdisable recovery command, and the options are cause and interval.

I wanted to see cause first of all, because everything in this list can cause a port to go into error-disabled state. The option we’re really interested in right now is ‘psecure-violation’.

You have to be careful with this command, because it enables automatic recovery from an error-disabled state. You can define which event you want automatic recovery from, and there is an ‘all’ option at the very top where you can say, ok, I want the ports to recover from an error-disabled status no matter what caused it.

You have to be careful because, first, its convenience sounds great, but you may not want the port automatically reset! You may feel that if this port is put in error-disabled state, it should stay there until you personally get there and reset it. The other issue is the order of operations: you’re not resolving the issue that actually caused the error-disabled state, you’re just resetting the port. So if the same thing happens after the reset, the port goes into err-disabled state again, and you get into a vicious circle.

So let’s go with ‘errdisable recovery cause psecure-violation’

Note: This is a global command, configured in global configuration mode rather than at the interface level. The default recovery interval is 300 seconds. If you want to change that time, you have to use ‘interval’ (here we choose 30 seconds).

Let’s set up a situation that would trigger an error-disabled port and let it recover, because I want you to see the messages that we get.

I’ll show you the actual config, but it’s exactly what we did earlier. I set the single secure MAC address on port 0/1 to be aaaabbbbcccc, which we know wasn’t going to work, and I sent a ping in from router 1, which did what we saw earlier: it triggered the psecure-violation. I put the timestamps back on so we could see about how many seconds the reset takes, and here is a message we haven’t seen before: error-recovery, attempting to recover from psecure-violation.

This is a result of the error recovery that we configured. So it’s attempting to come out of error disabled state and you can see it was about 30 seconds.

And you can see now that we’ve got frames coming in from Host1 that are triggering port security again. This is what I was talking about when I said you have to be careful with this command: it was ok until some more traffic came from Host1 and triggered the violation again, and now in about another 30 seconds it’s going to recover, or try to recover, again.

So let’s let it do that and then I’ll shut the port and we’ll do a couple of show commands.

So you can see that the port went into error-disabled state at 00:23:43, about 30 seconds later at 00:24:13 the error recovery from psecure-violation starts, and at 00:24:17 and 00:24:18 the port is up/up, physically and logically. Just a few seconds later, more traffic coming from Host1 triggered the whole situation again (00:24:33), and that’s what I was talking about! You’ve got to be careful with this, because it’s probably going to keep on happening as long as that host stays connected.

And at 00:25:03 there’s an error recovery again, about 30 seconds later… and that’s all there is to it.

So let me show you a couple of show commands here.

‘show errdisable recovery’ gives you the full list of error-disable reasons, and psecure-violation is the only one we have enabled.

(You can run this right after you configure it too; you don’t have to wait for it to actually be triggered.) At the very bottom: timer enabled, 30 seconds.

And right now the interfaces that will be enabled at the next timeout are unlisted, because we shut the port down.

Let’s reopen that port:

You can now see at the bottom the interfaces that will be enabled at the next timeout (with the errdisable reason and the seconds left before it tries a reset again).
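The sticky-address lab and the errdisable recovery setup from this section, combined into one added example configuration (mine, not a capture from the post). It uses the 30-second interval chosen above and assumes Host1 is still on Fast 0/1:

```cisco
! Added example, not from the original post.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Sticky: addresses learned dynamically are written into the running config as
! 'switchport port-security mac-address sticky <mac>' and survive a shut/no shut.
! To survive a reload as well, the running config must be saved (write memory below).
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# no shutdown
Switch(config-if)# exit
! Global commands (not interface level). Recover from psecure-violation only, not 'all':
! an automatically recovered port simply re-violates if the offending host is still
! attached, which is the 30-second violate/recover cycle shown in the timestamps above.
Switch(config)# errdisable recovery cause psecure-violation
! Default interval is 300 seconds; 30 is used here to match the lab
Switch(config)# errdisable recovery interval 30
Switch(config)# end
Switch# write memory
! Verification: type should read SecureSticky after Host1 has sent traffic;
! the recovery display lists enabled causes, the timer, and ports awaiting recovery.
Switch# show port-security address
Switch# show running-config interface FastEthernet0/1
Switch# show errdisable recovery
```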
