Troubleshooting Cisco Switch Port Security
Port security is another Cisco IOS software tool that can be used to protect the data plane. This feature secures the CAM table by limiting the number of MAC addresses that can be learned on a particular port or interface. With the port security feature, the switch maintains a table that is used to identify which MAC address (or addresses) can access which local switch port. The primary purpose of the port security feature is to protect against CAM table overflow or MAC address flooding attacks. However, the same feature can also be used to protect against MAC spoofing attacks, which were described earlier in this chapter in the section on DHCP Snooping.
You can learn more about Cisco port security in our Cisco CCNA certification course.
CAM table overflow or MAC address flooding attacks work by flooding the switch with a large number of randomly generated invalid source and destination MAC addresses until the CAM table fills up and the switch is no longer able to accept new entries. In such situations, the switch effectively turns into a hub and simply begins to broadcast all newly received frames to all ports on the switch, essentially turning the VLAN into one big Broadcast domain.
The primary purpose of CAM table overflow or MAC address flooding attacks is to get the switch to go into a ‘fail-open’ state, which essentially means that all traffic is flooded or transmitted out of all ports. In such cases, the attacker is able to capture all data transiting the switch, as they can see all packets that are being sent by the switch.
The port security feature can be used to specify which specific MAC address is permitted access to a switch port, as well as to limit the number of MAC addresses that can be supported on a single switch port. The methods of port security implementation described in this section are as follows:
- Static secure MAC addresses
- Dynamic secure MAC addresses
- Sticky secure MAC addresses
Static secure MAC addresses are statically configured by network administrators and are stored in the MAC address table, as well as in the switch configuration. When static secure MAC addresses are assigned to a secure port, the switch will not forward frames that do not have a source MAC address that matches the configured static secure MAC address or addresses.
Dynamic secure MAC addresses are dynamically learned by the switch and are stored in the MAC address table. However, unlike static secure MAC addresses, dynamic secure MAC address entries are removed from the switch when the switch is reloaded or powered down. These addresses must then be re-learned by the switch when it boots up again.
Sticky secure MAC addresses are a mix of static secure MAC addresses and dynamic secure MAC addresses. These addresses can be learned dynamically or configured statically and are stored in the MAC address table, as well as the switch configuration (NVRAM). This means that when the switch is powered down or rebooted, it will not need to discover the MAC address dynamically again because it will already be saved in the configuration file.
Once port security has been enabled, administrators can define the actions the switch will take in the event of a port security violation. Cisco IOS software allows administrators to specify the following four actions to take when a violation occurs:
- Protect
- Shutdown (default)
- Restrict
- Shutdown VLAN
The protect option forces the port into a protected port mode. In this mode, all Unicast or Multicast frames with unknown source MAC addresses will simply be discarded by the switch. When the switch is configured to protect a port, it will not send out a notification when operating in protected port mode, meaning that administrators would never know when any traffic was prevented by the switch port operating in this mode.
The shutdown option places a port in an errdisabled state when a port security violation occurs. The corresponding port LED on the switch is also turned off when a port security violation occurs and this configured action mode is used. In shutdown mode, the switch sends out an SNMP trap and a syslog message, and the violation counter is incremented. This is the default action taken when port security is enabled on an interface.
The restrict option is used to drop packets with unknown MAC addresses when the number of secure MAC addresses reaches the administrator-defined maximum limit for the port. In this mode, the switch will continue to restrict additional MAC addresses from sending frames until a sufficient number of secure MAC addresses is removed or the number of maximum allowable addresses is increased. As is the case with the shutdown option, the switch sends out an SNMP trap and a syslog message, and the violation counter is incremented.
The shutdown VLAN option is similar to the shutdown option; however, this option shuts down only the offending VLAN instead of the entire switch port. This configuration could be applied to ports that have more than one VLAN assigned to them, such as a voice VLAN and a data VLAN, as well as to trunk links on the switches.
When troubleshooting port security, it is important to check the configuration that has been implemented by first using the show running-config interface <name> command. As stated earlier in this guide, default port security configuration parameters can cause operational issues with other features, such as FHRPs (i.e., HSRP, VRRP, and GLBP) because only a single MAC address is allowed per port. This can be validated via the show port-security interface <name> command as illustrated below:
```
Switch#show port-security interface FastEthernet0/2
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
```
When looking at the output of this command, it is important to understand the information that is printed by the switch. The Port Status field indicates the operational state of the port (i.e., whether the port is up or down). In the example above, the port is down, which could be due to Layer 1 issues, or because the shutdown command was issued under the port, or because the switchport port-security command has not been issued under the interface or port.
The Violation Mode field indicates the configuration violation mode. The default mode is shutdown. The Aging Time and Aging Type fields specify the aging time and type parameters. By default, secure MAC addresses will not be aged out and will remain in the switch MAC table until the switch is powered off. However, this default behavior may be adjusted by configuring aging values for dynamic and secure static MAC addresses. The valid aging time range is 0 to 1440 minutes.
The aging type specifies how secure addresses are aged. This can be either an absolute value or following a configured period of inactivity. The absolute mechanism causes the secured MAC addresses on the port to age out after a fixed specified time. All references are flushed from the secure address list after the specified time and the address must then be relearned on the switch port. Once relearned, the timer begins again and the process is repeated as often as has been defined in the configured timer values. This is the default aging type for secure MAC addresses.
The inactivity time, also referred to as the idle time, causes secured MAC addresses on the port to age out if there is no activity (i.e., frames or data) received from the secure addresses learned on the port for the specified time period.
The Maximum MAC Addresses field specifies the number of allowed secure MAC addresses per port. The default is one and the maximum value depends on the switch platform. The Total MAC Addresses field indicates the current total MAC addresses learned on the port. The Configured MAC Addresses field specifies the number of statically configured secure addresses on the port. The Sticky MAC Addresses field specifies the number of sticky secure MAC addresses configured on the port. The Last Source Address:Vlan field specifies the MAC address of the last secure MAC address learned on the port. This is applicable only when port security is configured on a trunk link. Finally, the Security Violation Count field specifies the number of security violations on the port. To reinforce what has been discussed in this section further, consider the following output:
```
Switch#show port-security interface FastEthernet0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 10
Total MAC Addresses        : 6
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 5
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
```
From the port security interface output that is printed above, we can determine the following:
- The interface is up, and the switchport port-security command was issued under the interface. This is reflected in the Secure-up port status.
- The switchport port-security violation restrict command was issued under the interface, because the output shows a violation mode of Restrict while the default violation mode is Shutdown.
- The switchport port-security aging time 10 and switchport port-security aging type inactivity commands were issued under the interface because the aging time default is 0 minutes and the aging type default is absolute.
- The switchport port-security maximum 10 command was issued under the interface since by default only one MAC address is permitted when port security is enabled.
- Referencing the address counters, we can determine that the switchport port-security mac-address sticky command was issued, since five secure sticky addresses are present, and that the switchport port-security mac-address command was issued to define one static secure address, because by default neither kind of address is defined.
- Finally, we can determine that no security violations have been detected on the interface or port as the counter still has a value of 0.
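The inferences drawn from the two outputs above can be automated. The following is an added example, not code from the original article: it parses the field/value lines of show port-security interface output (a constructed sample, not captured from a real switch) and reports which non-default commands the output implies, using the defaults stated in this section (shutdown, aging 0 minutes and absolute, maximum 1, no secure addresses), plus the checks a troubleshooter would raise first.

```python
# Constructed sample modelled on the second show output above; not from a real switch.
SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 10
Total MAC Addresses        : 6
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 5
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""
def parse_port_security(text):
    """Map each 'Field : value' line of the show output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:  # split once, so 'Last Source Address:Vlan' stays intact
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields
def infer_config(fields):
    """Return (commands, warnings): the non-default interface commands the output
    implies, and the conditions a troubleshooter should look at first."""
    commands, warnings = [], []
    if fields.get("Port Status") == "Secure-down":
        warnings.append("port down: check Layer 1, 'shutdown', or missing 'switchport port-security'")
    mode = fields.get("Violation Mode", "Shutdown")
    if mode != "Shutdown":
        commands.append(f"switchport port-security violation {mode.lower()}")
    aging = int(fields.get("Aging Time", "0 mins").split()[0])  # '10 mins' -> 10
    if aging:
        commands.append(f"switchport port-security aging time {aging}")
    atype = fields.get("Aging Type", "Absolute")
    if atype != "Absolute":
        commands.append(f"switchport port-security aging type {atype.lower()}")
    maximum = int(fields.get("Maximum MAC Addresses", "1"))
    if maximum != 1:
        commands.append(f"switchport port-security maximum {maximum}")
    else:  # the default of one address is what breaks FHRPs on this port
        warnings.append("maximum at default 1: an FHRP (HSRP/VRRP/GLBP) peer on this port will violate")
    if int(fields.get("Sticky MAC Addresses", "0")):
        commands.append("switchport port-security mac-address sticky")
    static = int(fields.get("Configured MAC Addresses", "0"))
    if static:
        commands.append(f"switchport port-security mac-address <mac> ({static} static)")
    return commands, warnings
```

Running infer_config(parse_port_security(SAMPLE)) yields exactly the command list derived by hand above and no warnings; feeding it the first (Secure-down, all-default) output instead yields no commands and two warnings.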