Port security is the primary method to protect yourself from MAC spoofing and CAM table overflow attacks. We won't cover these topics here but we will cover port security theory and configuration. It's covered in exams from CompTIA Network+, Security+, Cisco CCNA and many others.
Port Security Overview
Port security is a dynamic Cisco Catalyst switch feature that secures switch ports, and ultimately the CAM table, by limiting the number of MAC addresses that can be learned on a particular port or interface. Port security can be implemented in the following three ways:
- Static Secure MAC Addresses
- Dynamic Secure MAC Addresses
- Sticky Secure MAC Addresses
Static secure MAC addresses are statically configured by network administrators and are stored in the MAC address table, as well as in the switch configuration. When static secure MAC addresses are assigned to a secure port, the switch will not forward frames that do not have a source MAC address that matches the configured static secure MAC address or addresses.
Dynamic secure MAC addresses are dynamically learned by the switch and are stored in the MAC address table. However, unlike static secure MAC addresses, dynamic secure MAC address entries are removed from the switch when the switch is reloaded or powered down.
Sticky secure MAC addresses are a combination of static secure MAC addresses and dynamic secure MAC addresses. These addresses can be learned dynamically or configured statically and are stored in the MAC address table, as well as in the switch configuration. This means that when the switch is powered down or rebooted, it will not need to dynamically discover the MAC addresses again because they will already be saved in the configuration file.
Once port security has been enabled, administrators can define the actions the switch will take in the event of a port security violation. Cisco IOS software allows administrators to specify three different actions to take when a violation occurs:
- Protect
- Shutdown
- Restrict
The protect option forces the port into a protected port mode. In this mode, all unicast or multicast frames with unknown source MAC addresses, i.e. MAC addresses not presently in the CAM table, are discarded by the switch. When the switch is configured to protect a port, it does not send out a notification while operating in protected port mode, meaning that administrators would not know that an attack was prevented in this mode.
The shutdown option places a port in an error-disabled state when a security violation occurs. The corresponding LED on the switch port is also turned off in this state. In shutdown mode, the switch sends out an SNMP trap and a Syslog message, and the violation counter is incremented.
The restrict option is used to drop packets with unknown MAC addresses, i.e. MAC addresses not presently in the CAM table, once the number of secure MAC addresses reaches the administrator-defined maximum limit for the port. In this mode, the switch continues to block additional MAC addresses from sending frames until a sufficient number of secure MAC addresses is removed, or the maximum number of allowable addresses is increased. As is the case with the shutdown option, the switch sends out an SNMP trap and a Syslog message, and the violation counter is incremented.
Configuring Port Security
Port security is configured via the switchport port-security interface configuration command. The options available with this command are illustrated in the following output:
Sw1(config)#int faste 0/1
Sw1(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addrs
violation Security Violation Mode
<cr>
The printed options are listed and described in the following list:
aging – This keyword is used to specify the aging time for secure MAC addresses.
mac-address – This keyword is used to configure a static secure MAC address or to utilize sticky learning.
maximum – This keyword is used to specify the maximum number of secure MAC addresses that can be learned on an interface.
violation – This keyword is used to specify the action the switch will take in the event of a violation.
The following example illustrates how to enable port security on an interface so that only frames from the static secure MAC address 001f.3c59.d63b are forwarded by the switch:
Sw1(config)#int fastethernet0/2
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address 001f.3c59.d63b
Port security configuration can be validated by issuing the show port-security command, as illustrated in the following switch output:
NOTE: Keep in mind that, as illustrated in the output above, the default action in the event of a violation is to shut down the port. This default behavior can be modified by using the switchport port-security violation interface configuration command.
Example
The following example illustrates how to configure port security to dynamically learn no more than two secure MAC addresses on a particular switch port. In the event that this value is exceeded, the switch has been configured to restrict frames from any other MAC addresses:
Sw1(config)#int fastethernet0/2
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security maximum 2
Sw1(config-if)#switchport port-security violation restrict
In the event of a security violation, and assuming that the switch has been configured for logging capabilities, the local switch log would reflect the following:
Sw1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level informational, 243 messages logged
Exception Logging: size (4096 bytes)
File logging: disabled
Trap logging: level informational, 247 message lines logged
Log Buffer (4096 bytes):
01:06:16: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.1986.0a20 on port Fa0/2.
01:06:36: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.cea7.f3a0 on port Fa0/2.
01:06:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0004.c16f.8741 on port Fa0/2.
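As an added example (not part of the original article), the following Python parses %PORT_SECURITY-2-PSECURE_VIOLATION lines like the ones above and flags a port when several distinct MAC addresses trigger violations within a short window, which is what a CAM table overflow attempt looks like in the switch log. The sample log is constructed from the lines above plus one unrelated link message; the 60-second window and the three-MAC threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: the three violation lines from the article plus an
# unrelated %LINK message and a repeat violation a few minutes later.
SAMPLE_LOG = """\
01:06:16: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.1986.0a20 on port Fa0/2.
01:06:36: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.cea7.f3a0 on port Fa0/2.
01:06:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0004.c16f.8741 on port Fa0/2.
01:07:02: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
01:09:55: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.1986.0a20 on port Fa0/2.
"""

VIOLATION_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): %PORT_SECURITY-2-PSECURE_VIOLATION: "
    r"Security violation occurred, caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$"
)

def parse_violations(log_text):
    """Return (seconds_since_midnight, mac, port) for each violation line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = (int(x) for x in m["ts"].split(":"))
        events.append((h * 3600 + mi * 60 + s, m["mac"], m["port"]))
    return events

def flag_ports(events, window=60, min_macs=3):
    """Flag a port when at least min_macs distinct MACs violate inside any window of `window` seconds.

    Returns {port: sorted list of offending MACs in the first window that crossed the threshold}.
    """
    by_port = defaultdict(list)
    for ts, mac, port in events:
        by_port[port].append((ts, mac))
    flagged = {}
    for port, evs in by_port.items():
        evs.sort()
        for t0, _ in evs:
            macs = {mac for ts, mac in evs if t0 <= ts <= t0 + window}
            if len(macs) >= min_macs:
                flagged[port] = sorted(macs)
                break
    return flagged
```

A single violation is usually a moved cable or a new host; the burst of distinct MACs is the pattern worth alerting on.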
Additionally, a remote Syslog server would show the following port security messages:
The increments in the port security violation counter can be viewed by using the show port-security command, as illustrated in the following output:
The following example illustrates how to enable sticky learning on a port for a maximum of ten MAC addresses. In the event that unknown MAC addresses are detected on the port, the port is configured to go into protected port mode:
Sw1(config)#int fastethernet0/2
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#switchport port-security maximum 10
Sw1(config-if)#switchport port-security violation protect
The configuration is validated via the show port-security [options] command, as follows:
An important aspect to remember regarding sticky learning is that the learned addresses are automatically added to the switch configuration and this configuration is retained between reboots. The show running-config interface [name] command can be used to view the learned and saved sticky MAC addresses per interface, as illustrated in the following output:
Sw1#show running-config interface fastethernet 0/2
Building configuration…
Current configuration : 550 bytes
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security maximum 10
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0004.c16f.8741
switchport port-security mac-address sticky 000c.cea7.f3a0
switchport port-security mac-address sticky 0013.1986.0a20
switchport port-security mac-address sticky 001d.09d4.0238
switchport port-security mac-address sticky 0030.803f.ea81
no ip address
end
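Because sticky addresses and the violation mode end up in the running configuration, the configuration itself can be audited. The following Python is an added example (not from the original article): it splits a show running-config listing into interfaces and reports access ports that have no port security, that use the silent protect mode, or that never age secure addresses out. The sample configuration is constructed from the Fa0/2 output above plus two hypothetical interfaces to exercise the checks.

```python
# Constructed sample running-config: the Fa0/2 block from the article (shortened)
# plus two hypothetical interfaces, one unprotected access port and one trunk.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0004.c16f.8741
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its (stripped) configuration lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def audit_port_security(config):
    """Return {access interface: [findings]}; an empty list means the port passes."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for this check
        issues = []
        if "switchport port-security" not in lines:
            issues.append("port-security not enabled")
        else:
            # The default violation mode is shutdown when no violation line is present.
            mode = next((l.split()[-1] for l in lines
                         if l.startswith("switchport port-security violation ")), "shutdown")
            if mode == "protect":
                issues.append("violation mode protect: no trap or syslog on violation")
            if not any(l.startswith("switchport port-security aging ") for l in lines):
                issues.append("no aging configured: secure MACs persist until reload")
        findings[name] = issues
    return findings
```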
Additionally, the show port-security address command can be used to view sticky addresses on a per-interface basis, as illustrated in the following output:
In addition to configuring the different port security parameters, it is important to completely understand the implications of port security on MAC address aging. By default, the secure MAC address will not be aged out and will remain in the switch MAC table until the switch is powered off. This means that even if a host with a secured MAC address is removed from the switch port, the MAC address entry will be retained in the switch CAM table. To address this issue, and the potential problems it may cause, the Cisco IOS software allows administrators to configure port security aging. There are two types of aging mechanisms that can be used:
- Absolute
- Inactivity
The absolute mechanism causes the secured MAC addresses on the port to age out after a fixed specified time, upon which all references are flushed from the secure address list. The inactivity mechanism, also referred to as the idle time mechanism, causes the secured MAC addresses on the port to age out if there is no activity (i.e. frames) during the specified time period.
The following example illustrates how to configure an aging time of two hours for inactive secured MAC addresses on FastEthernet0/2:
Sw1(config)#int fastethernet0/2
Sw1(config-if)#switchport port-security aging time 120
Sw1(config-if)#switchport port-security aging type inactivity
The following example illustrates how to configure a switch port so that all secured MAC addresses are flushed every eight hours:
Sw1(config)#int fastethernet0/2
Sw1(config-if)#switchport port-security aging time 480
Sw1(config-if)#switchport port-security aging type absolute
The remaining valid time for secure MAC addresses, based on the port security timer configuration, can be viewed by issuing the show port-security address command, as follows:
Practice Lab
Here is a lab you can follow along with. We used Cisco Packet Tracer for this lab because it's free and very powerful.
We teach port security in many of our courses including Cisco CyberOps Associate, Cisco CCNA, Security+ and more. Check out the top menu for our list of courses. Members get access to all courses, practice tests and live Cisco racks 24/7.