As we already know, switches are very important network devices; with their help we connect and maintain communication channels between various devices. We also know that Ethernet ports are present on our switches, and through these ports we connect devices such as routers, computers, and other equipment. Switches identify devices by their MAC addresses and provide services to them. The important point is that we need to secure these Ethernet ports so that only authorized users can connect to the network.
Here we can use the Cisco IOS port-security feature to block an Ethernet, Fast Ethernet, or Gigabit port when the MAC address seen on it differs from the MAC address specified for that port. We can also use port security to filter traffic destined to or received from a specific host, based on that host's MAC address. This feature can only be configured on access ports, and it is disabled by default.
Before we start the lab and get straight to the point (which is what I always do), we need to understand these four settings:
- Aging
- mac-address
- maximum
- violation
Aging: when we configure the maximum number of MAC addresses on a particular port, we can also configure aging. With aging we specify how long an address on the port stays secure;
once that time expires, the MAC address on that port is no longer secure. By default, all addresses on a port are secured permanently. The aging time is given in minutes: <1-1440>, i.e. a value between 1 and 1440.
MAC address: when we configure a specific MAC address in the port-security command, only that device is authorized by the switch to connect through that port. This is also called a static MAC address.
In the command's question-mark help output above, we can see the two options: H.H.H, which configures a static MAC address, and the second mode, sticky. Let's take a look at sticky.
Sticky: before we understand what sticky mode is, we must know that we have two configuration options, for example:
Switch(config-if)#switchport port-security mac-address sticky 0000.0C39.6AEC
and
Switch(config-if)#switchport port-security mac-address sticky
Whenever we enable sticky learning on an interface, the interface converts all dynamic secure MAC addresses, including those learned dynamically before sticky learning was enabled, to sticky secure MAC addresses and adds them all to the running configuration. All newly on-boarded clients are then considered sticky MACs.
Now we know that the switch can learn MAC addresses on a secure port in one of three ways.
1. Manually: the admin configures a static MAC address using the command
switchport port-security mac-address 0000.0C39.6AEC
2. Dynamically: when we configure the command switchport port-security, the current source MAC address on that port is secured but is not added to the running-config. If we reboot the switch, the port has to re-learn the MAC address.
switchport port-security
3. Dynamically sticky: the admin can enable the switch to learn MAC addresses dynamically and stick them in the running-config.
switchport port-security mac-address sticky
Maximum: as per our requirements we can raise the limit on the number of hosts associated with the interface. By default, only 1 MAC address is allowed by the Cisco switch on a single port; if another device tries to connect through that port, our switch shuts the port down automatically. We can set this limit from 1 to 132; the maximum number is 132.
Now we have the last setting: violation.
Violation: when the MAC address of a device connected to a port differs from the list of secure addresses we have given on the interface, a port violation occurs and the port enters the error-disabled state. For violations we have three modes, as shown in the picture below.
Protect: under protect mode only data packets from the configured MAC addresses are forwarded within the network. This is the least secure of the violation modes: the port drops packets with unknown source MAC addresses until you remove a sufficient number of secure MAC addresses, and no syslog message is sent.
Restrict: under restrict mode, if a security violation occurs, the data transfer is blocked and the packets are dropped; syslog messages are also generated at the same time.
Shutdown: under shutdown mode, if a violation occurs on a port-security-enabled port, the port changes to the error-disabled state. This mode is enabled by default.
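To make the three learning methods and the three violation modes concrete, here is a small model of a secure access port, written as an added example for this post (it is not Cisco code and does not talk to a switch). It assumes a constructed SecurePort class and sample MAC addresses; the syslog text only approximates what IOS logs.

```python
# Added example (not from the original post): a model of how a port-security
# access port treats source MACs under the protect/restrict/shutdown modes,
# and which learned addresses end up in the running-config.
# All MAC addresses used with it are constructed sample values.
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    maximum: int = 1                 # default: one secure MAC per port
    violation: str = "shutdown"      # default violation mode
    sticky: bool = False             # "switchport port-security mac-address sticky"
    static: set = field(default_factory=set)   # H.H.H addresses typed by the admin
    learned: set = field(default_factory=set)  # dynamically learned addresses
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def secure_macs(self):
        return self.static | self.learned

    def receive(self, mac):
        """Return the switch's action for a frame whose source MAC is `mac`."""
        if self.err_disabled:
            return "err-disabled"            # port stays down until recovered
        if mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(mac)            # room left: learn it as a secure MAC
            return "forward"
        # Secure-address table is full and this MAC is unknown: a violation.
        if self.violation == "protect":
            return "drop"                    # silently dropped, no syslog
        if self.violation == "restrict":
            self.syslog.append(f"port-security violation from {mac}")  # approximate
            return "drop"
        self.err_disabled = True             # shutdown: port goes error-disabled
        self.syslog.append(f"port-security violation from {mac}, port err-disabled")
        return "err-disabled"

    def running_config(self):
        """Interface lines that would appear in running-config (defaults shown)."""
        lines = [f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:  # only sticky learning writes learned MACs to the config
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned)]
        return lines
```

Compare a port built with sticky=True against one without after the same frames: only the sticky port's learned address shows up in running_config(), which is why plain dynamic learning is lost on reboot.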