Module 11 - Switch Security Configuration - Part1

The document outlines the configuration of switch security, specifically focusing on implementing port security to mitigate LAN attacks. It details methods for securing unused ports, preventing MAC address table overflow attacks, and configuring port security settings, including violation modes and aging options. Additionally, it provides commands for verifying port security configurations and managing secure MAC addresses on switches.

Module 11: Switch Security Configuration - Part 1
Switching, Routing and Wireless Essentials v7.0 (SRWE)
Module Objectives
Module Title: Switch Security Configuration

Module Objective: Configure switch security to mitigate LAN attacks

Topic Title: Implement Port Security
Topic Objective: Implement port security to mitigate MAC address table attacks.

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
11.1 Implement Port Security
Implement Port Security
Secure Unused Ports
Layer 2 attacks are some of the easiest for attackers to carry out, but they can also be
mitigated with some common Layer 2 controls.
• All switch ports (interfaces) should be secured before the switch is deployed for
production use. How a port is secured depends on its function.
• A simple method that many administrators use to keep unauthorized devices off the
network is to disable every unused port on the switch. Navigate to each unused port and
issue the Cisco IOS shutdown command. If a port must be reactivated later, it can be
enabled again with the no shutdown command.
• To configure a range of ports in one pass, use the interface range command:

Switch(config)# interface range type module/first-number - last-number
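As an added example (not a slide from the course), the following IOS session shuts down a group of unused ports on an assumed 24-port access switch and verifies the result; the port numbers and the description text are assumptions.

```cisco
! Added example: disable unused ports Fa0/13 through Fa0/24 in one pass.
! Port numbers and the description text are assumptions for illustration.
Switch# configure terminal
Switch(config)# interface range FastEthernet0/13 - 24
Switch(config-if-range)# description UNUSED - shut down per security baseline
Switch(config-if-range)# shutdown
Switch(config-if-range)# exit
! Non-contiguous ports can be grouped in the same command; separate the
! ranges with a comma surrounded by spaces.
Switch(config)# interface range FastEthernet0/5 - 6 , FastEthernet0/9
Switch(config-if-range)# shutdown
Switch(config-if-range)# end
! Verify: administratively shut ports show "disabled" in the Status column.
Switch# show interfaces status
! Persist the change so the ports stay down after a reload.
Switch# copy running-config startup-config
! Later, re-enable a single port only when it has been assigned a function.
Switch(config)# interface FastEthernet0/13
Switch(config-if)# description Printer - 2nd floor
Switch(config-if)# no shutdown
```

Checking `show interfaces status` after the change is the step most often skipped; it is the only quick way to confirm that no port in the range was missed and that the shutdown actually took effect.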

Implement Port Security
Mitigate MAC Address Table Attacks
The simplest and most effective method to prevent MAC address table overflow attacks is
to enable port security.
• Port security limits the number of valid MAC addresses allowed on a port. It allows an
administrator to manually configure MAC addresses for a port or to permit the switch
to dynamically learn a limited number of MAC addresses. When a port configured with
port security receives a frame, the source MAC address of the frame is compared to
the list of secure source MAC addresses that were manually configured or
dynamically learned on the port.
• By limiting the number of permitted MAC addresses on a port to one, port security can
be used to control unauthorized access to the network. Note that the check is on the
source MAC address only, which an attacker with physical access to the port can spoof;
port security defeats MAC flooding and casual device swaps, not a deliberate
impersonation of an authorized host.
Implement Port Security
Enable Port Security
Port security is enabled with the switchport port-security interface configuration command.

Notice in the example, the switchport port-security command was rejected. This is because
port security can only be configured on manually configured access ports or manually
configured trunk ports. By default, Layer 2 switch ports are in dynamic auto mode, in which
the port negotiates trunking with DTP rather than being a fixed access or trunk port, so IOS
rejects the command. Therefore, in the example, the port is first configured with the
switchport mode access interface configuration command.

Note: Trunk port security is beyond the scope of this course.
Implement Port Security
Enable Port Security (Cont.)
Use the show port-security interface command to display the current port security
settings for FastEthernet 0/1.
• Notice how port security is enabled, the violation mode is shutdown, and the maximum
number of MAC addresses is 1. These are the defaults.
• If a device is connected to the port, the switch automatically adds the device's MAC
address as a secure MAC. In this example, no device is connected to the port.

Note: If an active port is configured with the switchport port-security command while more
than one device is connected to that port, the port transitions to the error-disabled state,
because the default maximum of 1 is exceeded immediately and the default violation mode is
shutdown.
Implement Port Security
Enable Port Security (Cont.)
After port security is enabled, the remaining port security parameters (maximum number of
addresses, secure MAC addresses, violation mode and aging) are configured under the same
interface, as covered on the following slides.
Implement Port Security
Limit and Learn MAC Addresses
To set the maximum number of MAC addresses allowed on a port, use the following
command:

Switch(config-if)# switchport port-security maximum value

• The default maximum is 1.
• The largest value that can be configured depends on the switch model and the IOS
version.
• In this example, the maximum is 8192.
Implement Port Security
Limit and Learn MAC Addresses (Cont.)
The switch can be configured to learn the MAC addresses on a secure port in one of
three ways:
1. Manually Configured: The administrator configures a static secure MAC address by
using the following command once for each secure MAC address on the port:
Switch(config-if)# switchport port-security mac-address mac-address
2. Dynamically Learned: When the switchport port-security command is entered,
the current source MAC address of the device connected to the port is automatically
secured but is not added to the running configuration. If the switch is rebooted, the port
has to re-learn the device's MAC address.
3. Dynamically Learned - Sticky: The administrator can enable the switch to
dynamically learn MAC addresses and "stick" them to the running configuration by
using the following command:
Switch(config-if)# switchport port-security mac-address sticky
Saving the running configuration commits the sticky learned MAC addresses to NVRAM, so
they survive a reboot.
Implement Port Security
Limit and Learn MAC Addresses (Cont.)
The example demonstrates a complete port security configuration for FastEthernet 0/1.
• The administrator specifies a maximum of 4 MAC addresses, manually configures one
secure MAC address, and then configures the port to dynamically learn additional secure
MAC addresses up to the 4 secure MAC address maximum.
• Use the show port-security interface and the show port-security address commands to
verify the configuration.
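The following IOS session is an added reconstruction of the configuration described above (it is not the original slide's screenshot); the secure MAC address aaaa.bbbb.1234 is an assumed value for illustration.

```cisco
! Added example: complete port security configuration for Fa0/1.
! The static MAC address aaaa.bbbb.1234 is an assumed value.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
! Port security is rejected on a dynamic (DTP-negotiating) port, so set the mode first.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Allow up to 4 secure MAC addresses on this port (the default is 1).
Switch(config-if)# switchport port-security maximum 4
! Pin one address statically ...
Switch(config-if)# switchport port-security mac-address aaaa.bbbb.1234
! ... and let the remaining 3 be learned dynamically and written to the running
! configuration as sticky entries instead of being lost on reload.
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
! Verify: Port Security should read Enabled, Maximum MAC Addresses 4,
! Configured MAC Addresses 1, and the violation mode Shutdown (default).
Switch# show port-security interface FastEthernet0/1
! Verify the secure address table; the Type column shows SecureConfigured for
! the static entry and SecureSticky for the learned ones.
Switch# show port-security address
! Persist the sticky addresses; until this is done they exist only in running-config.
Switch# copy running-config startup-config
```

Running the two show commands immediately after the configuration, before any host is connected, gives a known-good baseline to compare against later when a violation is investigated.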
Implement Port Security
Port Security Aging
Port security aging sets the aging time for the static and dynamic secure addresses on a
port. Two types of aging are supported per port:
• Absolute - The secure addresses on the port are deleted after the specified aging time.
• Inactivity - The secure addresses on the port are deleted if they are inactive for the specified time.

Use aging to remove secure MAC addresses from a secure port without manually deleting
the existing secure MAC addresses, for example on ports where devices are swapped
periodically.
• Aging of statically configured secure addresses can be enabled or disabled on a per-port
basis; by default only dynamically learned addresses age.

Use the switchport port-security aging command to enable or disable static aging for
the secure port, or to set the aging time or type.

Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
Implement Port Security
Port Security Aging (Cont.)
The example shows an administrator configuring the aging type to inactivity with an aging
time of 10 minutes.

The show port-security interface command confirms the change.
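The following IOS session is an added example (not the slide's screenshot) of the aging configuration described above, extended to also age statically configured addresses; it assumes port security is already enabled on FastEthernet 0/1.

```cisco
! Added example: age out secure addresses on Fa0/1 after 10 minutes of inactivity.
! Assumes switchport port-security is already enabled on this port.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging time 10
! By default only dynamically learned addresses age. Include the statically
! configured addresses as well so a replaced device does not trip a violation.
Switch(config-if)# switchport port-security aging static
Switch(config-if)# end
! Verify: Aging Time should read 10 mins, Aging Type Inactivity, and
! SecureStatic Address Aging Enabled.
Switch# show port-security interface FastEthernet0/1
! To disable aging again, return the time to 0 (the default) and drop static aging.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport port-security aging time 0
Switch(config-if)# no switchport port-security aging static
```

Aging is a trade-off: the shorter the timer, the sooner a stale address frees a slot for a legitimate replacement device, but also the sooner an attacker can wait out a silent host and plug in unnoticed.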
Implement Port Security
Port Security Violation Modes
A security violation occurs when a frame arrives on a secure port with a source MAC
address that is not in the port's list of secure addresses and the maximum number of secure
addresses has already been reached, or when an address that is secured on one port appears
on another secure port in the same VLAN. In the default violation mode the port then
enters the error-disabled state.
• To set the port security violation mode, use the following command:
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

The following table shows how a switch reacts based on the configured violation mode.

Mode: shutdown (default)
The port transitions to the error-disabled state immediately, turns off the port LED, and
sends a syslog message. It increments the violation counter. When a secure port is in the
error-disabled state, an administrator must re-enable it by entering the shutdown and
no shutdown commands.

Mode: restrict
The port stays up but drops packets with unknown source addresses until you remove a
sufficient number of secure MAC addresses to drop below the maximum value or increase
the maximum value. This mode causes the Security Violation counter to increment and
generates a syslog message.

Mode: protect
This is the least secure of the security violation modes. The port drops packets with
unknown source MAC addresses until you remove a sufficient number of secure MAC
addresses to drop below the maximum value or increase the maximum value. No syslog
message is sent and the violation counter is not incremented, so violations in this mode
are invisible to monitoring.
Implement Port Security
Port Security Violation Modes (Cont.)
The example shows an administrator changing the security violation mode to restrict.

The output of the show port-security interface command confirms that the change has
been made.
Implement Port Security
Ports in error-disabled State
When a port is shut down and placed in the error-disabled state, no traffic is sent or
received on that port.
A series of port security related messages display on the console, as shown in the
following example. On Cisco IOS these are the %PM-4-ERR_DISABLE and
%PORT_SECURITY-2-PSECURE_VIOLATION messages (the latter names the offending
MAC address and port), followed by the link and line protocol going down; they are the
messages a syslog-based detection rule should key on.

Note: The port protocol and link status are changed to down and the port LED is turned off.
Implement Port Security
Ports in error-disabled State (Cont.)
• In the example, the show interfaces command identifies the port status as
err-disabled. The output of the show port-security interface command now shows the
port status as secure-shutdown, and the Security Violation counter has incremented by 1.
• The administrator should determine what caused the security violation. If an
unauthorized device is connected to the secure port, remove it (and treat the event as a
security incident) before re-enabling the port; otherwise the port will simply shut down
again.
• To re-enable the port, first use the shutdown command, then use the no shutdown
command.
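The following IOS session is an added example (not from the course) that covers both the violation-mode change described on the previous slides and the err-disabled recovery steps above. FastEthernet 0/1 is assumed, and the errdisable recovery commands at the end are standard IOS global commands that the slides do not cover.

```cisco
! Added example: handle a port that port security has placed in err-disabled.
! Fa0/1 is an assumed port.
! 1. Confirm the cause. The first command lists every err-disabled port with its
!    reason (psecure-violation); the second shows Port Status Secure-shutdown,
!    a non-zero Security Violation Count, and the offending MAC in
!    Last Source Address:Vlan.
Switch# show interfaces status err-disabled
Switch# show port-security interface FastEthernet0/1
! 2. Investigate the offending MAC address before restoring service: remove the
!    device, or add it as a secure address if it turns out to be legitimate.
!    Re-enabling the port without doing this just repeats the violation.
! 3. Re-enable: the port must be cycled. "no shutdown" alone has no effect,
!    because an err-disabled port is still administratively up.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
! 4. Optional: where taking the port down is unacceptable, use restrict so that
!    further violations are dropped, counted and logged but the port stays up.
!    Do not use protect here: it neither logs nor counts, so nothing is seen.
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# exit
! 5. Optional: automatic recovery after a timer, so a transient violation does not
!    need a manual visit. Keep syslog monitoring in place; auto-recovery hides
!    nothing, it only reopens the port, so the violation log is the alert.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
Switch# show errdisable recovery
```

Step 2 is the security-relevant one: the violation counter and the last source address are evidence, so record them before the shutdown/no shutdown cycle clears the state.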
Implement Port Security
Verify Port Security
After configuring port security on a switch, check each interface to verify that port
security is set correctly, and check that the static MAC addresses have been configured
correctly.

To display port security settings for the whole switch, use the show port-security command.
• The command lists only the interfaces on which port security is enabled. In the
example all 24 interfaces are listed, each with the default maximum of 1 and the default
violation mode of shutdown, which indicates that only the switchport port-security
command was entered on them.
• No devices are connected, therefore the CurrentAddr (Count) is 0 for each
interface.
Implement Port Security
Verify Port Security (Cont.)
Use the show port-security interface command to view details for a specific interface, as
shown previously and in this example.
Implement Port Security
Verify Port Security (Cont.)

To verify that MAC addresses are "sticking" to the configuration, use the show run
command as shown in the example for FastEthernet 0/19. Sticky addresses appear under the
interface as switchport port-security mac-address sticky lines that include the learned
MAC address.
Implement Port Security
Verify Port Security (Cont.)

To display all secure MAC addresses that are manually configured or dynamically learned
on all switch interfaces, use the show port-security address command as shown in the
example. The Type column distinguishes SecureConfigured, SecureDynamic and
SecureSticky entries, which is the quickest way to confirm which learning method is in
effect on each port.
Implement Port Security
Packet Tracer – Implement Port Security
In this Packet Tracer, you will complete the following objectives:
• Part 1: Configure Port Security
• Part 2: Verify Port Security
