Cybersecurity For Beginners: Cisco Port Security Configuration

Configuring Port Security

This feature lets you put a limit on the number of MAC addresses a port can learn and also specify exactly which MAC addresses are allowed on a given port. It is effectively layer 2 security: it complements physical security and lets you define policy for who can connect to a particular switch port and how many machines can connect to it.

The configuration is fairly straightforward. It starts with the switchport port-security command at the interface configuration level, followed by keywords that let you customize and tune how the feature works. Let us look at some of those options through a standard example configuration. Here we are configuring interface fa0/5. The first thing you need to do is make the port an access port, as opposed to a trunk port; an access port is one that connects to endpoints such as workstations and laptops. The second step is to enable port security: even though the keyword variants of the command configure port security, the feature itself is only turned on by entering switchport port-security with no other keywords. The third step is to define the maximum number of MAC addresses with the same command; switchport port-security maximum 1 means only one MAC address will be allowed to connect and be learned through that port.

Switch(config)#interface fa0/5
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security violation shutdown

As we know, switches learn MAC addresses, so this is dynamic. Once the switch has learned MAC addresses up to the maximum, it will not accept any beyond that number, and you can set that number to one or more. You could set it to five or ten, for instance, to control how many machines can connect to the port. If the switch reloads, those dynamically learned MAC addresses are forgotten. If you want them remembered across switch reloads, you have to make them sticky with the sticky keyword.

With sticky configured and a machine connected to the port, the switch learns the MAC address dynamically and then writes it into the switch's configuration file as a command, so it is retained across reboots. Finally, you need to define the action to take when the maximum limit is violated. The violation keyword gives you several options: shutdown effectively shuts down the port, which then requires manual intervention by the administrator to re-enable it. There are other options as well, such as disabling the port temporarily, or leaving the port enabled but sending a syslog message so that administrators know the limit has been reached.

After port security has been configured, you can display the settings and status with a show command, either for all interfaces or for a specific interface as in this example, and you can add the address keyword to display the secured MAC addresses per interface. The basic command shows whether port security is enabled on the interface and what its status is. In this case, Secure-up means that no security violations have occurred. The violation mode is shutdown, so as soon as an unknown MAC address appears or the number of MAC addresses on the connected port exceeds the limit, the switch port will be shut down.

The output also shows the aging time, a value in minutes after which registered MAC addresses time out without having to be removed manually; the aging type in this case is absolute. Finally, it shows the maximum number of MAC addresses, the total number currently learned on the port, whether sticky addresses are configured, and the number of security violations that have occurred on the switch port.

Securing Unused Ports

Best practice calls for securing unused ports on a switch, because they create a security hole: again, ports are enabled by default. If DHCP is running on a network and you are not providing physical security, or your physical security policies are inconsistent, an unused port could allow unwanted access into the network. The best practice is to disable the interfaces of unused ports.

For that we use the shutdown command, entering interface configuration mode and shutting down the specific interfaces. In more recent versions of the IOS operating system you can specify ranges of interfaces, enter a range configuration mode, and shut down multiple interfaces at once. Remember that you can enable an interface again with the no form of the command: shutdown administratively disables the interface, and no shutdown administratively enables it.
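To check that both practices above (port security on access ports, shutdown on unused ports) are actually applied across a switch, the following added example audits a saved running-config. It is not from the original page; the config text is constructed, and the rule that an up port with no switchport mode line counts as unused is an assumption of this script.

```python
import re

# Constructed sample running-config (not from the page): one compliant access
# port, one access port without port security, one unused port shut down,
# and one unused port left up.
SAMPLE_CONFIG = """\
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/6
 switchport mode access
!
interface FastEthernet0/7
 description unused
 shutdown
!
interface FastEthernet0/8
!
"""

def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from IOS running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces

def audit(config):
    """Flag access ports lacking port security / sticky, and unused ports left up."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        issues = []
        if "shutdown" in cmds or "switchport mode trunk" in cmds:
            continue  # disabled port, or an uplink (out of scope here)
        if "switchport mode access" in cmds:
            if "switchport port-security" not in cmds:
                issues.append("port-security not enabled")
            elif "switchport port-security mac-address sticky" not in cmds:
                issues.append("learned MACs not sticky (lost on reload)")
        else:
            issues.append("unused port not shut down")  # assumption: no mode line = unused
        if issues:
            findings[name] = issues
    return findings
```

Run audit(SAMPLE_CONFIG) to get a dict of only the non-compliant interfaces; feed it the text of show running-config from a real switch to audit that device.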
