Using Port Security to Mitigate Layer 2 Attacks

Get rid of MAC flooding attacks on your switch, and the many other attacks that compromise your network security, by implementing switch port security.
This article covers the issues to consider when configuring port security on a switch and shows how to configure port security in Cisco IOS, for both static and dynamic port security.

Port Security

A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and perform information gathering or attacks. On an unprotected switch we can expect the attacker to easily perform a MAC address flooding attack, which overflows the switch's address table and makes the switch behave like a hub: every system connected to the switch can potentially see all traffic passing through the switch to every other connected system. An attacker could collect traffic containing user data and private information, passwords, or configuration information about the machines on the network.

All switch ports or interfaces should have port security enabled before the switch is deployed into production. Port security limits the number of valid MAC addresses allowed on a port. When you assign secure MAC addresses to a secure port, the switch will not accept frames from machines whose source MAC address differs from the MAC addresses you configured as secure. In other words, you decide which machines, with which specific MAC addresses, can access the switch through that port.

If you limit the number of secure MAC addresses to one address and assign a single secure MAC address to that port, the machine attached to that port is assured the full bandwidth of the port, and only that machine with that particular secure MAC address can successfully connect to that switch port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, a security violation occurs when the MAC address of a machine attempting to access the port is different from any of the identified secure MAC addresses.

Secure MAC Address Types

There are three different types of secure MAC addresses, which means there are three ways to configure port security. Now we will see what the difference is and how you can configure each of them on a Cisco switch:

  • Static secure MAC addresses: MAC addresses are manually configured on the switch with the interface configuration command (Cisco IOS expects the address in dotted hexadecimal H.H.H format):
    Switch1(config)#interface FastEthernet 0/1
    Switch1(config-if)#switchport port-security mac-address 0123.4668.88ab

    MAC addresses configured in this way are stored in the address table and added to the running configuration of the switch.

  • Dynamic secure MAC addresses: MAC addresses are dynamically learned by the switch and stored only in the address table. MAC addresses learned in this way are removed when the switch restarts.
  • Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save those addresses to the running configuration.
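The following is an added example, not taken from the original article, that puts the static and the dynamic variants side by side as complete access-port configurations. The interface names, the VLAN number and the MAC address are constructed for illustration; the point it adds to the list above is that port security must first be enabled on an access port (`switchport mode access`, then `switchport port-security`) before a secure address or a maximum can be applied, and that `show port-security` is how you confirm what the switch actually secured.

```cisco
! Added example (values constructed): static port security on FastEthernet 0/1,
! exactly one host, identified by a manually configured secure MAC address
Switch1(config)#interface FastEthernet 0/1
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 10
Switch1(config-if)#switchport port-security
Switch1(config-if)#switchport port-security maximum 1
Switch1(config-if)#switchport port-security mac-address 0011.2233.4455
Switch1(config-if)#exit
!
! Added example (values constructed): dynamic port security on FastEthernet 0/2,
! the first two source MAC addresses seen are secured, but not saved to the config
Switch1(config)#interface FastEthernet 0/2
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 10
Switch1(config-if)#switchport port-security
Switch1(config-if)#switchport port-security maximum 2
Switch1(config-if)#end
!
! Verify the per-port settings and which addresses were secured (and how: static or dynamic)
Switch1#show port-security interface FastEthernet 0/1
Switch1#show port-security address
```

On the dynamic port, `show port-security address` will show the learned entries as dynamic; after a reload they are gone and the port learns the next two addresses it sees, which is the behaviour the sticky type described in the next section is designed to avoid.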

Sticky MAC Addresses

Sticky secure MAC addresses have interesting characteristics. When you enable sticky learning on a switch interface, the interface converts all dynamic secure MAC addresses, including those learned before sticky learning was enabled, to sticky secure MAC addresses and adds all of them to the running configuration. You enable it by typing:

Switch1(config)#interface FastEthernet 0/1
Switch1(config-if)#switchport port-security mac-address sticky

If you decide to disable sticky learning by using:

Switch1(config)#interface FastEthernet 0/1
Switch1(config-if)#no switchport port-security mac-address sticky

the sticky secure MAC addresses remain in the address table but are removed from the running configuration. When you configure sticky secure MAC addresses manually with the configuration command:

Switch1(config)#interface FastEthernet 0/1
Switch1(config-if)#switchport port-security mac-address sticky mac-address

these addresses are added to both the address table and the running configuration. If port security is then disabled, the sticky secure MAC addresses remain in the running configuration. If you save the sticky secure MAC addresses to the startup configuration file, the interface does not need to relearn them when the switch restarts or the interface shuts down. If you do not save them, they are lost.

If you disable sticky address learning and try to enter the:

Switch1(config-if)#switchport port-security mac-address sticky mac-address

interface configuration command, an error message appears and the sticky secure MAC address is not added to the running configuration.
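As an added example (not from the original article), here is the full sticky-learning workflow on one port, from enabling sticky learning to persisting the learned addresses. The interface name and the maximum are constructed; the step the section above states but does not show is the final `copy running-config startup-config`, without which the sticky addresses are lost at the next reload.

```cisco
! Added example (values constructed): sticky learning on FastEthernet 0/3
Switch1(config)#interface FastEthernet 0/3
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport port-security
Switch1(config-if)#switchport port-security maximum 2
Switch1(config-if)#switchport port-security mac-address sticky
Switch1(config-if)#end
!
! Once the attached hosts have sent traffic, each learned address appears in the
! running configuration as: switchport port-security mac-address sticky H.H.H
Switch1#show running-config interface FastEthernet 0/3
Switch1#show port-security address
!
! Persist the learned addresses; after this the interface does not relearn them
! on reload. Unsaved sticky addresses disappear when the switch restarts.
Switch1#copy running-config startup-config
```

Review the sticky entries in the running configuration before saving: whatever MAC addresses happened to be plugged in at learning time become the permanently authorised set for that port.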

Security Violation Modes

We said earlier in this article that a switch configured with port security and a maximum number of secure MAC addresses will raise a security violation when that maximum is exceeded. A security violation is triggered when either of these situations occurs:

  • The maximum number of secure MAC addresses have been added to the switch address table, and a machine whose MAC address is not in the address table attempts to access the interface.
  • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

You can configure the interface for one of three violation modes, depending on what you want the switch to do when a violation occurs.

  • protect: When the number of secure MAC addresses on the switch port reaches the configured limit, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the maximum number of allowed addresses.
    The main characteristic of this mode is that you, as the network administrator, are not notified that a security violation has occurred.
  • restrict: When the number of secure MAC addresses on the switch port reaches the configured limit, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the maximum number of allowed addresses. In this mode you are notified that a security violation has occurred: an SNMP trap is sent, a syslog message is logged, and the violation counter increments. These mechanisms notify you about the security violation on the switch port.
  • shutdown: A port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, increments the violation counter and logs a syslog message. When a secure port is in the error-disabled state, you can bring it back up by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
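As an added example, not part of the original article, the configuration below sets a different violation mode on two ports and wires up the notification and recovery side that the list above describes in prose. The interface names and the syslog server address (from the 192.0.2.0/24 documentation range) are constructed. The `errdisable recovery` commands are an assumption about the operator's preference: they let a port shut down by a violation come back automatically after a fixed interval, which avoids the manual shutdown / no shutdown cycle but also means a persistent offender is re-blocked every interval rather than staying off the network.

```cisco
! Added example (values constructed): choose the violation mode per port
Switch1(config)#interface FastEthernet 0/1
Switch1(config-if)#switchport port-security violation restrict
Switch1(config-if)#exit
Switch1(config)#interface FastEthernet 0/2
Switch1(config-if)#switchport port-security violation shutdown
Switch1(config-if)#exit
!
! Make sure the restrict/shutdown notifications actually reach someone:
! send port-security SNMP traps and forward syslog to a collector
Switch1(config)#snmp-server enable traps port-security
Switch1(config)#logging host 192.0.2.10
!
! Optional (assumed preference): re-enable ports err-disabled by a
! port-security violation after 300 seconds instead of by hand
Switch1(config)#errdisable recovery cause psecure-violation
Switch1(config)#errdisable recovery interval 300
Switch1(config)#end
!
! Check the configured mode, the violation counter and whether the port is
! currently err-disabled; the second command lists recovery timers per port
Switch1#show port-security interface FastEthernet 0/2
Switch1#show errdisable recovery
```

When deciding between modes, note that protect gives you no signal at all, so a flooding attempt on a protect-mode port is invisible unless you are polling the violation counter; restrict or shutdown, with traps and syslog forwarded, is what makes the event detectable.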
