Port Security Basics

Security

Overview:

Catalyst switch port security is so often recommended. This is because of a couple of important points:

  • There are many attacks that are simple to carry out at Layer 2.
  • There tends to be a gross lack of security at Layer 2.
  • Port Security can guard against so many different types of attacks. Just a few to mention are MAC flooding, MAC spoofing, and rouge DHCP and APs.

There are often two main points that are confusing for engineers about this feature, however.

1.What is Sticky Learning and how does it work?

2.What is the difference between the different violation modes and how can I remember them?

Port Security Sticky Learning:

Sticky learning is a convenient way to set static MAC address mappings for MAC addresses that you allow on your network. What you do is confirm that the correct devices are connected to the appropriate switch ports. You then turn on sticky learning and the port security feature itself, for example:

switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security

Now what happens is the 2 MAC addresses for the two devices you trust (perhaps an IP Phone and a PC) are dynamically learned by the switch. The switch automatically writes static port security entries in the running configuration for those two devices. All you have to do is save the running configuration, and poof, you are now configured with the powerful static MAC port security feature.

Please note that it is easy to forget to actually turn on port security after setting the parameters. This is what the third line is doing in the configuration above. Always use your show port-security commands to confirm you remembered this important step of the process!

This post continues – be sure to click Read More below!

E-Book Deal of the Day!icon

Port Security Violation Modes:

The violation modes are Shutdown, Protect, and Restrict. Shutdown is the default and the most severe. If there is a violation, the port is error-disabled and notifications are sent (SNMP traps can be used and violation counters are incremented, etc.). With Restrict mode, the bad MAC cannot communicate on the port, but the port does not error-disable. There are notifications sent. With the Protect mode, the bad MAC cannot communicate and there is no error-disabling, but the problem is, there are no notifications sent. Cisco does not recommend this mode as a result. Why do they even present it to us as an option? Only John Chambers knows…

How can you remember these easily? Just think of the alphabet. P the R then S gives you the levels of severity. 🙂 Thanks to @kbarker for that one.

There is also a shutdown VLAN option by the way that would allow you to target, let’s say a data VLAN and leave the Voice VLAN alone. Cool.

Want even more information on port security? Check this out!

 

9 thoughts on “Port Security Basics

  1. Hi Anthony. Great and informative post as usual. Just to mention that port-security works on access and trunk ports.
    I am taking my ccna r&s next week. I have been using loot of your videos. I wiil keep u update how it went.

  2. Hello Mr SEQUEIRA,

    I hope you are fine.

    Please a question for you the Expert 🙂

    I’m preparing for my CCIE Security written exam and I’m planning to pass it in June 2016.
    I’m focusing now on the “Cisco ASA All-in-One Next Generation Firewall, IPS and VPN Services” Third Edition. Because it covers a lot of topics.

    What you recommend me for this exam: most theory and less labs or 50% for each?

    Thank you for your time to help others.

    Best regards.

    1. The exam is like 75% theory – so yes – it is time to focus on theory for all of those areas. The exam is very difficult because of the scope of the exam – make sure you study all areas in the large blueprint.

  3. thanks Anthony, I’m up to chapter 12 of your book. It took me a while but down to the home stretch.

Leave a Reply

Your email address will not be published.