3. Port security
3.1. Enabling port security
In our switch, we set all ports on VLAN 10. For most interfaces, we set:
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
For most interfaces, but not for all:
- I noticed some strange behaviour when the Raspberry Pi boots. It triggers a port security violation, but only sometimes.
- I do not have a console cable, so I left port 23 and port 24 without port security to prevent locking myself out.
Let's examine the configuration.
switchport access vlan 10
In these older IOS versions, port security can only be applied to access ports.
switchport port-security
switchport port-security mac-address sticky
This defines the port security.
Here, we have chosen to use sticky. You have the following options:
type | command | explanation
--- | --- | ---
fixed | switchport port-security mac-address xxxx.yyyy.zzzz | Puts a fixed MAC ID on the port
sticky | switchport port-security mac-address sticky | Allows the MAC ID to be dynamically learned and stores the MAC ID in the config
dynamic | (no additional command) | Allows the MAC ID to be dynamically learned but does not store the MAC ID in the config
In general, sticky will be the preferred option. If you have a very good administration
of devices, MAC IDs and cabling, fixed could be an option.
Dynamic is the default.
There are some additional options, for which I have chosen the default.
switchport port-security maximum 1
Defines the maximum number of MAC IDs allowed on the port. The default is 1.
switchport port-security violation {protect | restrict | shutdown}
Default is shutdown; this means that if a port has a violation, it will be closed.
Options are:

mode | behaviour
--- | ---
protect | Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
restrict | Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, and causes the SecurityViolation counter to increment.
shutdown | Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.
You can also put some aging parameters on the port security. When the aging type
is configured with the absolute keyword, all the dynamically learned secure addresses age out when
the aging time expires. When the aging type is configured with the inactivity keyword,
the aging time defines the period of inactivity after which all the dynamically learned secure addresses
age out. I have not tried this.
3.2. And testing it...
I have tested two scenarios with mac-address sticky.
3.2.1. Abusing the port and restoring the original situation
In this scenario, we removed one of the fixed computers and attached the rogue laptop. If the
laptop is blocked, we put back the original computer.
This is our original situation (an extract from sh run for the two interfaces):
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky 0080.6494.adba
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky 0080.6494.b208
The two MAC addresses were dynamically learned.
So now we put our rogue laptop on the switch. The port will be blocked and in our syslog we see:
Oct 3 16:10:09 192.168.10.1 311: 08:51:11: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Oct 3 16:10:10 192.168.10.1 312: 08:51:11: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 847b.eb43.c06d on port FastEthernet0/1.
Putting the cable back in the original computer will still block any traffic; the port is still shut.
To get things working again, we have to issue:
config t
int fa0/1
shut
no shut
end
Which will result in the following syslog:
Oct 3 13:11:41 192.168.10.1 182: 05:52:42: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.10.13)
Oct 3 13:12:31 192.168.10.1 183: 05:53:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Oct 3 13:12:32 192.168.10.1 184: 05:53:32: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Oct 3 13:12:36 192.168.10.1 185: 05:53:37: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Oct 3 13:12:36 192.168.10.1 186: 05:53:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Now the port is back up after some manual intervention.
3.2.2. Put a new device in
This time, we do not put in a rogue laptop, but a replacement device.
Attaching the device will of course lead to a port security violation:
Oct 3 23:49:53 192.168.10.1 678: 3d01h: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
Oct 3 23:49:54 192.168.10.1 679: 3d01h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 847b.eb43.c06d on port FastEthernet0/2.
This time, we not only need to reset the port, but will also need to remove the sticky
MAC ID to allow a new one to be learned:
config t
int fa0/2
shut
no switchport port-security mac-address sticky 0080.6494.b208
no shut
end
And, as expected, the new MAC ID is learned and the port comes back up.
3.3. Some problems I encountered
If the MAC ID of computer_1 is allowed on Fa0/1, connecting that computer to a new port (for example Fa0/5) will cause
a port security violation. In other words: if your computer connects to a specific port, you cannot
just connect it to another port. This means that you need to keep an administration of which port has which MAC ID.
For some inexplicable reason, port-security sticky sometimes did not learn the MAC ID correctly. A reload of the
switch did nothing to improve the situation. I had to remove all cables, remove all MAC IDs and disable/re-enable
port security to get everything working again.
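The violation scenarios in 3.2 and the moved-computer problem in 3.3 both show up in syslog the same way, so keeping the "administration of which port has which MAC ID" can be automated. This added example (not part of the original article) parses the sticky entries from a sh run extract and then classifies each %PORT_SECURITY-2-PSECURE_VIOLATION line as either a known computer on the wrong port or a MAC ID the switch has never stored; the config and syslog samples are constructed from the article's own output, and the third syslog line is a constructed "known device moved" case.

```python
import re

# Constructed sample: sticky entries as they appear in "sh run" (MAC IDs from the article).
SAMPLE_RUN_CONFIG = """\
interface FastEthernet0/1
 switchport port-security mac-address sticky 0080.6494.adba
interface FastEthernet0/2
 switchport port-security mac-address sticky 0080.6494.b208
"""

# Constructed sample syslog in the format the switch produced above; the third line
# is a constructed case of a known computer plugged into a different port.
SAMPLE_SYSLOG = """\
Oct 3 16:10:09 192.168.10.1 311: 08:51:11: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Oct 3 16:10:10 192.168.10.1 312: 08:51:11: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 847b.eb43.c06d on port FastEthernet0/1.
Oct 3 16:20:00 192.168.10.1 313: 09:01:01: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0080.6494.b208 on port FastEthernet0/5.
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")
STICKY_RE = re.compile(r"port-security mac-address sticky ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
VIOLATION_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (\S+) on port (\S+)")


def parse_sticky_macs(run_config):
    """Return {interface: sticky MAC} from the running-config text."""
    macs = {}
    current = None
    for line in run_config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)   # remember which interface block we are in
            continue
        m = STICKY_RE.search(line)
        if m and current:
            macs[current] = m.group(1)
    return macs


def classify_violations(syslog, sticky_macs):
    """For each PSECURE_VIOLATION line: (port, mac, verdict), verdict telling whether
    the MAC belongs to a known device on another port or is unknown to the switch."""
    port_of = {mac: port for port, mac in sticky_macs.items()}
    findings = []
    for line in syslog.splitlines():
        m = VIOLATION_RE.search(line)
        if not m:
            continue               # ERR_DISABLE and other messages carry no MAC
        mac, port = m.group(1), m.group(2).rstrip(".")
        verdict = f"known device moved from {port_of[mac]}" if mac in port_of else "unknown MAC"
        findings.append((port, mac, verdict))
    return findings
```

The "known device moved" verdict is the 3.3 case, where the fix is to move the sticky entry rather than treat the event as an intruder; "unknown MAC" is the 3.2.1 case and deserves a look before the port is re-enabled.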