learned and statically configured addresses. When this feature is configured on an interface, the interface converts dynamically learned addresses to “sticky secure” addresses. The addresses are added to the running configuration as if they were configured using the switchport port-security mac-address command.

Scenario

Imagine five individuals whose laptops are allowed to connect to a specific switch port when they visit an area of the building. We want to restrict switch port access to the MAC addresses of those five laptops and allow no addresses to be learned dynamically on that port. Figure describes the process for achieving this.

Note: Port security cannot be applied to trunk ports where addresses might change frequently. Implementations of port security vary by Cisco Catalyst platform. Check your documentation to see if and how your particular hardware supports this feature.
8.1 Understanding Switch Security Issues

8.1.6 Configuring Port Security on a Switch

Figure describes what is involved in configuring port security to limit switch port access to a finite, specific set of end-device MAC addresses. Figure lists the configuration steps.
You should be aware of the following things:

Step 1: Port security is enabled on a port-by-port basis.

Step 2: By default, only one MAC address is allowed access through a given switch port when port security is enabled. This parameter increases that number. It places no restriction on specific MAC addresses, just on the total number of addresses that can be learned by the port. Learned addresses are not aged out by default, but can be configured to do so after a specified time using the switchport port-security aging command. The value parameter can be any number from 1 to 1024, with some restrictions regarding the number of ports on a given switch with port security enabled.

Note: Be sure to set the value parameter to 2 when you are configuring a port to support VoIP, because both a phone and a computer must be accessible on the port. If the default value is used, a port security violation occurs.

Step 3: Access to the switch port can be restricted to one or more specific MAC addresses. If the number of MAC addresses assigned is lower than the value parameter set in Step 2, the remaining allowed addresses can be learned dynamically. If you specify a set of MAC addresses that is equal to the maximum number allowed, access is limited to that set of MAC addresses.

Step 4: By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions:
- Protect: Frames from the non-allowed address are dropped, but there is no log of the violation.
  Note: The protect argument is platform or version dependent.
- Restrict: Frames from the non-allowed address are dropped, a log message is created, and a Simple Network Management Protocol (SNMP) trap is sent.
- Shut down: If any frames are seen from a non-allowed address, the interface is errdisabled, a log entry is made, an SNMP trap is sent, and manual intervention or errdisable recovery must be used to make the interface usable.
Use show commands to verify the port security configuration. The show port-security command lists the ports on which port security has been enabled. It also displays count information and security actions to be taken per interface. The full command syntax is as follows:

Switch#show port-security [interface interface_id] address

You can view port security status by interface or by the addresses associated with port security on all interfaces. Figure displays output from the show port-security command when you do not enter an interface. Use the interface keyword to provide output for a specific interface. Figure displays output from the show port-security command for a specified interface. Use the address keyword to display MAC address table security information. Figure displays output from the show port-security address privileged EXEC command. The Remaining Age column is populated only if specifically configured for a given interface.
8.1.7 Port Security with Sticky MAC Addresses

Port security can be used to mitigate spoof attacks by limiting access through each switch port to a single MAC address. This prevents intruders from using multiple MAC addresses over a short period of time but does not limit port access to a specific MAC address. The most restrictive port security implementation would specify the exact MAC address of the single device that is to gain access through each port. Implementing this level of security, however, requires considerable administrative overhead.

Port security has a feature called “sticky MAC addresses” that can limit switch port access to a single, specific MAC address without the network administrator having to determine the MAC address of every legitimate device and manually associate it with a particular switch port. When sticky MAC addresses are used, the switch port converts dynamically learned MAC addresses to sticky MAC addresses, and adds them to the running configuration as if they were static entries for a single MAC address allowed by port security.

Sticky secure MAC addresses are added to the running configuration but do not become part of the startup configuration file, unless the running configuration is copied to the startup configuration after addresses have been learned. If they are saved in the startup configuration, they do not have to be relearned when the switch is rebooted, which provides a higher level of network security.

The following command converts all dynamic port security–learned MAC addresses to sticky secure MAC addresses:

switchport port-security mac-address sticky

This command cannot be used on ports where voice VLANs are configured.
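The four configuration steps from 8.1.6, the VoIP note, the sticky conversion from this section and the verification commands, brought together in one configuration as an added example (not taken from the course figures); interface names, VLAN numbers, the MAC address and the aging timer are assumed values.

```cisco
! Added example, not course material. Interface names, VLANs, the MAC
! address and timers are assumed values.
!
! Port 1 carries an IP phone and a PC, so the maximum must be 2 (Step 2
! note); with the default of 1 the second device would cause a violation.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Step 1: enable port security on this port only
 switchport port-security
 ! Step 2: two addresses in total (phone + PC)
 switchport port-security maximum 2
 ! Step 3: pin the PC statically; the one remaining address (the phone)
 ! may still be learned dynamically
 switchport port-security mac-address 0011.2233.4455
 ! Step 4: drop offending frames, log and send an SNMP trap, but keep the
 ! port up ("protect" would drop silently with no record of the violation)
 switchport port-security violation restrict
 ! age the dynamically learned address after 10 minutes without traffic
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Port 2 has a single PC and no voice VLAN, so sticky learning is allowed
! (sticky cannot be used where a voice VLAN is configured, see 8.1.7)
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ! default action: errdisable the port on a violation
 switchport port-security violation shutdown
 ! the first address learned becomes a sticky secure address
 switchport port-security mac-address sticky
!
! Sticky addresses exist only in running-config until saved; save them so
! they survive a reload (privileged EXEC, not config mode):
!   copy running-config startup-config
! Verify per 8.1.6 (privileged EXEC):
!   show port-security
!   show port-security interface FastEthernet0/1
!   show port-security address
```

After a reload, show port-security address on FastEthernet0/2 should still list the sticky entry only if the copy was made after the address was learned.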
8.1.8 Authentication, Authorization, and Accounting

Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which access control is set up on a switch. AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing these services. For purposes of this course, only authentication is discussed.

Authentication is the way a user is identified before being allowed access to the network and network services. AAA authentication is configured by defining a list of named authentication methods and then applying that list to various interfaces. The method list defines the types of authentication to be performed and in which sequence they are performed. The method list must be applied to a specific interface before any of the defined authentication methods are performed. If there is no defined method list, the default method list (named “default”) is applied. A defined method list overrides the default method list.

In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or 802.1x to administer security functions. If the switch is acting as a network access server, AAA is the means through which a switch establishes communication between the network access server and the RADIUS, TACACS+, or 802.1x security server.
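A login authentication configuration showing the method-list rules described above (a default list, a named list that overrides it on the line where it is applied, and the switch as RADIUS client), added here as an example and not taken from the course; the server address, shared key, local credentials and list name are assumed values.

```cisco
! Added example, not course material. Server address, shared key, local
! username/password and the list name CONSOLE are assumed values.
aaa new-model
!
! RADIUS server this switch (as network access server) authenticates against
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key AssumedSharedKey
!
! Default method list: RADIUS first, then the local user database.
! In IOS AAA the next method is tried only when the previous one returns
! an ERROR (server unreachable); a FAIL (wrong password) ends the attempt,
! so the local fallback does not weaken RADIUS password checking.
aaa authentication login default group radius local
!
! Named list: console logins use only the local database, so the switch
! stays manageable on the console when the RADIUS server is down.
! Where applied, this list overrides "default".
aaa authentication login CONSOLE local
!
username admin privilege 15 secret AssumedLocalPassword
!
! No "login authentication" statement here, so the "default" list applies
line vty 0 4
 transport input ssh
!
! Apply the named list to the console line
line con 0
 login authentication CONSOLE
!
```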
8.1.9 Authentication Methods

The AAA security services facilitate a variety of login authentication methods. The list-name argument is the name of the list being created. The method argument refers to the actual method the authentication algorithm tries. Additional authentication methods are used only if the previous method returns an error, not if it fails. For example, to specify RADIUS as the default method for user authentication during login, enter the following command: