Switch security configuration

Implement port security

Secure unused ports

A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch.

S1(config)# interface range fa0/8 - 24
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
(output omitted)
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
S1(config-if-range)#

If a port must be reactivated at a later time, it can be enabled with the no shutdown command.

Mitigate MAC address table attacks

The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security. Port security limits the number of valid MAC addresses allowed on a port. It allows an administrator to manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.

By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized access to the network, as shown in the figure.

Enable port security

Port security can only be configured on manually configured access ports or manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic auto (trunking on).

S1(config)# interface f0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end

Use the show port-security interface command to display the current port security settings. Notice how port security is enabled, the violation mode is shutdown, and how the maximum number of MAC addresses is 1. If a device is connected to the port, the switch will automatically add the device’s MAC address as a secure MAC. In this example, no device is connected to the port.

S1# show port-security interface f0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
S1#

Note: If an active port is configured with the switchport port-security command and more than one device is connected to that port, the port will transition to the error-disabled state.

After port security is enabled, other port security specifics can be configured, as shown in the example.

S1(config-if)# switchport port-security ? 
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

Limit and learn MAC addresses

To set the maximum number of MAC addresses allowed on a port (default is one), use the following command:

Switch(config-if)# switchport port-security maximum <value> 

The switch can be configured to learn about MAC addresses on a secure port in one of three ways:

Manually configured

Switch(config-if)# switchport port-security mac-address <mac-address>

Dynamically learned

When the switchport port-security command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the startup configuration. If the switch is rebooted, the port will have to re-learn the device’s MAC address.

Dynamically Learned – Sticky

The administrator can enable the switch to dynamically learn the MAC address and “stick” them to the running configuration by using the following command:

Switch(config-if)# switchport port-security mac-address sticky 

Saving the running configuration will commit the dynamically learned MAC address to NVRAM.