Tuesday, 19 September 2023

Port Security

+ Port Security is an important feature on switches.

+ The network admin is responsible for protecting switchports from unauthorized access.

+ A security breach happens when someone tries to connect their own device/laptop to an office internal switch.

+ So how do we protect internal network switchports from unauthorized access? Or rather, what is the thing that helps a network admin achieve switchport security?

  THE ANSWER IS "MAC ADDRESS"

+ Yes, on the basis of MAC address a network admin can restrict / allow workstations to access the internal network of the organization.

What all things can a Network Admin control using Port Security - 

+ Limit the maximum number of MAC addresses allowed on the switchport.

Default value is 1

+ Configure the MAC address(es) to be allowed on the switchport -

This can be done Static or Dynamic (Sticky)

Static - The network admin defines by hand which MAC address is allowed on the switchport.

Dynamic (Sticky) - The MAC address dynamically learned on the switchport is recorded (it is written into the running configuration as a secure address), and only that MAC address / those MAC addresses are allowed on the switchport.

+ Configure Violation Mode

1) Protect - Ignores unknown MAC addresses: their frames are DROPPED silently, with no notification.

2) Restrict - DROP + Trap (SNMP trap / syslog message) | Also increments the violation counter

3) Shutdown - Err-Disable the port + Trap | Also increments the violation counter

SHUTDOWN IS THE DEFAULT AND THE MOST AGGRESSIVE

WHERE TO APPLY SWITCHPORT SECURITY?

ON A TRUNK OR AN ACCESS PORT --> THE ANSWER IS ACCESS.

Because a trunk port carries the MAC addresses of many devices across VLANs, there is no point in allowing or restricting individual MAC addresses on such a port. This is also why the lab sets "switchport mode access" before enabling port-security: IOS refuses to enable it on a port whose mode is still dynamic.
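To make the rules above concrete, here is an added example (written for this page, not Cisco code and not from the original post): a small Python model of an access port with port-security, covering the maximum, static versus learned addresses, the three violation modes and the shut / no shut recovery. The class and function names, the trap text and the rule that only sticky addresses survive a link going down are modelling assumptions; the two MAC addresses used are the PC1 and PC5 addresses that appear in the lab output later on this page.

```python
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    """One access port with port-security enabled (a model, not Cisco code)."""
    name: str
    maximum: int = 1            # IOS default: one secure address per port
    violation: str = SHUTDOWN   # IOS default violation mode
    sticky: bool = False        # True models "switchport port-security mac-address sticky"
    static: set = field(default_factory=set)    # addresses given with "mac-address <mac>"
    learned: set = field(default_factory=set)   # addresses learned from traffic
    status: str = "secure-up"
    violation_count: int = 0
    traps: list = field(default_factory=list)   # modelled trap / syslog messages

    def secure_macs(self) -> set:
        return self.static | self.learned

    def configure_static(self, mac: str) -> None:
        """Model of 'switchport port-security mac-address <mac>'."""
        mac = mac.lower()
        if mac not in self.secure_macs() and len(self.secure_macs()) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure address(es) already reached")
        self.static.add(mac)

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving with source MAC src_mac."""
        mac = src_mac.lower()
        if self.status == "err-disabled":
            return "drop"                     # link is down, nothing is forwarded
        if mac in self.secure_macs():
            return "forward"                  # known secure address
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(mac)             # room left: learn it (dynamic or sticky)
            return "forward"
        # Unknown source address on a port that is already at its maximum: a violation.
        if self.violation == PROTECT:
            return "drop"                     # silent drop: no counter, no trap
        self.violation_count += 1
        # Message text only approximates the IOS %PORT_SECURITY-2-PSECURE_VIOLATION syslog.
        self.traps.append(f"PSECURE_VIOLATION: {mac} on {self.name}")
        if self.violation == SHUTDOWN:
            self.status = "err-disabled"      # stays down until an operator recovers it
        return "drop"

    def shut_no_shut(self) -> None:
        """Operator recovery ('shut' then 'no shut'). Modelling assumption: dynamically
        learned addresses do not survive the link going down; sticky and static ones do."""
        if not self.sticky:
            self.learned.clear()
        self.status = "secure-up"


def walk_violation_modes() -> dict:
    """Replay the lab on fa0/2 for all three modes: PC1 is the allowed host and
    PC5 (MAC taken from the post's output) sends three frames. Returns per-mode results."""
    results = {}
    for mode in (SHUTDOWN, RESTRICT, PROTECT):
        port = SecurePort("Fa0/2", maximum=1, violation=mode)
        port.configure_static("00d0.bc4b.05ad")                         # PC1
        assert port.receive("00d0.bc4b.05ad") == "forward"              # PC1 traffic passes
        verdicts = [port.receive("000c.cfa0.731e") for _ in range(3)]   # PC5, three frames
        results[mode] = (verdicts, port.status, port.violation_count, len(port.traps))
    return results


if __name__ == "__main__":
    for mode, (verdicts, status, count, traps) in walk_violation_modes().items():
        print(f"{mode:9s} verdicts={verdicts} status={status} violations={count} traps={traps}")
```

Running it shows the difference that matters operationally: shutdown records one violation and takes the port down, restrict keeps the port up and counts every offending frame, and protect drops the same frames while leaving the counter at zero, so nothing tells the admin that an unauthorized device was plugged in.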


LAB 





+ Two MAC addresses are learned on interface fa0/1 (two PCs sit behind a hub on this port):


Switch#sh mac address-table interfaces fa0/1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.c937.98b3    STATIC      Fa0/1
   1    0002.4ad4.3045    STATIC      Fa0/1

+ Default Port Security settings on a switchport




Possible options for Port Security - 



Switch(config)#int fa0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security 

Switch(config-if)#switchport port-security ?

aging Port-security aging commands

mac-address Secure mac address

maximum Max secure addresses

violation Security violation mode

<cr>


Switch(config-if)#switchport port-security maximum 2






So now let's trigger a violation by adding one more PC to the hub, which brings a third MAC address onto fa0/1, above the configured maximum of 2.



Once PC5 is connected, interface fa0/1 of the switch goes into the err-disabled state (the violation mode is still the default, shutdown):


%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down


Switch>show interfaces fa0/1

FastEthernet0/1 is down, line protocol is down (err-disabled)

Hardware is Lance, address is 000a.f313.9701 (bia 000a.f313.9701)

BW 100000 Kbit, DLY 1000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Half-duplex, 100Mb/s

input flow-control is off, output flow-control is off

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:08, output 00:00:05, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue :0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

956 packets input, 193351 bytes, 0 no buffer

Received 956 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 watchdog, 0 multicast, 0 pause input

0 input packets with dribble condition detected

2357 packets output, 263570 bytes, 0 underruns


So the violation has happened !


To recover, disconnect PC5 and perform a shut & no shut on interface fa0/1:


Switch(config)#int fa0/1

Switch(config-if)#shut


%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

Switch(config-if)#no shut


Switch(config-if)#

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up


%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up


Switch(config-if)#^Z

Switch#


===========

Let's see how to configure port-security using a static MAC address.


Switch#show mac address-table interfaces fa0/2
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    00d0.bc4b.05ad    DYNAMIC     Fa0/2


Switch(config)#int fa0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security mac-address 00d0.bc4b.05ad 


Switch#show port-security interface fa0/2

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0


Switch#


Now let's disconnect PC1 and connect PC5 to int fa0/2.

The interface goes down: PC5's MAC address does not match the configured static address, and the violation mode is still the default, Shutdown, so the port is err-disabled.



Switch#

%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down


%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down



Now let's recover the port and change the violation mode to restrict.


<omitted the steps to recover>


With PC1 reconnected, we can see the traffic from PC1 is flowing:


C:\>ping 10.1.1.3


Pinging 10.1.1.3 with 32 bytes of data:


Reply from 10.1.1.3: bytes=32 time=1ms TTL=128

Reply from 10.1.1.3: bytes=32 time<1ms TTL=128


Switch(config)#int fa0/2

Switch(config-if)#switchport port-security violation restrict 


Now let's disconnect PC1 from port fa0/2 and connect PC5 to trigger a violation.

Interface fa0/2 stays up, but the traffic is dropped:





C:\>ping 10.1.1.3


Pinging 10.1.1.3 with 32 bytes of data:


Request timed out.

Request timed out.


Ping statistics for 10.1.1.3:

Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),


Control-C

^C


+ Also the Security Violation Count increased from 0 to 3, one for each packet sent from the unauthorized MAC address:


Switch#show port-security interface fa0/2

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Restrict

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 000C.CFA0.731E:1

Security Violation Count : 3
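The fields in this output (Port Status, Security Violation Count, Last Source Address:Vlan) are exactly what a monitoring job should watch, because in restrict mode the port stays up and nobody notices unless the counter is checked. As an added example, not from the post and not a Cisco tool, here is a Python parser for "show port-security interface" output that flags ports needing attention. The fa0/2 text is the output above; the fa0/3 and fa0/4 outputs are constructed for the example (a port err-disabled after one violation, and a port in protect mode), and the function names are my own.

```python
import re

# Constructed sample: the fa0/2 output from the post, plus two abbreviated
# outputs (fa0/3, fa0/4) made up for this example.
SAMPLE = """\
Switch#show port-security interface fa0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000C.CFA0.731E:1
Security Violation Count : 3
Switch#show port-security interface fa0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Last Source Address:Vlan : 000C.CFA0.731E:1
Security Violation Count : 1
Switch#show port-security interface fa0/4
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Maximum MAC Addresses : 1
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
"""

CMD = re.compile(r"show port-security interface (\S+)", re.IGNORECASE)
# Key is everything before the first " : " with whitespace on both sides, so a
# key that itself contains a colon ("Last Source Address:Vlan") is kept intact.
KV = re.compile(r"^(?P<key>\S.*?)\s+:\s+(?P<val>.*?)\s*$")


def parse_port_security(text: str) -> dict:
    """Split the text into one {field: value} dict per interface named on a command line."""
    ports, current = {}, None
    for line in text.splitlines():
        cmd = CMD.search(line)
        if cmd:
            current = ports.setdefault(cmd.group(1).lower(), {})
            continue
        kv = KV.match(line.strip())
        if kv and current is not None:
            current[kv.group("key")] = kv.group("val")
    return ports


def leading_int(value: str) -> int:
    """'3' -> 3, '0 mins' -> 0; anything without a leading number counts as 0."""
    m = re.match(r"\d+", value)
    return int(m.group()) if m else 0


def assess(fields: dict) -> list:
    """Findings an operator would act on for one port's parsed fields."""
    findings = []
    if fields.get("Port Security", "").lower() != "enabled":
        findings.append("port-security is not enabled")
    if fields.get("Port Status", "").lower() == "secure-shutdown":
        findings.append("port is err-disabled after a violation; investigate before shut/no shut")
    count = leading_int(fields.get("Security Violation Count", "0"))
    if count > 0:
        last = fields.get("Last Source Address:Vlan", "unknown")
        findings.append(f"{count} violation(s); last offending source {last}")
    if fields.get("Violation Mode", "").lower() == "protect":
        findings.append("protect mode: violations are dropped silently, counter and traps stay at zero")
    return findings


def report(text: str) -> dict:
    """Map each interface in the output to its list of findings (empty list = nothing to do)."""
    return {port: assess(fields) for port, fields in parse_port_security(text).items()}


if __name__ == "__main__":
    for port, findings in report(SAMPLE).items():
        print(port, "->", findings or ["ok"])
```

The same parser works on the output of "show port-security interface" collected from several ports in one session, since each command line starts a new record; the protect-mode finding is there deliberately, because a port in that mode will never show a non-zero counter no matter how many unauthorized frames it drops.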






Let's change the violation mode to Protect:


Switch(config-if)#switchport port-security violation protect 



Now let's disconnect PC1 from port fa0/2 and connect PC5 to trigger a violation.

Traffic is dropped again, but this time silently: the Security Violation Count stays at 0 and no trap is sent, so nothing alerts the admin.


C:\>ping 10.1.1.3


Pinging 10.1.1.3 with 32 bytes of data:


Request timed out.


Ping statistics for 10.1.1.3:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),


Switch#show port-security interface fa0/2

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Protect

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 000C.CFA0.731E:1

Security Violation Count : 0


Thanks for Reading!!!


NETWORK ENGINEER STUFF