Thursday, September 17, 2009

Switch Port Security

I've been having loads of fun playing with port security today and in this post I'll share that fun with you.


Port Security is a feature on Cisco Catalyst switches that lets you control which devices can use which ports. It works by tying MAC addresses (this is layer 2, remember) to switch ports. The secure MAC addresses can be assigned statically, learned dynamically by the switch as devices connect, or learned dynamically and then written into the running-config so they survive a reload (this is the "sticky" option, and it's the one I'll use below). By default a port allows a single secure address, but it can be configured to remember more than one.

Depending on your appetite for security you can set the violation mode to protect (silently drop frames from unknown addresses, with nothing logged), restrict (drop them, log a message and bump a violation counter) or shutdown (put the port into err-disabled). Separately, and not to be confused with the "protect" violation mode, the switchport protected feature described below lets you stop ports on the same switch from talking to each other at all, which can be useful for malware containment.

I'll be selecting a range of ports on my switch (9 - 16) and setting them up as access ports and as protected ports, which means they will not be able to forward traffic to each other. Protected ports can only talk to unprotected ports (here my server and router). Bear in mind that the isolation only applies between ports on the same switch: a protected port on one switch can still reach a protected port on another switch across a trunk. I'll also configure the ports to shut down if a device other than the first one connected to them shows up.

S1(config)#interface range fastEthernet 0/9 - 16
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport protected
S1(config-if-range)#switchport port-security violation shutdown
S1(config-if-range)#switchport port-security mac-address sticky
S1(config-if-range)#switchport port-security

Note, although setting ports as protected can be useful in helping stop the spread of malware, it can also be a pain in the arse for remote administration if not planned properly. Another thing that is a pain in the arse is waiting for interfaces to come back up after plugging devices in and out, which is down to spanning tree going through its listening and learning states. To save me about 50 seconds of waiting round I'll enable portfast so the interfaces come up straight away. Portfast should only go on ports facing end hosts, and it's worth pairing it with spanning-tree bpduguard enable so that if someone plugs a switch into one of these ports it gets err-disabled instead of creating a loop.

S1(config-if-range)#spanning-tree portfast
S1(config-if-range)#exit

As I've set up port security to shut down ports when a violation occurs, I'll configure the switch to automatically re-enable the ports after 10 minutes. This will save me having to manually issue the no shutdown command on the ports. Note that the recovery interval is given in seconds and is global, so it applies to every errdisable cause that has recovery enabled.

S1(config)#errdisable recovery cause psecure-violation
S1(config)#errdisable recovery interval 600

After configuring the switch I look at the running-config and I can see the MAC address of the host connected to port 9 has been learned as a sticky address. The violation mode doesn't appear because shutdown is the default and IOS doesn't print default values.

!
interface FastEthernet0/9
switchport mode access
switchport protected
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0018.8bce.5855
no ip address
spanning-tree portfast
!
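It is easy to miss a port when configuring a range, and because the violation mode is a default it never shows up in the config, so the only way to know every port in the range is really locked down is to check each stanza. Here is an added Python audit script (my example, not something from the original post) that parses running-config interface stanzas and reports which of the expected lines are missing and which sticky MAC addresses have been learned. The sample config embedded in it is constructed: it reuses the FastEthernet0/9 stanza above and adds a hypothetical FastEthernet0/10 that was left out of the range.

```python
import re

# Constructed sample running-config: the FastEthernet0/9 stanza from the post
# plus a hypothetical FastEthernet0/10 that was missed when the range was
# configured (no port security, not protected).
RUNNING_CONFIG = """\
!
interface FastEthernet0/9
 switchport mode access
 switchport protected
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0018.8bce.5855
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport mode access
 no ip address
 spanning-tree portfast
!
"""

# Lines every hardened access port should carry. "switchport port-security
# violation shutdown" is the IOS default and is not printed in the running
# config, so it cannot be checked this way and is deliberately not listed.
REQUIRED = (
    "switchport mode access",
    "switchport protected",
    "switchport port-security",
    "switchport port-security mac-address sticky",
    "spanning-tree portfast",
)

# An interface stanza is "interface <name>" followed by indented lines.
STANZA_RE = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.MULTILINE)
# A learned sticky address line carries a dotted-hex MAC after "sticky".
STICKY_MAC_RE = re.compile(
    r"port-security mac-address sticky ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$"
)


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for every stanza."""
    stanzas = {}
    for match in STANZA_RE.finditer(config):
        body = match.group(2).splitlines()
        stanzas[match.group(1)] = [line.strip() for line in body if line.strip()]
    return stanzas


def audit(config, ports):
    """For each port name, report which REQUIRED lines are missing and which
    sticky MAC addresses have been learned. A port that has no stanza at all
    is reported as missing everything."""
    stanzas = parse_interfaces(config)
    report = {}
    for port in ports:
        lines = stanzas.get(port, [])
        missing = [req for req in REQUIRED if req not in lines]
        sticky = []
        for line in lines:
            m = STICKY_MAC_RE.search(line)
            if m:
                sticky.append(m.group(1))
        report[port] = {"missing": missing, "sticky": sticky}
    return report


if __name__ == "__main__":
    # Audit the whole range the post configured; Fa0/11-16 have no stanza
    # in the constructed sample, so they show up as missing everything.
    ports = [f"FastEthernet0/{n}" for n in range(9, 17)]
    for port, result in audit(RUNNING_CONFIG, ports).items():
        print(f"{port}: missing={result['missing'] or 'nothing'} sticky={result['sticky']}")
```

Feed it the output of show running-config and any port that comes back with a non-empty "missing" list needs revisiting. A port with port security enabled but an empty sticky list simply hasn't had a device plugged into it yet.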



Okay, let's put it into practice. I check that I can't communicate between hosts that are on protected ports. My pings between the hosts on protected ports fail, and my pings to my router are fine. So far so good!

Now I swap over the network cables of 2 hosts to make sure that the ports go into shutdown.

S1#show port-security interface fastethernet 0/9
Port Security : Enabled
Port status : Err-Disabled
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 1


After 10 mins the port gets re-enabled. However, unless the device that was originally connected and has its MAC address associated with the port is reconnected, the port goes straight back into shutdown and clocks up another violation. What's more, that device cannot be used on any other port in the same VLAN that has port security enabled, because a secure address learned on one secure port turning up on a second secure port counts as a violation there too.

Once the device is connected to its original port and the errdisable recovery interval has expired (or we issue a shut - no shut on the port) we're happily pinging the router again, and I can see the violation is still recorded in the counter.

S1#show port-security int fa 0/9
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 1
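Reading these outputs by eye is fine for one port, but across a whole switch you want something that tells you which ports are err-disabled, which are up but carrying a violation history, and which are configured in a mode that gives you no visibility at all. Here is an added Python triage script (my example, not from the original post) that parses show port-security interface output into a dict and classifies each port. The first two sample outputs embedded in it are the err-disabled and recovered outputs shown above; the "healthy" and "protect mode" samples are constructed for illustration.

```python
# Constructed samples of "show port-security interface" output. The first two
# mirror the err-disabled and recovered outputs from the post; the others are
# hypothetical variants derived from them.
ERRDISABLED = """\
Port Security : Enabled
Port status : Err-Disabled
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 1
"""
RECOVERED = ERRDISABLED.replace("Err-Disabled", "SecureUp")
HEALTHY = RECOVERED.replace("Security Violation count : 1", "Security Violation count : 0")
PROTECT_MODE = HEALTHY.replace("Violation mode : Shutdown", "Violation mode : Protect")


def parse_port_security(output):
    """Turn the 'Key : Value' lines into a dict with lower-cased keys; the
    spacing and capitalisation of the keys vary between IOS versions, so
    nothing is matched on exact column positions."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip().lower()] = value.strip()
    return info


def assess(info):
    """Classify one port from its parsed output. Returns (severity, reason):
    'alert'  - err-disabled, someone or something tripped it
    'warn'   - configured in a way that gives no visibility
    'review' - up, but violations have been recorded
    'ok'     - secure and clean"""
    if info.get("port security", "").lower() != "enabled":
        return "warn", "port security is not enabled on this port"
    status = info.get("port status", "").lower()
    mode = info.get("violation mode", "").lower()
    violations = int(info.get("security violation count", "0") or 0)
    # Older and newer IOS print the shut-down state differently.
    if status in ("err-disabled", "secure-shutdown"):
        return "alert", (f"err-disabled after {violations} violation(s); reconnect the "
                         "original device or it will trip again after recovery")
    if mode == "protect":
        return "warn", "violation mode protect drops frames silently and logs nothing"
    if violations > 0:
        return "review", f"up, but {violations} violation(s) recorded on this port"
    return "ok", "secure, no violations"


def triage(outputs):
    """outputs: {port_name: raw 'show port-security interface' text}.
    Returns {port_name: (severity, reason)} with the worst ports first."""
    order = {"alert": 0, "warn": 1, "review": 2, "ok": 3}
    results = {port: assess(parse_port_security(text)) for port, text in outputs.items()}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1][0]]))


if __name__ == "__main__":
    sample = {"Fa0/9": ERRDISABLED, "Fa0/10": HEALTHY, "Fa0/11": RECOVERED, "Fa0/12": PROTECT_MODE}
    for port, (severity, reason) in triage(sample).items():
        print(f"{port:<8} {severity:<7} {reason}")
```

Pulling the per-interface output for each port in the range (or scraping show port-security for the summary) and feeding it through triage() gives you a list ordered by how urgently each port needs a look, with the "up but has violations" case called out separately so it doesn't get lost just because the port is forwarding again.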

Or to see all interfaces that have recorded violations I could use:

S1#show port-security


Suppose I want to connect another device to a port that I have configured for port security, or move a device whose address has become sticky on one port to a different port. I would issue the following:

S1#clear port-security sticky interface fastEthernet 0/9

And then I could use that device on another port or use port 9 for a different device.

To see a list of ports that have devices tied to them, whether by static assignment or by sticky learning, you can either issue:

S1#show port-security address


Or simply:

S1#show running-config


And that brings me to the end of another successful Cisco adventure!

1 comment:

Anonymous said...

Thanks for the info. I was having trouble re-enabling my port after a mock security breach and your write up explained it.