Best practices for securing used and unused ports (II/II)

by | Jul 5, 2022 | Cyber Risk

In this second blog post on port security, we’ll jump directly into best practices. If you need to go back to the basics, please read: Port Security and Why It Is Important (I/II).

A network administrator can use port security to associate specific MAC addresses with an interface, preventing an attacker from connecting his device. You can restrict access to an interface in this manner so that only authorized devices can use it. If an unauthorized device connects, you can specify what action the switch should take, such as discarding the traffic and shutting down the port.

Three steps are required to configure port security:

Step 1: Use the switchport mode access interface subcommand to define the interface as an access interface.

Step 2: Enable port security with the switchport port-security interface subcommand.

Step 3: Use the switchport port-security mac-address MAC_ADDRESS interface subcommand to define a static secure MAC address, or the switchport port-security mac-address sticky interface subcommand to dynamically learn the MAC address of the currently connected host.

Note: Port security will only work on access ports. Therefore, in order to enable port security, the user must first make the port an access port.

The following example configures port security on the switch’s fa0/1 interface. The port is first made an access port, and port security is then enabled on it.

S1(config)#int fa0/1

S1(config-if)#switchport mode access

S1(config-if)#switchport port-security

Use the sticky command to dynamically learn the MAC address, then set the maximum number of addresses and the action to take on a violation.

S1(config-if)#switchport port-security mac-address sticky

S1(config-if)#switchport port-security maximum 2

S1(config-if)#switchport port-security violation shutdown

To provide a static entry instead, specify the MAC address explicitly.

S1(config-if)#switchport port-security

S1(config-if)#switchport port-security violation shutdown

S1(config-if)#switchport port-security mac-address aabb.ccdd.eeff

Users can use port-security commands to restrict, shut down, or protect ports.

Here’s a little more insight on these violation modes:

  • Protect: This mode drops packets with unknown source MAC addresses until enough secure MAC addresses are removed to drop below the maximum value.
  • Restrict: Like protect, this mode drops packets until enough secure MAC addresses are removed to bring the total below the maximum value. In addition, it generates a log message, increments the counter value, and sends an SNMP trap.
  • Shut down: This mode is generally preferred over the others because it immediately shuts down the port if unauthorized access is attempted. It also generates a log message, increments the counter value, and sends an SNMP trap. The port remains shut down until the administrator issues the “no shutdown” command.
  • Sticky: This is not exactly a violation mode. The sticky command allows the user to provide static MAC address security without having to type the absolute MAC address.

For instance, if the user specifies a maximum limit of two, the first two MAC addresses learned on that port are added to the running configuration. If a third device tries to connect after the second MAC address has been learned, the action defined by the violation mode is taken.
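To check that the steps above were actually applied, the following Python audit (an added example, not code from the original post) scans a running-config excerpt for access ports where port security is absent, where options were set without the bare switchport port-security command from Step 2, or where the protect mode is in use. The function name audit_port_security and the sample interfaces are assumptions made for illustration; the config text is constructed.

```python
# Constructed running-config excerpt (sample data, not from the post).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

def audit_port_security(config):
    """Map each weakly protected access port to a finding string."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    findings = {}
    for name, cmds in blocks.items():
        if "switchport mode access" not in cmds:
            continue  # port security only works on access ports
        opts = [c for c in cmds if c.startswith("switchport port-security ")]
        if "switchport port-security" not in cmds:
            # Sub-options alone do not enable the feature (Step 2 missing).
            note = " (options set, feature off)" if opts else ""
            findings[name] = "port security not enabled" + note
            continue
        # running-config omits defaults, so no violation line means shutdown.
        mode = next((c.split()[-1] for c in opts if " violation " in c), "shutdown")
        if mode == "protect":
            findings[name] = "violation mode protect: no log or SNMP trap"
    return findings
```

Calling audit_port_security(SAMPLE_CONFIG) reports FastEthernet0/2, 0/3 and 0/4; FastEthernet0/1 passes because a missing violation line means the default shutdown mode.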

What are the benefits of port security?

Now that you’ve learned about port security, why it is important, and how to go about it, you should also learn about some of its benefits.

  • It enables the restriction of the number of MAC addresses on a given port.
  • Packets that have a matching MAC are forwarded, and all other packets are restricted.
  • When locked, only packets with allowable MAC addresses will be forwarded.
  • It supports both dynamic and static locking.
  • It helps secure networks by preventing unknown devices from forwarding packets.

In conclusion, it is critical to detect (by scanning for all open ports) and close all ports that are not in use by the server or system in order to prevent a security breach. Proper and up-to-date firewalls also aid in the verification of data packets sent and received by your system over the network. Logical port blocking techniques will inevitably restrict ports that are not used by that system.
