CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide by Omar Santos

Author:Omar Santos [Omar Santos]
Language: eng
Format: epub, pdf
Publisher: Cisco Press
Published: 2020-03-30T00:00:00+00:00

Port Security

How many MAC addresses should legitimately show up inbound on an access port?

Port security controls how many MAC addresses can be learned on a single switch port. This feature is implemented on a port-by-port basis. A typical user uses just a single MAC address. Exceptions to this may be a virtual machine or two that might use different MAC addresses than their host, or if there is an IP phone with a built-in switch, which may also account for additional MAC addresses. In any case, to avoid a user connecting dozens of devices to a rogue switch that is then connected to their access port, you can use port security to limit the number of devices (MAC addresses) on each port.

This also protects against malicious applications that may be sending thousands of frames into the network, with a different bogus MAC address for each frame, as the user tries to exhaust the limits of the dynamic MAC address table on the switch, which might cause the switch to forward all frames to all ports within a VLAN so that the attacker can begin to sniff all packets. This is referred to as a CAM table overflow attack. Content-addressable memory (CAM) is a fancy way to refer to the MAC address table on the switch.

Port security also prevents the client from depleting DHCP server resources, which could have been done by sending thousands of DHCP requests, each using a different source MAC address. DHCP spoofing attacks take place when devices purposely attempt to generate enough DHCP requests to exhaust the number of IP addresses allocated to a DHCP pool.

With the port security feature, the default violation action is to shut down the port. Alternatively, we can configure the violation response to be to “protect,” which will not shut down the port but will deny any frames from new MAC addresses over the set limit. The “restrict” action does the same as protect but generates a syslog message as well.

To implement port security, follow Example 6-18.

Example 6-18 Implementing Port Security

SW2(config-if)# interface Gi0/2 ! Enable the feature per interface SW2(config-if)# switchport port-security ! Set the maximum to desired number. Default is 1. If we administratively ! set the maximum to 1, the command won't show in the running configuration ! because the configuration matches the default value. It is handy to know ! this behavior, so you won't be surprised by what may seem to be a missing ! part of your configuration. SW2(config-if)# switchport port-security maximum 5 ! Set the violation action. Default is err-disable. Protect will simply ! not allow ! frames from MAC addresses above the maximum. SW2(config-if)# switchport port-security violation protect ! This will cause the dynamic mac addresses to be placed into running ! -config to save them to startup config, use copy run start SW2(config-if)# switchport port-security mac-address sticky ! To verify settings, use this command SW2# show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------- Gi0/2 5 1 0 Protect ---------------------------------------------------------------------------

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.