{"id":748,"date":"2017-04-07T18:38:00","date_gmt":"2017-04-07T18:38:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=748"},"modified":"2024-11-17T18:42:41","modified_gmt":"2024-11-17T18:42:41","slug":"cisco-port-security-concept-implementation","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/cisco-port-security-concept-implementation\/","title":{"rendered":"Cisco Port-Security Concept\/Implementation"},"content":{"rendered":"<p>Cisco port security is a layer 2 traffic control feature used to protect the network from unknown devices that may be plugged into the network, either via a network point in a publicly accessible space or by a malicious user who has physical access to a network point. Port security works by first setting a limit on the number of MAC addresses a port can learn and then specifying the violation action to take once the maximum is reached.<\/p>\n<p>Port security is configured as follows:<\/p>\n<p><strong>1. Set the switch port to either \u201cAccess\u201d or \u201cTrunk\u201d (dynamic ports cannot use port security)<\/strong><\/p>\n<p><strong>2. Set the maximum number of MAC addresses the port can learn<\/strong><\/p>\n<p><strong>3. Set the method the port will use to learn MAC addresses; there are three modes:<\/strong><\/p>\n<p>\u2013<strong>Dynamic<\/strong>\u00a0\u2013 Learn source MAC addresses dynamically as frames enter the switch, and only remember them for the default 5 minutes unless another frame with the same source MAC enters the switch, in which case the timer is renewed.<\/p>\n<p>\u2013<strong>Static<\/strong>\u00a0\u2013 Statically configure the MAC addresses that are going to use the port<\/p>\n<p>\u2013<strong>Sticky<\/strong>\u00a0\u2013 Let the switch learn source MAC addresses as frames enter the switch, but automatically write the learned MAC addresses into the running configuration<\/p>\n<p><strong>4. 
Set a violation action from one of the following four:\u00a0<\/strong><\/p>\n<p>\u2013<strong>Protect<\/strong>\u00a0\u2013 After the maximum is reached, no further action is taken when a violation occurs<\/p>\n<p>\u2013<strong>Restrict<\/strong>\u00a0\u2013 Same as \u201cProtect\u201d, but an SNMP alert is sent every time a violation occurs<\/p>\n<p>\u2013<strong>Shutdown the port<\/strong>\u00a0(the default) \u2013 once the maximum is reached and a violation occurs, the port is shut down (put into the \u201cerr-disabled\u201d state) and SNMP alerts are sent<\/p>\n<p>\u2013<strong>Shutdown the VLAN<\/strong>\u00a0\u2013 once the maximum is reached and a violation occurs, the VLAN is shut down (put into the \u201cerr-disabled\u201d state) and SNMP alerts are sent<\/p>\n<p><strong>5. Enable port security on the interface<\/strong><\/p>\n<p>One of the main reasons for using port security is to mitigate a CAM table overflow attack by limiting how many MAC addresses a port can learn.<\/p>\n<p>A CAM table is the \u201cContent Addressable Memory\u201d of a switch; it is used to store the MAC addresses that the switch learns. Each entry is time-stamped and kept for a total of 300 seconds unless it is renewed by a new frame with the same source MAC address entering the switch.<\/p>\n<p>A CAM table overflow attack is when a malicious user sends thousands of frames into the switch, each with a different source MAC address. This causes the CAM table to become full: a switch normally has a limit on how many MAC addresses it can store \u2013 this is around 5000. As the CAM table fills up, the switch forgets the MAC addresses of the devices that are actually connected and ends up forwarding every frame that enters the switch out of all of its interfaces. 
In effect, the switch is acting as a hub.<\/p>\n<p>At this point a malicious user can capture the packets using Wireshark or something similar to gain valuable information.<\/p>\n<p>The other types of attack that can be mitigated by using port security include:<\/p>\n<p>DHCP Starvation Attack \u2013 hundreds of frames with unique source MAC addresses request IP addresses from the real DHCP server, exhausting the IP scopes. A malicious user can then bring in a rogue DHCP server to issue IP addresses to users and carry out a \u201cMan in the Middle\u201d (MITM) attack by making themselves the default gateway and routing traffic for the users. The malicious user would be able to capture all the traffic as it passes through them, and the users would not be aware. By setting a limit on the number of MAC addresses, the switch can prevent the exhaustion of the IP addresses.<\/p>\n<p>Denial of Service (DoS) Attacks \u2013 as above, but only exhausting the DHCP scopes so that legitimate devices are unable to obtain a valid IP address from the DHCP server.<\/p>\n<p><strong>Configuration example:<\/strong><\/p>\n<p><strong>#conf t<\/strong>\u00a0\u2013 Enter global configuration mode<\/p>\n<p><strong>#interface gigabitethernet 0\/10<\/strong>\u00a0\u2013 Enter interface configuration mode<\/p>\n<p><strong>#switchport mode access<\/strong>\u00a0\u2013 set the port as an access port<\/p>\n<p><strong>#switchport port-security maximum 5<\/strong>\u00a0\u2013 set the maximum number 
of MAC addresses<\/p>\n<p><strong>#switchport port-security mac-address sticky<\/strong>\u00a0\u2013 set the MAC address learning method to sticky<\/p>\n<p><strong>#switchport port-security violation restrict<\/strong>\u00a0\u2013 set the violation action<\/p>\n<p><strong>#switchport port-security<\/strong>\u00a0\u2013 enable port security<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"611\" height=\"146\" class=\"wp-image-749\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-748-1.jpeg\" \/><\/p>\n<p><strong>#show port-security<\/strong>\u00a0\u2013 show the configured port-security parameters.\u00a0We can see that port security is configured and that there are currently no violations<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"644\" height=\"132\" class=\"wp-image-750\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-748-2.jpeg\" \/><\/p>\n<p>If we now test port security by flooding the switch port with MAC addresses, we can see whether it works correctly. 
To do this we can use a tool called \u201cPacket Moderator\u201d<\/p>\n<p>Launch the tool, select the correct NIC that is connected to the switch, tick \u201cFlOOOOOOOOD!\u201d, tick \u201cOf course MACOF\u201d and click \u201cLaunch\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"732\" height=\"467\" class=\"wp-image-751\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-748-3.jpeg\" \/><\/p>\n<p>The \u201cpackets sent\u201d counter should shoot up into the thousands, as the tool is sending thousands of frames into the switch.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"731\" height=\"80\" class=\"wp-image-752\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-748-4.jpeg\" \/><\/p>\n<p>We can see that the switch is reporting port security violations on the interface we configured port security on.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"641\" height=\"211\" class=\"wp-image-753\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-748-5.jpeg\" \/><\/p>\n<p>If we have a look at the port security details, we can see that the Maximum is 5, the \u201cCurrent Address Count\u201d is 5 and the \u201cSecurity Violation Count\u201d is \u201c19512\u201d. This tells us that port security is doing its job and not allowing more than 5 MAC addresses on the port. It also tells us that anything above 5 is being recorded as a violation. 
Using this table we can identify whether the switch is under attack.<\/p>\n<p><strong>#show port-security<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"641\" height=\"144\" class=\"wp-image-754\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-748-6.jpeg\" \/><\/p>\n<p>To clear the counters, the port needs to be shut down and then brought back up.<\/p>\n<p><strong>#conf t<\/strong><\/p>\n<p><strong>#int gig0\/10<\/strong><\/p>\n<p><strong>#shutdown<\/strong><\/p>\n<p><strong>#no shutdown<\/strong><\/p>\n<p><strong>#exit<\/strong><\/p>\n<p><strong>#show port-security<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"641\" height=\"244\" class=\"wp-image-755\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-748-7.jpeg\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cisco port security is a layer 2 traffic control feature used to protect the network from unknown devices which may be plugged into the 
network<\/p>\n","protected":false},"author":1,"featured_media":757,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,9],"tags":[88,85,89,90,13,91],"class_list":["post-748","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","category-switching","tag-cam-table-overflow-attack","tag-dhcp-starvation-attack","tag-dos-attack","tag-port-security","tag-switching","tag-violation"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=748"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/748\/revisions"}],"predecessor-version":[{"id":758,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/748\/revisions\/758"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/757"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}