
Port Security in Computer Network

An attacker's job becomes much easier once they can get onto the network they want to attack. Ethernet LANs are particularly vulnerable because switch ports are open for use by default, so layer 2 attacks such as DoS and address spoofing can take place. If the administrator controls which devices may use the network, the network is far safer. To take full control over switch ports, the administrator can use a feature called port security. Preventing unauthorized users from using these ports raises security at layer 2 to a great extent.

Users can secure a port in two steps:

  1. Limit the number of MAC addresses allowed on a single switch port; if more MAC addresses than the limit are learned on that port, an appropriate action is taken.
  2. When unauthorized access is observed, discard the offending traffic using one of the violation options or, more usefully, also generate a log message so that the unauthorized access can be noticed easily.

Port security –
Switches learn MAC addresses when a frame is forwarded through a switch port. With port security, users can limit the number of MAC addresses that can be learned on a port, set static MAC addresses, and set the penalty applied to the port when an unauthorized device uses it. The penalty is chosen with the protect, restrict or shutdown keyword of the port-security violation command.

Let's discuss these violation modes:

  1. protect – frames from MAC addresses beyond the limit are silently dropped; no log message is generated.
  2. restrict – frames from MAC addresses beyond the limit are dropped, the violation counter is incremented and a log message (syslog/SNMP trap) is generated.
  3. shutdown – the default; the port is placed in the err-disabled state and must be re-enabled by an administrator (shutdown followed by no shutdown) unless errdisable recovery is configured.

Note – Port security works on access ports only, i.e. to enable port security, the user first has to make the port an access port.

Configuration –
Applying port security on the fa0/1 interface of switch S1. First, convert the port to an access port, then enable port security.

S1(config)#int fa0/1
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security

Use the sticky keyword so that the switch learns the MAC address dynamically and keeps it as a secure address, then set the limit and the action to be taken on a violation.

S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#switchport port-security maximum 2
S1(config-if)#switchport port-security violation shutdown

If the user wants to provide a static entry instead, configure it by stating the MAC address explicitly.

S1(config-if)#switchport port-security
S1(config-if)#switchport port-security violation shutdown
S1(config-if)#switchport port-security mac-address aa.bb.cc.dd.ee.ff
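Once port security is configured across many switches, the practical question is which access ports still lack it. The following is an added example, not part of the original article and not a Cisco tool: a small Python audit that parses an IOS-style running-config (the SAMPLE_CONFIG is constructed for this example) and reports the sticky, static, maximum and violation settings per interface, flagging access ports with no port security at all.

```python
import re

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address aa.bb.cc.dd.ee.ff
"""

def parse_interfaces(config):
    """Split an IOS-style running-config into {interface_name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None          # any other top-level line ends the block
    return interfaces

def port_security_state(lines):
    """Summarise one interface's port security (Cisco defaults: maximum 1, violation shutdown)."""
    state = {"access": "switchport mode access" in lines,
             "enabled": "switchport port-security" in lines,
             "maximum": 1, "violation": "shutdown", "sticky": False, "static": []}
    for line in lines:
        if m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            state["maximum"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (protect|restrict|shutdown)", line):
            state["violation"] = m.group(1)
        elif line == "switchport port-security mac-address sticky":
            state["sticky"] = True
        elif m := re.fullmatch(r"switchport port-security mac-address ([0-9a-f.]+)", line):
            state["static"].append(m.group(1))
    return state

def unprotected_access_ports(config):
    """Access ports with no port security: the weakest points at layer 2, so fix these first."""
    return [name for name, lines in parse_interfaces(config).items()
            if (s := port_security_state(lines))["access"] and not s["enabled"]]
```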
