Access Layer Security Features Part 1: Port Security

Ethernet and IP by themselves don’t really provide security at the access layer.  They can easily be spoofed and attacked by hosts connected to the same network.  Accordingly, over the years vendors have created a variety of mechanisms to secure the access ports where users physically connect.

These features are useful in a variety of environments – particularly on access ports for end users, and on service provider Ethernet access networks.  Some of them are also useful in the data center as well.

I’ll be making a series of posts on some of the common security features that are useful in access networks.  Some of these are commonly overlooked

Port Security

Port security is one of the more basic security features that most managed switches provide.  It limits the number of MAC addresses that the switch will learn on a particular port.

On Cisco switches, the switch can take one of three actions – “protect”, “restrict”, or “shutdown”.  Shutdown is obvious – it physically shuts the port down by putting it in “error disable” mode.

Protect is a little more complicated, but less drastic.  It will accept Ethernet frames with the first few MAC addresses that were received over that port, before the MAC address limit was reached.  So, if you were limiting the port to four MAC addresses, frames from first four MAC addresses that were learned on the port would be accepted, but any others would be dropped.  Restrict is basically the same as protect, except it also will send an SNMP trap to your network monitoring system.

Configuration Example:

interface GigabitEthernet0/3
 description "ACCESS PORT"
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactive

In the example above, port security is configured on an access port.  The switch will learn three MAC addresses on that port.  When it receives a fourth address, traffic from that MAC address will be dropped, and an SNMP trap will be generated.  If no violation action is configured, the default is to shutdown the port.

The aging configuration is necessary to make port security work when devices are disconnected and new devices are plugged in.  For example, lets say three MAC addresses have been learned on this port.  If no traffic from one of the MAC addresses learned on this port is received over a 5 minute period, that MAC address will be aged out.  So, there will then be only two MAC addresses tied to this port.

If the port is shutdown due to a port security violation, you can manually bring it out of error disable mode with a shut / no shut of the interface.  Also, error disable auto recovery can be configured to automatically reset the port after a few minutes.  This avoids having to manually reset the port once the user has fixed the problem.

Port security should not be configured on uplink interfaces.

What it Protects Against:

Port security will prevent an attacker from overflowing the CAM table on the switch, which could cause the switch to flood traffic out all ports within a VLAN, like a hub would.  This would obviously impact performance, but also could allow the attacker to see traffic flowing between other hosts.

It could be used to prevent users from connecting multiple devices to a single port…but someone could easily get around this with a router doing NAT.  It might also be used to provide some level of damage control if a loop is inadvertently formed.  It would limit the number of MAC addresses that would be flapping between different ports in the switches MAC address table.  But, if you have a loop you’ll have a bunch of other problems too.

Comments are closed.