Tuesday, 24 October 2017

Configuring Port Security

Cisco switches offer a feature called port security. With it we can:
  • Limit who connects to a port
  • Control how many devices can connect to a port
  • Set the action to take when a violation occurs

Port security is used to mitigate MAC flooding attacks and can prevent rogue devices from connecting to your network.

Before we configure it we should look at the modes available, and decide before the actual configuration what we want to achieve:
  1. Note the ports that will get configured; usually we apply port security to the ports that connect end devices.
  2. Which violation mode is appropriate for your network policy?
  3. How many devices are allowed on a given port? Be EXTRA CAREFUL at this step: if you allow too few you could deny access to a legitimate device, and if you allow too many you have a security hole.

Port security has 3 violation modes:
  • Shutdown (default): the port shuts down, sends an SNMP trap, creates a syslog message and increments the violation counter.
  • Restrict: the port drops any packets from the rogue device, stays up, creates a syslog message and increments the violation counter.
  • Protect: similar to Restrict, but it does nothing to let you know there was a violation; the port stays up and silently drops the offending device's packets.

Configuring Port security

First you have to enable port security on the ports you want to protect:
switch# configure terminal
switch(config)# interface fa0/1
switch(config-if)# switchport mode access
! port security needs the port to be in access mode to function
switch(config-if)# switchport port-security
! this enables the feature
switch(config-if)# switchport port-security maximum 1
! configures the port to allow 1 device
switch(config-if)# switchport port-security violation shutdown
! configures the violation mode to shutdown

What happened in the previous commands:

  • We enter interface configuration mode
  • Enable access mode, as it is required for port security to function
  • Enable the port security feature
  • Set the number of devices that can connect
  • Configure the violation mode

Note that you can hard code the MAC address of the devices you want to allow with the following command:
switch(config-if)# switchport port-security mac-address 1a2a.1ba1.a111
! 1a2a.1ba1.a111 is an example of how to correctly write the MAC address
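As an added example (not from the original post), here is a fuller configuration of one access port that brings together the steps above with two extra settings a practitioner usually wants: sticky learning, so the switch records the first MAC addresses it sees instead of you typing them in, and errdisable recovery, so a port shut down by a violation comes back on its own instead of needing a manual visit. The interface name fa0/1, the limit of 2 devices, the restrict mode and the 300 second recovery interval are assumptions for the example; set them according to your own policy.

```cisco
! Global settings: let ports shut down by a port-security violation
! recover automatically after 300 seconds (assumed interval).
! Without this, a shutdown-mode violation keeps the port down until
! an admin does "shutdown" / "no shutdown" on the interface.
switch# configure terminal
switch(config)# errdisable recovery cause psecure-violation
switch(config)# errdisable recovery interval 300

! Per-port settings (fa0/1 is an assumed example interface)
switch(config)# interface fa0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security
! Allow 2 devices (assumed: e.g. an IP phone with a PC behind it)
switch(config-if)# switchport port-security maximum 2
! Restrict: drop the rogue device's frames, keep the port up,
! log via syslog/SNMP and count the violation
switch(config-if)# switchport port-security violation restrict
! Sticky: learn the first 2 MAC addresses seen and keep them in the
! running config as if they had been typed in by hand
switch(config-if)# switchport port-security mac-address sticky
! Optional: forget a learned address after 10 minutes of inactivity,
! so a replaced device does not trigger a violation forever
switch(config-if)# switchport port-security aging time 10
switch(config-if)# switchport port-security aging type inactivity
switch(config-if)# end

! Save, otherwise the sticky addresses are lost on reload
switch# write memory

! Verification: status, mode, learned/allowed counts and the
! violation counter for this port, then the table of secure addresses
switch# show port-security interface fa0/1
switch# show port-security address
```

When checking a port after a reported problem, look at the "Port Status" and "Security Violation Count" lines of `show port-security interface`: a status of secure-shutdown means a shutdown-mode violation has err-disabled the port, and a rising violation count on an up port means restrict mode is dropping frames from an unknown device. Protect mode shows neither, which is why it is the hardest to troubleshoot.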

Personally I believe it is better to hard code the devices if they are not changing places on your network.

Always be careful with this feature ! You can cause a Denial Of Service if configured poorly!

