Port Security on Cisco Switches

Port Security:

Port security is a security feature on Cisco switches that restricts access to Ethernet ports based on the Media Access Control (MAC) addresses of connected devices. By default, all interfaces on a Cisco switch are in an enabled state, allowing any device to connect. Port security enhances network security by controlling which devices can access specific ports.

How Does Port Security Work?

  • MAC Address Learning: When a device connects to a port, the switch learns its MAC address.
  • MAC Address Filtering: The switch compares the MAC address of incoming frames with the allowed MAC addresses configured for the port.
  • Violation Mode: If an unauthorized device attempts to access the port (i.e., its MAC address is not in the allowed list), the switch applies the configured violation mode.

  Violation Modes:

    • Restrict: Drops the unauthorized frames, but the port remains operational.
    • Shutdown: Shuts down the port, blocking all traffic.
    • Protect: Drops the unauthorized frames and sends a notification (e.g., syslog message).

Configuring Port Security on Cisco Switches

1. Enable Port Security:

  Switch(config)# interface <interface-name>
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport port-security

2. Set Maximum Allowed MAC Addresses:

  Switch(config-if)# switchport port-security maximum <number>

  (e.g., switchport port-security maximum 2)

3. (Optional) Define Static MAC Addresses:

  Switch(config-if)# switchport port-security mac-address <mac-address>

4. (Optional) Enable Sticky Learning:

  Switch(config-if)# switchport port-security mac-address sticky

  Sticky learning dynamically learns MAC addresses and saves them to the startup configuration.

5. Set Violation Mode:

  Switch(config-if)# switchport port-security violation <mode>

  (e.g., switchport port-security violation restrict)

Example Configuration:

  Switch(config)# interface FastEthernet0/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport port-security
  Switch(config-if)# switchport port-security maximum 2
  Switch(config-if)# switchport port-security violation restrict
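Once the steps above have been applied across a switch, the remaining risk is the access port that was missed. The following Python script is an added example, not part of the original article: it parses a running-config excerpt and reports, for every access port, whether port security is enabled and which maximum, violation mode and sticky setting are in effect, so unprotected ports can be listed before an unauthorized device finds them. The sample configuration is constructed for illustration, and the script assumes the Cisco IOS defaults (maximum 1, violation mode shutdown) whenever the corresponding line is absent.

```python
import re
# Constructed sample of a running-config excerpt; not captured from a real switch.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each 'interface X' block to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return blocks

def audit_port_security(config):
    """Settings per access port (IOS defaults assumed: maximum 1, violation shutdown)."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunk and routed ports are outside port security's scope
        e = {"enabled": "switchport port-security" in lines, "maximum": 1, "violation": "shutdown"}
        e["sticky"] = "switchport port-security mac-address sticky" in lines
        for cmd in lines:
            if m := re.fullmatch(r"switchport port-security maximum (\d+)", cmd):
                e["maximum"] = int(m.group(1))
            elif m := re.fullmatch(r"switchport port-security violation (\S+)", cmd):
                e["violation"] = m.group(1)
        e["issues"] = [] if e["enabled"] else ["port security not enabled"]
        report[name] = e
    return report
```

Running `audit_port_security(SAMPLE_CONFIG)` flags FastEthernet0/2 as unprotected and shows FastEthernet0/3 running with the default maximum of 1 and shutdown mode, while the trunk port is skipped.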

Benefits of Port Security:

  • Enhanced Network Security: Prevents unauthorized access to network resources.
  • Improved Network Performance: Reduces broadcast traffic by limiting the number of devices on a port.
  • VLAN Security: Can be used to enforce VLAN membership based on MAC addresses.

Additional Considerations:

  • Port Security Aging: You can configure aging timers to automatically remove unused MAC addresses from the port's allowed list.
  • Violation Counters: Monitor violation counters to identify potential security threats.
  • Port Security with VLANs: Port security can be combined with VLANs to further enhance network segmentation and security.

By implementing port security on your Cisco switches, you can significantly improve the security and performance of your network.
