Sunday, October 4, 2015

Switchport port-security

Security feature:
- limits the maximum number of devices allowed on a switchport
- controls the type / vendor of devices connected to the switch

- Violations
- MAC categories
- Causes of violations

********************************************************************************

Switchport Violations

Before getting into the mechanics of how switchport security operates, it is important to review what happens should a violation occur. On Cisco equipment there are three main violation types: shutdown, protect, and restrict. These are described in more detail below:
  • Shutdown – When a violation occurs in this mode, the switchport is taken out of service and placed in the err-disabled state. The switchport remains in this state until it is manually re-enabled; this is the default switchport security violation mode.
  • Protect – When a violation occurs in this mode, the switchport permits traffic from known MAC addresses to continue while dropping traffic from unknown MAC addresses. In this mode no notification message is sent when the violation occurs.
  • Restrict – When a violation occurs in this mode, the switchport permits traffic from known MAC addresses to continue while dropping traffic from unknown MAC addresses. However, unlike the protect violation type, a message is also sent indicating that a violation has occurred.
**********************************************************************************

Switchport Security MAC Addresses

When using the switchport security feature, source MAC addresses are separated into three categories:
  • Static – Static secure MAC addresses are statically configured on each switchport and stored in the address table. The configuration for a static secure MAC address is stored in the running configuration by default and can be made permanent by saving it to the startup configuration.
  • Dynamic – Dynamic secure MAC addresses are learned from the device (or devices) connected to the switchport. These addresses are stored in the address table only and are lost when the switchport goes down or when the switch reboots.
  • Sticky – Sticky secure MAC addresses are a hybrid. They are learned dynamically from the devices connected to the switchport, are put into the address table AND are entered into the running configuration as a static secure MAC address (sometimes referred to as a static sticky MAC address). Like a static secure MAC address, these MAC addresses are lost unless saved to the startup configuration.
The type of secure MAC address an organization uses depends on the specific network environment (e.g. Cisco phones / a given vendor, POS terminals / a given type of device, etc.).

**********************************************************************************

What causes a Switchport Violation?

The next question to ask is what causes a switchport violation. There are two situations that can cause a violation:

  • When the maximum number of secure MAC addresses has been added to a switchport's address table and traffic from another MAC address is received on the switchport.
  • When an address that has been seen on a secure switchport has already been seen on another secure switchport in the same VLAN.
By default, the maximum is one MAC address per port. This means that if more than one MAC address is seen on any given port, a violation occurs.
By default, dynamic MAC entries in the address table never time out (dynamic is the default method used for learning secure MAC addresses) as long as the switchport state remains up.

*********************************************************************************

Troubleshooting port security violations

When using dynamic MAC addresses
- engineers must physically disconnect the cable or shut down the switchport to reset the dynamic entries in the address table.

When using sticky MAC addresses
- the MAC address has to be manually removed from the running config, or the switch must be rebooted, to remove the entry from the address table.

When using static secure MAC addresses
- the MAC address must be manually removed from the running config so that it is removed from the MAC address table. After that, a device with a new MAC address can be connected to the switchport.
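The following Python model is an added example (not code from the original post or from Cisco) that ties together the three violation modes, the three MAC categories, the two violation causes and the troubleshooting behaviour above: which frames are forwarded or dropped, when a port goes err-disabled, and which entries survive a link-down. The class and method names are constructed for this illustration.

```python
class SecurePort:
    def __init__(self, name, vlan, maximum=1, violation="shutdown", sticky=False):
        self.name, self.vlan = name, vlan
        self.maximum, self.violation, self.sticky = maximum, violation, sticky
        self.table = {}           # secure MACs in the address table: mac -> category
        self.running_config = {}  # MACs that also live in running-config (static, sticky)
        self.err_disabled, self.violations = False, 0

    def add_static(self, mac):
        # Static secure MAC: configured by hand, present in both table and running-config
        self.table[mac] = self.running_config[mac] = "static"

    def violate(self):
        self.violations += 1
        if self.violation == "shutdown":      # default mode: port goes err-disabled
            self.err_disabled = True
            return "err-disabled"
        if self.violation == "restrict":      # drop the offender, but raise a notification
            return "drop+syslog"
        return "drop"                         # protect: drop silently

    def link_down(self):
        # Only dynamic entries are lost; static and sticky survive via running-config
        self.table = {m: c for m, c in self.table.items() if c != "dynamic"}


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port
        return port

    def receive(self, port_name, mac):
        port = self.ports[port_name]
        if port.err_disabled:
            return "err-disabled"
        if mac in port.table:                 # already a secure MAC on this port
            return "forward"
        # Cause 2: the MAC is already secured on another secure port in the same VLAN
        for other in self.ports.values():
            if other is not port and other.vlan == port.vlan and mac in other.table:
                return port.violate()
        # Cause 1: this port's secure address table is already full
        if len(port.table) >= port.maximum:
            return port.violate()
        port.table[mac] = category = ("sticky" if port.sticky else "dynamic")
        if port.sticky:                       # sticky: learned AND written to running-config
            port.running_config[mac] = category
        return "forward"
```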


----------------------------------------------------
Author's note:

DIY WiFi Microcontroller for hacking
Cisco was criticized in the last months that their security focus is not ... powerful enough. On the other hand, many features used in production environments today were brought in by Cisco.

Port security is very useful, and NetOps engineers should check more deeply in cases where no device is found, alarms are raised OOBH, etc.
With the rise of IoT, even very small devices can do almost miracles
- see for example http://raspberrypi.com

A computer of credit-card size

