What is cisco port security? How to secure switches ports? | What are the violations of port security? | How to configure?

Sharafat Ali
5 min read · Sep 28, 2023


Cisco Port Security is a feature that enhances network security by restricting access to a network switch port based on the Media Access Control (MAC) address of the connected device. It helps prevent unauthorized devices from connecting to the network through switch ports.

As we already know, switches are essential network devices: with their help we connect devices such as routers, computers and others, and create and maintain the communication channels between them. Switches identify devices by their MAC addresses and provide services to them.

How to enable switchport port-security

Port security is disabled by default. The `switchport port-security` command is used to enable it.

The port security feature does not work on three types of ports:

  • Trunk ports
  • EtherChannel ports
  • Switched Port Analyzer (SPAN) ports

Port security only works on host ports (access ports). Before configuring port security, the port must be set as an access port, which is done easily with the `switchport mode access` command.

To secure switch ports using Cisco Port Security, follow these steps:

Enable Port Security: From global configuration mode on the switch, enter the interface and enable port security on it using the command `switchport port-security`.

Switchport port-security

Switchport port-security aging: there are two kinds of port security aging, defined below:

Absolute: The secure addresses on that port are deleted after the specified aging time.

Inactivity: The secure addresses on this port are deleted only if the secure addresses are inactive for the specified aging time.

Aging: when we configure the maximum number of MAC addresses on a particular port, we can also configure aging. With aging we specify how long an address on the port stays secure; once that time expires, the MAC address on that port is no longer secure. By default, all addresses on a port are secured permanently. The aging time is given in minutes, <1–1440>: enter a value between 1 and 1440.

Switchport port-security Aging

Switchport port-security mac-address: we have two options, static and dynamic, to associate a MAC address with an interface.

Switchport port-security mac-address

In the static method we have to manually define the exact MAC address of the host with the `switchport port-security mac-address MAC_address` command. This is the most secure method but requires a lot of manual work.

switchport port-security mac-address MAC_address command

In the dynamic method we use the sticky feature, which allows the interface to learn MAC addresses automatically. The interface will learn MAC addresses until it reaches the maximum number of allowed hosts.

switchport port-security mac-address sticky feature

Switchport port-security maximum: by default, only 1 MAC address is allowed by the Cisco switch on a single port. If other devices try to connect through this port, our switch shuts the port down automatically. We can set this limit from 1 to 132; the maximum number is 132.

Switchport port-security maximum

Set the Maximum Number of Secure MAC Addresses: determine how many MAC addresses you want to allow on the port. You can set this limit using the `switchport port-security maximum` command, e.g., `switchport port-security maximum 2` to allow only 2 MAC addresses.

Switchport port-security violation: when the MAC address of a device connected to a port is not in the list of secure addresses we have given on the interface, a port violation occurs and the port enters the error-disabled state. There are three violation modes: Protect, Restrict and Shutdown.

Switchport port-security violation

Protect: When configured for protect, a switch port drops frames with an unknown source MAC address after the switch port reaches its configured maximum number of secure MAC addresses. However, frames with known (that is, learned) source MAC addresses are transmitted. Also, no notifications are sent if a port security violation occurs.

Restrict: The restrict option operates similarly to the protect option. However, under restrict mode, if a security violation occurs, all data transfer is blocked and packets are dropped; Syslog messages are also generated at the same time.

Shutdown: The port is immediately disabled if a violation occurs.
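As an added example (not from the original article), the following IOS session applies the configuration steps above to a single access port and then verifies it and shows how to recover a port that a violation has error-disabled. The interface name GigabitEthernet0/1, VLAN 10, the MAC address 0011.2233.4455 and the timer values are assumptions chosen for illustration.

```cisco
! Added example; interface, VLAN, MAC address and timers are assumed values.
Switch# configure terminal
Switch(config)# interface GigabitEthernet0/1
! Port security only works on access ports, so set the mode first
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Enable the feature (it is disabled by default)
Switch(config-if)# switchport port-security
! Allow two hosts on the port, e.g. an IP phone and the PC behind it
Switch(config-if)# switchport port-security maximum 2
! One static entry for a known host (assumed MAC), sticky learning for the other
Switch(config-if)# switchport port-security mac-address 0011.2233.4455
Switch(config-if)# switchport port-security mac-address sticky
! Restrict: drop offending frames and log a syslog message,
! rather than err-disabling the port as the shutdown mode would
Switch(config-if)# switchport port-security violation restrict
! Inactivity aging: a secure address idle for 120 minutes is removed
Switch(config-if)# switchport port-security aging time 120
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# end
!
! Verify the mode, the secure addresses and the violation counter
Switch# show port-security interface GigabitEthernet0/1
Switch# show port-security address
!
! If a port configured with violation shutdown has been err-disabled,
! either bounce it by hand ...
Switch# configure terminal
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit
! ... or let the switch re-enable it automatically after 300 seconds
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
!
! Save the running configuration so sticky addresses survive a reload
Switch# write memory
```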

Common violations of port security include:

1. Security violation: when the number of allowed MAC addresses is exceeded on a port.
2. MAC address violation: occurs when a different MAC address is detected on a secured port.
3. Aging violation: happens when a secure MAC address ages out due to inactivity.

Summary

Cisco Port Security is a valuable tool for network security, but it’s essential to plan your configuration carefully and regularly review logs to maintain an effective security posture.

The use of switchport port-security provides another level of security that can help in securing locally connected computers and the networks they connect to.
