Port security is used to mitigate MAC flooding attacks and can prevent rogue devices from connecting to your network. Cisco switches offer a tool called port security; using it we can:
- Limit who connects (based on layer 2 address)
- Control how many can connect to a port
- Set an action when a violation occurs
Before we can configure it we should take a look at the modes available, and note before the actual configuration what we want to achieve:
- Note the ports that will get configured; usually we apply port security to the ports that connect end devices.
- What violation mode is appropriate for your network policy?
- How many devices are allowed on a given port? Be EXTRA CAREFUL when you are on this step: you could deny access to a legitimate device if you allow fewer than needed, but you create a security hole if you allow more.
Port security has 3 violation modes:
- Shutdown (default): when triggered, the port shuts down; it can send an SNMP trap, creates a syslog message and increments the violation counter.
- Restrict: the port ignores any packets from the rogue device, stays up, creates a syslog message and increments the violation counter.
- Protect: this mode is similar to Restrict, but it won't do anything to let you know there is a violation; the port stays up and ignores the offending device's packets.
Configuring Port security
switch# configure terminal
switch(config)# interface fa0/1
switch(config-if)# switchport mode access \ port security needs the port to be in access mode to function
switch(config-if)# switchport port-security \ this enables the feature
switch(config-if)# switchport port-security maximum 1 \ it configures the port to allow 1 device
switch(config-if)# switchport port-security violation shutdown \ it configures the violation mode to shutdown
What happened in the previous commands:
- We go to interface configuration
- Enable access mode (it is required for port security to function)
- Enable the port security feature
- Set the number of devices that can connect
- Configure the violation mode
Note that you can even hard code the MAC addresses of the devices you want to allow with the following command:
switch(config-if)# switchport port-security mac-address 1a2a.1ba1.a111
// 1a2a.1ba1.a111 is an example of how to correctly write the MAC address.
Personally I believe it is better to hard code the devices if they are not changing places on your network. Always be careful with this feature! You can cause a denial of service if it is configured poorly!
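After the configuration above, the violation counters, the maximum and the action per port can be read back from the switch with `show port-security`. The following Python script is an added example (not from the original article) that parses that summary table and flags ports with recorded violations, ports in Protect mode (where violations are silent) and ports whose maximum exceeds a local policy value. The sample output embedded in it is constructed, and the table layout is assumed to match the IOS summary format.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show port-security` output (IOS summary table format, assumed).
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            1                  3         Restrict
      Fa0/3              4            2                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One data row: port name, three integer counters, then the violation action.
ROW_RE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\w+)\s*$"
)


@dataclass
class SecurePort:
    port: str
    max_addr: int
    cur_addr: int
    violations: int
    action: str


def parse_port_security(text):
    """Return a SecurePort for every data row; header, separator and totals lines do not match ROW_RE."""
    ports = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ports.append(SecurePort(m["port"], int(m["max"]), int(m["cur"]), int(m["viol"]), m["action"]))
    return ports


def audit(ports, policy_max=1):
    """Return (port, reason) findings: recorded violations, silent Protect mode, maximum above policy."""
    findings = []
    for p in ports:
        if p.violations > 0:
            findings.append((p.port, f"{p.violations} violation(s) recorded, action {p.action}"))
        if p.action == "Protect":
            findings.append((p.port, "Protect mode: violations produce no syslog message or SNMP trap"))
        if p.max_addr > policy_max:
            findings.append((p.port, f"maximum {p.max_addr} exceeds policy maximum {policy_max}"))
    return findings
```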