Practice: CISCO Switch Port Security

 

For many enterprise network administrators, switches are naturally the most commonly used equipment. So how much do you know about vswitches? Next we will use an example to discuss the practice of vswitch port configuration and access security protection!

 

Scenario: There is a CISCO3550 switch in a certain unit. For the sake of network security, the security requirements for some ports are high, that is, only the specified host can be connected, for example, if you set up an office, only one laptop can access the network. When you take the laptop out, even if the network interface is blank, other computers cannot use the network cable. Next we will look at how network managers gradually achieve this requirement.

 

 

 

I. How to Determine the vswitch port disconnection status

 

As a network administrator, before applying new functions, you must first pass the test. To ensure the stable operation of the network, you can only test new functions on idle ports. It is a way to find an idle port and view it directly before the switch. Of course, as a senior Network Administrator, this is generally not the case, we can find the answer we need by executing corresponding commands on the vswitch. I used the show inter command in the past, but this command displays too much information, which seems inconvenient. Now I am using the show inter status Command, this command displays the disconnected status of each port one by one (expressed by "connected" and "notconnect ), in this example, I found an idle Port 3 through this command for subsequent testing.

 

3550 # show inter status

 

Port Name Status Vlan Duplex Speed Type

 

Fa0/3 huangtun notconnect 66 autoauto 10/100 BaseTX

 

 

 

Ii. Basic Port Security Operations

 

(1) display the MAC address on Port 3

 

3550 # show mac-address-table int fa0/3

 

Mac Address Table

 

-------------------------------------------

 

Vlan Mac Address Type Ports

 

----------------------------

 

(Because no network cable is connected to the port, no MAC address is displayed on the port)

 

(2) Clear dynamically obtained MAC addresses

 

3550 # clear mac-address-table dynamic inter fa0/3

 

The above two steps aim to confirm that there is no MAC address record on the current port, so as to prove that our subsequent operations are valid.

 

(3) Close the port, configure it as the access port, and execute the command to configure Port Security

 

Port security is implemented through the switchport-security command. This is a core command, supplemented by other related commands, we can implement port security settings. Because most of the default settings are used, the function of this example is to allow only one specified MAC address to pass through Port 3 and disable the port in case of security violation, first, explain the related SETUP commands:

 

The switchport port-security command enables port security on the port. By default, only one MAC address is allowed to pass through and the interface is disabled in case of security violation .)

 

The switchport port-security mac-add sticky command informs the switch of the MAC address associated with the port, which will be included in the running configuration. If you save the running configuration to the startup configuration, the IP address is retained after the router is restarted.

 

After introducing the operations on core commands, let's talk about port security operations: first, disable port 3. Use the switchport mode access command to configure the port as the access port for port security configuration. Run the switchport port-securtiy command to enable port security. Then run the swithchport port-security mac-address sticky command to let the port know the IP address of the host on which it connects. Finally, execute the command no shutdown to re-enable the port so that it can be informed of the MAC address of the host. The command to achieve the above operation is as follows.

 

3550 # conf t

 

Enter configuration commands, one per line. End with CNTL/Z.

 

3550 (config) # inter fa0/3

 

3550 (config-if) # shutdown

 

3550 (config-if) # switchport mode access

 

3550 (config-if) # switchport port-security

 

3550 (config-if) # switchport port-security mac-address sticky (set the stickiness of the MAC address, my understanding of this command is that the switch will automatically learn the MAC address of the network device that received the port for the first time and record it to the current configuration file)

 

3550 (config-if) # end

 

(4) view configuration information

 

1. view the FA0/3 port information in the current configuration file.

 

3550 # show run inter fa0/3

 

Building configuration...

 

Current configuration: 281 bytes

 

!

 

Interface FastEthernet0/3

 

Switchport access vlan 66

 

Switchport mode access

 

Switchport port-security

 

Switchport port-security mac-address sticky

 

End

 

2. view the Security Information of port FA0/3.

 

Port Security: Enabled

 

Port Status: Secure-down

 

Violation Mode: Shutdown

 

Aging Time: 0 mins

 

Aging Type: Absolute

 

SecureStatic Address Aging: Disabled

 

Maximum MAC Addresses: 1

 

Total MAC Addresses: 0

 

Configured MAC Addresses: 0

 

Sticky MAC Addresses: 0

 

Last Source Address: 2.16.0000.0000

 

Security Violation Count: 0

 

(5) actual test

 

We took a laptop and connected it to port FA0/3. The status of this laptop Nic is displayed as connection. Because the VLAN66 network segment contains a DHCP server, we can also smoothly obtain the IP address and access the network. Then, connect the network cable connecting the laptop to another computer. The NIC status of the computer is displayed as disconnected, indicating that port security has taken effect.

 

(6) Existing Problems

 

The port security operation has been completed, but when the network cable is inserted back to the laptop, the network is still disconnected, check whether the port is in the "error disable" status. Although we can run the shutdown and no shutdown commands on port FA0/3 to restore the port to normal, this operation is too troublesome, it is also unrealistic. You cannot go to the network manager to execute the shutdown and no shutdonw commands every time you find that the port is closed.

 

 

 

Iii. in-depth research on Port Security Settings

 

Based on the implementation of port security (although there is still a gap between the effect and our requirements), we continue to study the relevant functions and check the port security status's "Violation (illegal) mode ", we found that the default processing is shutdown, so there are no other options. Through" "(help), we really find the other two options, respectively

 

3550 (config-if) # switchport port-security violation

 

Protect Security violation protect mode

 

Restrict Security violation restrict mode

 

Shutdown Security violation shutdown mode

 

By viewing the relevant information, we understand that the protect parameter means that when a security violation occurs, the packet is discarded, which is exactly what we imagine, that is to say, it is not to close the port that violates the rule, but to discard the packet that violates the rule. This is what we want. The specific setting command is as follows:

 

3550 # conf t

 

Enter configuration commands, one per line. End with CNTL/Z.

 

3550 (config) # inter fa0/3

 

3550 (config-if) # shut

 

3550 (config-if) # end

 

3550 # show port-security inter fa0/3

 

Port Security: Enabled

 

Port Status: Secure-down

 

Violation Mode: Protect

 

Aging Time: 0 mins

 

Aging Type: Absolute

 

SecureStatic Address Aging: Disabled

 

Maximum MAC Addresses: 1

 

Total MAC Addresses: 1

 

Configured MAC Addresses: 0

 

Sticky MAC Addresses: 1

 

Last Source Address: 485b. 39b8. a060

 

Security Violation Count: 0

 

The actual test results also meet our requirements. That is, after the port security settings take effect, you can first connect to the laptop to access the network. After changing to a desktop, the NIC status of the desktop is still displayed as connected, but the network data is not available. After the laptop is re-connected, the network communication returns to normal.