Configure and verify switch port security

Home >
IT Guides >
Cisco >
200-301 >
Configure and verify switch port security

Configure and verify switch port security

Exam: Cisco 200-301 - Cisco Certified Network Associate (CCNA)

One of the important topics under the section Network device security is “configure and verify switch port security”. In this chapter we will try to discuss all the aspects of this topic so that you are better prepared for the exam and what you can expect from this section. Using the Cisco’s port security you can really boost the network security in this chapter we will discuss this aspect in more details. The biggest challenge for the organization today is to ensure that no one can access the network easily. One can just pull the Ethernet cable and connect to a network. The port security designed by Cisco works on the basic principal that only Ethernet MAC address connects to the switch port and it will not allow any other MAC address to communicate. Whenever a security solution is implemented a trade-off is involved. Another point about the port security is that it supports only the non-negotiating trunk.

StickyMAC

The static port security is a common configuration that is often used for copiers and printers. Dynamic port security is good but if you want to ensure that unauthorised device swapping is prevented then the sticky MAC is a good option. The sticky MAC can be configured in two ways. Firstly as and when you configure the port security at that time itself configure the static MAC address. The second way to configure the sticky MAC is to configure it and leave the max MAC address to pick up a default value. Some of the commands used are:

Switchport port-security mac-address – this command sets the MAC address.
Switchport port-security mac-address sticky – this command configures the MAC address as a static address.
Clear port-security all interface – this command can erase the current secure MAC address from the specific switch port.

Some points that one must keep in mind while configuring the MAC address sticky command is as follows:

The static secure MAC addresses can never be converted to sticky MAC address
All new dynamically learned secured MAC addresses are sticky
All the dynamically learned secure MAC address in a port are converted into a sticky secure MAC address.

MAC address limitation

The MAC limiting is a process that protects against the flooding of the Ethernet switching table. This table is also known as the MAC forwarding table and also layer 2 forwarding table. Anyone can enable this feature on any port. This helps to detect the MAC movement and also the MAC spoofing on the ports. This feature can be enabled on the VLANs. Some methods by which MAC address limiting can be done are mentioned below.

By limiting the number of the MAC addresses that can be learned on an interface the MAC limiting for port can be done. The maximum number of MAC addresses can be learned on any of the followings:
- The access ports
- A particular port
- Or on a particular port based on its membership with a VLAN
By specifying the MAC address that are allowed on a access interface the MAC address limiting for port can be achieved.
By monitoring the MAC address moves within the VLANs the MAC limiting for port can be done.

The MAC address limiting can be applied on all the VLANs and also to a one particular VLAN.

Static/dynamic

We will now discuss about the static and dynamic port security. The port security can be used with a dynamically learned and static MAC address. This helps to restrict the traffic on the network. If the port has a link down condition then all the addresses that are learned dynamically are removed. The port security is such that it will not populate the address table with learned MAC address unless the port gets traffic. The security violation can occur only if the maximum number of secure MAC address is added to the address table. The port can be configured in one following violation modes:

Shutdown
Restrict and
Protect

We will be discussing these in details in the next section. Before you configure a violation mode on a port one must do the following steps:

Select the LAN port to configure.
One must set the violation mode and also the action that must be taken when there is a security violation in the port. This step can be optional at times.
The last step is to verify the configuration of the violation mode.

Violation modes

ErrDisable–This is a type of violation mode that you will come across quite often. In order to secure a port and bring it out of error disable state one must enter the command errdisable recovery cause. This is a global configuration command.
Shutdown - This is a violation mode that puts the interface into an error disabled state. This also sends a SNMP trap notification. This ensures that no traffic can enter the secure port.
Protect restrict- The protect violation mode drops the packets that have unknown source address. This is done unless the user removes a certain number of secure MAC addresses to lower than the maximum value. The restrict violation mode on the other hand drops the packets that have unknown source address unless a sufficient number of secure MAC addresses drop below the maximum value. This causes the security violation counter to increase. These violation modes are generally used to protect the CPU from being over utilised. The pocket drop rate limiter must be configured for this purpose. You must remember that the truncated switching mode do not support the port security rate limiter. To configure the rate limiter you must take the following steps:

First configure the port security rate limiter and
Second verify the configuration.

These are some of the aspects of the topic “Configure and verify switch port security” that you must know well before you appear for the exam. Try to get a detailed knowledge on these topics for doing well in the exam.

Configure and verify switch port security

Related IT Guides