16 May 2010

Port Security Configuration

Cisco Catalyst port security features can be used to combat CAM table overflow attacks and MAC address spoofing attacks. Cisco recommends that port security be configured on a switch before a switch is deployed in the network, to be proactive instead of reactive. When a switch port security violation occurs, you can configure the switch port to respond in one of three ways:

Protect: When configured for protect, a switch port drops frames with an unknown source MAC address after the switch port reaches its configured maximum number of secure MAC addresses. However, frames with known (that is, learned) source MAC addresses are transmitted. Also, no notifications are sent if a port security violation occurs.

Restrict: The restrict option operates similarly to the protect option. However, the restrict option sends an SNMP trap and a syslog message and increments a violation counter when a port security violation occurs.

Shutdown: The shutdown option is the strictest approach. Not only does the shutdown option generate the same notifications as the restrict option, but it also shuts down the port. Therefore, after a port security violation occurs, no traffic is transmitted on that port.

A port security violation doesn’t occur only after a port learns a maximum number of MAC addresses or after an unknown source MAC address attempts to enter the port. A violation also can occur when a MAC address on one secure port appears on a different secure port. Ports support one of three types of secure MAC addresses:

Static secure MAC address: An administrator can statically configure which MAC addresses exist off specific ports using the switchport port-security mac-address address command issued in interface configuration mode. These statically configured MAC addresses are added to a switch’s running configuration and CAM table.

Sticky secure MAC address: Similar to static secure MAC addresses, ports configured for sticky secure MAC addresses also store MAC address-to-port associations in their switch’s running configuration and CAM table. However, the MAC addresses do not need to be statically configured. Rather, a switch port dynamically learns the MAC addresses that exist off its ports.

Dynamic secure MAC address: Similar to sticky secure MAC addresses, ports configured for dynamic secure MAC addresses dynamically learn which MAC addresses exist off specific ports. However, dynamic secure MAC addresses are stored only in a switch’s CAM table, not in a switch’s running configuration.

By default, port security is not enabled on a Cisco Catalyst switch port. After enabling port security with the switchport port-security interface configuration mode command, the maximum number of secure MAC addresses on a port defaults to one, and the violation mode defaults to shutdown.

Example 1-1 offers a comprehensive example of configuring port security on a Cisco Catalyst switch. Commands might vary somewhat based on the switch platform. This example is configured on a Cisco Catalyst 3550 switch.


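The Example 1-1 listing itself is not present on this page. The fragment below is an added reconstruction assembled from the commands named in the two paragraphs that follow; it is not the original listing, and the `!` comment lines and the interface name spelled out in full are assumptions about how the configuration would appear in the running configuration.

```cisco
! Reconstructed from the text: port security on GigabitEthernet 0/5 (Catalyst 3550)
interface GigabitEthernet0/5
 ! Force access mode; port security cannot be enabled on a port that may negotiate a trunk
 switchport mode access
 ! Enable port security (defaults: maximum 1 secure MAC, violation mode shutdown)
 switchport port-security
 ! Raise the secure MAC limit from the default of 1 to 5
 switchport port-security maximum 5
 ! Override the default shutdown action: drop unknown sources, keep the port up, no notification
 switchport port-security violation protect
 ! Static secure MAC address, stored in the running configuration and the CAM table
 switchport port-security mac-address 1234.1234.1234
 ! Sticky learning: dynamically learned MACs are written into the running configuration
 switchport port-security mac-address sticky
```

Once sticky learning is on, each address the port learns is written back into the running configuration as a `switchport port-security mac-address sticky <mac>` line under the interface (for instance `switchport port-security mac-address sticky 0011.2233.4455`, a constructed address), which is what distinguishes sticky from dynamic secure addresses, which exist only in the CAM table. The result can be checked with the `show port-security`, `show port-security address` and `show port-security interface GigabitEthernet0/5` commands discussed below. Because `protect` sends no trap, syslog message or counter increment, a violation on this port is invisible unless the secure address table is inspected; `restrict` is the mode to choose when the violation needs to be detected rather than merely contained.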
Notice that the administrator enters interface configuration mode for interface Gig 0/5. In interface configuration mode, the administrator prevents the port from forming a trunk by issuing the switchport mode access command. Next, port security is enabled using the switchport port-security command. Recall that with port security enabled for a port, by default only one MAC address can be learned on that port. That number is increased to five in this example with the switchport port-security maximum 5 command. The default action to take in the event of a security violation is to shut down the port.

The switchport port-security violation protect command is used to override the default behavior of shutting down. It also allows the learned (or configured) MAC addresses to be transmitted while not allowing unknown (that is, not learned or configured) MAC addresses to be transmitted. Also, notice that the switchport port-security mac-address 1234.1234.1234 command trains the switch about a MAC address available off interface Gigabit Ethernet 0/5. Finally, the switchport port-security mac-address sticky command causes learned MAC addresses to be dynamically entered into the switch’s running configuration, thus mitigating a MAC address spoofing attack.

Multiple show commands can be used to verify and troubleshoot an interface’s port security configuration. Example 1-2 shows the output from the show port-security command.


Example 1-3 shows output from the show port-security address command.


As an additional illustration, Example 1-4 shows how the show port-security interface interface-id command can be used to view detailed port security configuration information for an interface.


See Also:
SW Port-Security

CCNA Security Official Exam Certification Guide (Exam 640-553)

biOos