CCNA2 v7.0 Curriculum: Module 11 - Switch
Security Configuration
11.0 Introduction
11.0.1 Why should I take this module?
Welcome to Switch Security Configuration!
An important part of your responsibility as a network professional is to keep the
network secure. Most of the time we only think about security attacks coming
from outside the network, but threats can come from within the network as well.
These threats can range anywhere from an employee innocently adding an
Ethernet switch to the corporate network so they can have more ports, to
malicious attacks caused by a disgruntled employee. It is your job to keep the
network safe and ensuring that business operations continue uncompromised.
How do we keep the network safe and stable? How do we protect it from
malicious attacks from within the network? How do we make sure employees are
not adding switches, servers and other devices to the network that might
compromise network operations?
This module is your introduction to keeping your network secure from within!
11.0.2 What will I learn in this module?
Module Title: Switch Security Configuration
Module Qbjective: ____Configure switch security to mitigate LAN attacks.
Topic Title Topic Objective
Implement Port
Security Implement port security to mitigate MAC address table attacks.
Mitigate VLAN
Attacks
Explain how to configure DTP and native VLAN to mitigate VLAN
attacks.
Mitigate DHCP
Attacks
Explain how to configure DHCP snooping to mitigate DHCP
attacks.
Mitigate ARP Attacks Explain how to configure ARP inspection to mitigate ARP attacks.

Topic Title Topic Objective
Mitigate STP Attacks
Explain how to configure PortFast and BPDU Guard to mitigate
STP attacks.
11.1 Implement Port Security
11.1.1 Secure Unused Ports
Layer 2 devices are considered to be the weakest link in a company's security
infrastructure. Layer 2 attacks are some of the easiest for hackers to deploy but
these threats can also be mitigated with some common Layer 2 solutions.
All switch ports (interfaces) should be secured before the switch is deployed for
production use. How a port is secured depends on its function.
A simple method that many administrators use to help secure the network from
unauthorized access is to disable all unused ports on a switch. For example, if a
Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections
in use, it is good practice to disable the 21 unused ports. Navigate to each
unused port and issue the Cisco IOS shutdown command. If a port must be
reactivated at a later time, it can be enabled with the no shutdown command.
To configure a range of ports, use the interface range command.
Switch(config)# interface range type module/first-number - last-
number
For example, to shutdown ports for Fa0/8 through FaO/24 on SI, you would enter
the following command.
SI (config)# interface range faO/8 - 24
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthemetO/8, changed state to
administratively down
(output omitted)
%LINK-5-CHANGED: Interface FastEthemetO/24, changed state
to administratively down
S1(config-if-range)#
11.1.2 Mitigate MAC Address Table Attacks
The simplest and most effective method to prevent MAC address table overflow
attacks is to enable port security.

Port security limits the number of valid MAC addresses allowed on a port. It
allows an administrator to manually configure MAC addresses for a port or to
permit the switch to dynamically learn a limited number of MAC addresses. When
a port configured with port security receives a frame, the source MAC address of
the frame is compared to the list of secure source MAC addresses that were
manually configured or dynamically learned on the port.
By limiting the number of permitted MAC addresses on a port to one, port
security can be used to control unauthorized access to the network, as shown in
the figure.
Note : MAC addresses are shown as 24 bits for simplicity.
11.1.3 Enable Port Security
Notice in the example, the switchport port-security command was
rejected. This is because port security can only be configured on manually

configured access ports or manually configured trunk ports. By default, Layer 2
switch ports are set to dynamic auto (trunking on). Therefore, in the example, the
port is configured with the switchport mode access interface configuration
command.
Note : Trunk port security is beyond the scope of this course.
SI (config)# interface fO/1
S1(config-if)# switchport port-security
Command rejected: FastEthemetO/1 is a dynamic port.
SI (config-if)#
SI (config-if)#
SI (config-if)#
SI#
switchport mode access
switchport port-security
end
Use the show port-security interface command to display the current port
security settings for FastEthemet 0/1, as shown in the example. Notice how port
security is enabled, the violation mode is shutdown, and how the maximum
number of MAC addresses is 1. If a device is connected to the port, the switch
will automatically add the device's MAC address as a secure MAC. In this
example, no device is connected to the port. ___________________________________
SI# show port-security interface fO/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type
SecureStatic Address Aging : Disabled
: Absolute
Maximum MAC Addresses 1
Total MAC Addresses 0
Configured MAC Addresses 0
Sticky MAC Addresses 0
Last Source Address:Vlan 0000.0000.0000:0
Security Violation Count
SI#
0
Note : If an active port is configured with the switchport port-
security command and more than one device is connected to that port, the port
will transition to the error-disabled state. This condition is discussed later in this
topic.
After port security is enabled, other port security specifics can be configured, as
shown in the example.
SI (config-if)#
aging
switchport port-security ?
Port-security aging commands

mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
SI (config-if)# switchport port-security
11.1.4 Limit and Learn MAC Addresses
To set the maximum number of MAC addresses allowed on a port, use the
following command:
Switch(config-if)# switchport port-security maximum value
The default port security value is 1. The maximum number of secure MAC
addresses that can be configured depends the switch and the IOS. In this
example, the maximum is 8192.
SI (config)# interface ID/1
S1(config-if)# switchport port-security maximum ?
<1-8192> Maximum addresses
SI (config-if)# switchport port-security maximum
The switch can be configured to learn about MAC addresses on a secure port in
one of three ways:
1. Manually Configured
The administrator manually configures a static MAC address(es) by using the
following command for each secure MAC address on the port:
Switch(config-if)# switchport port-security mac-address mac-
address
2. Dynamically Learned
When the switchport port-security command is entered, the current
source MAC for the device connected to the port is automatically secured but is
not added to the startup configuration. If the switch is rebooted, the port will have
to re-leam the device's MAC address.
3. Dynamically Learned - Sticky
The administrator can enable the switch to dynamically learn the MAC address
and "stick" them to the running configuration by using the following command:
Switch(config-if)# switchport port-security mac-address
sticky
Saving the running configuration will commit the dynamically learned MAC
address to NVRAM.

The following example demonstrates a complete port security configuration for
FastEthemet 0/1. The administrator specifies a maximum of 4 MAC addresses,
manually configures one secure MAC address, and then configures the port to
dynamically learn additional secure MAC addresses up to the 4 secure MAC
address maximum. Use the show port-security interface and the show
port-security address command to verify the configuration.
SI (config)# interface faO/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 4
S1(config-if)# switchport port-security mac-address
aaaa.bbbb.1234
SI (config-if)# switchport port-security mac-address sticky
SI (config-if)# end
SI# show port-security interface faO/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses 4
Total MAC Addresses 1
Configured MAC Addresses 1
Sticky MAC Addresses 0
Last Source Address:Vian 0000.0000.0000:0
Security Violation Count 0
SI# show port-security address
Secure Mac Address Table
Vian
Ports
Mac Address
Remaining Age
Type
(mins)
1
FaO/1
aaaa.bbbb.1234 SecureConfigured

Loading page 6...

Total Addresses in System (excluding one mac per port)
0
Max Addresses limit in System (excluding one mac per port) :
8192
SI#
11.1.5 Port Security Aging
Port security aging can be used to set the aging time for static and dynamic
secure addresses on a port. Two types of aging are supported per port:
□ Absolute - The secure addresses on the port are deleted after the
specified aging time.
□ Inactivity - The secure addresses on the port are deleted only if
they are inactive for the specified aging time.
Use aging to remove secure MAC addresses on a secure port without manually
deleting the existing secure MAC addresses. Aging time limits can also be
increased to ensure past secure MAC addresses remain, even while new MAC
addresses are added. Aging of statically configured secure addresses can be
enabled or disabled on a per-port basis.
Use the switchport port-security aging command to enable or disable
static aging for the secure port, or to set the aging time or type.
Switch(config-if)# switchport port-security aging { static
time time | type { absolute | inactivity }}
The parameters for the command are described in the table.
Paramete Description
r
static Enable aging for statically configured secure addresses on this port.
Specify the aging time for this port. The range is 0 to 1440 minutes. If the time
is 0, aging is disabled for this port.
Set the absolute aging time. All the secure addresses on this port age out
exactly after the time (in minutes) specified and are removed from the secure
address list.
Set the inactivity aging type. The secure addresses on this port age out only if
there is no data traffic from the secure source address for the specified time
period.
time time
type
absolute
type
inactivity

Loading page 7...

Note : MAC addresses are shown as 24 bits for simplicity.
The example shows an administrator configuring the aging type to 10 minutes of
inactivity and by using the show port-security interface command to
verify the configuration.
SI (config)# interface faO/1
S1(config-if)# switchport port-se'
S1(config-if)# switchport port-sei
SI (config-if)# end
SI# show port-security interface faO/1
Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging : Disabled
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count
curity aging time 10
curity aging type inactivity
: Enabled
: Secure-shutdown
: Restrict
: 10 mins
: Inactivity
4
1
1
0
0050.56be.e4dd:l
1
11.1.6 Port Security Violation Modes
If the MAC address of a device attached to the port differs from the list of secure
addresses, then a port violation occurs. By default, the port enters the error-
disabled state.
To set the port security violation mode, use the following command:
Switch(config-if)# switchport port-security violation {
protect | restrict | shutdown } __________________________
The following tables show how a switch reacts based on the configured violation
mode.
Security Violation Mode Descriptions
Mode Description
The port transitions to the error-disabled state immediately, turns off the port
LED, and sends a syslog message. It increments the violation counter. When a
secure port is in the error-disabled state, an administrator must re-enable it by
shutdo
wn

Loading page 8...

Mode Description
(default
entering the shutdown and no shutdown commands.
The port drops packets with unknown source addresses until you remove a
sufficient number of secure MAC addresses to drop below the maximum value
or increase the maximum value. This mode causes the Security Violation
counter to increment and generates a syslog message.
This is the least secure of the security violation modes. The port drops packets
with unknown MAC source addresses until you remove a sufficient number of
secure MAC addresses to drop below the maximum value or increase the
maximum value. No syslog message is sent.
restrict
protect
Security Violation Mode Comparison
Violation
Mode
Discards
Offending Traffic
Sends Syslog
Message
Increase Violation
Counter
Shuts
Down Port
Protect Yes No No No
Restrict Yes Yes Yes No
Shutdown Yes Yes Yes Yes
The following example shows an administrator changing the security violation to
"restrict". The output of the show port-security interface command
confinns that the change has been made.
SI (config)# interface fO/1
S1(config-if)# switchport port-security violation restrict
SI (config-if)# end
SI#
S1# show port-security interface fO/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type
SecureStatic Address Aging : Disabled
: Absolute
Maximum MAC Addresses : 4
Total MAC Addresses : 1
Configured MAC Addresses : 1

Loading page 9...

Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count
SI#
: 0
: 0050.56be.e4dd:l
: 1
11.1.7 Ports in error-disabled State
When a port is shutdown and placed in the error-disabled state, no traffic is sent
or received on that port. A series of port security related messages display on the
console, as shown in the following example.
*Sep 20 06:44:54.966: %PM-4-ERR_DlSABLE: psecure-violation
error detected on FaO/1 8, putting Fa0/18 in err-disable
state
*Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION:
Security violation occurred, caused by MAC address
000c.292b.4c75 on port FastEthemet0/18.
*Sep 20 06:44:55.973: %LINEPROTO-5-PPDOWN: Line protocol on
Interface FastEthemetO/18, changed state to down
*Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface
FastEthernet0/18, changed state to down
Note : The port protocol and link status are changed to down and the port LED is
turned off.
In the example, the show interface command identifies the port status
as err-disabled . The output of the show port-security
interface command now shows the port status as secure-shutdown . The
Security Violation counter increments by 1.
SI# show interface faO/18
FastEthernet0/18 is down, line protocol is down (err-
disabled)
(output omitted)
SI# show port-security interface faO/18
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled

Loading page 10...

Maximum MAC Addresses 1
Total MAC Addresses 1
Configured MAC Addresses 1
Sticky MAC Addresses 0
Last Source Address:Vlan cO25.5cd7.efDl:l
Security Violation Count 1
SI#
The administrator should determine what caused the security violation If an
unauthorized device is connected to a secure port, the security threat is
eliminated before re-enabling the port.
To re-enable the port, first use the shutdown command, then, use the no
shutdown command to make the port operational, as shown in the example.
SI (config)# interface faO/18
Sl(config-if)# shutdown
*Sep 20 07:11:18.845: %LINK-5-CHANGED: Interface
FasfEthemetO/18, changed state to administratively down
Sl(config-if)# no shutdown
*Sep 20 07:11:32.006: %LINK-3-UPDOWN: Interface
FastEthernetO/18, changed state to up
*Sep 20 07:11:33.013: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthemetO/18, changed state to up
Sl(config-if)#
11.1.8 Verify Port Security
After configuring port security on a switch, check each interface to verify that the
port security is set correctly, and check to ensure that the static MAC addresses
have been configured correctly.
Port Security for All Interfaces
To display port security settings for the switch, use the show port-
security command. The example indicates that all 24 interfaces are configured
with the switchport port-security command because the maximum
allowed is 1 and the violation mode is shutdown. No devices are connected.
Therefore , the CurrentAddr (Count) is 0 for each interface.
S1# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation
Security Action
(Count) (Count) (Count)

Loading page 11...

FaO/1 1 0 0
Shutdown
FaO/2 1 0 0
Shutdown
FaO/3 1 0 0
Shutdown
(output omitted)
FaO/24 1 0 0
Shutdown
Total Addresses in System (excluding one mac per port)
0
Max Addresses limit in System (excluding one mac per port) :
4096
Switch#
Port Security for a Specific Interface
Use the show port-security interface command to view details for a
specific interface, as shown previously and in this example.
SI# show port-security interface fastethemet 0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode Shutdown
Aging Time 0 mins
Aging Type Absolute
SecureStatic Address Aging Disabled
Maximum MAC Addresses 1
Total MAC Addresses 1
Configured MAC Addresses 0
Sticky MAC Addresses 0
Last Source Address:Vlan 0025.83e6.4b01:l
Security Violation Count 0
SI#
Verify Learned MAC Addresses
To verify that MAC addresses are "sticking" to the configuration, use the show
run command as shown in the example for FastEthemet 0/19.
SI# show run | begin interface FastEthemetO/1 9
interface FastEthemetO/19
switchport mode access
switchport port-security maximum 10
switchport port-security

Loading page 12...

Secure Your Network Master Switch Security Configu

Study Now!

Document Details

Related Documents

Dump4Cisco CCNA CyberOps Associate 200-201

CCNA 1 - Introduction to Networks

CCNA 1 v7

CCNA 1 v7

9TUT CCNA Exam 102 Questions

CCNA Module Quiz Number Systems & IP Addressing

CCNA 4 Pretest Part 2

CCNA Week 1 Networks Basic Configuration

Week 4 Security Concepts CCNA

CCNA Exam Review Fundamentals12 Stamped

Company

Explore

Study Tools