Port Security |
Configuring
Planning port security
Plan your port security configuration and monitoring according to the following:
On which ports do you want port security?
Which devices (MAC addresses) are authorized on each port?
For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmitting to the network.) You can configure the switch to (1) send intrusion alarms to an SNMP management station and to (2) optionally disable the port on which the intrusion was detected.
How do you want to learn of the security violation attempts the switch detects? You can use one or more of these methods:
Through network management (That is, do you want an SNMP trap sent to a net management station when a port detects a security violation attempt?)
Through the switch Intrusion Log, available through the CLI, menu, and WebAgent
Through the Event Log (in the menu interface or through the CLI show log command)
Use the CLI or WebAgent to configure port security operating and address controls.
Use the global configuration level to execute port-security configuration commands.
Configuring port security
Using the CLI, you can:
Configure port security and edit security settings.
Add or delete devices from the list of authorized addresses for one or more ports.
Clear the Intrusion flag on specific ports.
Syntax
port-security
[e] <port-list>
<learn-mode
|address-limit
|mac-address
|action
|clear-intrusion-flag>
<port-list>
Specifies a list of one or more ports to which the port-security command applies.
learn-mode
<continuous
|static
|configured
|limited-continuous>
For the specified port:
Identifies the method for acquiring authorized addresses.
On switches covered in this guide, automatically invokes eavesdrop protection, see Eavesdrop prevention.
continuous
(Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from the devices to which it is connected. In this state, the port accepts traffic from any devices to which it is connected. Addresses learned in the learn continuous mode "age out" and be automatically deleted if they are not used regularly. The default age time is five minutes.
Addresses learned this way appear in the switch and port address tables and age out according to the
MAC Age Interval
in the System Information configuration screen of the Menu interface or theshow system information
listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For more information on themac-age-time
command see "Interface Access and System Information" in the management and configuration guide for your switch.
static
Enables you to use the
mac-address
parameter to specify the MAC addresses of the devices authorized for a port, and theaddress-limit
parameter (explained below) to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them.
For example, if you use address-limit to specify
three authorized devices, but use mac-address
to
specify only one authorized MAC address, the port adds the one specifically
authorized MAC address to its authorized-devices list and the first
two additional MAC addresses it detects.
If, for example:
You use mac-address to authorize MAC address 0060b0-880a80 for port A4.
You use address-limit
to allow
three devices on port A4 and the port detects these MAC addresses:
080090-1362f2
00f031-423fc1
080071-0c45a1
0060b0-880a80 (the address you authorized with the mac-address parameter)
In this example port A4 would assume the following list of authorized addresses:
080090-1362f2 (the first address the port detected)
00f031-423fc1 (the second address the port detected)
0060b0-880a80 (the address you authorized with the mac-address parameter)
The remaining MAC address detected by the port, 080071-0c45a1, is not allowed and is handled as an intruder. Learned addresses that become authorized do not age-out. See also Retention of static addresses.
CAUTION: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become "authorized". This is because the port, to fulfill the number of devices allowed by the address-limit parameter (se below), automatically adds devices it detects until it reaches the specified limit. | |
NOTE: If 802.1X port-access is configured on a given port, then port-security learn-mode must be set to either continuous (the default) or port-access. | |
Syntax
port-security
[e]
<port-list>
<learn-mode
|address-limit
|mac-address
|action
|clear-intrusion-flag>
port-access
Enables you to use Port Security with (802.1X) Port-Based Access Control.
configured
Specifies which MAC addresses are allowed for this port. Range is 1 (default) to 64 and addresses do not age. Addresses are saved across reboots.
limited-continuous
Also known as MAC Secure, or "limited" mode. The limited parameter sets a finite limit to the number of learned addresses allowed per port. (You can set the range from 1, the default, to a maximum of 32 MAC addresses which may be learned by each port.)
All addresses age, meaning they are automatically removed from the authorized address list for that port after a certain amount of time. Limited mode and the address limit are saved across reboots, but addresses which had been learned are lost during the reboot process.
Addresses learned in the limited mode are normal addresses learned from the network until the limit is reached, but they are not configurable. (You cannot enter or remove these addresses manually if you are using learn-mode with the limited-continuous option.)
Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For more on the mac-age-time command, see "Interface Access and System Information" in the management and configuration guide for your switch. To set the learn-mode to limited use this command syntax:
port-security <port-list> learn-mode limited addresslimit <1..32> action
<none
|send-alarm
|send-disable>
The default address-limit is
1
but may be set for each port to learn up to 64 addresses.The default action is none.
To see the list of learned addresses for a port use the command:
show mac
port-list
address-limit
<integer>
When
learn-mode
is set tostatic
,configured
, orlimited-continuous
, theaddress-limit
parameter specifies how many authorized devices (MAC addresses) to allow. Range: 1 (the default) to 8 for static and configured modes. Forlearn-mode
with thelimited-continuous
option, the range is 1-32 addresses.Available for
learn-mode
with the,static
,configured
, orlimited-continuous
option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in theaddress-limit
parameter. Themac-address limited-continuous
mode allows up to 32 authorized MAC addresses per port. If you use mac-address with static, but enter fewer devices than you specified in the address-limit field, the port accepts not only your specified devices, but also as many other devices as it takes to reach the device limit. For example, if you specify four devices, but enter only two MAC addresses, the port accepts the first two non-specified devices it detects, along with the two specifically authorized devices. Learned addresses that become authorized do not age-out. See also Retention of static addresses.
action
<none
|send-alarm
|send-disable>
Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.
none
Prevents an SNMP trap from being sent.
none
is the default value.
send-alarm
Sends an intrusion alarm. Causes the switch to send an SNMP trap to a network management station.
send-disable
Sends alarm and disables the port. Available only in the
static
,port-access
,configured
, orlimited learn
modes. Causes the switch to send an SNMP trap to a network management station and disable the port. If you subsequently re-enable the port without clearing the port's intrusion flag, the port blocks further intruders, but the switch does not disable the port again until you reset the intrusion flag. See the Note on Keeping the intrusion log current by resetting alert flags.For information on configuring the switch for SNMP management, see the management and configuration guide for your switch.
clear-intrusion-flag
Clears the intrusion flag for a specific port, see Reading intrusion alerts and resetting alert flags.
Eavesdrop Prevention is Disabled
Syntax
[no]
port-security <port-list> eavesdrop-prevention
When this option is enabled, the port is prevented from transmitting packets that have unknown destination addresses. Only devices attached to the port receive packets intended for them. This option does not apply to a learning mode of port-access or continuous. Default: Enabled
Blocked unauthorized traffic
Unless you configure the switch to disable a port on which a security violation is detected, the switch security measures block unauthorized traffic without disabling the port. This implementation enables you to apply the security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users. For example:
NOTE: Broadcast and Multicast traffic is always allowed, and can be read by intruders connected to a port on which you have configured port security. | |
Trunk Group Exclusion
Port security does not operate on either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch resets the port security parameters for those ports to the factory-default configuration. (Ports configured for either Active or Passive LACP, and which are not members of a trunk, can be configured for port security.)
Configuring Trusted Ports for Dynamic ARP Protection
To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports, enter the arp-protect trust command at the global configuration level. The switch does not check ARP requests and responses received on a trusted port.
Syntax
[no]
arp-protect trust <port-list>
port-list
Specifies a port number or a range of port numbers. Separate individual port numbers or ranges of port numbers with a comma; for example: c1-c3, c6.
An example of the
arp-protect trust
command is shown here:switch(config)# arp-protect trust b1-b4, d1
Configuring Additional Validation Checks on ARP Packets
Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp-protect validate command at the global configuration level.
Syntax
[no]
arp-protect validate <[src-mac] | [dest-mac] | [ip]>
src-mac
(Optional) Drops any ARP request or response packet in which the source MAC address in the Ethernet header does not match the sender MAC address in the body of the ARP packet.
dest-mac
(Optional) Drops any unicast ARP response packet in which the destination MAC address in the Ethernet header does not mach the target MAC address in the body of the ARP packet.
ip
(Optional) Drops any ARP packet in which the sender IP address is invalid. Drops any ARP response packet in which the target IP address is invalid. Invalid IP addresses include: 0.0.0.0, 255.255.255.255, all IP multicast addresses, and all Class E IP addresses.
You can configure one or more of the validation
checks. The following example of the arp-protect validate
command
shows how to configure the validation checks for source MAC address
and destination AMC address:
switch(config)# arp-protect validate src-mac dest-mac
Verifying the configuration of dynamic ARP protection
To display the current configuration of dynamic
ARP protection, including the additional validation checks and the
trusted ports that are configured, enter the show arp-protect
command:
Configuring DHCP snooping trusted ports
Networking switches support DHCPv4 and DHCPv6 snooping. Configuring both versions helps protect your entire network by blocking unintended or rogue DHCPv4 and DHCPv6 servers. By default, all ports are untrusted. Once configured, DHCP server packets are forwarded only if received on a trusted port. DHCP server packets received on an untrusted port are dropped.
For DHCPv4 servers
To configure a port or range of ports as trusted, enter this command:
switch(config)# dhcp-snooping trust <port-list>
You can also use this command in the interface context, in which case you are not able to enter a list of ports.
Use the no
form of the command
to remove the trusted configuration from a port.
For DHCPv6 servers
To configure a port or range of ports as trusted, enter this command:
switch(config)# dhcpv6-snooping trust <port-list>
You can also use this command in the interface context, in which case you are not able to enter a list of ports.
Use the no
form of the command
to remove the trusted configuration from a port.
Configuring authorized server addresses
If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid. If no authorized servers are configured, all servers are considered valid. You can configure a maximum of 20 authorized servers.
To configure a DHCP authorized server address, enter this command in the global configuration context:
switch(config)# dhcp-snooping authorized-server <ip-address>
Authorized servers for DHCP snooping
Configuring MAC Lockdown
Syntax
Locks down a given MAC address and VLAN to a specific port.
A separate command is necessary for each MAC/VLAN pair you wish to lock down. If not specifying a VID, the switch inserts "1".
NOTE: A port configured with MAC Lockdown does not accept Multicast MAC addresses; such a port does accept unicast MAC addresses.
MAC Lockdown, also known as "static addressing," is permanently assigned a given MAC address and VLAN to a specific port on the switch. Use MAC Lockdown to prevent station movement and MAC address hijacking and control address learning on the switch.
Locking down a MAC address on a port and a specific VLAN only restricts the MAC address on that VLAN. The client device with that MAC address can to access other VLANs on the same port or through other ports.
NOTE: Port security and MAC Lockdown are mutually exclusive on a given port. | |
Configuring MAC Lockout
Syntax
MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch, so that any traffic to or from the "locked-out" MAC address is dropped: all data packets addressed to or from the given address are stopped by the switch. MAC Lockout is like a simple blacklist.
MAC Lockout is implemented on a per switch assignment. To use it you must know the MAC Address to block. To fully lock out a MAC address from the network it is necessary to use the MAC Lockout command on all switches.
Configuring instrumentation monitor
The following commands and parameters are used to configure the operational thresholds that are monitored on the switch. By default, the instrumentation monitor is disabled.
Syntax
[no]
instrumentation monitor [parameterName|all] [<low|med|high|limitValue>]
[log]
Enables/disables instrumentation monitoring log so that event log messages are generated every time there is an event which exceeds a configured threshold. (Default threshold setting when instrumentation monitoring is enabled: enabled)
[all]
Enables/disables all counter types on the switch but does not enable/disable instrumentation monitor logging. (Default threshold setting when enabled: see parameter listings below)
[arp-requests]
The number of arp requests that are processed each minute. (Default threshold setting when enabled: 1000 med)
[ip-address-count]
The number of destination IP addresses learned in the IP forwarding table. (Default threshold setting when enabled: 1000 med)
[learn-discards]
The number of MAC address learn events per minute discarded to help free CPU resources when busy. (Default threshold setting when enabled: 100 med)
[login-failures]
The count of failed CLI login attempts or SNMP management authentication failures per hour. (Default threshold setting when enabled: 10 med)
[mac-address-count]
The number of MAC addresses learned in the forwarding table. You must enter a specific value in order to enable this feature. (Default threshold setting when enabled: 1000 med)
[mac-moves]
The average number of MAC address moves per minute from one port to another. (Default threshold setting when enabled: 100 med)
[pkts-to-closed-ports]
The count of packets per minute sent to closed TCP/UDP ports. (Default threshold setting when enabled: 10 med)
[port-auth-failures]
The count of times per minute that a client has been unsuccessful logging into the network. (Default threshold setting when enabled: 10 med)
[system-resource-usage]
The percentage of system resources in use. (Default threshold setting when enabled: 50 med)
<1–2147483647>
—Set the threshold value
low
—Low threshold
med
—Medium threshold
high
—High threshold [system-delay]
The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. (Default threshold setting when enabled: 3 seconds med)
[trap]
Enables or disables SNMP trap generation. (Default setting when instrumentation monitoring is enabled: disabled)
To enable instrumentation monitor using the default parameters and thresholds, enter the general instrumentation monitor command. To adjust specific settings, enter the name of the parameter that you wish to modify, and revise the threshold limits as needed.
Examples
To turn on monitoring and event log messaging with the default medium values:
switch(config)# instrumentation monitor
To turn off monitoring of the system delay parameter:
switch(config)# no instrumentation monitor systemdelay
To adjust the alert threshold for the MAC address count to the low value:
switch(config)# instrumentation monitor mac-addresscount low
To adjust the alert threshold for the MAC address count to a specific value:
switch(config)# instrumentation monitor mac-addresscount 767