Monday, September 8, 2008

Switchport port-security - what we MUST know

Continuing with the IPExpert CCIE R&S BLS Security section: it's a short video (40 min), but with a lot of good information! Security has always been one of my biggest weaknesses, so that's why I'm covering it topic by topic; that helps me learn it better, and if I ever need to review my notes, I'll have everything split into its own topic here! So that's good! Hope that helps you too!

To begin with... how do we enable port-security on a switch port? That's easy to answer: with the interface command switchport port-security. But what will actually be configured on that switch port if we just type this command and nothing else? It sets the port to allow only one secure MAC address (maximum 1), which is learned dynamically from the first frame seen on the port, and sets the violation mode to shutdown. One caveat before typing it: port-security is only accepted on a static access or trunk port, so a port still in the default dynamic (DTP) mode needs a switchport mode access (or switchport mode trunk) first, otherwise the command is rejected with a "dynamic port" error.

The LAB will probably ask for something more specific, and that's where you have to know a few things. The violation mode, for example: there are three violation modes available (the keywords are protect, restrict and shutdown):

  • protect - When a violation occurs the switch simply drops frames from any MAC address beyond the configured maximum (if you allow only one MAC address, the first address learned keeps working and frames from any other source MAC on that port are dropped). Nothing is logged, no SNMP trap is sent and the violation counter does not increment, so you will not know it is happening unless you go looking.
  • restrict - Does exactly the same as protect, but also sends an SNMP trap, logs a syslog message and increments the port's violation counter.
  • shutdown - When a violation occurs in shutdown mode the port is put into the ERRDISABLE state. The port stops forwarding anything and its LED turns off. It also sends an SNMP trap, logs a syslog message and increments the violation counter.

When a port enters the ERRDISABLE state you can do a shut and no shut on it to recover it! That can be a tedious task if you have many "smart users" in your network. Fortunately there's another way: you can have the switch recover the port automatically with the errdisable recovery feature (global configuration mode). The commands for this are:

errdisable recovery cause <violation cause>
errdisable recovery interval <#seconds>

For example, if port-security placed a port in the ERRDISABLE state, you can set your switch to recover it like this:

errdisable recovery cause psecure-violation
errdisable recovery interval 1800

That will recover the port 30 min (1800 sec) after the violation event! Cool! :) Two things to keep in mind: errdisable recovery interval is a single global timer shared by every enabled cause (the default is 300 seconds), not a per-cause value, and auto-recovery only clears the symptom. If the offending device is still attached, the port will be err-disabled again as soon as it comes back up and will keep cycling every 30 min, so use the violation syslog message (or show port-security interface) to find the MAC that caused it instead of just letting the timer run. show errdisable recovery confirms which causes are enabled and what the timer is.
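The messages the switch logs through that cycle are the thing to watch. As an added example (not from the original post and not Cisco code), here is a small Python script that parses Catalyst syslog for the PORT_SECURITY-2-PSECURE_VIOLATION, PM-4-ERR_DISABLE and PM-4-ERR_RECOVER messages, counts violations and recoveries per port, lists the offending MACs and points out the ports that errdisable recovery is merely bouncing. The log lines it runs on are constructed samples in the IOS message format, not a real capture; the port and MAC values, the helper names and the "recovered at least once, then violated again" rule are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample syslog, not captured from a real switch. The message
# formats are the ones IOS uses for the PORT_SECURITY and PM facilities; the
# timestamps, ports and MAC addresses are made up. Fa0/6 is being auto-recovered
# every 30 minutes and immediately violated again by the same MAC.
SAMPLE_SYSLOG = """\
Sep  8 10:01:02.113: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3333.3333.3333 on port FastEthernet0/6.
Sep  8 10:01:02.117: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/6, putting Fa0/6 in err-disable state
Sep  8 10:31:02.201: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/6
Sep  8 10:31:05.330: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3333.3333.3333 on port FastEthernet0/6.
Sep  8 10:31:05.334: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/6, putting Fa0/6 in err-disable state
Sep  8 11:01:05.402: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/6
Sep  8 11:01:09.019: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3333.3333.3333 on port FastEthernet0/6.
Sep  8 11:01:09.023: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/6, putting Fa0/6 in err-disable state
Sep  8 11:15:44.777: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 4444.4444.4444 on port FastEthernet0/9.
Sep  8 11:15:44.780: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/9, putting Fa0/9 in err-disable state
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) on port (\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")
RECOVER_RE = re.compile(r"%PM-4-ERR_RECOVER: .*psecure-violation err-disable state on (\S+)$")

# PSECURE_VIOLATION names the port in long form, PM in short form: normalise to short.
LONG_TO_SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


def short_port(name):
    for long_name, short in LONG_TO_SHORT.items():
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def new_port_record():
    return {"violations": 0, "errdisables": 0, "recoveries": 0, "offenders": set()}


def summarize(log_text):
    """Per-port counts of violations, err-disables and recoveries, plus the offending MACs."""
    ports = defaultdict(new_port_record)
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            rec = ports[short_port(m.group(2))]
            rec["violations"] += 1
            rec["offenders"].add(m.group(1).lower())
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            ports[short_port(m.group(1))]["errdisables"] += 1
            continue
        m = RECOVER_RE.search(line)
        if m:
            ports[short_port(m.group(1))]["recoveries"] += 1
    return dict(ports)


def cycling_ports(summary, min_violations=2):
    """Ports that were auto-recovered at least once and then violated again (my threshold)."""
    return sorted(
        port for port, rec in summary.items()
        if rec["recoveries"] >= 1 and rec["violations"] >= min_violations
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_SYSLOG)
    for port, rec in sorted(summary.items()):
        print(f"{port}: {rec['violations']} violations, {rec['errdisables']} err-disables, "
              f"{rec['recoveries']} recoveries, offending MACs: {', '.join(sorted(rec['offenders']))}")
    for port in cycling_ports(summary):
        print(f"{port}: errdisable recovery is only bouncing this port; "
              f"track down {', '.join(sorted(summary[port]['offenders']))}")
```

Feed it the switch's syslog (from a syslog server or a pasted show logging) and the cycling list is the set of ports where the recovery timer is doing nothing useful; the offending MAC is what you chase.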

Another thing to keep in mind: the three kinds of secure MAC address behave differently with respect to the running configuration. A static address configured with switchport port-security mac-address <MAC> is stored in the address table and does appear in the running configuration (the Cisco reference linked below says so explicitly). What does not show up in show run is a dynamically learned secure address: with plain switchport port-security the switch learns the first MAC that transmits and keeps it only in the address table, you can see it with show port-security address, and it is gone after the switch reloads.

If you want learned addresses to survive a reload, use the STICKY keyword. switchport port-security mac-address sticky (with no address) enables sticky learning: the switch dynamically learns the attached MAC address(es), converts them to sticky secure addresses and writes them into the running configuration as switchport port-security mac-address sticky <MAC> lines; you can also type such a line yourself to pre-seed a sticky address. Either way they only land in the running configuration, so you still have to copy running-config startup-config for them to survive a reboot. Once learned, a sticky address stays bound to that port until you remove it, which is exactly what you want for a printer or a desktop and exactly what bites you when the device is replaced.

So, for example: allow two MAC addresses (1111.1111.1111 and 2222.2222.2222) on FastEthernet 0/6 (configured as an access port), and if any violation of that rule occurs the port should be placed in the ERRDISABLE state, recovering by itself after 1 hour without any intervention. The MAC addresses MUST appear in the running configuration.

How can we solve that? Not that difficult, right? Here's the answer:

conf t
!
! global: recover psecure-violation err-disabled ports after 3600 seconds
! (the interval is one global timer shared by every enabled cause)
errdisable recovery cause psecure-violation
errdisable recovery interval 3600
!
interface fastethernet 0/6
! port-security is only accepted on a static access (or trunk) port
switchport mode access
! turn port-security on; without this line the rest is just inert config
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
! enable sticky learning, then seed the two allowed addresses as sticky
switchport port-security mac-address sticky
switchport port-security mac-address sticky 1111.1111.1111
switchport port-security mac-address sticky 2222.2222.2222
exit

That meets the requirements of our question! To check it: show port-security interface fastethernet 0/6 should report port security enabled, violation mode shutdown and a maximum of 2 addresses (a Port Status of Secure-shutdown means the port has already taken a violation), show port-security address lists the two sticky addresses, show running-config interface fastethernet 0/6 contains the two sticky mac-address lines, and show errdisable recovery shows psecure-violation enabled with a 3600 second timer.

Also, if you type switchport port-security ? in interface configuration mode you'll see all the available options for this command (in fact there are just a few: aging, mac-address, maximum and violation).

Is it difficult? Not at all, but there are some things to keep in mind, both for the exam and for real-life networks!

You can find more information at the following link on the Cisco website:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/command/reference/cli3.html#wp1948361

1 comment:

Anonymous said...

Great article - I've had port security running but had never seen the errdisable autorecovery - implementing right now

thanks again