Switch Security Features Topic Notes

Port Security

  • Limits access to port based on MAC address
  • Off by default
  • Manually enabled on individual port
    • Command:
      • (config-if)#switchport port-security
  • Applies to access and trunk ports
    • Not ports in dynamic (DTP) mode
  • Verification commands:
    • #show port-security interface <IF> – Displays the port-security status of an interface
    • #show port-security address – Displays the secure MAC addresses learned on each interface

Port Security Recovery

  • Once the port-security violation mode (shutdown) is triggered, the port is not automatically recovered
    • Automatic recovery can be enabled with the errdisable recovery feature
      • Command:
        • (config)#errdisable recovery cause psecure-violation
    • Recovery period 30 seconds by default
      • Can be configured manually
        • Command:
          • (config)#errdisable recovery interval <30-86400 seconds>

Port Security MAC Addresses

  • Secure MAC addresses
    • MAC address can only be located on one port
    • Default of 1 MAC address allowed
      • Can be configured manually
        • Command:
          • (config-if)#switchport port-security maximum <1 - 6144>
    • Methods to learn MAC addresses
      • Statically configured
        • Command:
          • (config-if)#switchport port-security mac-address <mac address>
      • Learned dynamically
        • Default option
        • MAC addresses time out after the default period of inactivity
          • Can be configured
            • Command:
              • (config-if)#switchport port-security aging time <1-1440 minutes>
              • (config-if)#switchport port-security aging type inactivity
      • Sticky
        • Once learned, the MAC address is written to the running configuration (save it to keep it across a reload)
        • Command:
          • (config-if)#switchport port-security mac-address sticky
    • Trunk ports
      • Port limit is the aggregate across all VLANs
      • Per-VLAN limits are also supported (default unlimited)

Port Security Violation Modes

  • 3 violation modes
    • Shutdown
      • Default mode
      • Moves interface to err-disable state
    • Protect
      • Violators cannot send any traffic
      • Disables MAC learning once the limit is reached
    • Restrict
      • Violators cannot send any traffic
      • Generates an SNMP trap/syslog message
  • Configured manually
    • Command:
      • (config-if)#switchport port-security violation [shutdown | protect | restrict]
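The commands from the port-security sections above, combined into one working configuration. This is an added example, not part of the original notes: the interface names, VLAN 10 and the 300-second recovery interval are assumed values. One desk port is locked to a single sticky-learned address with the default shutdown mode; a second port allows two dynamically learned addresses with inactivity aging and uses restrict mode so the port stays up while the violator is dropped and logged; errdisable recovery brings a shut-down port back without manual intervention.

```cisco
! Added example, not from the original notes. Interface names, VLAN and
! the recovery interval are assumed values.
configure terminal
 ! Global: let ports shut down by a psecure-violation recover on their own
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300
 !
 ! Desk port: one device, learned once and kept (sticky), default shutdown mode.
 ! Port security is refused on a dynamic (DTP) port, so fix the mode first.
 interface GigabitEthernet0/1
  switchport mode access
  switchport access vlan 10
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address sticky
  switchport port-security violation shutdown
 !
 ! Shared port: two dynamic MACs, aged out after 60 minutes of silence;
 ! restrict mode keeps the port up but drops the violator and logs it.
 interface GigabitEthernet0/2
  switchport mode access
  switchport access vlan 10
  switchport port-security
  switchport port-security maximum 2
  switchport port-security aging time 60
  switchport port-security aging type inactivity
  switchport port-security violation restrict
 end
! Sticky addresses live in the running config; save them or they are lost on reload.
copy running-config startup-config
! Verify
show port-security interface GigabitEthernet0/1
show port-security address
show errdisable recovery
```

Restrict is the mode to prefer on ports where a trip to the wiring closet is expensive: the counter in `show port-security interface` and the syslog message still tell you a violation happened, but the legitimate host keeps working. Shutdown is the right choice where any unexpected device should take the port down until someone looks at it.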

Port Protection

  • Similar to Private-VLANs
  • Default port configuration is unprotected
  • Enabled on individual interfaces
    • Command:
      • (config-if)#switchport protected
  • Protected ports cannot communicate with each other, even in the same VLAN
    • Protected ports can only communicate with unprotected ports
  • Configuration is limited to the local switch (protected ports on different switches can still reach each other)
  • Traffic between protected ports must be forwarded through a Layer 3 device
  • Unknown unicast and multicast flooding is allowed by default
    • Frames are flooded because MAC address learning has not yet produced an entry for the destination
    • Flooding can be disabled per interface
      • Command:
        • (config-if)#switchport block [unicast | multicast]

Static CAM Table Entries

  • MAC address entries can be explicitly configured in global configuration
  • Static entries are fixed to a specific port and VLAN and never age out
  • Can be used for null routing at Layer 2 (black-holing a MAC address)
    • Use the drop keyword in place of the interface
  • Command:
    • (config)#mac address-table static <mac address> vlan <vlan-id> {interface <interface> | drop}

Storm Control

  • Applies a policer to limit traffic ingressing a port
  • Can be configured per traffic type:
    • Unicast
    • Multicast
    • Broadcast
  • Default level is a percentage of the interface link speed, not the configured bandwidth (absolute pps or bps thresholds can be used instead)
  • Configured on individual interfaces
    • Command:
      • (config-if)#storm-control [unicast | multicast | broadcast] level {<level%> [<lower level%>] | pps <pps> [<lower pps>] | bps <bps> [<lower bps>]}
  • Can define the action taken when a storm is detected (the default is to drop the excess traffic)
    • Command:
      • (config-if)#storm-control action [shutdown | trap]
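The Port Protection, Static CAM Table Entries and Storm Control sections combined on a guest VLAN. This is an added example, not from the original notes: VLAN 20, the interface range and the MAC address are constructed values. Guest ports are protected from each other, do not receive flooded unknown unicast or multicast, carry storm-control thresholds that raise a trap instead of shutting the port, and one known address is black-holed with a static drop entry.

```cisco
! Added example, not from the original notes. VLAN, interfaces and the
! MAC address are constructed values.
configure terminal
 ! Static CAM entry: frames with this MAC as source or destination in VLAN 20 are dropped
 mac address-table static 0000.0c12.3456 vlan 20 drop
 !
 interface range GigabitEthernet0/10 - 12
  switchport mode access
  switchport access vlan 20
  ! Guests cannot talk to each other; only to the unprotected uplink/gateway port
  switchport protected
  ! Do not flood unknown unicast or multicast onto these ports
  switchport block unicast
  switchport block multicast
  ! Broadcast: police at 1% of link speed, lift the policer below 0.5%
  storm-control broadcast level 1.00 0.50
  ! Multicast: absolute packets-per-second thresholds instead of a percentage
  storm-control multicast level pps 2000 1000
  ! Send an SNMP trap when a storm is detected rather than err-disabling the port
  storm-control action trap
 end
! Verify
show storm-control GigabitEthernet0/10
show interfaces GigabitEthernet0/10 switchport
show mac address-table static
```

The falling threshold matters: without it the policer releases as soon as traffic dips under the single level and a bursty storm flaps on and off. With `storm-control action trap` the port keeps forwarding conforming traffic during the storm; choose `shutdown` only where the errdisable recovery timer (or an operator) is expected to bring the port back.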

DHCP Snooping

  • Prevents DHCP spoofing (rogue DHCP servers)
  • Creates a DHCP Snooping Binding Table, held on the switch as a database
    • Holds IP, MAC and interface bindings
  • The DHCP Snooping Binding Table can be used by DAI or IP Source Guard
  • Enabled globally, then per VLAN
    • Command:
      • (config)#ip dhcp snooping
      • (config)#ip dhcp snooping vlan <vlan-list>

  • The switch has two different port settings:
    • Trusted ports
      • Link towards the real DHCP server (or the uplink leading to it)
      • Allowed to pass DHCP Offer packets
      • Command:
        • (config-if)#ip dhcp snooping trust
    • Untrusted ports
      • Interfaces not pointing towards the DHCP server
      • Any DHCP Offer seen on the port is dropped
      • Default interface configuration

  • DHCP Snooping can rate limit the number of DHCP messages received from a client
    • Based on a per-second rate
    • Configured on the physical interface (exceeding the rate err-disables the port)
    • Command:
      • (config-if)#ip dhcp snooping limit rate <1-2048>

  • DHCP Snooping inserts the DHCP relay agent information option (option 82)
    • The packet reaches the server with option 82 set but an empty “giaddr” field
    • Cisco IOS DHCP servers reject these packets
    • Option insertion can be disabled on the switch
      • Command:
        • (config)#no ip dhcp snooping information option
    • Alternatively, the DHCP server can be configured to trust the empty giaddr field

Dynamic ARP Inspection

  • Uses the DHCP Snooping Binding Table to perform ARP packet inspection
    • ARP packets that do not conform to the table are dropped
  • Prevents ARP poisoning
    • Inspects ARP reply packets
      1. Checks the sender IP/MAC binding against the DHCP Snooping Binding Table
      2. Checks the static bindings table (ARP access list)
      3. Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP reply
      4. Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP message

  • Enabled per VLAN
    • Command:
      • (config)#ip arp inspection vlan <vlan-id>
  • Individual ports can be trusted and not inspected
    • Normally the same interfaces as the DHCP Snooping trusted interfaces (uplinks)
    • Command:
      • (config-if)#ip arp inspection trust

  • Static ARP access lists can map IP addresses to MAC addresses for hosts that have no DHCP binding
    • Configuration:
      • (config)#arp access-list <name>
      • (config-arp-nacl)#[permit | deny] ip host <sender IP> mac host <sender MAC> [log]
      • (config)#ip arp inspection filter <access list name> vlan <vlan-id>

IP Source Guard

  • Prevents IP address spoofing
  • Works in conjunction with DHCP Snooping
  • Uses the DHCP Snooping binding database to filter source IP addresses on an interface
    • Static bindings can be created for hosts with fixed addresses
      • Command:
        • (config)#ip source binding <mac> vlan <vlan-id> <ip address> interface <IF>
  • Requires DHCP Snooping to be enabled globally (there is no separate global IP Source Guard command)
    • Command:
      • (config)#ip dhcp snooping
  • Configured on untrusted ports
  • Enabled on individual interfaces
    • Command:
      • (config-if)#ip verify source
  • Can enable checking of both the source IP address and the source MAC address
    • Requires Port Security to be enabled on the port
    • Commands:
      • (config-if)#switchport port-security
      • (config-if)#ip verify source port-security

  • Verification commands:
    • #show ip verify source – Displays the IP Source Guard filter status per interface
    • #show ip source binding – Displays the DHCP Snooping and static bindings used by IP Source Guard
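The DHCP Snooping, Dynamic ARP Inspection and IP Source Guard sections above deployed together on one VLAN, since all three share the binding table. This is an added example, not from the original notes: VLAN 10, the interface names, the rate limit, the printer's address and MAC, and the ACL name STATIC-HOSTS are assumed values.

```cisco
! Added example, not from the original notes. VLAN, interfaces, rate limit,
! the printer's IP/MAC and the ACL name are assumed values.
configure terminal
 ! DHCP snooping: enable globally, then on the VLAN
 ip dhcp snooping
 ip dhcp snooping vlan 10
 ! Only needed if the DHCP server rejects option 82 with an empty giaddr
 no ip dhcp snooping information option
 !
 ! DAI on the same VLAN; the validate keywords add the Ethernet/ARP header
 ! consistency checks (steps 3 and 4 in the notes) to the binding check
 ip arp inspection vlan 10
 ip arp inspection validate src-mac dst-mac ip
 !
 ! Uplink toward the real DHCP server: trusted for both snooping and DAI
 interface GigabitEthernet0/24
  switchport mode trunk
  ip dhcp snooping trust
  ip arp inspection trust
 !
 ! Access ports stay untrusted (the default); rate limit client DHCP traffic
 ! and enable IP Source Guard with the MAC check, which needs port security
 interface range GigabitEthernet0/1 - 8
  switchport mode access
  switchport access vlan 10
  ip dhcp snooping limit rate 15
  switchport port-security
  ip verify source port-security
 !
 ! A printer with a fixed address never gets a DHCP lease, so give it a
 ! static source binding (IP Source Guard) and a static ARP entry (DAI)
 ip source binding 0000.5e00.5301 vlan 10 10.0.10.50 interface GigabitEthernet0/8
 arp access-list STATIC-HOSTS
  permit ip host 10.0.10.50 mac host 0000.5e00.5301
 ip arp inspection filter STATIC-HOSTS vlan 10
 end
! Verify
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip verify source
show ip source binding
```

Order matters on a VLAN that is already in service: trust the uplink in the same session in which snooping is enabled, otherwise the server's Offers are dropped at the uplink and clients cannot renew. Likewise, enabling `ip verify source` on a port whose host already holds a lease the switch never saw blocks that host until it renews; a static binding (or a forced renew) covers the gap.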

Troubleshooting Commands

  • show interfaces status – Displays the status of all interfaces (err-disabled ports are listed with that status)
  • show errdisable recovery – Displays which error causes are configured for automatic recovery, and the recovery timer
  • show errdisable detect – Displays which error causes are configured to be detected
  • show storm-control [<interface>] – Displays storm control thresholds and state for an interface