An attacker's task becomes much easier once they can connect to the network they want to attack. Ethernet LANs are particularly exposed because switch ports are enabled and usable by default: anyone who plugs into an unused port gets a link. That opens the door to layer 2 attacks such as denial of service (for example, flooding the switch's MAC address table) and MAC address spoofing. The network is only as safe as the administrator's control over who can use each port. Cisco IOS provides the port-security feature for exactly this purpose: by preventing unauthorised devices from using switch ports, it raises layer 2 security considerably.
Securing a port involves two decisions:
- Limit the number of MAC addresses allowed on a single switch port. If more than the permitted number of MAC addresses are learned on that port, the configured action is taken.
- Decide what happens when an unauthorised device is detected: at a minimum the offending traffic is discarded, and preferably a log message is also generated so that the unauthorised access is visible to the administrator.
Port security –
Switches learn source MAC addresses from frames arriving on a switch port. With port security, a user can limit how many MAC addresses a port may learn, pin static MAC addresses to the port, and define the penalty the port applies when an unauthorised device uses it. The penalty is selected with the violation mode: protect, restrict or shutdown.
Let’s discuss these violation modes:
- protect – Once the maximum number of secure MAC addresses has been reached, frames with an unknown source MAC address are silently dropped until enough secure MAC addresses are removed to fall below the maximum. No log message, counter update or trap is produced, so a violation in this mode can go unnoticed.
- restrict – Same dropping behaviour as protect, but in addition the switch generates a log message, increments the violation counter and sends an SNMP trap.
- shutdown – The default and usually the preferred mode: on a violation the port is placed in the error-disabled (err-disabled) state immediately, a log message is generated, the violation counter is incremented and an SNMP trap is sent. The port stays down until the administrator issues "shutdown" followed by "no shutdown" on the interface, or until errdisable recovery brings it back automatically if that has been configured.
- sticky – This is not a violation mode. The sticky keyword provides static MAC address security without the administrator typing the addresses by hand: addresses learned dynamically are converted to secure static entries and written into the running-configuration. For example, with a maximum of 2, the first 2 MAC addresses seen on the port are recorded; when a third device tries to use the port, the configured violation mode applies. Sticky addresses survive a reboot only if the running-configuration is saved to the startup-configuration.
Note – Port security cannot be enabled on a port whose switchport mode is dynamic (the default on many Catalyst switches, which negotiates trunking via DTP). Before enabling port security, set the port statically, normally as an access port.
Applying port security on interface fa0/1 of switch S1. First convert the port to an access port, then enable port security:
S1(config)#int fa0/1
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
Use the sticky keyword so that the port learns MAC addresses dynamically, set the limit, and choose the action to take on a violation:
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#switchport port-security maximum 2
S1(config-if)#switchport port-security violation shutdown
If the user wants a static entry instead, configure it by stating the MAC address explicitly. IOS expects the address in dotted-triplet form (aabb.ccdd.eeff), not colon-separated or two-digit-dot form; with the default maximum of 1, only this address is permitted on the port:
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security violation shutdown
S1(config-if)#switchport port-security mac-address aabb.ccdd.eeff
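The steps above put together as one complete configuration, plus the verification and recovery commands a practitioner would want. This is an added example, not the original page's command listing: it assumes switch S1 with interface fa0/1 as a sticky port for two hosts and fa0/2 as a port pinned to a single static host, the MAC address 0011.2233.4455 is a constructed placeholder, and the errdisable recovery and show commands are standard IOS commands not shown in the text above.

```cisco
! Added example: port security on two access ports of switch S1
! (interface names and the MAC 0011.2233.4455 are assumed placeholders)

! fa0/1: up to two devices, learned dynamically and made sticky
S1(config)#interface fa0/1
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 2
S1(config-if)#switchport port-security violation shutdown
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#exit

! fa0/2: exactly one permitted device, configured statically
! (maximum defaults to 1, stated explicitly here for clarity)
S1(config)#interface fa0/2
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 1
S1(config-if)#switchport port-security violation restrict
S1(config-if)#switchport port-security mac-address 0011.2233.4455
S1(config-if)#exit

! Optional: let err-disabled ports recover on their own after 300 seconds,
! instead of waiting for an administrator to bounce the interface
S1(config)#errdisable recovery cause psecure-violation
S1(config)#errdisable recovery interval 300
S1(config)#end

! Sticky addresses live only in running-config until saved
S1#copy running-config startup-config

! Verification: violation counts, learned/secure addresses, recovery timers
S1#show port-security
S1#show port-security interface fa0/1
S1#show port-security address
S1#show errdisable recovery

! Manual recovery after a shutdown-mode violation on fa0/1
S1#configure terminal
S1(config)#interface fa0/1
S1(config-if)#shutdown
S1(config-if)#no shutdown
S1(config-if)#end
```

The two ports deliberately use different violation modes: shutdown on the sticky port makes a violation impossible to miss, while restrict on the static port keeps the legitimate host online and still logs and traps the attempt. Whichever mode is chosen, the "show port-security" output is what tells you a violation has happened, so it belongs in routine checks.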