Security

Lock down Cisco switch port security

One way to boost network security is to use Cisco's Port Security feature to lock down switch ports. Learn the basics of port security, and find out how to configure this feature.

A growing challenge facing network administrators is determining how to control who can access the organization's internal network -- and who can't. For example, can anyone walk into your office, plug in a laptop, and access your network? You might argue that the wall jack has no connection to a switch, but couldn't someone just pull the Ethernet cable from a working PC and connect to the network that way?

You might think this an unlikely scenario, but it does happen. At my organization, we had salesmen coming in to demo products, and they would just pull the Ethernet jack off a PC and connect it to their laptop, hoping to get Internet access.

The idea that anyone could just come in and access our network scared me -- and the possibility should scare you too. What frightened me the most were the various viruses or worms that their PCs might contain. Remember, not everyone recognizes the importance of effective security measures, and you don't want to trust your network's security to their apathy.

I turned to switch port security to help solve the problem. Let's look at how you can use Cisco's Port Security feature to protect your organization.

Understand the basics

In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security disables the port (it goes into the err-disabled state). Most of the time, network administrators also configure the switch to send an SNMP trap to their network monitoring system saying that the port has been disabled for security reasons.

Of course, implementing any security solution always involves a trade-off -- most often, you trade increased security for less convenience. With port security, you keep unknown devices off the network; that is the security gain.

However, as you know, there's usually a downside. In this case, it's that the network administrator is the only one who can "unlock" the port, which can cause problems when there are legitimate reasons to change out devices. Keep in mind, too, what port security does and doesn't check: it looks only at the source MAC address of incoming frames, which a visitor can set on a laptop to match the PC they just unplugged. It stops the casual plug-in, not a determined attacker, so treat it as one layer and not as your only control.

Configure port security

Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the port-security Interface Mode command. Here's an example:

Switch# config t

Switch(config)# int fa0/18

Switch(config-if)# switchport port-security ?

aging Port-security aging commands

mac-address Secure mac address

maximum Max secure addresses

violation Security violation mode

Switch(config-if)# switchport port-security

Switch(config-if)#^Z

By entering the most basic command to configure port security, we accepted the default settings of only allowing one MAC address, determining that MAC address from the first device that communicates on this switch port, and shutting down that switch port if another MAC address attempts to communicate via the port. Note that an address learned this way is dynamic: it isn't written to the configuration, so the switch forgets it on a reload and learns again from the next frame it sees. But you don't have to accept the defaults.

Know your options

As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:

  • switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addresses -- one for each device. The maximum number of secure MAC addresses per port is 132.
  • switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when a frame arrives from a MAC address that isn't one of the port's secure addresses once the maximum has been reached (or from an address that is already secured on another port). The default, shutdown, err-disables the port, which also generates a log message and, if configured, an SNMP trap. With restrict, the port stays up: frames from the unknown address are dropped, the violation counter is incremented, and a log message and trap are sent so the administrator is alerted. With protect, the port also stays up and drops frames from unknown addresses, but silently, with no count, log, or trap -- so you won't know it happened.
  • switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.

Of course, you can also configure port security on a range of ports. Here's an example:

Switch# config t

Switch(config)# int range fastEthernet 0/1 - 24

Switch(config-if-range)# switchport port-security

However, you need to be very careful with this option if the range includes an uplink or trunk port that carries traffic from more than one device. With the default maximum of one, the port secures the first MAC address it sees, and as soon as a second device sends a frame the port goes err-disabled and everything behind it loses connectivity. Check the range before you press Enter, and either leave uplinks out of it or set the maximum high enough for the devices behind the port.
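Putting these options together, here is a complete configuration as an added example (it is not from the original article or from Cisco's documentation): a desk port with two devices behind it, a port feeding a small office hub, and an uplink deliberately left out of port security. The interface names, VLAN number, device counts and timer values are assumptions chosen for illustration; adjust them to your switch.

```cisco
! Added example, not from the original article. Interface names, VLAN,
! counts and timers are assumptions for illustration.
!
! Desk port: a PC plugged into an IP phone, so two addresses are expected.
interface FastEthernet0/18
 description Desk 18 - PC behind IP phone
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ! restrict: drop frames from unknown MACs, count the violation and send
 ! a log message/trap, but keep the port up for the known devices.
 switchport port-security violation restrict
 ! sticky: learned addresses are copied into the running-config as
 ! "switchport port-security mac-address sticky <mac>" lines, so they
 ! survive a reload once you "write memory".
 switchport port-security mac-address sticky
!
! Port for a small shared hub in an office: raise the maximum to the
! number of devices. Dynamic learning plus inactivity aging, so a device
! that is swapped out frees its slot after 60 idle minutes without an
! administrator clearing the port.
interface FastEthernet0/19
 description Shared office hub, 4 devices
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security aging time 60
 switchport port-security aging type inactivity
!
! Uplink to another switch: do NOT secure it. Many addresses appear here,
! and with the default maximum of 1 the second frame would err-disable it.
! Set the mode explicitly; port security is refused on a port left in
! dynamic mode.
interface FastEthernet0/24
 description Uplink to core
 switchport mode trunk
 no switchport port-security
!
! Let the switch re-enable a port err-disabled by a shutdown-mode
! violation after 5 minutes, so the "only the admin can unlock it"
! problem does not need a person at 2 a.m. The port will simply trip
! again if the offending device is still attached.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

The sticky and aging settings are put on different ports on purpose: sticky addresses are meant to persist, aging is meant to let addresses expire, and combining them on one port defeats the point of whichever you cared about.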

View the status of port security

Once you've configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To find out the status of port security on the switch, you can use the show port-security address and show port-security interface commands. Below are examples for each command's output:

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type             Ports     Remaining Age
                                                        (mins)
----    -----------       ----             -----     -------------
   1    0004.00d5.285d    SecureDynamic    Fa0/18    -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0004.00d5.285d
Security Violation Count   : 0
Switch#
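Once a violation has happened, the "unlock" step mentioned earlier is done from the same CLI. The following runbook is an added example, not part of the original article; it reuses the interface and MAC address from the output above, and the interface names are assumptions.

```cisco
! Added example, not from the original article. Interface names are
! assumptions. Privileged EXEC unless shown otherwise.
!
! 1. Which ports has port security taken down? A port shut by a
!    violation shows as err-disabled with reason psecure-violation.
show port-security
show interfaces status err-disabled
!
! 2. Which address tripped it? "Last Source Address" and the violation
!    counter are in the per-interface view; the syslog message is
!    %PORT_SECURITY-2-PSECURE_VIOLATION and names the MAC and port.
show port-security interface fa0/18
show logging | include PSECURE
!
! 3. Manual recovery: shut/no shut clears the err-disabled state.
!    Remove the offending device first, or the port trips again on
!    the next frame it sends.
configure terminal
 interface fa0/18
  shutdown
  no shutdown
 exit
!
! 4. Legitimate device swap on a port with a sticky address: remove the
!    old entry so the replacement PC can be learned, then save, or the
!    old sticky line comes back with the startup-config on reload.
 interface fa0/18
  no switchport port-security mac-address sticky 0004.00d5.285d
 end
write memory
!
! For a port using plain dynamic learning there is nothing in the config
! to remove; just flush the learned addresses on that port:
clear port-security dynamic interface fa0/18
```

Steps 3 and 4 are what the helpdesk needs when a PC is replaced, so either document them for that team or, as in the earlier example, let errdisable recovery handle the shut/no shut part automatically.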

For more information on switch port commands and configuring the Port Security feature, check out Cisco's Enabling Port Security documentation for the Catalyst 2950. What steps have you taken to lock down switch port security? Share your tips in this article's discussion.

David Davis has worked in the IT industry for more than 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.


21 comments

nabaruma

How do you enable multiple MAC addresses to be mapped to several ports?

karaminejad

Dear David Davis; I read your article, but I have a question: in a LAN, if someone copies the MAC address with a MAC changer, they can connect to the LAN and make some problems. So if our LAN users are members of a domain and connect to the network with a Windows username and password, how can we use these properties to secure the LAN? It means if a user connects a laptop to our LAN, the switch doesn't let him get an IP and connect to the network, and the port automatically shuts down. Is it possible?

madhukar_m

I tried to add my PC MAC address to access the VLAN port, but it shows me disabled, not working. How do I enable it?

interface GigabitEthernet1/0/1
 description ******
 switchport access vlan 20
 switchport mode access
 switchport port-security violation protect
 switchport port-security mac-address 0011.5bf4.4d45

abc#sh port-security interface gigabitEthernet 1/0/1
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

EEnglish34

Great info as always. I've used this in several high security situations (banks, schools, etc.) Works great!

robert.sebastian

Have found the command switchport port-security mac-address sticky helpful when tracking or wanting to know what was the last machine connected to a particular port.

royhayward

There is this old story, that may not be entirely apocryphal, about the company that spent a million dollars to buy laptops for all of their employees so that they could be more efficient and take their PCs to meetings and such. And then there was the IT security guy that came around and chained them all to the desks to prevent theft. Port security is kinda like that.

There may be places where this is a great idea. I am thinking of public areas where people enter and exit without being monitored, like a library or university computer lab. The constant shuffle of people would make it an attractive place to try and plug in your laptop to get some free high-speed to download updates, or that movie. But at all the places that I have worked (and that is quite a few) we had conference rooms where people would bring laptops (employees, company laptops, etc.) and need to plug them in. Port securing these areas is just a headache for everyone.

I once worked where we had an overzealous IT security guy. He enabled port security across the board. After that, there were a few people that happened to have been the first in the conference room that could have effective meetings there. And our 'hotel' cubes and offices for out-of-town employees and execs were soon 'taken' by those first visitors. You couldn't even rearrange your cube (most of us had more than one PC, I had 5) without getting IT approval and cooperation.

If you feel that your physical assets are at risk of someone plugging in their infected PC, announce your concerns and what you want to do. Clearly mark out the areas that will need port security. If you have vendors coming in, it would be nice to provide them a place to set up. Designate one of the 'hotel' cubes or offices as a 'Vendor' office where the Internet is available, but company assets are not. In this day and age, expecting vendors to come on site and spend serious training or support time without Internet access seems a bit behind the times. And just saying that there is a PC they can use may not cut it. They may not be able to access their assets without their VPN client, etc.

By the way, the systems on your network should all have virus scanners and firewalls to protect them from Joe down the hall installing a widget with a virus too. If you are relying on his registered MAC address to provide protection from these threats, you will be disappointed. Let's see if there is a way to satisfy the security needs without the chains of port security. Port security is so inconvenient for wide-ranged deployment that it should be kept as a last resort.

randallkeels

# config t
# int g1/0/1
# switchport port-security
# exit
# sho port-security int g1/0/1
# wri mem

atabrich

I've read all the answers about LAN access security. What about a NAC solution? I've found Cisco NAC and the CONSENTRY NAC. It seems like these two solutions can solve the problem, but of course they are too expensive. So please, can you teach me more about the ACL???

alkesh.patel

Had this configured at our old office building. Absolute hell! With 600+ users and departments constantly changing in size and location, as well as Helpdesk staff having to constantly change faulty PCs, it was an absolute nightmare. We are now looking at Cisco NAC. Guess what? Cisco cannot get it to work with the "configuration" we have. Easier to have physical security in the building with wireless access to the Internet only. Websense and firewalls take care of the required level of access and still allow visitors to VPN into their company network to pull down presentations or just e-mail. Cisco Wireless seems to do the trick.

lesko

Port security is overkill for small shops unless you have lots of publicly accessible ports. For larger shops it's great for keeping track of assets. What our desktop group typically runs into is they try to fix a failed machine only to find out that it had moved to a different desk somewhere in the building. Port security will limit moves, as that machine will not work in another area (as long as it's on the same switch). The issue of conference rooms is only an issue if you do not plan it well. We have a Perl script with a web front end that activates and deactivates ports for conference rooms, and we give the helpdesk access to this. We have a label on conference room ports that says to phone the helpdesk if you need the port activated. We currently use this system with 2000+ ports, and on the web front end we have about 100+ ports that the helpdesk turns off and on. It's a crude version of NAC, but it's simpler; it does not have all the bells and whistles like virus signature checking, etc., but it is free. There is also a new feature on the switches, I was told, where if you enable the web server you can have some sort of authentication you run with LDAP as its source, although I don't know anyone using this nor have I tried it myself. If you are interested in our web front end, just email me.

-Q-240248

I saw 802.1x as an answer here, so I won't mention that. You forget the biggest risk, however, to opening your internal network to just anyone: they have access to your internal resources. Firewalls and AV are now ineffective. There are of course easier methods to securing the network; one of them is to VLAN the conference rooms and wireless networks so that they only get to the Internet. They don't need access to the internal network, and if they do, then they should be employees and then you should use 802.1x. I agree though, locking down the ports to MAC addresses is just too cumbersome and annoying.

wilsonb

How about dynamic VLAN assignment? It assures that any new device won't be able to communicate without being approved by security and added to the MAC table and associated with the correct VLAN the user needs. This would also allow them to move their devices to anywhere in the same VTP domain and have the same access. Honestly though, most mobile computers are utilizing wireless these days, and you can always have a MAC ACL for that as well.

eharris

This does solve a significant problem that I have been struggling with. I run a highly locked-down environment. While I have accepted the defaults for port-security (that being a single MAC over a port), I have struggled with having to break network teaming on my servers, as teaming forces multiple MACs to be consolidated across all NICs in the team. Now I can re-enable the NIC resiliency and not have to worry about the port on the switch shutting down. The "maximum" command is just what I have been looking for. Thanks for the tip and keep up the good work.

giadich

I am not against granting access to business partners/visitors, but at the same time I also promote secure access. Port security, if done right, can greatly benefit your company. There are options that allow you to configure port security to meet your business needs. The question is "what do you need and how much are you willing to spend to accomplish that?" As with port security, you can configure a server to manage network access where you can centrally store MAC addresses and determine whether they are your own or not and grant access from there. This solution is not cheap though. For a small-sized company, I would say VLAN and ACL is the way to go.

trisol

At last a voice of reason! I thought that IT systems were developed to make the ability to conduct business and exchange ideas easier. Unfortunately the vast majority of "IT Empire Builders" and security zealots seem intent on the reverse. Most people I have come across on a daily basis are honest and genuine enough to use IT facilities as they are intended. The conspiracy theory that everyone is out to bring down your network and infect your systems seems to be propagated by such individuals. While I concede there are those out there that do want to perform such anarchy, I believe if they succeed it is your fault for firstly failing to validate them before inviting them in. We manage a small IT network for a client and from the start we took the approach of "why not?" Why not allow people to connect when on site? Why not allow them to access the Internet in the course of their business? etc. We then set about implementing policy and procedures to ensure such access was controlled and monitored. In 3 years we have not suffered any problem of any kind and only receive praise for how easy it is to conduct business. Understand we are not lax in our approach; we have the usual security measures of virus protection, firewalls, secure VPN etc. It's that we choose to implement them slightly differently from the norm. More common sense and less paranoia please.

rick.dash

Port security can have an extreme overhead cost; however, it does stop the guy you do not know from coming into your network and plugging in to gain access without your knowledge. In some areas I have allowed two MAC addresses for those that have a desktop and a laptop. When these get changed, the PC folks send me an email telling me a PC has been replaced and I clear the MAC address table. One other overhead cost is to audit all switches at least once a month to close open ports, which I assign to a non-routed VLAN. What I have done for our conference rooms is to apply a web-access-only VLAN and an ACL that only allows web access to that port.

paul.stephenson

In this day and age, restricting ports in this way must be limited to but a handful of places where it would be the preferred option, and surely it falls over at MAC address spoofing. I'd like to see an article on here about 802.1x, which is something I'm working on implementing at the moment, as it addresses most if not all the issues with the above technology minus the obvious failings. I am currently having problems with guest access for 802.1x-capable devices for visitors.

matthew_ottoson

We are trying to get port security on our switches. The problem is that we are testing it on a port that is connected to another switch that is unused. We were able to get it up and running, but now, as long as port security is enabled, the port will shut down. Even though the switch connected to the port has the same MAC listed as the only one allowed.

sollis

www.freenac.net - it's beautiful. It works. Its free.

nowakowsky

One thing that is not mentioned is that when port security is turned on you start getting information on the number of devices connected to that port. We are not that strict with our security and often there is more than one person in an office where there is only one Ethernet line. A small switch helps increase the available ports for those type of situations.

-Q-240248

includes doing your security job of "due diligence". It's all about risk. If you feel the risk is not high enough to warrant authenticating/authorizing users who connect to your network, then that is a risk you have to live with. If an unscrupulous person is allowed access into your building, or is sitting out in the parking lot connecting to a rogue wireless AP on your network, and he hacks into your customer database and steals customer data, and then you find yourself in court with the judge asking your company if you could've prevented this type of thing, and your company says yes (because obviously you could've), then you did not perform your due-diligent duties of securing your network. But of course, you may not have any sensitive/confidential/GLB/SOX data to worry about.