It's been a couple of months since I've posted, so today we're going to play catch-up. Right now you know how to securely log in to your Cisco devices using SSH (and TACACS+). Today we're going to make sure that no one else can just walk into your building and start plugging in unauthorized devices.
We're going to start with Port-Security. Port-security is part of Cisco's best practice and it should be one of the first things that you do when you set up your Catalyst switch. For this lesson, I'm going to be using a Catalyst 3750 PoE-48 running c3750-ipbasek9-mz.122-25.SEE2 as the test bed.
The reason we want to run Port-Security is because this is where your network security starts at Layer 2. Your Layer 1 security should already be in place, in the sense that you don't just give Joe Blow off the street access to plug into the network. Any unused ports should be in SHUTDOWN! Only, and I mean ONLY, those ports that are currently being used should be active. But then Joe Blow decides to unplug a PC and plug his laptop in. BAD Joe! To stop Joe from doing this, plug this into your config:
Switch (config-if)#switchport port-security
WAIT! Don't get carried away. Let's discuss the best way to do this first. There's a good chance that there are some "dumb" switches and hubs on your network, not to mention the phones, PCs, printers, etc. There are a couple of ways you can go about figuring out what's out there. The way I do it (probably not the best way, but it sure is easy) is to enter the following commands, in order.
Switch# config terminal
Switch (config)# interface range FastEthernet0/1 - 48 (on a stack, use FastEthernet1/0/1 - 48, FastEthernet2/0/1 - 48, etc.)
Switch (config-if-range)# switchport port-security violation restrict
Switch (config-if-range)# switchport port-security maximum 24
Switch (config-if-range)# switchport port-security mac-address sticky
Switch (config-if-range)# switchport port-security
What we just did was put port-security on all the ports on the switch with a maximum of 24 MACs per port, and on a violation we don't shut down the port. I let this run for about a week. This builds a nice MAC table, so when you run the command "show port-security" you can find out what's out there. The "mac-address sticky" will write the MAC addresses to the startup config so they don't have to be learned again. Let's look at a "show port-security" output now...
Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1             24            1                  0         Restrict
      Fa0/2             24            1                  0         Restrict
      Fa0/3             24            3                  0         Restrict
      Fa0/4             24            1                  0         Restrict
      Fa0/5             24            2                  0         Restrict
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 655
As you can see, we've got a couple of ports with only one thing plugged into them and a couple with more than one. Port fa0/3 has a PC and a Cisco 7960 plugged into it, and port fa0/5 has a "dumb" switch. The reason fa0/3 is showing 3 MAC addresses is that the phone has to be on both the data and voice VLANs. When the phone boots, the switch treats it as a data device until CDP tells it to move to the Voice VLAN. That's 2 MACs (phone on data and phone on voice), plus the PC on the data VLAN. Putting the violation mode into "Restrict" rather than the default of "shutdown" keeps the port alive during a violation and sends you an SNMP trap.
Now we know what's on our network, so let's button things down. You can go back through the interfaces and reduce the maximum number of MACs allowed to what's already there. On a rather static Cisco VoIP network, this number will be 3. The commands are:
Switch# config t
Switch (config)# int fa0/3
Switch (config-if)# switchport port-security maximum 3
Switch (config-if)# switchport port-security violation shutdown
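Doing that by hand for 48 ports gets old fast. Here is an added example (not from the original post) that parses the survey output from "show port-security" and generates the per-port tightening commands, using the learned count as the new maximum so a phone-plus-PC port keeps its 3; the sample output is constructed from the table above, with an extra made-up row Fa0/6 standing in for a port with a hub behind it that should be reviewed rather than locked down.

```python
import re

# Constructed sample of "show port-security" output, modelled on the table
# in the post; Fa0/6 is an extra made-up row standing in for a port with a
# hub or unmanaged switch behind it.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1             24            1                  0         Restrict
      Fa0/2             24            1                  0         Restrict
      Fa0/3             24            3                  0         Restrict
      Fa0/4             24            1                  0         Restrict
      Fa0/5             24            2                  0         Restrict
      Fa0/6             24            9                  0         Restrict
Total Addresses in System (excluding one mac per port)     : 11
Max Addresses limit in System (excluding one mac per port) : 655
"""

# One data row: port, max, current, violations, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s*$")


def parse_port_security(text):
    """Map each secure port to (max, current, violations, action)."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, (Count) and Total/Max lines never match
            port, mx, cur, viol, action = m.groups()
            ports[port] = (int(mx), int(cur), int(viol), action)
    return ports


def tighten_config(ports, hub_threshold=4):
    """Per-interface commands lowering 'maximum' to the learned count and
    setting the action to shutdown; ports above hub_threshold look like
    hubs/dumb switches and are returned for manual review instead."""
    cmds, review = [], []
    for port, (_mx, cur, _viol, _action) in ports.items():
        if cur > hub_threshold:
            review.append(port)
            continue
        cmds += [f"interface {port}",
                 f" switchport port-security maximum {max(cur, 1)}",
                 " switchport port-security violation shutdown"]
    return cmds, review


if __name__ == "__main__":
    cfg, review = tighten_config(parse_port_security(SHOW_PORT_SECURITY))
    print("\n".join(cfg), "\nreview manually:", review)
```

Paste the generated lines into config mode after checking the review list; anything flagged there still needs a human decision about how many devices legitimately sit behind it.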
Now port security is running, and it's going to shut down the port during a violation. I prefer to leave it in shutdown with no aging on it, so I have to physically reactivate the port after a violation. Now let's look at what happens when Joe Blow plugs into your network...
Joe Blow walks into your building, unplugs the computer of a user who is on vacation, and plugs his laptop in. Joe is up to no good. The second he plugs the laptop in, the switch checks the MAC address against the MAC table it built for that port, sees that Joe's laptop is NOT supposed to be plugged into that port, and shuts the port down. It then sends an SNMP trap to your NMS server (or whatever) alerting you to the fact that there's a port-security violation. You bust Joe Blow, your boss showers you with 4 extra weeks of vacation for a job well done, and they throw a ticker-tape parade for you in Times Square. Well, maybe not, but you'll have better security than you had before!
This is all fine and dandy, as long as Joe Blow doesn't know how to spoof a MAC address. If he does, we'll have to use DHCP Snooping and Dynamic ARP Inspection (DAI) to avert this. Guess what the next article will be about?