- Port Security
You can use port security with dynamically learned and static MAC addresses to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.
A security violation occurs in either of these situations:
- When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic is different from any of the identified secure MAC addresses, port security applies the configured violation mode.
- If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, port security applies the configured violation mode.
Port security includes the secure addresses in the address table in one of these ways:
- You can statically configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
- You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
- You can statically configure a number of addresses and allow the rest to be dynamically configured.
If the port has a link-down condition, all dynamically learned addresses are removed.
- Sticky MAC Addresses
Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.
If you enter a write memory or copy running-config startup-config command, then port security with sticky MAC addresses saves dynamically learned MAC addresses in the startup-config file and the port does not have to learn addresses from ingress traffic after bootup or a restart.
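The rules above (the per-port maximum, the two violation conditions, the three violation modes, and what survives a link-down) are easier to see as a small model. The following is an added example, not code from the page or from Cisco; the `SecurePort` and `Switch` classes and their method names are this example's own assumptions, and the MAC addresses are constructed.

```python
"""Constructed model of port-security semantics: static, dynamic and sticky
secure MAC addresses, the per-port maximum, the violation modes and link-down
behaviour. Added example; class and method names are assumptions, not IOS."""
from dataclasses import dataclass, field
from typing import Dict

CONFIGURED, DYNAMIC, STICKY = "SecureConfigured", "SecureDynamic", "SecureSticky"


@dataclass
class SecurePort:
    name: str
    vlan: int = 1
    maximum: int = 1                  # switchport port-security maximum
    violation: str = "shutdown"       # protect | restrict | shutdown
    sticky: bool = False              # switchport port-security mac-address sticky
    table: Dict[str, str] = field(default_factory=dict)   # mac -> address type
    violation_count: int = 0
    errdisabled: bool = False

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: statically secure a MAC."""
        if mac not in self.table and len(self.table) >= self.maximum:
            raise ValueError(f"{self.name}: maximum secure addresses reached")
        self.table[mac] = CONFIGURED

    def violate(self) -> str:
        """Apply the configured violation mode; the frame is always dropped."""
        if self.violation == "protect":
            return "drop"             # silently dropped, not counted
        self.violation_count += 1     # restrict and shutdown both count it
        if self.violation == "shutdown":
            self.errdisabled = True   # port goes err-disabled
        return "drop"

    def link_down(self) -> None:
        """Dynamically learned addresses are removed; static and sticky survive."""
        self.table = {m: t for m, t in self.table.items() if t != DYNAMIC}


class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def ingress(self, port_name: str, mac: str) -> str:
        """Return 'forward' or 'drop' for a frame with source MAC `mac`."""
        port = self.ports[port_name]
        if port.errdisabled:
            return "drop"
        # Rule 2: a MAC secured on another secure port in the same VLAN is a violation.
        for other in self.ports.values():
            if other is not port and other.vlan == port.vlan and mac in other.table:
                return port.violate()
        if mac in port.table:
            return "forward"
        if len(port.table) < port.maximum:
            port.table[mac] = STICKY if port.sticky else DYNAMIC   # learn it
            return "forward"
        # Rule 1: table is full and the source MAC is not a secure address.
        return port.violate()


def demo() -> dict:
    """Walk through the situations described in the text; return what is observable."""
    sw = Switch()
    sw.add_port(SecurePort("Fa5/1", maximum=2, violation="restrict"))
    sw.add_port(SecurePort("Fa5/5", maximum=1, violation="shutdown"))
    sw.add_port(SecurePort("Fa5/11", maximum=1, violation="protect", sticky=True))
    sw.ports["Fa5/5"].add_static("0005.0005.0001")          # constructed MAC
    r = {}
    r["learn1"] = sw.ingress("Fa5/1", "0001.0001.0001")     # forward, learned dynamically
    r["learn2"] = sw.ingress("Fa5/1", "0001.0001.0002")     # forward, table now full
    r["third"] = sw.ingress("Fa5/1", "0001.0001.0003")      # drop, counted (restrict)
    r["fa51_violations"] = sw.ports["Fa5/1"].violation_count
    r["moved_mac"] = sw.ingress("Fa5/5", "0001.0001.0001")  # secured on Fa5/1 -> shutdown
    r["fa55_errdisabled"] = sw.ports["Fa5/5"].errdisabled
    r["sticky_learn"] = sw.ingress("Fa5/11", "0011.0011.0001")
    for p in sw.ports.values():
        p.link_down()
    r["fa51_after_linkdown"] = len(sw.ports["Fa5/1"].table)    # dynamic entries gone
    r["fa55_after_linkdown"] = len(sw.ports["Fa5/5"].table)    # static entry kept
    r["fa511_after_linkdown"] = len(sw.ports["Fa5/11"].table)  # sticky entry kept
    return r
```

Running `demo()` shows why sticky addresses matter operationally: after the link-down, Fa5/1 has to relearn everything, while Fa5/11 keeps its sticky entry and Fa5/5 its static one.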
Configuration:
- Enables port security on the port.
Router(config-if)# switchport port-security
- (Optional) Sets the violation mode and the action to be taken when a security violation is detected.
Router(config-if)# switchport port-security violation {protect | restrict | shutdown}
- Sets the maximum number of secure MAC addresses for the port (default is 1)
Router(config-if)# switchport port-security maximum number_of_addresses vlan {vlan_ID | vlan_range}
- Enables port security with sticky MAC addresses on a port.
Router(config-if)# switchport port-security mac-address sticky
- Configures a static MAC address as secure on the port.
Router(config-if)# switchport port-security mac-address [sticky] mac_address [vlan vlan_ID]
Note: Per-VLAN configuration is supported only on trunks.
- Configures the secure MAC address aging type on the port (default is absolute).
Router(config-if)# switchport port-security aging type {absolute | inactivity}
- Configures the secure MAC address aging time on the port. The aging_time range is 1 to 1440 minutes (default is 0).
Router(config-if)# switchport port-security aging time aging_time
Verification:
Router# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)        (Count)      (Count)
----------------------------------------------------------------------------
      Fa5/1             11           11                  0  Shutdown
      Fa5/5             15            5                  0  Restrict
     Fa5/11              5            4                  0  Protect
----------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
Router# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
Router# show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0001.0001.0001    SecureDynamic       Fa5/1   15 (I)
   1    0001.0001.0002    SecureDynamic       Fa5/1   15 (I)
   1    0001.0001.1111    SecureConfigured    Fa5/1   16 (I)
   1    0001.0001.1112    SecureConfigured    Fa5/1   -
   1    0001.0001.1113    SecureConfigured    Fa5/1   -
   1    0005.0005.0001    SecureConfigured    Fa5/5   23
   1    0005.0005.0002    SecureConfigured    Fa5/5   23
   1    0005.0005.0003    SecureConfigured    Fa5/5   23
   1    0011.0011.0001    SecureConfigured    Fa5/11  25 (I)
   1    0011.0011.0002    SecureConfigured    Fa5/11  25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128
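The verification output above is what an operator actually reviews, so it is worth being able to parse it and flag the states that matter: ports with a non-zero violation count, ports whose secure table is already full (the next unknown source MAC triggers the violation mode), and dynamically learned, non-sticky entries that will be lost on the next link-down. The code below is an added example, not part of the page or of IOS; the sample text is constructed from the page's output, with a violation count of 3 placed on Fa5/5, and the function names are this example's own.

```python
"""Added example: parse `show port-security` / `show port-security address`
output and report what an operator should look at. Sample text is constructed
from the page's output (3 violations added on Fa5/5); names are not IOS."""
import re
from typing import Dict, List

# Constructed sample: the page's summary output with 3 violations on Fa5/5.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)        (Count)      (Count)
----------------------------------------------------------------------------
      Fa5/1             11           11                  0  Shutdown
      Fa5/5             15            5                  3  Restrict
     Fa5/11              5            4                  0  Protect
----------------------------------------------------------------------------
Total Addresses in System: 20
Max Addresses limit in System: 128
"""

# Constructed sample: a subset of the page's address table.
SHOW_PORT_SECURITY_ADDRESS = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0001.0001.0001    SecureDynamic       Fa5/1   15 (I)
   1    0001.0001.0002    SecureDynamic       Fa5/1   15 (I)
   1    0001.0001.1111    SecureConfigured    Fa5/1   16 (I)
   1    0001.0001.1112    SecureConfigured    Fa5/1   -
   1    0005.0005.0001    SecureConfigured    Fa5/5   23
-------------------------------------------------------------------
Total Addresses in System: 5
"""

# One data row of the summary: port, three counters, action.
PORT_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s*$")
# One data row of the address table: vlan, dotted MAC, type, port, age, optional (I).
ADDR_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)"
    r"\s+(\S+)\s+(\S+)(?:\s+\((\w)\))?\s*$", re.IGNORECASE)


def parse_port_summary(text: str) -> List[Dict]:
    """Extract the per-port rows; header, separator and total lines do not match."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": m[1], "max": int(m[2]), "current": int(m[3]),
                          "violations": int(m[4]), "action": m[5]})
    return ports


def parse_address_table(text: str) -> List[Dict]:
    """Extract secure address rows; '-' means the entry does not age out."""
    rows = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            rows.append({"vlan": int(m[1]), "mac": m[2].lower(), "type": m[3],
                         "port": m[4], "age": None if m[5] == "-" else int(m[5]),
                         "inactivity": m[6] == "I"})   # (I) = inactivity aging
    return rows


def audit(ports: List[Dict], addrs: List[Dict]) -> List[str]:
    """Return human-readable findings in a stable order: per-port first, then addresses."""
    findings = []
    for p in ports:
        if p["violations"] > 0:
            findings.append(f"{p['port']}: {p['violations']} violation(s), action {p['action']}")
        if p["current"] >= p["max"]:
            findings.append(f"{p['port']}: secure address table full ({p['current']}/{p['max']})")
    dynamic: Dict[str, List[str]] = {}
    for a in addrs:
        if a["type"] == "SecureDynamic":          # not static, not sticky: lost on link-down
            dynamic.setdefault(a["port"], []).append(a["mac"])
    for port, macs in dynamic.items():
        findings.append(f"{port}: {len(macs)} dynamic address(es) not retained on link-down: "
                        + ", ".join(macs))
    return findings


def run() -> List[str]:
    return audit(parse_port_summary(SHOW_PORT_SECURITY),
                 parse_address_table(SHOW_PORT_SECURITY_ADDRESS))
```

On the constructed sample, `run()` flags Fa5/1 as full, Fa5/5 for its three violations, and the two dynamic entries on Fa5/1; the same functions work on live output pasted from the switch.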
- STP BPDU Guard
STP converts a meshed topology into a loop-free, tree-like topology. When the link on a bridge port comes up, an STP calculation occurs on that port. The result of the calculation is the transition of the port into the forwarding or blocking state, depending on the position of the port in the network and the STP parameters. This calculation and transition period usually takes about 30 to 50 seconds, during which no user data passes through the port; some user applications can time out in that period.
To allow immediate transition of the port into the forwarding state, enable the STP PortFast feature. PortFast transitions the port into STP forwarding mode immediately upon linkup.
This is desirable for ports connected to end-user devices, servers, or access points.
With BPDU Guard, when an unexpected BPDU is detected on a PortFast interface (for example, an end user plugs a switch into it), the port is shut down and enters the err-disabled state.
Configuration:
CatSwitch-IOS(config)# spanning-tree portfast bpduguard
When STP BPDU guard disables the port, the port remains in the disabled state unless the port is enabled manually. You can configure a port to re-enable itself automatically from the errdisable state. Issue these commands, which set the errdisable-timeout interval and enable the timeout feature:
CatSwitch-IOS(config)# errdisable recovery cause bpduguard
CatSwitch-IOS(config)# errdisable recovery interval 400
Note: The default timeout interval is 300 seconds and, by default, the timeout feature is disabled.
Best practice: enable BPDU Guard only on access ports (the ports that lead to end-user devices), so that devices on those ports cannot influence the spanning-tree topology.
- STP BPDU Filter
BPDU Filter, on the other hand, filters BPDUs in both directions, which effectively disables STP on the port: it prevents both inbound and outbound BPDUs. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
If a BPDU is received on a PortFast interface configured with BPDU Filter, the PortFast state is removed.
BPDU Filter can be used at the demarcation point between two layer 2 networks owned by two separate ISPs.
Configuration:
BPDU filtering can be enabled on a per-interface basis or globally. The commands are:
- globally - applies to all ports configured as "portfast"
spanning-tree portfast bpdufilter default
- per-interface
spanning-tree portfast bpdufilter enable
- STP Root Guard
The forwarding topology of the switched network is calculated using STP. The calculation is based on the root bridge position, among other parameters. Any switch can be the root bridge in a network, but a more optimal forwarding topology places the root bridge at a specific, predetermined location. With standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge; the administrator cannot enforce the position of the root bridge.
The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.
You must enable root guard on all ports where the root bridge should not appear. In effect, you configure a perimeter around the part of the network where the STP root is allowed to be located.
Configuration:
Cat-IOS(config)# interface fastethernet 3/1
Cat-IOS(config-if)# spanning-tree guard root
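The three guards above react differently to the same inbound BPDU, and the errdisable recovery timer only applies to one of them. The following added example models exactly the behaviour the sections above describe (BPDU guard err-disables a PortFast port on any BPDU; BPDU filter drops BPDUs in both directions and, per the text, strips PortFast when one arrives; root guard moves the port to root-inconsistent on a superior BPDU; errdisable recovery re-enables the port after the configured 400-second interval). It is not code from the page or from Cisco; the `StpPort` class, the function names and the state strings are this example's assumptions.

```python
"""Added example: a model of how PortFast, BPDU guard, BPDU filter and root
guard react to an inbound BPDU, plus errdisable recovery. Names are this
example's own; the 400-second interval is the one configured above."""
from dataclasses import dataclass
from typing import Optional

FORWARDING, ERRDISABLED, ROOT_INCONSISTENT = "forwarding", "errdisabled", "root-inconsistent"
ERRDISABLE_RECOVERY_INTERVAL = 400   # errdisable recovery interval 400 (IOS default 300)


@dataclass
class StpPort:
    name: str
    portfast: bool = False
    bpduguard: bool = False        # spanning-tree portfast bpduguard
    bpdufilter: bool = False       # spanning-tree portfast bpdufilter
    rootguard: bool = False        # spanning-tree guard root
    state: str = FORWARDING
    errdisabled_at: Optional[float] = None


def receive_bpdu(port: StpPort, superior: bool, now: float) -> str:
    """Apply the guards to an inbound BPDU and report what happened to the port."""
    if port.state == ERRDISABLED:
        return "dropped: port is err-disabled"
    if port.bpdufilter:
        # BPDU filter discards the BPDU; per the text, a BPDU arriving on a
        # PortFast interface with the filter also removes its PortFast state.
        port.portfast = False
        return "filtered"
    if port.portfast and port.bpduguard:
        # Any BPDU on a PortFast + BPDU guard port is unexpected: err-disable it.
        port.state = ERRDISABLED
        port.errdisabled_at = now
        return "err-disabled by BPDU guard"
    if port.rootguard and superior:
        # A superior BPDU would move the root; root guard blocks the port instead.
        port.state = ROOT_INCONSISTENT
        return "root-inconsistent: superior BPDU blocked by root guard"
    return "processed by STP"


def sends_bpdus(port: StpPort) -> bool:
    """BPDU filter suppresses outbound BPDUs as well as inbound ones."""
    return not port.bpdufilter


def errdisable_recovery(port: StpPort, now: float, recovery_enabled: bool = True) -> bool:
    """Re-enable an err-disabled port once the recovery interval has elapsed.

    With recovery disabled (the IOS default), the port stays down until an
    administrator re-enables it manually."""
    if (port.state == ERRDISABLED and recovery_enabled
            and port.errdisabled_at is not None
            and now - port.errdisabled_at >= ERRDISABLE_RECOVERY_INTERVAL):
        port.state = FORWARDING
        port.errdisabled_at = None
        return True
    return False
```

The ordering in `receive_bpdu` is the point: a port with BPDU filter never lets BPDU guard or STP see the BPDU at all, which is why the text warns that filtering is equivalent to disabling spanning tree on the port.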