Port Security helps secure any network by preventing unknown devices from forwarding packets. One can limit the number of MAC addresses on a given port. The ‘switchport security’ feature offers the ability to configure a switch port so that traffic is limited to a specific configured MAC address, or a list of MAC addresses, authorized to access the network through that port. This enables the individual ports to detect, prevent and log attempts by unauthorized devices.
Ports that are protected cannot forward traffic to other protected ports, regardless of VLAN membership. However, protected ports can forward traffic to unprotected ports. Unprotected ports can forward traffic to both protected and unprotected ports. Port protection is used to prevent two protected ports within the same VLAN from communicating with each other.
1.2 Configuring a port as protected port using CLI
Enter into the configuration mode after logging in to the switch through SSH or Telnet.
Switch>enable
Switch#configure terminal
Switch(config)#interface ge1/8 # Entering interface ge1/8 configuration mode
Switch(config-ge1/8)#switchport port-security protect # Configuring interface ge1/8 as protected port
Switch(config-ge1/8)#exit
Switch(config)#exit
Switch#write # Saving the configuration
Switch#show port-security protect # Display protected port information
To remove the protection from a particular port, enter its configuration mode and enter the following command:
Switch(config-ge1/8)#no switchport port-security protect
1.3 Configuring a port as protected port using web GUI
Access the web GUI, go to Port Configuration -> Protected Port, select the interface one wants to configure as a protected port and click on Protected Port. To make a protected port unprotected, select the particular port and click on Unprotected Port.
MAC Binding is assigning certain MAC addresses to a port so that traffic is allowed only from those mac addresses. This feature can protect your network from ARP poisoning attacks, in which hackers try to change the MAC address of their computers to match a real device on your network. One can also specify the number of mac addresses that can be learnt on, or bound to, an interface.
In web GUI, go to Port Configuration -> Learn Limit, choose the port one wants to configure and then specify a number beside ‘MAC Address Num Able To Learn:’. Here we have specified the limit on port ge1/6 as 3.
In CLI, the configuration is as follows:
Switch>enable
Switch#configure terminal
Switch(config)#interface ge1/5
Switch(config-ge1/5)#switchport port-security learn-limit 4
Switch(config-ge1/5)#exit
Switch(config)#exit
Switch#show port-security learn-limit
We are configuring the learn limit on port ge1/5 as 4.
An auto binding feature is also available, with which the port dynamically learns mac addresses up to the configured limit (if one is set). As shown below, since the limit is set to 3, it has learnt 3 mac addresses, and hence any device with a mac address other than these 3 will not be able to access the network through that port.
2.1. Configuring mac binding using web GUI
Go to MAC Binding -> MAC Binding Configuration, select the port one wants to do the binding on, specify the mac address of the device and the vlan ID it is in and click on Apply. The format in which one specifies the mac address is ‘hhhh.hhhh.hhhh’.
2.2. Configuring mac binding using CLI
In CLI, put the switch in configuration mode and enter the following commands.
Switch(config)#interface ge1/6
Switch(config-ge1/6)#switchport port-security mac-bind <mac_address> vlan <vlanID>
Switch(config-ge1/6)#exit
Switch(config)#exit
Switch#show port-security mac-bind
· In place of <mac_address> specify the mac address one wants to configure for mac binding.
· In place of <vlanID> enter the vlan ID.
We have configured c85b.763f.74fe as the mac address to port ge1/6 as shown below.
MAC Filtering is specifying the mac addresses from/to which traffic is blocked on a particular interface/port. It acts as a black list of mac addresses that are blocked from accessing the network. It is a security method based on access control and helps in preventing unwanted access to the network.
To configure MAC filtering in web GUI, go to MAC Filter -> MAC Filter Configuration, choose the port which one wants to configure, specify the mac address to be blocked (filtered), enter the vlan ID and click on Apply. The format for mac address entry is ‘hhhh.hhhh.hhhh’.
To configure MAC Filtering in CLI follow these steps/commands:
Switch>enable # Enter password if set
Switch#configure terminal
Switch(config)#interface ge1/5
Switch(config-ge1/5)#switchport port-security mac-filter <mac_address> vlan <vlanid>
Switch(config-ge1/5)#exit
Switch(config)#exit
Switch#write
Switch#show port-security mac-filter # This will display the list of filtered mac addresses
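As an added example that is not part of this guide or of the switch vendor's tooling, the following Python script generates the mac-bind and mac-filter interface commands shown in the two sections above from inventory entries: it normalises MAC addresses written in colon, hyphen, dotted or plain hex notation into the ‘hhhh.hhhh.hhhh’ format the switch expects, checks the VLAN ID range, and refuses a port whose bound MAC count exceeds its learn limit or that lists one MAC as both bound and filtered. The port names, MACs and VLAN numbers in it are constructed sample values.

```python
import re
from typing import List, Optional, Tuple

_HEX12 = re.compile(r"[0-9a-f]{12}")


def to_dotted(mac: str) -> str:
    """Normalise aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or
    aabbccddeeff into the hhhh.hhhh.hhhh form used by the switch CLI/GUI."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def is_valid_mac(mac: str) -> bool:
    """True if to_dotted() accepts the value (used for pre-checking inventory rows)."""
    try:
        to_dotted(mac)
        return True
    except ValueError:
        return False


def check_vlan(vlan: int) -> int:
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan}")
    return vlan


def port_security_commands(port: str, learn_limit: Optional[int],
                           bind: List[Tuple[str, int]],
                           filter_: List[Tuple[str, int]]) -> List[str]:
    """Emit the interface-mode commands for one port.
    bind: (mac, vlan) pairs allowed via mac-bind; filter_: pairs blocked via mac-filter."""
    if learn_limit is not None and len(bind) > learn_limit:
        raise ValueError(f"{port}: {len(bind)} bound MACs exceed learn-limit {learn_limit}")
    seen = set()
    lines = [f"interface {port}"]
    if learn_limit is not None:
        lines.append(f" switchport port-security learn-limit {learn_limit}")
    for keyword, entries in (("mac-bind", bind), ("mac-filter", filter_)):
        for mac, vlan in entries:
            dotted = to_dotted(mac)
            if dotted in seen:  # same MAC bound and filtered, or listed twice
                raise ValueError(f"{port}: {dotted} listed twice")
            seen.add(dotted)
            lines.append(f" switchport port-security {keyword} {dotted} vlan {check_vlan(vlan)}")
    lines.append(" exit")
    return lines


if __name__ == "__main__":  # constructed sample inventory for port ge1/6
    print("\n".join(port_security_commands(
        "ge1/6", 3, [("C8:5B:76:3F:74:FE", 10)], [("00-11-22-33-44-55", 10)])))
```

Paste the printed lines under `configure terminal`, then run `write` to save, as in the CLI sessions above.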