Port Security
To stop an attacker in his tracks, a mechanism called port security comes to the rescue. In its most basic form, port security ties a given MAC address to a port by not allowing any other MAC address than the preconfigured one to show up on a secured port. When port security initially shipped, users had to manually configure a permitted MAC address, a cumbersome and error-prone task.
Today, port security is more flexible and can listen for one or more MAC addresses before locking down access to only that or those dynamically learned MAC addresses. Dynamic and static configurations are also permitted. A violation occurs when the source MAC address of a frame differs from the list of secure addresses. At that point, three actions are possible:
• The port error-disables for a specified duration. (It can be unlimited, but if not, automatic recovery can be performed.) A Simple Network Management Protocol (SNMP) trap is generated.
• The port drops frames from unknown addresses (protect mode).
• The port drops frames from unknown addresses and increments a violation counter. SNMP trap generation is possible on some releases/Cisco switches (restrict mode).
On certain switches, port security can also be configured to stop unknown unicast floods from being broadcast off a port.
When a secured link goes down, MAC addresses that were associated with the port normally disappear. However, some switches (a Catalyst 6500 running a recent IOS release, for example) support sticky MAC addresses: when the port goes down, the MAC addresses that have been learned remain associated with that port. They can be saved in the configuration file.
The most common and recommended port-security setting is dynamic mode with one MAC address for ports where a single device is supposed to connect, with a drop action on violation (restrict action).
NOTE For IP Telephony configurations where a Cisco IP phone connects to the port and a PC connects to the IP phone, three MAC addresses should be allowed per secured port. The phone itself uses one MAC address, and so does the PC. This makes two addresses. Where does the third one come from?
The IP phone actually contains a processor connected to an internal switch. That processor uses a MAC address when it sends traffic. Shortly after booting, the IP phone attempts to discover (through the Cisco Discovery Protocol [CDP]) the voice and data VLAN mappings. To do so, the phone generates frames by using its MAC in the data VLAN, which is, at this point, the only VLAN of which the phone is aware. Therefore, the switch temporarily sees three MAC addresses on the port.
38 Chapter 2: Defeating a Learning Bridge’s Forwarding Process
Example 2-10 shows a sample configuration and what can be expected from it if an attack occurs.
Example 2-10 Port-Security Settings (Catalyst 6500)
6K-2-S2# show port-security interface f8/4
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Maximum MAC Addresses : 3
Total MAC Addresses : 3
Configured MAC Addresses : 0
Last Source Address : 4428.6d15.b219
Security Violation Count : 9
Three dynamic addresses are permitted, and three have been secured (through addresses that were gleaned from incoming traffic). If you look at the bridging table for interface F8/4 in Example 2-11, however, you notice something probably unexpected if you are unfamiliar with port security.
Example 2-11 Displaying Addresses Learned from a Port
6K-2-S2# show mac-address-table interface f8/4
Legend: * - primary entry
vlan   mac address      type     learn  ports
------+----------------+--------+-----+--------------------------
*   20  b88c.0f06.6cb4   static   Yes   Fa8/4
*   20  7235.1b19.d3e6   dynamic  Yes   Fa8/4
*   20  f492.f751.fab6   static   Yes   Fa8/4
*   20  52dd.c278.1203   dynamic  Yes   Fa8/4
*   20  9ef8.3070.8e9e   dynamic  Yes   Fa8/4
*   20  a2e2.ba2b.6c18   static   Yes   Fa8/4
*   20  68dc.ce6e.be5d   dynamic  Yes   Fa8/4
There are more than three addresses off that port! How can this be? Note that the switch marks only three addresses as static. Those are the secure addresses that port security learned dynamically. Traffic from any other address is simply discarded; a special bit is used internally for that purpose, and the show mac-address command unfortunately does not display it. The show port-security address command verifies that the static addresses match those registered by port security, as shown in Example 2-12.
Example 2-12 Displaying Secured Addresses Only
6K-2-S2# show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan  Mac Address      Type           Ports  Remaining Age (mins)
----  ---------------  -------------  -----  --------------------
20    a2e2.ba2b.6c18   SecureDynamic  Fa8/4  -
20    b88c.0f06.6cb4   SecureDynamic  Fa8/4  -
20    f492.f751.fab6   SecureDynamic  Fa8/4  -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 2
Max Addresses limit in System (excluding one mac per port) : 1024
6K-2-S2#
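The three violation actions listed earlier and the difference between the bridging table (Example 2-11) and the secure address table (Example 2-12) can be reproduced in a small model. This is an added example, not code from the book or from Cisco IOS; the class, its method names and the SNMP trap log are constructed, and the MAC addresses reused below are the ones shown in Example 2-11.

```python
"""Constructed model of the port-security behaviour described above (added
example, not code from the book or Cisco IOS): a port learns up to `maximum`
secure MACs, then applies the violation action (shutdown, protect, restrict)
to any other source MAC, while a separate bridging table mimics Example 2-11."""


class SecurePort:
    def __init__(self, maximum=1, violation="restrict", sticky=False):
        self.maximum = maximum          # "Maximum MAC Addresses" in Example 2-10
        self.violation = violation      # "shutdown", "protect" or "restrict"
        self.sticky = sticky            # keep learned MACs across link-down
        self.secure = []                # dynamically learned secure MACs
        self.bridging = {}              # MAC -> "static" | "dynamic" (Example 2-11)
        self.violations = 0             # "Security Violation Count"
        self.traps = []                 # constructed SNMP trap log
        self.status = "Secure-up"

    def receive(self, src_mac):
        """Handle one incoming frame; True if forwarded, False if dropped."""
        if self.status == "Secure-shutdown":
            return False                # err-disabled port drops everything
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.append(src_mac)
            self.bridging[src_mac] = "static"   # secured MACs show as static
            return True
        # Violation: the secure list is full and src_mac is not in it.
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"
            self.traps.append(f"shutdown: {src_mac}")
        elif self.violation == "restrict":
            self.violations += 1
            self.traps.append(f"restrict: {src_mac}")
        # protect mode drops silently. The offending MAC still lands in the
        # bridging table as a dynamic entry, as Example 2-11 shows for restrict
        # mode (assumption: same for protect).
        self.bridging.setdefault(src_mac, "dynamic")
        return False

    def link_down(self):
        """Secure MACs are forgotten on link-down unless sticky is configured."""
        if not self.sticky:
            self.secure = []
        self.bridging = {m: "static" for m in self.secure}

    def secure_table(self):
        """Rows of 'show port-security address' (Example 2-12 view)."""
        return [(m, "SecureDynamic") for m in sorted(self.secure)]
```

Feeding the three secured MACs and then nine frames from the four rogue MACs of Example 2-11 yields a violation count of 9, seven bridging entries of which three are static, and a secure table matching Example 2-12.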
Not all hardware platforms react similarly when handling a MAC flooding attack using port security. For example, during a heavy attack and with the action on violation set to restrict or protect (no suspension of the port), a Catalyst 6500 equipped with a Supervisor Engine 1 or 2 might become unresponsive when commands related to the bridging table are executed (show mac-address dynamic and so on). A quick look at the supervisor engine shows the results in Example 2-13.
Example 2-13 CPU Utilization Because of Port Security
6K-2-S2-sp# show proc cpu | incl Port-S
119 169420 275628 614 15.01% 11.21% 5.81% 0 Port-Security
6K-2-S2-sp#
The high CPU utilization condition is caused by port security being faced with a massive flow of incoming frames using random source MAC addresses. Learning and filtering traffic from those random MAC addresses is performed by a software task running on the control plane, and as such, it uses CPU cycles. A Catalyst 6500 equipped with a Supervisor Engine 720 does not exhibit this symptom because it ships with a built-in hardware-based rate limiter that prevents more than a few thousand packets per second from hitting the control plane.