
CCNP Security (SENSS) - PORT SECURITY - Lesson # 03


PC1 and PC2 are connected to the switch and can communicate without any interruption. There is no delay in the network. The switch knows the MAC addresses of both PCs and the network connection is working smoothly.

Now let’s say a Kali box is plugged into a switch port and sends a flood of bogus MAC addresses to the switch. For testing port security we used a Kali box, but you can use any device that can send bogus MAC addresses to the switch. Here Kali uses the ‘MACOF’ utility to send those MAC addresses. Now the switch is receiving thousands of MAC addresses. When it receives so many MACs it cannot remember them all: the CAM (Content Addressable Memory) table in the switch cannot hold that many MAC addresses. The switch goes into an unknown state and forwards the frames out all other ports.

When the switch forwards the frames of a VLAN out to the other ports, the Kali box can see all the frames in that VLAN, because the switch is forwarding them to every port in the same VLAN. This is a CAM table overflow attack. So, how do we defend against this attack? Let’s see.

Port security. We can limit the MAC addresses allowed on a switch port. Let’s say we configure the limit as 5. Once the switch port has learned 5 MAC addresses and that limit is exceeded, we can take action. These violation actions are P/R/S/S (Protect, Restrict, Shutdown, Shutdown VLAN). The default maximum number of MAC addresses is one. We can configure the options below by enabling port security.

Protect – The switch will memorize only the first 5 MAC addresses. After that it will not memorize any other MAC address arriving on the switch port. But we cannot notice when this happens, because the PROTECT option does not generate any syslog or SNMP messages. No alerts, but the job is done. Normally we don’t use protect as a violation action, because we want to know when a violation happens.

Restrict – Does the same thing as protect but also sends alerts. However, not all switches support all of these features; it depends on the hardware.

Shutdown – This is the default behavior. When the limit is configured as 5 and the port receives a 6th MAC address, the switch port will shut down. It also generates alerts.

Shutdown VLAN – The last option is also a shutdown, but instead of the interface it shuts down the VLAN.

In port security we have three modes for learning MAC addresses (dynamic, static, sticky):

  • Dynamic – The switch port learns the MAC address dynamically when a device is connected to the port.
  • Static – We can hardcode the MAC address of the device that is going to connect to the switch port. If port security is enabled and a static address is configured, then as soon as a frame arrives with another MAC address, the switch port takes action because of the security violation. But we have a problem when there are 100 devices in the network: it is not practical to configure all 100 statically. We cannot configure every MAC address in the switch by hand. When we configure this, it is stored in the running-config. Then we use WR to copy the running config into the startup config, so the static MAC addresses are copied into the startup config, i.e. stored in the NVRAM of the switch.
  • Sticky – If we have 100 PCs, it is not practical to configure all the MAC addresses. When sticky is configured under port security, the switch learns the MAC addresses dynamically and puts them into the running config. Then we can save it into the startup config. Once the switch reboots, it still knows all those MAC addresses because they are in the startup config.


We can set port security on an access or a trunk port, but the port must be a static access port or a static trunk port. Port security does not work on a port in dynamic mode; the port must be set explicitly to work as either an access port or a trunk port.

When configured on a trunk, many MAC addresses will pass through that trunk. Here we can configure port security per VLAN using the vlan keyword: we can limit the MAC addresses coming in on the trunk port as a whole, or apply a limit to one VLAN whose frames pass through the trunk port.

We have another option called aging. For dynamically learned MACs, we can set how long a MAC address stays secured on the port before it is aged out. If we want to age those MACs out of the CAM table, we have two additional options: an inactivity timeout and an absolute timeout.
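Pulling the options above together, here is an added Cisco IOS configuration example that is not from the original lesson: one access port using sticky learning with restrict, one access port with a single static MAC and the default shutdown action, one dynamically learning port with inactivity aging, and one trunk with a per-VLAN limit. The interface names, VLAN numbers, limits and the MAC address are assumptions chosen for the example.

```cisco
! --- Access port for PC1: learn up to 5 MACs sticky, alert (but stay up) on violation ---
interface GigabitEthernet0/1
 description PC1 (hypothetical port assignment)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! --- Access port with one hardcoded MAC; default action shutdown (err-disable) ---
interface GigabitEthernet0/2
 description printer (hypothetical)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.2233.4455
!
! --- Dynamically learning port: secure MACs age out after 10 idle minutes ---
interface GigabitEthernet0/3
 description hot-desk (hypothetical)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
! (use "aging type absolute" for a fixed lifetime instead of an idle timer)
!
! --- Trunk: must be a static trunk (no DTP) for port security to apply ---
interface GigabitEthernet0/24
 description uplink to access switch (hypothetical)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 50
 switchport port-security maximum 20 vlan 10
 switchport port-security violation shutdown
! on platforms that support it, "violation shutdown vlan" shuts only the offending VLAN
!
! --- Bring err-disabled ports back automatically after 5 minutes ---
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Save so sticky/static addresses survive a reboot (same as "wr") ---
! copy running-config startup-config
!
! --- Verification ---
! show port-security
! show port-security interface GigabitEthernet0/1
! show port-security address
! show mac address-table count
```

The "switchport trunk encapsulation dot1q" line is only required on platforms that also support ISL and must be set before "switchport mode trunk"; on switches that only do 802.1Q it is not accepted and can be left out. The per-VLAN maximum on the trunk must not exceed the port-level maximum. "show port-security" is the quickest way to confirm the violation count and whether a port is secure-shutdown, which is what you want to watch for in syslog or SNMP when using restrict or shutdown.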
