If you take care of the computer network at your job, you can make it safer by using Port Security on Cisco devices. This feature gives you the authority to decide which devices can connect to each switch port. So, you only let the company’s own computers join the local network.
It’s essential to stay safe today, when we use technology a lot and face risks online. In addition to keeping network computers safe, other measures are needed to keep everything secure. One easy one is to stop people who shouldn’t be on the LAN from getting onto it at all. In this article, we’ll talk about what Cisco Port Security is and what it can do.
What is Cisco Port Security, and What Does It Do?
Thanks to Cisco Port Security, you restrict which devices can connect to a Switch port, based on their MAC addresses. By limiting the number of these addresses, you control access to your network. In practice, you associate the MAC address of an authorized device with the Switch’s port.
In this case, a user wanting to connect to the network would only use the port assigned to them. In short, the user connects their device to their designated connection point. At this stage, the switch checks the MAC address against the authorized MAC address list. If the MAC ID is not on the list, the Cisco Switch does not allow the device to connect.
By understanding what port security is, you can create a super safe network. Usually, any computer connected to a switch can quickly get onto the LAN. But for safety, there are better ideas than this. That’s why we suggest turning on the interface security feature on switches that you can control.
Why Should I Use Cisco Port Security?
When you know what Port Security is, you can make your topology robust and secure. Generally, any PC connected to the Switch can quickly join the LAN. But to stay safe, don’t let devices join the LAN automatically. So, I recommend you turn this on on your Cisco Switches.
Next, you can stop a kind of trick called MAC address spoofing. In this trick, attackers change their own device’s MAC address so that it looks like one of your approved devices. This is a way they try to get around the security in your topology. Basically, the Cisco Switch’s port security helps you say no to these tricky moves with MAC addresses.
It’s essential to close ports that are not in use to stop the users from getting into a network without permission. Also, make sure to turn on the security feature for the active interfaces.
Think of it this way: it takes work to keep things secure on a large LAN. You need to look at every weak point and fix it. Sometimes there are people from outside trying to get in whom you have never allowed in. In this case, they can plug their malicious computers into a Switch in your topology and cause problems.
How Does Port Security Work on a Switch?
Port Security works on the second layer of the OSI model. At this layer, it puts restrictions based on MAC addresses.
Imagine setting a restriction on a connection point of the Cisco Switch using the port security feature. When someone plugs an unauthorized computer into that port to connect it to the LAN, the Switch blocks it. In simple terms, users only need to plug their cable into the port they are allowed to use.
Let me show you how Cisco Port Security works:
- Watching MAC Addresses
First, it keeps an eye on the unique IDs (MAC addresses) of devices connected to the port. Each device has its unique ID on the LAN.
- Learning Mode
At this stage, it starts learning mode. In this mode, it monitors the traffic passing through the port. It then learns the source MAC addresses of the frames that arrive on the port.
- Setting a Limit on the Number of Addresses
The manager decides how many MACs each connection point can have. Thus, it stops many devices from using the same port at once.
- Secure MAC Address List
Now, the admin makes sure a device can connect by checking if its MAC address matches the list they set up for specific PCs.
- Modes of Violation
After that, if the Switch sees a MAC address that is not allowed on the port, it goes into violation mode. There are three modes: Protect, Restrict, and Shutdown.
- Event Log and Alerts
Lastly, if it catches someone trying to get in without permission, it logs the event and raises an alert.
What are the Violation Modes of Port Security?
- Protect Mode
- This is the Protect mode you turn on to keep a Switch port secure. When an unauthorized machine tries to connect to a secured port, its traffic is dropped. In short, you may prefer this as it is effective in preventing access.
- But, if there’s an issue with the connection of an approved device on the topology, you might run into problems when trying to do something. In simple terms, if you often move devices between ports, it messes up how the LAN works.
- Restrict Mode
- You can choose the restrict mode for rules that are not as strict as the protection mode. In this mode, an unauthorized device can access the Switch’s interface and get on the network. But, if you establish a limit on the Switch for how many times this can occur, it triggers restrict mode upon reaching that limit.
- So, at this point, the restrict mode shuts down the interface. Basically, you can prefer this mode to ensure the LAN stays available and safe. Thus, you strike a balance between the LAN working well and staying secure, but only after a specific limit.
- Shutdown Mode
- This mode is the strictest rule you can use. You can only connect a device to the Switch’s interface if it has a secure MAC address you define. In this case, as soon as an unauthorized person connects their device, shutdown mode immediately closes that connection point. It also shows a warning message on the Switch’s console.
- We suggest using the Shutdown mode to make sure things are super safe.
What are the MAC Address Learning Modes?
The port security on Cisco Switches comes in three different modes:
- Static: you type in the MAC addresses of the equipment you want to allow onto the LAN.
- Dynamic: it learns device addresses by itself. We use this when users frequently connect and disconnect from the network.
- Sticky: it’s a bit like dynamic mode. But, in contrast, it keeps the MAC addresses it learns bound to the Cisco switch port permanently.
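To see how the learning modes and the violation modes in the two sections above fit together, here is a small simulation of one secured port. This is an added example written for this article, not Cisco code: the class, its method names and the MAC addresses are constructed, and the behaviour (dynamic entries forgotten on link down, sticky and static entries kept, protect mode dropping silently without a counter, shutdown mode putting the port in err-disabled) follows the descriptions on this page.

```python
"""Simulation of Cisco port-security decision logic (added example, not Cisco code).

Models one switch port with a maximum secure-address count, an address learning
style (static entries plus dynamic or sticky learning) and a violation mode
(protect, restrict or shutdown). All MAC addresses used are constructed.
"""
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'; return Cisco form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


@dataclass
class SecurePort:
    maximum: int = 1                  # switchport port-security maximum <n>
    violation: str = "shutdown"       # protect | restrict | shutdown
    sticky: bool = False              # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)    # configured by the admin
    sticky_macs: set = field(default_factory=set)    # learned, survive link flaps
    dynamic_macs: set = field(default_factory=set)   # learned, lost on link down
    err_disabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        self.static_macs.add(normalize_mac(mac))

    def secure_count(self) -> int:
        return len(self.static_macs | self.sticky_macs | self.dynamic_macs)

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame. True if it is forwarded, False if dropped."""
        mac = normalize_mac(src_mac)
        if self.err_disabled:
            return False              # port is down: even authorized devices are cut off
        if mac in self.static_macs or mac in self.sticky_macs or mac in self.dynamic_macs:
            return True               # already a secure address on this port
        if self.secure_count() < self.maximum:
            (self.sticky_macs if self.sticky else self.dynamic_macs).add(mac)
            return True               # learned as a new secure address
        return self._violation(mac)

    def _violation(self, mac: str) -> bool:
        if self.violation == "protect":
            return False              # silent drop: no counter, no log entry
        self.violation_count += 1
        self.syslog.append(f"security violation: unexpected source {mac}")
        if self.violation == "shutdown":
            self.err_disabled = True  # port goes err-disabled until an operator recovers it
        return False

    def link_down(self) -> None:
        """Dynamic addresses are forgotten; static and sticky addresses survive."""
        self.dynamic_macs.clear()

    def recover(self) -> None:
        """Operator clears the err-disabled state (shutdown, then no shutdown)."""
        self.err_disabled = False
```

Running the same sequence of frames against a port in each mode shows the trade-off the article describes: shutdown mode also cuts off the legitimate device until `recover()` is called, restrict mode keeps the port up and records each offending frame, and protect mode keeps the port up but leaves no trace for the operator.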
What are the Pros and Cons of Cisco Port Restriction?
Pros
- Stopping People from Getting in Without Permission
The main benefit is stopping unauthorized people from getting into your private or work network. That is, it kicks in when a device connects to a port that you set up with an approved MAC address. If the device’s MAC address isn’t in the secure address list, the Switch quickly detects this and shuts down the interface.
- Making the Network Work Better
Let’s say you have unauthorized devices on your network. If they are present, they also consume a lot of bandwidth. They might even slow the network down by sending malicious traffic. So, having port restriction is good because it keeps the LAN working well.
- Simple to Take Care Of
Turning this feature on or off on Switch equipment is simple. In this case, you can control your entire structure from one place. Plus, you can check the devices connected to it. To get the hang of it, practice setting up Port Security with Packet Tracer.
- Better Understanding of Your LAN Area
You see your network better by deciding who can use each socket. Basically, you can easily watch which devices connect to your switches. Thus, this makes it faster to find and fix any problems with the LAN.
Cons
- Limits on Special IDs (MAC Addresses)
The Cisco port security feature uses MAC records to recognize devices. But malicious actors can fake these values and still gain access to your LAN. Plus, the Cisco Switch can only store a certain number of MACs. So, in vast networks, this can cause issues.
- Wrong Processes
The Switch may wrongly close or limit an interface for a device that is actually allowed. The people who use those devices, such as employees, won’t like this much. It also means that the people who run the network have to spend time fixing these problems.
- Not So Much Protection
This thing helps with network safety, but more is needed. It stops unauthorized access, but it doesn’t guard against all sorts of problems. So, it can’t protect against things like harmful software or tricky attacks. That’s why it’s wise to use other safety methods along with this one for protection.
- More Working Load
Handling socket permissions is simple. But, of course, it adds a bit of work for the device. After all, it’s good to make sure the list of approved MAC addresses is always current.
The Commands of Port Security
The simple commands for making Cisco’s Port Security work on equipment using IOS are:
- Turning on Port Security
Most equipment doesn’t protect their sockets by default. But with the command below, you can turn on this great feature.
switchport port-security
- Setting the Maximum Number of MAC Addresses to Learn
This command sets the maximum number of MAC addresses an interface can learn. The number can be anywhere from 1 to 3072, and it is 1 by default.
switchport port-security maximum <max_count>
- Adding a Specific MAC Address to the Switch
With this command, you can add any specific address you want to the trusted MAC list.
switchport port-security mac-address <mac_address>
- Choose What Happens When There’s a Violation
You can use this command to choose what to do when there’s a problem. For instance, if you pick “protect,” it drops packets during a violation. If you go with “restrict,” it drops packets but also creates a log record. Lastly, if you choose “shutdown,” it closes the port straight up during a violation.
switchport port-security violation {protect | restrict | shutdown}
- Decide How Long MAC Addresses Stay Valid
With this, you can decide how long the Switch sees MAC addresses as valid.
switchport port-security aging time <seconds>
- Stopping Wrong MAC Packets
This sets a rate limit, in packets per second, for frames that arrive with an invalid source MAC address.
switchport port-security limit rate invalid-source-mac <packets_per_sec>
- Setting Up Port Security Again
You wipe out all the port permission settings you’ve made on a specific interface.
clear port-security interface <interface_name>
Show Commands
- Checking the Statistics for a Certain Port
Use this command to see what MAC addresses the Cisco Switch has learned, any violations, or other info.
show port-security interface <interface_name>
- Checking the Information of All Ports on the Switch
The command below shows the Switch settings on all interfaces.
show port-security
- Looking at Secure MACs
Use this to find the list of all secure MACs for devices you allow on the Switch.
show port-security address
- Checking the Record
You can use the relevant command to examine the record of what is happening on the socket. In particular, you check whether there are any security issues.
show port-security interface <interface_type> <interface_number> status
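The show commands above are where a violation first becomes visible to the operator. The following parser, an added example and not Cisco code, reads the summary table printed by `show port-security` and picks out the ports that deserve a look. `SAMPLE` is a constructed output in the layout of that command; the port names and counters in it are made up, and the "needs attention" rules (any violation counted, or a port in protect mode, which counts nothing) are this example’s own choice.

```python
"""Parse the summary table of 'show port-security' (added example, not Cisco code).

SAMPLE is constructed in the layout of that command's output; the ports and
counts are made up for this example.
"""
import re

SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            1                  3         Restrict
      Fa0/3              2            2                  1         Shutdown
      Fa0/4              1            0                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One table row: port, max, current, violation count, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Protect|Restrict|Shutdown)\s*$")
TOTAL = re.compile(r"^(Total Addresses in System|Max Addresses limit in System).*:\s*(\d+)")


def parse_summary(text: str) -> list:
    """Return one dict per secure port; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "port": m.group(1),
                "maximum": int(m.group(2)),
                "current": int(m.group(3)),
                "violations": int(m.group(4)),
                "action": m.group(5).lower(),
            })
    return rows


def system_totals(text: str):
    """Return (addresses in use, system-wide limit) from the trailing lines."""
    totals = {}
    for line in text.splitlines():
        m = TOTAL.match(line)
        if m:
            totals[m.group(1)] = int(m.group(2))
    return totals.get("Total Addresses in System"), totals.get("Max Addresses limit in System")


def needs_attention(rows: list) -> list:
    """Ports an operator should check: violations were counted, or protect mode hides them."""
    flagged = []
    for r in rows:
        if r["violations"] > 0:
            flagged.append((r["port"], f"{r['violations']} violation(s), action {r['action']}"))
        elif r["action"] == "protect":
            flagged.append((r["port"], "protect mode drops frames silently; violations are not counted"))
    return flagged


if __name__ == "__main__":
    for port, reason in needs_attention(parse_summary(SAMPLE)):
        print(f"{port}: {reason}")
```

The system-wide limit on the last line is the same constraint the Cons section mentions: a Switch can only hold a certain number of secure addresses, so the totals are worth watching on large networks as well as the per-port counters.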
A Sample Setup
You can activate this feature with the switchport port-security command in Global mode in the CLI command prompt. Also, you need to adjust the way your device behaves in the event of a breach.
- Switch# config terminal – (Switch to Global Configuration Mode.)
- Switch(config)# interface FastEthernet 0/1 – (Select the port you want to set up.)
- Switch(config-if)# switchport port-security – (Enable the port security feature on this interface.)
- Switch(config-if)# switchport port-security maximum 1 – (Allow at most one device on this port.)
- Switch(config-if)# switchport port-security mac-address sticky – (Make learned MAC addresses persistent.)
- Switch(config-if)# switchport port-security violation shutdown – (If there’s a violation, shut down the port right away.)
In short, you’ve adjusted the Port permissions on FastEthernet0/1. Only one MAC address accesses the network through this interface. You’ve also set it up to remember the MAC address as Sticky. If there’s a violation, the PC linked to this port won’t be able to get on the LAN. So, the FastEthernet interface will close itself down because of the violation.
NOTE: You can turn the violated port back on by using the “no shutdown” command from its interface configuration. That clears the violation state, and the port becomes usable again once it is re-enabled.
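Once a setup like the one above is rolled out to many ports, the practical question is whether every active access port actually got it. The script below is an added example, not Cisco code or a Cisco tool: it parses a running-config excerpt and reports active access ports with no port security, a maximum above a chosen threshold, or the protect violation mode. `SAMPLE_CONFIG` is constructed for this example, the `MAX_ALLOWED` threshold of 2 is an assumption, and so is the choice to skip trunk ports and administratively shut ports.

```python
"""Audit a running-config for port-security coverage (added example, not Cisco code).

SAMPLE_CONFIG is a constructed running-config excerpt. MAX_ALLOWED and the
rule that only active access ports are checked are assumptions of this example.
"""
import re

MAX_ALLOWED = 2   # assumption: more secure addresses than this on one access port is suspicious

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 description unused
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each interface name to the stripped lines of its configuration block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None            # '!' or a global command ends the block
    return interfaces


def audit_port_security(config: str) -> list:
    """Return (interface, finding) pairs for active access ports that miss the recommended setup."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines or "shutdown" in lines:
            continue                  # trunks and administratively closed ports are out of scope
        if "switchport port-security" not in lines:
            findings.append((name, "port-security not enabled on an active access port"))
            continue
        for entry in lines:
            m = re.match(r"switchport port-security maximum (\d+)$", entry)
            if m and int(m.group(1)) > MAX_ALLOWED:
                findings.append((name, f"maximum {m.group(1)} exceeds {MAX_ALLOWED}"))
            if entry == "switchport port-security violation protect":
                findings.append((name, "violation mode protect drops frames without logging"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_port_security(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

The shut port FastEthernet0/4 produces no finding on purpose: an unused port that is administratively down is already in the state the article recommends for ports not in use.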
You should see how the sample setup works in the virtual lab. If so, you can check out our YouTube video to understand Port Security better.
Frequently Asked Questions About Port Security (FAQ)
- What is Cisco Port Security?
- How does Port Security work?
- What are the benefits of using this feature?
Conclusion
In short, Cisco recommends using Port Security. It keeps your network safer from outside dangers. It’s good for you to understand what this security measure is and what it does. If you’re part of an organization, it helps lower the risk of MAC spoofing attacks. As a result, you can cut down on threats from both inside and outside.
As time goes on, the need for network security stays crucial. In this ever-changing process, it’s vital to keep up with evolving threats and to update and adjust your configuration regularly. By taking such precautions on Cisco or other devices, you reduce risks and keep a safe LAN. In conclusion, you do your part to stay firm against new dangers.