
Port Security in Computer Network

Author : PyNet Labs
Last Modified: November 25, 2023 

Introduction

With port security, network administrators can limit which devices can connect to which ports on a router or switch. It can stop unauthorized devices from accessing your network and compromising its safety and functionality. As a component of the CCNA course, port security is a subject of particular importance. For more information, simply follow the link provided.

In this blog, we will discuss the basic meaning of port security and how port security works, with the help of a lab topology. Before getting into the details, let's first understand what port security really is.

What is Port Security?

Port security is based on the concept of MAC address filtering. The MAC address is a unique identifier assigned to each network interface card (NIC) by the manufacturer. Port security allows the network administrator to specify which MAC addresses can access a particular port and how many devices can connect to that port at a time.

Port security can be configured in two modes: static and dynamic.

In static mode, the network administrator manually enters the MAC addresses of the authorized devices for each port.

In dynamic mode, the keyword "sticky" is added to the command so that the switch learns MAC addresses dynamically on the port where port security is configured: the source MAC address of the first frame received on that interface is automatically bound to it. The network administrator can limit how many MAC addresses can be learned per port.

Now that we have discussed what port security is, let's take a look at how it works.

How Does Port Security Work?

A switch is a layer 2 device that stores the MAC addresses of connected clients. To verify this, we have a lab ready; have a look at the topology given below.

[Figure: lab topology used to show how port security works]

We have one switch with five clients connected to it, and the clients' MAC addresses are also shown on the topology.

Let's look at the MAC table inside the switch using the command:

Switch#show mac address-table

[Figure: output of show mac address-table]

If you want to see how many MAC addresses in total your switch can store in the CAM table, there is a command to verify that as well:

Switch#show mac address-table count

[Figure: output of show mac address-table count]

By default, all interfaces on Cisco switches are enabled. That means an attacker can connect to your network through any unused port and potentially threaten it. If you know which devices will be connected to which ports, you can use the Cisco security feature called port security.

By using port security, a network admin can bind a specific MAC address to an interface, which prevents an attacker from connecting his device. This is how you restrict access to an interface so that only authorized devices can use it. If an unauthorized device is connected, you decide what action the switch takes, for example discarding the traffic, or shutting the port down and putting it in the err-disabled state.

Port Security adds an additional layer of security to the switching network.

Let's take a scenario to understand the concept of port security in more detail.

Suppose an attacker is inside your LAN and has connected to your switch through a port that is not in use. Using an operating system such as Kali Linux, the attacker can send the switch many frames carrying fake source MAC addresses, and the switch will store each of those MAC entries in its CAM table.

Suppose your switch's CAM table has room for 100 MAC entries. Using the fake frames, the attacker fills the MAC table, and once the table is completely full the switch starts acting like a hub: it can no longer learn the addresses of legitimate hosts, so frames it receives are flooded to the whole network, which allows the attacker to capture the traffic and see what is going on inside the network.

This is what we call a MAC table overflow attack, and preventing this type of attack is one of the jobs of port security.

Port security allows you to limit the number of MAC addresses on an interface. With port security you set how many MAC addresses a port may learn, and you can also fix a port to a static MAC entry.

Role of Port Security in Networking

Port security can provide several benefits for network security and performance, such as:

  • Preventing the ability of unauthorized devices to access protected network information and resources.
  • Keeping malicious software and viruses out of the network by blocking access from unapproved devices.
  • Preventing unauthorized devices from consuming bandwidth or causing congestion on the network.
  • Preventing spoofing and impersonation by unauthorized network devices.
  • Eliminating network loops and broadcast storms caused by malicious devices.

Port security assists network administration and troubleshooting by showing which devices are connected to which ports and detecting any topological changes or anomalies.

Port Security Violation Types

Port security violation types are the actions the switch takes when a device that is not allowed tries to use a switch port configured with port security. Port security has three violation parameters:

  1. Shutdown
  2. Protect
  3. Restrict

Let’s understand each port security violation in detail.

Shutdown

When any unauthorized device tries to connect to a port configured with the shutdown violation mode, the port immediately goes into the err-disabled state. Shutdown is also the default violation mode.

To configure shutdown, go to the switch CLI and run the following commands:

Switch>enable
Switch#configure terminal
Switch(config)#interface fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address 0030.A3C4.C9C7

(This command statically assigns the MAC address to interface fa0/1; the next command sets the shutdown violation mode.)

Switch(config-if)#switchport port-security violation shutdown

Now, to verify the port security status on interface fa0/1, run the following command:

Switch#show port-security interface fa0/1

[Figure: output of show port-security interface fa0/1]

Now, if an attacker tries to access this interface, the port will automatically go into the err-disabled state, which means it is shut down. To bring the port back up you have to go into the interface configuration, run shutdown, and then run no shutdown.

FastEthernet0/1 is down, line protocol is down (err-disabled)

[Figure: interface status after the shutdown violation]
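The verification step above is easy to read for one port by eye, but on a real switch you want to check every port-security interface the same way. The script below is an added example (not code from the original post) that parses the Key : Value layout of show port-security interface into a dict and reports the findings an operator acts on: a port that has been err-disabled by a violation (Port Status of Secure-shutdown), a non-zero violation count, and a port left in protect mode, which keeps no count at all. The sample output is constructed to follow the shape of that IOS command and is not a capture from the post's lab.

```python
from typing import Dict, List

# Constructed sample in the shape of 'show port-security interface' output.
# It is an added example, not output captured from the post's lab switch.
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0200.1234.5678:1
Security Violation Count   : 1
"""


def parse_port_security(text: str) -> Dict[str, str]:
    """Turn the 'Key : Value' lines into a dict; keys keep their IOS spelling."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        # Split on ' : ' (space, colon, space) so the colon inside the
        # 'Last Source Address:Vlan' key is left alone.
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_port(interface: str, text: str) -> List[str]:
    """Return the findings an operator would act on for one interface."""
    f = parse_port_security(text)
    findings: List[str] = []
    if f.get("Port Security") != "Enabled":
        return [f"{interface}: port security not enabled"]
    if f.get("Port Status") == "Secure-shutdown":
        # Shutdown mode put the port in err-disabled; it stays down until
        # someone runs shutdown / no shutdown on it.
        findings.append(f"{interface}: err-disabled by a violation, "
                        f"last source {f.get('Last Source Address:Vlan')}")
    if int(f.get("Security Violation Count", "0")) > 0:
        findings.append(f"{interface}: {f['Security Violation Count']} violation(s) counted")
    if f.get("Violation Mode", "").lower() == "protect":
        # Protect drops silently: no counter, no syslog, no SNMP trap.
        findings.append(f"{interface}: protect mode keeps no violation count and sends no alert")
    return findings


if __name__ == "__main__":
    for finding in audit_port("fa0/1", SAMPLE_OUTPUT):
        print(finding)
```

Feed the function the text of the command for each interface (the post shows one port; a loop over the interfaces of interest is the obvious extension) and treat an empty list as a clean port.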

Protect

The port is allowed to stay up. Once the port reaches its MAC address limit, it stops learning MAC addresses. Frames that violate the limit are dropped, but no record of the violation is kept.

With the protect violation mode, when an attacker tries to connect to an interface configured with protect, the port stays up, but the attacker won't be able to communicate inside the LAN: the switch stops learning the MAC address and drops the frames.

To configure port security with protect, use the following commands:

Switch>enable
Switch#configure terminal
Switch(config)#interface fa0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky

With the sticky keyword we have enabled automatic assignment of the MAC address to interface fa0/2: after this command, the source MAC of the first frame received on interface fa0/2 will stick to that interface.

Switch(config-if)#switchport port-security violation protect

[Figure: show port-security interface fa0/2 with the protect violation mode]

Verify the MAC entries as well:

[Figure: MAC address table showing the sticky entry on fa0/2]

The last violation parameter for port security is restrict, which is the most commonly used.

Restrict

It is similar to protect: a switchport configured with restrict also won't go into the err-disabled state; it just drops the frame, and the port is allowed to stay up. The difference is that restrict keeps a count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.

To configure restrict:

Switch>enable
Switch#configure terminal
Switch(config)#interface range fa0/3-4
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security mac-address sticky

With the sticky keyword we have enabled automatic assignment of the MAC address to interfaces fa0/3 and fa0/4: after this command, the source MAC of the first frame received on each of these interfaces will stick to that interface.

Switch(config-if-range)#switchport port-security violation restrict

To verify:

[Figure: show port-security interface output for fa0/3 and fa0/4 with the restrict violation mode]

Now, with these configurations in place, when you look at the MAC entries you'll find that:

[Figure: MAC address table after port security is configured on fa0/1 to fa0/4]

Fa0/1 to Fa0/4 will have static entries, which shows that only these MAC addresses are allowed on the interfaces configured with port security. No other user is allowed to connect on these interfaces; if an attacker or any other user on the LAN tries to access the network through one of them, the action defined by that interface's violation parameter will be taken.
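To tie the MAC table overflow scenario and the three violation modes together, here is a small Python model of a switch with a fixed-size CAM table and Cisco-style port security. It is an added example, not code from the original post or from Cisco, and the class and function names are assumptions; it models only the behaviour the post describes. overflow_scenario() replays the 100-entry CAM table example with a spare port left open versus the same port secured with maximum 1, sticky and restrict, and reports whether a legitimate frame from host A to host B is still forwarded once the bogus entries have crowded out the real ones. violation_modes() sends one unauthorized frame to a port holding the post's static MAC under each of shutdown, protect and restrict and shows what differs: whether the port goes err-disabled, whether a count is kept, and whether the legitimate host keeps working afterwards. Host B's MAC, the intruder MAC and the bogus sources are constructed values.

```python
"""Toy model of a switch CAM table with Cisco-style port security (added
example; names are assumptions, not IOS internals). Covers a CAM table
that fills up and floods, sticky learning, and the three violation modes."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

FORWARD, FLOOD, DROP, ERR_DISABLED = "forward", "flood", "drop", "err-disabled"
STATIC_MAC = "0030.A3C4.C9C7"   # the static entry the post binds to fa0/1


@dataclass
class PortSecurity:
    maximum: int = 1             # switchport port-security maximum <n>
    violation: str = "shutdown"  # switchport port-security violation <mode>
    sticky: bool = False         # switchport port-security mac-address sticky
    secure_macs: Set[str] = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False

    def admit(self, src_mac: str) -> bool:
        """Decide whether a frame from src_mac may enter the switch on this port."""
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if self.sticky and len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)  # first unknown source sticks to the port
            return True
        if self.violation == "protect":    # silent drop, nothing recorded
            return False
        self.violation_count += 1          # restrict and shutdown both keep a count
        if self.violation == "shutdown":
            self.err_disabled = True       # recovers only with shutdown / no shutdown
        return False


class Switch:
    def __init__(self, cam_capacity: int):
        self.cam_capacity = cam_capacity
        self.cam: Dict[str, str] = {}                        # mac -> port
        self.security: Dict[str, Optional[PortSecurity]] = {}

    def add_port(self, name: str, security: Optional[PortSecurity] = None):
        self.security[name] = security

    def receive(self, port: str, src_mac: str, dst_mac: str) -> str:
        sec = self.security[port]
        if sec is not None and not sec.admit(src_mac):
            return ERR_DISABLED if sec.err_disabled else DROP
        if src_mac not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = port       # a full table learns nothing new
        return FORWARD if dst_mac in self.cam else FLOOD  # unknown destination floods


def overflow_scenario(secure_spare_port: bool) -> dict:
    """A spare port emits 200 bogus source MACs; is A's frame to B still forwarded?"""
    sw = Switch(cam_capacity=100)          # the 100-entry CAM table from the post
    sw.add_port("fa0/1")
    sw.add_port("fa0/2")
    spare = PortSecurity(maximum=1, violation="restrict", sticky=True) if secure_spare_port else None
    sw.add_port("fa0/24", spare)
    a, b = STATIC_MAC, "0001.4222.1A01"    # host B's MAC is constructed
    sw.receive("fa0/1", a, b)
    sw.receive("fa0/2", b, a)              # both hosts are now in the CAM table
    bogus = [f"0200.0000.{i:04X}" for i in range(200)]   # constructed bogus sources
    for mac in bogus[:100]:
        sw.receive("fa0/24", mac, "FFFF.FFFF.FFFF")
    sw.cam.pop(a, None); sw.cam.pop(b, None)  # legitimate entries age out...
    for mac in bogus[100:]:                   # ...while the bogus frames keep coming
        sw.receive("fa0/24", mac, "FFFF.FFFF.FFFF")
    sw.receive("fa0/2", b, a)              # B tries to get relearned
    verdict = sw.receive("fa0/1", a, b)
    return {"cam_entries": len(sw.cam), "a_to_b": verdict,
            "violations": spare.violation_count if spare else 0}


def violation_modes() -> dict:
    """Good frame, intruder frame, good frame again on fa0/1 under each mode."""
    intruder, b = "0200.DEAD.BEEF", "0001.4222.1A01"   # constructed MACs
    out = {}
    for mode in ("shutdown", "protect", "restrict"):
        sec = PortSecurity(maximum=1, violation=mode, secure_macs={STATIC_MAC})
        sw = Switch(cam_capacity=100)
        sw.add_port("fa0/1", sec)
        sw.add_port("fa0/2")
        sw.receive("fa0/2", b, STATIC_MAC)  # make B a known destination
        verdicts = [sw.receive("fa0/1", STATIC_MAC, b),
                    sw.receive("fa0/1", intruder, b),
                    sw.receive("fa0/1", STATIC_MAC, b)]
        out[mode] = (verdicts, sec.violation_count, sec.err_disabled)
    return out


if __name__ == "__main__":
    print("open spare port:   ", overflow_scenario(False))
    print("secured spare port:", overflow_scenario(True))
    for mode, result in violation_modes().items():
        print(f"{mode:9s}", result)
```

Two points the model makes visible: with the spare port open, the table ends up full of bogus entries and the A-to-B frame is flooded, which is the hub-like behaviour the post warns about; with maximum 1 and restrict on the spare port, only the first bogus source sticks, every later one is dropped and counted, and A-to-B is forwarded normally. In the per-mode run, shutdown is the only mode that takes the legitimate host down with the intruder, protect is the only mode that leaves no count behind, and restrict drops, counts and keeps the port up.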

Frequently Asked Questions

Q1 – Why is port security important?

Because switch ports in Ethernet LANs are open by default, several attacks, such as layer 2 DoS attacks and address spoofing, are possible. Port security is an effective means of securing a network by preventing unauthorized devices from forwarding frames. With port security you can limit the number of MAC addresses, configure static MAC addresses, and take action against unauthorized users.

Q2 – What layer is port security?

Port security is a Layer 2 security feature that may be implemented on each port of a switch. Its purpose is to filter incoming frames based on the media access control (MAC) addresses of the devices that are connected to the switch.

Q3 – What are the 3 types of port security?

There are mainly 3 types of port security violations. These are:

  • Shutdown
  • Protect
  • Restrict

When port security is enabled on a switch, each port may be set to one of the three violation modes, each defining the action to be taken in the event of a security violation.

Q4 – What are the methods of port security?

Mainly there are two methods of port security. These are:

  • Static
  • Dynamic

The two methods can be used individually or concurrently.

Conclusion

In a computer network, port security is a feature that restricts which devices may connect to a certain switch port. It protects against various security issues, including unauthorized access, data theft, network attacks, and more. Various methods of configuration, such as MAC address filtering, are available. Protecting your network’s ports is crucial in keeping your data and systems safe from attackers.
