What Is Port Security?
Port security controls and manages network traffic based on MAC addresses. This function not only binds MAC addresses to ports, but also limits the number of MAC addresses that can be learned by a port. It converts dynamic MAC addresses learned by a port into secure MAC addresses (including secure dynamic MAC addresses, secure static MAC addresses, and sticky MAC addresses), and allows only packets with source MAC addresses in the secure MAC address list to pass through. Packets whose source MAC addresses are not in the secure MAC address list are considered unauthorized. Port security prevents unauthorized users from accessing the switch through the port, enhancing network security.
Why Do We Need Port Security?
When unauthorized users acquire a port's MAC address, they may use this address as a destination MAC address to communicate with the device, thereby initiating attacks. For example, if an unauthorized user sends a large number of packets with variable source MAC addresses to the switch, the MAC address entry resources on the switch may become exhausted. In this case, the switch cannot learn source MAC addresses of normal packets. For another example, on a network that has high security requirements, visitors who use their own computers to access the enterprise network pose great security risks to the network.
To mitigate such risks, port security can be enabled on the device to convert the dynamic MAC addresses learned by a port into secure MAC addresses. In this case, the dynamic MAC address entries that have been learned on the port are deleted. When the number of MAC addresses newly learned by the port reaches the upper limit, the port stops learning new MAC addresses. If the source MAC address of packets received by a port matches a secure MAC address entry, the switch permits the packets. If no match is found, the switch considers the packets as attack packets and takes a protective action, such as discarding the packets, reporting an alarm, or shutting down the port.
How Does Port Security Work?
MAC address entries can be classified as dynamic, static, or blackhole MAC address entries. A secure MAC address is a type of static MAC address entry, converted from a dynamic MAC address entry.
After port security is enabled, when a port receives packets whose source MAC addresses are not in the secure MAC address list, the device takes a protective action, such as discarding the packets, reporting an alarm, or shutting down the port.
Classification of Secure MAC Addresses
Secure MAC addresses are classified into secure dynamic MAC addresses, secure static MAC addresses, and sticky MAC addresses.
Type | Definition | Feature
---|---|---
Secure dynamic MAC address | MAC address that is converted on a port with port security enabled but sticky MAC disabled. | After a device restarts, secure dynamic MAC addresses are lost and need to be relearned. By default, secure dynamic MAC addresses never age. They can be aged only after the aging time is set. Secure dynamic MAC addresses can be aged based on the absolute aging time or relative aging time.
Secure static MAC address | MAC address that is manually configured on a port with port security enabled. | Secure static MAC addresses are not aged out and are not lost after a device restarts. Before enabling the secure static MAC address function, you need to know the endpoint MAC address and then manually configure the mapping between the port, MAC address, and VLAN.
Sticky MAC address | MAC address that is converted on a port with both port security and sticky MAC enabled. | Sticky MAC addresses are not aged out and are not lost after a device restarts. You do not need to know the endpoint MAC address before enabling sticky MAC. After sticky MAC is enabled on a port, the mapping between the port, MAC address, and VLAN is generated automatically.
MAC Address Changes
When port security or sticky MAC is enabled or disabled on a port, MAC addresses on the port may change or be deleted. For details, see the following table.
Function | Enabled | Disabled
---|---|---
Port security | The dynamic MAC address entries that have been learned on the port are deleted, and subsequently learned MAC address entries are converted into secure dynamic MAC address entries. | The existing secure dynamic MAC address entries on the port are deleted, and the port relearns dynamic MAC address entries.
Sticky MAC | The existing secure dynamic MAC address entries and subsequently learned MAC address entries on the port are converted into sticky MAC address entries. | The sticky MAC address entries on the port are converted into secure dynamic MAC address entries.
Action to Take After the Number of Secure MAC Addresses Exceeds the Limit
After port security is enabled, a port can learn only one secure MAC address by default. You can manually set the number of secure MAC addresses that a port can learn. When the number of secure MAC addresses on a port reaches the limit, if the port receives packets whose source MAC address is not in the secure MAC address list, the switch considers that an attack from an unauthorized user occurs regardless of whether the destination MAC address of packets exists in the MAC address list. It then takes a specified action to protect the port. There are three port security protective actions: restrict, protect, and shutdown. The following table lists the protective actions for port security. By default, the protective action is restrict.
Action | Description
---|---
restrict | Discards packets whose source MAC addresses are not in the secure MAC address list and reports an alarm. This action is recommended.
protect | Discards packets whose source MAC addresses are not in the secure MAC address list but does not report an alarm.
shutdown | Sets the port state to error-down and reports an alarm.
Action to Take When Static MAC Address Flapping Occurs
Secure MAC addresses are also static MAC addresses. After static MAC address flapping detection is configured on a port, if the source MAC address of packets received on the port exists in the static MAC address table of another port, the switch considers that static MAC address flapping occurs and takes a specified action to protect the port. There are three port security protective actions: restrict, protect, and shutdown.
Action | Description
---|---
restrict | Discards the packets that trigger static MAC address flapping and reports an alarm. This action is recommended.
protect | Discards the packets that trigger static MAC address flapping but does not report an alarm.
shutdown | Sets the port state to error-down and reports an alarm.
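The following Python model is an added illustration, not vendor code, of the behaviour described in the tables above (learning up to the limit, the restrict/protect/shutdown actions, secure dynamic versus sticky persistence across a restart, and the static MAC address flapping check). The names `Port`, `process`, `restart` and `static_elsewhere` are the model's own, and all MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    max_secure: int = 1            # default: a port learns only one secure MAC
    action: str = "restrict"       # restrict | protect | shutdown (default restrict)
    flap_action: str = "restrict"  # action taken on static MAC address flapping
    sticky: bool = False           # sticky entries survive a restart (config saved)
    secure: dict = field(default_factory=dict)  # mac -> dynamic | sticky | static
    err_down: bool = False
    alarms: list = field(default_factory=list)

    def _punish(self, action, reason):
        """Apply a protective action; every action drops the offending frame."""
        if action in ("restrict", "shutdown"):
            self.alarms.append(reason)
        if action == "shutdown":
            self.err_down = True          # port is error-down until recovered
        return "drop"

    def process(self, src_mac, static_elsewhere=frozenset()):
        """Handle one frame; static_elsewhere = static MACs bound to other ports."""
        if self.err_down:
            return "drop"
        if src_mac in static_elsewhere:   # static MAC seen on the wrong port
            return self._punish(self.flap_action, f"flapping: {src_mac}")
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.max_secure:
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        return self._punish(self.action, f"unauthorized source {src_mac}")

    def restart(self):
        """Secure dynamic entries are lost; sticky and static entries persist."""
        self.secure = {m: t for m, t in self.secure.items() if t != "dynamic"}

def demo():
    """Constructed scenario: two hosts on a one-MAC port, then a restart."""
    p = Port(max_secure=1, action="restrict")
    r1 = p.process("00:11:22:33:44:55")   # learned as secure dynamic -> forward
    r2 = p.process("00:11:22:33:44:66")   # limit reached -> drop + alarm
    p.restart()                            # secure dynamic entry is lost
    s = Port(max_secure=2, sticky=True, action="shutdown")
    for mac in ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"):
        s.process(mac)                     # two sticky entries learned
    r3 = s.process("aa:aa:aa:aa:aa:03")   # third MAC -> port goes error-down
    s.restart()                            # sticky entries survive
    return r1, r2, len(p.secure), len(p.alarms), r3, s.err_down, len(s.secure)
```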
How to Apply Port Security on the Network?
Port security can be configured on:
- Access devices, to prevent unauthorized users from initiating attacks through ports.
- Aggregation devices, to control the number of access users.
Configuring Port Security at the Access Layer
Port security is configured on access devices to:
- Prevent visitors from using their own computers to access the company network.
- Prevent employees from changing their locations without permission.
Networking of port security on an access device
- If access users frequently change locations, you can configure port security to convert dynamic MAC addresses to secure dynamic MAC addresses. This ensures that bound MAC address entries are deleted as soon as users change locations.
- If access users rarely change locations, you can configure port security to convert dynamic MAC addresses to sticky MAC addresses. This ensures that bound MAC address entries are not lost after a device restarts with configurations saved.
- If there are only a few access users who rarely change locations, you can configure secure static MAC addresses.
Configuring Port Security at the Aggregation Layer
As shown in the following tree networking diagram, multiple users communicate with the aggregation device Switch through SwitchA. To ensure the security of the aggregation device and control the number of access users, configure port security on the aggregation device and set the maximum number of secure MAC addresses. This prevents the MAC address table of the aggregation device from being full due to MAC address flooding.
Networking of port security on an aggregation device
- Author: Tang Jinhua
- Updated on: 2024-11-15