Port security technology: Where is your network defense line?

Port Security Technology Background

The enterprise requires that each interface on the access layer switch that connects to the terminal device only allows one PC to access the network (limiting the number of MAC address accesses). If an employee attempts to cascade a small switch or hub under a certain interface to expand the Internet access interface, this behavior should be discovered or prohibited, as shown in the following figure:

Some companies may also require that only data frames sent by terminals with trusted MAC addresses are allowed to be forwarded by the switch to the upper network, and employees cannot change their positions (change the access port of the switch) without permission, as shown in the following figure:

These problems can be solved by the switch's port security feature.

Port Security Overview

By deploying port security on specific interfaces of a switch, you can limit the number of MAC addresses learned by the interface and configure penalty measures when the limit is exceeded.

Port security converts the dynamic MAC addresses learned by the interface into secure MAC addresses (including secure dynamic MAC, secure static MAC, and sticky MAC) to prevent illegal users from communicating with the switch through the interface, thereby enhancing the security of the device.

Port Security Technology Principles

Secure MAC addresses are usually used in conjunction with security protection actions. Common security protection actions include:

• Restrict: discards packets with non-existent source MAC addresses and reports an alarm.
• Protect: Only packets with non-existent source MAC addresses are discarded and no alarm is reported.
• Shutdown: The interface status is set to error-down and an alarm is reported.

Port security technology application

In a network that requires high security for access users, you can configure the port security function and the limit on the number of port security dynamic MAC learning. In this case, the MAC addresses learned by the interface will be converted into secure MAC addresses. When the maximum number of MAC addresses learned by the interface reaches the upper limit, no new MAC addresses will be learned, and only these MAC addresses are allowed to communicate with the switch. In addition, when the number of secure MAC addresses on the interface reaches the limit, if a message with a non-existent source MAC address is received, regardless of whether the destination MAC address exists, the switch will consider that there is an attack by an illegal user, and will protect the interface according to the configured action. This can prevent other untrusted users from communicating with the switch through this interface, thereby improving the security of the switch and the network.

After configuring the port security function, the MAC addresses learned by the interface will be converted to secure MAC addresses. When the maximum number of MAC addresses learned by the interface reaches the upper limit, no new MAC addresses will be learned, and only these MAC addresses are allowed to communicate with the switch. If the access user changes, you can refresh the MAC address table by restarting the device or configuring the secure MAC aging time. For relatively stable access users, if you do not want subsequent changes, you can further enable the Sticky MAC function of the interface, so that after saving the configuration, the MAC address table entries will not be refreshed or lost.

Port Security Configuration Commands

(1) Enable port security:

 [Huawei-GigabitEthernet0/0/1] port-security enable

By default, port security is disabled.

(2) Configure the port security dynamic MAC learning limit:

 [Huawei-GigabitEthernet0/0/1] port-security max-mac-num max-number

By default, the maximum number of secure MAC addresses that an interface can learn is 1.

(3) (Optional) Manually configure a secure static MAC address entry:

 [Huawei-GigabitEthernet0/0/1] port-security mac-address mac-address vlan vlan-id

(4) (Optional) Configure port security protection actions:

 [Huawei-GigabitEthernet0/0/1] port-security protect-action { protect | restrict | shutdown }

By default, the port security action is restrict.

When static MAC address flapping occurs, the interface will perform error down operations and issue an alarm:

• When the number of learned MAC addresses exceeds the interface limit, the interface will execute the error down operation and issue an alarm.
• When static MAC address flapping occurs, the interface will perform the error down operation and issue an alarm.
• When the number of learned MAC addresses exceeds the interface limit, the interface discards packets with source addresses outside the MAC table and issues an alarm.
• When static MAC address flapping occurs, the interface discards packets with the MAC address and issues an alarm.
• When the number of learned MAC addresses exceeds the interface limit, the interface will discard packets with source addresses outside the MAC table.
• When a static MAC address flaps, the interface discards the packets with the MAC address.
• protect
• restrict
• shutdown

(5) (Optional) Set the aging time for secure dynamic MAC addresses learned on an interface:

 [Huawei-GigabitEthernet0/0/1] port-security aging-time time [ type { absolute | inactivity } ]

By default, secure dynamic MAC addresses learned on an interface do not age.

(6) Enable the Sticky MAC function on the interface

 [Huawei-GigabitEthernet0/0/1] port-security mac-address sticky

By default, the sticky MAC function is disabled on an interface.

(7) Set the maximum number of sticky MAC addresses that can be learned on an interface.

 [Huawei-GigabitEthernet0/0/1] port-security max-mac-num max-number

 [Huawei-GigabitEthernet0/0/1] port-security max-mac-num max-number

After the sticky MAC function is enabled on an interface, the default limit on the number of MAC addresses that the interface can learn is 1.

(8) (Optional) Manually configure a sticky-mac entry:

 [Huawei-GigabitEthernet0/0/1] port-security mac-address sticky mac-address vlan vlan-id

Port Security Configuration Example

Secure Dynamic MAC

Configuration requirements:

• Deploy port security on Switch1.
• The number of MAC addresses learned by GE0/0/1 and GE0/0/2 interfaces is limited to 1. When the interface is connected to multiple PCs, Switch1 needs to issue an alarm and the interface must still be able to forward data frames of legitimate PCs.
• The GE0/0/3 interface limits the number of learned MAC addresses to 2. When the number of learned MAC addresses exceeds the interface limit, the switch needs to issue an alarm and shut down the interface.

The configuration of Switch1 is as follows:

 [Switch1] interface GigabitEthernet 0/0/1 [Switch1-GigabitEthernet 0/0/1] port-security enable [Switch1-GigabitEthernet 0/0/1] port-security max-mac-num 1 [Switch1-GigabitEthernet 0/0/1] port-security protect-action restrict [Switch1] interface GigabitEthernet 0/0/2 [Switch1-GigabitEthernet 0/0/2] port-security enable [Switch1-GigabitEthernet 0/0/2] port-security max-mac-num 1 [Switch1-GigabitEthernet 0/0/2] port-security protect-action restrict [Switch1] interface GigabitEthernet 0/0/3 [Switch1-GigabitEthernet 0/0/3] port-security enable [Switch1-GigabitEthernet 0/0/3] port-security max-mac-num 2 [Switch1-GigabitEthernet 0/0/3] port-security protect-action shutdown

Configuration verification: Run the display mac-address security command to view the dynamic secure MAC table entries.

 [Switch1]display mac-address security MAC address table of slot 0: ---------------------------------------------------------------------------------------------------------------- MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID VSI/SI MAC-Tunnel ---------------------------------------------------------------------------------------------------------------- 5489-98ac-71a9 1 - - GE0/0/3 security - 5489-98b1-7b30 1 - - GE0/0/1 security - 5489-9815-662b 1 - - GE0/0/2 security - ---------------------------------------------------------------------------------------------------------------- Total matching items on slot 0 displayed = 3

Sticky MAC

Configuration requirements:

• Deploy port security on the Switch and activate port security on GE0/0/1 to G0/0/3.
• Both GE0/0/1 and GE0/0/2 limit the number of learned MAC addresses to 1 and convert the dynamic secure MAC addresses learned on these two interfaces into sticky MAC addresses.
• For GE0/0/3, the number of learned MAC addresses is limited to 1, but a sticky MAC address entry is manually created for the interface to bind the interface to MAC address 5489-98ac-71a9. The violation penalty for each interface remains the default.

The Switch configuration is as follows:

 [Switch] interface GigabitEthernet 0/0/1 [Switch-GigabitEthernet 0/0/1] port-security enable [Switch-GigabitEthernet 0/0/1] port-security max-mac-num 1 [Switch-GigabitEthernet 0/0/1] port-security mac-address sticky [Switch] interface GigabitEthernet 0/0/2 [Switch-GigabitEthernet 0/0/2] port-security enable [Switch-GigabitEthernet 0/0/2] port-security max-mac-num 1 [Switch-GigabitEthernet 0/0/2] port-security mac-address sticky [Switch] interface GigabitEthernet 0/0/3 [Switch-GigabitEthernet 0/0/3] port-security enable [Switch-GigabitEthernet 0/0/3] port-security max-mac-num 1 [Switch-GigabitEthernet 0/0/3] port-security mac-address sticky [Switch-GigabitEthernet 0/0/3] port-security mac-address sticky 5489-98ac-71a9 vlan 1

Configuration verification Run the display mac-address sticky command to view the sticky MAC entries:

 [Switch1]display mac-address sticky MAC address table of slot 0: ------------------------------------------------------------------------------------------------------- MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID VSI/SI MAC-Tunnel ------------------------------------------------------------------------------------------------------- 5489-98ac-71a9 1 - - GE0/0/3 sticky - 5489-98b1-7b30 1 - - GE0/0/1 sticky - 5489-9815-662b 1 - - GE0/0/2 sticky - ------------------------------------------------------------------------------------------------------- Total matching items on slot 0 displayed = 3