Easily understand Huawei port security mechanism in one minute

1. Introduction to Port Security

Port Security converts the dynamic MAC addresses learned by the interface into secure MAC addresses (including secure dynamic MAC, secure static MAC, and StickyMAC) to prevent illegal users from communicating with the switch through this interface, thereby enhancing the security of the device.

2. Port Security Principle Description

1. Classification of secure MAC addresses

Secure MAC addresses fall into three kinds: secure dynamic MAC, secure static MAC, and sticky MAC.

2. Secure dynamic MAC address:

Entries are lost when the device restarts and must be relearned.

By default they do not age out. They age only after an aging time for secure MAC addresses has been configured.

3. Secure static MAC address:

Entries do not age out, and they are not lost after a device restart once you have manually saved the configuration.

4. Sticky MAC address:

Entries do not age out, and they are not lost after a device restart once you have manually saved the configuration.

5. Actions after the secure MAC address limit is exceeded

Once the number of secure MAC addresses on an interface has reached the configured limit, any packet whose source MAC address is not in the secure MAC table, regardless of whether its destination MAC address is known, is treated by the switch as an illegal user attack, and the interface is protected according to the configured action. The default action is to discard the packet and report an alarm.

restrict:

Discards packets whose source MAC address is not in the secure MAC table and reports an alarm. The restrict action is recommended.

protect:

Discards packets whose source MAC address is not in the secure MAC table, but reports no alarm.

shutdown:

Sets the interface to the error-down state and reports an alarm.

By default, an interface in the error-down state is not recovered automatically. The network administrator must run the restart command in the interface view to bring the interface back up.
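To make the behaviour of the three secure MAC types and the three protect actions concrete, here is a small simulation. It is an added example and not Huawei code: one switch port that converts learned source MACs into secure MACs, enforces a maximum, applies the restrict / protect / shutdown action when the limit is exceeded, and shows which entries survive aging, a saved configuration and a reboot. The class names (`SecurePort`, `Action`, `MacType`), the method names and the sample MAC addresses are all constructed for this example.

```python
"""Toy model of the port-security mechanism described in section 2.

Added example, not Huawei code: one switch port that converts learned
source MACs into secure MACs, enforces a maximum number of them, applies
the restrict / protect / shutdown action when the limit is exceeded, and
shows which entries survive aging and a reboot. Class names, method names
and the sample MAC addresses are all constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    RESTRICT = "restrict"   # drop the frame and raise an alarm (default)
    PROTECT = "protect"     # drop the frame, no alarm
    SHUTDOWN = "shutdown"   # put the port in error-down and raise an alarm


class MacType(Enum):
    DYNAMIC = "secure-dynamic"  # lost on reboot; ages only if an aging time is set
    STATIC = "secure-static"    # never ages; kept across reboot once config is saved
    STICKY = "sticky"           # never ages; kept across reboot once config is saved


@dataclass
class SecurePort:
    max_mac: int = 1
    action: Action = Action.RESTRICT
    sticky: bool = False                 # learn new MACs as sticky instead of secure-dynamic
    aging_minutes: Optional[int] = None  # None: secure-dynamic entries never age
    secure_macs: Dict[str, Tuple[MacType, int]] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)
    error_down: bool = False
    saved: bool = False

    def add_static(self, mac: str) -> None:
        """Operator-configured secure static MAC; it counts toward max_mac."""
        if mac not in self.secure_macs and len(self.secure_macs) >= self.max_mac:
            raise ValueError("secure MAC limit reached")
        self.secure_macs[mac] = (MacType.STATIC, 0)

    def receive(self, src_mac: str, now: int = 0) -> str:
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.error_down:
            return "drop"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.max_mac:
            kind = MacType.STICKY if self.sticky else MacType.DYNAMIC
            self.secure_macs[src_mac] = (kind, now)
            return "forward"
        # Limit reached and the source MAC is unknown: treated as an illegal user.
        if self.action is Action.SHUTDOWN:
            self.error_down = True
            self.alarms.append(f"error-down: unknown source {src_mac}")
        elif self.action is Action.RESTRICT:
            self.alarms.append(f"restrict: dropped unknown source {src_mac}")
        return "drop"          # protect: drop silently

    def age(self, now: int) -> None:
        """Age out secure-dynamic entries, but only if an aging time is configured."""
        if self.aging_minutes is None:
            return
        for mac, (kind, learned_at) in list(self.secure_macs.items()):
            if kind is MacType.DYNAMIC and now - learned_at >= self.aging_minutes:
                del self.secure_macs[mac]

    def save_config(self) -> None:
        self.saved = True

    def reboot(self) -> None:
        """Secure-dynamic entries are always lost; static and sticky survive only if saved."""
        self.secure_macs = {m: e for m, e in self.secure_macs.items()
                            if e[0] is not MacType.DYNAMIC and self.saved}

    def restart(self) -> None:
        """Model of the 'restart' command in interface view recovering an error-down port."""
        self.error_down = False


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Access port for two known devices with sticky learning and the default action."""
    port = SecurePort(max_mac=2, action=Action.RESTRICT, sticky=True)
    frames = ["0001-0001-0001", "0002-0002-0002", "dead-beef-0001"]  # constructed
    results = [port.receive(mac) for mac in frames]
    port.save_config()
    port.reboot()                      # sticky entries survive, the intruder never got in
    return results, port.alarms, sorted(port.secure_macs)


if __name__ == "__main__":
    print(demo())
```

The `demo()` run shows the access-layer case from the scenarios: two sticky entries are learned, the third source MAC is dropped with a restrict alarm, and after saving and rebooting only the two sticky entries remain. Switching `sticky=False` makes the learned entries secure-dynamic, which the same `reboot()` discards, and setting `action=Action.SHUTDOWN` shows the port staying down for every frame until `restart()` is called.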

3. Port Security Application Scenarios

Port security is typically used in the following scenarios:

• On access-layer devices, port security is configured to prevent users with forged MAC addresses from attacking other ports.

• On aggregation-layer devices, port security is configured to control the number of access users.

Access layer usage scenario:

PC1 and PC3 connect to SwitchA through IP phones, and PC2 connects directly to SwitchA. To protect the access device and keep unauthorized users out, you can configure port security on the interfaces of the access device SwitchA.

• If the access users change frequently, use port security to convert the dynamic MAC addresses into secure dynamic MAC addresses. The bound MAC address table entries are then cleared promptly when a user changes.

• If the access users change rarely, use port security to convert the dynamic MAC addresses into sticky MAC addresses. After the configuration is saved and the device restarts, the bound MAC address table entries are not lost.

• If there are only a few access users, configure secure static MAC addresses to bind the MAC address table entries.

Aggregation layer usage scenario:

In a tree network, multiple users communicate with the aggregation-layer device Switch through SwitchA. To protect the aggregation device and control the number of access users, you can enable port security on the aggregation device and specify the maximum number of secure MAC addresses.

5. Switch port security

The switch relies on its MAC address table to forward data frames. If the destination MAC address is not in the table, the switch forwards the frame out of every other port (flooding). The MAC address table has a finite size, and a MAC flooding attack exploits this limit: the attacker bombards the switch with frames carrying fake source MAC addresses until the table is full. The switch then enters a mode called "fail-open" and behaves like a hub, broadcasting frames to all machines on the network.

As a result, the attacker can see every frame sent to any host that no longer has a MAC address table entry. To prevent MAC flooding attacks, configure port security: limit the number of valid MAC addresses allowed on the port and define the port's action when an attack occurs (shutdown, protect, or restrict).
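The following simulation shows why the limit matters. It is an added example and not Huawei code: a toy switch with a fixed-size MAC address table that floods unicast frames whose destination is unknown. Without a per-port limit, a burst of forged source MACs fills the table, a host that comes online afterwards cannot be learned, and frames to it are flooded to every port including the attacker's (the fail-open state). With a per-port secure MAC limit, forged sources beyond the limit are discarded and counted, which is the event the restrict action would alarm on. The class name `ToySwitch`, the port layout, the table size and the MAC addresses are constructed for this example.

```python
"""Toy model of the MAC flooding scenario from section 5.

Added example, not Huawei code: a switch with a fixed-size MAC address
table that floods unicast frames whose destination is unknown. Without a
per-port limit, a burst of forged source MACs fills the table, a later
legitimate host can no longer be learned, and frames to it are flooded to
every port, including the attacker's (fail-open). With a per-port secure
MAC limit, the forged sources beyond the limit are discarded and counted,
which is what the restrict action would alarm on. Port numbers, table size
and MAC addresses are constructed for this example.
"""
from typing import Dict, List, Optional


class ToySwitch:
    def __init__(self, ports: List[int], table_size: int,
                 max_mac_per_port: Optional[int] = None) -> None:
        self.ports = ports
        self.table_size = table_size
        self.max_mac_per_port = max_mac_per_port   # None: port security off
        self.table: Dict[str, int] = {}            # mac -> port
        self.drops = 0                              # frames discarded by port security

    def _macs_on_port(self, port: int) -> int:
        return sum(1 for p in self.table.values() if p == port)

    def forward(self, src: str, dst: str, in_port: int) -> List[int]:
        """Learn src behind in_port, then return the egress ports for dst."""
        if src not in self.table:
            if (self.max_mac_per_port is not None
                    and self._macs_on_port(in_port) >= self.max_mac_per_port):
                self.drops += 1        # unknown source beyond the limit: discard
                return []
            if len(self.table) < self.table_size:
                self.table[src] = in_port
            # Table full: learning silently fails but the frame is still forwarded.
        out = self.table.get(dst)
        if out is None:
            return [p for p in self.ports if p != in_port]   # unknown unicast: flood
        return [] if out == in_port else [out]


def simulate(with_port_security: bool):
    """Return (egress ports of a PC1->PC3 frame, table size, port-security drops)."""
    ports = [1, 2, 3]          # 1: PC1, 2: PC3, 3: attacker (constructed layout)
    sw = ToySwitch(ports, table_size=8,
                   max_mac_per_port=1 if with_port_security else None)
    for i in range(20):        # forged source MACs arriving on port 3 (constructed)
        sw.forward(src=f"fake-{i:04d}", dst="ffff-ffff-ffff", in_port=3)
    sw.forward(src="pc3-mac", dst="pc1-mac", in_port=2)      # PC3 comes online
    egress = sw.forward(src="pc1-mac", dst="pc3-mac", in_port=1)
    return egress, len(sw.table), sw.drops


if __name__ == "__main__":
    print("no port security:", simulate(False))   # PC1->PC3 also reaches port 3
    print("port security:   ", simulate(True))
```

Without the limit the table holds eight forged entries, PC3 is never learned, and the PC1-to-PC3 frame is flooded to ports 2 and 3, so the attacker on port 3 receives it. With a limit of one MAC per port, nineteen forged frames are dropped, both PCs are learned, and the frame goes only to port 2; the `drops` counter is the signal a restrict alarm would carry.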


Origin blog.csdn.net/zhongyuanjy/article/details/112889825