Chapter 35 - Implementing Switch Port Security

Question 1

What is Port Security?

Answer 1

• Cisco feature
• A security feature used on switches which ensures that only pre determined devices can actually use certain switch ports for data transmission based on their MAC address.

Question 2

What functons does Port Security perform?

Answer 2

• Sets a limit on how many unique source MAC addresses can come in a single interface.
• Keeps a list and counter of all source MAC addresses entering an interface.
• Monitors newly learned MAC addresses and received frames to determine if they cause any Port Security violations.
• Takes action to discard traffic that violates Port Security dependent on the configured violation mode

Question 3

How can you define what MAC addresses are allowed on an interface in port-security?

Answer 3

• Statically define a list of MAC addresses that are allowed on an interface
• Dynamically learning the first of a defined amount of MAC addresses and only allowing those to pass in future
• Dynamically learning some MAC addresses and statically defining others

Question 4

What is a Sticky Secure MAC Address?

Answer 4

• Allows dynamically learned MAC addresses to be added to the running-config of the switch. Each learned MAC address will have a line showing as ‘switchport port-security mac-address sticky <mac>'</mac>
• They will never age out

Question 5

True or False. Port security runs on trunks and access ports.

Answer 5

True.

Question 6

True or False. Port security runs on switchports that have dynamically learnt their state via DTP.

Answer 6

False. Access or trunk has to be statically set on the interface. It also must be the Administrative Mode not the Operational Mode.

Question 7

What command do you use to enable port security on an interface? What other commands add onto this?

Answer 7

• From interface configuration mode

-To enable Port Security:
‘switchport port-security’

• To determine the maximum number of MAC addresses allowed in an interface (default of 1):
  ‘switchport port-security maximum <number>'</number>
• To define how the switchport reacts to a violation (default is shutdown):
  ‘switchport port-security violation <protect/restrict/shutdown>’
• To define an allowed source MAC on an interface (perform once for each MAC address):
  ‘switchport port-security mac-address <MAC>'</MAC>
• To tell Port Security to save current and future dynamically learned MAC addresses into the running-config:
  ‘switchport port-security mac-address sticky’

Question 8

True or False. Interfaces will still perform MAC learning when they have reached their maximum MAC address limit.

Answer 8

False, MAC addresses will not be added to the MAC address table. However, the last MAC that was allowed on the interface will still show up in ‘show switchport port-security int’.

Question 9

True or False. The switch automatically saves any MAC addresses learned by Port Security that uses sticky mode.

Answer 9

False. You will need manually save the switch config.

Question 10

True or False. Port security can be implemented on Etherchannels

Answer 10

True. It should be performed on the Etherchannel interface rather than the physical interfaces participating in the Etherchannel.

Question 11

What command can you use to find information on port-security? What information does it show?

Answer 11

‘show port-security interface <Interface>'</Interface>

This can show:
- Port Security enabled/disabled
- The interface mode that port-security has entered it into
- The violation mode of the interface
- The maximum MAC addresses (including sticky) learned on the interface
- The last source address learned
- The number of security violations that have occurred

You can also use ‘show port-security’ which shows a brief of this information

Question 12

What does the port-security violation mode do?

Answer 12

• Defines how an interface should react when a violation occurs

Question 13

What are examples of a port-security violation?

Answer 13

• When the number of MAC addresses entering an interface exceeds that maximum number of MAC addresses allowed to be learned on that interface define by port-security
• Where allowed MAC addresses are defined statically in port-security, any MAC addresses enter an interface that are not defined here will be considered a violation

Question 14

List whether port-security violation modes discard offending traffic

Answer 14

• Protect - Yes
• Restrict - Yes
• Shutdown - Yes

Question 15

List whether port-security violation modes send log and SNMP messages

Answer 15

• Protect - No
• Restrict - Yes
• Shutdown - Yes

Question 16

List whether port-security violation modes disable an interface by putting it in an err-disabled state

Answer 16

• Protect - No
• Restrict - No
• Shutdown - Yes

Question 17

What happens to an interface when Shutdown port-security mode is set and a violation occurs?

Answer 17

• The interface is put into an err-disabled state
• The port-security status for the interface moves to secure-shutdown
• No longer sends or receives traffic over this interface

Question 18

True or False. An interface can automatically recover from being put into an err-disabled state.

Answer 18

False by default. Unless one of the below commands is configured you need to shutdown and no shutdown the interface:

• ‘errdisable recovery cause psecure-violation’ - A global command used to allow interfaces to recover from err-disabled when they have been put in this state specifically by port-security. This runs every 5 minutes
• ‘errdisable recovery interval <time>' - A global command used to set the time that an interface has to wait to recover.</time>

Question 19

What is the main difference between violation mode Shutdown and modes Protect and Restrict?

Answer 19

• Shutdown will disable the interface (secure-shutdown) and block all traffic. Protect and Restrict will keep the interface up (secure-up) and will continue to process good traffic but discard violating traffic.

Question 20

What is the main difference between violation mode Protect and violation mode Restrict?

Answer 20

• Protect and Restrict both only disallow violating traffic, however, Protect will not increment its violation counter for violating traffic or produce log messages. Restrict will do both of these things.

Question 21

When you first enable port-security, how does a switch determine what MAC addresses to allow?

Answer 21

• If the MAC address is not statically configured, the interface will allow only the first MAC address it receives. Any other MAC address after this will cause a violation.

Question 22

List whether port-security violation modes increment their violation counter

Answer 22

• Protect - No
• Restrict - Yes
• Shutdown - Yes

Question 23

What is the default port-security violation mode?

Answer 23

Shutdown

Question 24

What is Secure MAC Aging?

Answer 24

• The process by which the secure MAC address(es) in port-security is aged out to where it needs to be either readded statically or relearned dynamically.
• Default Aging Timer is 0 mins (will not age out)
• Default Aging Type is Absolute
• Configured with ‘switchport port-security aging time <time>'</time>

Question 25

What are the different MAC Aging Types in port-security

Answer 25

- Absolute - Will age out the secure MAC address(es) after the aging timer reaches 0 even if frames are still being received from that MAC address. - Inactivity - The aging timer counts down as with Absolute, however, it is reset anytime a frame is received from the current secure MAC address. - Configured with 'switchport port-security aging type '

Question 26

True or False. Static secure MAC aging is disabled by default.

Answer 26

True.

Question 27

What command can you use to enable MAC aging for static secure MAC addresses?

Answer 27

'switchport port-security aging static'

Question 28

What is the difference between dynamically learned secure MACs and sticky secure MACs?

Answer 28

- Sticky secure MACs are saved to the running-config. Provided these are saved to the startup-config, the switch doesn't need to dynamically relearn these MACs whereas with dynamic MACs, these are not saved and therefore will need to be relearned if the switch reboots.

Question 29

What are Sticky MAC addresses listed as in the mac-address table?

Answer 29

STATIC