Cincinnerdi Tech Stuff

A mind-numbing read if ever there was one

Port-Security: Devil in the “sticky” details?


Cisco’s port-security feature in its switches can restrict a switchport to a single, learned MAC address, potentially preventing such security issues as:

  • A user bringing in their own router, switch or hub to create a rogue network.
  • A user unplugging their corporate PC and plugging in an unauthorized laptop.
  • Unauthorized use of a virtual machine (VM) on a PC, which presents a new MAC address on the port.

It’s easy to see that the VM – Parallels in this case – uses a separate MAC address for its separate IP in the following screenshot (not reproduced here):

We can mitigate problems from normal, non-hacker users; presumably hackers could spoof a laptop’s MAC address. Shoot, I can even plug in my old Linksys NAT router, have it “clone” my PC’s MAC address, and it will get around everything on the list above. But it does afford some level of protection, so off we go…

Last time the Sticky wasn’t working quite right (thanks to errors in Cisco book!):

“During this practice setup, I found that the 3550 switch DID restrict use of multiple MACs, but it didn’t learn a “Sticky MAC” address and permitted me to swap out one PC for another, though I followed Cisco’s instructions (ISBN-10: 1-58720-171-2) where it indicates that Sticky Learning is the default. However, later research on the Cisco web site indicates it’s not (see Note 1 below). I’ll try the switchport port-security mac-address sticky command next time.”

So this time I used the right IOS, so we get to see some security in action.

Note: The running-config is actually changed: the switch adds new “sticky” lines with the learned MAC addresses appended (“…sticky ####.####.####”).

Also, I’ll note here that I attempted to proceed with DAI (Dynamic ARP Inspection), but the switch’s CLI simply returned an error that the ip arp… command is invalid. The ip source binding command was also unavailable. Hmmm. Our switches are running IOS Release 12.1; Cisco’s web site shows this command supported on a 3550 using Cisco IOS Release 12.2(35)SE (see web page). Administration so far refuses to upgrade the IOS release (sigh!)

Now on to the blow-by-blow account of Port-security:

I’ll spare the net diagram: it’s a server plugged into port Fa0/1, four PCs into Fa0/2 – 5.

Set up the initial config as follows:

hostname 3550sw1
!
spanning-tree mode rapid-pvst
!
ip dhcp snooping
ip dhcp snooping vlan 1
!
interface range fa0/2 - 5
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation restrict
ip dhcp snooping limit rate 5
no ip address
spanning-tree portfast
no shutdown
!
interface fa0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation restrict
ip dhcp snooping trust
no ip address
spanning-tree portfast
no shutdown
!
interface Vlan1
ip address 1.1.1.254 255.255.255.0
no shutdown
!
line con 0
logging synchronous
end
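Once a config like the one above is in place, the question a defender keeps asking is whether every access port actually got it. The following is an added example, not part of the original post and not a Cisco tool: a small Python auditor that splits an IOS running-config into interface stanzas and reports ports that are missing port-security, sticky learning, or an explicit violation mode, or that allow more MACs than policy permits. The sample config embedded below is constructed for the example and modelled on the running-config shown later in the post (Fa0/6 is in its factory “dynamic desirable” state; Fa0/7 is a made-up port with port-security but no sticky or violation line); the function and parameter names (parse_interfaces, audit_port, max_allowed) are my own.

```python
import re

# Constructed sample modelled on the post's running-config. Fa0/7 is invented
# to show a port that has port-security but relies on the IOS defaults
# (dynamic learning only, violation mode shutdown).
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0019.d108.4378
 no ip address
 spanning-tree portfast
 ip dhcp snooping trust
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0016.d407.2359
 switchport port-security mac-address sticky 00f2.530d.565a
 no ip address
 spanning-tree portfast
 ip dhcp snooping limit rate 5
!
interface FastEthernet0/6
 switchport mode dynamic desirable
 no ip address
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 no ip address
!
interface Vlan1
 ip address 1.1.1.254 255.255.255.0
!
end
"""


def parse_interfaces(config_text):
    """Split an IOS running-config into {interface name: [commands]}.

    A stanza ends at '!', a blank line, 'end', or the next 'interface' line,
    so the parser also copes with a config whose indentation was lost."""
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("!", "", "end"):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_port(name, cmds, max_allowed=1):
    """Return a list of findings for one physical port (empty list = compliant)."""
    findings = []
    if not re.match(r"(Fast|Gigabit)Ethernet", name):
        return findings  # SVIs and other logical interfaces are out of scope
    mode = next((c.split("switchport mode ", 1)[1]
                 for c in cmds if c.startswith("switchport mode ")), None)
    if "switchport port-security" not in cmds:
        findings.append(f"port-security not enabled (switchport mode: {mode or 'default'})")
        return findings
    if mode != "access":
        findings.append(f"expected a static access port, mode is {mode or 'default'}")
    if "switchport port-security mac-address sticky" not in cmds:
        findings.append("sticky learning not enabled; learned MACs are lost on reload")
    if not any(c.startswith("switchport port-security violation ") for c in cmds):
        findings.append("violation mode not set explicitly; IOS default is shutdown (err-disable)")
    maximum = next((int(c.split()[-1]) for c in cmds
                    if c.startswith("switchport port-security maximum ")), 1)  # IOS default 1
    if maximum > max_allowed:
        findings.append(f"maximum {maximum} exceeds policy ({max_allowed})")
    return findings


def audit_config(config_text, max_allowed=1):
    """Audit every interface; only ports with findings appear in the result."""
    report = {}
    for name, cmds in parse_interfaces(config_text).items():
        findings = audit_port(name, cmds, max_allowed)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG, max_allowed=2).items():
        for f in findings:
            print(f"{port}: {f}")
```

Run against the real running-config with max_allowed set to whatever your desk policy is; a port that legitimately needs two MACs (the laptop-plus-VM case from this post) shows up as a policy exception you can then document rather than one you discover by accident.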

Now Let’s see what we have:

3550sw1#sho port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1            1            1                  0         Restrict
      Fa0/2            1            1                  0         Restrict
      Fa0/3            1            1                  0         Restrict
      Fa0/4            1            1                  0         Restrict
      Fa0/5            1            1                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 5120

Now to activate the virtual PC on the laptop (which is on port Fa0/5 using IP 1.1.1.15):

3550sw1#
00:06:32: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00f2.530d.565a on port FastEthernet0/5.
3550sw1#
00:06:43: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00f2.530d.565a on port FastEthernet0/5.
3550sw1#
00:06:59: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00f2.530d.565a on port FastEthernet0/5.

This is as I’d hoped. The 2nd MAC address of the virtual machine triggered this event.
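Those PSECURE_VIOLATION lines are exactly what you want landing in a syslog collector, but three copies of the same message are noise; what the operator needs is “port X saw unauthorized MAC Y, N times, between these timestamps”. The following is an added example, not part of the original post: a Python parser for the violation messages as the switch printed them above, collapsing repeats per port and MAC. The sample log is constructed from the three messages in the post plus one made-up violation on another port (MAC 0200.0000.0001 is a placeholder) and one unrelated message to show filtering; the names parse_violations, summarize and report are my own.

```python
import re
from collections import defaultdict

# Matches the IOS message as shown in the post. The leading HH:MM:SS is the
# uptime timestamp ("service timestamps log uptime" in the running-config).
PSECURE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): %PORT_SECURITY-2-PSECURE_VIOLATION: "
    r"Security violation occurred, caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+)\.$"
)

# Constructed sample: the post's three messages, one invented violation on
# Fa0/3 with a placeholder MAC, and one unrelated IOS message.
SAMPLE_LOG = """\
00:06:32: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00f2.530d.565a on port FastEthernet0/5.
00:06:43: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00f2.530d.565a on port FastEthernet0/5.
00:06:59: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00f2.530d.565a on port FastEthernet0/5.
00:07:10: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.0000.0001 on port FastEthernet0/3.
00:07:11: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_violations(log_text):
    """Return one dict (ts, mac, port) per violation line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = PSECURE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Collapse repeats into {port: {mac: (count, first_seen, last_seen)}}."""
    summary = defaultdict(dict)
    for ev in events:
        port, mac, ts = ev["port"], ev["mac"], ev["ts"]
        count, first, _ = summary[port].get(mac, (0, ts, ts))
        summary[port][mac] = (count + 1, first, ts)
    return dict(summary)


def report(summary):
    """One line per (port, MAC), most-repeated MAC first within a port."""
    lines = []
    for port in sorted(summary):
        by_count = sorted(summary[port].items(), key=lambda kv: -kv[1][0])
        for mac, (count, first, last) in by_count:
            lines.append(f"{port}: unauthorized MAC {mac} seen {count}x "
                         f"between {first} and {last}")
    return lines


if __name__ == "__main__":
    for line in report(summarize(parse_violations(SAMPLE_LOG))):
        print(line)
```

Note that the switch’s own counter (Security Violation Count : 4, shown below) is higher than the number of messages logged; IOS rate-limits the syslog, so the log tells you a violation happened and roughly when, while the show command is the authoritative count.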

3550sw1#sho port-security int fa0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address : 00f2.530d.565a
Security Violation Count : 4

3550sw1#sho port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1            1            1                  0         Restrict
      Fa0/2            1            1                  0         Restrict
      Fa0/3            1            1                  0         Restrict
      Fa0/4            1            1                  0         Restrict
      Fa0/5            1            1                  4         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 5120

Now to configure that port to allow up to two MAC addresses:

3550sw1(config)#int fa0/5
3550sw1(config-if)#switchport port-security maximum 2
3550sw1(config-if)#end

3550sw1#sho port-security int fa0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address : 00f2.530d.565a
Security Violation Count : 4

3550sw1#sho port-security int fa0/5 address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0016.d407.2359    SecureSticky        Fa0/5        -
   1    00f2.530d.565a    SecureSticky        Fa0/5        -
-------------------------------------------------------------------
Total Addresses: 2

Note the first MAC address listed above is the actual physical MAC address for the laptop’s NIC.

Note 1 about book errata and the proper commands for switchport port-security mac-address sticky

I consider these book errata. Cisco has book support and errata on the Cisco Press web site. If you dig for a while you can find access to book support here: http://www.ciscopress.com/search/support.asp?rl=1 and can submit errata here: http://www.ciscopress.com/about/contact_us/index.asp?rl=1 . My submissions today were:

Chapter 15, p. 389. Text says “Each interface using port security dynamically learns…sticky MAC addresses.” My experience shows otherwise. Also, see p. 8 of http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swtrafc.pdf where it shows that you must use a specific command to enable Sticky.

Chapter 15, p. 399. Not an error so much as an opportunity for a gray box. My lab work shows the ip arp… command unavailable until a more recent IOS release for a 3550 switch. Not sure when it became available, but 12.1(19)EA1c doesn’t support this. In other parts of the book, the “gray boxes” give helpful tips about this kind of thing.

The following section is cut and quoted completely from the above mentioned PDF from Cisco’s web site:

Secure MAC Addresses

You can configure these types of secure MAC addresses:

  • Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
  • Dynamic secure MAC addresses—These are dynamically learned, stored only in the address table, and removed when the switch restarts.
  • Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, we do not recommend it.

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the configuration, they are lost.

If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

The maximum number of available MAC addresses on a secure port or VLAN is determined by the active Switch Database Management (SDM) template. See the “Optimizing System Resources for User-Selected Features” section on page 6-26 for more information about configuring an SDM template.
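The three address types in the quoted section, the conversion that happens when sticky learning is switched on or off, and what survives a reload with and without a saved config are easier to hold in your head as a state machine. The following is an added example, not Cisco code and not part of the original post: a Python model of one port-security port that replays the Fa0/5 sequence from earlier in the post (laptop learned as sticky, the VM’s second MAC dropped and counted four times under restrict, then accepted once the maximum is raised to 2) and goes a step beyond the post by modelling all three IOS violation modes (protect, restrict, shutdown). The class and method names (SecurePort, receive, reload, replay_post_scenario) are mine; the placeholder MACs 0200.0000.000x are constructed.

```python
class SecurePort:
    """Models the secure-address table of one switchport (not Cisco's code)."""

    def __init__(self, name, maximum=1, violation="restrict", sticky=False):
        self.name = name
        self.maximum = maximum        # switchport port-security maximum N (IOS default 1)
        self.violation = violation    # protect | restrict | shutdown (IOS default shutdown)
        self.sticky = sticky          # switchport port-security mac-address sticky
        self.addresses = {}           # mac -> SecureDynamic | SecureSticky | SecureConfigured
        self.violations = 0           # the "Security Violation Count" the switch shows
        self.last_source = None
        self.status = "Secure-up"
        self.log = []

    def configure_mac(self, mac):
        """switchport port-security mac-address <mac>: a static secure address."""
        if mac not in self.addresses and len(self.addresses) >= self.maximum:
            raise ValueError("maximum secure addresses already reached")
        self.addresses[mac] = "SecureConfigured"

    def set_maximum(self, n):
        self.maximum = n

    def enable_sticky(self):
        """Every dynamic address already learned becomes sticky."""
        self.sticky = True
        for mac, kind in self.addresses.items():
            if kind == "SecureDynamic":
                self.addresses[mac] = "SecureSticky"

    def disable_sticky(self):
        """Sticky addresses fall back to dynamic and leave the running-config."""
        self.sticky = False
        for mac, kind in self.addresses.items():
            if kind == "SecureSticky":
                self.addresses[mac] = "SecureDynamic"

    def receive(self, src_mac):
        """A frame with source MAC src_mac arrives; returns 'forwarded' or 'dropped'."""
        if self.status == "Err-disabled":
            return "dropped"
        self.last_source = src_mac
        if src_mac in self.addresses:
            return "forwarded"
        if len(self.addresses) < self.maximum:
            self.addresses[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forwarded"
        # Violation. All three modes drop the frame; restrict and shutdown also
        # count and log it, and shutdown err-disables the port.
        if self.violation != "protect":
            self.violations += 1
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                            f"occurred, caused by MAC address {src_mac} on port {self.name}.")
            if self.violation == "shutdown":
                self.status = "Err-disabled"
        return "dropped"

    def running_config(self):
        """The interface stanza the switch would show, sticky lines included."""
        lines = [f"interface {self.name}", " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.addresses.items():
            if kind == "SecureSticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
            elif kind == "SecureConfigured":
                lines.append(f" switchport port-security mac-address {mac}")
        return lines

    def reload(self, saved):
        """Switch restart. Dynamic entries never survive; sticky and static entries
        survive only if the running-config was written to startup-config (saved=True)."""
        self.addresses = {mac: kind for mac, kind in self.addresses.items()
                          if saved and kind != "SecureDynamic"}
        self.violations = 0
        self.last_source = None
        self.status = "Secure-up"
        self.log = []


def replay_post_scenario():
    """Replays what the post shows on Fa0/5: one laptop, then the VM's second MAC."""
    port = SecurePort("FastEthernet0/5", maximum=1, violation="restrict", sticky=True)
    port.receive("0016.d407.2359")                                  # laptop NIC, learned sticky
    results = [port.receive("00f2.530d.565a") for _ in range(4)]    # the VM's MAC, 4 frames
    port.set_maximum(2)                                             # switchport port-security maximum 2
    after = port.receive("00f2.530d.565a")
    return results, port.violations, after, sorted(port.addresses)


if __name__ == "__main__":
    print(replay_post_scenario())
```

The reload method is the part worth staring at: a port that has learned its sticky address but whose config was never written to startup-config comes back empty after a power cycle and silently learns whatever is plugged in first, which is the failure the quoted Cisco text is warning about.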

Here is the Running-Config, FWIW:

Current configuration : 3681 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3550sw1
!
!
ip subnet-zero
!
ip dhcp snooping vlan 1
ip dhcp snooping
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0019.d108.4378
no ip address
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0019.d108.57ce
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/3
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0019.d108.585b
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/4
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0019.d108.560f
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/5
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0016.d407.2359
switchport port-security mac-address sticky 00f2.530d.565a
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/6
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/7
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/8
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/9
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/10
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/11
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/12
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/13
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/14
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/15
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/16
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/17
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/18
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/19
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/20
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/21
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/22
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/23
switchport mode dynamic desirable
no ip address
!
interface FastEthernet0/24
switchport mode dynamic desirable
no ip address
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
no ip address
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
no ip address
!
interface Vlan1
ip address 1.1.1.254 255.255.255.0
!
ip classless
ip http server
!
!
!
line con 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
!
end


Written by scottledyard

2007, April 14th at 9:53 pm

Posted in CCNP, Cisco, Cisco Switches

One Response


  1. I know this is an old post, but in today’s world I wouldn’t at all rely on sticky mode as a form of security: one can much too easily clone a MAC address and get access. One should at least use IEEE 802.1X authentication and force domain computers to log on with machine credentials: only domain computers will get access to the data VLAN. Edge boxes that don’t support dot1x authentication can be given access with MAC bypass; but as this is then as insecure as sticky mode, you should isolate these ‘MAC only’ devices in a VLAN that only gives them the minimum required access (e.g. printers: only allow traffic terminating on the device, or only limited types of traffic [via ACLs on switches or routers], etc.).
    Imho sticky mode is security that might have been OK in the 1990’s but NOT in the 201x’s era. It gives a very false idea of security….

    Jan Tonkens

    2013, May 16th at 6:56 pm

