• No results found

To stop an attacker in his tracks, a mechanism called port security comes to the rescue. In its most basic form, port security ties a given MAC address to a port by not allowing any other MAC address than the preconfigured one to show up on a secured port. When port security initially shipped, users had to manually configure a permitted MAC address—a cumbersome and error-prone task.

Today, port security is more flexible and can listen for one or more MAC addresses before locking down access to only that or those dynamically learned MAC addresses. Dynamic and static configurations are also permitted. A violation occurs when the source MAC address of a frame differs from the list of secure addresses. At that point, three actions are possible:

The port error-disables for a specified duration. (It can be unlimited, but if not, automatic recovery can be performed.) An Simple Network Management Protocol (SNMP) trap is generated.

The port drops frames from unknown addresses (protect mode).

The port drops frames from unknown addresses and increments a violation counter. SNMP traps generation is possible on some releases/Cisco switches (restrict mode). On certain switches, port security can also be configured to stop unknown unicast floods to be propagated off a port.

When a secure link goes down, MAC addresses that were associated with the port normally disappear. However, some switches (Catalyst 6500 running a recent IOS release, for example) support sticky MAC addresses—when the port goes down, the MAC addresses that have been learned remain associated with that port. They can be saved in the configuration file.

The most common and recommended port-security setting is dynamic mode with one MAC address for ports where a single device is supposed to connect, with a drop action on violation (restrict action).

NOTE For IP Telephony configurations where a Cisco IP phone connects to the port and a PC connects to the IP phone, three MAC addresses should be allowed per secure port. The phone itself uses one MAC address, and so does the PC. This makes two addresses. Where does the third one come from?

The IP phone actually contains a processor connected to an internal switch. That processor uses a MAC address when it sends traffic. Shortly after booting, the IP phone attempts to discover (through the Cisco Discovery Protocol [CDP]) the voice and data VLAN mappings. To do so, the phone generates frames by using its MAC in the data VLAN, which is, at this point, the only VLAN of which the phone is aware. Therefore, the switch temporarily sees three MAC addresses on the port.

Example 2-10 shows a sample configuration and what can be expected from it if an attack occurs.

Three dynamic addresses are permitted, and three have been secured (through addresses that were gleaned from incoming traffic). If you look at the bridging table for interface F8/ 4 in Example 2-11, however, you notice something probably unexpected if you are unfamiliar with port security.

There are more than three addresses off that port! How can this be? Note that the switch marks only three addresses as static. Those are the secure addresses that port security learned dynamically. Traffic from any other address is simply discarded—a special bit is used internally for that purpose; the show mac-addresscommand unfortunately does not display it. The show port-security addresscommand verifies that the static addresses match those registered by port security, as shown in Example 2-12.

Example 2-10 Port-Security Settings (Catalyst 6500)

6K-2-S2# show port-security interface f8/4 Port Security : Enabled

Port Status : Secure-up Violation Mode : Restrict Aging Time : 0 mins Maximum MAC Addresses : 3 Total MAC Addresses : 3 Configured MAC Addresses : 0

Last Source Address : 4428.6d15.b219 Security Violation Count : 9

Example 2-11 Displaying Addresses Learned from a Port

6K-2-S2# show mac-address-table interface f8/4

Legend: * - primary entry

vlan mac address type learn ports

---+---+---+---+--- * 20 b88c.0f06.6cb4 static Yes Fa8/4

* 20 7235.1b19.d3e6 dynamic Yes Fa8/4 * 20 f492.f751.fab6 static Yes Fa8/4 * 20 52dd.c278.1203 dynamic Yes Fa8/4 * 20 9ef8.3070.8e9e dynamic Yes Fa8/4 * 20 a2e2.ba2b.6c18 static Yes Fa8/4 * 20 68dc.ce6e.be5d dynamic Yes Fa8/4

Example 2-12 Displaying Secured Addresses Only 6K-2-S2# show port-security address

Secure Mac Address Table

--- Vlan Mac Address Type Ports Remaining Age (mins) ---- --- ---- --- ---

Not all hardware platforms react similarly when handling a MAC flooding attack using port security. For example, during a heavy attack and with the action on violation set to restrict or protect (no shutdown of the port), a Catalyst 6500 equipped with a Supervisor Engine 1 or 2 might become unresponsive when commands related to the bridging table are executed (show mac-address dynamicand so on). A quick look at the supervisor engine shows the results in Example 2-13.

The high CPU utilization condition is caused by port security being faced with a massive flow of incoming frames using random source MAC addresses. Learning and filtering traffic from those random MAC addresses is achieved by a software task running on the control plane, and as such, it uses CPU cycles. A Catalyst 6500 fitted with a Supervisor Engine 720 does not exhibit this symptom because it ships with a built-in hardware-based rate limiter that prevents more than a few thousand packets per second from hitting the control plane.