Port Security is an extremely important technology for preventing CAM table poisoning, an attack that effectively turns your managed Cisco switch into a $10,000 hub. In this lab you will learn how this security vulnerability can cost you your job and how to prevent such intrusions.
When it comes to protecting your switching infrastructure, one thing that often gets overlooked is protecting the CAM table of Cisco Switches. Unless you specifically read up on securing Cisco Switches, the CCNA Routing and Switching curriculum barely touches on this concept.
First off, let's start out with what the CAM table is.
A Cisco Catalyst switch contains very specific microchips that copy an Ethernet frame from an ingress port to an egress port based on its source (SRC) and destination (DST) MAC addresses. Among the other functions of the CAM table is storing the MAC address table.
In a CAM table attack, the attacker floods the switch with bogus MAC addresses to exhaust the resources of the CAM table, forcing the switch to forward frames received on a given interface out ALL interfaces in the attached VLAN. This in turn gives the attacker the ability to capture and analyze traffic on his computer and gather information destined for computers other than his own. For example, unencrypted server-to-server or client-to-server communication could easily be viewed in Wireshark during this type of attack.
So how exactly do we prevent CAM Table poisoning? Through the use of Port Security.
Port Security is a layer 2 security feature that limits Catalyst switchport(s) to learning only a configured number of MAC addresses before triggering an administrative action such as disabling the port or restricting the port. When a switchport with port security configured for a maximum of 3 MAC addresses receives a frame with a NEW SRC MAC address other than the 3 already known ones, it triggers the administratively configured action. By default this is to shut down the interface and place it into ERR-DISABLED mode.
While this layer 2 security feature is not the best way to secure your layer 2 switches, it will in fact prevent CAM table poisoning on edge switches.
The most common deployment of Port Security is with Cisco VoIP telephones. Because these telephones have a built-in switch, you must set the port-security MAC limit to 3: one for the switch, one for the phone and one for the PC connected to the phone.
In some cases you may run into a security violation with only one physical machine connected to a port, when that machine is running multiple virtual machines. For example, a developer is using VMware Workstation to develop and test software. When a new virtual PC is created inside VMware Workstation, a NEW MAC address is sent out on the wire and is also counted toward the 3-MAC limit of Port Security, which will trigger a security violation if a phone and PC are plugged into the switch and the user starts a virtual machine.
You can also limit the number of MAC addresses to a single address, and even statically configure the address if you know exactly what is connected to that port. For example, you have a printer in a public area that should be the only device connected to a given interface. You can statically configure that interface to accept traffic only from the printer's MAC address and, if a new MAC address is detected, shut down the port (ERR-Disabled).
So from a security perspective you should easily be able to see how this configuration can save your job. Let's say a computer-savvy individual on the development team is connected to the same switch as the HR department and has access to a port configured in the HR VLAN. If he can poison the CAM table successfully, he can view all unencrypted transactional information going across the switch, which could include financial information, personal information and more. These types of security violations can easily result in termination and even potentially lawsuits from outside companies against your company for failing to protect such information.
So how do you configure port-security to prevent this type of attack?
First off, you start out with the simple command switchport port-security. Keep in mind this command can only be executed on an access port, so the interface must first be set to switchport mode access.
Once port-security is enabled on the interface you can then configure the parameters as needed. To configure the maximum address limit per interface you'll use the switchport port-security maximum 3 command, where 3 is the limit.
There are three types of violation actions: shutdown, restrict and protect. The default action on a port-security violation is to shut down the interface into ERR-Disabled mode. The restrict and protect actions perform the same function; the primary difference is that the security violation counter is incremented with restrict whereas it is not with protect. Both restrict and protect drop all frames from a SRC MAC address that violates the port-security configuration.
As discussed earlier, you can statically set MAC addresses for printers, phones and/or other devices by configuring them explicitly on a given interface. There are two ways to complete this action. The first is to configure port-security to make the dynamically learned MAC addresses (in the order they are learned, up to the MAC address limit) sticky addresses; the second is to manually configure the sticky MAC address on a per-interface basis.
The term sticky MAC address means administratively defined MAC address(es) that are permitted to transmit on a given configured interface.
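To make the three violation actions and sticky learning concrete, here is a small Python model added to this lab text. It is not from the workbook and it is not IOS code, only a simplification of the behaviour described above: a port with a configured maximum, one violation action, optional sticky learning and optional static entries. The class and function names and every MAC address fed to it are this example's own constructed values.

```python
"""Model of Catalyst port-security behaviour (added example, not IOS code).

Simulates a switchport with `switchport port-security maximum N`, one of the
three violation actions, optional sticky learning and optional static entries.
Class names, method names and all MAC addresses below are this example's own.
"""
from dataclasses import dataclass, field
from enum import Enum


class Violation(Enum):
    SHUTDOWN = "shutdown"  # default: port goes err-disabled, counter increments
    RESTRICT = "restrict"  # offending frames dropped, counter increments
    PROTECT = "protect"    # offending frames dropped silently, no counter


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                       # IOS default maximum is 1
    violation: Violation = Violation.SHUTDOWN
    sticky: bool = False
    static_macs: set = field(default_factory=set)   # mac-address H.H.H entries
    learned_macs: set = field(default_factory=set)  # dynamically learned
    violation_count: int = 0
    err_disabled: bool = False

    def secured_count(self) -> int:
        """Static and learned addresses both count toward the maximum."""
        return len(self.static_macs) + len(self.learned_macs)

    def add_static(self, mac: str) -> None:
        """Equivalent of `switchport port-security mac-address H.H.H`."""
        if self.secured_count() >= self.maximum:
            raise ValueError("static address would exceed configured maximum")
        self.static_macs.add(mac.lower())

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame and report what the port did with it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (err-disabled)"
        if src_mac in self.static_macs or src_mac in self.learned_macs:
            return "forwarded"
        if self.secured_count() < self.maximum:
            # Below the limit: learn the address. With sticky learning the
            # address is also written into running-config.
            self.learned_macs.add(src_mac)
            return "learned-sticky" if self.sticky else "learned"
        # A new source MAC beyond the limit is a security violation.
        if self.violation is Violation.SHUTDOWN:
            self.violation_count += 1
            self.err_disabled = True
            return "dropped (port err-disabled)"
        if self.violation is Violation.RESTRICT:
            self.violation_count += 1
            return "dropped (restrict)"
        return "dropped (protect)"

    def sticky_config_lines(self) -> list:
        """Running-config lines that sticky learning would generate."""
        if not self.sticky:
            return []
        return [f" switchport port-security mac-address sticky {m}"
                for m in sorted(self.learned_macs)]


def compare_violation_modes() -> dict:
    """Same four constructed frames against maximum 1 in each violation mode."""
    frames = ["0023.5e01.f7e8", "0023.5e01.f7e8",   # the legitimate host, twice
              "0011.2233.4455", "0011.2233.4466"]   # two unknown source MACs
    results = {}
    for mode in Violation:
        port = SecurePort(name="Fa0/1", maximum=1, violation=mode, sticky=True)
        actions = [port.receive(m) for m in frames]
        results[mode.value] = {"actions": actions,
                               "violations": port.violation_count,
                               "err_disabled": port.err_disabled}
    return results


def voip_scenario() -> dict:
    """Maximum 3 for phone switch + phone + PC; a VM's MAC is a fourth address."""
    port = SecurePort(name="Fa0/2", maximum=3, violation=Violation.RESTRICT)
    macs = ["0011.0000.0001", "0011.0000.0002",   # phone's internal switch, phone
            "0011.0000.0003",                     # the PC behind the phone
            "0011.0000.0004"]                     # VM started on that PC
    actions = [port.receive(m) for m in macs]
    return {"actions": actions, "violations": port.violation_count}


if __name__ == "__main__":
    for mode, result in compare_violation_modes().items():
        print(mode, result)
    print(voip_scenario())
```

Running it shows the trade-off in the text: shutdown takes the whole port out of service on the first unknown address, restrict keeps the legitimate host working and gives you a counter to alarm on, and protect drops the same frames but leaves nothing to alarm on.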
Familiarize yourself with the list of commands compiled below:
Command | Description |
---|---|
show port-security | This command when executed in user/privileged mode displays port-security status for each secured interface. |
switchport port-security | This command when executed in interface configuration mode enables port-security on the configured interface. |
switchport port-security violation {shutdown, restrict, protect} | This command when executed in interface configuration mode sets the port-security violation action, the default is shutdown. |
switchport port-security maximum # | This command when executed in interface configuration mode sets the maximum number of dynamically learned MAC addresses on the configured port. |
switchport port-security mac-address sticky | This command when executed in interface configuration mode sets the learned MAC addresses as sticky MAC Addresses. |
switchport port-security mac-address H.H.H | This command when executed in interface configuration mode statically sets a MAC address permitted to transmit on the configured interface. |
To get started with this lab exercise please review the lab topology and prerequisites prior to loading initial configs and attempting the objective(s).
The following logical topology is used in all labs found throughout Section 1 of the CCNA Security Workbook:
To view the physical cabling topology please visit the Topology page.
The following initial configurations are provided as a base configuration to start the lab with. You may copy and paste these configurations directly into the terminal window of Stub Lab devices.
This lab requires that you have console access to Cisco Catalyst switches. You cannot complete this lab using the NM-16ESW in GNS3. If you do not own Cisco switches you can reserve free lab time on the Stub Lab and get free access to four Cisco Catalyst 3560 Series switches.
Load the initial configuration provided in this lab by copying and pasting it into the terminal window of the respective device(s).
In this lab you will complete the following objectives.
It is recommended that you attempt to complete these lab objectives the first time without looking at the Lab Instruction section.
If you are a student preparing for the Cisco CCNA Security Certification Exam, then you are more likely to remember how to complete these objectives if you attempt them the first time on your own, using the core knowledge section found in this lab. You should only resort to the Lab Instruction section to verify your work.
Objective 1. – Configure Port Security on SW1’s FastEthernet0/1 interface. Limit the MAC address on this interface to 1 and make it sticky.
```
SW1>enable
SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fa0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 1
SW1(config-if)#switchport port-security mac-address sticky
SW1(config-if)#exit
SW1(config)#
```
Objective 2. – Configure Port-Security on SW1’s FastEthernet0/2 interface with the limit of 3 MAC addresses and restrict the port if a security violation occurs.
```
SW1>enable
SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fa0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#switchport port-security violation restrict
SW1(config-if)#exit
SW1(config)#
```
Objective 3. – Verify your configuration.
```
SW1#sh run int fa0/1
Building configuration...

Current configuration : 232 bytes
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0023.5e01.f7e8 vlan access
 spanning-tree bpduguard enable
end

SW1#sh run int fa0/2
Building configuration...

Current configuration : 164 bytes
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
end

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              3            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#
```
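Checking this output by eye works for two ports; across a closet of edge switches you would collect it and parse it. As an added example that is not part of the workbook, here is a Python parser for the summary table that show port-security prints, with a check that flags ports whose violation counter has incremented. The Fa0/1 and Fa0/2 rows of the embedded sample are the verification output above; the Fa0/3 row and the system totals that go with it are constructed to exercise the check, and all function names are this example's own.

```python
"""Parse `show port-security` summary output (added example, not from the workbook).

`parse_port_security` turns the per-port table into dictionaries; `violating_ports`
returns the ports whose SecurityViolation counter is non-zero, which is what a
monitoring job would alert on. The Fa0/1 and Fa0/2 rows of SAMPLE_OUTPUT are the
lab's own verification output; the Fa0/3 row is constructed to exercise the check.
"""
import re

SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              3            0                  0         Restrict
      Fa0/3              3            3                  2         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 6144
"""

# One data row: interface name, three integer counters, then the action keyword.
ROW = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")
# The two system-wide summary lines at the bottom of the table.
TOTAL = re.compile(
    r"^(Total Addresses in System|Max Addresses limit in System).*:\s*(\d+)\s*$")


def parse_port_security(text: str) -> dict:
    """Return {'ports': [...], 'total_addresses': int, 'max_addresses': int}."""
    parsed = {"ports": [], "total_addresses": None, "max_addresses": None}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            parsed["ports"].append({
                "port": m.group(1),
                "max_secure": int(m.group(2)),
                "current": int(m.group(3)),
                "violations": int(m.group(4)),
                "action": m.group(5).lower(),
            })
            continue
        t = TOTAL.match(line)
        if t:
            key = ("total_addresses" if t.group(1).startswith("Total")
                   else "max_addresses")
            parsed[key] = int(t.group(2))
    return parsed


def violating_ports(parsed: dict) -> list:
    """Ports whose violation counter has incremented (restrict or shutdown mode)."""
    return [p["port"] for p in parsed["ports"] if p["violations"] > 0]


def ports_at_limit(parsed: dict) -> list:
    """Ports with no headroom left: secured address count equals the maximum."""
    return [p["port"] for p in parsed["ports"]
            if p["current"] >= p["max_secure"]]


if __name__ == "__main__":
    data = parse_port_security(SAMPLE_OUTPUT)
    print("violations on:", violating_ports(data))
    print("at limit:", ports_at_limit(data))
    print("system limit:", data["max_addresses"])
```

Two caveats follow directly from the text above: a port in protect mode never increments the counter, so violating_ports cannot see it, and a port at its limit is not by itself a problem (Fa0/1 with 1 of 1 is exactly the intended state); the second list is only useful for spotting ports that will violate on the next new address.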