๐ŸŽฏ Lab Objectives

  • Understand MAC flooding attacks and how port security prevents them
  • Configure maximum MAC address count per port
  • Use sticky learning to automatically learn and lock MAC addresses
  • Configure violation modes: protect, restrict, shutdown
  • Recover a port from err-disabled state
๐Ÿ‘ถ
Port Security lets you control which devices (identified by MAC address) can connect to a switch port. Without it, an attacker can flood the switch's MAC table (CAM table overflow), forcing it to broadcast all traffic โ€” enabling eavesdropping.

Step 1 โ€” Why Port Security?

# CAM Table Overflow Attack (MAC Flooding)
1. Switches use a MAC address table (CAM table) to forward frames
2. CAM table has limited size (e.g., 8192 entries)
3. Attacker floods switch with frames using random fake MAC addresses
4. CAM table fills up โ†’ switch can't add legitimate MACs
5. Switch enters "fail-open" mode โ†’ broadcasts EVERYTHING on all ports
6. Attacker captures all traffic (like a hub) โ†’ captures passwords, data

# Tool: macof (part of dsniff suite)
macof -i eth0   โ†’ floods switch with ~155,000 random MACs/minute

# Port security defence:
# Limit how many MACs can be learned on each port
# If limit exceeded โ†’ trigger a violation action

Step 2 โ€” Basic Port Security Configuration

# Port security only works on ACCESS ports (not trunk ports)

interface GigabitEthernet0/1
 switchport mode access       # must be access mode first
 switchport port-security     # enable port security

# Default behaviour after enabling:
# Maximum MACs: 1
# Violation mode: shutdown
# MAC learning: dynamic (learns first MAC, locks on violation)

# Manually specify which MAC is allowed:
interface GigabitEthernet0/1
 switchport port-security mac-address AA:BB:CC:DD:EE:FF   # static MAC

Step 3 โ€” MAC Address Limits

# Allow up to 3 devices on a port (e.g., phone, PC, IP printer)
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3   # allow 3 MACs max

# Common port security configurations:
Access port (PC):     maximum 1  (only that PC)
IP Phone + PC:        maximum 2  (phone + PC)
Server port:          maximum 1  (just the server)
Printer port:         maximum 1

Step 4 โ€” Sticky MAC Learning

# Problem with static MAC: you'd have to configure each MAC manually
# Solution: sticky learning โ€” dynamically learn and SAVE MAC addresses

interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky

# What happens:
# 1. First device connects โ†’ its MAC is learned and SAVED to running-config
# 2. MAC appears as: switchport port-security mac-address sticky AA:BB:CC:DD:EE:FF
# 3. Save with: copy running-config startup-config
# 4. Now if a different device connects โ†’ violation triggered

# View sticky learned MACs:
show running-config interface Gi0/1
switchport port-security mac-address sticky aa11.bb22.cc33   โ† auto-learned!

Step 5 โ€” Violation Modes

# Three actions when a violation occurs:

# PROTECT โ€” silently drops frames from unknown MACs, no notification
switchport port-security violation protect
# Use: when false positives are frequent (noisy environment)

# RESTRICT โ€” drops frames + logs syslog message + increments violation counter
switchport port-security violation restrict
# Use: when you want visibility but don't want ports going down

# SHUTDOWN โ€” puts port in err-disabled state + syslog (DEFAULT)
switchport port-security violation shutdown
# Use: maximum security โ€” any violation kills the port

# Comparison:
Mode      | Drops frames | Syslog | Counter++ | Port state
----------|--------------|--------|-----------|----------
Protect   |      โœ“       |   โœ—    |    โœ—      | Up
Restrict  |      โœ“       |   โœ“    |    โœ“      | Up
Shutdown  |      โœ“       |   โœ“    |    โœ“      | Err-disabled

Step 6 โ€” Verify & Recover

# Show port security status on all ports
show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
Gi0/1              1             1               0           Shutdown

# Show detail for one port
show port-security interface GigabitEthernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Last Source Address        : aa:bb:cc:dd:ee:ff

# Show all secured MAC addresses
show port-security address

# Recover a port from err-disabled:
interface GigabitEthernet0/1
 shutdown
 no shutdown
# Note: violation will trigger again if same MAC connects!
# Clear the sticky MACs before bringing port up:
 no switchport port-security mac-address sticky

# Auto-recovery (optional โ€” re-enables port after X seconds)
errdisable recovery cause psecure-violation
errdisable recovery interval 300   # re-enable after 300 seconds
โœ…
Lab Complete! Port security + DHCP snooping + Dynamic ARP Inspection (DAI) together form the Layer 2 security trinity. All three are CCNA exam topics.
Related: STP Lab โ†’ โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands