Introduction
One of the best practices in network security is to stop threats at the entry point of the LAN. The access switch is that entry point, so it can play an important role in network security.
For example, port security on Cisco switches can be used to stop MAC-flooding attacks. In MAC flooding, an attacker connects a laptop to an empty switch port or an unused RJ45 wall socket and uses hacking tools to generate millions of Ethernet frames with fake source MAC addresses, sending them to the switch interface. The switch learns these MAC addresses, and once its MAC address table (the CAM table) is full it starts flooding traffic out of all of its ports (i.e. it behaves like a hub). The attacker can then capture traffic from the other connected devices.
The solution to this kind of attack (and to other Layer 2 attacks as well) is easy and simple. It’s called Port Security, and you can use it to limit the number of MAC addresses per interface or even to specify which MAC address is allowed on each physical port of the switch.
I'm loving the PowerConnect 8024f and 5524p, very happy with both of them, I'm just lost on how to quickly clear a port of all config and make it stock/blank again. In Cisco IOS land I was very used to running (at config) default int gig 1/0/12, or even default int range gig 1/0/1-12, but I'm struggling to find the equal for the PowerConnects.
Configuration of Port Security
Let’s now see the basic port-security configuration on Cisco switches.
I will be using a Cisco 3560 switch running IOS version 15.0 for this tutorial.
TestSwitch#show version
Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE7, RELEASE SOFTWARE (fc1)
Setting MAC address limits per port
Below is an example of Port Security where only one MAC address is allowed on interface g0/1.
TestSwitch(config)#int g0/1
TestSwitch(config-if)#switchport mode access
TestSwitch(config-if)#switchport port-security
TestSwitch(config-if)#switchport port-security maximum 1
Now interface g0/1 is allowed to learn only one MAC address. If frames from a second source MAC address arrive on this interface, it will go into the err-disabled state.
Setting MAC address filtering per port
Besides setting a maximum limit on the number of MAC addresses, you can also use port security to filter MAC addresses. In the following example I configure port security so that only MAC address f1d3.2c9f.abdc.ccba is allowed on this particular port of the switch.
TestSwitch(config)#int g0/1
TestSwitch(config-if)#switchport mode access
TestSwitch(config-if)#switchport port-security
TestSwitch(config-if)#switchport port-security mac-address f1d3.2c9f.abdc.ccba
Any device with a different MAC address will violate the rule and the interface will go into the err-disabled state.
If a violation occurs you will see messages like the ones below:
%PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f02d.3f4e.2dcc on port GigabitEthernet0/1.
As you can see from the log messages above, a device with MAC address f02d.3f4e.2dcc violated port security and the interface went into the err-disabled state.
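The two syslog lines above are exactly what a SIEM or a small log-watching script should key on. The following Python is an added example (not part of the original tutorial) that parses a constructed syslog excerpt in that format, correlates the PSECURE_VIOLATION message with the PM-4-ERR_DISABLE message for the same port, and summarizes violations per port. The sample log text, the short-name abbreviation rule and the summary layout are this example's own assumptions; the message formats are copied from the tutorial's output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample syslog excerpt in the format shown in the tutorial (not a real capture).
SAMPLE_LOG = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f02d.3f4e.2dcc on port GigabitEthernet0/1.
%LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address F02D.3F4E.2DCC on port GigabitEthernet0/1.
"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
PORT = r"[A-Za-z]+[0-9]+(?:/[0-9]+)*"

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    rf"caused by MAC address (?P<mac>{MAC}) on port (?P<port>{PORT})"
)
ERRDISABLE_RE = re.compile(
    rf"%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on (?P<port>{PORT}), "
    r"putting \S+ in err-disable state"
)


@dataclass(frozen=True)
class Violation:
    port: str   # short interface name, e.g. Gi0/1
    mac: str    # lower-case dotted form, e.g. f02d.3f4e.2dcc


def short_name(port: str) -> str:
    """Abbreviate an IOS interface name the way 'show' output does:
    GigabitEthernet0/1 -> Gi0/1, FastEthernet0/24 -> Fa0/24."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", port)


def parse_violations(log_text: str) -> List[Violation]:
    """Extract every PSECURE_VIOLATION message as a (port, mac) event."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append(Violation(short_name(m.group("port")), m.group("mac").lower()))
    return events


def parse_errdisabled(log_text: str) -> Dict[str, str]:
    """Map each port that PM put into err-disable to the reported cause."""
    ports = {}
    for line in log_text.splitlines():
        m = ERRDISABLE_RE.search(line)
        if m:
            ports[short_name(m.group("port"))] = m.group("cause")
    return ports


def summarize(log_text: str) -> Dict[str, dict]:
    """Per port: number of violations, distinct offending MACs, and whether the
    port was also err-disabled. Many distinct MACs on one port in a short
    window is the pattern to look at first (flooding rather than one
    mis-patched device); a single repeated MAC usually means a moved host."""
    summary: Dict[str, dict] = {}
    for ev in parse_violations(log_text):
        entry = summary.setdefault(ev.port, {"count": 0, "macs": set(), "err_disabled": False})
        entry["count"] += 1
        entry["macs"].add(ev.mac)
    for port, cause in parse_errdisabled(log_text).items():
        if cause == "psecure-violation":
            entry = summary.setdefault(port, {"count": 0, "macs": set(), "err_disabled": False})
            entry["err_disabled"] = True
    for entry in summary.values():
        entry["macs"] = sorted(entry["macs"])
    return summary


if __name__ == "__main__":
    for port, info in summarize(SAMPLE_LOG).items():
        print(port, info)
```

Feed it the output of a syslog receiver (or `show logging`) instead of SAMPLE_LOG; the MAC is lower-cased so that a hit can be matched directly against an inventory or DHCP lease table.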
Setting MAC address filtering with sticky command
There is another very useful way to filter MAC addresses. Instead of typing a MAC address in manually, you can use the “sticky” keyword. With it, the switch learns the first MAC address seen on the interface and saves it as a secure address for port security.
First you have to remove the existing command (if you have configured manual MAC filtering):
TestSwitch(config-if)#no switchport port-security mac-address f1d3.2c9f.abdc.ccba
TestSwitch(config-if)#switchport port-security mac-address sticky
To see which MAC address has been learned (“stuck”) on the interface, use the “show run interface” command:
TestSwitch#sh run int g0/1
Building configuration...
Current configuration : 544 bytes
!
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security aging time 15
switchport port-security mac-address sticky
switchport port-security mac-address sticky f02d.3f4e.2dcc
As you can see from above, the switch has learned MAC address f02d.3f4e.2dcc and from now on only this address will be allowed to connect to this port.
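Sticky addresses end up in the running configuration, as the output above shows, which makes `show run` a convenient audit source: you can diff what every access port has learned against the inventory of devices that are supposed to be there. The Python below is an added example, not part of the tutorial, that parses a constructed `show running-config` excerpt (the Gi0/1 stanza from above plus two more constructed ports) into per-port port-security settings and reports anything that disagrees with a constructed inventory. The sample text, the EXPECTED inventory and the finding messages are this example's assumptions; the defaults it assumes for a port with plain `switchport port-security` (maximum 1, violation shutdown, aging 0) are the IOS defaults.

```python
from typing import Dict, List, Set, Tuple

# Constructed "show running-config interface" style output modelled on the
# tutorial's Gi0/1 stanza, extended with two more ports (not real device output).
SAMPLE_RUN = """\
Building configuration...

Current configuration : 544 bytes
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security aging time 15
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky f02d.3f4e.2dcc
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
 switchport port-security mac-address sticky 0011.2233.4466
!
interface GigabitEthernet0/3
 switchport mode access
!
end
"""

# Constructed inventory: which MAC addresses are supposed to sit behind each port.
EXPECTED: Dict[str, Set[str]] = {
    "GigabitEthernet0/1": {"f02d.3f4e.2dcc"},
    "GigabitEthernet0/2": {"0011.2233.4455"},
    "GigabitEthernet0/3": set(),
}


def _new_port() -> dict:
    # IOS defaults when port-security is enabled with no further options.
    return {"access": False, "enabled": False, "maximum": 1, "violation": "shutdown",
            "aging_time": 0, "sticky": False, "static": [], "sticky_macs": []}


def parse_port_security(run_text: str) -> Dict[str, dict]:
    """Walk the config line by line; each 'interface X' opens a new stanza and
    every 'switchport port-security ...' line inside it updates that stanza."""
    ports: Dict[str, dict] = {}
    current = None
    for raw in run_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = _new_port()
            continue
        if current is None or not line.startswith("switchport"):
            continue
        words = line.split()
        if words[1:] == ["mode", "access"]:
            ports[current]["access"] = True
            continue
        if words[1] != "port-security":
            continue
        tail = words[2:]
        p = ports[current]
        if not tail:
            p["enabled"] = True
        elif tail[0] == "maximum":
            p["maximum"] = int(tail[1])
        elif tail[0] == "violation":
            p["violation"] = tail[1]
        elif tail[:2] == ["aging", "time"]:
            p["aging_time"] = int(tail[2])
        elif tail[0] == "mac-address":
            if tail[1:] == ["sticky"]:
                p["sticky"] = True                      # sticky learning enabled
            elif tail[1] == "sticky":
                p["sticky_macs"].append(tail[2].lower())  # address the switch learned
            else:
                p["static"].append(tail[1].lower())       # address typed in by hand
    return ports


def audit(run_text: str, expected: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Compare what the switch has learned or been told against the inventory."""
    findings = []
    for name, p in parse_port_security(run_text).items():
        if p["access"] and not p["enabled"]:
            findings.append((name, "access port without port-security"))
            continue
        secure = set(p["static"]) | set(p["sticky_macs"])
        for mac in sorted(secure - expected.get(name, set())):
            findings.append((name, f"secure MAC {mac} is not in the inventory"))
        if p["maximum"] > max(1, len(expected.get(name, set()))):
            findings.append((name, f"maximum {p['maximum']} exceeds inventory size"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_RUN, EXPECTED):
        print(f"{iface}: {msg}")
```

Because sticky entries live only in the running configuration until you save it, run the audit against the running config rather than the startup config, and remember that a reload without `copy running-config startup-config` discards everything the switch has learned.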
Verification Commands
You can see which switch ports have entered the error-disabled state (because of a security violation) with the following command:
TestSwitch#show int status err-disabled
Port Name Status Reason Err-disabled Vlans
Gi0/1 err-disabled psecure-violation
You can also verify this with the “show interface g0/1” command:
TestSwitch#sh int g0/1
GigabitEthernet0/1 is down, line protocol is down (err-disabled)
To bring this interface out of the err-disabled state, unplug the offending device and then run “shutdown” followed by “no shutdown” on the interface:
TestSwitch(config)#int g0/1
TestSwitch(config-if)#shut
TestSwitch(config-if)#no shut
To verify, run “show interface status err-disabled” or “show interface g0/1” again.
Recovering from the error-disabled state
You can also set an automatic recovery on a switch-port with the following commands:
TestSwitch(config)#errdisable recovery cause psecure-violation
TestSwitch(config)#interface g0/1
TestSwitch(config-if)#switchport port-security aging time 15
After 15 minutes interface g0/1 will automatically recover from the err-disabled state. Make sure you solve the problem within these 15 minutes; otherwise there will be another violation and the interface will end up in the err-disabled state again. And don’t forget to enable automatic recovery in global configuration mode with the “errdisable recovery cause psecure-violation” command.
Other Port Security Commands
TestSwitch(config-if)#switchport port-security violation ?
protect [Security violation protect mode]
restrict [Security violation restrict mode]
shutdown [Security violation shutdown mode]
There are three actions a port can take when a violation occurs on the interface. These options are “Shutdown” (the default), “Protect” and “Restrict”.
Protect: Frames from unauthorized MAC addresses are dropped, but no log message is generated.
Restrict: Frames from unauthorized MAC addresses are dropped, a log message is generated and an SNMP trap is sent.
Shutdown: This is the default action. If the interface receives frames from an unauthorized MAC address, it goes into the err-disabled state and is effectively shut down. A log message is generated and an SNMP trap is sent. To recover, you have to re-enable the interface manually or configure automatic recovery.
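Once you have settled on a violation mode, the same handful of commands from the tutorial has to be applied consistently across every access port, which is where mistakes creep in (a mistyped MAC, a `maximum` smaller than the number of pinned addresses, a recovery timer outside the valid range). The Python below is an added example, not code from the tutorial, that renders the port-security configuration shown in this post for a list of interfaces and validates the inputs first. The constructed plan, the `restrict` default and the helper names are this example's own choices. Two facts it relies on, which the tutorial does not spell out: IOS writes a 48-bit MAC as three dotted groups of four hex digits, so a valid address has exactly 12 hex digits; and the time a port spends in err-disable before automatic recovery is set globally with `errdisable recovery interval <seconds>` (range 30 to 86400, default 300), while the per-interface `aging time` controls how long dynamically learned secure addresses are kept.

```python
import re
from typing import Iterable, List, Optional

VIOLATION_MODES = ("protect", "restrict", "shutdown")


def normalize_mac(mac: str) -> str:
    """Accept f0:2d:3f:4e:2d:cc, F0-2D-3F-4E-2D-CC or f02d.3f4e.2dcc and return
    the dotted form IOS uses. A 48-bit MAC has exactly 12 hex digits; anything
    else is rejected rather than silently written into the configuration."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def render_port_security(interface: str, *, maximum: int = 1, violation: str = "restrict",
                         sticky: bool = True, static_macs: Iterable[str] = (),
                         aging_time: Optional[int] = None) -> List[str]:
    """Interface stanza: the commands from the tutorial, with the violation mode
    made explicit. 'restrict' is this example's default because it logs and
    traps without taking the port down; pass violation='shutdown' for the IOS default."""
    if violation not in VIOLATION_MODES:
        raise ValueError(f"violation mode must be one of {VIOLATION_MODES}")
    if maximum < 1:
        raise ValueError("maximum must be at least 1")
    macs = [normalize_mac(m) for m in static_macs]
    if len(macs) > maximum:
        raise ValueError("more static MAC addresses than 'maximum' allows")
    lines = [
        f"interface {interface}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
        f" switchport port-security violation {violation}",
    ]
    if aging_time is not None:
        lines.append(f" switchport port-security aging time {aging_time}")
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    lines.extend(f" switchport port-security mac-address {m}" for m in macs)
    return lines


def render_errdisable_recovery(interval_seconds: int = 300) -> List[str]:
    """Global lines: re-enable psecure-violation ports after the interval.
    IOS accepts 30-86400 seconds; 300 is the default."""
    if not 30 <= interval_seconds <= 86400:
        raise ValueError("errdisable recovery interval must be 30-86400 seconds")
    return ["errdisable recovery cause psecure-violation",
            f"errdisable recovery interval {interval_seconds}"]


def build_config(plan: Iterable[dict], recovery_interval: int = 300) -> str:
    """plan: one dict of render_port_security keyword arguments per interface."""
    out = render_errdisable_recovery(recovery_interval) + ["!"]
    for entry in plan:
        out += render_port_security(**entry) + ["!"]
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed plan: a pinned printer port, a sticky user port, and a two-device
    # port that learns dynamically and ages addresses out after 15 minutes.
    PLAN = [
        {"interface": "GigabitEthernet0/1", "violation": "shutdown", "sticky": False,
         "static_macs": ["f0:2d:3f:4e:2d:cc"]},
        {"interface": "GigabitEthernet0/2", "violation": "restrict"},
        {"interface": "GigabitEthernet0/3", "violation": "restrict", "maximum": 2,
         "sticky": False, "aging_time": 15},
    ]
    print(build_config(PLAN, recovery_interval=600))
```

Paste the rendered text into configuration mode, or hand it to whatever push tooling you use; the validation step is the point, since the switch itself will accept a `maximum` that contradicts the pinned addresses and only complain at violation time.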
Related Posts
Two decades ago, going through airport security was a simple process. You simply got into THE line, put your stuff through the x-ray machine, and walked through the metal detector. Today, the situation is much more complex, with as many as four different security lines at some airports, various levels of identity verification and screening offered, and a shifting array of rules and guidelines for each.
An expedited security program called CLEAR has made its way to 28 airports — and 14 stadiums — in the United States, so you’ve likely seen the kiosks and uniformed agents at airports or stadiums. And you’ve probably had a CLEAR member escorted ahead of you when going through airport security. So, here’s what you should know about CLEAR including the benefits and potential drawbacks.
How CLEAR Works
As CLEAR’s representative explained to me, today’s airport security consists of passing through two steps: identity verification and security screening. Travelers who have enrolled in CLEAR have their own separate lane for the first step, where you can utilize biometric authentication (fingerprint or eye scan) at a kiosk rather than wait for a TSA agent to inspect your ID and scribble something on your boarding pass. And with CLEAR, no one will bark at you for “approaching the podium” before they’re ready for you.
After your identity has been verified, a CLEAR representative will escort you to the actual security screening, bypassing everyone waiting in the first line. If you’re also enrolled in TSA PreCheck, then you’ll be taken directly to the Pre-Check line. Finally, children under 18 may use the CLEAR line for free when traveling with a paid member.
The CLEAR program that operates today is actually its second iteration. CLEAR first began in 2004, long before TSA Pre-Check was available. That company went bankrupt in 2010, and its assets were purchased by the current founders. The present CLEAR is an entirely separate organization, with no remaining staff from the old company. According to the representative I spoke to, the old CLEAR expanded too aggressively and was spread too thin, while the new CLEAR is taking a more conservative approach.
TPG himself recently talked with CLEAR CEO, Caryn Seidman-Becker, about CLEAR’s plans to expand to more stadiums and airports, the importance of biometric technology and membership pricing. Here’s the podcast:
Where CLEAR Works
At this time, CLEAR is available at the following airports:
- Atlanta (ATL)
- Austin (AUS)
- Baltimore (BWI)
- Cleveland (CLE)
- Dallas Love Field (DAL)
- Dallas-Fort Worth (DFW)
- Denver (DEN)
- Detroit (DTW)
- Fort Lauderdale (FLL)
- Houston Hobby (HOU)
- Houston Bush Intercontinental (IAH)
- Las Vegas (LAS)
- Los Angeles (LAX)
- Miami (MIA)
- Minneapolis (MSP)
- New Orleans (MSY)
- New York-JFK
- New York-LaGuardia (LGA)
- Orlando (MCO)
- Phoenix, AZ (PHX)
- Salt Lake City (SLC)
- San Antonio (SAT)
- San Francisco (SFO)
- San Jose (SJC)
- Seattle (SEA)
- Reagan National Airport, Washington, D.C. (DCA)
- Washington Dulles (IAD)
- White Plains, New York (HPN)
Additionally, CLEAR is available at select entrances to the following stadiums during some events:
- Atlanta, GA — SunTrust Park
- Denver, CO — Coors Field
- Detroit, MI — Comerica Park
- Los Angeles, CA — Banc of California Stadium
- Miami, FL — AmericanAirlines Arena
- Miami, FL — Marlins Park
- New York, NY — Madison Square Garden
- New York, NY — Citi Field
- New York, NY — Yankee Stadium
- Oakland, CA — Oakland Coliseum
- San Francisco, CA — Oracle Park
- San Jose, CA — Avaya Stadium
- Seattle, WA — CenturyLink Field
- Seattle, WA — T-Mobile Park
At the Seattle stadiums, you can also use CLEAR to make some alcohol and concession purchases with just your fingerprint.
CLEAR Versus TSA PreCheck
I’ve noticed the CLEAR lane at my home airport in Denver, and hadn’t given it much thought, since my entire family is enrolled in Global Entry, which offers access to TSA PreCheck. However (as it was explained to me), one is not a substitute for the other, and CLEAR offers some distinct, and complementary advantages.
First, TSA PreCheck members are not guaranteed access every day, as they can be randomly excluded and sent to the standard line, but CLEAR has no randomized exclusion of passengers. In addition, everyone who enters the CLEAR line is a member of CLEAR and knows how to operate the system. On the other hand, TSA sometimes adds non-member travelers to the PreCheck line who have no idea how it works and hold things up. Also, PreCheck only works when traveling with a participating airline. In contrast, CLEAR works when traveling with any carrier.
Other distinctions between CLEAR and PreCheck include the ability to reach screening more quickly by speeding up the verification process, and the fact that not everyone will be able to qualify for PreCheck. Also, keep in mind that having CLEAR doesn’t preclude you from using the streamlined PreCheck security screening process; it’s just designed to help you reach it faster than you would have otherwise.
CLEAR Versus the Line for Elite and Premium Passengers
The four security lines I mentioned above include the standard line, the PreCheck line, the CLEAR line and finally one for passengers traveling in first (or business) class and those with elite status. While this first-class/elite line is usually much shorter than the standard line, you may still find yourself waiting for the TSA agent to inspect your ID and boarding pass, while CLEAR automates this process and escorts passengers directly to either the standard or PreCheck screening. CLEAR is blind to status, so there’s no need to worry about being bypassed if you’re traveling in economy or lack elite status with any airline. Indeed, you may be the one doing the bypassing.
CLEAR Versus CLEAR Sports
You can use your paid CLEAR membership at select stadiums that have CLEAR lanes. But, there’s also a free CLEAR Sports membership that allows fans to enjoy expedited entry to games at participating stadiums. However, this membership doesn’t provide access to non-stadium CLEAR locations such as airports.
To register for a CLEAR Sports membership, simply arrive at an eligible stadium before an eligible event and visit the enrollment area outside the stadium. CLEAR Sports members may bring one guest with them through the CLEAR Lane at stadium CLEAR locations and can upgrade to a paid membership that’s valid at non-stadium locations anytime.
What CLEAR Costs
The normal rate for CLEAR membership is $179 per year. However, TPG readers can use the promo code TPG149 to get a discounted membership of $149 for the first year or can use the promo code TPG2M to get a two month free trial membership. You can enter either code manually or use the above links to get the discount.
CLEAR and Delta have also partnered to offer the following special membership rates for US-based SkyMiles members:
- Diamond Medallion members: complimentary membership
- Platinum, Gold and Silver Medallion members: $109 per year
- Basic cardmembers of the Gold Delta SkyMiles® Credit Card from American Express, Platinum Delta SkyMiles® Credit Card from American Express, Delta Reserve® Credit Card from American Express, Gold Delta SkyMiles® Business Credit Card from American Express, Platinum Delta SkyMiles® Business Credit Card from American Express and Delta Reserve for Business Credit Card: $109 per year
- General SkyMiles members: $119 per year
In order to take advantage of these rates, simply apply your SkyMiles number during enrollment or link your SkyMiles account here after enrolling. Since it’s free to join Delta SkyMiles, this means any US-based passenger can access the $119 per year membership rate by linking their SkyMiles account to their CLEAR account.
Once you are a CLEAR member, you can log in to your account on Clear’s website and add up to three family members for $50 each per year. Remember that children under 18 can use the lane for free when accompanied by a CLEAR member and aren’t eligible to enroll in CLEAR themselves.
How to Enroll in CLEAR
You can either start the enrollment process online and finish at a CLEAR location, or you can do the entire process at a CLEAR location. The enrollment process takes about five minutes and no appointment is required. The final steps of enrollment, which must be done at a CLEAR location, include answering a few simple questions to verify your identity, providing a valid photo ID and method of payment and attaching your biometrics (fingerprints and a picture of your irises) to your newly created account.
In order to enroll, you must (1) be a US citizen or legal permanent resident, (2) be at least 18 years old and (3) have one of the following forms of photo identification: US Driver’s License, US Passport, US Passport Card, US-issued Permanent Resident Card, State Issued ID or US Military ID.
Once you enroll in CLEAR or CLEAR Sports, you should link your US-based Hertz Gold Plus Rewards account to your CLEAR or CLEAR Sports account here. Once you have a valid US Driver’s License as well as fingerprints and a photo associated with your CLEAR membership you’ll be able to use Hertz Fast Lane powered by CLEAR at select Hertz locations.
Analysis
If CLEAR is available at your home airport or one you visit frequently, then it could be a big time saver regardless of whether you have TSA PreCheck. Even if you have PreCheck, the reality is that there’s often just a single TSA staffer checking IDs and boarding passes for the PreCheck line, alternating with other non PreCheck passengers and holding things up significantly. The idea is that CLEAR members enjoy more predictable access to security, which means those who check in online and don’t check bags can schedule airport arrivals even closer to departure than they would normally. Otherwise, you can still spend more time in your favorite lounge or restaurant, and less time waiting in line for the TSA.
On the downside, no credit cards offer a statement credit for CLEAR membership, while you can get a statement credit for Global Entry membership with select credit cards including the Chase Sapphire Reserve, the Capital One Venture Rewards Credit Card and The Platinum Card® from American Express. Plus, CLEAR is only available in a limited number of cities. But if the footprint roughly matches your typical travel patterns, and you highly value a predictable travel experience, then CLEAR is worth considering.
Ready to enroll in CLEAR? Use code TPG2M to get a 2 month free trial.