Port-Security: question that is probably obvious

So I'm tinkering with port security, but to me and someone just let me know if I'm correctly.

The code below, I setup a 3550 which is the DHCP for a 2950 to have a trunk have a sticky security on it with a violation of protect once the 24 ports are used up with the 'maximum 24' command now if I change the 'aging time' to say 8 hours or more could this basically make a switch secure for X amount of time. Like say a rogue user comes into a server room and unplug a cable in the 2950 and pops in there laptop would a port-security block this access on the 3550?

I'm sure this is getting into the CCNA: Security study but I'm curious....

Code below:

Cisco-3550-Bravo(config-if)#switchport po
Cisco-3550-Bravo(config-if)#switchport port-security mac-address sticky
Cisco-3550-Bravo(config-if)#exit
Cisco-3550-Bravo(config)#exit
Cisco-3550-Bravo#wr me
00:52:56: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...
[OK]
Cisco-3550-Bravo#show config
Using 8163 out of 393216 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco-3550-Bravo
!
enable secret 5 $1$bwOd$WZ4tZalTgp1OFkDpHXRt.0
!
no aaa new-model
ip subnet-zero
ip routing
ip domain-name G15IT.com
ip dhcp excluded-address 192.168.108.2 192.168.108.50
ip dhcp excluded-address 192.168.106.2 192.168.106.50
!
ip dhcp pool 2950-300
network 192.168.106.0 255.255.255.0
lease 2
!
ip dhcp pool 2950-400
network 192.168.108.0 255.255.255.0
lease 2
!
!

shutdown vlan 888

!
!
crypto pki trustpoint TP-self-signed-1777811328
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1777811328
revocation-check none
rsakeypair TP-self-signed-1777811328
!
!
crypto pki certificate chain TP-self-signed-1777811328
certificate self-signed 01 nvram:IOS-Self-Sig#3803.cer
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh authentication-retries 5
!
!
!
!
!
interface FastEthernet0/1
switchport access vlan 300
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 300
switchport mode trunk
switchport port-security
switchport port-security violation protect
!
interface FastEthernet0/2
switchport access vlan 400
switchport trunk encapsulation dot1q
switchport trunk native vlan 888
switchport trunk allowed vlan 400
switchport mode trunk
switchport port-security maximum 24
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000f.245e.3d00 vlan 400
switchport port-security mac-address sticky 000f.245e.3d01 vlan 400
!
interface FastEthernet0/3
description "TFTP network for firmware"

Cisco-3550-Bravo#ping 192.168.108.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Cisco-3550-Bravo#ping 192.168.108.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Cisco-3550-Bravo#show config
Using 8163 out of 393216 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco-3550-Bravo
!
enable secret 5 $1$bwOd$WZ4tZalTgp1OFkDpHXRt.0
!
no aaa new-model
ip subnet-zero
ip routing
ip domain-name G15IT.com
ip dhcp excluded-address 192.168.108.2 192.168.108.50
ip dhcp excluded-address 192.168.106.2 192.168.106.50
!
ip dhcp pool 2950-300
network 192.168.106.0 255.255.255.0
lease 2
!
ip dhcp pool 2950-400
network 192.168.108.0 255.255.255.0
lease 2
!
!

shutdown vlan 888

!
!
crypto pki trustpoint TP-self-signed-1777811328
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1777811328
revocation-check none
rsakeypair TP-self-signed-1777811328
!
!
crypto pki certificate chain TP-self-signed-1777811328
certificate self-signed 01 nvram:IOS-Self-Sig#3803.cer
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh authentication-retries 5
!
!
!
!
!
interface FastEthernet0/1
switchport access vlan 300
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 300
switchport mode trunk
switchport port-security
switchport port-security violation protect
!
interface FastEthernet0/2
switchport access vlan 400
switchport trunk encapsulation dot1q
switchport trunk native vlan 888
switchport trunk allowed vlan 400
switchport mode trunk
switchport port-security maximum 24
switchport port-security
switchport port-security aging time 5
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000f.245e.3d00 vlan 400
switchport port-security mac-address sticky 000f.245e.3d01 vlan 400
!
interface FastEthernet0/3
description "TFTP network for firmware"
switchport access vlan 700
switchport mode access
switchport port-security
!
interface FastEthernet0/4
description "disabled ports"
switchport access vlan 888
switchport mode dynamic desirable
!
interface FastEthernet0/5

Cisco-3550-Bravo#show port
Cisco-3550-Bravo#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)

Fa0/1 1 1 0 Protect
Fa0/2 24 2 0 Protect
Fa0/3 1 0 0 Shutdown

Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 5120
Cisco-3550-Bravo#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.108.1 5 000f.245e.3d00 ARPA Vlan400
Internet 192.168.105.4 - 0014.69f7.3f80 ARPA Vlan700
Internet 192.168.106.11 - 0014.69f7.3f80 ARPA Vlan300
Internet 192.168.108.11 - 0014.69f7.3f80 ARPA Vlan400
Internet 172.16.8.9 46 0016.c853.d8c0 ARPA FastEthernet0/48
Internet 172.16.8.10 - 0014.69f7.3f80 ARPA FastEthernet0/48
Cisco-3550-Bravo#show port-security inter fa0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 5 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 24
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : 000f.245e.3d00:400
Security Violation Count : 0

Cisco-3550-Bravo#

Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 5120
Cisco-3550-Bravo#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.108.1 5 000f.245e.3d00 ARPA Vlan400
Internet 192.168.105.4 - 0014.69f7.3f80 ARPA Vlan700
Internet 192.168.106.11 - 0014.69f7.3f80 ARPA Vlan300
Internet 192.168.108.11 - 0014.69f7.3f80 ARPA Vlan400
Internet 172.16.8.9 46 0016.c853.d8c0 ARPA FastEthernet0/48
Internet 172.16.8.10 - 0014.69f7.3f80 ARPA FastEthernet0/48
Cisco-3550-Bravo#show port-security inter fa0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 5 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 24
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : 000f.245e.3d00:400
Security Violation Count : 0

Cisco-3550-Bravo#
Cisco-3550-Bravo#config t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco-3550-Bravo(config)#inter fa0/2
Cisco-3550-Bravo(config-if)#switchport port-security violation protect
Cisco-3550-Bravo(config-if)#exit
Cisco-3550-Bravo(config)#exit
Cisco-3550-Bravo#wr mem
Building configuration...

01:04:06: %SYS-5-CONFIG_I: Configured from console by console[OK]
Cisco-3550-Bravo#
Cisco-3550-Bravo#
Cisco-3550-Bravo#
Cisco-3550-Bravo#
Cisco-3550-Bravo#
Cisco-3550-Bravo#
Cisco-3550-Bravo#
Cisco-3550-Bravo#show config
Using 8207 out of 393216 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco-3550-Bravo
!
enable secret 5 $1$bwOd$WZ4tZalTgp1OFkDpHXRt.0
!
no aaa new-model
ip subnet-zero
ip routing
ip domain-name G15IT.com
ip dhcp excluded-address 192.168.108.2 192.168.108.50
ip dhcp excluded-address 192.168.106.2 192.168.106.50
!
ip dhcp pool 2950-300
network 192.168.106.0 255.255.255.0
lease 2
!
ip dhcp pool 2950-400
network 192.168.108.0 255.255.255.0
lease 2
!
!

shutdown vlan 888

!
!
crypto pki trustpoint TP-self-signed-1777811328
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1777811328
revocation-check none
rsakeypair TP-self-signed-1777811328
!
!
crypto pki certificate chain TP-self-signed-1777811328
certificate self-signed 01 nvram:IOS-Self-Sig#3803.cer
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh authentication-retries 5
!
!
!
!
!
interface FastEthernet0/1
switchport access vlan 300
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 300
switchport mode trunk
switchport port-security
switchport port-security violation protect
!
interface FastEthernet0/2
switchport access vlan 400
switchport trunk encapsulation dot1q
switchport trunk native vlan 888
switchport trunk allowed vlan 400
switchport mode trunk
switchport port-security maximum 24
switchport port-security
switchport port-security aging time 5
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000f.245e.3d00 vlan 400
switchport port-security mac-address sticky 000f.245e.3d01 vlan 400
!
interface FastEthernet0/3
description "TFTP network for firmware"
switchport access vlan 700

Cisco-3550-Bravo#ping 192.168.108.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Cisco-3550-Bravo#ping 192.168.108.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Cisco-3550-Bravo#show port
Cisco-3550-Bravo#show port-security int
Cisco-3550-Bravo#show port-security interface fa0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 5 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 24
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : 000f.245e.3d00:400
Security Violation Count : 0

Cisco-3550-Bravo#show cdp det
^
% Invalid input detected at '^' marker.

Cisco-3550-Bravo#show cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
Cisco-2600-R4 Fas 0/48 149 R S I 2610XM Fas 0/0
Cisco2950-300 Fas 0/1 164 S I WS-C2950- Fas 0/1
Cisco2950-400 Fas 0/2 157 S I WS-C2950C Fas 0/1

Find more posts tagged with

Comments

OfWolfAndMan

The first device with a MAC that connects to the network is associated with the sticky address on the interface, so any device after that will not be able to connect to the port, assuming you have the maximum set to 1. Aging time basically says, after specified time, if the last MAC that was connected to the port is not seen after a specified time, age it out, meaning you can connect another device to the port.

Deathmage

OfWolfAndMan wrote: »

The first device with a MAC that connects to the network is associated with the sticky address on the interface, so any device after that will not be able to connect to the port, assuming you have the maximum set to 1. Aging time basically says, after specified time, if the last MAC that was connected to the port is not seen after a specified time, age it out, meaning you can connect another device to the port.

hrm, so not quite what I had in mind, dam it.

Was looking for a way to limit the number of mac address to go over the uplink to 24 since it's a 24 port switch on the access layer. - in essence in a production world a 24 port (IDF) switch would use all 24 ports for workstations during a normal business day and the thought was to make all of the addresses sticky on the 2950 and then allow only those 24 mac-addresses that travel over the uplink to the 3550 (MDF) to be allowed with the aging time.

again, if this is possible I presume it's in a later study; just curious if it is possible.

OfWolfAndMan

The MAC address is only relevant to the first port it is plugged in, however any neighboring switch will see the MACs of your clients over the trunk, yes. I have never seen port security run on a trunk though. What would your use case be for something like this? Aging time is configured on the access port, no trunk as well.

awitt11

Wouldn't setting the maximum allowed to 24 mean just the first 24 MAC address to come across the link? So if someone had an IP phone and a few VMs on their machine, then a single port on the 2950 could have 5 MAC addresses. Any reason why you aren't setting port security on the 2950?

Deathmage

awitt11 wrote: »

Wouldn't setting the maximum allowed to 24 mean just the first 24 MAC address to come across the link? So if someone had an IP phone and a few VMs on their machine, then a single port on the 2950 could have 5 MAC addresses. Any reason why you aren't setting port security on the 2950?

It's setup on the 2950 as-well but I'm just curious if it could be done on a uplink to prevent foreign addresses that haven't been learned in the past to be blocked.

It's more conceptual than anything..

tomtom1

awitt11 wrote: »

Wouldn't setting the maximum allowed to 24 mean just the first 24 MAC address to come across the link? So if someone had an IP phone and a few VMs on their machine, then a single port on the 2950 could have 5 MAC addresses. Any reason why you aren't setting port security on the 2950?

Setting the maximum to 24 would allow for a total of 24 MAC addresses on the port. I'd conceptually advise against deploying port-security on trunk interfaces and rather deploy it on the access layer, it would just make more sense that way. Also make sure to set your violation policy to something other than shutdown, otherwise you'd lose your link to the switch.

Deathmage

tomtom1 wrote: »

Setting the maximum to 24 would allow for a total of 24 MAC addresses on the port. I'd conceptually advise against deploying port-security on trunk interfaces and rather deploy it on the access layer, it would just make more sense that way. Also make sure to set your violation policy to something other than shutdown, otherwise you'd lose your link to the switch.

Indeed; I wanted to see what it did when I used shutdown and it was handy to see in in action when I intentionally sent a 2nd hello packet when sticky was set to 1 mac-address.

I also reckon'd I answered my own question cause I noticed the 1st line in the config on the port was a switchport mode access, and it wouldn't let me remove it since it was a port-security addition so it makes logical sense why having on a trunk port is a bad idea...