Port Security Question

I have a question on port security. I understand it is to protect the port from rogue devices plugging into it, but I keep reading and hearing things about frames coming back into the port from other devices tripping port security. So my question is this; if I enable port security on FastEthernet 0/1 with default settings and I plug 1 computer into that port, should port security trip with normal network traffic? It seems like the answer should be no, but I've also heard that adding port security to a trunk link is a bad idea because of all of the frames that go through it. If port security is only to protect against devices being plugged into that port, then it shouldn't matter how much traffic or which traffic is going through that port. But if it is against all traffic that goes through the port, how can you possibly set it and it never get tripped?

Needless to say, I'm confused about this point on port security and need help understanding what port security is protecting against. As far as configuring/editing/troubleshooting port security, I have that down.

Find more posts tagged with

Comments

TechGromit

Port security ties the port to one mac address, or a limited group of mac addresses. If another device (with a different Mac address) is connected to the port after the mac address has been set, the port disables itself. It doesn't provide any security for the traffic running thru the port, just whats connected to the port. Mac addresses can be spoofed, So it's not a completely secured against intrusion. If I wanted to access the port, i'd unplug the device, determine the Mac address of the device that was plugged into the port, set my spoofed address to that value, and plug my device into the port.

As for setting port security on the Trunk port, I've never hear of this being done, I don't see why it can't be set on a trunk port. The danger is if the port gets tripped, it could take the switch off the network, assuming no redundancy.

Lunchbocks

TechGromit said:

Port security ties the port to one mac address, or a limited group of mac addresses. If another device (with a different Mac address) is connected to the port after the mac address has been set, the port disables itself. It doesn't provide any security for the traffic running thru the port, just whats connected to the port. Mac addresses can be spoofed, So it's not a completely secured against intrusion. If I wanted to access the port, i'd unplug the device, determine the Mac address of the device that was plugged into the port, set my spoofed address to that value, and plug my device into the port.

As for setting port security on the Trunk port, I've never hear of this being done, I don't see why it can't be set on a trunk port. The danger is if the port gets tripped, it could take the switch off the network, assuming no redundancy.

Thanks, I appreciate the clarity. Your explanation is exactly how I thought port security is. In my studies, I am using Odum's book, CBT Nuggets, Chris Bryant's video series, and David Bombal's videos. I'm not sure where I heard about port security monitoring traffic outside of the connected devices, but it muddied up the waters for my understanding.

Using port security on a trunk is definitely a double-edged sword. On one hand, it is definitely a port you would want to protect. But like you said, if it does trip, you could take down a huge portion of your network.

Thanks!