Switchport Port-Security
Netstudent
Member Posts: 1,693
in CCNA & CCENT
Alright so I'm playing around with STP and mac-address-table, and some port security options. For some reason I can't get my port-security enabled interface to go "err-disabled" after intentionally violating the sticky address.
Here is the output.
Error message after plugging another NIC into the Port-Security enabled INT:
%Error: Cannot add secure address 00d0.5840.4620
%Error: Total secure addresses on interface reached its max limit of 1
Show run verifying Sticky config.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00d0.5842.58a0
 no ip address
And here is the show port-sec int fa0/2
show port-security int fa0/2
Port Security              : Enabled
Port status                : SecureUp
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Aging time                 : 0 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation count   : 0
Okay, so the violation parameter has been set, the sticky address is in the running-config, and the error messages say incorrect address, BUT the port will not shut down. WHY? Could this have something to do with bpduguard being enabled on the int as well? Thanks!
One other thing is it seems I can't create an Etherchannel connection either.
c2900xl-c3h2s-mz
Does anyone know if this version supports channel-groups? I can do a "show etherchannel ?" and I get some possible commands, but in interface config mode I can't do a "channel-group" command.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
Comments
-
tech-airman Member Posts: 953
Netstudent,
What do you think "switchport port-security mac-address sticky" is supposed to do?
-
Netstudent Member Posts: 1,693
It is supposed to limit that port to the first learned MAC address, which it did. But I configured the violation parameter to shutdown and I also plugged in another MAC address (NIC). It isn't taking the interface out of service like the book says it should. I just figured there was a configuration option I missed.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
tech-airman Member Posts: 953
Netstudent,
Looks like you did more than just plug in another NIC. You added an extra configuration line of ...
switchport port-security mac-address sticky 00d0.5842.58a0
Is the MAC address of 00d0.5842.58a0 for:
- First NIC?
- Second NIC?
-
Netstudent Member Posts: 1,693
I added "switchport port-security mac-address sticky" and then the
switchport port-security mac-address sticky 00d0.5842.58a0
was automatically added to the running-config after the first address was learned.
This is the first NIC. Sticky learned the first source MAC address from the first frame sent to the port. The error messages I posted include the MAC for the 2nd NIC that is violating the sticky rule.
I will add that the NICs I am talking about are just routers. I'm using the routers to test and verify port security options.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
Cucumber Member Posts: 192
Just for curiosity, what does your switch show with this command?
show errdisable recovery
I hate pandas
-
sprkymrk Member Posts: 4,884
I see in the config where it appears you set the violation to shutdown, but not in your commands. Also, what happens if you try "restrict" instead of "shutdown"?
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
All things are possible, only believe.
-
tech-airman Member Posts: 953
Netstudent wrote:
I added "switchport port-security mac-address sticky" and then the
switchport port-security mac-address sticky 00d0.5842.58a0
was automatically added to the running-config after the first address was learned.
This is the first NIC. Sticky learned the first source MAC address from the first frame sent to the port. The error messages I posted include the MAC for the 2nd NIC that is violating the sticky rule.
I will add that the NICs I am talking about are just routers. I'm using the routers to test and verify port security options.
Netstudent,
Did you know that "switchport port-security" is supposed to be used for hosts instead of networking devices such as routers?
-
mgeorge Member Posts: 774
Well this is a common question I get asked a lot from people.
Port security is used to do one simple thing, which is to block other devices from connecting to a port that is required for a specified device set by a network engineer.
And yes, in a totally secure network (such as Department of Defense or FBI, etc.) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt, it will be specified by an engineer.
But keep in mind when a port sec violation happens the port does not disable like you think.
You're probably thinking the IOS should issue the "shutdown int f0/21" command, which it doesn't.
The switch will disable the port logically but not physically, thus rendering it inert to communicate to the network. Yes, the activity lights will still be active and it will still look like the port is active, but that port will not be able to communicate to the network unless the switch determines the device specified in the security table is attached to that port. That is the logic behind why Cisco did it this way. If the port was to disable itself physically (i.e. shutdown int f0/1) then how would the switch know if the correct device has been reconnected? This costs time where the admin has to go back into the switch and type in "no shut int f0/1". This is listed under an RFC I believe.
Does this answer your question?
There is no place like 127.0.0.1
-
tech-airman Member Posts: 953
mgeorge27 wrote:
Well this is a common question I get asked a lot from people.
Port security is used to do one simple thing, which is to block other devices from connecting to a port that is required for a specified device set by a network engineer.
And yes, in a totally secure network (such as Department of Defense or FBI, etc.) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt, it will be specified by an engineer.
mgeorge27,
I guess I sit corrected.
-
Netstudent Member Posts: 1,693
mgeorge27 wrote:
Well this is a common question I get asked a lot from people.
Port security is used to do one simple thing, which is to block other devices from connecting to a port that is required for a specified device set by a network engineer.
And yes, in a totally secure network (such as Department of Defense or FBI, etc.) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt, it will be specified by an engineer.
But keep in mind when a port sec violation happens the port does not disable like you think.
You're probably thinking the IOS should issue the "shutdown int f0/21" command, which it doesn't.
The switch will disable the port logically but not physically, thus rendering it inert to communicate to the network. Yes, the activity lights will still be active and it will still look like the port is active, but that port will not be able to communicate to the network unless the switch determines the device specified in the security table is attached to that port. That is the logic behind why Cisco did it this way. If the port was to disable itself physically (i.e. shutdown int f0/1) then how would the switch know if the correct device has been reconnected? This costs time where the admin has to go back into the switch and type in "no shut int f0/1". This is listed under an RFC I believe.
Does this answer your question?
That makes complete sense. Thanks Matt. But shouldn't I still get an err-disable output in the show port-sec int fa0/2?
Cucumber, here is the output:
Switch#show errdisable recovery
ErrDisable Reason    Timer Status
udld                 Disabled
bpduguard            Disabled
channel-misconfig    Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
Timer interval: 300 seconds
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
mgeorge Member Posts: 774
Can you do a "sh int f0/2" (w/e the port is you have set up with sec) and see if it's up and the lp is down?
There is no place like 127.0.0.1
-
Netstudent Member Posts: 1,693
Okay, so I have a broadcast OSPF network set up already. All router Ethernet interfaces are connected to the switch and in the same subnet. Since I already had that set up, I tried to ping a neighboring router from a violating router and it wouldn't ping. So I intentionally connected the wrong router into the secured switchport, and I could not transmit squat. So I guess port-security is working even though I am not seeing an err-disabled notification in the show port-sec int fa0/2 output. So I guess I should have been testing the larger picture and not worrying about the port status.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
mgeorge Member Posts: 774
Well I had to do some "google'ing" on this question to find out the 100% total correct answer.
Some switches will disable the port physically and some switches will not... This is limited by the IOS running on the switch; the "restriction" will keep the port active but deny all data received.
So my guess would be that newer switches will support this RFC to disable the port logically and isolate it. The older switches will physically disable the port, i.e. "Administratively shut down, Line protocol down".
Chances are your 2900XL should disable it physically. "Not 100% sure, it's been 3 years since I've used a 2900xl" but check and see if you can do a violation restriction.
Also look in my IOS guide and you will find a link to Cisco's website where you can download switch IOSs free. Download the latest IOS. Be sure to set the boot parameters on the switch before you reload after upgrading IOS or you will have a long night.
This link may help a little bit with understanding port sec on the 2900 and 3500xl:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wpxref93821
This is actually an interesting post.
I'm guessing keep playing with this topic and you'll figure it out completely.
There is no place like 127.0.0.1
-
Netstudent Member Posts: 1,693
mgeorge27 wrote:
Can you do a "sh int f0/2" (w/e the port is you have set up with sec) and see if it's up and the lp is down?
FastEthernet0/2 is up, line protocol is up
  Hardware is Fast Ethernet, address is 000a.f4bb.ee82 (bia 000a.f4bb.ee82)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s
This output was taken while the wrong router was connected to the security-enabled switchport. It looks like my switch logically disabled the port.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
mgeorge Member Posts: 774
Here's the link to the switch IOSs on Cisco's website, you need just a guest TCO account.
http://tools.cisco.com/support/downloads/pub/MDFTree.x?butype=switches
There is no place like 127.0.0.1
-
mgeorge Member Posts: 774
Yep, latest version for your switch if it's a 2900xl should be 12.0.5-WC17(ED)
There is no place like 127.0.0.1
-
Netstudent Member Posts: 1,693
Here is the one I have:
flash:/c2950-i6q4l2-mz.121-11.EA1.bin
That 2900XL I mentioned earlier was a different switch I was trying to do Etherchannel with. Separate issue. 2924.
The port-sec is on a 2950.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
mgeorge Member Posts: 774
Ahhh so you're using a 2950!! Okay, I got the impression you were using a 2900xl from the post.
2950s do support port restriction.
Also you can download that IOS as well from that link free, the latest is 12.1.22-EA10(ED)
There is no place like 127.0.0.1
-
Netstudent Member Posts: 1,693
What exactly do you mean when you say "port-restriction"?
Are you talking about the violation parameter?
Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
In which case the definition would be:
restrict—A port security violation restricts data and depending on the type of secure address, sends a system log message, sends an SNMP trap, and causes the SecurityViolation counter to increment.
Sorry about the confusion.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
mgeorge Member Posts: 774
Cisco explains it as "blocking all bidirectional data per port per violation".
The link I posted above, and again below, will explain the violation actions in detail. Just scan through it.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wpxref93821
switchport port-security violation {protect | restrict | shutdown}
(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
• protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
• restrict—A port security violation restricts data and causes the SecurityViolation counter to increment.
• shutdown—The interface is error-disabled when a security violation occurs.
Note: When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
There is no place like 127.0.0.1
-
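The three violation modes quoted above behave differently once the secure-address table is full, and the difference is easier to see side by side than in prose. The following is an added example for this thread, not Cisco IOS code and not any poster's configuration: a small Python model of one secure port with sticky learning and the protect, restrict and shutdown modes (the SecurePort class, its field names and its log strings are the example's own), run against the two MAC addresses quoted earlier in the thread as sample input. It shows that only shutdown mode moves the port to Secure-shutdown, and once it does, even the legitimate sticky address stops passing until the port is recovered; restrict counts and logs the violation but keeps the original device working; protect drops the unknown source silently.

```python
"""Toy model of Cisco port-security violation modes.

Added example for this thread; not Cisco IOS code and not any poster's
configuration. Models the three violation modes quoted from the Cisco guide
(protect, restrict, shutdown) together with sticky learning. The MAC
addresses used in demo() are the two quoted in the thread, reused here as
sample input.
"""
from dataclasses import dataclass, field

VALID_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # switchport port-security violation <mode>
    secure_macs: list = field(default_factory=list)   # sticky-learned secure addresses
    violation_count: int = 0         # "Security Violation Count" in show port-security
    err_disabled: bool = False
    log: list = field(default_factory=list)           # syslog-style messages the model emits

    def __post_init__(self):
        if self.violation not in VALID_MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def receive(self, src_mac: str) -> bool:
        """Handle one frame from src_mac; return True if the switch forwards it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                      # err-disabled: nothing passes, not even the secure MAC
        if src_mac in self.secure_macs:
            return True                       # known secure address
        if len(self.secure_macs) < self.maximum:
            # Sticky learning: the address becomes secure and, on a real switch, shows up in
            # running-config as "switchport port-security mac-address sticky <mac>".
            self.secure_macs.append(src_mac)
            return True
        # Table is full and the source is unknown: this is a security violation.
        if self.violation == "protect":
            return False                      # drop silently: no counter, no log
        self.violation_count += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
                            f"putting {self.name} in err-disable state")
        return False

    def port_status(self) -> str:
        """Mirror the "Port Status" field of show port-security interface."""
        return "Secure-shutdown" if self.err_disabled else "Secure-up"

    def recover(self) -> None:
        """Operator 'shutdown' / 'no shutdown' (or errdisable recovery). Sticky MACs survive."""
        self.err_disabled = False


def demo(mode: str) -> dict:
    """Learn one MAC, offer a second one, then the first again; report what happened."""
    port = SecurePort("Fa0/2", maximum=1, violation=mode)
    first = port.receive("00d0.5842.58a0")        # first NIC: sticky-learned
    intruder = port.receive("00d0.5840.4620")     # second NIC: exceeds the maximum of 1
    first_again = port.receive("00d0.5842.58a0")  # legitimate device plugged back in
    return {
        "first_forwarded": first,
        "intruder_forwarded": intruder,
        "first_forwarded_after_violation": first_again,
        "status": port.port_status(),
        "violation_count": port.violation_count,
        "log": port.log,
    }


if __name__ == "__main__":
    for mode in VALID_MODES:
        result = demo(mode)
        print(f"{mode:8s} status={result['status']:16s} violations={result['violation_count']} "
              f"legit device works after violation: {result['first_forwarded_after_violation']}")
```

The model deliberately keeps the sticky address across recover(), which is why a real switch can be brought back with shutdown / no shutdown without re-learning the device; only the maximum and the mode decide what a second address does.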
Netstudent Member Posts: 1,693
Oh okay... Ya, I actually had that article already pulled up and was skimming through it when you first posted it... Well I guess I'm not going to worry about not seeing the "err-disabled" option. I mean I tested it with ICMP and I could not send out an echo-reply, but when I connected the correct MAC back into the port, I could ping everything from everything. So thanks for the help.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
mgeorge Member Posts: 774
Yeah I guess I need to go to bed, man my brain is starting to hurt with all the confusion in the air.
Anywho, download the latest IOS for that switch and there might be some new features for ya to play with. Anywho, enjoy.
There is no place like 127.0.0.1
-
dtlokee Member Posts: 2,378
And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt, it will be specified by an engineer.
Since when? We use nothing but Dot1x authentication with computer certificates, port security would be too much to maintain (I do work for a subcontractor to the NSA).
Here is the switch config, basically what you configured:
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0007.85c2.9a3f
Here is the output of "show port-security interface fa0/1":
SW1(config-if)#do sh port-sec int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0007.85c2.9a3f:1
Security Violation Count   : 0
I then changed the mac-address of the router connected to the interface using the "mac-address 0001.2345.6789" command (the router fa0/0 is connected to the switch fa0/1):
00:09:30: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
00:09:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.2345.6789 on port FastEthernet0/1.
00:09:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
00:09:32: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
SW1(config-if)#
SW1(config-if)#do sh port-sec int fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.2345.6789:1
Security Violation Count   : 1
SW1(config-if)#do sh int fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 001a.e3a8.8f03 (bia 001a.e3a8.8f03)
  MTU 1504 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
<<output cut>>
That is what you should see in your output. Notice in the output after the console messages the interface "Port Status : Secure-shutdown", and in the output of the show interface fa0/1 command it says "FastEthernet0/1 is down, line protocol is down (err-disabled)".
HTH
The only easy day was yesterday!
-
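dtlokee's console output above is what shutdown mode looks like in syslog: a %PORT_SECURITY-2-PSECURE_VIOLATION message naming the MAC and port, and a %PM-4-ERR_DISABLE message for the same port. As an added example for this thread (not Cisco code and not dtlokee's), here is a Python log check that pulls the offending MAC and port out of the violation messages, records whether an err-disable message was logged for that port, and gives a per-port verdict, so a reviewer of switch logs can tell shutdown-mode behaviour from a violation that left the port up. The first four sample lines are the ones quoted above; the Fa0/3 lines and the MAC in them are constructed to show a violation that was logged without the port going err-disabled, which is the restrict-mode pattern described in the Cisco text quoted earlier.

```python
"""Pick port-security events out of Cisco IOS syslog lines.

Added example for this thread; not Cisco code and not dtlokee's. Reports,
per port, the MAC addresses that caused violations and whether the port was
put in err-disable state. The first four SAMPLE_LOG lines are quoted from the
thread; the Fa0/3 lines are constructed.
"""
import re
from collections import defaultdict

# %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
# 0001.2345.6789 on port FastEthernet0/1.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) on port ([A-Za-z]+[\d/]+)"
)
# %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on ([A-Za-z]+[\d/]+),"
)

LONG_TO_SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}

SAMPLE_LOG = [
    # Quoted from dtlokee's 3560 output above (shutdown mode).
    "00:09:30: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state",
    "00:09:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.2345.6789 on port FastEthernet0/1.",
    "00:09:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "00:09:32: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    # Constructed lines: a port in restrict mode logs the violation but stays up.
    "00:12:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/3.",
    "00:12:06: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/3.",
]


def normalize_port(name: str) -> str:
    """IOS mixes 'FastEthernet0/1' and 'Fa0/1' for the same port; use the short form."""
    for long, short in LONG_TO_SHORT.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def analyze(lines):
    """Return {port: {"violations": [mac, ...], "err_disabled": bool}} for the given log lines."""
    ports = defaultdict(lambda: {"violations": [], "err_disabled": False})
    for line in lines:
        m = VIOLATION_RE.search(line)
        if m:
            mac, port = m.group(1).lower(), normalize_port(m.group(2))
            ports[port]["violations"].append(mac)
            continue
        m = ERR_DISABLE_RE.search(line)
        if m:
            ports[normalize_port(m.group(1))]["err_disabled"] = True
    return dict(ports)


def verdict(port_info: dict) -> str:
    """Describe what the log says happened on one port."""
    if port_info["err_disabled"]:
        return "violation, port err-disabled (shutdown mode)"
    if port_info["violations"]:
        return "violation logged, port left up (restrict-mode behaviour)"
    return "no port-security events"


if __name__ == "__main__":
    for port, info in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{port}: {verdict(info)}; offending MACs: {sorted(set(info['violations']))}")
```

Protect mode generates no syslog message at all, so a port in that mode is invisible to this check; for it, the "Security Violation Count" field of show port-security interface is the only indicator, and it stays at zero.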
Netstudent Member Posts: 1,693
So you can change the MAC of the router's Ethernet interface by using that command "mac-address 0001.2345.6789"? I did not know that!!
So why didn't my interface go down when I switched routers on the fa0/2 switch interface? It did deny all traffic from the violating router, I couldn't ping out, but it did not shut down the interface (err-disabled).
So what did I miss? I posted all the relevant configs. Could it be my IOS version? I tried setting the violation parameter to shutdown and restrict.
What model switch and IOS version are you running Derek?
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
dtlokee Member Posts: 2,378
The IOS version is 12.2 on a 3560, I don't have remote access to any 2950s in the lab.
Although it seems the IOS name you posted is a 2900xl, not sure what you have going on there, did someone rename it from c2950 to c2900xl? What version do you have when you enter a "show version" command? I am pretty sure all the 2950 IOS versions act the same for port security.
The only easy day was yesterday!
-
Netstudent Member Posts: 1,693
flash:/c2950-i6q4l2-mz.121-11.EA1.bin
No, that 2900XL is a 2924 that I had problems creating Etherchannels on. The 2950 is the switch I had the port sec. issues with. I posted the IOS version for the 2950. Sorry about the confusion. I was trying to kill two birds with one stone. But I'm still curious about this mac-address xx-xx-xx-xx-xx-xx command that you used. So that CAN change the MAC address for the Ethernet NIC in my router???? I'm on vacation now so I can't recreate the lab to do further testing. I'll try again when I get back home. Thanks for the help Derek and Matt!!!!! If you have any suggestions on what could have gone wrong, I'll be in the forum from time to time. I'm addicted.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
mgeorge Member Posts: 774
dtlokee wrote:
And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt, it will be specified by an engineer.
Since when? We use nothing but Dot1x authentication with computer certificates, port security would be too much to maintain (I do work for a subcontractor to the NSA)
There are a lot of federal buildings that use port sec still. I was just making an example that could be understood in lieu of this topic (a CCNA topic, not CCNP/CCSP). Of course, time changes and new security protocols/standards are released. 802.1x was released mid 2001 and it's just now becoming a widely accepted standard within most businesses. Where I'm located, I actually see more people use portsec rather than 802.1x, but I guess it's just my area.
There is no place like 127.0.0.1
-
sprkymrk Member Posts: 4,884
I've seen a lot of port security in the Army. Not everywhere, but enough to be fairly common even in large (4000+) networks. At my installation we use it on about 25% of our switches.
All things are possible, only believe.
-
dtlokee Member Posts: 2,378
Their are alot of federal buildings that use port sec still
Yes there are, we use it here and there but it increases the management of the network substantially with moves and adds. The other problem is it isn't truly secure in that if you spoof the MAC address you can bypass the security. You can also inflict a DoS attack against the network by spoofing the MAC address assigned to a secure port on a different device in the network. Attaching a router with PAT configured to the port will allow someone to connect more hosts than port security was configured to allow. It's not a great solution. On the other hand, for a small company getting involved with dot1x authentication is overkill in most cases. But the company I have a contract with, their security policy requires all USB interfaces to be disabled in the OS and filled with epoxy, I think that's nuts.
The main reason I use port security is to restrict the number of addresses that are learned on an interface to prevent MAC overflow attacks.
Your original statement "you will use port security" concerned me. I was pointing out there are other options.
The only easy day was yesterday!
-
mgeorge Member Posts: 774
sprkymrk, I've seen a lot of Air Force sites use port sec as well lol...
My intention was that "you will use portsec" as in the least secure scenario; as if you would "at least use port sec".
You got the wrong idea >.< but yes I agree with you 100%, if you can use 802.1x then my lord use it.
There is no place like 127.0.0.1