Switchport Port-Security

Netstudent
Alright, so I'm playing around with STP, the mac-address-table, and some port-security options. For some reason I can't get my port-security-enabled interface to go "err-disabled" after intentionally violating the sticky address.

Here is the output.

Error message after plugging another NIC into the port-security-enabled interface:
%Error: Cannot add secure address 00d0.5840.4620
%Error: Total secure addresses on interface reached its max limit of 1

Show run verifying the sticky config:
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00d0.5842.58a0
 no ip address

And here is the output of show port-sec int fa0/2:
port-security int fa0/2
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0

Okay, so the violation parameter has been set, the sticky address is in the running-config, the error messages are saying incorrect address, BUT the port will not shut down. WHY? Could this have something to do with bpduguard being enabled on the interface as well? Thanks!

One other thing: it seems I can't create an EtherChannel connection either.
c2900xl-c3h2s-mz

Does anyone know if this version supports channel-groups? I can do a "show etherchannel ?" and I get some possible commands, but in interface config mode I can't do a channel-group command.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!

Comments

  • tech-airman
    Netstudent,

    What do you think "switchport port-security mac-address sticky" is supposed to do?
  • Netstudent
    It is supposed to limit that port to the first learned MAC address, which it did. But I configured the violation parameter to shutdown and I also plugged in another MAC address (NIC). It isn't taking the interface out of service like the book says it should. I just figured there was a configuration option I missed.
  • tech-airman
    Netstudent,

    Looks like you did more than just plug in another NIC. You added an extra configuration line of ...
    switchport port-security mac-address sticky 00d0.5842.58a0 
    

    Is the MAC address of 00d0.5842.58a0 for:
    1. First NIC?
    2. Second NIC?
  • Netstudent
    I added "switchport port-security mac-address sticky" and then the
    switchport port-security mac-address sticky 00d0.5842.58a0 was automatically added to the running-config after the first address was learned.

    This is the first NIC. Sticky learned the first source MAC address from the first frame sent to the port. The error messages I posted include the MAC for the 2nd NIC that is violating the sticky rule.

    I will add that the NICs I am talking about are just routers. I'm using the routers to test and verify port-security options.
  • Cucumber
    Just for curiosity, what does your switch show with this command?

    show errdisable recovery
    I hate pandas
  • sprkymrk
    I see in the config where it appears you set the violation to shutdown, but not in your commands. Also, what happens if you try "restrict" instead of "shutdown"?
    switchport mode access
    switchport port-security
    switchport port-security violation restrict
    switchport port-security mac-address sticky
    
    All things are possible, only believe.
  • tech-airman
    Netstudent wrote:
    I added "switchport port-security mac-address sticky" and then the
    switchport port-security mac-address sticky 00d0.5842.58a0 was automatically added to the running-config after the first address was learned.

    This is the first NIC. Sticky learned the first source MAC address from the first frame sent to the port. The errors messages I posted includes the MAC for the 2nd NIC that is violating the sticky rule.

    I will add that the NICs I am talking about are just routers. I'm using the routers to test and verify port security options.

    Netstudent,

    Did you know that "switchport port-security" is supposed to be used for hosts instead of networking devices such as routers?
  • mgeorge
    Well, this is a common question I get asked a lot by people.

    Port security is used to do one simple thing, which is to block other devices from connecting to
    a port that is required for a specified device set by a network engineer.

    And yes, in a totally secure network (such as Department of Defense or FBI, etc.) you will use port security on every device, and for routers and switches the port-sec policy will not be learnt;
    it will be specified by an engineer.

    But keep in mind that when a port-sec violation happens the port does not disable like you think.

    You're probably thinking the IOS should issue the "shutdown int f0/21" command, which it doesn't.
    The switch will disable the port logically but not physically, thus rendering it unable to communicate
    with the network. Yes, the activity lights will still be active and it will still look like the port is active,
    but that port will not be able to communicate with the network unless the switch determines the
    device specified in the security table is attached to that port. That is the logic behind why Cisco
    did it this way. If the port were to disable itself physically (i.e. shutdown int f0/1) then how would
    the switch know if the correct device has been reconnected? This costs time where the admin
    has to go back into the switch and type in "no shut int f0/1". This is listed under an RFC I believe.

    Does this answer your question?
    There is no place like 127.0.0.1
  • tech-airman
    mgeorge27 wrote:
    Well, this is a common question I get asked a lot by people.

    Port security is used to do one simple thing, which is to block other devices from connecting to
    a port that is required for a specified device set by a network engineer.

    And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt,
    it will be specified by an engineer.

    mgeorge27,

    I guess I sit corrected. :)
  • Netstudent
    mgeorge27 wrote:
    Well, this is a common question I get asked a lot by people.

    Port security is used to do one simple thing, which is to block other devices from connecting to
    a port that is required for a specified device set by a network engineer.

    And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt,
    it will be specified by an engineer.

    But keep in mind when a port sec violation happens the port does not disable like you think.

    You're probably thinking the IOS should issue the "shutdown int f0/21" command, which it doesn't.
    The switch will disable the port logically but not physically, thus rendering it unable to communicate
    with the network. Yes, the activity lights will still be active and it will still look like the port is active,
    but that port will not be able to communicate with the network unless the switch determines the
    device specified in the security table is attached to that port. That is the logic behind why Cisco
    did it this way. If the port were to disable itself physically (i.e. shutdown int f0/1) then how would
    the switch know if the correct device has been reconnected? This costs time where the admin
    has to go back into the switch and type in "no shut int f0/1". This is listed under an RFC I believe.

    Does this answer your question?

    That makes complete sense. Thanks, Matt. But shouldn't I still get an err-disable output in the show port-sec int fa0/2?

    Cucumber, here is the output:
    Switch#show errdisable recovery
    ErrDisable Reason    Timer Status
    -----------------    ------------
    udld                 Disabled
    bpduguard            Disabled
    channel-misconfig    Disabled
    pagp-flap            Disabled
    dtp-flap             Disabled
    link-flap            Disabled
    psecure-violation    Disabled
    gbic-invalid         Disabled

    Timer interval: 300 seconds
  • mgeorge
    Can you do a sh int f0/2 (whatever the port is you have set up with port-sec) and see if it's up and the line protocol is down?
  • Netstudent
    Okay, so I have a broadcast OSPF network set up already. All router Ethernet interfaces are connected to the switch and in the same subnet. Since I already had that set up, I tried to ping a neighboring router from a violating router and it wouldn't ping. So I intentionally connected the wrong router into the secured switchport, and I could not transmit squat. So I guess port-security is working even though I am not seeing an err-disabled notification in the show port-sec int fa0/2 output. So I guess I should have been testing the larger picture and not worrying about the port status.
  • mgeorge
    Well, I had to do some googling on this question to find out the 100% correct answer.

    Some switches will disable the port physically and some switches will not. This is limited by the
    IOS running on the switch; the "restriction" will keep the port active but deny all data received.
    So my guess would be that newer switches will support this RFC to disable the port logically and
    isolate it. The older switches will physically disable the port, i.e. "administratively shut down, line
    protocol down".

    Chances are your 2900XL should disable it physically. "Not 100% sure, it's been 3 years since I've
    used a 2900XL", but check and see if you can do a violation restriction.

    Also look in my IOS guide and you will find a link to Cisco's website where you can download
    switch IOS images free. Download the latest IOS. Be sure to set the boot parameters on the switch
    before you reload after upgrading the IOS or you will have a long night.

    This link may help a little bit with understanding port-sec on the 2900 and 3500XL:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wpxref93821

    This is actually an interesting post.

    I'm guessing keep playing with this topic and you'll figure it out completely.
  • Netstudent
    mgeorge27 wrote:
    Can you do a sh int f0/2 (w/e the port is you have setup with sec) and see if its up and the lp is down?

    FastEthernet0/2 is up, line protocol is up
    Hardware is Fast Ethernet, address is 000a.f4bb.ee82 (bia 000a.f4bb.ee82)
    MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Half-duplex, 10Mb/s

    this output was taken while the wrong router was connected to the security enabled switchport. It looks like my switch logically disabled the port.
  • mgeorge
    Here's the link to the switch IOS images on Cisco's website; you just need a guest TCO account.

    http://tools.cisco.com/support/downloads/pub/MDFTree.x?butype=switches
  • mgeorge
    Yep, the latest version for your switch, if it's a 2900XL, should be 12.0.5-WC17(ED).
  • Netstudent
    Here is the one I have:
    flash:/c2950-i6q4l2-mz.121-11.EA1.bin

    That 2900XL I mentioned earlier was a different switch I was trying to do EtherChannel with. Separate issue. 2924.

    The port-sec is on a 2950.
  • mgeorge
    Ahhh, so you're using a 2950!! Okay, I got the impression you were using a 2900XL from the post.
    2950s do support port restriction.

    Also you can download that IOS as well from that link free; the latest is 12.1.22-EA10(ED).
  • Netstudent
    what exactly do you mean when you say "port-restriction"?

    Are you talking about the violation parameter?
    Switch(config-if)#switchport port-security violation ?
    protect Security violation protect mode
    restrict Security violation restrict mode
    shutdown Security violation shutdown mode

    In which case the definition would be:

    restrict—A port security violation restricts data and depending on the type of secure address, sends a system log message, sends an SNMP trap, and causes the SecurityViolation counter to increment.

    Sorry about the confusion..
  • mgeorge
    Cisco explains it as "blocking all bidirectional data per port per violation".

    The link I posted above (and again below) will explain the violation actions in detail. Just scan through it:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wpxref93821
    switchport port-security violation {protect | restrict | shutdown}
    (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:

    •protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

    •restrict—A port security violation restricts data and causes the SecurityViolation counter to increment.

    •shutdown—The interface is error-disabled when a security violation occurs.

    Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command or you can manually re-enable it by entering the shutdown and no shut down interface configuration commands.
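The three violation modes quoted above, as an added illustration that is not Cisco's code and not part of the original thread: a small Python model of one secure port that applies the rules in the documentation text (protect drops silently, restrict drops and counts, shutdown err-disables the port), run against the two router MAC addresses from the opening post. The syslog strings mimic the IOS messages shown later in the thread; the class, its methods and the constructed scenario are this example's own assumptions.

```python
"""Model of the port-security violation modes (protect / restrict / shutdown).

Added example, not Cisco code.  The rules come from the documentation text
quoted in the thread; class and method names are this example's own.
"""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = SHUTDOWN        # IOS default violation mode
    secure_macs: list = field(default_factory=list)   # sticky/static table
    violation_count: int = 0         # "Security Violation Count"
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def status(self) -> str:
        """Mirrors the 'Port Status' field of show port-security interface."""
        return "Secure-shutdown" if self.err_disabled else "Secure-up"

    def ingress(self, src_mac: str) -> bool:
        """Process one frame; True if forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                         # link is down, nothing passes
        if src_mac in self.secure_macs:
            return True                          # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)     # sticky learning fills the table
            return True
        # Table full and source unknown: this is a violation.
        if self.violation == PROTECT:
            return False                         # silent drop, no counter, no log
        self.violation_count += 1
        self.syslog.append(
            "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == SHUTDOWN:
            self.err_disabled = True             # port goes err-disabled
            self.syslog.append(
                "%PM-4-ERR_DISABLE: psecure-violation error detected on "
                f"{self.name}, putting {self.name} in err-disable state")
        return False

    def errdisable_recover(self) -> None:
        """What 'shutdown' / 'no shutdown' (or errdisable recovery) does."""
        self.err_disabled = False


def run_scenario(mode: str) -> dict:
    """Constructed scenario from the opening post: the first router is learned
    as the sticky address, a second router is plugged in, then the first one
    sends again."""
    port = SecurePort("FastEthernet0/2", maximum=1, violation=mode)
    first = port.ingress("00d0.5842.58a0")     # learned, becomes sticky
    intruder = port.ingress("00d0.5840.4620")  # violates the limit of 1
    again = port.ingress("00d0.5842.58a0")     # legitimate host afterwards
    return {
        "first": first, "intruder": intruder, "legit_after": again,
        "status": port.status(),
        "violations": port.violation_count,
        "syslog": len(port.syslog),
        "secure": list(port.secure_macs),
    }


if __name__ == "__main__":
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        print(mode, run_scenario(mode))
```

The point the model makes is the one the thread circles around: in all three modes the intruder's frames are dropped, but only shutdown takes the legitimate host down with the port, and only restrict and shutdown leave any trace in the violation counter or syslog.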
  • Netstudent
    Oh okay... yeah, I actually had that article already pulled up and was skimming through it when you first posted it. Well, I guess I'm not going to worry about not seeing the "err-disabled" option. I mean, I tested it with ICMP and I could not send out an echo-reply, but when I connected the correct MAC back into the port, I could ping everything from everything. So thanks for the help.
  • mgeorge
    Yeah, I guess I need to go to bed; man, my brain is starting to hurt with all the confusion in the air.

    Anyhow, download the latest IOS for that switch and there might be some new features for you to
    play with. Anyhow, enjoy.
  • dtlokee
    And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt, it will be specified by an engineer.

    Since when? We use nothing but Dot1x authentication with computer certificates, port security would be too much to maintain (I do work for a subcontractor to the NSA)

    Here is the switch config, basically what you configured:
    interface FastEthernet0/1
     switchport mode access
     switchport port-security
     switchport port-security mac-address sticky
     switchport port-security mac-address sticky 0007.85c2.9a3f
    

    Here is the output of "show port-security interface fa0/1"
    SW1(config-if)#do sh port-sec int fa0/1
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 1
    Last Source Address:Vlan   : 0007.85c2.9a3f:1
    Security Violation Count   : 0
    

    I then changed the mac-address of the router connected to the interface using the "mac-address 0001.2345.6789" command (the router fa0/0 is connected to the switch fa0/1)
    00:09:30: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
    00:09:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.2345.6789 on port FastEthernet0/1.
    00:09:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
    00:09:32: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
    SW1(config-if)#
    SW1(config-if)#do sh port-sec int fa0/1
    Port Security              : Enabled
    Port Status                : Secure-shutdown
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 1
    Last Source Address:Vlan   : 0001.2345.6789:1
    Security Violation Count   : 1
    
    SW1(config-if)#do sh int fa0/1
    
    FastEthernet0/1 is down, line protocol is down (err-disabled)
      Hardware is Fast Ethernet, address is 001a.e3a8.8f03 (bia 001a.e3a8.8f03)
      MTU 1504 bytes, BW 100000 Kbit, DLY 100 usec, 
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Auto-duplex, Auto-speed, media type is 10/100BaseTX
    <<output cut>>
    
    

    That is what you should see in your output. Notice in the output after the console messages the interface "port status :Secure-Shutdown" and in the output of the show interface fa0/1 command it says "FastEthernet0/1 is down, line protocol is down (err-disabled)"

    HTH
    The only easy day was yesterday!
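As an added example (not part of the thread and not a Cisco tool): a Python audit that parses a "show port-security interface" snapshot in the layout shown above, together with the "show errdisable recovery" output posted earlier, and reports the conditions this thread is chasing: whether the port actually went err-disabled, whether it will come back on its own, and whether a violation could have gone unnoticed. The two samples are constructed from the outputs in those posts; the function names, key normalization and the findings list are this example's own assumptions.

```python
"""Audit 'show port-security interface' plus 'show errdisable recovery'.

Added example, not Cisco code.  Assumes the 'Key : value' layout seen in the
thread's outputs; a different IOS train may print slightly different labels.
"""
import re

# Constructed sample, taken from the post-violation output in the thread.
PSEC_SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.2345.6789:1
Security Violation Count   : 1
"""

# Constructed sample, taken from the 'show errdisable recovery' post.
ERRDISABLE_SAMPLE = """\
ErrDisable Reason Timer Status

udld Disabled
bpduguard Disabled
channel-misconfig Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
psecure-violation Disabled
gbic-invalid Disabled

Timer interval: 300 seconds
"""

# Key is everything before the last ' :' that is preceded by whitespace, so
# 'Last Source Address:Vlan   : 0001.2345.6789:1' splits in the right place.
_KV = re.compile(r"^\s*(.*?)\s+:\s*(.*?)\s*$")


def parse_port_security(text: str) -> dict:
    """'Port Status : Secure-shutdown' -> {'port_status': 'Secure-shutdown'}.
    Purely numeric values become ints; everything else stays a string."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key = re.sub(r"[^a-z0-9]+", "_", m.group(1).lower()).strip("_")
        value = m.group(2)
        fields[key] = int(value) if value.isdigit() else value
    return fields


def parse_errdisable_recovery(text: str) -> dict:
    """Return {'psecure-violation': 'Disabled', ..., 'timer': 300}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(Enabled|Disabled)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
        m = re.match(r"^\s*Timer interval:\s*(\d+)", line)
        if m:
            out["timer"] = int(m.group(1))
    return out


def audit(psec: dict, recovery: dict, port: str = "Fa0/1") -> list:
    """Findings a practitioner would want from the two snapshots."""
    findings = []
    status = str(psec.get("port_status", "")).lower()
    mode = str(psec.get("violation_mode", "")).lower()
    violations = psec.get("security_violation_count", 0)
    if "shutdown" in status:
        findings.append(f"{port}: err-disabled by port-security "
                        f"(last source {psec.get('last_source_address_vlan')})")
        if recovery.get("psecure-violation") != "Enabled":
            findings.append(f"{port}: errdisable recovery for psecure-violation "
                            "is off; needs 'shutdown'/'no shutdown' or "
                            "'errdisable recovery cause psecure-violation'")
    elif violations:
        findings.append(f"{port}: {violations} violation(s) logged but port still "
                        f"up (mode {mode}); intruder dropped, host stays on")
    if mode == "protect":
        findings.append(f"{port}: protect mode drops silently; violations will "
                        "not show in the counter or syslog")
    if psec.get("sticky_mac_addresses", 0) + psec.get("configured_mac_addresses", 0) == 0:
        findings.append(f"{port}: no sticky or static secure address; learned "
                        "addresses are lost on reload")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_port_security(PSEC_SAMPLE),
                         parse_errdisable_recovery(ERRDISABLE_SAMPLE)):
        print(finding)
```

Run against the two samples it reports that Fa0/1 is err-disabled and that, with psecure-violation recovery disabled and a 300-second timer that therefore never applies, the port stays down until someone issues shutdown/no shutdown, which is exactly the manual step the quoted documentation note describes.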
  • Netstudent
    So you can change the MAC of the router's Ethernet interface by using that command "mac-address 0001.2345.6789"? I did not know that!!

    So why didn't my interface go down when I switched routers on the fa0/2 switch interface? It did deny all traffic from the violating router, I couldn't ping out, but it did not shut down the interface (err-disabled).

    So what did I miss? I posted all the relevant configs. Could it be my IOS version? I tried setting the violation parameter to shutdown and restrict.

    What model switch and IOS version are you running, Derek?
  • dtlokee
    The IOS version is 12.2 on a 3560; I don't have remote access to any 2950s in the lab.

    Although it seems the IOS name you posted is a 2900XL, not sure what you have going on there; did someone rename it from c2950 to c2900xl? What version do you have when you enter a "show version" command? I am pretty sure all the 2950 IOS versions act the same for port security.
  • Netstudent
    flash:/c2950-i6q4l2-mz.121-11.EA1.bin

    No, that 2900XL is a 2924 that I had problems creating EtherChannels on. The 2950 is the switch I had the port-sec issues with. I posted the IOS version for the 2950. Sorry about the confusion; I was trying to kill two birds with one stone. But I'm still curious about this mac-address xx-xx-xx-xx-xx-xx command that you used. So that CAN change the MAC address for the Ethernet NIC in my router???? I'm on vacation now so I can't recreate the lab to do further testing. I'll try again when I get back home. Thanks for the help, Derek and Matt!!!!! If you have any suggestions on what could have gone wrong, I'll be in the forum from time to time. I'm addicted.
  • mgeorge
    dtlokee wrote:
    And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt, it will be specified by an engineer.

    Since when? We use nothing but Dot1x authentication with computer certificates, port security would be too much to maintain (I do work for a subcontractor to the NSA)

    There are a lot of federal buildings that still use port-sec. I was just making an example that could be understood in lieu of this topic (a CCNA topic, not CCNP/CCSP). Of course, times change and new security protocols/standards are released. 802.1X was released in mid 2001 and it's just now becoming a widely accepted standard within most businesses. Where I'm located I actually see more people use port-sec rather than 802.1X, but I guess it's just my area.
  • sprkymrk
    I've seen a lot of port security in the Army. Not everywhere, but enough to be fairly common even in large (4000+) networks. At my installation we use it on about 25% of our switches.
  • dtlokee
    There are a lot of federal buildings that use port sec still

    Yes there are; we use it here and there, but it increases the management of the network substantially with moves and adds. The other problem is it isn't truly secure, in that if you spoof the MAC address you can bypass the security. You can also inflict a DoS attack against the network by spoofing the MAC address assigned to a secure port on a different device in the network. Attaching a router with PAT configured to the port will allow someone to connect more hosts than port security was configured to allow. It's not a great solution. On the other hand, for a small company getting involved with dot1x authentication is overkill in most cases. But the company I have a contract with, their security policy requires all USB interfaces to be disabled in the OS and filled with epoxy; I think that's nuts.

    The main reason I use port security is to restrict the number of addresses that are learned on an interface to prevent MAC overflow attacks.

    Your original statement "you will use port security" concerned me. I was pointing out there are other options.
  • mgeorge
    sprkymrk, I've seen a lot of Air Force sites use port-sec as well lol...

    My intention was that "you will use port-sec" as in the least secure scenario; as if you would "at least use port-sec".

    You got the wrong idea >.< but yes, I agree with you 100%: if you can use 802.1X then my lord use it.