Switchport Port-Security

Netstudent,

What do you think "switchport port-security mac-address sticky" is supposed to do?

it is supposed to limit that port to the first learned MAC address, which it did. But I configured the violation parameter to shutdown and I also plugged in another MAC address(NIC). It isn't taking the interface out of service like the book says it should. I just figured there was a configuration option i missed,

Netstudent,

Looks like you did more than just plug in another NIC. You added an extra configuration line of ...

switchport port-security mac-address sticky 00d0.5842.58a0

Is the MAC address of 00d0.5842.58a0 for:

First NIC?
Second NIC?

I added "switchport port-security mac-address sticky" and then the
switchport port-security mac-address sticky 00d0.5842.58a0 was automatically added to the running-config after the first address was learned.

This is the first NIC. Sticky learned the first source MAC address from the first frame sent to the port. The errors messages I posted includes the MAC for the 2nd NIC that is violating the sticky rule.

I will add that the NICs I am talking about are just routers. I'm using the routers to test and verify port security options.

Cucumber

Just for curiosity, what does your switch show with this command?

show errdisable recovery

sprkymrk

I see in the config where it appears you set the violation to shutdown, but not in your commands. Also, what happens if you try "restrict" instead of "shutdown"?

switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky

Netstudent wrote:

I added "switchport port-security mac-address sticky" and then the
switchport port-security mac-address sticky 00d0.5842.58a0 was automatically added to the running-config after the first address was learned.

This is the first NIC. Sticky learned the first source MAC address from the first frame sent to the port. The errors messages I posted includes the MAC for the 2nd NIC that is violating the sticky rule.

I will add that the NICs I am talking about are just routers. I'm using the routers to test and verify port security options.

Netstudent,

Did you know that "switchport port-security" is supposed to be used for hosts instead of networking devices such as routers?

Well this is a common question I get asked alot from people.

Port security is used to do one simple thing, which is to block other devices from connecting to a
a port that is required for a specified device set by a network engineer.

And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt,
it will be specified by an engineer.

But keep in mind when a port sec violation happens the port does not disable like you think.

Your probably thinking the IOS should issue the "shutdown int f0/21" command which it dosent.
The switch will disable the port logically but not physically, thus rendering it inert to communicate
to the network. Yes the actvity lights will still be active and it will still look like the port is active,
but that port will not be able to communicate to the network unless the switch determines the
device specified in the security table is attached to that port. That is the logic behind why cisco
did it this way. If the port was to disable its self phyiscally (ie; shutdown int f0/1) then how would
the switch know if the correct device has been reconnected? This costs time where the admin
has to go back into the switch and type in "no shut int f0/1". This is listed under an RFC I beleive.

Does this answer your question?

mgeorge27 wrote:

Well this is a common question I get asked alot from people.

Port security is used to do one simple thing, which is to block other devices from connecting to a
a port that is required for a specified device set by a network engineer.

And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt,
it will be specified by an engineer.

mgeorge27,

I guess I sit corrected.

mgeorge27 wrote:

Well this is a common question I get asked alot from people.

Port security is used to do one simple thing, which is to block other devices from connecting to a
a port that is required for a specified device set by a network engineer.

And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt,
it will be specified by an engineer.

But keep in mind when a port sec violation happens the port does not disable like you think.

Your probably thinking the IOS should issue the "shutdown int f0/21" command which it dosent.
The switch will disable the port logically but not physically, thus rendering it inert to communicate
to the network. Yes the actvity lights will still be active and it will still look like the port is active,
but that port will not be able to communicate to the network unless the switch determines the
device specified in the security table is attached to that port. That is the logic behind why cisco
did it this way. If the port was to disable its self phyiscally (ie; shutdown int f0/1) then how would
the switch know if the correct device has been reconnected? This costs time where the admin
has to go back into the switch and type in "no shut int f0/1". This is listed under an RFC I beleive.

Does this answer your question?

That makes complete sense. Thanks matt. But shouldn't I still get an err-disable output in the show port-sec int fa0/2?

CUCUMBER here is the output:
Switch#show errdisable recovery
ErrDisable Reason Timer Status

udld Disabled
bpduguard Disabled
channel-misconfig Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
psecure-violation Disabled
gbic-invalid Disabled

Timer interval: 300 seconds

Can you do a sh int f0/2 (w/e the port is you have setup with sec) and see if its up and the lp is down?

okay so I have a Broadcast OSPF network setup already. All router ethernet interfaces are connected to the switch and in the same subnet. Since I already had that setup, I tried to ping a neighboring router from a violating router and it wouldnt ping. So i intentionally connected the wrong router into the secured switchport, and I could not transmit squat. So i guess port-security is working even though I am not seeing a err-disabled notification in the show port-sec int fa0/2 ouput. So i guess I should have been testing the larger picture and not worrying about the port status.

Well I had to do some "google'ing" on this question to find out the 100% total correct answer.

Some switches will disable the port phyiscally and some switches will not... This is limited by the
IOS running on the switch, the "restriction" will keep the port active but deny all data received.
So my guess would be that newer switches will support this RFC to disable the port logically and
isolate it. The older switches will physically disable the port. ie "Administratively shut down, Line
protocol down"

Chances are your 2900XL should disable it phyiscally. "not 100% sure, its been 3 years since ive
used a 2900xl" but check and see if you can do a violation restriction.

Also look in my IOS guide and you will find a link to cisco's website where you can download
switch ios's free. Download the latest IOS. Be sure to set the boot paramters on the switch
before you reload after upgrading ios or you will have a long night.

this link may help a little bit with understanding port sec on the 2900 and 3500xl
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wpxref93821

this is actually an interesting post

Im guessing keep playing with this topic and you'll figure it out completely.

mgeorge27 wrote:

Can you do a sh int f0/2 (w/e the port is you have setup with sec) and see if its up and the lp is down?

FastEthernet0/2 is up, line protocol is up
Hardware is Fast Ethernet, address is 000a.f4bb.ee82 (bia 000a.f4bb.ee82)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s

this output was taken while the wrong router was connected to the security enabled switchport. It looks like my switch logically disabled the port.

heres the link to the switch ios's on cisco's website, you need just a guest TCO account.

http://tools.cisco.com/support/downloads/pub/MDFTree.x?butype=switches

yep latest version for your switch if its a 2900xl should be 12.0.5-WC17(ED)

here is the one I have
flash:/c2950-i6q4l2-mz.121-11.EA1.bin"

that 2900XL I mentioned earlier was a different switch I was trying to do etherchannel with. Separate issue. 2924

the port-sec is on a 2950..

Ahhh so your using a 2950!! okay, i got the impression you was using a 2900xl from the post.
2950's do support port restriction.

Also you can download that ios as well from that link free, the latest is 12.1.22-EA10(ED)

what exactly do you mean when you say "port-restriction"?

Are you talking about the violation parameter?
Switch(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode

IN which case the definition would be

restrict—A port security violation restricts data and depending on the type of secure address, sends a system log message, sends an SNMP trap, and causes the SecurityViolation counter to increment.

Sorry about the confusion..

Cisco explains it as "blocking all bidirectional data per port per violation"

the link i posted above & below agian, will explain the vilation actions in detail. just scan through it
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wpxref93821

switchport port-security violation {protect | restrict | shutdown}
(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:

•protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

•restrict—A port security violation restricts data and causes the SecurityViolation counter to increment.

•shutdown—The interface is error-disabled when a security violation occurs.

Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command or you can manually re-enable it by entering the shutdown and no shut down interface configuration commands.

oh okay...ya I actually had that article already pulled up and was skimming through it when you first posted it...Well I guess I'm not going to worry about not seeing the "err-disbaled" option. I mean i tested it with ICMP and I could not send out a echo-reply, but when I connected the correct MAC back into the port, I could ping everything from everything. So thanks for the help.

yeah i guess i needa go to bed, man my brain is starting to hurt with all the confussion in the air

any who download the latest ios for that switch and their might be some new features for ya to
play with. any who enjoy

dtlokee

And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt, it will be specified by an engineer.

Since when? We use nothing but Dot1x authentication with computer certificates, port security would be too much to maintain (I do work for a subcontractor to the NSA)

Here is the switch config, basically what you configured:

interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0007.85c2.9a3f

Here is the output of "show port-security interface fa0/1"

SW1(config-if)#do sh port-sec int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0007.85c2.9a3f:1
Security Violation Count   : 0

I then changed the mac-address of the router connected to the interface using the "mac-address 0001.2345.6789" command (the router fa0/0 is connected to the switch fa0/1)

00:09:30: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
00:09:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.2345.6789 on port FastEthernet0/1.
00:09:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
00:09:32: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
SW1(config-if)#
SW1(config-if)#do sh port-sec int fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.2345.6789:1
Security Violation Count   : 1

SW1(config-if)#do sh int fa0/1

FastEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 001a.e3a8.8f03 (bia 001a.e3a8.8f03)
  MTU 1504 bytes, BW 100000 Kbit, DLY 100 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
<<output cut>>

That is what you should see in your output. Notice in the output after the console messages the interface "port status :Secure-Shutdown" and in the output of the show interface fa0/1 command it says "FastEthernet0/1 is down, line protocol is down (err-disabled)"

HTH

SO you can change the MAC of the router's ethernet interface by using that command "mac-address 0001.2345.6789"? I did not know that!!

So why didn't my interface go down when I switched routers on the fa0/2 switch interface? It did deny all traffic from the violating router, I couldn't ping out, but it did not shut down the interface. err-disbaled

So what did I miss? I posted all the relevant configs. Could it be my IOS version? I tried setting the violation parameter to shutdown and restricted.

What model switch and IOS version are you running Derek?

dtlokee

The IOS version is 12.2 on a 3560, I don't have remote access to ay 2950's in the lab.

Although it seems the IOS name you posted is a 2900xl, not sure what you have going on there, did somone rename it from c2950 to c2900xl? What version do you have when you enter a "show version" command? I am pretty sure all the 2950 ios versions act the same for port security.

flash:/c2950-i6q4l2-mz.121-11.EA1.bin"

No that 2900XL is a 2924 that I had problems creating Etherchannels on. The 2950 is the switch i had the port sec. issues with. I posted the IOS version for the 2950. Sorry about the confusion. I was trying to kill two birds with one stone. But i'm still curious about this Mac-address xx-xx-xx-xx-xx-xx command that you used. So that CAN change the MAC address for the ethernet nic in my router???? I'm on vacation now so i can't recreate the lab to do further testing. I'll try again when i get back home. Thanks for the help derek and matt!!!!! IF you have any sugestions on what could have went wrong, I'll be in the forum from time to time. I'm addicted.

dtlokee wrote:

And yes, in a totally secure network (such as Department of Defense or FBI, etc..) you will use port security on every device, and for routers and switches, the port sec policy will not be learnt, it will be specified by an engineer.

Since when? We use nothing but Dot1x authentication with computer certificates, port security would be too much to maintain (I do work for a subcontractor to the NSA)

Their are alot of federal buildings that use port sec still. I was just making an example that could be understood in leau of this topic; (a ccna topic, not ccnp/ccsp) Of course, time changes and new security protocols/standards are released. 802.1x was released mid 2001 and its just now becomming a widley accepted standard within most businesses. Where I'm located at, I actually see more people use portsec rather than 802.1x but I guess it's just my area.

sprkymrk

I've seen a lot of port security in the Army. Not everywhere, but enough to be fairly common even in large (4000+) networks. At my installation we use it on about 25% of our switches.

dtlokee

Their are alot of federal buildings that use port sec still

Yes there are, we use it here and there but it increases the management of the network substantially with moves and adds. The other problem is it isn't truly secure in that if you spoof the MAC address you can bypass the security. You can also inflict a DoS attack against the network by spoofing the MAC address assigned to a secure port on a different device in the network. Attaching a router with PAT configured to the port will allow somone to connect more hosts than port security was configured to allow. It's not a great solution. On the other hand for a small company getting involved with dot1x authentication is overkill in most cases. But the company I have a contract with, their security policy requires all USB interfaces to be disabled in the OS and filled with epoxy, I think that's nuts.

The main reason I use port security is to restrict the number of addresses that are learned on an interface to prevent MAC overflow attacks.

your original statement "you will use port security" concerned me. I was pointing out there are other options.