scottsee
Post Whore
Posts: 1804
Joined: Wed Feb 10, 2010 2:45 am
Certs: NA:R&S, NA:Sec

port-security confusion

Tue Nov 30, 2010 1:12 am

I thought that each mode <protect>, <restrict> and <shutdown> is supposed to disregard the offending MAC address's traffic on the incoming switch port. I'm only able to get <shutdown> to stop offending traffic from reaching the layer 3 Vlan1 address of my switch.

As I understand this:

  • Protect disregards offending MAC address traffic on the incoming port, doesn't send any SNMP trap messages and doesn't increment the security violation counter.
  • Restrict disregards offending MAC address traffic on the incoming port, sends an SNMP trap message and increments the security violation counter.
  • Shutdown shuts down the port, sends an SNMP trap message and increments the security violation counter.

When I use protect, nothing happens.. I'm able to SSH into the switch's Vlan1 management IP interface successfully.
When I use restrict I receive an SNMP trap for the violation and the counter increments, but I'm still able to SSH into the switch.
Shutdown works as expected..

What gives? I thought the offending MAC address traffic was supposed to be dropped..

Code:
SW3#show running | be 0/1
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0000.1111.2222


Code:
SW3#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.1111.2222    SecureConfigured    Fa0/1        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024


Code:
SW3#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    000d.29ac.9300    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    0000.1111.2222    STATIC      Fa0/1
Total Mac Addresses for this criterion: 5


Code:
SW3#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        : 0022.6856.1294
Security Violation Count   : 104

Retired Account
Post Whore
Posts: 3512
Joined: Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Tue Nov 30, 2010 10:40 am

I don't remember needing to know this for the CCNA, but I'm definitely studying this for the CCNP Switch. Interesting question. So we see a security violation count increasing. Can you do more than just reach the management interface? Can you actually log in and make changes?

scottsee
Post Whore
Posts: 1804
Joined: Wed Feb 10, 2010 2:45 am
Certs: NA:R&S, NA:Sec

Re: port-security confusion

Tue Nov 30, 2010 10:51 am

I can SSH in, authenticated as my privilege level 15 user account. I ran a couple of show commands, but left it at that..

Retired Account
Post Whore
Posts: 3512
Joined: Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Tue Nov 30, 2010 10:54 am

I was doing some looking around but couldn't find anything. Can you post a show ver? I'll try this out at home tonight (if I remember) and let you know what I find on my 2950 and 3550 EMI.

Sounds like a weird issue... especially if it's flagging violations.

scottsee
Post Whore
Posts: 1804
Joined: Wed Feb 10, 2010 2:45 am
Certs: NA:R&S, NA:Sec

Re: port-security confusion

Tue Nov 30, 2010 10:58 am

I have 3 switches: 2950, 2950G and 3550. I only tried this on my 2950SI, it was 11:30pm. The IOS version is 12.1(22)xx, I thought it might just be something I overlooked.. I'll test it out on the other 2 switches when I get a little time this evening.
Last edited by scottsee on Tue Nov 30, 2010 1:19 pm, edited 1 time in total.

jdsilva
Post Whore
Posts: 5347
Joined: Mon Jan 17, 2005 11:01 pm
Certs: CCNP

Re: port-security confusion

Tue Nov 30, 2010 11:01 am

Just a guess...

The default maximum macs is 128. If you configure 1 mac statically the rest are learned dynamically. Add in the command 'switch port maximum mac 1' and try it again.

wirerat
Post Whore
Posts: 5340
Joined: Tue Mar 31, 2009 4:15 pm
Certs: More than none

Re: port-security confusion

Tue Nov 30, 2010 11:06 am

Infinite wrote: Just a guess...

The default maximum macs is 128. If you configure 1 mac statically the rest are learned dynamically. Add in the command 'switch port maximum mac 1' and try it again.

I thought one MAC address was the maximum default.
"See packet, be packet, you are packet. Ignore all else!" -The Networker
packetsdropped.wordpress.com

jdsilva
Post Whore
Posts: 5347
Joined: Mon Jan 17, 2005 11:01 pm
Certs: CCNP

Re: port-security confusion

Tue Nov 30, 2010 11:08 am


wirerat
Post Whore
Posts: 5340
Joined: Tue Mar 31, 2009 4:15 pm
Certs: More than none

Re: port-security confusion

Tue Nov 30, 2010 11:09 am

Infinite wrote: Not according to step 4 here:

http://www.cisco.com/en/US/docs/switche ... #wp1044863

Going to have to go back over my CCNP training, I could've sworn somewhere in there it said 1 was the default max. My memory is horrible so that is most likely the problem. :)
"See packet, be packet, you are packet. Ignore all else!" -The Networker
packetsdropped.wordpress.com

scottsee
Post Whore
Posts: 1804
Joined: Wed Feb 10, 2010 2:45 am
Certs: NA:R&S, NA:Sec

Re: port-security confusion

Tue Nov 30, 2010 11:11 am

Infinite wrote: Not according to step 4 here:

http://www.cisco.com/en/US/docs/switche ... #wp1044863


That page indicates a default maximum of 1, and I'm almost 100% positive the default is 1, but I've been wrong before..

I just skimmed my CCNP Switch book on port-security and found a tip I'll try:

Code:
Tip: If an interface is undergoing the restrict or protect condition, you might need to clear
the learned MAC addresses so that a specific host can use the switch port. You can clear a
MAC address or the complete port cache with the following command:
Switch# clear port-security dynamic [address mac-addr | interface type mod/num]

jdsilva
Post Whore
Posts: 5347
Joined: Mon Jan 17, 2005 11:01 pm
Certs: CCNP

Re: port-security confusion

Tue Nov 30, 2010 11:13 am

Ahh eff. I linked to the 6500 document. The 2950 12.1(20) config guide says 1 mac.

http://www.cisco.com/en/US/docs/switche ... #wp1038552

Vito_Corleone
Moderator
Posts: 9850
Joined: Mon Apr 07, 2008 10:38 am
Certs: CCNP RS, CCNP DC, CCDP, CCIP

Re: port-security confusion

Tue Nov 30, 2010 11:15 am

1 should be the default. Most of our switches are configured with port-security and we leave the max at the default, which blocks more than one MAC.
http://blog.alwaysthenetwork.com

jdsilva
Post Whore
Posts: 5347
Joined: Mon Jan 17, 2005 11:01 pm
Certs: CCNP

Re: port-security confusion

Tue Nov 30, 2010 11:17 am

show port-security will tell you. scottsee posted that in his first post. The max is one.

scottsee
Post Whore
Posts: 1804
Joined: Wed Feb 10, 2010 2:45 am
Certs: NA:R&S, NA:Sec

Re: port-security confusion

Tue Nov 30, 2010 12:39 pm

Yeah, so I figured maybe it was a problem with the MAC address table, so I unplugged my cat6 cable from the switch, turned it on, configured port-security without the switch ever learning a dynamic MAC from my NIC, and the issue still occurs.

I tried the following command to flush any dynamic MAC but it didn't stop the offending frames from entering the Vlan1 interface..
Code:
#clear port-security dynamic interface fastEthernet 0/1


I wonder if the VLAN1 management interface is an exception to port-security?..

scottsee
Post Whore
Posts: 1804
Joined: Wed Feb 10, 2010 2:45 am
Certs: NA:R&S, NA:Sec

Re: port-security confusion

Tue Nov 30, 2010 1:03 pm

Yep. I turned on another switch and trunked a link between the two. Communication to the VLAN management interface is successful even though port-security is configured on the switch, but it will not process frames designated to any other IP address. ICMP ping and Telnet session requests from my desktop to the 2nd switch failed every time while the port-security counters increase as expected. Essentially doing the job that it should. When I turned off port-security on the offending Fa0/1 port, layer 3 communication goes back to normal and I'm able to reach my second switch.

Interesting..
Last edited by scottsee on Tue Nov 30, 2010 1:17 pm, edited 3 times in total.

Vito_Corleone
Moderator
Posts: 9850
Joined: Mon Apr 07, 2008 10:38 am
Certs: CCNP RS, CCNP DC, CCDP, CCIP

Re: port-security confusion

Tue Nov 30, 2010 1:14 pm

I'm confused
http://blog.alwaysthenetwork.com

scottsee
Post Whore
Posts: 1804
Joined: Wed Feb 10, 2010 2:45 am
Certs: NA:R&S, NA:Sec

Re: port-security confusion

Tue Nov 30, 2010 1:14 pm

Me too.. The 2950's IOS version is 12.1(22). Maybe it's a glitch in the matrix. :shock:

Retired Account
Post Whore
Posts: 3512
Joined: Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Tue Nov 30, 2010 3:09 pm

Yeah... that sounds very weird. I'll try it on my 2950, 2950T, and 3550 and see what I find.

scottsee
Post Whore
Posts: 1804
Joined: Wed Feb 10, 2010 2:45 am
Certs: NA:R&S, NA:Sec

Re: port-security confusion

Tue Nov 30, 2010 3:12 pm

Please do..

ristau5741
Post Whore
Posts: 10398
Joined: Tue Aug 21, 2007 2:15 pm
Certs: Instanity

Re: port-security confusion

Tue Nov 30, 2010 4:21 pm

Maybe the difference is the plane you are riding on, data vs. management plane.
Are you going to the switch or through the switch?
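As an added example (not code from anyone in this thread), a small Python check that parses the `show port-security interface` output format quoted above and reports what each violation mode will and will not tell you about an offending host; the sample output is constructed from the values posted earlier, not a new capture.

```python
import re

# Constructed sample, modelled on the "show port-security interface" output
# quoted earlier in this thread (not a real capture).
SAMPLE = """\
SW3#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        : 0022.6856.1294
Security Violation Count   : 104
"""

def parse_port_security(text):
    """Parse the 'Key : Value' lines into a dict; the prompt line names the port."""
    lines = text.strip().splitlines()
    match = re.search(r"interface\s+(.+)$", lines[0])
    info = {"interface": match.group(1).strip() if match else None}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info

def assess(info):
    """Return findings: which 'unknown host attached' signals this port gives."""
    findings = []
    mode = info.get("Violation Mode", "").lower()
    count = int(info.get("Security Violation Count", "0"))
    status = info.get("Port Status", "").lower()
    if mode == "protect":
        # Protect drops offending frames silently: no trap and no counter, so
        # this output can never show that an unknown MAC is attached.
        findings.append("protect: violations are silent, this output cannot show them")
    if mode == "restrict" and count > 0:
        # The counter proves an unknown MAC is attached. As observed in this
        # thread, restrict still let frames addressed to the switch's own SVI
        # through, so management-plane access needs its own controls.
        findings.append(f"restrict: {count} violations, last source "
                        f"{info.get('Last Source Address')}; verify management access")
    if mode == "shutdown" and "err" in status:
        findings.append("shutdown: port is err-disabled until recovered")
    return findings
```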
