scottsee
Post Whore
Posts:
1800
Joined:
Wed Feb 10, 2010 2:45 am
Certs:
NA:R&S, NA:Sec

Re: port-security confusion

Tue Dec 07, 2010 3:08 am

I took the time tonight to figure this out because it had been bugging me. I've found that as long as I separate the management VLAN from a port's native VLAN, everything works as expected. It's when both are on the same VLAN that port security will still allow management access to the switch during Restrict and Protect violation modes. I used router-on-a-stick to facilitate and test the inter-VLAN routing. I'm sure the same thing could be achieved via Layer 3 switching, but I didn't test it.

Retired Account
Post Whore
Posts:
3512
Joined:
Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Wed Dec 08, 2010 2:57 am

Yeah I suspected it had to do with having everything on VLAN 1.

matgar
Ultimate Member
Posts:
722
Joined:
Wed Nov 17, 2010 5:53 pm
Certs:
CCNP, CCIP, CCNA Security

Re: port-security confusion

Wed Dec 08, 2010 6:35 am

Probably one of the reasons Cisco recommends never using VLAN 1.

joshuamorgan
Member
Posts:
120
Joined:
Thu Sep 02, 2010 3:18 am
Certs:
CCNA, CCNA Voice, CCNP, CCDA

Re: port-security confusion

Thu Dec 09, 2010 4:54 am

Steven King wrote: Yeah I suspected it had to do with having everything on VLAN 1.


I've tested this scenario too using 2950s, but on VLAN 192: the switch's management interface is Vlan192 and the switch interface my offending NIC was connected to was in VLAN 192. Thus, it's not solely VLAN 1.

scottsee
Post Whore
Posts:
1800
Joined:
Wed Feb 10, 2010 2:45 am
Certs:
NA:R&S, NA:Sec

Re: port-security confusion

Thu Dec 09, 2010 10:30 am

joshuamorgan wrote:
Steven King wrote: Yeah I suspected it had to do with having everything on VLAN 1.


I've tested this scenario too using 2950s, but on VLAN 192: the switch's management interface is Vlan192 and the switch interface my offending NIC was connected to was in VLAN 192. Thus, it's not solely VLAN 1.


Yeah, as long as you separate the management VLAN from a connected switchport's native access VLAN, all will be fine. It's when both the switchport and the management interface share the same native VLAN that you effectively negate any Restrict and Protect port-security for devices physically connected to the switch.

I think it's cool, I love little unexpected results like this!

ristau5741
Post Whore
Posts:
10296
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: port-security confusion

Thu Dec 09, 2010 10:48 am

Just keep in mind, real-world results do not necessarily coincide with the correct answers on the exam.

Halo
Post Whore
Posts:
1008
Joined:
Thu Oct 14, 2010 4:39 am
Certs:
CCNP (R&S, Security), ITILv3 Foundation

Re: port-security confusion

Thu Dec 09, 2010 11:03 am

scottsee wrote: Yeah, as long as you separate the management VLAN from a connected switchport's native access VLAN, all will be fine. It's when both the switchport and the management interface share the same native VLAN that you effectively negate any Restrict and Protect port-security for devices physically connected to the switch.


I've skimmed the thread, so apologies if I've missed the answer to this question, but does the port security restriction affect management traffic passing through the switch? I'd sort of expect it to allow traffic heading to the switch control plane, but I'd be a little puzzled if it allowed traffic on a management VLAN to pass through the switch.

scottsee
Post Whore
Posts:
1800
Joined:
Wed Feb 10, 2010 2:45 am
Certs:
NA:R&S, NA:Sec

Re: port-security confusion

Thu Dec 09, 2010 11:50 am

Halo wrote:
scottsee wrote: Yeah, as long as you separate the management VLAN from a connected switchport's native access VLAN, all will be fine. It's when both the switchport and the management interface share the same native VLAN that you effectively negate any Restrict and Protect port-security for devices physically connected to the switch.


I've skimmed the thread, so apologies if I've missed the answer to this question, but does the port security restriction affect management traffic passing through the switch? I'd sort of expect it to allow traffic heading to the switch control plane, but I'd be a little puzzled if it allowed traffic on a management VLAN to pass through the switch.


No need to apologize, I hate reading 5-6 pages just to get caught up!

As I tested it, this is the case: if the offending switchport is configured as Protect or Restrict and is on the same native (access) VLAN as the management interface, once connected to the switch (SSH or Telnet), the offending device can pass traffic through the switch as if port security was not configured. The security violation counters will increment, but no port restrictions will actually be applied. I haven't tested this thoroughly, but from what I've seen I had no problems telnetting into any other devices on my network or reaching my default gateway, name server, or using ICMP on outside IP addresses.

I think that answers your question. If I'm missing the point, just hit me on the head.. :P
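The two layouts compared in this thread (scottsee's first post on separating the management VLAN from the port's access VLAN, and the description above of the shared-VLAN case where only the violation counter moves) as a single added configuration example. This is not config from any poster; VLAN numbers, interface names and addresses are assumed, and the Restrict-mode behaviour reported here is what the thread observed on its own gear, not something guaranteed on every platform or IOS release.

```ios
! ===== Layout the thread reports as problematic (assumed numbers) =====
! Secured access port and the management SVI share VLAN 1.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 1
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no shutdown

! ===== Layout scottsee reports as working: dedicated management VLAN =====
! Assumed: VLAN 10 = user data, VLAN 99 = switch management, VLAN 1 unused.
vlan 10
 name DATA
vlan 99
 name MGMT
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Trunk to the router-on-a-stick that does the inter-VLAN routing.
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,99
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 192.168.99.2 255.255.255.0
 no shutdown
!
ip default-gateway 192.168.99.1

! ===== Router side of the router-on-a-stick (assumed addresses) =====
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/0.99
 encapsulation dot1Q 99
 ip address 192.168.99.1 255.255.255.0

! ===== Verification on the switch (privileged EXEC) =====
! show port-security interface FastEthernet0/1
!   -> Port Status, Violation Mode, Maximum MAC Addresses, Security Violation Count
! show port-security address
!   -> the sticky/secured MAC learned on Fa0/1
```

To reproduce the test, plug the learned (sticky) host into Fa0/1, then swap in a second host with a different MAC. In Restrict mode the Security Violation Count in `show port-security interface` should increment while the port stays up; the thread's point is to then check whether that second host can still reach the switch's management address and, through it, other devices. Compare the result with Vlan1 carrying the management IP against the result with the management SVI moved to Vlan99.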

Retired Account
Post Whore
Posts:
3512
Joined:
Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Thu Dec 09, 2010 3:52 pm

Scott you realize you're testing a CCNP-level topic right? Kudos sir. :D

scottsee
Post Whore
Posts:
1800
Joined:
Wed Feb 10, 2010 2:45 am
Certs:
NA:R&S, NA:Sec

Re: port-security confusion

Thu Dec 09, 2010 4:29 pm

Steven King wrote: Scott you realize you're testing a CCNP-level topic right? Kudos sir. :D


Well, it didn't exactly start out that way. I was just trying to figure out why port-security wasn't functioning as expected..

joshuamorgan
Member
Posts:
120
Joined:
Thu Sep 02, 2010 3:18 am
Certs:
CCNA, CCNA Voice, CCNP, CCDA

Re: port-security confusion

Fri Dec 10, 2010 1:37 am

Steven King wrote: Scott you realize you're testing a CCNP-level topic right? Kudos sir. :D


I'm sorry, but how is port-security restrict/protect/shutdown behavior CCNP-level? It's covered in ICND1.

matgar
Ultimate Member
Posts:
722
Joined:
Wed Nov 17, 2010 5:53 pm
Certs:
CCNP, CCIP, CCNA Security

Re: port-security confusion

Fri Dec 10, 2010 2:38 am

joshuamorgan wrote:
Steven King wrote: Scott you realize you're testing a CCNP-level topic right? Kudos sir. :D


I'm sorry, but how is port-security restrict/protect/shutdown behavior CCNP-level? It's covered in ICND1.

It comes down to the level of testing done. Steven King was just commenting that Scott was taking it farther than CCNA is meant to (perhaps the wording should be "needs to").
For example, Spanning Tree: I would think it's covered in CCENT. It's also part of the CCIE. Does that make it a CCENT-level topic if you need to test/troubleshoot STP in the CCIE test/lab?

joshuamorgan
Member
Posts:
120
Joined:
Thu Sep 02, 2010 3:18 am
Certs:
CCNA, CCNA Voice, CCNP, CCDA

Re: port-security confusion

Fri Dec 10, 2010 5:11 am

matgar wrote:
joshuamorgan wrote:
Steven King wrote: Scott you realize you're testing a CCNP-level topic right? Kudos sir. :D


I'm sorry, but how is port-security restrict/protect/shutdown behavior CCNP-level? It's covered in ICND1.

It comes down to the level of testing done. Steven King was just commenting that Scott was taking it farther than CCNA is meant to (perhaps the wording should be "needs to").
For example, Spanning Tree: I would think it's covered in CCENT. It's also part of the CCIE. Does that make it a CCENT-level topic if you need to test/troubleshoot STP in the CCIE test/lab?


You raise a good point. For some reason I've been trying to learn everything I absolutely can about a given topic. For instance, I'm currently learning Spanning Tree Protocol, and I've gone to the extent of reading the IEEE specifications so I can get a firm grasp on how it works. I guess my approach is over the top.

matgar
Ultimate Member
Posts:
722
Joined:
Wed Nov 17, 2010 5:53 pm
Certs:
CCNP, CCIP, CCNA Security

Re: port-security confusion

Fri Dec 10, 2010 5:54 am

Well, it all comes down to what your goal is.
I always prefer learning as much as I can about a subject.

But for certification purposes, let's say CCENT or CCNA in this case, reading the IEEE specifications, RFCs or whitepapers is outside the scope of the exam.

From a learning perspective, only you can answer what level you want to be at.
Having a good grasp of something from the beginning can help you later on if you are thinking of studying more, or if you get a job within networking.

Halo
Post Whore
Posts:
1008
Joined:
Thu Oct 14, 2010 4:39 am
Certs:
CCNP (R&S, Security), ITILv3 Foundation

Re: port-security confusion

Fri Dec 10, 2010 6:10 am

I'm looking forward to testing this once I start putting my routing/switching lab together in the new year.

joshuamorgan
Member
Posts:
120
Joined:
Thu Sep 02, 2010 3:18 am
Certs:
CCNA, CCNA Voice, CCNP, CCDA

Re: port-security confusion

Fri Dec 10, 2010 6:21 am

matgar wrote: Well, it all comes down to what your goal is.
I always prefer learning as much as I can about a subject.

But for certification purposes, let's say CCENT or CCNA in this case, reading the IEEE specifications, RFCs or whitepapers is outside the scope of the exam.

From a learning perspective, only you can answer what level you want to be at.
Having a good grasp of something from the beginning can help you later on if you are thinking of studying more, or if you get a job within networking.


Yeah, I'm the same way (prefer to learn as much as I can about a subject). I currently work within networking and have found that knowing how something works, rather than simply knowing how to configure/troubleshoot according to procedures, often works better.

titaniumpower
Member
Posts:
205
Joined:
Thu Nov 18, 2010 1:40 pm
Certs:
A+, Network+

Re: port-security confusion

Fri Dec 10, 2010 10:57 am

Halo wrote: I'm looking forward to testing this once I start putting my routing/switching lab together in the new year.


I will be doing the same thing, Halo. I just have so much stuff to do right now that I don't want to half @#$ my studies.

Retired Account
Post Whore
Posts:
3512
Joined:
Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Wed Dec 22, 2010 12:07 am

Jeez, I didn't mean it as some serious comment, more like a "more power to ya" for Scott for digging in depth into the concepts.

joshuamorgan
Member
Posts:
120
Joined:
Thu Sep 02, 2010 3:18 am
Certs:
CCNA, CCNA Voice, CCNP, CCDA

Re: port-security confusion

Wed Dec 22, 2010 12:12 am

Steven King wrote: Jeez, I didn't mean it as some serious comment, more like a "more power to ya" for Scott for digging in depth into the concepts.


Yes, I apologize, my post was possibly a little harsh.

Retired Account
Post Whore
Posts:
3512
Joined:
Mon Nov 16, 2009 8:10 pm

Re: port-security confusion

Thu Dec 23, 2010 7:06 pm

Apology accepted.

/marks Joshua off the list of people to kill and puts on some lipstick

POP QUIZ! What movie is that from!?
