Port Security -- Allowing changing macs, but not a switch.

Unanswered Question
Jul 10th, 2007

Currently we are about to implement port-security to keep people from plugging switches into cube ports. I am aware and have used the sticky-mac authentication, coupled with protect violation mode via:

 switchport mode access
 switchport port-security
 switchport port-security violation protect

This is a problem, however, when people want to plug their laptops into other people's jacks (showing them sales figures, etc.) and will add to some administration headache.

The real reason we will be implementing this policy is to eliminate the ability for people to plug in switches.

Is there any way to allow only one MAC address across a port (to allow people to plug in their laptops in multiple cube jacks) but not allow multiple MACs coming down from one port (and thus eliminating the possibility someone will plug in a switch)?

Even if I allow...say...the port to learn 10 mac addresses...it is still possible one of those macs will be a switch...which is what we wish to squash.

Any suggestions?

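One way to check that every access port actually carries the controls discussed in this thread is to audit the running-config text rather than trust memory. The script below is an added example, not from the original post or from Cisco: it parses a constructed `show running-config` excerpt, finds ports in `switchport mode access`, and flags any that lack `switchport port-security`, allow more than one secure MAC (IOS defaults to a maximum of 1 when no `maximum` line is shown), or have no BPDU guard in effect. It treats BPDU guard as active either when `spanning-tree bpduguard enable` is set on the port or when the global `spanning-tree portfast bpduguard default` is present and the port has `spanning-tree portfast`. The interface names and config lines are constructed sample input.

```python
"""Audit a Cisco IOS running-config for access ports that lack the switch-plugging
controls discussed in this thread: port-security (max 1 MAC) and BPDU guard.
Added example; the config text below is constructed, not from any real switch."""
import re

SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation protect
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return (global_lines, {interface_name: [sub-command lines]})."""
    globals_ = []
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented = interface sub-command
        else:
            current = None  # "!" or a global command ends the interface stanza
            if line and line != "!":
                globals_.append(line)
    return globals_, interfaces


def audit(config):
    """Return {interface: [findings]} for access ports only; an empty list means compliant."""
    globals_, interfaces = parse_interfaces(config)
    bpduguard_default = "spanning-tree portfast bpduguard default" in globals_
    report = {}
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are out of scope for this check
        findings = []
        if "switchport port-security" not in cmds:
            findings.append("port-security not enabled")
        else:
            maximum = 1  # IOS default when no "maximum" line is present
            for c in cmds:
                m = re.match(r"switchport port-security maximum (\d+)", c)
                if m:
                    maximum = int(m.group(1))
            if maximum > 1:
                findings.append(f"port-security maximum is {maximum}, expected 1")
        # BPDU guard is in effect if enabled per port, or inherited from the
        # global "bpduguard default" on a PortFast-enabled port.
        explicit = "spanning-tree bpduguard enable" in cmds
        inherited = bpduguard_default and "spanning-tree portfast" in cmds
        if not (explicit or inherited):
            findings.append("BPDU guard not in effect")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Run it against the output of `show running-config` saved to a file and replace `SAMPLE_CONFIG` with that text; ports that come back with findings are the ones a desktop switch could still be hung off without tripping anything.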
Francois Tallet Tue, 07/10/2007 - 15:46

You don't have to worry about a switch. Switches are "transparent", meaning that they don't alter the frames they are switching. Well, practically, this is not true any more, but at least a switch will not rewrite the source MAC address of the devices connected to it. So if you put a limit on the number of MAC addresses allowed on a port, a switch will not aggregate several devices behind one MAC address, and you will still be able to see the MAC address of every host connected.

Now on the other hand, a simple Linksys router (with NAT) will do the trick with almost no configuration. There is nothing you can do counting mac addresses on the port when all the devices behind the router will use the router's source mac address:-(

vincentledford Wed, 07/11/2007 - 04:28

Try using "spanning-tree bpduguard enable" on access ports if you want to stop switches from being plugged in on access ports. In short, this command will shut down a port if it detects a BPDU on that access port.

I have found that using port-security with the default of 1 MAC without the "mac-address sticky" command will allow end users to move PCs around but it will stop someone from being able to plug in a HUB or switch at their desk.
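The two replies above (and Francois Tallet's point about NAT routers) describe three distinct behaviours: how a port-security MAC limit reacts to a transparent switch versus a NAT router, what the violation mode does when the limit is exceeded, and how BPDU guard err-disables a port the moment a managed switch announces itself. The following model is an added example written for this thread, not Cisco code; it reproduces those rules for one access port so the scenarios can be compared side by side. The MAC addresses and the `Frame`/`AccessPort` classes are constructed for the illustration.

```python
"""Model of the per-port checks this thread discusses: port-security MAC limits
(protect/restrict/shutdown violation modes, optional sticky learning) and BPDU guard.
Added example of the mechanism, not Cisco code; topologies and MACs are constructed."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    bpdu: bool = False  # True for a spanning-tree BPDU sourced by a managed switch


@dataclass
class AccessPort:
    maximum: int = 1            # switchport port-security maximum (IOS default is 1)
    violation: str = "protect"  # protect | restrict | shutdown
    sticky: bool = False        # sticky secure MACs survive link down; dynamic ones do not
    bpduguard: bool = True
    learned: set = field(default_factory=set)
    errdisabled: bool = False
    violations: int = 0

    def receive(self, frame):
        """Return 'forwarded', 'dropped' or 'errdisable' for one ingress frame."""
        if self.errdisabled:
            return "errdisable"
        if frame.bpdu and self.bpduguard:
            self.errdisabled = True  # BPDU guard: any BPDU err-disables the port
            return "errdisable"
        if frame.src_mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.maximum:
            self.learned.add(frame.src_mac)  # new secure address within the limit
            return "forwarded"
        if self.violation != "protect":
            self.violations += 1  # restrict/shutdown count violations; protect stays silent
        if self.violation == "shutdown":
            self.errdisabled = True
            return "errdisable"
        return "dropped"  # protect and restrict both drop the offending frame

    def link_down(self):
        """Dynamic secure MACs are flushed on link down; sticky ones persist."""
        if not self.sticky:
            self.learned.clear()


def run_scenario(frames, **port_kwargs):
    port = AccessPort(**port_kwargs)
    return [port.receive(f) for f in frames]


# Constructed traffic: two laptops behind an unmanaged (transparent) desktop switch.
TWO_HOSTS_VIA_SWITCH = [Frame("00:11:22:aa:aa:aa"), Frame("00:11:22:bb:bb:bb"),
                        Frame("00:11:22:aa:aa:aa")]
# Two hosts behind a NAT router: every frame carries the router's own MAC.
TWO_HOSTS_VIA_NAT = [Frame("00:11:22:cc:cc:cc"), Frame("00:11:22:cc:cc:cc")]
# A managed switch sends a BPDU before any host traffic.
MANAGED_SWITCH = [Frame("00:11:22:dd:dd:dd", bpdu=True), Frame("00:11:22:aa:aa:aa")]


def laptop_swap(sticky):
    """One laptop uses the port, link drops, a different laptop plugs in."""
    port = AccessPort(sticky=sticky)
    first = port.receive(Frame("00:11:22:aa:aa:aa"))
    port.link_down()
    second = port.receive(Frame("00:11:22:bb:bb:bb"))
    return first, second


if __name__ == "__main__":
    print("transparent switch, protect :", run_scenario(TWO_HOSTS_VIA_SWITCH))
    print("transparent switch, shutdown:", run_scenario(TWO_HOSTS_VIA_SWITCH, violation="shutdown"))
    print("NAT router, two hosts       :", run_scenario(TWO_HOSTS_VIA_NAT))
    print("managed switch, BPDU guard  :", run_scenario(MANAGED_SWITCH))
    print("laptop swap, non-sticky     :", laptop_swap(False))
    print("laptop swap, sticky         :", laptop_swap(True))
```

The NAT scenario is the one to note: both hosts' frames arrive with the router's MAC, so the port never sees a second address and the limit is never exceeded, which is exactly the gap Francois Tallet describes. The sticky versus non-sticky comparison shows why vincentledford's non-sticky default lets users move laptops between desks while still catching a second host behind a hub or unmanaged switch.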

jamesmpoplar Wed, 07/11/2007 - 08:32

I believe I may be overlooking a detail of some sort, considering the setup I have in my lab currently.

Right now I have a laptop setup to be, and a Cisco 2960 setup to be on vlan1.

My testing port is fa0/2, and in IOS the configuration looks like so:

--snipping useless info--

no file verify auto
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id

interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 spanning-tree portfast

--snipping useless info--

If I plug in the laptop, it works.

If I plug the Belkin desktop switch in, and plug the laptop into the Belkin switch...it still works.

I am hopefully missing an IOS option somewhere...because this Belkin I am testing with was the one that started to bring down the entire intranet just a couple of days ago...and I would like to see things like this Belkin be denied on the port.

I'd recommend adding spanning-tree portfast bpdu-guard to fa0/2. This will lock out the port if any spanning tree traffic is received from a switch.

The current setup you have will shut down the port if more than 1 host MAC address source is seen on the switch port. Even though you have a switch, you only have one host connected to the port; try plugging in the Belkin, then attaching 2 laptops or other host devices into the Belkin and see what happens.

Hope this helps, please rate if it does.

vincentledford Wed, 07/11/2007 - 09:14

The 2960 will not see a MAC from the Belkin, it will only see MACs of devices connected to the Belkin.

So, the laptop still works when it is connected to the Belkin because the 2960 is still only seeing the laptop's MAC on that port.

You will only get an error on that switchport if you exceed the default number of MACs (1) by plugging in an additional device into the Belkin.

Even though you have "spanning-tree portfast bpduguard default", try putting the command on the individual port anyway. Unless the Belkin isn't sending out BPDUs, the BPDU guard feature should shut the port down.

You could also try putting "no mdix-auto" on the port.

Hope this helps.

jamesmpoplar Wed, 07/11/2007 - 09:33

Well, with that last clarification I saw I was barking up the wrong tree on looking for what to expect from the Belkin in my test network.

It's the little things. :)

Thanks everyone...I believe we have solved the issue. I believe I will also, for good luck, be implementing storm-control on the ports as well to stop any other possible broadcast issues.

Thank you very much for the prompt replies!

vincentledford Wed, 07/11/2007 - 09:42

Glad to help. Don't forget that turning off Auto-MDIX can stop someone that doesn't know to use a cross-over cable. ; )

Francois Tallet Wed, 07/11/2007 - 12:49

The Belkin switch is probably not sourcing any traffic (thus not adding any entry in the CAM table). Again, switches are mostly transparent and may not be detected at all. It's the hosts connected to the switch that you will try to detect.
