Port security problem

Unanswered Question
Jul 30th, 2007

Hi,


I've got a 2950 configured with port security on fa0/13 and fa0/14, both with sticky learning. The results of a show run for each of these interfaces is shown below:


Current configuration : 291 bytes
!
interface FastEthernet0/13
 switchport access vlan 34
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.22c4.45a9
 spanning-tree portfast trunk
end


Switch#show run int fa0/14
Building configuration...

Current configuration : 285 bytes
!
interface FastEthernet0/14
 switchport access vlan 34
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.22c4.45a9
 spanning-tree portfast
end


According to the documentation it should not have been possible for the switch to learn the same MAC address for two secure ports. When plugging the laptop into the second port (fa0/14) the switch should have dropped all traffic based on the source MAC address already existing on another secure port (fa0/13) and logged a violation. Neither of these things happened.


Anyone able to help with this?


Cheers,

Ben.

rajatsetia Tue, 07/31/2007 - 00:28

Hi Ben,


Can you try one thing: replace the "spanning-tree portfast trunk" command with "spanning-tree portfast" on fa0/13 and check again.


rgds



jvr_infotech Tue, 07/31/2007 - 02:00



Can you try these commands:

switchport mode access
switchport port-security
switchport port-security aging time 5
switchport port-security aging type inactivity


ARUNPRABHU A Tue, 07/31/2007 - 02:06

Hi Ben,

I think, actually, what the sticky command will do is: "It will save the MAC address of the laptop in the running config to that port (in your case fa0/14). It will not restrict if the same laptop is connected to the fa0/13 port, because it will stick the MAC address to that port, that's all. The sticky command will not make it a secure port."

The sticky command does not make the switch cross-check with other ports whether that source is already connected.

I think you will understand what I mean.

Reg,

Arun

rajatsetia Tue, 07/31/2007 - 02:53

Hi Arun,


In my point of view, the sticky option will create a CAM table entry mapping the MAC address to the port. With this in mind, if the same secure MAC address appears on another port, it will result in multiple entries in the CAM table for that address.


I think this is not a desirable situation ...


rgds

ben_johnson Tue, 07/31/2007 - 15:56

Hi guys,


Thanks for the input so far. The following is an extract from Cisco's documentation on the 2950 config:


"Security Violations

It is a security violation when one of these situations occurs:

- The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

- An address learned or configured on one secure interface is seen on another secure interface in the same VLAN."


I understand that a port can't be a trunk, but I didn't think the portfast mode caused a port to be treated as a trunk. I have changed that config though, as suggested.


Also, is the secure MAC address only local to the switch, or does it get propagated around the network somehow?


Cheers,

Ben.

rajatsetia Tue, 07/31/2007 - 19:34

Hi Ben,


Is your original problem solved now ?


I don't think secure MAC information gets propagated in the network.


rgds

rajatsetia Fri, 08/03/2007 - 04:50

Hi,

Sorry for the late reply; I saw your post that the problem is still there.

This is strange behaviour, that the same secure MAC address is allowed on different ports. OK, try this:

Reconfigure the sticky configuration, clear the CAM table and check again.

I regret that presently I am not in a position to simulate this kind of test setup at my end.

Also, you have not defined the max number of secure MAC addresses a port can learn dynamically, so by default it is one. Also try connecting different desktops to the secure ports and then interchanging the desktops' switch ports to check whether port security is really being applied.


rgds

aking56256 Fri, 08/03/2007 - 10:28

Ben,

Try this command:

switchport port-security maximum 1


Cheers.

ben_johnson Sun, 08/05/2007 - 22:26

Hi guys,


Thanks for the input. I have done both of those things already. Maximum 1 setting is default and doesn't appear in the visible config even if you specifically type it. Following is output from "show port-security" and running config for both interfaces being tested:


======== config =========

switch#show port-sec
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/13              1            1                  0         Shutdown
      Fa0/14              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

switch#show run int fa0/13
Building configuration...

Current configuration : 240 bytes
!
interface FastEthernet0/13
 switchport access vlan 34
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.22c4.45a9
 spanning-tree portfast
end

switch#show run int fa0/14
Building configuration...

Current configuration : 240 bytes
!
interface FastEthernet0/14
 switchport access vlan 34
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.22c4.45a9
 spanning-tree portfast
end

======= end config ==========


As you can see, even after clearing the CAM tables and reloading the switch the problem is still the same. I found a caveat saying that this can occur if you use "restrict" as the violation setting so I tried both protect and shutdown but still see the same results.


The switch is running IOS ver 12.1(20)EA1. The same test on a similar switch with a later IOS version produces the result I would expect to see (i.e. a port-security violation registered and the second port not forwarding traffic).


Cheers,

Ben.
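The condition Ben's switch failed to enforce (the same secure MAC configured on two secure ports in one VLAN) can be audited offline from the saved running config. The following script is an added example, not code from the thread or from Cisco; it parses interface blocks like the ones above, using a constructed config extract that adds a hypothetical third port in another VLAN to show that the check is scoped per VLAN.

```python
import re
from collections import defaultdict

# Constructed sample config: the thread's two ports plus a hypothetical third port in another VLAN.
SAMPLE_RUN = """\
interface FastEthernet0/13
 switchport access vlan 34
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.22c4.45a9
!
interface FastEthernet0/14
 switchport access vlan 34
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.22c4.45a9
!
interface FastEthernet0/15
 switchport access vlan 35
 switchport port-security
 switchport port-security mac-address 0014.22c4.45a9
"""

# Matches static and sticky secure MAC entries; the bare "mac-address sticky" enable line does not.
MAC_RE = re.compile(r"port-security mac-address (?:sticky )?([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$")

def parse_secure_ports(config):
    """Return {interface: {"vlan": int, "secure": bool, "macs": set}} from a running config."""
    ports, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ports[cur] = {"vlan": 1, "secure": False, "macs": set()}  # access VLAN defaults to 1
        elif cur is None:
            continue  # lines before the first interface block
        elif line.startswith("switchport access vlan "):
            ports[cur]["vlan"] = int(line.rsplit(None, 1)[1])
        elif line == "switchport port-security":
            ports[cur]["secure"] = True
        elif (m := MAC_RE.search(line)):
            ports[cur]["macs"].add(m.group(1))
    return ports

def duplicate_secure_macs(ports):
    """Secure MACs on more than one secure interface in the same VLAN: the documented violation case."""
    seen = defaultdict(set)
    for name, p in ports.items():
        for mac in p["macs"] if p["secure"] else ():
            seen[(p["vlan"], mac)].add(name)
    return {key: sorted(ifaces) for key, ifaces in seen.items() if len(ifaces) > 1}
```

Running it against the sample reports VLAN 34's 0014.22c4.45a9 on FastEthernet0/13 and FastEthernet0/14 only; the VLAN 35 port is not flagged because the documentation scopes the violation to the same VLAN.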

ben_johnson Tue, 08/07/2007 - 22:39

Hi all,


In case anyone comes back to this thread, or picks it up in a search - I upgraded the IOS to ver 12.1(22)EA10 (which was the latest at the time for the Cat2950) and this has resolved the issue.


Unfortunately, nothing I tried prior to the IOS upgrade resolved the issue.


Cheers,

Ben.
