Port-security aging time

Sep 25th, 2008

I have reduced the port-security (type inactivity) aging time to the minimum (1 minute) because when you move a data device (laptop) from an IP phone to another port of the same switch, port-security blocks this device.

With this new lower aging time I have to wait only one minute to move the device, but my questions are:

1.- With the aging time so low, is there any problem related to flooding?

2.- Are the mac-address-table and the port-security address table the same, or are they different?

3.- Are other MAC entries (in the CAM or in the psecurity table) deleted if they still remain connected to the switch or IP phone?

Thank you very much and best regards

Giuseppe Larosa Thu, 09/25/2008 - 12:01

Hello Luis,

1) it should be able to react to a MAC address flooding attack, which implies sending frames with random source MAC addresses at a moderately high rate.

2) the tables are two and separate, with the secure MAC address table much smaller (at least it was in CatOS 8.1 when I tested 1024 secure MAC addresses and a 65535-entry mac-address-table)

3) it is unclear to me: if you move a device from a non-secure port to a secure port, the entry will be deleted from the CAM table and added to the psecurity table

Hope to help

Giuseppe

luis.elvira Thu, 09/25/2008 - 22:38

Hello and thanks Giuseppe,

1.- When I asked if there was any problem with flooding I didn't mean flooding attacks; I meant a flooding problem on the switch due to the short aging time. Does this short aging time affect the MAC entries (also secured ones) that are active and that shouldn't be aged? I think that the only problem will be CPU utilization, but I am not sure.

3.- If I have all ports secured, will all ports be in the psecurity table and not in the CAM table?

Thank you very much for your help, best regards,

Giuseppe Larosa Thu, 09/25/2008 - 23:11

Hello Luis,

1) as long as the MAC address owners speak, no problem; when they stop speaking, if someone tries to reach them at first you have unicast flooding, but as soon as they answer they are mapped again.

the default CAM aging time is 300 seconds, so there shouldn't be a very big impact on the switch.

3) all learned MAC addresses will be in the psecurity table and not in the CAM, but inter-switch links, if any, should not be secured (multiple MAC addresses come in on them) or they fill the psecurity table, which is smaller than the CAM

Hope to help

Giuseppe

luis.elvira Thu, 09/25/2008 - 23:25

Hello Giuseppe,

I have 288 ports configured with psecurity in the same switch (Cat6509E-Sup32-PISA). Almost all with PC+IP phone connected. I want to configure "switchport port-security aging time 1" to solve the problem of moving laptops connected to IP phones. Considering the amount of ports configured, do you still think that there will be no impact with flooding?

Thank you very much.

Luis

Giuseppe Larosa Fri, 09/26/2008 - 05:32

Hello Luis,

so you have 288 * 2 secure MAC addresses; on a device like that, as far as I know, you shouldn't have problems.

I strongly recommend using the inactivity option to get a better result

see

http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_s7.html#wp1013959

the default is absolute time, but inactivity is better and should allow moving laptops with much less impact on the switch.

See:

You can apply one of two types of aging for automatically learned addresses on a secure port:

• Absolute aging times out the MAC address after the age-time has been exceeded, regardless of the traffic pattern. This default is for any secured port, and the age-time is set to 0.

• Inactivity aging times out the MAC address only after the age_time of inactivity from the corresponding host has been exceeded.

I actually was thinking of the inactivity option in my considerations

Hope to help

Giuseppe

luis.elvira Sun, 09/28/2008 - 23:28

Thank you very much Giuseppe. I will configure inactivity.

Your notes have been really helpful.

Regards,

chris.king@csu-... Thu, 11/06/2008 - 09:00

Hi there,

I am dealing with a similar issue.

I have a crazy question:

Does your switchport port-security work with your IP phones? I had the problem that the MAC addresses were just being recorded as 'DynamicSecure', which meant that I could just unplug a phone, plug in any notebook and access my network. If your port-security works with IP phones and PC nodes using the same switch port on different VLANs, please please post your config. It would be a great help as I cannot find a solution to my problem.

Cheers!

Chris

luis.elvira Thu, 11/06/2008 - 09:17

Hi,

I think your problem could be the maximum MACs allowed. I have a maximum of 3 (2 will be enough, phone+PC). With this situation it works fine.

I had the problem that if you move a notebook connected to one IP phone to another IP phone (or another switchport), the port shuts down because the phone doesn't notify that the notebook is not connected anymore, and the switch "sees" the same MAC address on 2 switchports (which is a port-security violation).

You can shorten the aging time and change to restrict mode.

Anyway, this is my configuration (hope it helps!)

interface GigabitEthernet
 description IP PHONE/PC
 switchport
 switchport access vlan
 switchport mode access
 switchport nonegotiate
 switchport voice vlan
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!

chris.king@csu-... Fri, 11/07/2008 - 02:53

Thanks for the info.

My problem is that my port-security does not work with SecureDynamic addresses.

If I plug in a laptop to a port, it learns the MAC, but as soon as I unplug it, it disappears without a trace although the aging time is set.

If you run show port-security address after unplugging a node, does it still appear in the table although the aging time is still valid?

Thanks again,

Chris

luis.elvira Tue, 11/11/2008 - 05:48

No it doesn't. Of course, when you disconnect a PC from your switch the MAC disappears, because the physical port goes down. The MAC still appears if you have a Cisco IP phone connected to the switch and your PC connected to the IP phone, because IP phones have their own internal switch. So, if you disconnect your PC from the IP phone, the switch still "sees" the MAC of the PC connected to that port, in addition to the MAC of the IP phone.

chris.king@csu-... Tue, 11/11/2008 - 06:04

Thanks Luis.

So the conclusion is that if you connect a PC to the switch using port-security, you can unplug this PC and plug in an untrusted PC and then access the network. Unless of course you use sticky addresses or fixed addresses in the config.

If you have ip phones, you can use port security for the pcs behind the phones but if somebody unplugs an ip phone, they can also access this port.

Right?
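The check Chris's conclusion calls for is easy to automate: look at `show port-security address` (the command Chris asked about above) and list the ports whose secure addresses are all SecureDynamic, i.e. learned and aged rather than sticky or configured. The script below is an added example, not code from this thread or from Cisco; the sample output embedded in it is constructed for the example in the layout of the IOS `show port-security address` table (Vlan, Mac Address, Type, Ports, Remaining Age), and the interface names and MAC addresses in it are made up.

```python
"""Flag secure ports that rely only on SecureDynamic addresses.

Added example. SAMPLE_OUTPUT is constructed to look like the IOS
'show port-security address' table; on a real switch, feed the
command's actual output to parse_secure_addresses() instead.
"""
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0011.2233.4455    SecureDynamic                 Gi1/1          1
 100    0011.2233.aabb    SecureDynamic                 Gi1/1          -
  10    0011.2233.6677    SecureSticky                  Gi1/2          -
  10    0011.2233.8899    SecureConfigured              Gi1/3          -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One table row: vlan, dotted-hex MAC, type, port, remaining age ('-' = none).
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_secure_addresses(text):
    """Return one dict per secure-address row; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vlan, mac, typ, port, age = m.groups()
        rows.append({
            "vlan": int(vlan),
            "mac": mac.lower(),
            "type": typ,
            "port": port,
            "age": None if age == "-" else int(age),
        })
    return rows


def dynamic_only_ports(rows):
    """Ports where every secure address is SecureDynamic.

    These are the ports Chris describes: unplug the learned device, and after
    aging (or a link flap) any other device can be learned in its place.
    Ports with at least one SecureSticky or SecureConfigured entry are left out.
    """
    types_by_port = defaultdict(list)
    for r in rows:
        types_by_port[r["port"]].append(r["type"])
    return sorted(p for p, types in types_by_port.items()
                  if all(t == "SecureDynamic" for t in types))


if __name__ == "__main__":
    rows = parse_secure_addresses(SAMPLE_OUTPUT)
    for port in dynamic_only_ports(rows):
        macs = [r["mac"] for r in rows if r["port"] == port]
        print(f"{port}: only SecureDynamic addresses {macs}")
```

Run against the constructed sample it reports Gi1/1 only: both of its addresses (the phone's on the voice VLAN and the PC's on the data VLAN) are dynamic, while Gi1/2 and Gi1/3 have a sticky and a configured address respectively.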

andrew.butterworth Thu, 11/06/2008 - 09:18

As a previous poster stated, the CAM & port-security tables have independent timers, so flooding will only be an issue if you muck around with the CAM timers.

On the subject of port-security timers, I had a similar dilemma a while ago with the default port-security aging times (3 minutes). The customer had the same issues you are seeing - i.e. move a PC from one IP Phone to another before the aging timer had expired and you get port-security errors (default being restrict). When we lowered the timers we then started to have IP Phone issues (Ericsson IP Phones using H.323) where there would be a delay for dialtone. We identified this as a 'feature' of port-security due to the IP Phone not transmitting anything within the port-security timeout period and its MAC being removed from the port-security table. It would recover, however the first few packets sent from the IP Phone when there was no MAC for it in the port-security table were discarded, and this resulted in the dialtone delay.

Cisco SCCP is much more chatty (keepalives) so I don't think you will see the same behaviour, however you may see similar behaviour with any devices that don't 'speak' much.

HTH

Andy
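To make the two aging types Giuseppe quoted from the Cisco docs and the quiet-device effect Andy describes concrete, here is a small model of port-security secure-address aging. It is an added example, not code from this thread or from Cisco, and it simplifies: time ticks once per minute, every port is in restrict mode, the CAM table is ignored, and (as Luis describes above) a MAC already secured on one port showing up on another port counts as a violation. Port names and station names ("phone-a", "laptop") are made up.

```python
"""Toy model of port-security aging: absolute vs inactivity.

Added example with simplifying assumptions (one tick per minute, restrict
mode everywhere, no CAM table). It reproduces the thread's two scenarios:
a laptop moved from one IP phone to another, and a phone that speaks
rarely, whose entry is aged out between its own frames.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 2
    aging_time: int = 0            # minutes; 0 = no aging (the IOS default)
    aging_type: str = "absolute"   # "absolute" or "inactivity"
    # mac -> minute learned (absolute) or minute last seen (inactivity)
    table: dict = field(default_factory=dict)


class Switch:
    """Every port is 'violation restrict': offending frames are dropped and
    counted, the port stays up."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.violations = []   # (minute, port, mac)
        self.learned = []      # (minute, port, mac)

    def owner(self, mac):
        """Port on which `mac` is currently a secure address, if any."""
        for p in self.ports.values():
            if mac in p.table:
                return p.name
        return None

    def frame(self, minute, port_name, mac):
        """Frame with source `mac` arrives on `port_name`; True if forwarded."""
        port = self.ports[port_name]
        if mac in port.table:
            if port.aging_type == "inactivity":
                port.table[mac] = minute     # traffic refreshes the timer
            return True
        if self.owner(mac) is not None or len(port.table) >= port.maximum:
            self.violations.append((minute, port_name, mac))
            return False
        port.table[mac] = minute
        self.learned.append((minute, port_name, mac))
        return True

    def end_of_minute(self, minute):
        """Age out entries whose timer (learned or last-seen) has expired."""
        for p in self.ports.values():
            if p.aging_time == 0:
                continue
            for mac, stamp in list(p.table.items()):
                if minute - stamp >= p.aging_time:
                    del p.table[mac]


def laptop_move(aging_time, aging_type, move_at=3, horizon=10):
    """Phone A + laptop on Gi1/1, phone B on Gi1/2; phones send a keepalive
    every minute; the laptop is moved behind phone B at minute `move_at`.
    Returns (first minute the laptop is forwarded on Gi1/2, violation count)."""
    sw = Switch([SecurePort("Gi1/1", 2, aging_time, aging_type),
                 SecurePort("Gi1/2", 2, aging_time, aging_type)])
    first_ok = None
    for minute in range(horizon):
        sw.frame(minute, "Gi1/1", "phone-a")
        sw.frame(minute, "Gi1/2", "phone-b")
        if minute < move_at:
            sw.frame(minute, "Gi1/1", "laptop")
        elif first_ok is None and sw.frame(minute, "Gi1/2", "laptop"):
            first_ok = minute
        sw.end_of_minute(minute)
    return first_ok, len(sw.violations)


def phone_relearns(aging_time, aging_type, talk_every=1, horizon=10):
    """How often a phone that sends one frame every `talk_every` minutes has
    to be (re)learned as a secure address. Each relearn is the moment at
    which Andy saw the phone's first packets dropped."""
    sw = Switch([SecurePort("Gi1/1", 2, aging_time, aging_type)])
    for minute in range(horizon):
        if minute % talk_every == 0:
            sw.frame(minute, "Gi1/1", "phone")
        sw.end_of_minute(minute)
    return len(sw.learned)


if __name__ == "__main__":
    print("no aging:          ", laptop_move(0, "absolute"))
    print("inactivity 1 min:  ", laptop_move(1, "inactivity"))
    print("chatty phone, inactivity 1:", phone_relearns(1, "inactivity", 1))
    print("chatty phone, absolute 1:  ", phone_relearns(1, "absolute", 1))
    print("quiet phone, inactivity 2: ", phone_relearns(2, "inactivity", 5))
```

With no aging the moved laptop is blocked on Gi1/2 for the whole run, because Gi1/1 still owns its MAC; with a 1-minute timer it is forwarded one minute after the move, which is the wait Luis describes. The aging type shows in the phone's behaviour: under inactivity aging a phone that speaks every minute is learned once and kept, under absolute aging it is dropped and relearned every other minute, and under inactivity aging a phone that speaks only every 5 minutes is aged out and relearned each time, which is the gap in which Andy's H.323 phones lost their first packets.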
