11-05-2008 06:55 AM - edited 03-06-2019 02:19 AM
Hi guys and girls,
I'm trying to set up port-security on my network using sticky MAC addresses instead of manually entering the MACs, to reduce the workload on my colleagues.
My switch port has a maximum of 3 nodes on it (1 PC, 1 telephone and 1 VM) and looked like this before being 'secured':
interface FastEthernet1/0/1
switchport access vlan 2
switchport voice vlan 10
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
spanning-tree portfast
and after:
interface FastEthernet1/0/1
switchport access vlan 2
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0003.ff53.553c
switchport port-security mac-address sticky 001e.c952.553c
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
spanning-tree portfast
The switchport port-security mac-address sticky addresses were obtained automatically.
A show port-security interface fa1/0/1 looks like this:
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 5
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address : 0001.e324.6f48:10
Security Violation Count : 0
and my show version looks like this:
Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1)
Now the 'stickiness' has picked up my 2 PC nodes but not my telephone, which is included in the 'Total MAC Addresses' count.
This means that if I unplug my telephone and replace it with a PC, this PC will access my network. Bad news!
And now for the million dollar question:
How can I set up my port to auto-learn my telephone and put this in the sticky table, thus blocking any traffic that is not coming
from a trusted or learned node and keeping my port safe and sound? We cannot enter the MACs manually as we have a 192-port stack and no time!
Please help,
Chris
11-05-2008 07:11 AM
Chris,
Try changing the port-security max count to 4 and check if your phone's MAC comes into the table.
11-05-2008 07:17 AM
Thanks for the quick reply.
I have raised it to 4 and it looks like this:
3750-LL-1#show port-security inter fa1/0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 4
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address : 0001.e324.6f48:10
Security Violation Count : 0
3750-LL-1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type              Ports     Remaining Age
                                                         (mins)
----    -----------       ----              -----     -------------
   2    0003.ff53.553c    SecureSticky      Fa1/0/1        -
   2    001e.c952.553c    SecureSticky      Fa1/0/1        -
  10    0001.e324.6f48    SecureDynamic     Fa1/0/1        -
Thanks again,
Chris
11-05-2008 07:22 AM
Chris,
Did you do a write mem after configuring the port-security sticky on the port? You need to do a write mem in order to have all the MAC addresses added to the running-config of the switch.
-amit singh
11-05-2008 07:26 AM
Just did it.
Same result :-(
Chris
11-05-2008 07:41 AM
Chris,
Please paste the "show run" from the switch and show version.
-amit singh
11-05-2008 07:43 AM
3750-LL-1#show version
Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Sun 09-Jan-05 00:09 by antonino
Image text-base: 0x00003000, data-base: 0x0099748C
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(19r)EA1b, RELEASE SOFTWARE (fc2)
3750-LL-1 uptime is 1 year, 48 weeks, 5 days, 21 hours, 46 minutes
System returned to ROM by power-on
System image file is "flash:c3750-i9-mz.122-20.SE4.bin"
cisco WS-C3750-48P (PowerPC405) processor (revision D0) with 118784K/12280K bytes of memory.
Processor board ID CAT0847R1TY
Last reset from power-on
2 Virtual Ethernet/IEEE 802.3 interface(s)
192 FastEthernet/IEEE 802.3 interface(s)
16 Gigabit Ethernet/IEEE 802.3 interface(s)
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:12:80:9D:7B:00
Motherboard assembly number : 73-8310-07
Power supply part number : 341-0029-03
Motherboard serial number : CAT08470DAE
Power supply serial number : LIT08440AFH
Model revision number : D0
Motherboard revision number : A0
Model number : WS-C3750-48PS-S
System serial number : CAT0847R1TY
SFP Module assembly part number : 73-7757-02
SFP Module revision Number : A0
SFP Module serial number : CAT0843076Q
Top Assembly Part Number : 800-21980-02
Top Assembly Revision Number : B0
Version ID : N/A
Hardware Board Revision Number : 0x0C
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
1 52 WS-C3750-48P 12.2(20)SE4 C3750-I9-M
2 52 WS-C3750-48P 12.2(20)SE4 C3750-I9-M
3 52 WS-C3750-48P 12.2(20)SE4 C3750-I9-M
* 4 52 WS-C3750-48P 12.2(20)SE4 C3750-I9-M
Switch 01
---------
Switch Uptime : 1 year, 48 weeks, 5 days, 21 hours, 41 minutes
Base ethernet MAC Address : 00:12:80:DB:7D:80
Motherboard assembly number : 73-8310-07
Power supply part number : 341-0029-03
Motherboard serial number : CAT0848010K
Power supply serial number : LIT08440A5G
Model revision number : D0
Motherboard revision number : A0
Model number : WS-C3750-48PS-S
System serial number : CAT0847R27Q
SFP Module assembly part number : 73-7757-02
SFP Module revision number : A0
SFP Module serial number : CAT084501J8
Top assembly part number : 800-21980-02
Top assembly revision number : B0
Version ID : N/A
Switch 02
---------
Switch Uptime : 1 year, 48 weeks, 5 days, 21 hours, 42 minutes
Base ethernet MAC Address : 00:12:80:9D:9E:80
Motherboard assembly number : 73-8310-07
Power supply part number : 341-0029-03
Motherboard serial number : CAT08470D8T
Power supply serial number : LIT084409VW
Model revision number : D0
Motherboard revision number : A0
Model number : WS-C3750-48PS-S
System serial number : CAT0847R1S5
SFP Module assembly part number : 73-7757-02
SFP Module revision number : A0
SFP Module serial number : CAT08430CHK
Top assembly part number : 800-21980-02
Top assembly revision number : B0
Version ID : N/A
Switch 03
---------
Switch Uptime : 1 year, 48 weeks, 5 days, 21 hours, 41 minutes
Base ethernet MAC Address : 00:12:80:DB:72:80
11-05-2008 07:48 AM
The show run is too big.
Which parts of it do you need?
regards,
Chris
11-05-2008 07:51 AM
The config for the switch that you are currently working on, with the port-security for your PC and IP phones.
11-05-2008 07:55 AM
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 3750-LL-1
!
logging buffered 131072 debugging
!
clock timezone MEZ 1
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750-48p
switch 2 provision ws-c3750-48p
switch 3 provision ws-c3750-48p
switch 4 provision ws-c3750-48p
ip subnet-zero
no ip source-route
!
vtp domain csu-bayern.de
vtp mode transparent
cluster enable 3750-LL-C1 0
!
mls qos srr-queue input cos-map queue 1 threshold 1 5
mls qos srr-queue input cos-map queue 2 threshold 1 6 7
mls qos
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
power inline consumption default 7000
!
!
vlan 2
name data
!
vlan 7
name admin
!
vlan 10
name voice
!
vlan 4093
name csu-default
!
vlan 4094
name csu-native
!
interface FastEthernet1/0/1
switchport access vlan 2
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 4
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0003.ff53.553c
switchport port-security mac-address sticky 001e.c952.553c
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
spanning-tree portfast
11-05-2008 08:14 AM
For a test, have you tried to input the phone MAC address manually: "switchport port-security mac-address [phone mac address]"?
Francisco
11-06-2008 12:52 AM
OK Francisco, I'll give it a try.
So after entering the IP phone address (switchport port-security mac-address 0001.e324.6f48) I have the following results:
3750-LL-1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                 Ports     Remaining Age
                                                            (mins)
----    -----------       ----                 -----     -------------
   2    0001.e324.6f48    SecureConfigured     Fa1/0/1        -
   2    0003.ff53.553c    SecureSticky         Fa1/0/1        -
   2    001e.c952.553c    SecureSticky         Fa1/0/1        -
  10    0001.e324.6f48    SecureDynamic        Fa1/0/1        -
As you can see, the phone has 2 entries, one as SecureConfigured and one as SecureDynamic.
But with different VLANs!
Now the best thing here would be to reduce the maximum allowed MACs to 3, right? Let's try:
3750-LL-1(config-if)#switchport port-security maximum 3
Maximum is less than number of currently secured mac-addresses.
Baaaaaaaaaaaaaah!
So now I will try to sum this one up:
I'm trying to set up port-security on my network using sticky MAC addresses instead of manually entering the MACs, to reduce the workload on my colleagues.
My switch port has a maximum of 3 nodes on it (1 PC, 1 telephone and 1 VM), so I have set the maximum of allowed MAC addresses to 3. I have also enabled the mac-address sticky function, which should convert the already learned MACs (SecureDynamic) into SecureSticky MACs. This works for the PCs but not for the IP phone.
The IP phone remains as a SecureDynamic address. After entering the IP phone address as a SecureConfigured address, the phone appears twice in the Secure Mac Address Table.
The result of this is that my phone is not included in my switchport port-security policy and I cannot prevent somebody unplugging a phone and plugging in a non-trusted PC into my network. Eeeek!
So after reading the release notes, I have got this to work with:
When a voice VLAN is configured on a secure port that is also configured as a sticky secure port,
all addresses on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on
the access VLAN to which the port belongs are learned as sticky secure addresses.
• You cannot configure static secure MAC addresses in the voice VLAN.
What I do not understand is why my SecureDynamic MACs do not work with my port-security settings.
11-06-2008 03:53 AM
By default the IP phone does not know the voice VLAN tag, so when it initially boots up it will appear on the access VLAN. As soon as CDP kicks in it will then begin to transmit packets with the voice VLAN tag, so you will see two entries in the CAM table (and port-security table). There was a behaviour change in IOS whereby once the switch saw CDP from the IP phone it would remove the MAC entry for it from the access VLAN.
I think this came in 12.2(35)SE, so I would suggest you upgrade the IOS (latest is 12.2(46)SE). I am not sure if this will solve the issue though, as the phone will always initially appear on the access VLAN. However, try it and see.
As an access-port template we normally deploy port-security to prevent people plugging in unauthorised hubs and switches. I have played around with sticky MAC addresses but almost always remove it due to the administrative overhead.
Andy
11-06-2008 05:09 AM
Thanks Andy for the detailed information.
We use access lists as well, but with 192 FE ports per stack this is terrible!
What I don't get is that if I have 2 SecureSticky nodes (PCs) and 1 SecureDynamic node (telephone) as shown here:
   2    0003.ff53.553c    SecureSticky      Fa1/0/1        -
   2    001e.c952.553c    SecureSticky      Fa1/0/1        -
  10    0001.e324.6f48    SecureDynamic     Fa1/0/1        -
why doesn't the 'switchport port-security violation restrict' action kick in if my limit of 3 MACs is violated? Doesn't it take the SecureDynamic MACs into account?
Thanks again,
Chris
11-06-2008 05:44 AM
Now I get it: the dynamic entries are really dynamic, and as soon as I unplug a node the MACs are released from the switch unless I use the sticky commands.
Chris
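The two symptoms the thread ends on (a voice-VLAN MAC that is only SecureDynamic and so is forgotten on link-down, and one phone MAC occupying two secure slots because it appears on both the access and the voice VLAN, which is why "maximum 3" was refused with four entries) can be checked across a whole stack from pasted show output. The following Python script is an added example, not Cisco code and not from any post in the thread; it parses the table layout exactly as it appears in the thread, and the voice VLAN set and the intended maximum are caller-supplied assumptions.

```python
"""Audit pasted 'show port-security address' output for port-security gaps.

Added example (not Cisco code, not from the thread). The column layout is the
one IOS printed in the thread; which VLANs are voice VLANs and what maximum
was intended are assumptions passed in by the caller.
"""
import re
from collections import defaultdict

# Constructed sample: the thread's final table, re-spaced as IOS prints it.
SAMPLE = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                 Ports   Remaining Age
                                                          (mins)
----    -----------       ----                 -----   -------------
   2    0001.e324.6f48    SecureConfigured     Fa1/0/1        -
   2    0003.ff53.553c    SecureSticky         Fa1/0/1        -
   2    001e.c952.553c    SecureSticky         Fa1/0/1        -
  10    0001.e324.6f48    SecureDynamic        Fa1/0/1        -
"""

# One data row: VLAN id, dotted-hex MAC, Secure* type, port name.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)",
    re.IGNORECASE,
)


def parse_secure_table(text):
    """Return one dict per secure MAC entry; title, header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append({"vlan": int(vlan), "mac": mac.lower(), "type": kind, "port": port})
    return entries


def audit(entries, voice_vlans, maximum):
    """Per port, list entries that will not survive a link flap or that eat
    extra slots. 'voice_vlans' and 'maximum' are the caller's assumptions."""
    by_port = defaultdict(list)
    for e in entries:
        by_port[e["port"]].append(e)

    findings = {}
    for port, rows in by_port.items():
        notes = []
        # Symptom 1: a dynamic entry on the voice VLAN is released on link-down,
        # so it places no restriction on whatever replaces the phone.
        for e in rows:
            if e["vlan"] in voice_vlans and e["type"] == "SecureDynamic":
                notes.append(f"{e['mac']} on voice VLAN {e['vlan']} is SecureDynamic, not retained")
        # Symptom 2: the same MAC on two VLANs consumes two of the port's secure slots.
        vlans_of = defaultdict(set)
        for e in rows:
            vlans_of[e["mac"]].add(e["vlan"])
        for mac, vlans in vlans_of.items():
            if len(vlans) > 1:
                notes.append(f"{mac} occupies {len(vlans)} slots (VLANs {sorted(vlans)})")
        # Slot accounting: IOS refuses to lower the maximum below the current count.
        if len(rows) > maximum:
            notes.append(f"{len(rows)} secured entries exceed intended maximum {maximum}")
        if notes:
            findings[port] = notes
    return findings


if __name__ == "__main__":
    # Voice VLAN 10 and an intended maximum of 3, as in the thread.
    for port, notes in audit(parse_secure_table(SAMPLE), {10}, 3).items():
        print(port)
        for n in notes:
            print("  -", n)
```

Run it against the pasted output of every stack member and it reports, per port, each phone whose only secure entry is dynamic on the voice VLAN, each MAC that is double-counted across VLANs, and each port whose secured-entry count already exceeds the maximum you intend to configure.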