Portfast, Port-Security, STP BPDU Enable Commands

Apr 30th, 2009

Dear friends,

Kindly share the specific purpose, functions and requirements of the commands below.

1)switchport port-security maximum 3

2)switchport port-security

3)switchport port-security violation restrict

4) spanning-tree portfast

5) spanning-tree bpduguard enable

$Sam

Giuseppe Larosa Thu, 04/30/2009 - 09:59

Hello Sam,

2) switchport port-security

Enables port security on the port; without this, the other port-security commands are not effective.

1) switchport port-security maximum 3

The port dynamically learns up to 3 MAC addresses; this allows for a PC + IP phone.

3) switchport port-security violation restrict

If a 4th MAC address is heard on the port, this is a violation; the switch's reaction is the restrict action: frames sourced by the exceeding MAC addresses are dropped.

For security purposes the recommended action is to put the port in the error-disabled state.

4) spanning-tree portfast

Enables PortFast, which bypasses the listening and learning states when moving the port from blocking to forwarding.

To be used only on user ports.

5) spanning-tree bpduguard enable

The right companion of command 4): it will put the port in error-disable if an STP BPDU is heard on the port, a sign that a switch has been connected.

Hope to help

Giuseppe
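The five commands put together on one user-facing access port, as an added configuration example that is not part of the original reply. The interface name, VLAN numbers and the 300-second errdisable recovery interval are assumptions; the global lines show the usual companions (BPDU Guard as the default for every PortFast port, and automatic recovery so a tripped port does not need a manual shut/no shut).

```cisco
! --- Global (assumed policy): every PortFast port also gets BPDU Guard, and
!     ports err-disabled by port-security or BPDU Guard recover after 300 s.
spanning-tree portfast bpduguard default
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300

! --- Per-port: PC daisy-chained behind an IP phone. Interface and VLANs are assumptions.
interface GigabitEthernet1/0/10
 description user port: PC + IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! 2) must be enabled first; maximum/violation below do nothing without it
 switchport port-security
 ! 1) PC + phone in the voice VLAN + one spare, since the phone's MAC is often
 !    also learned in the access VLAN (e.g. from its CDP frames)
 switchport port-security maximum 3
 ! 3) 'restrict' drops frames from the excess MACs and increments the violation
 !    counter; 'shutdown' (the default, and the stricter choice) err-disables
 !    the whole port instead
 switchport port-security violation restrict
 ! age idle secure MACs out after 2 min so a swapped PC does not hit the limit
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ! 4) edge port: skip listening/learning, go straight to forwarding
 spanning-tree portfast
 ! 5) err-disable the port the moment a BPDU (i.e. another switch) is heard;
 !    explicit here even though the global default above already covers it
 spanning-tree bpduguard enable
```

To verify, `show port-security interface GigabitEthernet1/0/10` reports the maximum, the current number of secure MACs, the violation count and the last source MAC seen; `show port-security address` lists the learned MAC/VLAN pairs; `show interfaces status err-disabled` and `show errdisable recovery` show which ports have tripped and when they will come back. Note that port-security counts MAC+VLAN pairs, which is why the phone can occupy two of the three slots.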

netbeginner Fri, 05/01/2009 - 00:15

Hello,

Can we use the "spanning-tree portfast" command on a trunk port? Will this help us in an L2 network with suspected flooding (if the CAM table is showing full utilisation of unicast MAC addresses)? If not, then what feature will help us in the mentioned case?

$Sam

Giuseppe Larosa Fri, 05/01/2009 - 01:43

Hello Sam,

If the trunk is an inter-switch link, usage of spanning-tree portfast should be avoided.

When you see the CAM table full with

sh mac-address-table count

either you are under a MAC flooding attack or there is a misbehaving network device.

I suggest enabling port-security with the violation action errdisable as the most effective countermeasure for this.

Be aware that switches with their CAM tables full need to replicate all frames out all ports in the same VLAN, and so they can face high CPU usage.

Among possible problems caused by network devices, we had a problem caused by CSM service modules in a C6500 that under heavy load (more than 2 Gbps) were generating frames with random source MAC addresses in VLAN 1. A CSM firmware upgrade solved this issue.

Try to follow some MAC addresses to see where they appear to come from.

Hope to help

Giuseppe
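An added troubleshooting sequence for a CAM table that looks full, following the reply above (this is not from the original thread). The interface names, VLAN number and sample MAC address are placeholders; on older IOS trains the command is spelled `show mac-address-table`, as in the reply.

```cisco
! 1. Is the table really full? Compare the dynamic count against the capacity.
show mac address-table count

! 2. Where are the junk entries landing? Random source MACs from one attacker
!    or one faulty device cluster on a single ingress port and VLAN.
!    (VLAN 1 and Gi1/0/24 are placeholders.)
show mac address-table dynamic vlan 1
show mac address-table interface GigabitEthernet1/0/24

! 3. Pick a few suspicious MACs and trace them hop by hop toward the source;
!    on an uplink, CDP tells you which neighbour to repeat this on.
show mac address-table address 0000.5e00.0101
show cdp neighbors GigabitEthernet1/0/24 detail

! 4. Check aging: during STP topology changes aging falls to forward delay
!    (15 s), so a table that stays full means a sustained flood.
show mac address-table aging-time
show spanning-tree detail | include ago|from

! 5. Contain: cap the MACs on the suspect access port and err-disable on
!    violation (the default action), then see which port tripped.
interface GigabitEthernet1/0/24
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
!
show port-security
show interfaces status err-disabled
```

Step 5 is only appropriate on an access port; on an inter-switch trunk it would err-disable the uplink as soon as the first few downstream hosts are learned. If no port shows a clear excess in step 2 and `show mac address-table address` keeps pointing at internal or service-module interfaces, the problem is likely inside the switch, as with the CSM case mentioned above.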

cisco.net Fri, 05/01/2009 - 05:03

Thanks Giuseppe ,

Actually, the port security feature you are suggesting is best when we are very sure that the mentioned problem is happening due to STP TCN (Topology Change Notification). But here in this case nothing seems like this.

As far as MAC address following/tracing is concerned, I have tried my level best, but unfortunately it doesn't seem that any single source is generating spurious traffic.

Your comment please....

$Sam

Giuseppe Larosa Sun, 05/03/2009 - 03:23

Hello Sam,

>> Actually, the port security feature you are suggesting is best when we are very sure that the mentioned problem is happening due to STP TCN (Topology Change Notification).

My understanding is different: during STP topology changes the CAM aging time is changed to 15 s = forward delay.

In this case it is more difficult to fill a CAM table with random MAC addresses, because entries are aged out fast.

For example, during L2 security tests we had to increase the aging time to be able to fill the CAM of a C6500.

STP port security is a good tool for dealing with MAC address flooding.

>> As far as MAC address following/tracing is concerned, I have tried my level best, but unfortunately it doesn't seem that any single source is generating spurious traffic.

If there is no evidence of an external source of these random MAC addresses that fill the CAM tables, the problem can be internal to one switch: I mentioned a problem we had with CSM service modules, where we couldn't find an external source of these MAC addresses.

As I wrote, switches don't work well when the CAM tables are full, so I would try to make some change, for example shutting the link between the two distribution switches.

Hope to help

Giuseppe

Bill19795_2 Fri, 06/11/2010 - 13:14

Why do I set it to allow 3 MACs when the documentation and Auto-QoS say to only allow two?

>> 1) switchport port-security maximum 3

>> The port dynamically learns up to 3 MAC addresses; this allows for a PC + IP phone.

Leo Laohoo Fri, 06/11/2010 - 14:48

>> Why do I set it to allow 3 MACs when the documentation and Auto-QoS say to only allow two?

If you have a VoIP setup, then one MAC for the client and one MAC for the phone.
