portsecurity and IP conflicts

Answered Question
Sep 29th, 2009

hello

We are using c3750 stacks in our access layer. We have configured the port-security feature: we only allow 2 MAC addresses per port.

The configuration looks like this:

    interface FastEthernet2/0/45
     switchport access vlan 110
     switchport mode access
     switchport port-security maximum 2
     switchport port-security
     switchport port-security aging time 1
     switchport port-security aging type inactivity
     switchport port-security aging static
     no logging event link-status
     spanning-tree portfast
     spanning-tree guard root
    end

We have noted that when IP conflicts occur, port security shuts down the port causing the conflict.

I can't understand why. What is the relation between IP conflicts and restricting 2 MAC addresses per port?

If I remove the commands related to port security, the port will not be shut down.

Any help?

rducombl Tue, 09/29/2009 - 23:46

What do you mean by IP conflict?

There is no relation between port security and IP anyway. Port security is solely looking at MAC addresses.

Could it be that at some point 3 MAC addresses are seen on the port? That would explain why port security is kicking in!

Roland

ohassairi Wed, 09/30/2009 - 00:24

Hi Roland,

- Take one c3750 switch.

- Enable port security on all its ports: only 2 MAC addresses per port. If more --> shutdown.

- Now plug one PC into one port: P1 (IP1 and MAC1).

- Plug another PC into another port: P2 (IP1 and MAC2).

- Normally there is an IP conflict and Windows will discover this. But

- you will see that P2 will be shut down because of port security. (Use debug port-security.)

I was also surprised by this. That's why I asked the question.

Normally there is no relation between IP conflict and port security. However, this is what I discovered.

Note: since I am not using DHCP I faced this problem many times.

As a short term workaround, change the port security violation config from the default of "shutdown" to "restrict".

Under your test conditions, if you have logging enabled and configured to do so, the offending MAC should be in the log for violations. You can find out what the offending MAC is or even if there is one. That will at least give you new information.

Correct Answer
xcz504d1114 Wed, 09/30/2009 - 06:26

When there is an IP address conflict, the PC that generated the conflict will send out a gratuitous ARP, with the other PC's mac-address, just like ARP poisoning, but the PC is doing it to correct a problem it generated. Run Wireshark on a PC and create an address conflict, you will see the GARP.

Why does it GARP? PC1 has an IP address of 1.1.1.1 and a mac-address of a.a.a.a, he is downloading, surfing the internet etc. PC2 comes online with the IP address of 1.1.1.1 and a mac-address of b.b.b.b. PC2 then sends an ARP "Who has 1.1.1.1 tell 1.1.1.1 b.b.b.b". When that happens, your router's ARP table can be poisoned; once PC1 replies with "I have 1.1.1.1", PC2 corrects any potential communication problems by sending out a GARP with PC1's IP and mac-address. Hence, port security gets triggered.

HTH,

Craig

ohassairi Wed, 09/30/2009 - 21:14

Thanks very much Craig.

So you said port security gets triggered because the switch sees the same MAC address a.a.a.a on 2 different physical ports!

I was not aware that port security can do that. I thought it only counts the number of MAC addresses per port.

xcz504d1114 Thu, 10/01/2009 - 04:58

Port security is local to the switch (or switch stack); it cannot "detect" a mac-address a mile away.

The reason you will see the mac-address a mile away is because of gratuitous ARP, not because of portsecurity. The PC that is at fault for the duplicate IP address will send out the other PC's mac-address (GARP).

HTH,

Craig

ohassairi Sun, 10/18/2009 - 21:35

According to the configuration guide:

It is a security violation when one of these situations occurs:

• The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

• An address learned or configured on one secure interface is seen on another secure interface in the same VLAN. You can configure the interface for one of four.

In my case we have the second scenario, and this explains what is happening.

The solution we found is to configure errdisable recovery, which brings up the ports again after some time:

    errdisable recovery cause psecure-violation
    errdisable recovery interval 30
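The following is an added example, not code from this thread or from Cisco: a small Python model of the two port-security violation rules quoted from the configuration guide, run against Craig's scenario. PC2's gratuitous ARP carries PC1's MAC as the Ethernet source, so PC1's MAC appears on a second secure port in the same VLAN and the port is err-disabled (or, with "restrict", the frame is dropped and the port stays up). Interface names, MACs and frames are constructed sample values.

```python
# Added example (not the thread's or Cisco's code): simulate Cisco-style port
# security for the duplicate-IP / gratuitous-ARP case discussed in the thread.
from dataclasses import dataclass, field


@dataclass
class Frame:
    port: str       # ingress interface (constructed names below)
    vlan: int
    src_mac: str    # Ethernet source MAC as the switch sees it


@dataclass
class SecurePort:
    maximum: int = 2
    violation: str = "shutdown"     # "shutdown" | "restrict" | "protect"
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0


class Switch:
    """One switch or stack: port security is local, as Craig points out."""

    def __init__(self):
        self.ports = {}          # name -> SecurePort
        self.where = {}          # (vlan, mac) -> port that secured it

    def add_port(self, name, maximum=2, violation="shutdown"):
        self.ports[name] = SecurePort(maximum, violation)

    def ingress(self, f: Frame) -> str:
        p = self.ports[f.port]
        if p.err_disabled:
            return "dropped: port err-disabled"
        other = self.where.get((f.vlan, f.src_mac))
        # Guide rule 2: a MAC secured on another secure port, same VLAN.
        if other is not None and other != f.port:
            return self._violate(p, f"{f.src_mac} already secured on {other}")
        if f.src_mac not in p.secure_macs:
            # Guide rule 1: table full and a new station shows up.
            if len(p.secure_macs) >= p.maximum:
                return self._violate(p, "maximum secure MACs reached")
            p.secure_macs.add(f.src_mac)
            self.where[(f.vlan, f.src_mac)] = f.port
        return "forwarded"

    def _violate(self, p: SecurePort, reason: str) -> str:
        p.violations += 1
        if p.violation == "shutdown":
            p.err_disabled = True   # cleared only by errdisable recovery / shut-no shut
        return f"violation ({p.violation}): {reason}"
```

Feeding the model PC1's normal traffic on one port, PC2's own traffic on another, and then PC2's GARP (source MAC a.a.a.a) on PC2's port reproduces the shutdown the original poster saw; the same sequence with "restrict" only increments the violation counter.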
