port-security unsecure

Josias Lima
Level 1

We applied the following configuration on my switch, but I am not as secure as I thought.

interface FastEthernet0/1
description Uplink Roteador

switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection trust
speed 100
duplex full
priority-queue out
mls qos trust dscp
spanning-tree portfast trunk
ip dhcp snooping trust
no shutdown
!

interface FastEthernet0/2
description Users
switchport access vlan 1
switchport mode access
switchport voice vlan 15
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation shutdown
switchport port-security aging type inactivity
ip arp inspection limit rate 100
no logging event link-status
srr-queue bandwidth share 1 40 30 30
priority-queue out
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
no shutdown
!

The main problem is that the uplink port is not port-security "trusted", so if I send a packet (on port Fa0/2) with the same MAC as my gateway, this MAC is mapped as static on the Fa0/2 port and all other users lose access to the gateway until the aging time expires.

Normally the MAC address of my gateway is learned on the Fa0/1 port:

show mac address-table address 0000.0c07.ac0c | include 0000

1 0000.0c07.ac0c DYNAMIC Fa0/1


It is dynamic, but when I send a packet with the source MAC 0000.0c07.ac0c (the gateway MAC), because of port security the MAC is placed as STATIC on the Fa0/2 port, and even if the gateway sends a packet with this source MAC, it is no longer learned by the switch:

show mac address-table address 0000.0c07.ac0c | include 0000

1 0000.0c07.ac0c STATIC Fa0/2


If I keep sending this "DoS or Man in the Middle" packet, I stop all gateway traffic on the switch.
Does anyone have a solution for this problem? I believe a good one would be that a MAC learned on an unsecured port (gateways are placed on those ports) must have more priority than a STATIC MAC learned on a port-secured port. Anyway, it is a good puzzle to think about.

1 Reply

Peter Paluch
Cisco Employee

Hello Josias,

I believe that one possible solution would be to run IP Source Guard on the Fa0/2 port. IPSG can be configured to make sure that only those packets and frames are accepted whose sender IP and MAC are correctly learned in the DHCP Snooping database for the Fa0/2 port. Here, the theoretical inability of the station to possess the router's MAC address and yet have a correct IP/MAC binding in the DHCP Snooping database should prevent the station from sending messages with a spoofed MAC address. I would have to verify the effectiveness of this solution, though.

Another way of approaching this problem could be to define a static MAC address table entry for the gateway and point it towards the Fa0/1 interface. With this static MAC address entry in place, the spoofing station should hopefully not be able to confuse port-security. Again, I would need to test this assumption.

Best regards,

Peter
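The two mitigations from the reply, written out as an added IOS configuration example next to the weak Fa0/2 configuration from the question. This is not Josias's switch configuration or a configuration Peter tested; it assumes a Catalyst access switch where DHCP snooping and Dynamic ARP Inspection are enabled globally for VLANs 1 and 15 (the `trust` statements on Fa0/1 above imply this), that the gateway MAC 0000.0c07.ac0c is reached only through Fa0/1, and that the DHCP server accepts DHCP option 82, which IPSG's MAC check relies on.

```cisco
! --- Weak (as posted): port-security only ---
! Any host on Fa0/2 can source a frame from 0000.0c07.ac0c. Port-security then
! records it as a secure (STATIC) address on Fa0/2 and Fa0/1 stops learning it.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 1
 switchport voice vlan 15
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 ip dhcp snooping limit rate 100
!
! --- Hardened: IP Source Guard with source IP + MAC filtering (first suggestion) ---
! Global prerequisites (assumed already present; shown so the example is complete).
ip dhcp snooping
ip dhcp snooping vlan 1,15
ip dhcp snooping information option     ! option 82 must stay on for the MAC check
ip arp inspection vlan 1,15
!
interface FastEthernet0/1
 description Uplink Roteador
 ip dhcp snooping trust
 ip arp inspection trust
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 1
 switchport voice vlan 15
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 ip dhcp snooping limit rate 100
 ! Drop any frame whose source IP/MAC pair is not in the DHCP snooping binding
 ! table for this port. A host that never obtained a lease with source MAC
 ! 0000.0c07.ac0c cannot get that MAC accepted here.
 ip verify source port-security
!
! --- Second suggestion: pin the gateway MAC to the uplink ---
mac address-table static 0000.0c07.ac0c vlan 1 interface FastEthernet0/1
!
! --- Checks ---
show ip verify source interface FastEthernet0/2
show ip source binding
show port-security interface FastEthernet0/2
show mac address-table address 0000.0c07.ac0c
```

Two caveats. IPSG with MAC filtering only admits hosts that appear in the binding table, so statically addressed devices on Fa0/2 need an `ip source binding` entry or they are cut off; check `show ip verify source` after enabling it. The static MAC entry pins 0000.0c07.ac0c, an HSRP virtual MAC (0000.0c07.acXX), to Fa0/1 permanently: that is only safe if every HSRP peer that can become active is reached over that uplink, and the reply itself notes that its effect on port-security on Fa0/2 still has to be tested. On some IOS releases and platforms the keyword for the MAC check differs (for example `mac-check`); consult the platform's IPSG documentation if `port-security` is not accepted.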
