Question on port security

Posted on 2004-09-18
Last Modified: 2010-04-17
On Cisco switches, that is (2900 series).

When you implement it with say:

int fa0/1
switchport mode access
! port security is rejected on a dynamic (DTP) port, so the mode is fixed first
switchport port-security
switchport port-security maximum 1


This means only one MAC address is allowed to traverse that port.  What does the switch base its decision on when you use port security?  The ARP table?  What happens if you change the network card in your PC?  It will obviously have a different MAC.

Thanks
Question by:dissolved
7 Comments
 
Accepted Solution by Don Johnston (earned 200 total points), ID: 12093788

Correct. Only one address will be learned when traffic enters that port.

Layer 2 switches don't care (or know) about IP addresses. They only care (learn) MAC addresses. If another address is learned on that port, it will either not add the address to the MAC-Address-Table or it will disable the port. If the NIC is changed on the PC connected to that port, the previous address will have to age out (300 seconds by default) before the new MAC address will be learned.

-dj
 
Assisted Solution by lrmoore (earned 300 total points), ID: 12093832

You can also set the port-security to "sticky", which means that it won't time out. So if someone changes their NIC, you have to go into the switch to clear it before they gain access to the network (or until the switch reboots).

You can also specify the MAC address that it will accept on that port. We're seeing more and more companies implement this feature.

Too bad that a $30 SOHO router will bypass all that good security with the MAC address "clone" feature and permit up to 250 users behind that one MAC....

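The two answers above describe port security in words: the switch learns one source MAC on the port, a second address is a violation, a dynamically learned address has to age out before a replacement NIC gets through, a sticky address never ages out and must be cleared by hand, and a device that clones the permitted MAC is indistinguishable from the real PC. The following is an added example, not code from the thread or from Cisco, that models exactly that behaviour so the sequence of events can be stepped through. The 300-second figure is the one quoted in the accepted answer and is a parameter here, not a statement about any platform's default; the MAC addresses are constructed samples.

```python
# Added example (not from the thread): a model of what an access port with port
# security does with the source MAC of each incoming frame, following the answers
# above: one dynamic secure address, a violation action when a second address
# shows up, inactivity aging (300 s is the figure quoted above; it is a parameter
# here, not a claim about any platform default), and "sticky" addresses that
# never age out and must be cleared by an administrator.
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"

# Constructed sample addresses in Cisco dotted notation.
MAC_PC_OLD_NIC = "0011.2233.4455"
MAC_PC_NEW_NIC = "0011.2233.aabb"


@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = SHUTDOWN
    aging_time: int = 300          # seconds of inactivity before a dynamic secure address is dropped
    sticky: bool = False           # sticky addresses are kept until an admin clears them
    secure_macs: dict = field(default_factory=dict)   # mac -> time last seen
    err_disabled: bool = False
    violations: int = 0

    def ingress(self, src_mac: str, now: int) -> str:
        """Process one frame; return 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"
        self._age_out(now)
        mac = src_mac.lower()
        if mac in self.secure_macs or len(self.secure_macs) < self.maximum:
            self.secure_macs[mac] = now       # learn (or refresh) the address
            return "forward"
        # A new address on a full port is a violation.
        self.violations += 1
        if self.violation == SHUTDOWN:
            self.err_disabled = True          # port goes err-disabled until cleared
            return "err-disabled"
        return "drop"                         # protect/restrict: discard the frame

    def _age_out(self, now: int) -> None:
        if self.sticky or self.aging_time == 0:
            return
        for mac in [m for m, t in self.secure_macs.items() if now - t >= self.aging_time]:
            del self.secure_macs[mac]

    def clear(self) -> None:
        """What 'clear port-security' (or shut / no shut) does to this port."""
        self.secure_macs.clear()
        self.err_disabled = False


def nic_swap_scenario(sticky: bool = False, violation: str = RESTRICT) -> list:
    """PC sends with its old NIC, then the NIC is replaced. Returns (t, mac, result) per frame."""
    port = SecurePort(maximum=1, violation=violation, aging_time=300, sticky=sticky)
    frames = [(0, MAC_PC_OLD_NIC), (100, MAC_PC_OLD_NIC),
              (110, MAC_PC_NEW_NIC),   # old address only 10 s idle: still secured, new one violates
              (450, MAC_PC_NEW_NIC)]   # 350 s after the old address was last seen
    return [(t, mac, port.ingress(mac, t)) for t, mac in frames]


def cloned_mac_scenario() -> list:
    """Frames from three hosts behind a SOHO router that cloned the PC's MAC.
    Port security only sees the L2 source address, so every frame is accepted."""
    port = SecurePort(maximum=1, violation=SHUTDOWN, sticky=True)
    port.ingress(MAC_PC_OLD_NIC, 0)          # the real PC was learned (and is now sticky)
    return [port.ingress(MAC_PC_OLD_NIC, t) for t in (10, 20, 30)]


if __name__ == "__main__":
    for row in nic_swap_scenario():
        print(row)
    print(nic_swap_scenario(sticky=True)[-1])
    print(cloned_mac_scenario())
```

With the default (dynamic) settings the frame from the new NIC at t=110 is dropped and the one at t=450 is forwarded, because the old address aged out in between; with sticky set the last frame is still dropped until clear() is called. In shutdown mode the first violation leaves the port err-disabled for every later frame, including the original PC's. cloned_mac_scenario() returns "forward" for all three hosts, which is the point of the second answer: nothing in the frame tells the switch which device is behind the permitted address.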

Author Comment by dissolved, ID: 12093843

"Too bad that a $30 SOHO router will bypass all that good security with the MAC address "clone" feature and permit up to 250 users behind that one MAC...."

Holy crap, that's crazy!  How would you detect something like that? I guess you would see RIP advertisements from the SOHO router and trace it back to that IP.
Expert Comment by lrmoore, ID: 12093864

No RIP, nothing. I've proven this point many times by taking my Linksys router onsite to do security vulnerability assessments. I have to provide my laptop's MAC address, then secretly assign that MAC to my Linksys, hook it up under the desk, and bingo! I can set up as many systems as I want behind it. I usually carry at least 2 laptops, 1 with Linux and Nessus and the other XP... fire up a Nessus scan and do other stuff on the XP laptop...
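The comment above answers the detection question with "no RIP, nothing": a SOHO NAT router does not advertise itself. One passive check that does exist, and that the thread does not mention, is IP TTL inspection: a NAT router forwards its inside hosts' packets and decrements the TTL by one, so on the access segment they arrive with TTL 127 or 63 rather than the 128 or 64 a directly attached Windows or Linux host sends, and a single source MAC may show more than one TTL family at once. The following is an added example, not code from the thread, implementing that heuristic over constructed sample records (MAC, source IP, TTL) of the kind a sniffer on a SPAN of the access ports would produce. It is a heuristic: a host with a non-default TTL, or a router patched not to decrement, defeats it, and the capture must be taken before any legitimate router has touched the packets.

```python
# Added example (not from the thread): a passive TTL check for the "cloned MAC,
# NAT router under the desk" case described above. Inside hosts' packets leave
# the router with TTL decremented by one, so a directly attached host should
# show 0 hops and a single TTL family; anything else is worth a look.
from collections import defaultdict

INITIAL_TTLS = (64, 128, 255)   # defaults used by Linux/macOS, Windows, and some network devices


def ttl_family_and_hops(ttl: int):
    """Return (inferred initial TTL, hops travelled) for an observed TTL, or (None, None)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def suspect_nat_behind_mac(records):
    """records: (src_mac, src_ip, ttl) tuples as seen on the access segment.
    Returns {mac: {"ips", "ttls", "families", "max_hops", "suspect"}}."""
    by_mac = defaultdict(list)
    for mac, ip, ttl in records:
        by_mac[mac.lower()].append((ip, ttl))
    report = {}
    for mac, obs in by_mac.items():
        families, hops = set(), set()
        for _, ttl in obs:
            fam, h = ttl_family_and_hops(ttl)
            if fam is not None:
                families.add(fam)
                hops.add(h)
        report[mac] = {
            "ips": sorted({ip for ip, _ in obs}),
            "ttls": sorted({ttl for _, ttl in obs}),
            "families": sorted(families),
            "max_hops": max(hops) if hops else None,
            # a directly attached host shows 0 hops and one TTL family
            "suspect": (max(hops) if hops else 0) > 0 or len(families) > 1,
        }
    return report


# Constructed sample: an ordinary PC on one port and, on another, a SOHO router
# that cloned the MAC of the laptop registered for that port. Each port has one IP.
SAMPLE_RECORDS = [
    ("0011.2233.4455", "10.0.0.21", 128),   # Windows PC, directly attached
    ("0011.2233.4455", "10.0.0.21", 128),
    ("00aa.bbcc.dde1", "10.0.0.37", 127),   # XP laptop behind the router: 128 - 1
    ("00aa.bbcc.dde1", "10.0.0.37", 63),    # Linux laptop behind the router: 64 - 1
    ("00aa.bbcc.dde1", "10.0.0.37", 127),
]


def flagged_macs(records=SAMPLE_RECORDS):
    """MACs whose traffic looks routed rather than locally originated."""
    return sorted(mac for mac, r in suspect_nat_behind_mac(records).items() if r["suspect"])


if __name__ == "__main__":
    for mac, r in suspect_nat_behind_mac(SAMPLE_RECORDS).items():
        print(mac, r)
    print("flagged:", flagged_macs())
```

On the sample, the PC's MAC shows TTL 128, zero hops and one family, and is not flagged; the cloned MAC shows TTLs 63 and 127, one hop, and two families (64 and 128), and is flagged. A second signal worth adding in practice is more than one distinct OS fingerprint (TCP options, window size) behind one MAC, which the same per-MAC grouping supports.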
Expert Comment by lrmoore, ID: 12093868

The solution is 802.1X port-level authentication. Make users authenticate to get access to the port. This is often a no-go simply because the users won't put up with multiple logins.

Author Comment by dissolved, ID: 12093869

Wow, that is scary. Thanks for the info.
Expert Comment by lrmoore, ID: 12093875

If it weren't for those darn users, we could build a pretty secure network...