Question on port security

Posted on 2004-09-18
Last Modified: 2010-04-17
On Cisco switches that is (2900 series).

When you implement it with say:

int fa0/1
! the port must be a static access port; port security is rejected on a dynamic (trunk-negotiating) port
 switchport mode access
 switchport port-security
 switchport port-security maximum 1


This means only one MAC address is allowed to traverse that port. What does the switch base its decision on when you use port security? The ARP table? What happens if you change the network card in your PC? It will obviously have a different MAC.

Thanks
Question by: dissolved
Accepted Solution

by: Don Johnston (earned 200 total points)
ID: 12093788
Correct. Only one address will be learned when traffic enters that port.

Layer 2 switches don't care (or know) about IP addresses. They only care (learn) MAC addresses. If another address is learned on that port, it will either not add the address to the MAC-Address-Table or it will disable the port. If the NIC is changed on the PC connected to that port, the previous address will have to age out (300 seconds by default) before the new MAC address will be learned.

-dj
Assisted Solution

by: lrmoore (earned 300 total points)
ID: 12093832
You can also set the port-security to "sticky" which means that it won't time out. So if someone changes their NIC, you have to go into the switch to clear it before they gain access to the network (or until the switch reboots).

You can also specify the MAC address that it will accept on that port. We're seeing more and more companies implement this feature.

Too bad that a $30 SOHO router will bypass all that good security with the MAC address "clone" feature and permit up to 250 users behind that one MAC....

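To make the learning, ageing and sticky behaviour described in the accepted solution and in lrmoore's note concrete, here is an added model of a secured access port (example code written for this page, not Cisco's implementation). It assumes the 300-second ageing of a non-sticky address that the accepted answer cites, and the two violation modes "shutdown" (port err-disabled) and "restrict" (offending frames dropped and counted); on later IOS, port-security ageing is separately configurable and off by default, which is why clearing is usually manual.

```python
from dataclasses import dataclass, field

AGING_SECONDS = 300  # the 300-second ageing the accepted answer cites (assumed here)


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' applied."""
    maximum: int = 1
    sticky: bool = False
    violation: str = "shutdown"   # or "restrict"
    secure_macs: dict = field(default_factory=dict)  # mac -> last time seen
    err_disabled: bool = False
    violations: int = 0

    def _age_out(self, now: float) -> None:
        # Sticky addresses persist until an admin clears them or the switch reloads.
        if self.sticky:
            return
        for mac, seen in list(self.secure_macs.items()):
            if now - seen >= AGING_SECONDS:
                del self.secure_macs[mac]

    def ingress(self, src_mac: str, now: float) -> str:
        """Handle one frame; returns 'forward', 'violation' or 'dropped'."""
        if self.err_disabled:
            return "dropped"             # an err-disabled port passes nothing
        self._age_out(now)
        mac = src_mac.lower()
        if mac in self.secure_macs:
            self.secure_macs[mac] = now  # refresh the ageing timer
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs[mac] = now  # learned as a secure address
            return "forward"
        # A second MAC on a 'maximum 1' port: a swapped NIC looks exactly like this.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
        return "violation"

    def clear(self) -> None:
        """Operator action: forget the secure addresses and re-enable the port."""
        self.secure_macs.clear()
        self.err_disabled = False
```

The model shows the operational consequence: a NIC swap within the ageing window is indistinguishable from a violation, and only the "restrict" mode recovers on its own once the old address ages out.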
Author Comment

by: dissolved
ID: 12093843
"Too bad that a $30 SOHO router will bypass all that good security with the MAC address "clone" feature and permit up to 250 users behind that one MAC...."

Holy crap, that's crazy! How would you detect something like that? I guess you would see RIP advertisements from the SOHO router and trace it back to that IP.

Expert Comment

by: lrmoore
ID: 12093864
No RIP, nothing. I've proven this point many times by taking my Linksys router onsite to do security vulnerability assessments. I have to provide my laptop's MAC address, then secretly assign that MAC to my Linksys, hook it up under the desk, and bingo! I can set up as many systems as I want behind it. I usually carry at least 2 laptops, 1 with Linux and Nessus and the other XP... fire up a Nessus scan and do other stuff on the XP laptop...
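
Since a cloned MAC and the absence of routing advertisements leave nothing for port security to see, the usual network-side tell is the IP TTL: a host plugged in directly sends packets at its OS's initial TTL, while clients behind a SOHO router arrive one hop down (127 instead of 128, 63 instead of 64) and often with several OS defaults mixed under one MAC. The following is an added detection heuristic written for this page (not from the thread); the packet records and the set of initial TTLs are constructed assumptions, and a host with a customised TTL would be a false positive.

```python
from collections import defaultdict

INITIAL_TTLS = (32, 64, 128, 255)   # common OS defaults for a directly attached host

# Constructed sample records (src MAC, src IP, IP TTL) as seen on the access switch.
SAMPLE = [
    ("00:11:22:33:44:55", "10.0.0.20", 128),  # one Windows host plugged in directly
    ("00:11:22:33:44:55", "10.0.0.20", 128),
    ("00:11:22:33:44:66", "10.0.0.21", 127),  # Windows client one hop behind a router
    ("00:11:22:33:44:66", "10.0.0.21", 63),   # Linux client behind the same router
    ("00:11:22:33:44:66", "10.0.0.21", 127),
]


def infer(ttl: int) -> tuple:
    """Map an observed TTL to (probable initial TTL, hops travelled)."""
    initial = min(i for i in INITIAL_TTLS if i >= ttl)
    return initial, initial - ttl


def suspected_nat(records) -> dict:
    """Return {mac: reason} for MACs whose traffic looks routed rather than local."""
    per_mac = defaultdict(set)
    for mac, _ip, ttl in records:
        per_mac[mac.lower()].add(infer(ttl))
    verdict = {}
    for mac, pairs in per_mac.items():
        hops = max(h for _, h in pairs)
        initials = {i for i, _ in pairs}
        if hops >= 1:
            # On an access port every source should be zero hops away.
            verdict[mac] = "TTL decremented: traffic crossed %d hop(s)" % hops
        elif len(initials) > 1:
            verdict[mac] = "several OS TTL defaults behind one MAC"
    return verdict
```

Run against a SPAN copy of the access ports rather than the uplink, so legitimate traffic that has already crossed a real router is not counted.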

Expert Comment

by: lrmoore
ID: 12093868
The solution is 802.1X port-level authentication. Make users authenticate to get access to the port. This is often a no-go simply because the users won't put up with multiple logins.

Author Comment

by: dissolved
ID: 12093869
Wow, that is scary. Thanks for the info.

Expert Comment

by: lrmoore
ID: 12093875
If it weren't for those darn users, we could build a pretty secure network...