Solved

Question on port security

Posted on 2004-09-18
325 Views
Last Modified: 2010-04-17
On Cisco switches, that is (2900 series).

When you implement it with say:

int fa0/1
switchport port-security
switchport port-security maximum 1  


This means only one MAC address is allowed to traverse that port. What does the switch base its decision on when you use port security? The ARP table? What happens if you change the network card in your PC? It will obviously have a different MAC.

Thanks
Question by:dissolved
7 Comments
 
LVL 50

Accepted Solution

by: Don Johnston earned 200 total points
ID: 12093788
Correct. Only one address will be learned when traffic enters that port.

Layer 2 switches don't care (or know) about IP addresses. They only care (learn) MAC addresses. If another address is learned on that port, it will either not add the address to the MAC-Address-Table or it will disable the port. If the NIC is changed on the PC connected to that port, the previous address will have to age out (300 seconds by default) before the new MAC address will be learned.

-dj
 
LVL 79

Assisted Solution

by: lrmoore earned 300 total points
ID: 12093832
You can also set the port-security to "sticky", which means that it won't time out. So if someone changes their NIC, you have to go into the switch to clear it before they gain access to the network (or until the switch reboots).

You can also specify the MAC address that it will accept on that port. We're seeing more and more companies implement this feature.

Too bad that a $30 soho router will bypass all that good security with the mac address "clone" feature and permit up to 250 users behind that one MAC....

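The two answers above describe three behaviours worth seeing side by side: the switch decides purely on the source MAC of frames entering the port (no ARP or IP lookup), a dynamically learned address has to age out before a replacement NIC is accepted, and a "sticky" address never ages, so an operator has to clear it. The following is an added simulation written for this thread, not Cisco code and not something either poster supplied; the 300 s timer is the default quoted in the accepted answer, and the "shutdown"/"restrict" violation behaviour is modelled on IOS semantics as an assumption of the toy, not a statement of vendor documentation.

```python
"""Toy model of Cisco-style port security on one access port (added example)."""
from dataclasses import dataclass, field

DEFAULT_AGING_SECONDS = 300  # the default quoted in the accepted answer


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    sticky: bool = False             # switchport port-security mac-address sticky
    violation: str = "shutdown"      # "shutdown" or "restrict" (assumed semantics)
    aging_seconds: int = DEFAULT_AGING_SECONDS
    learned: dict = field(default_factory=dict)  # mac -> last time seen
    err_disabled: bool = False
    violations: int = 0

    def _age_out(self, now: float) -> None:
        """Forget dynamic addresses idle past the timer; sticky ones stay."""
        if self.sticky:
            return
        self.learned = {mac: seen for mac, seen in self.learned.items()
                        if now - seen < self.aging_seconds}

    def ingress(self, src_mac: str, now: float) -> bool:
        """Offer a frame with this source MAC; True if it is forwarded."""
        if self.err_disabled:
            return False
        self._age_out(now)
        src_mac = src_mac.lower()
        if src_mac in self.learned:
            self.learned[src_mac] = now
            return True
        if len(self.learned) < self.maximum:
            self.learned[src_mac] = now   # learned from the frame itself, nothing else
            return True
        # Unknown MAC on a full table: a security violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True      # whole port goes err-disabled
        return False

    def clear(self) -> None:
        """Operator clears the secure addresses and recovers the port."""
        self.learned.clear()
        self.err_disabled = False


def nic_swap_scenario(sticky: bool) -> dict:
    """PC talks at t=0, its NIC is swapped, the new card talks at t=10 and t=400."""
    port = SecurePort("Fa0/1", maximum=1, sticky=sticky, violation="restrict")
    old_nic = port.ingress("00:11:22:33:44:55", now=0)
    new_before_aging = port.ingress("66:77:88:99:aa:bb", now=10)    # old MAC still held
    new_after_aging = port.ingress("66:77:88:99:aa:bb", now=400)    # past the 300 s timer
    port.clear()                                                     # operator intervention
    after_clear = port.ingress("66:77:88:99:aa:bb", now=401)
    return {"old_nic": old_nic, "new_before_aging": new_before_aging,
            "new_after_aging": new_after_aging, "after_clear": after_clear,
            "violations": port.violations}


def shutdown_scenario() -> tuple:
    """Default violation mode: one stray MAC takes the whole port down."""
    port = SecurePort("Fa0/2")       # maximum 1, violation shutdown
    port.ingress("aa:aa:aa:aa:aa:01", now=0)
    intruder = port.ingress("aa:aa:aa:aa:aa:02", now=1)   # violation -> err-disabled
    legit = port.ingress("aa:aa:aa:aa:aa:01", now=2)      # original host is cut off too
    return port.err_disabled, intruder, legit


if __name__ == "__main__":
    print("dynamic:", nic_swap_scenario(sticky=False))
    print("sticky: ", nic_swap_scenario(sticky=True))
    print("shutdown:", shutdown_scenario())
```

Running it shows the new NIC being refused at t=10 in both modes, accepted at t=400 only when the address is dynamic, and accepted after a clear in the sticky case; the shutdown scenario is the one that generates help-desk calls, because the legitimate host is cut off along with the stray MAC.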
 

Author Comment

by:dissolved
ID: 12093843
"Too bad that a $30 soho router will bypass all that good security with the mac address "clone" feature and permit up to 250 users behind that one MAC...."

Holy crap, that's crazy! How would you detect something like that? I guess you would see RIP advertisements from the SOHO router and trace it back to that IP.

 
LVL 79

Expert Comment

by:lrmoore
ID: 12093864
No RIP, nothing. I've proven this point many times by taking my Linksys router onsite to do security vulnerability assessments. I have to provide my laptop's MAC address, then secretly assign that MAC to my Linksys, hook it up under the desk, and bingo! I can set up as many systems as I want behind it. I usually carry at least 2 laptops, 1 with Linux and Nessus and the other XP... fire up a Nessus scan and do other stuff on the XP laptop...
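The detection question raised above is left open in the thread (the router advertises nothing). One passive indicator that does survive is the IP TTL: every router decrements the TTL of packets it forwards, so a host one hop behind a small NAT router arrives with a TTL one below its OS default (128 becomes 127 for Windows, 64 becomes 63 for Linux), while a host plugged straight into the switch shows the unmodified default. The following is an added example written for this thread, not something any poster supplied; the flow records are constructed, and the record layout is my own rather than that of any real collector or switch.

```python
"""Passive TTL heuristic for a hidden NAT router behind an access port (added example)."""
from collections import defaultdict

# Common OS default TTLs.  Assumption: the observation point is on the same
# L2 segment as the access ports, so no legitimate router sits in the path.
DEFAULT_TTLS = {64, 128, 255}

# Constructed sample: (switch port, source MAC, source IP, observed TTL)
SAMPLE_FLOWS = [
    ("Fa0/1", "00:11:22:33:44:55", "10.0.0.10", 128),  # Windows host, direct
    ("Fa0/2", "aa:bb:cc:dd:ee:ff", "10.0.0.11", 127),  # Windows host one hop away
    ("Fa0/2", "aa:bb:cc:dd:ee:ff", "10.0.0.11", 63),   # Linux host, same MAC and IP
    ("Fa0/3", "00:11:22:33:44:66", "10.0.0.12", 64),   # Linux host, direct
]


def nat_suspects(flows):
    """Return {(port, mac): [reasons]} for MACs whose TTLs suggest a router in front of them."""
    ttls_by_mac = defaultdict(set)
    for port, mac, _ip, ttl in flows:
        ttls_by_mac[(port, mac.lower())].add(ttl)

    findings = {}
    for key, ttls in ttls_by_mac.items():
        reasons = []
        decremented = sorted(t for t in ttls
                             if t not in DEFAULT_TTLS and t + 1 in DEFAULT_TTLS)
        if decremented:
            reasons.append(f"TTL one below an OS default: {decremented}")
        if len(ttls) > 1:
            # One MAC/IP pair emitting several TTL baselines means several
            # operating systems share that address, which is what NAT produces.
            reasons.append(f"several TTL values behind one MAC: {sorted(ttls)}")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (port, mac), reasons in nat_suspects(SAMPLE_FLOWS).items():
        print(f"{port} {mac}: " + "; ".join(reasons))
```

On the sample, only the Fa0/2 MAC is flagged, on both counts. Treat the result as an indicator to investigate rather than proof: a host can set its own TTL, a laptop running a NAT-mode virtual machine produces the same signature, and a single off-by-one TTL from one flow is weak on its own. The control that actually closes the gap is the 802.1X port authentication recommended later in this thread; this check is for spotting devices that slipped past a MAC-only policy.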
 
LVL 79

Expert Comment

by:lrmoore
ID: 12093868
The solution is 802.1x port-level authentication. Make users authenticate to get access to the port. This is often a no-go simply because the users won't put up with multiple logins.
 

Author Comment

by:dissolved
ID: 12093869
Wow, that is scary. Thanks for the info.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12093875
If it weren't for those darn users, we could build a pretty secure network...