Solved

Question on port security

Posted on 2004-09-18
Last Modified: 2010-04-17
On Cisco switches, that is (2900 series).

When you implement it with say:

int fa0/1
switchport port-security
switchport port-security maximum 1

This means only one MAC address is allowed to traverse that port. What does the switch base its decision on when you use port security? The ARP table? What happens if you change the network card in your PC? It will obviously have a different MAC.

Thanks
0
Question by:dissolved
7 Comments
 
LVL 50

Accepted Solution

by:
Don Johnston earned 800 total points
ID: 12093788
Correct. Only one address will be learned when traffic enters that port.

Layer 2 switches don't care (or know) about IP addresses. They only care (learn) MAC addresses. If another address is learned on that port, it will either not add the address to the MAC-Address-Table or it will disable the port. If the NIC is changed on the PC connected to that port, the previous address will have to age out (300 seconds by default) before the new MAC address will be learned.

-dj
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 1200 total points
ID: 12093832
You can also set the port-security to "sticky" which means that it won't time out. So if someone changes their NIC, you have to go into the switch to clear it before they gain access to the network (or until the switch reboots)

You can also specify the MAC address that it will accept on that port. We're seeing more and more companies implement this feature.

Too bad that a $30 SOHO router will bypass all that good security with the MAC address "clone" feature and permit up to 250 users behind that one MAC....

0
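As an added illustration (not from the thread, and not Cisco code), a small Python model of the behaviour Don Johnston and lrmoore describe: the first source MAC seen on the port is learned, a second MAC is either not learned or err-disables the port, dynamically learned entries age out after 300 seconds, and sticky entries never age. The class name, the two violation strings and the sample MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field

AGING_SECONDS = 300  # default dynamic MAC aging time quoted in the thread

@dataclass
class PortSecurity:
    """Constructed model of one access port with 'switchport port-security
    maximum N'. Not Cisco code; violation handling follows the thread: a
    second source MAC is either not learned or the port is disabled."""
    maximum: int = 1
    sticky: bool = False
    violation: str = "shutdown"                  # "shutdown" or "restrict"
    learned: dict = field(default_factory=dict)  # secure MAC -> last-seen time
    err_disabled: bool = False

    def age_out(self, now):
        # Sticky (secure static) addresses never age; dynamic ones do.
        if self.sticky:
            return
        for mac, seen in list(self.learned.items()):
            if now - seen >= AGING_SECONDS:
                del self.learned[mac]

    def frame(self, src_mac, now):
        """Handle one ingress frame; return 'forward', 'drop' or 'err-disable'."""
        if self.err_disabled:
            return "drop"
        self.age_out(now)
        if src_mac in self.learned:
            self.learned[src_mac] = now
            return "forward"
        if len(self.learned) < self.maximum:
            self.learned[src_mac] = now          # first source MAC seen is learned
            return "forward"
        if self.violation == "shutdown":
            self.err_disabled = True             # port goes err-disabled
            return "err-disable"
        return "drop"                            # restrict: violator not learned

def nic_swap_scenario(sticky):
    """Old NIC (constructed MAC) talks at t=0; the replacement NIC tries at
    t=10 and again at t=400, i.e. after the 300 s aging window."""
    port = PortSecurity(maximum=1, sticky=sticky, violation="restrict")
    return [port.frame("00:11:22:33:44:55", 0),
            port.frame("66:77:88:99:aa:bb", 10),
            port.frame("66:77:88:99:aa:bb", 400)]

if __name__ == "__main__":
    print(nic_swap_scenario(False), nic_swap_scenario(True))
```

With dynamic learning the replacement NIC is accepted once the old entry has aged out; with sticky learning it stays blocked until an administrator clears the entry, which is the behaviour lrmoore describes.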
 

Author Comment

by:dissolved
ID: 12093843
"Too bad that a $30 soho router will bypass all that good security with the mac address "clone" feature and permit up to 250 users behind that one MAC...."

Holy crap, that's crazy! How would you detect something like that? I guess you would see RIP advertisements from the SOHO router and trace it back to that IP.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12093864
No RIP, nothing. I've proven this point many times by taking my Linksys router onsite to do security vulnerability assessments. I have to provide my laptop's MAC address, then secretly assign that MAC to my Linksys, hook it up under the desk, and bingo! I can set up as many systems as I want behind it. I usually carry at least 2 laptops, 1 with Linux and Nessus and the other XP... fire up a Nessus scan and do other stuff on the XP laptop...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12093868
The solution is 802.1x port-level authentication. Make users authenticate to get access to the port. This is often a no-go simply because the users won't put up with multiple logins.
0
 

Author Comment

by:dissolved
ID: 12093869
Wow, that is scary. Thanks for the info.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12093875
If it weren't for those darn users, we could build a pretty secure network...
0
