Solved

Switchport port-security issue

Posted on 2011-03-15
18
1,335 Views
Last Modified: 2012-05-11
Hi All.

We have a CAT2960 LAN-LITE.  Each port is configured for an access and a voice VLAN.  All our computers are directly connected through IP phones, and the IP phones are then connected to the switch.

I configured the following on a CAT2960 with IOS 12.2(50)SE2 at the interface level:

 switchport access vlan 10
 switchport mode access
 switchport voice vlan 11
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict

Based on what I read, my understanding is the following:

Each port can have two MAC addresses connected to it, but it must be only one IP phone, or one computer, or one computer and one IP phone at the same time.  It cannot be 2 IP phones or 2 computers. Am I right?

If so, I have the following issue:
When an IP phone is connected to a switch port, the switch tries to add the IP phone to the access VLAN twice.  Then the switch adds the IP phone to the right voice VLAN.

But if the computer connected through the IP phone has already been added to the access VLAN when the IP phone boots up, the switch will generate a violation for the first 2 attempts to add the IP phone to the wrong VLAN.

ex.:
05:33:50: PSECURE: Read:2004, Write:2005
05:33:50: PSECURE: swidb = FastEthernet0/11 mac_addr = [Computer MAC-ADDR] vlanid = 10
05:33:50: PSECURE: Adding [Computer MAC-ADDR] as dynamic on port Fa0/11 for vlan 10


05:34:11: PSECURE: Security violation, TrapCount:1
05:34:12: PSECURE: Read:2014, Write:2015
05:34:12: PSECURE: swidb = FastEthernet0/11 mac_addr = [IP Phone MAC-ADDR] vlanid = 10
05:34:12: PSECURE: Adding [IP Phone MAC-ADDR] as dynamic on port Fa0/11 for vlan 10
05:34:12: PSECURE: Violation/duplicate detected upon receiving [IP Phone MAC-ADDR] on vlan 10: port_num_addrs 1 port_max_addrs 2 vlan_addr_ct 1: vlan_addr_max 1 total_addrs 0: max_total_addrs 8192
05:34:12: PSECURE: Security violation, TrapCount:2
05:34:13: PSECURE: Read:2015, Write:2016
05:34:13: PSECURE: swidb = FastEthernet0/11 mac_addr = [IP Phone MAC-ADDR] vlanid = 10
05:34:13: PSECURE: Adding [IP Phone MAC-ADDR] as dynamic on port Fa0/11 for vlan 10
05:34:13: PSECURE: Violation/duplicate detected upon receiving [IP Phone MAC-ADDR] on vlan 10: port_num_addrs 1 port_max_addrs 2 vlan_addr_ct 1: vlan_addr_max 1 total_addrs 0: max_total_addrs 8192
05:34:13: PSECURE: Security violation, TrapCount:3
05:34:13: PSECURE: Read:2016, Write:2017
05:34:13: PSECURE: swidb = FastEthernet0/11 mac_addr = [IP Phone MAC-ADDR] vlanid = 11
05:34:13: PSECURE: Adding [IP Phone MAC-ADDR] as dynamic on port Fa0/11 for vlan 11
05:34:13: PSECURE: Adding address vlan 11 [IP Phone MAC-ADDR] to port-security
05:34:13: PSECURE: Adding addresses to port-security sub block

Am I missing something, or maybe the IOS is bugged?

Thank you very much for your help.

0
Question by:AdminDetail
18 Comments
 
LVL 6

Accepted Solution

by:
Dangle79 earned 500 total points
ID: 35141886
not sure if this works on lan-lite, but we do something kind of similar with some video conferencing equipment. it's not dynamic as you seem to be trying to do, but it works if you know all your MAC addresses.

set up an access list with your MAC IDs, then apply it to your ports as you would with IP filtering:

mac access-list extended videoconf
 permit host xxxx.xxxx.xxxx any
 permit host yyyy.yyyy.yyyy any

interface FastEthernet0/7
 description Trtmt Room Vconf
 mac access-group videoconf in
0
 
LVL 6

Expert Comment

by:Dangle79
ID: 35141893
granted we know we're dealing with the same four devices that float and we apply that same list to multiple ports on the same switch
0
 

Author Comment

by:AdminDetail
ID: 35141958
The problem is that I cannot know all the MAC addresses on our network.  We'll have about 100 customers with that kind of setup.

The only thing we want to do with that is to prevent someone from installing decentralized switches, and also to prevent someone from installing other switches than ours.

Is this the right feature to do that?
0
 
LVL 6

Expert Comment

by:Dangle79
ID: 35142008
i'd say you've got the right idea then. it kind of looks like you're dealing with a timeout issue. when a device reboots it's trying to add to the list but you're getting duplicate errors. perhaps try setting the age time.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/6.x/configuration/guide/sec_port.html#wp1019982
0
 

Author Comment

by:AdminDetail
ID: 35142288
The aging time doesn't change anything, unfortunately.

But the feature works.  It just generates a security violation for nothing.  Considering that I'll receive an SNMP trap each time, it bothers me.

I'm out for the night.  I'll look at this again tomorrow.

Thanks for now :)
0
 

Author Comment

by:AdminDetail
ID: 35155765
I had confirmation that I should use the following commands:

maximum 3
maximum 2 access
maximum 1 voice

Considering that the rogue switch should have taken one of the 2 MACs allowed for the "access".

But now my problem is that my rogue switch doesn't take a MAC on my secure port.

Is that normal?

Thanks
0
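As an added example (not from the thread and not Cisco's code), the following Python model replays the per-port and per-VLAN counting seen in the PSECURE debug lines of the question, once with the original limits and once with the revised 3/2/1 limits from this comment; the counting rule, the event names and the VLAN numbers are assumptions reconstructed from the log above.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Simplified model of the counters printed in the PSECURE debug lines
    (port_num_addrs/port_max_addrs and vlan_addr_ct/vlan_addr_max).
    Assumption: an illustration of the rule, not Cisco's implementation."""
    port_max: int
    vlan_max: dict                              # vlan id -> "maximum N vlan <access|voice>"
    violations: int = 0
    secure: set = field(default_factory=set)    # (mac, vlan) pairs already secured

    def learn(self, mac, vlan):
        key = (mac, vlan)
        if key in self.secure:
            return "known"
        port_count = len(self.secure)
        vlan_count = sum(1 for _, v in self.secure if v == vlan)
        if port_count >= self.port_max or vlan_count >= self.vlan_max.get(vlan, self.port_max):
            # "violation restrict": drop the frame, count/trap it, leave the port up
            self.violations += 1
            return "violation"
        self.secure.add(key)
        return "added"


# Constructed event sequence matching the asker's log: the PC is secured in
# access VLAN 10 first; the booting phone is then seen twice in VLAN 10
# before CDP moves it into voice VLAN 11.
EVENTS = [("pc", 10), ("phone", 10), ("phone", 10), ("phone", 11)]


def replay(port_max, access_max, voice_max, events=EVENTS):
    """Return the per-event decisions and the number of violations raised."""
    ps = PortSecurity(port_max, {10: access_max, 11: voice_max})
    decisions = [ps.learn(mac, vlan) for mac, vlan in events]
    return decisions, ps.violations


if __name__ == "__main__":
    # original limits: maximum 2 / 1 vlan access / 1 vlan voice
    print(replay(2, 1, 1))   # two violations while the phone is still in VLAN 10
    # revised limits from this comment: maximum 3 / 2 access / 1 voice
    print(replay(3, 2, 1))   # the phone's VLAN 10 entry fits, so no violation
```

The model also shows why the phone ends up holding two secure entries (one per VLAN) once it settles, which is the slot the asker expected a rogue switch to consume.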
 
LVL 6

Expert Comment

by:Dangle79
ID: 35155799
that makes sense. the ip phone is in itself a switch of sorts.

what are you using for a rogue switch? i assume a desktop switch like a dlink or something? i assume you're testing behavior with a "rogue" device...
0
 

Author Comment

by:AdminDetail
ID: 35155875
It's a Cisco Small Business 5-port switch.

I also generated traffic with a PC.  But there is no MAC address for the switch.

Is there a feature to enable that?
0
 
LVL 6

Expert Comment

by:Dangle79
ID: 35155892
interesting.. how many host devices are you able to run?
curious if it's just recognizing the switch as a bridge and allowing it but will filter on host macs
0
 

Author Comment

by:AdminDetail
ID: 35156099
What do you mean by "How many hosts are you able to run"?

I have two nodes connected to my switch so far.

By the way, I also tried a D-Link switch, but it doesn't work.
0
 
LVL 6

Expert Comment

by:Dangle79
ID: 35156140
i'm trying to piece together what you've got connected.
in my mind i'm seeing it like this:

secured port > 5port switch > IP phone and PC

from what you've said i'm gathering that the secured port is picking up the macs for the phone and the pc but not the switch. my hunch was that it was ignoring the switch in favor of the connected devices (the phone and the PC)
what i was asking is what happens if you were to connect another PC/"malicious host" to the 5 port switch in this scenario, if it would be allowed access to the network by the secured port
0
 

Author Comment

by:AdminDetail
ID: 35156411
Ok, I see :), sorry.

Yes, the second PC connected to the 5-port switch is permitted.
0
 
LVL 6

Assisted Solution

by:Dangle79
Dangle79 earned 500 total points
ID: 35156448
must admit then, i'm stumped.
should be working as advertised. hate to tell you to call TAC, but that's actually how we managed to come up with the access-list solution i outlined earlier. do you have active support on your device?
0
 

Author Comment

by:AdminDetail
ID: 35156728
Yes, but sometimes it's better with these forums :).  I see something weird.

The IP phones are managed by a UC540 connected to my router.

Here's where my router is: Router > Switch LAN-LITE (secured port) > 5-port switch > IP phone and PC

Even if no PC is connected to my network, I see my LEDs blink very fast (around 50 packets per second on all the connected interfaces of all my devices).

Can the IP phone protocol cause that fast blinking?
Would it be possible that this kind of traffic (or storm) causes the switch's MAC to not be considered by my main switch?
0
 

Author Comment

by:AdminDetail
ID: 35158533
I put up a SPAN session and sniffed to see what's going on, and I received many cisco-sccp packets.  I think it's normal and useful to let the Cisco SCCP protocol run.

0
 
LVL 6

Expert Comment

by:Dangle79
ID: 35158684
yeah that's probably okay. my knee-jerk answer would have been arp broadcasts but since you're in a bench situation that's not likely.
0
 

Author Comment

by:AdminDetail
ID: 35159259
I heard that since layer 2 switches don't send packets themselves on the network, they won't come up in the MAC address table of other layer 2 devices on the network.

I think that's my answer :(
0
 
LVL 6

Expert Comment

by:Dangle79
ID: 35159281
yeah, that's the fancy way of saying what i was thinking. the switch is just a bridge and thus won't originate any packets, that's why i was wondering how many hosts you could connect. your port security should still work with the max address limit set
0