Steven Carnahan

port security report

We have port security set on our Cisco switches. The problem is that we have all ports active with dummy MACs assigned initially. This causes an alert when a rogue device is plugged in, which is good.  What isn't good is if we move a device from one port to another, the old port doesn't get the dummy MAC assigned, leaving it vulnerable to a rogue device.  We would like to have something that can look at ports to:

1. check for ports with port-security not turned on
2. check for ports with port-security turned on but no, or not enough (since we also have phones on some of the same ports), MACs assigned to it.  
3. send an email daily with the results of 1 & 2

Thank you
Steven Carnahan
ASKER

I have added PowerShell and Windows Batch to the categories.  I have all the configs in text files, so could this be accomplished by reading the files and looking for missing information?
What isn't good is if we move a device from one port to another, the old port doesn't get the dummy MAC assigned, leaving it vulnerable to a rogue device.
Just configure the port not to forget the address that was on it. Set switchport port-security mac-address sticky in combination with switchport port-security aging so that it does not forget the MAC address (the default behavior). After the device is moved to another port you can still have the MAC address of the previous device assigned to that port.
2. check for ports with port-security turned on but no, or not enough (since we also have phones on some of the same ports), MACs assigned to it.
3. send an email daily with the results of 1 & 2
That is a job for a network configuration manager (NCM).

But anyway, it looks like the better solution for your needs is to use RADIUS in your network.
If a MAC address is not already in RADIUS, it should not get access to the network.
Okay, a little more background might be helpful. We use Kiwi CatTools to backup our configurations and also to report on changes. Audit and management don't feel that is sufficient and I tend to agree. It tells us of changes but is too time consuming to go through and discover ports with incorrect/missing port-security.

What we are looking for is a way to receive a daily email with that information.

This is what a typical port looks like when configured properly.  

interface FastEthernet0/6
 description Fa0/6
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 100
 switchport port-security maximum 2
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.85bc.ad20 vlan access
 switchport port-security mac-address sticky aaaa.0108.a006 vlan voice

Since there is no phone currently attached to this port the last line has a dummy MAC assigned.

Now let's say the computer on this port is moved to another port on the same switch today. Since you can't have the same MAC on two ports, the second-to-last line would be removed so that the computer will work on the new port. This can be done either by a third-party switch port management tool we use or by someone actually accessing the switch remotely and putting in the "no" command.  Either way it results in the configuration being changed to:

interface FastEthernet0/6
 description Fa0/6
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 100
 switchport port-security maximum 2
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aaaa.0108.a006 vlan voice

This leaves the port vulnerable to someone connecting a rogue computer to the port and not tripping the port security.  Ideally a dummy MAC would be assigned; however, that almost never gets done.

We have lots of moves daily so we are looking for a way to receive an email every day that lists the switch and port that either doesn't have port-security set or is missing one or more of the lines that have the MAC.  

There are other ways to do this however this is what our audit and management have asked for.  It should be easy enough to accomplish since we have all the configurations saved nightly in text files.  If they were stored on a Linux box we could simply use GREP however they are stored on a windows box.

We do use RADIUS for any outside access to the network however we can't lock that down by MAC since some people use their own computers and may sometimes need to use a different computer altogether.  We use MFA so it doesn't matter what machine they use.
Now let's say the computer on this port is moved to another port on the same switch today. Since you can't have the same MAC on two ports, the second-to-last line would be removed so that the computer will work on the new port.
Almost true, but you can have two ports configured with the same switchport port-security MAC address. It is just the MAC address that is allowed to use the port, not the actual MAC address in the CAM table.
So you don't have to use the "no" command; previously assigned MAC addresses can stay on the port without any risk (it permits that host to use the port, but not other hosts). Try it, but it is basically the same as using the same dummy address everywhere.
We run a unicast environment which does not permit the same MAC on multiple ports on the same physical switch. When we try to move a machine from one port to another it tells us that it has found that MAC on another port and puts the new port into err-disabled.
SOLUTION
eeRoot
When we try to move a machine from one port to another it tells us that it has found that MAC on another port and puts the new port into err-disabled.
Yes, I totally forgot about that one; it is enough just to have the MAC configured on a port in the same VLAN.
A security violation occurs in either of these two situations:

- When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic differs from any of the identified secure MAC addresses
  In this case, port security applies the configured violation mode.
- If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN
Learned MAC addresses can easily be removed from the old port (without waiting for the MAC age timer) by issuing clear mac address-table interface Gi x/y, but I totally forgot about the first part (bolded). I tested it with Packet Tracer just in case, and in Packet Tracer everything is OK with that scenario - it does not reflect reality. :)
@eeRoot

Thank you, I will look into Cisco ISE since we run Cisco exclusively.  However, I am not sure that it is really worth the effort due to our size.  

@Predrag Jovic

Thank you, I have looked at several options, but basically all I need is a daily email showing me what ports either don't have port security configured or don't have the proper, or any, MACs assigned.  

Since I have the configurations backed up nightly, isn't there something similar to Linux's GREP that can be used to look at the configuration text files and create such a report? We are not looking to actually lock the network down any tighter.  It is just that the examiners (audit) are complaining that we are not monitoring our existing controls properly and therefore some holes have happened.

I hope that all makes sense.
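The grep-style check asked for here, and for the Fa0/6 configs posted earlier, as an added PowerShell example. This is not the asker's own script nor anything posted in the thread. The backup directory, the report path, the SMTP relay and addresses, and the embedded sample config (the thread's Fa0/6 port before and after its sticky PC address was removed, plus an unsecured port and a trunk) are all assumptions; the sample is only used when the backup directory does not exist.

```powershell
# Added example, not the asker's script: audit nightly Cisco config backups for
# access ports with port-security off, or with fewer secure MAC lines than
# "switchport port-security maximum" allows (dummy MACs count, as intended).
# Assumptions: one *.txt per switch in $ConfigDir; SMTP relay and addresses;
# the constructed sample config used for a dry run when $ConfigDir is missing.
param(
    [string]$ConfigDir  = 'C:\Backups\Configs',                              # assumed path
    [string]$ReportPath = "port-security-$(Get-Date -Format yyyy-MM-dd).txt", # written to the current directory
    [string]$MailTo     = ''                                                 # empty = do not send e-mail
)

function Get-PortSecurityFindings {
    param([string]$SwitchName, [string[]]$Lines)

    # Pass 1: group the indented sub-commands under their "interface" line.
    $blocks = [ordered]@{}
    $iface  = $null
    foreach ($raw in $Lines) {
        if ($raw -match '^interface\s+(\S+)') {
            $iface = $Matches[1]
            $blocks[$iface] = @()
        } elseif ($iface -and $raw -match '^\s+\S') {
            $blocks[$iface] += $raw.Trim()
        } elseif ($raw -match '^\S') {
            $iface = $null                      # any unindented line ("!", "end", ...) closes the block
        }
    }

    # Pass 2: the two checks from the question, applied to every access port.
    $findings = @()
    foreach ($port in $blocks.Keys) {
        $cfg = $blocks[$port]
        if ($cfg -notcontains 'switchport mode access') { continue }   # trunks/uplinks are out of scope

        if ($cfg -notcontains 'switchport port-security') {
            $findings += [pscustomobject]@{ Switch = $SwitchName; Port = $port; Issue = 'port-security not enabled' }
            continue
        }

        # Interface-level maximum; Cisco's default is 1 when the line is absent.
        # The per-VLAN "maximum N vlan access/voice" lines are deliberately not matched.
        $max = 1
        foreach ($c in $cfg) {
            if ($c -match '^switchport port-security maximum (\d+)$') { $max = [int]$Matches[1] }
        }
        # Static or sticky secure MACs in Cisco's xxxx.xxxx.xxxx notation (-match is case-insensitive).
        $macs = @($cfg | Where-Object { $_ -match '^switchport port-security mac-address (sticky )?([0-9a-f]{4}\.){2}[0-9a-f]{4}' })
        if ($macs.Count -lt $max) {
            $findings += [pscustomobject]@{ Switch = $SwitchName; Port = $port; Issue = "$($macs.Count) of $max secure MACs configured" }
        }
    }
    return $findings
}

# Constructed sample config for a dry run (not a real switch).
$sample = @'
interface FastEthernet0/5
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.85bc.ad20 vlan access
 switchport port-security mac-address sticky aaaa.0108.a006 vlan voice
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aaaa.0108.a006 vlan voice
!
interface FastEthernet0/7
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
'@

$all = @()
if (Test-Path $ConfigDir) {
    foreach ($file in Get-ChildItem -Path $ConfigDir -Filter '*.txt' -File) {
        $all += @(Get-PortSecurityFindings -SwitchName $file.BaseName -Lines (Get-Content $file.FullName))
    }
} else {
    $all += @(Get-PortSecurityFindings -SwitchName 'sample-sw1' -Lines ($sample -split "`r?`n"))
}

$report = if ($all.Count -eq 0) { 'No port-security findings.' }
          else { $all | Sort-Object Switch, Port | Format-Table -AutoSize | Out-String }
Set-Content -Path $ReportPath -Value $report

if ($MailTo) {
    # Run daily from Task Scheduler; relay and sender address are assumptions.
    Send-MailMessage -SmtpServer 'smtp.example.local' -From 'netaudit@example.local' -To $MailTo `
        -Subject "Port-security audit $(Get-Date -Format yyyy-MM-dd)" -Body $report
}
$report
```

Run without arguments to see the dry run: the sample reports FastEthernet0/6 as "1 of 2 secure MACs configured" (the moved PC's sticky line is gone) and FastEthernet0/7 as "port-security not enabled", while Fa0/5 and the trunk produce nothing. Point `-ConfigDir` at the nightly backups and pass `-MailTo` to get the daily mail the auditors asked for; ports whose `maximum` is set only per VLAN fall back to the interface default of 1, so adjust the regex if your templates differ from the Fa0/6 one posted above.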
SOLUTION
ASKER CERTIFIED SOLUTION
Ended up writing my own script in PS that accomplishes what I was after to a degree.

Thank you everyone.