Psecure violation error detected on

Forum rules: please use [code] tags when posting listings. Messages that are not formatted properly have every chance of going unnoticed.

Laa

Senior lieutenant
Posts: 1032
Joined: 2008-02-21 18:25:33
From: Ukraine, Russia

Explain what this Catalyst log means.

Code:

May 14 11:57:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
May 14 11:57:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001e.8c50.18ed on port FastEthernet0/1.
May 14 11:57:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

And in general, in a network with a bunch of branches hanging off a Catalyst port, should port security be enabled at all?

exim: remember that by issuing deny you can fail to deliver your own mail, by blocking the remote MTA's sender-verify against your MTA!!!




hizel

Uncle pony
Posts: 9032
Joined: 2007-06-29 10:05:02
From: Vyborg

Re: Explain what this Catalyst log means.

hizel » 2009-05-14 12:11:45

I got stuck.

It is a security violation when one of these situations occurs:

• The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

• An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

He doesn't play silly games. He is just a scary choo-choo train, and his name is Blaine. Blaine is Pain.


Re: Explain what this Catalyst log means.

Laa » 2009-05-14 12:25:07

And how would one view and change the «secure MAC addresses»?



Re: Explain what this Catalyst log means.

hizel » 2009-05-14 12:47:34

Well, it should look roughly like this:

Code:

interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 6
 switchport port-security aging time 5
 switchport port-security aging static
 switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0000.000b 
 switchport port-security mac-address sticky 0000.0000.4141
 switchport port-security mac-address sticky 0000.0000.5050
 no ip address



Re: Explain what this Catalyst log means.

Laa » 2009-05-14 12:57:25

Here is my config:

Code:

sw-core-01#sh run int f0/1
Building configuration...

Current configuration : 164 bytes
!
interface FastEthernet0/1
 switchport mode access
 ip access-group IP_ACL_1 in
 load-interval 60
 spanning-tree portfast
 ip dhcp snooping limit rate 100
end

sw-core-01#

I removed port security; as I understand it, it is not for my case.



Re: Explain what this Catalyst log means.

Laa » 2009-05-14 13:08:29

hizel, thanks, now I understand which direction to read in… :drinks:



 

zrad

Guest

#1


24.03.2008 12:13:35

There is a port configured as follows:

Quote
interface FastEthernet0/13
switchport access vlan X
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0007.0e71.f4a1
switchport port-security mac-address sticky 0011.200f.1101
no cdp enable
end

That is, the port is protected against devices with MACs other than the specified ones being connected to it. On such an attempt, packet flow through the port is blocked and resumes only after the port is restarted.
At the same time, the logs contain the following messages:

Quote
10w0d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0004.23bb.fea1 on port FastEthernet0/13.
10w0d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.3153.ce73 on port FastEthernet0/13.
10w0d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0080.4823.3d40 on port FastEthernet0/13.
10w0d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0004.23bb.fea1 on port FastEthernet0/13.
10w0d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.3144.1930 on port FastEthernet0/13.
10w0d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.3153.ce73 on port FastEthernet0/13.
10w0d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.49c6.eb4e on port FastEthernet0/13.
10w0d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.49e1.74ee on port FastEthernet0/13.

But packet flow is not blocked.
Could you please tell me what the problem might be?

IOS ™ C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Model number: WS-C2950-24

 

Err… I think you need to set an action there, i.e. what to do with the port when a «Security violation» happens.

 

To be safe, set switchport port-security violation shutdown

 

zrad

Guest

#4


25.03.2008 09:50:54

Quote
^rage^ writes:

Err… I think you need to set an action there, i.e. what to do with the port when a «Security violation» happens.

Actually, here are all the port-security options:

Code
#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

and all the violation options:

Code
#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

Or are there some other ways?

 

What do you need this command for:
switchport port-security mac-address sticky ???

Do it like this:

switchport port-security mac-address 0007.0e71.f4a1
switchport port-security mac-address 0011.200f.1101

With security violation shutdown, when unauthorized packets try to pass, the port goes into err-disable mode and comes back either after a restart or via the automatic recovery command… if you don't want the port switched off, use protect mode.

 

zrad

Guest

#6


27.03.2008 09:57:42

Quote
SerGio writes:

What do you need this command for

switchport port-security mac-address sticky ???

This option is very convenient when a client's MAC changes. The advantages are that it won't let anyone in until you remove one of the configured MACs, and that you don't have to enter the MAC by hand; it attaches on its own.

Quote
With security violation shutdown, when unauthorized packets try to pass, the port goes into err-disable mode and comes back either after a restart or via the automatic recovery command… if you don't want the port switched off, use protect mode.

But isn't restrict mode just protect plus a syslog message and an SNMP trap?

 

p@rti3@n

Guest

#7


27.03.2008 10:13:42

Quote
zrad writes:
But isn't restrict mode just protect plus a syslog message and an SNMP trap?

Exactly; in restrict mode it blocks the traffic + syslog message and SNMP trap.

 

zrad

Guest

#8


27.03.2008 17:42:08

Quote
p@rti3@n writes:
Exactly; in restrict mode it blocks the traffic + syslog message and SNMP trap.

And one last nuance: in that case, does it block traffic for everyone, or only for the foreign MACs?

 

SerGio

Guest

#9


27.03.2008 21:11:12

Quote
zrad writes:
Quote SerGio writes:

What do you need this command for

switchport port-security mac-address sticky ???

This option is very convenient when a client's MAC changes. The advantages are that it won't let anyone in until you remove one of the configured MACs, and that you don't have to enter the MAC by hand; it attaches on its own.

Then you don't have to enter

Code
switchport port-security mac-address sticky 0007.0e71.f4a1
switchport port-security mac-address sticky 0011.200f.1101

An SNMP trap is sent in all cases of denial.

Quote
And one last nuance: in that case, does it block traffic for everyone, or only for the foreign MACs?

If you want only your two MACs to be let through, then the sticky command is not needed,
as I already said… in your case traffic will be blocked only when the maximum number of MAC addresses (two in your case) is exceeded.

 

Dubrovsky

Guest

#10


09.04.2008 17:30:23

Quote
zrad writes:
And one last nuance: in that case, does it block traffic for everyone, or only for the foreign MACs?

restrict — only warns the administrator about the connection
protect — does not let foreign MACs connect; the port works only for the configured MACs
shutdown — blocks the port completely, dropping into error-disable

Port security is a layer two traffic control feature on Cisco Catalyst switches. It enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter the addition by users of "dumb" switches to illegally extend the reach of the network (e.g. so that two or three users can share a single access port). The addition of unmanaged devices complicates troubleshooting by administrators and is best avoided.

Enabling Port Security

Port security can be enabled with default parameters by issuing a single command on an interface:

Switch(config)# interface f0/13
Switch(config-if)# switchport port-security

Although only a single interface is used for illustration in this article, port security, if configured, is typically configured on all user-facing interfaces.

We can view the default port security configuration with show port-security:

Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

As you can see, there are a number of attributes which can be adjusted. We’ll cover these in a moment.

When a host connects to the switch port, the port learns the host’s MAC address as the first frame is received:

Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0

Now, we disconnect the host from the port, connect a small switch or hub, and reconnect the original host plus a second, unauthorized host so that they both attempt to share the access port. Observe what happens as soon as the second host attempts to send traffic:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c on port FastEthernet0/13.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down

Inspecting the status of port security on the port again, we can see that the new MAC address triggered a violation:

Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0021.55c8.f13c:10
Security Violation Count   : 1
Switch# show interfaces f0/13
FastEthernet0/13 is down, line protocol is down (err-disabled) 
  Hardware is Fast Ethernet, address is 0013.c412.0f0d (bia 0013.c412.0f0d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
...

By default, a port security violation forces the interface into the error-disabled state. An administrator must re-enable the port manually by issuing the shutdown interface command followed by no shutdown. This must be done after the offending host has been removed, or the violation will be triggered again as soon as the second host sends another frame.
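The three messages above are what an operator sees in the switch log, and the same messages are what a log collector has to triage across many ports. The following Python script is an added example written for this page (it is not PacketLife's code and not a Cisco tool): it parses the IOS `%PORT_SECURITY-2-PSECURE_VIOLATION`, `%PM-4-ERR_DISABLE` and `%PM-4-ERR_RECOVER` messages in the format shown on this page, summarises violations per port, and flags ports that are currently err-disabled, that re-enter err-disable after an auto-recovery (the "cause not cleared" case described later in the article), or that report several distinct offending MACs, which is the hub-behind-the-port situation demonstrated above. The log lines, timestamps and MAC addresses (taken from the IANA documentation range 0000.5e00.53xx) are constructed for the example, and the port-name normalisation covers only the interface types named in the code.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Message formats as IOS prints them (see the log excerpts on this page).  A
# timestamp or sequence number may precede the %FACILITY tag, so we search
# within the line rather than anchoring at its start.
_PORT = r"(?P<port>[A-Za-z]+\d+(?:/\d+)+)"
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port " + _PORT)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on " + _PORT +
    r", putting \S+ in err-disable state")
RECOVER_RE = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation "
    r"err-disable state on " + _PORT)

# IOS names the port "FastEthernet0/1" in one message and "Fa0/1" in another;
# normalise to the short form so both land in the same bucket.
_SHORT = (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa"))


def short_name(port: str) -> str:
    for long, short in _SHORT:
        if port.startswith(long):
            return short + port[len(long):]
    return port


@dataclass
class PortSummary:
    violations: int = 0                       # PSECURE_VIOLATION messages seen
    macs: set = field(default_factory=set)    # distinct offending MACs
    err_disabled: bool = False                # currently in err-disable state
    recoveries: int = 0                       # ERR_RECOVER messages seen
    flapping: bool = False                    # err-disabled again after a recovery


def summarize(lines):
    """Fold syslog lines into {short port name: PortSummary}."""
    ports = defaultdict(PortSummary)
    for line in lines:
        if m := VIOLATION_RE.search(line):
            p = ports[short_name(m["port"])]
            p.violations += 1
            p.macs.add(m["mac"].lower())
        elif m := ERRDISABLE_RE.search(line):
            p = ports[short_name(m["port"])]
            if p.recoveries:          # it came back up and the offender was still there
                p.flapping = True
            p.err_disabled = True
        elif m := RECOVER_RE.search(line):
            p = ports[short_name(m["port"])]
            p.recoveries += 1
            p.err_disabled = False
    return dict(ports)


def findings(ports, multi_mac_threshold=2):
    """Turn the per-port summary into operator-facing findings."""
    out = []
    for name, p in sorted(ports.items()):
        if p.err_disabled:
            out.append(f"{name}: err-disabled after {p.violations} violation(s); "
                       "needs 'shutdown' / 'no shutdown' or errdisable recovery")
        if p.flapping:
            out.append(f"{name}: re-entered err-disable after {p.recoveries} auto-recovery "
                       "cycle(s); the offending host has not been removed")
        if len(p.macs) >= multi_mac_threshold:
            out.append(f"{name}: {len(p.macs)} distinct offending MACs "
                       f"({', '.join(sorted(p.macs))}); likely an unmanaged switch or hub")
    return out


# Constructed sample log: Fa0/1 is err-disabled, auto-recovers and is immediately
# err-disabled again by the same host; Fa0/13 (restrict mode) sees three hosts.
SAMPLE_LOG = """\
May 14 11:57:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
May 14 11:57:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5301 on port FastEthernet0/1.
May 14 11:57:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
May 14 12:07:05: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/1
May 14 12:07:07: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
May 14 12:07:09: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
May 14 12:07:09: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5301 on port FastEthernet0/1.
May 14 12:10:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5302 on port FastEthernet0/13.
May 14 12:10:01: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5303 on port FastEthernet0/13.
May 14 12:10:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5302 on port FastEthernet0/13.
May 14 12:10:03: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5304 on port FastEthernet0/13.
"""

if __name__ == "__main__":
    for finding in findings(summarize(SAMPLE_LOG.splitlines())):
        print(finding)
```

Run against the sample, the script reports Fa0/1 twice (err-disabled, and flapping through auto-recovery) and Fa0/13 once (three distinct offending MACs); feed it `show logging` output or a syslog file one line at a time to get the same summary for a real switch.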

Tweaking Port Security

Violation Mode

Port security can be configured to take one of three actions upon detecting a violation:

shutdown (default): The interface is placed into the error-disabled state, blocking all traffic.

protect: Frames from MAC addresses other than the allowed addresses are dropped; traffic from allowed addresses is permitted to pass normally.

restrict: Like protect mode, but generates a syslog message and increases the violation counter.

By changing the violation mode to restrict, we are still alerted when a violation occurs, but legitimate traffic remains unaffected:

Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# ^Z
Switch#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.55c8.f13c on port FastEthernet0/13.
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0021.55c8.f13c:10
Security Violation Count   : 3

Unfortunately, violating traffic will continue to trigger log notifications, and the violation counter will continue to increase, until the violating host is dealt with.

Maximum MAC Addresses

By default, port security limits the ingress MAC address count to one. This can be modified, for example, to accommodate both a host and an IP phone connected in series on a switch port:

Switch(config-if)# switchport port-security maximum 2

One also has the option to set a maximum MAC count for the access and voice VLANs independently (assuming a voice VLAN has been configured on the interface):

Switch(config-if)# switchport port-security maximum 1 vlan access
Switch(config-if)# switchport port-security maximum 1 vlan voice

MAC Address Learning

An administrator has the option of statically configuring allowed MAC addresses per interface. MAC addresses can optionally be configured per VLAN (access or voice).

Switch(config-if)# switchport port-security mac-address 001b.d41b.a4d8 ?
  vlan  set VLAN ID of the VLAN on which this address can be learned
  <cr>
Switch(config-if)# switchport port-security mac-address 001b.d41b.a4d8 vlan access

The configured MAC address(es) are recorded in the running configuration:

Switch# show running-config interface f0/13
Building configuration...

Current configuration : 259 bytes
!
interface FastEthernet0/13
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 001b.d41b.a4d8
 spanning-tree portfast
end

Obviously, this is not a scalable practice. A much more convenient alternative is to enable "sticky" MAC address learning; MAC addresses will be dynamically learned until the maximum limit for the interface is reached.

Switch(config-if)# no switchport port-security mac-address 001b.d41b.a4d8
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# ^Z
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0

After a MAC address has been learned, it is recorded to the configuration similarly to as if it were entered manually:

Switch# show running-config interface f0/13
Building configuration...

Current configuration : 311 bytes
!
interface FastEthernet0/13
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001b.d41b.a4d8
 spanning-tree portfast
end

MAC Address Aging

By default, secure MAC addresses are learned (in effect) permanently. Aging can be configured so that the addresses expire after a certain amount of time has passed. This allows a new host to take the place of one which has been removed. Aging can be configured to take effect at regular intervals, or only during periods of inactivity. The following example configures expiration of MAC addresses after five minutes of inactivity:

Switch(config-if)# switchport port-security aging time 5
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# ^Z
Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0

After five minutes of inactivity, we can see that the address has been purged:

Switch# show port-security interface f0/13
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d41b.a4d8:10
Security Violation Count   : 0

At this point, the old address will be re-learned the next time a frame is sent from that host, or a new host can take its place.
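The Violation Mode, Maximum MAC Addresses, MAC Address Learning and MAC Address Aging sections above each show one `show port-security` snapshot; the following Python model puts the rules together so the interaction can be exercised on a sequence of frames. It is an added example written for this page, not Cisco's implementation: the behaviour follows the article's descriptions (a learned address is kept until aged, a violation in protect mode is dropped silently, restrict logs and counts, shutdown err-disables the port and keeps only configured/sticky addresses), the port name Fa0/13 and the two host MACs (IANA documentation range) are constructed, and time is simulated in seconds while the aging time is given in minutes as on IOS.

```python
from dataclasses import dataclass, field

VIOLATION_MODES = ("shutdown", "protect", "restrict")

# Hosts used in the scenarios (IANA documentation MACs, constructed for this example)
A, B = "0000.5e00.5301", "0000.5e00.5302"


@dataclass
class SecurePort:
    """Toy model of one secure access port (hypothetical Fa0/13)."""
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # switchport port-security violation ...
    sticky: bool = False             # switchport port-security mac-address sticky
    aging_time: int = 0              # minutes, as on IOS; 0 disables aging
    aging_type: str = "absolute"     # or "inactivity"
    static: tuple = ()               # manually configured secure MACs
    status: str = field(default="Secure-up", init=False)
    violation_count: int = field(default=0, init=False)
    syslog: list = field(default_factory=list, init=False)
    table: dict = field(default_factory=dict, init=False)      # mac -> [learned_at, last_seen]
    configured: set = field(default_factory=set, init=False)   # MACs in the running-config

    def __post_init__(self):
        assert self.violation in VIOLATION_MODES and self.aging_type in ("absolute", "inactivity")
        for mac in self.static:
            self.table[mac] = [0, 0]
            self.configured.add(mac)

    def _age(self, now):
        """Expire dynamic/sticky entries; static ones never age ('aging static' not set)."""
        if self.aging_time == 0:
            return
        limit = self.aging_time * 60
        for mac, (learned, seen) in list(self.table.items()):
            ref = learned if self.aging_type == "absolute" else seen
            if mac not in self.static and now - ref >= limit:
                del self.table[mac]

    def ingress(self, now, mac):
        """Fate of a frame from `mac` arriving at `now` (s): 'forward', 'drop' or 'errdisable'."""
        if self.status == "Secure-shutdown":
            return "drop"                         # an err-disabled port passes nothing
        self._age(now)
        if mac in self.table:                     # known secure address: refresh last-seen
            self.table[mac][1] = now
            return "forward"
        if len(self.table) < self.maximum:        # room left: learn it
            self.table[mac] = [now, now]
            if self.sticky:
                self.configured.add(mac)          # sticky: also lands in the running-config
            return "forward"
        if self.violation == "protect":           # dropped silently, nothing recorded
            return "drop"
        self.violation_count += 1                 # restrict and shutdown both log and count
        self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {mac} on port FastEthernet0/13.")
        if self.violation == "restrict":
            return "drop"
        self.status = "Secure-shutdown"           # shutdown: the whole port goes err-disabled
        self.table = {m: [now, now] for m in self.configured}   # dynamic entries are lost
        return "errdisable"

    def no_shutdown(self):
        """Administrative recovery ('shutdown' / 'no shutdown' or errdisable recovery)."""
        self.status = "Secure-up"


def run(port, frames):
    return [port.ingress(t, mac) for t, mac in frames]


def compare_modes():
    """Same four frames (A, the unauthorised B, A, B) with maximum 1 under each
    violation mode -> (actions, violation counter, number of syslog lines)."""
    frames = [(0, A), (1, B), (2, A), (3, B)]
    out = {}
    for mode in VIOLATION_MODES:
        p = SecurePort(maximum=1, violation=mode)
        out[mode] = (run(p, frames), p.violation_count, len(p.syslog))
    return out


def aging_demo(aging_type):
    """5-minute aging in restrict mode: A talks at t=0 and t=200 s, B appears at t=400 s."""
    p = SecurePort(violation="restrict", aging_time=5, aging_type=aging_type)
    return run(p, [(0, A), (200, A), (400, B)])


def sticky_demo():
    """Sticky A survives the err-disable caused by B and the following 'no shutdown'."""
    p = SecurePort(maximum=1, violation="shutdown", sticky=True)
    actions = run(p, [(0, A), (1, B)])
    p.no_shutdown()
    actions += run(p, [(2, A), (3, B)])
    return actions, sorted(p.configured), p.violation_count


if __name__ == "__main__":
    print(compare_modes())
    print("inactivity:", aging_demo("inactivity"), "absolute:", aging_demo("absolute"))
    print("sticky:", sticky_demo())
```

The comparison shows why the forum posters disagreed about restrict versus protect: both drop the unauthorised host and keep forwarding the legitimate one, and only the counter and the syslog line differ. The aging run shows the practical difference between the two aging types: with inactivity aging a host that keeps talking is never displaced, whereas with absolute aging it is displaced after the interval even while active.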

Auto-recovery

To avoid having to manually intervene every time a port-security violation forces an interface into the error-disabled state, one can enable auto-recovery for port security violations. A recovery interval is configured in seconds.

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600

Ten minutes after a port was error-disabled, we can see that the port is automatically transitioned back into operation:

%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/13
%LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up

This is a great way to automatically clear port security violations after the user has been given an opportunity to remove the offending host(s). Note that if the cause is not cleared, the violation will trigger again after the port comes back up, re-initiating the auto-recovery cycle.

Footnote

Although a deterrent, port security is not a reliable security feature, as MAC addresses are trivially spoofed, and multiple hosts can still easily be hidden behind a small router. IEEE 802.1X is a much more robust access edge security solution.


CGS-2520-24TC: problem with port-security

Joined: 21 Feb 2018, 13:42
Posts: 4

Post: CGS-2520-24TC: problem with port-security

On a CGS-2520-24TC switch, with port-security enabled in the mode port-security mac-address sticky & port-security violation restrict & a maximum of 1 address, which sticks by default, the protection does not work as expected: we disconnect the PC whose MAC has stuck to the port, connect a different PC that was never connected before, i.e. its MAC is new to the switch, and yet traffic is not blocked. The SecurityViolation counter keeps growing, and the log contains messages like:

Feb 21 15:16:15: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address d850.e6b9.8f3c on port FastEthernet0/11,

(i.e. pointing at the new MAC, which is not sticky on the port and is absent from the router's ARP table, where the previous PC's MAC is still mapped). The PC that should be blocked can be pinged from any network segment. Shutdown puts the port into err-disabled and then re-enables it on a timer, after which it blocks again; that solution is of no interest. We tested on two IOS versions. Has anyone run into a similar situation?

21 фев 2018, 14:09

kotofey

Joined: 07 Jul 2016, 18:00
Posts: 61

Post: Re: CGS-2520-24TC: problem with port-security

So, which action is configured: just signalling?

22 фев 2018, 00:19

moonligh16

Joined: 21 Feb 2018, 13:42
Posts: 4

Post: Re: CGS-2520-24TC: problem with port-security

violation restrict

22 фев 2018, 07:08

moonligh16

Joined: 21 Feb 2018, 13:42
Posts: 4

Post: Re: CGS-2520-24TC: problem with port-security

With violation restrict the port's SecurityViolation counter should increase and a log entry is written, for example:
Feb 21 09:11:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address d850.e6b9.8f3c on port FastEthernet0/11.
And also traffic to that port should be blocked until the device with the sticky MAC is connected back, which does not happen: the «illegitimate» PC has free access to the LAN.
As I already mentioned, on Cisco 2950, 2960… with violation restrict everything works as it should.

22 фев 2018, 07:17

moonligh16

Joined: 21 Feb 2018, 13:42
Posts: 4

Post: Re: CGS-2520-24TC: problem with port-security

Upgrading to the latest available IOS solved the problem; the restrict configuration started behaving as it should.

22 фев 2018, 11:51


Overview

In some environments, a network must be secured by controlling what stations can gain access to the network itself. Port security is a feature used on Cisco Catalyst switches which limits the MAC addresses allowed to appear on a specific port. In most cases network administrators use this to secure access to the physical network.

Using this feature only predefined static MAC addresses or limited number of dynamic MAC addresses can access the network. Suppose a user tries to connect to a port which has port security enabled and his MAC address does not appear on the list of allowed MAC addresses. In this case the port will be shut down or the packets arriving on that port will be dropped with a specific action. To resolve this issue the port must be re-enabled manually by the network administrator or automatically after a period of time if the errdisable cause is configured for automatic recovery (by default after 300 seconds).

If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. By default, port security is turned off on all interfaces.

Before we start configuring port-security we must meet the following conditions:

  • the port to be configured must be a static access port (not in dynamic desirable mode, which is the default state on most Cisco switches)
  • the port must not have any static MAC address already configured
  • the port cannot be part of an EtherChannel port group
  • the port cannot be a destination port for Switch Port Analyzer (SPAN)

Configuring port security

In order to enable port security on a switch port we must enter in interface configuration mode using the following sequence of commands:

SW01#conf t
SW01(config)#interface fastethernet 0/7
SW01(config-if)#switchport port-security

By entering the switchport port-security command we accepted the default settings of allowing only one MAC address, which is determined from the first device that communicates on this switch port. We can set the maximum number of addresses allowed to appear on the secure port using the following command:

SW01(config-if)#switchport port-security maximum max-addr

where max-addr is a number in the range 1 – 1024. Catalyst switches support three types of secure MAC addresses:

  1. Static secure MAC addresses – which are manually configured by using the following interface configuration command:

SW01(config-if)#switchport port-security mac-address mac-addr

     These MAC addresses are stored in the address table, and added to the switch running configuration. The MAC address mac-addr is given in dotted-triplet format (xxxx.xxxx.xxxx). If the number of static addresses configured is less than the maximum number of addresses secured on a port, the remaining addresses are learned dynamically.

  2. Dynamic secure MAC addresses – which are dynamically configured, stored only in the address table, and removed when the switch restarts.

  3. Sticky secure MAC addresses – which can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them. To enable sticky learning, enter the following interface configuration command:

SW01(config-if)#switchport port-security mac-address sticky

     This command converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.

Port security violations

If a MAC address which is already configured on another interface in the same VLAN attempts to access the secure port, or the maximum number of MAC addresses allowed on the secure port has been reached, a security violation occurs. By default, when such a condition is met the port is shut down and put in the errdisable state. This type of violation will display a message on the switch console similar to the one below:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000f.fe21.cc41 on port FastEthernet0/7.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down

Three types of violations can occur depending on the action to be taken:

  • Shutdown — the port is immediately put into the errdisable state, which effectively shuts it down, and the port LED turns off. It must be re-enabled manually or through the errdisable recovery mechanism before it can be used again.
  • Restrict — the port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.
  • Protect — the port is allowed to stay up, as in restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.

To configure how an interface should react if a violation occurs on a secure port, use the following interface configuration command:

SW01(config-if)# switchport port-security violation {shutdown | restrict | protect}

The three keywords between curly braces in the previous command represent the violation modes described earlier.

Verify port security status

To display the state of a secure port we use the show port-security command like in the example below:

SW01# show port-security interface fastethernet 0/7
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000f.fe21.cc41
Security Violation Count : 1

In this example we observe that port security is enabled for interface fastethernet 0/7 and the port has been shut down. We also see that the port status is Secure-shutdown, which means the port has been put in the err-disable state. An administrator must re-enable the port manually by issuing the shutdown interface command followed by no shutdown. The last two lines display the offending MAC address and the security violation count.

If we want to display the ports on which port security has been enabled use the show port-security command like in the following example:

SW01# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)         (Count)
---------------------------------------------------------------------------
Fa0/7              1             1               2            Shutdown
Fa0/14             2             2               0            Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 8
Max Addresses limit in System (excluding one mac per port) : 6272

This command also displays the address and violation counters and the security action configured on each interface.
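When you collect this summary from many switches, reading it by eye does not scale. The following added example (not part of the original article) parses a constructed copy of the show port-security summary shown above and flags the rows an operator would act on: ports with a non-zero violation counter, Shutdown-mode ports that are therefore probably err-disabled, and ports whose address table is already full.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, laid out like the "show port-security" summary above
SAMPLE_SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa0/7          1            1              2            Shutdown
     Fa0/14          2            2              0            Restrict
     Fa0/21          5            3              4            Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 6272
"""

ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")

@dataclass
class SecurePort:
    name: str
    max_addr: int      # MaxSecureAddr
    current_addr: int  # CurrentAddr
    violations: int    # SecurityViolation
    action: str        # Security Action (the configured violation mode)

def parse_summary(text: str) -> list[SecurePort]:
    """One SecurePort per interface row; header, rule and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(SecurePort(m[1], int(m[2]), int(m[3]), int(m[4]), m[5]))
    return rows

def review(ports: list[SecurePort]) -> dict[str, list[str]]:
    """Per-port notes an operator would act on:
    violations       - the counter is non-zero, so something hit the limit
    check-errdisable - a Shutdown-mode port with violations is likely err-disabled
                       (confirm with 'show port-security interface')
    at-limit         - the table is full; the next unknown MAC is a violation"""
    notes: dict[str, list[str]] = {}
    for p in ports:
        found = []
        if p.violations:
            found.append("violations")
        if p.action == "Shutdown" and p.violations:
            found.append("check-errdisable")
        if p.current_addr >= p.max_addr:
            found.append("at-limit")
        if found:
            notes[p.name] = found
    return notes
```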

Configuring Port Security Aging

Port security can use a feature called aging, in which an existing secure MAC address is deleted after an aging condition is met. Two types of aging are supported per port:

  • Absolute — the secure addresses on the port are deleted after the specified aging time.
  • Inactivity — the secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.

The port security aging feature is disabled by default and the default time is 0 minutes. The maximum time allowed for aging is 1440 minutes. To enable secure address aging for a particular port, set the aging time to a value other than 0 for that port. To allow limited-time access to particular secure addresses, set the aging type to absolute. When the aging time lapses, the secure addresses are deleted. To allow continuous access to a limited number of secure addresses, set the aging type to inactivity. This removes a secure address when it becomes inactive, so other addresses can become secure. To configure MAC aging on an interface, use the switchport port-security aging interface configuration command with the following syntax:

switchport port-security aging {static | time time | type {absolute | inactivity}}

Let’s say we want to enable aging and set the time for inactivity on a port to 30 minutes. In that case we would run the following sequence of commands on the interface:

SW01(config)# interface fastethernet0/7
SW01(config-if)# switchport port-security aging time 30
SW01(config-if)# switchport port-security aging type inactivity
SW01(config-if)# switchport port-security aging static

Note: Please be advised that port security aging of sticky secure MAC addresses is not supported.

Port security autorecovery

As I said earlier, if a port enters the err-disable state due to a security violation it must be re-enabled manually by the network administrator. This task can become annoying if it happens very often. To avoid this situation we can enable the auto-recovery mechanism for secure ports in the err-disabled state. For this, use the following global configuration commands:

SW01(config)# errdisable recovery cause psecure-violation
SW01(config)# errdisable recovery interval 1800

Here we enabled auto-recovery for all secure ports that are in the err-disabled state and set the recovery interval to 30 minutes. The recovery interval is specified in seconds. After the 30-minute period has elapsed, the port automatically returns to its normal state, allowing traffic to pass. If the cause is not cleared, the violation will trigger again after the port comes back up, re-initiating the auto-recovery cycle.

%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/7
%LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to up
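A port that keeps cycling through violation, err-disable and recovery is the signal that the cause was never cleared. The following added example (not from the original article) parses a constructed syslog sample modelled on the messages quoted on this page, normalises the two interface-name spellings the messages use, lists the offending MAC per port, and counts violations that follow an ERR_RECOVER within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog, modelled on the messages quoted on this page
SAMPLE_LOG = """\
May 14 11:57:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001e.8c50.18ed on port FastEthernet0/1.
May 14 11:57:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
May 14 12:27:06: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/1
May 14 12:27:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001e.8c50.18ed on port FastEthernet0/1.
May 14 12:40:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000f.fe21.cc41 on port FastEthernet0/7.
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d): (%[\w-]+): (.*)$")
VIOL_RE = re.compile(r"MAC address ([0-9a-f.]+) on port (\S+?)\.?$")
RECOV_RE = re.compile(r"err-disable state on (\S+)$")

def short_ifname(name):
    """Normalise 'FastEthernet0/1' to 'Fa0/1' so both message formats agree."""
    return re.sub(r"^FastEthernet", "Fa", re.sub(r"^GigabitEthernet", "Gi", name))

def parse_events(text):
    """Return (kind, timestamp, port, mac) tuples for violation/recovery messages."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, mnemonic, msg = datetime.strptime(m[1], "%b %d %H:%M:%S"), m[2], m[3]
        if mnemonic == "%PORT_SECURITY-2-PSECURE_VIOLATION":
            v = VIOL_RE.search(msg)
            events.append(("violation", ts, short_ifname(v[2]), v[1]))
        elif mnemonic == "%PM-4-ERR_RECOVER":
            events.append(("recover", ts, RECOV_RE.search(msg)[1], None))
    return events

def violations_by_port(events):
    seen = defaultdict(list)  # offending MACs per port, in order of appearance
    for kind, _, port, mac in events:
        if kind == "violation":
            seen[port].append(mac)
    return dict(seen)

def recovery_loops(events, window_s=60):
    """Count, per port, violations that hit within window_s seconds of an
    ERR_RECOVER: the cause was never cleared and the port is cycling."""
    last_recover, loops = {}, defaultdict(int)
    for kind, ts, port, _ in events:
        if kind == "recover":
            last_recover[port] = ts
        elif kind == "violation" and port in last_recover:
            if (ts - last_recover[port]).total_seconds() <= window_s:
                loops[port] += 1
    return dict(loops)
```

Feed it a longer capture and a port that shows up in recovery_loops with the same MAC each time is one to inspect physically rather than to keep auto-recovering.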

Clearing or disabling port-security

Sometimes we need to clear all the MAC addresses of a secure port in order to allow a new host to be connected. To do this we use the clear port-security privileged EXEC command. This command can be run for a specific MAC address, for a specific interface, or for all secure MAC addresses. For example, to remove all the dynamic secure addresses learned on a specific interface, run this command:

SW01# clear port-security dynamic interface fastethernet0/7

If you need to completely disable port security on an interface or a range of interfaces, use the "no" form of the switchport port-security command:

SW01(config)# interface fastethernet 0/7
SW01(config-if)# no switchport port-security

This will disable all port-security settings on the specified interface.

Conclusion

Overall, the port-security feature can ease the life of a network administrator by limiting unauthorized persons' access to a network. Port security is not a 100% secure solution, because MAC addresses can be spoofed. A more elegant solution would be to implement the IEEE 802.1X standard.
