Port security filter

Hello everyone. As a premise, I have already tried in the learning forum; only one user answered me, and he also thinks that what is written in the book sounds strange. I have advanced some hypotheses, but I still do not understand the reason that prompted the author to write what you can see in the photos. In particular, the author mentions two sentences: on page 546, "Port security does not filter frames sent by R2", and on page 549, "LAN switch port security issues that filter A's packets (based on A's MAC address)". I can't understand how port security can prevent Host A from pinging Host B, as you can see in the attached pages. Technically, port security blocks frames, not packets; then R2 recreates the frame with its interface data and passes it to sw2. I also did some tests. I set port security maximum on gi0/1, and I also set port security on Host B's port, just to remove the doubt, but I already knew that it had nothing to do with port security. But the book mentions it; that is, according to what the book says, if there was port security on sw2 the ping from Host A to Host B would fail. I hope someone can answer me. I have also attached the lab. I would simply like to know how to prevent Host A from getting packets back from Host B when it launches the ping. The book says that if there is port security, the ping fails.

1 ACCEPTED SOLUTION

Accepted Solutions

Hello
Port security is a L2 security feature that allows a limited number of host(s) to be attached to a single switchport; it isn't an access security control policy to negate IP/ICMP communication. To do that you would apply a Port or Routed access control list.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

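To illustrate Paul's point in configuration form (an added example, not from the thread or the book; device names, interfaces and addresses are constructed): port security only constrains which source MACs a switchport accepts, and by default err-disables the port on a violation, whereas an access list is what actually filters the ICMP between Host A and Host B. It assumes Host A is 10.1.1.10/24 on SW1 Fa0/1, Host B is 10.2.2.20/24, and a Catalyst platform that supports port ACLs.

```cisco
! --- Port security on Host A's access port: limits WHICH MACs may use the port ---
interface FastEthernet0/1
 description Host A (constructed example)
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! Default violation mode: an unknown source MAC err-disables the port
 switchport port-security violation shutdown
!
! Verify the learned MAC, violation count, and whether the port is err-disabled:
!   show port-security interface FastEthernet0/1
!   show interfaces status err-disabled
! Optional automatic recovery once the offending device is removed
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- What actually stops Host A's ping to Host B: an access list on IP addresses ---
ip access-list extended BLOCK-HOSTA-ICMP
 deny   icmp host 10.1.1.10 host 10.2.2.20 echo
 permit ip any any
!
! Port ACL (PACL): applied on the ingress switchport toward Host A
interface FastEthernet0/1
 ip access-group BLOCK-HOSTA-ICMP in
!
! Routed ACL (RACL) alternative: applied on the router's LAN interface toward SW1
! interface GigabitEthernet0/1
!  ip access-group BLOCK-HOSTA-ICMP in
```

Because the router rewrites every frame, anything arriving on the far-side switch carries the router's interface MAC as source, so a secure-MAC entry for Host A on that switch is never consulted; the ACL matches on IP addresses, which survive the routing hop.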

7 REPLIES
MHM Cisco World
Rising star

.....

Hi, thanks for your intervention. But doesn't port security serve to limit the forwarding of frames on the port where the host is connected? I set port security on fa0/1, where Host B is connected, but I can always ping from Host A; the packets are returned correctly to Host A. That is, where would you apply port security so that Host A will not get the packets back when it launches the ping?


So, in short, if I have a router connected to a switch on gi0/1, even if I apply port security on gi0/1, which connects to the router, the ICMP packets are forwarded. Is that right?

Hi Paul, you are right: it is clear that port security does not filter network layer messages. But the book, some pages onwards, says this: "Router LAN interfaces can fail to reach a working up/up state for several reasons, including the common reasons listed in Table 24-1." Then, on the right side, Host B receives the frame with the MAC source of the router's interface, so port security does not filter. But on the left side, that is, whoever sends the packet, it says that there may be problems with the switch connected to the router because of port security. In fact, if you see the attached file, it says: "The neighboring switch port uses port security, which has put the port in an err-disabled state", and next to it: Router interface state: down/down. From here it is understood that port security has been applied (according to what the book says) on the gi0/1 interface (switch A, of the user sending the ping) toward gi0/1 of router A. I tried to apply port security on the interface, manually putting the MAC of the sending host as a filter with "violation = protect" and "maximum = 2"; set this way, the ping goes into timeout, while if I send it from another host connected to switch A the ping works. If I increase the "maximum" even to 10, the ping from the secure host doesn't work anyway, but the others do. So when the book says "The neighboring switch port uses port security, which has put the port in an err-disabled state", it does not explain what it refers to, and on the net I have seen there is no documentation that explains it. The only thing I thought, and correct me if I'm wrong, is that the interface status of the router goes down/down when ROAS is set between the router and the switch to route the frames between the VLANs. So by setting the secure MAC on gi0/1 after setting ROAS and putting the PC in a different VLAN, the router could go down/down. I have no other explanation regarding this reason for the router's down/down status.

HOST A - SWITCH A - ROUTER A - ROUTER B - HOST B

I have attached the lab

MHM Cisco World
Rising star

.....