Port security

Andy White
Level 3

Hello,

I'm just configuring a 48 port 2960x for a new site and I have configured ports 1 & 2 for the router HSRP setup as follows:

  • should port security really be used on router ports, or just keep it basic?

I've had to set the ports with a max mac address of 2 as the local and virtual HSRP address were being seen.

Switch config

errdisable recovery cause psecure-violation
errdisable recovery interval 60

interface FastEthernet0/1
 description MPLS Primary router 1941 HSRP
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip dhcp snooping trust
!
interface FastEthernet0/2
 description MPLS backup router 887 HSRP
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree guard root
 ip dhcp snooping trust

I had to remove BPDU guard from Fa0/2 as it is an 877; it was being seen as a switch and the port was being shut down.

Host ports are like this:

interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root

  • I'm hoping if hubs are used then the port will be shut down for 60s and we get alerted via syslog, and then the port "reopens" at 60 seconds?
  • As DHCP snooping is on but the DHCP table is not yet populated, should I turn it off until it is populated and then turn it on?

Thanks


Leo Laohoo
Hall of Fame
I'm hoping if hubs are used then the port will be shutdown for 60s and we get alerted via syslog and then the port "reopens" at 60 seconds?

Won't happen because hubs do not use BPDU.

errdisable recovery cause psecure-violation
errdisable recovery interval 60

Really don't understand the propensity to use the "errdisable recovery" for violation. If a port goes down it's because it's there to help save your network. If you enable this feature the interface will go down/up every 60 seconds. This will cause the end user a great deal of discomfort. Whether or not someone is going to "act" upon the report of the port going to error-disable due to whatever reason is another thing.


Why bother enabling a shutdown of a port due to a security violation and then re-enabling the port 60 seconds later? It's like stepping on the car's brake every 60 seconds.

Points taken and actioned

I removed:

errdisable recovery interval 60
errdisable recovery cause psecure-violation

switchport port-security aging time 1
switchport port-security aging type inactivity

Would you even bother using port security on router ports, best just keep things simple?

Would you even bother using port security on router ports, best just keep things simple?

Personally I wouldn't.

Most of the configuration you have is very useful for end devices because you have little control over what some of your users get up to eg. connecting hubs etc.

But the routers are under your control and should hopefully be in a secure LAN room so I would just have a standard configuration but others may disagree.

Jon

Many thanks. Regarding the DHCP snooping, I guess I just need to let DHCP populate first for a few days before enabling DHCP snooping for the VLAN, as the database will be empty?

There is a case where I see enabling port-security on the router ports could be beneficial.

I'm having an issue where some devices are somehow looping traffic back to the network, and sometimes send Ethernet segments with the source MAC being the HSRP virtual MAC. After this is done, the HSRP virtual MAC becomes a secure address attached to that user port, and also a static entry is added in the MAC address table.

The effect is that all traffic going to the default gateway for that particular VLAN is blackholed.

I still haven't found any good way to prevent this from happening. If I enable port-security in the router ports, the HSRP virtual MAC can be seen in both ports and will trigger a port-security violation. Does anyone have any idea on how to prevent this from happening?

Thanks

-German
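One defensive check for the situation German describes, as an added example that is not part of the thread or any Cisco tool: parse `show port-security address` output and flag any HSRP virtual MAC (v1 `0000.0c07.acXX`, v2 `0000.0c9f.fXXX`) that has been learned as a secure address on a port other than the router uplinks. The sample output and the router port names (Fa0/1 and Fa0/2, taken from the original post) are assumptions.

```python
import re

# Well-known HSRP virtual MAC ranges: v1 0000.0c07.acXX, v2 0000.0c9f.fXXX
HSRP_PATTERNS = (
    re.compile(r"^0000\.0c07\.ac[0-9a-f]{2}$"),
    re.compile(r"^0000\.0c9f\.f[0-9a-f]{3}$"),
)

# Ports where the gateway MACs legitimately belong (assumed: the two router
# uplinks from the thread). Anything else holding an HSRP MAC is suspect.
ROUTER_PORTS = {"Fa0/1", "Fa0/2"}

# Constructed sample of 'show port-security address' output (not real data).
SAMPLE_OUTPUT = """\
          Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0000.0c07.ac0a    SecureDynamic                 Fa0/3        -
  10    001a.2b3c.4d5e    SecureDynamic                 Fa0/4        -
  10    0000.0c9f.f00a    SecureSticky                  Fa0/7        -
  10    0000.0c07.ac0a    SecureDynamic                 Fa0/1        -
"""

# One table row: VLAN, dotted-hex MAC, secure type, port name.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)", re.IGNORECASE)


def is_hsrp_virtual_mac(mac):
    """True if the MAC falls in an HSRP v1 or v2 virtual MAC range."""
    mac = mac.lower()
    return any(p.match(mac) for p in HSRP_PATTERNS)


def parse_secure_addresses(text):
    """Return (vlan, mac, type, port) tuples for each secure address row."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(), m["type"], m["port"]))
    return entries


def find_hijacked_gateway_macs(text, router_ports=ROUTER_PORTS):
    """Secure-address entries where an HSRP virtual MAC sits on a non-router port."""
    return [e for e in parse_secure_addresses(text)
            if is_hsrp_virtual_mac(e[1]) and e[3] not in router_ports]


if __name__ == "__main__":
    for vlan, mac, kind, port in find_hijacked_gateway_macs(SAMPLE_OUTPUT):
        print(f"VLAN {vlan}: HSRP virtual MAC {mac} learned as {kind} on {port}")
```

Run it against the real command output on a schedule, or alongside the syslog alert, to spot the blackholed gateway before users report it; the flagged entries are the ones to clear from port security and investigate on the offending port.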