Solved: Port Security and Port mirroring together

MadyS · ‎03-18-2020

Hello,

I have Cisco switches and on some of my switches I want to use port-mirroring to capture traffic from certain VLANs. But the problem is that I have the port-security feature that is enabled on all ports, while destination ports cannot port-mirroring if they have port-security.

Do you know a way to implement this.

Note: The listening ports should sniff packets of voice vlan.

thank you

Cristian Matei · ‎03-24-2020

Hi,

There is no workaround for it, you have to remove post-security. However, you don't loose anything, think about it. Why do you have port-security configured, so there you can control which MAC addresses can send traffic. As said, a destination SPAN port, by default ingress traffic is not allowed, so you're as secure as you can be.

Regards,

Cristian Matei.

View solution in original post

Mark Malone · ‎03-18-2020

Hi

Can you not remove PS from the destination port so it can work with SPAN ? i dont think there's a way around it , its a limitation

Cristian Matei · ‎03-18-2020

Hi,

By default, the destination port for a SPAN session, does not allow any inbound traffic, so usually a destination SPAN port has no configuration because it's ignored anyways; if you want the switch to allow ingress traffic from a SPAN destination port, you need to configure it via the "ingress" keyword. Thus, the switch pretty much tells you that you those features are not supported, but you shouldn't bother.

Take the capture, stop the SPAN session and reconfigure your port as you want. If you're afraid you'll forget the port like that and someone could come in and bypass the port-security checks which don't exist, just assign the port to a VLAN which leads nowhere, no other ports in that VLAN and no layer 3 device in that VLAN, so that in case you forget to reconfigure it after your SPAN session is ended, someone connecting to that port will be pretty much black-holed, traffic is dropped ingress on the switch.

Regards,

Cristian Matei.

MadyS · ‎03-24-2020

Hi,

Yes I understand that this is a limitation of the solution but I am in a context which requires listening to certain VLANs continuously (to do data storage). This does not allow me to temporarily deactivate the port-security as we could do in the case of troubleshooting.
My question was to know if it was possible to bypass the deactivation of port-security by installing for example a listening software and which would send traffic to a port or an IP address without the functionality of port-secutrity being activated cause.

Thank you for your help !

Regards,

Madys

Cristian Matei · ‎03-24-2020

Hi,

There is no workaround for it, you have to remove post-security. However, you don't loose anything, think about it. Why do you have port-security configured, so there you can control which MAC addresses can send traffic. As said, a destination SPAN port, by default ingress traffic is not allowed, so you're as secure as you can be.

Regards,

Cristian Matei.

MadyS · ‎03-24-2020

Hello @Cristian Matei,
Yes I understood your explanations, my concern is that a malicious person recovers the traffic by getting on the port which makes it possible to listen.
Thank you and see you soon!

Regards,

MadyS

Cristian Matei · ‎03-27-2020

Hi,

Port-security is an ingress function, not an egress function. On the SPAN destination port, no matter what you configure, it will still send the capture egress, and anyone plugged in is gonna be able to capture it, see it. The fix is, once you're done capturing, stop the SPAN, reconfigure the port to make it "safe" and move on.

Regards,

Cristian Matei.