12-20-2018 09:25 PM - edited 03-08-2019 04:52 PM
Hello Everyone,
I'm facing an issue with Port-Security. I'm not sure if this is a normal operation or an exception condition, or maybe an issue with the TP-Link router. Please could you help me to configure it?
I configured Port-Security (limit is five) on my access Cisco 2960 switches. The configuration is OK and the operation is working fine. But when a user/unknown tries to connect to the router with a wrong password and authentication fails, the switch learns that user's/unknown MAC address, so the port-security MAC address limit is reached and a genuine user can't connect to the router unless I manually clear the switch MAC address table.
You can find my configuration below:
interface fastEthernet0/xx
switchport mode access
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
switchport port-security aging time 60
switchport port-security mac-address sticky
Any help would be greatly appreciated.
Thank you in advance.
Regards,
Talal.
12-21-2018 02:17 AM
Unfortunately, there's not so much to help with.
Everything works as designed. Port-security just limits the MAC addresses allowed to be seen on a port. You need to maintain physical security, or your employees need to know they will be fired if they plug an inappropriate device into the socket in question, or so ... Port-security just detects violations of network operating rules and takes a last-resort countermeasure to save network security, even at the cost of denial of service for a legitimate user.
If you are wishing to distinguish authorized and unauthorized users, it's the 802.1x feature you are asking for.
12-24-2018 02:01 AM - edited 12-24-2018 02:02 AM
Thanks Dan Lukes.
Actually, we are allowed to set the max. user limit, not specify their MAC addresses.
I checked by manually trying to connect to the WiFi router (which is connected to the 2960 switch with the port-security config), and I set the wrong password; after authentication failed, the 2960 learnt my device's MAC address.
My concept of port-security is that it would learn the MAC address after successful authentication!!
Either I'm wrong with my configs, or is this normal?
12-24-2018 02:31 AM
If I understand your network topology, your wireless client is connecting to a WiFi router. Despite it failing to authenticate, the client MAC address is learned on the switch connected behind the router.
It sounds like a broken router (or its configuration). A router must not pass packets from an unauthenticated/unassociated wireless client to the network. As long as inappropriate packets leak through the router, your concept can't work.
I'm not familiar with TP-Link configuration - if it's a configuration issue, correct the configuration. If it is a firmware bug, ask the vendor for support (maybe a firmware upgrade?) or just replace the router with an unbroken one.
12-25-2018 11:01 PM - edited 12-25-2018 11:35 PM
Yes, exactly, that's the issue. But in our building, on a few floors the TP-Link routers are connected to Cisco 2960s and on a few to 3Com/BayStack switches. We are facing this issue only on the Cisco switches; if this were a TP-Link router side issue, then I think the issue should also be on the 3Com/BayStack switches' side (there is no issue on them).
Note: same configs on all TP-Link routers.
12-26-2018 12:45 AM
Assuming all TP-Link routers are leaking packets from unauthenticated clients ...
I don't have enough experience with 3Com to guess the exact kind of deviation. It looks like 3Com doesn't learn the source MAC from some input packets (it sounds like a bug to me - maybe it works for you just because of a 3Com firmware bug).
So sorry, I have no advice here. Maybe someone else will have a valuable idea ...
12-26-2018 08:27 PM
12-27-2018 05:32 AM
It should not. The AP (TP-Link here) should pass no packet from a client to the internal network unless the client is authenticated. And it shall not send packets on behalf of a client (stealing its MAC). I know no meaningful reason for such behavior. With no packet passed, the devices behind it (like the Cisco or 3Com) should have nothing to learn a source MAC from.
Capture the packets sent from the TP-Link to the Cisco, then search for packets with the rogue source MAC. The number, type and content of the packets captured may disclose more.
All in all, as long as the TP-Link is leaking packets from unauthorized clients, the limit on the number of MACs seen on a port will not work on the Cisco switch.
12-21-2018 02:53 AM - edited 12-21-2018 02:58 AM
Hello
@Talal wrote:
so the port-security MAC address limit is reached and a genuine user can't connect to the router unless I manually clear the switch MAC address table.
You can find my configuration below:
interface fastEthernet0/xx
switchport port-security mac-address sticky
I think the reason is the persistent MAC address learning you have enabled: if/once the MAC limit is reached on a port, no additional host(s) would be able to attach, obviously, because not only has that port reached its MAC limit, it also has registered 5 specific host MAC addresses.
Now if you move one of those hosts to another access port without clearing the CAM table of the persistently learned MAC address from its previous port, then that host won't be able to connect.
Clearing ethernet-switching table x prior to re-attaching a host that had previously been registered/learned on a port with persistent MAC address learning (i.e. switchport port-security mac-address sticky), as you have stated, would be the only way to obtain connectivity unless you remove persistent MAC learning.
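As an added illustration for readers of this thread (my own Python, not code from any poster, from Cisco or from TP-Link), here is a toy model of the behaviour Dan and Paul describe: a port with `switchport port-security maximum 5`, `mac-address sticky` and `violation restrict`, fed a constructed sequence of frames arriving from the router uplink. One frame that the router leaks from a client that failed WiFi authentication takes the fifth sticky slot, so the genuine client that arrives next is restricted; a host that was stickily learned on Fa0/1 and then shows up on Fa0/2 is also dropped, which is Paul's point. The second function is the search Dan suggests running over a capture: list the source MACs seen on the uplink that are neither the router's LAN MAC nor a client the router should have admitted. All MAC addresses, port names and the frame sequence are constructed; aging (`aging time 60`) is deliberately not modelled, and the rest is a simplification of the switch rather than a reimplementation of IOS.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Frame:
    """One Ethernet frame as seen on a switch port (constructed sample, not a capture)."""
    port: str
    src_mac: str
    note: str = ""


@dataclass
class PortSecurity:
    """Toy model of `port-security maximum N` + `mac-address sticky` + `violation restrict`
    on one switch. Sticky entries never age out in this model (simplification)."""
    maximum: int = 5
    secure: Dict[str, List[str]] = field(default_factory=dict)      # port -> sticky MACs
    restricted: Dict[str, int] = field(default_factory=dict)        # port -> violation count

    def _violation(self, port: str, reason: str) -> str:
        # violation restrict: drop the frame and count it; the port stays up
        self.restricted[port] = self.restricted.get(port, 0) + 1
        return f"dropped ({reason})"

    def process(self, frame: Frame) -> str:
        table = self.secure.setdefault(frame.port, [])
        if frame.src_mac in table:
            return "forwarded"
        # A MAC already secured on another port of this switch is a violation too
        for other, macs in self.secure.items():
            if other != frame.port and frame.src_mac in macs:
                return self._violation(frame.port, f"secured on {other}")
        if len(table) >= self.maximum:
            return self._violation(frame.port, "maximum reached")
        table.append(frame.src_mac)          # sticky: learned and kept
        return "forwarded, learned"


def rogue_source_macs(frames, port, expected):
    """Source MACs seen on `port` that are not in `expected` (the router's own LAN MAC
    plus the clients it should have admitted). Run this over a real capture taken
    between the TP-Link and the Cisco to find the leaked addresses."""
    return {f.src_mac for f in frames if f.port == port and f.src_mac not in expected}


# Constructed addresses and frame sequence (hypothetical, not from the thread)
ROUTER = "f4:f2:6d:00:00:01"
CLIENTS = ["aa:bb:cc:00:00:%02x" % i for i in range(1, 5)]   # four genuine clients
LEAKED = "de:ad:be:ef:00:01"                                 # client that failed WiFi auth
UPLINK = "Fa0/1"

SAMPLE = (
    [Frame(UPLINK, ROUTER, "router itself")]
    + [Frame(UPLINK, m, "authenticated client") for m in CLIENTS[:3]]
    + [Frame(UPLINK, LEAKED, "leaked by router despite failed auth")]
    + [Frame(UPLINK, CLIENTS[3], "genuine client arriving after the leak")]
    + [Frame("Fa0/2", CLIENTS[0], "client 1 moved to another port")]
)


def run(frames=SAMPLE, maximum=5):
    """Feed the frames through the model; return the switch state and per-frame verdicts."""
    ps = PortSecurity(maximum=maximum)
    results = [(f.note, ps.process(f)) for f in frames]
    return ps, results


if __name__ == "__main__":
    ps, results = run()
    for note, verdict in results:
        print(f"{note:42} -> {verdict}")
    print("sticky table:", ps.secure)
    print("rogue MACs on uplink:", rogue_source_macs(SAMPLE, UPLINK, {ROUTER, *CLIENTS}))
```

Running it shows the leaked MAC being learned as the fifth sticky entry, the genuine fourth client restricted on Fa0/1, and client 1 restricted on Fa0/2; the rogue-MAC search returns only the leaked address. The remedies the thread names are what the model implies: stop the router leaking unauthenticated clients, drop `sticky` (or clear the table) if hosts move between ports, and use 802.1x where the switch itself must tell authorized from unauthorized users.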
12-24-2018 02:05 AM