Port Security on 2960 with TP-Link Router Connected.

Talal
Level 1

Hello Everyone,

 

I'm facing an issue with Port-Security. I'm not sure if this is normal operation, an exception condition, or maybe an issue with the TP-Link router. Could you please help me configure it?

 

I configured Port-Security (the limit is five) on my access Cisco 2960 switches. The configuration is OK and the operation is working fine. But when a user/unknown device tries to connect to the router with the wrong password and authentication fails, the switch learns that user's/unknown device's MAC address, so the port-security MAC address limit is reached and a genuine user can't connect to the router unless I manually clear the switch MAC address table.

 

You can find my configuration below:

 

interface fastEthernet0/xx
switchport mode access
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
switchport port-security aging time 60
switchport port-security mac-address sticky

 

Any help would be greatly appreciated.

Thank you in advance.

Regards,

Talal.

9 Replies

Dan Lukes
VIP Alumni

Unfortunately, there's not much to help with.

Everything works as designed. Port-security just limits the MAC addresses allowed to be seen on a port. You need to maintain physical security, or your employees need to know they will be fired if they plug an inappropriate device into the socket in question, or so on... Port-security just detects violations of network operating rules and takes a last-resort countermeasure to preserve network security, even at the cost of denial of service for a legitimate user.

If you wish to distinguish authorized and unauthorized users, it's the 802.1X feature you are asking for.

Thanks Dan Lukes.

Actually, we are allowed to set the max. users limit, not to specify their MAC addresses.

I checked by manually trying to connect to the WiFi router (which is connected to the 2960 switch with the port-security config), and I entered the wrong password; after authentication failed, the 2960 had learnt my device's MAC address.

My understanding of port-security is that it would learn the MAC address only after successful authentication!!

Either I'm wrong with my configs or is this normal?

If I understand your network topology, your wireless client is connecting to a WiFi router. Despite failing to authenticate, the client's MAC address is learned on the switch connected behind the router.

It sounds like a broken router (or its configuration). A router must not pass packets from an unauthenticated/unassociated wireless client to the network. As long as inappropriate packets leak through the router, your concept can't work.

I'm not familiar with TP-Link configuration. If it's a configuration issue, correct the configuration. If it is a firmware bug, ask the vendor for support (maybe a firmware upgrade?) or just replace the router with an unbroken one.

 

Yes, that's exactly the issue. But in our building, on a few floors, TP-Link routers are connected to Cisco 2960s and a few to 3Com/BayStack switches. Only on the Cisco switches are we facing this issue. If this were a TP-Link router side issue, then I think the issue should also appear on the 3Com/BayStack switches (there is no issue on them).
Note: Same configs on all TP-Link routers.

Assuming all TP-Link routers are leaking packets from unauthenticated clients...

I don't have enough experience with 3Com to guess the exact kind of deviation. It looks like 3Com doesn't learn the source MAC from some input packets (it sounds like a bug to me; maybe it works for you just because of a 3Com firmware bug).

So sorry, I have no advice here. Maybe someone else will have a valuable idea...

Ok, could you please confirm for me conceptually whether the WiFi router (TP-Link connected to the 2960 switch configured with port-security) forwards the 'authentication failed' device's MAC address to the switch or not?

It should not. The AP (TP-Link here) should pass no packet from a client to the internal network unless the client is authenticated. And it shall not send packets on behalf of a client (stealing its MAC). I know of no meaningful reason for such behavior. With no packets passed, the devices behind it (like Cisco or 3Com) should have nothing to learn a source MAC from.

Capture packets sent from the TP-Link to the Cisco, then search for packets with the rogue source MAC. The number, type and content of the packets captured may disclose more.

All in all, as long as the TP-Link is leaking packets from unauthorized clients, a limit on the number of MACs seen on a port will not work on the Cisco switch.

Hello

@Talal wrote:

so port security mac-addresses limit reached and a genuine user can n't connect with the router else I manually clear the switch mac-address.

You can find my configuration below:

interface fastEthernet0/xx
switchport port-security mac-address sticky

I think the reason is the persistent MAC address learning you have enabled. If/once the MAC limit is reached on a port, no additional host(s) would be able to attach, obviously, because not only has that port reached its MAC limit, it has also registered 5 specific host MAC addresses.

Now if you move one of those hosts to another access port without clearing the CAM table of the persistently learned MAC address from its previous port, then that host won't be able to connect.

Clearing the ethernet-switching table prior to re-attaching a host that had previously been registered/learned on a port with persistent MAC address learning (i.e. switchport port-security mac-address sticky), as you have stated, would be the only way to obtain connectivity unless you remove persistent MAC learning.

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
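As an added illustration (not code from anyone in this thread), the following simulation replays constructed frames through a port configured like Talal's (maximum 5, sticky learning, violation restrict) to show how a failed-authentication client's MAC occupies one of the five sticky slots so that a later genuine client is dropped, and it also implements the check Dan suggests: scanning a capture from the router's uplink for source MACs that belong to no authenticated client. All MAC addresses, the frame order and the authenticated-client set are made-up sample data.

```python
"""Simulate Cisco port-security sticky learning with 'violation restrict'
and check a capture for source MACs the router should never have forwarded.
Every MAC address and frame below is constructed sample data."""
from collections import Counter

MAX_MACS = 5  # matches 'switchport port-security maximum 5' in the thread


def port_security_restrict(frames, max_macs=MAX_MACS):
    """Replay frames (source MAC strings) through a sticky-learning port.
    Returns (sticky MACs in learning order, dropped source MACs, violation count).
    'restrict' discards frames from unknown MACs once the limit is reached
    but keeps the port up (unlike 'shutdown', which err-disables it)."""
    learned, dropped = [], []
    for src in frames:
        if src in learned:
            continue               # already a sticky address: forwarded
        if len(learned) < max_macs:
            learned.append(src)    # sticky: address is kept until cleared
        else:
            dropped.append(src)    # violation: frame dropped, counter increments
    return learned, dropped, len(dropped)


def rogue_sources(capture, authenticated):
    """Source MACs seen on the router's LAN uplink that belong to no
    authenticated wireless client, with how often each appeared.
    Any hit means the router leaked frames from an unauthenticated client."""
    return dict(Counter(src for src in capture if src not in authenticated))


# Constructed scenario: five clients that authenticate successfully, plus one
# client whose Wi-Fi authentication failed but whose frames still reach the
# switch before the fifth genuine client shows up.
AUTHENTICATED = {"00:11:22:00:00:01", "00:11:22:00:00:02", "00:11:22:00:00:03",
                 "00:11:22:00:00:04", "00:11:22:00:00:05"}
FAILED_AUTH = "de:ad:be:ef:00:99"
CAPTURE = ["00:11:22:00:00:01", "00:11:22:00:00:02", FAILED_AUTH,
           "00:11:22:00:00:03", "00:11:22:00:00:04", FAILED_AUTH,
           "00:11:22:00:00:05"]

if __name__ == "__main__":
    learned, dropped, violations = port_security_restrict(CAPTURE)
    print("sticky MACs:", learned)
    print("dropped (genuine user locked out):", dropped, "violations:", violations)
    print("rogue source MACs leaked by the router:", rogue_sources(CAPTURE, AUTHENTICATED))
```

Running it shows the failed-authentication MAC holding the third sticky slot and the fifth genuine client being dropped, which is exactly the lockout described in the first post; the rogue-source check is what a real packet capture on the TP-Link uplink would need to come back empty for the MAC limit to be meaningful.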

Thanks Paul Driver.
Actually, we are allowed to set the max. users limit, not to specify their MAC addresses.

I checked by manually trying to connect to the WiFi router (which is connected to the 2960 switch with the port-security config), and I entered the wrong password; after authentication failed, the 2960 had learnt my device's MAC address.
My understanding of port-security is that it would learn the MAC address only after successful authentication!!