6 Replies Latest reply on Mar 5, 2012 2:24 PM by levi

    1335 Port Security

    cburgamy New Member

I have one 1335 and two 1224s hanging off the default VLAN. Every time I enable port security and sticky MAC, regardless of whether there is even a MAC address associated with the port, the port locks down when I try to ping or telnet into the 1224. There are also other devices connected to this 1335 that are having the same problems, but not every port. I updated the firmware to 17-9-5 and rebooted; the issue remains. Now, I have experienced something similar with the GUI interface not displaying the port security information correctly when compared to the CLI, but this is not the same thing.

        • Re: 1335 Port Security
          levi Employee

          When you get a chance will you please reply with a copy of the configuration that you need assistance with?  Please be sure to remove any IP addresses, MAC addresses, and/or passwords that may be sensitive to your company.

           

          Levi

            • Re: 1335 Port Security
              cburgamy New Member

              Here are the configs.

                • Re: 1335 Port Security
                  levi Employee

                  cburgamy

Thank you for replying with the configurations.  There are several things that could potentially be causing these symptoms.  First, switch-to-switch connections are typically not used for port security, though it is a valid design.  Usually, two switches are connected in a trunk configuration, where port security can be, but is seldom, used.  However, in AOS firmware release 17.09.01, support for port security was added to VLAN trunk ports. VLAN-aware port security is used to provide security in networks with both voice and data traffic; for example, a network in which an IP phone is connected directly to a trunked port with a computer connected to the IP phone. In this scenario, port security provides a secure MAC address for the phone, as well as a secure MAC address for the PC, and splits the voice and data traffic into two secure VLANs.

                   

In the configuration you submitted, you do not have the switches connected via a trunk port and have only allowed a single MAC address; therefore, traffic not sourced from this address will cause a violation and, by default, a shutdown.  So, when you telnet to the other switch, that switch will reply from its CPU MAC address, not the MAC address of the directly connected switchport.  Therefore, that MAC address will also need to be allowed for the application described, or you can create a trunk port between the two switches and disable port security on the connected trunk links.

                   

Furthermore, since everything appears to be in a single VLAN, when traffic traverses the switches, all of those MACs will have to be allowed through as well (if you do not make the connections a trunk).  For example, if a PC connected to the NetVanta 1335 tries to communicate with a PC on the NetVanta 1224, and the link connecting the two switches does not allow that MAC address, again, the violation will cause the port to shut down.

                   

                  For additional reference, here is our Configuring Port Access Control in AOS document.

                   

                  Levi

                  1 of 1 people found this helpful
                    • Re: 1335 Port Security
                      cburgamy New Member

                      So basically trunk the ports?
                      If I trunk the uplink ports, could someone take a laptop and connect via that port to gain access?

                        • Re: 1335 Port Security
                          levi Employee

                          cburgamy:

                           

                          To better understand your application and question, maybe I should learn more about what your intentions are for using port security in this network design.

                           

Generally, it is best practice to apply port security as close to the end device as possible.  Trunk ports between switches rarely need port security because the links connecting switches should be physically secured.  If the ports connecting the two switches are not physically secure, and your intention is to prevent unauthorized access on these ports, then you will need to configure each MAC address that will be permitted to traverse the link connecting the switches to be allowed in the port security configuration.

                           

                          I understand, in your application, there is only a single VLAN; thus, trunking between switches is not technically required.  If your goal is to prevent devices from communicating between switches, then port security is not the preferred method to achieve this.  This is typically done through multiple VLANs, which create different segments, and firewall rules to specify network connectivity.

                           

                          If you would like to add additional information about the goal of port security in your network design, I will be happy to tailor my recommendations.

                           

                          Levi
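The two explanations above from Levi (a single allowed sticky MAC on the uplink tripping on the neighbour switch's CPU MAC, and the later point that every MAC transiting an unsecured inter-switch link must be permitted) can be modelled in a few lines. The following is an added example, not code or configuration from the thread or from ADTRAN: it is a simplified model of sticky port security in which a port learns one secure address per new source MAC up to its maximum, and any further source address is a violation handled by the configured mode (shutdown, restrict or protect). The MAC addresses, port names and the scenario helpers are constructed for illustration and are not taken from the poster's configuration.

```python
"""Added example: a small model of sticky port security and why a
maximum of one secure MAC on a switch-to-switch link shuts the port.

Assumptions (not from the thread): one sticky MAC is learned per new
source address up to `maximum`; a frame from any address beyond that is
a violation handled per `violation` mode, and a shutdown port stays down
until cleared. All MAC addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"   # shutdown | restrict | protect
    secure_macs: List[str] = field(default_factory=list)
    err_disabled: bool = False
    violations: int = 0

    def permit(self, mac: str) -> None:
        """Statically allow a MAC ahead of time (the 'also allow the CPU MAC' fix)."""
        mac = mac.lower()
        if mac in self.secure_macs:
            return
        if len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure MACs already reached")
        self.secure_macs.append(mac)

    def ingress(self, src_mac: str) -> str:
        """Process one frame by its source MAC; returns 'forward', 'drop' or 'shutdown'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "shutdown"            # port is error-disabled: nothing passes
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # sticky learn of a new address
            return "forward"
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            return "shutdown"
        return "drop"   # restrict and protect both drop the offending frame


# Constructed sample addresses (hypothetical devices, not from the thread)
SWITCHPORT_MAC = "00:a0:c8:00:00:01"   # the 1224's directly connected port
CPU_MAC = "00:a0:c8:00:00:ff"          # the 1224's management CPU (answers telnet/ping)
PC_A = "00:11:22:33:44:55"             # hosts behind the 1224 that transit the uplink
PC_B = "00:11:22:33:44:66"
ROGUE_LAPTOP = "de:ad:be:ef:00:01"     # the 'someone plugs a laptop in' case


def uplink_max_one() -> List[str]:
    """First case: maximum 1, sticky. The telnet reply from the CPU MAC is the violation."""
    port = SecurePort("swx 0/24")
    return [port.ingress(SWITCHPORT_MAC), port.ingress(CPU_MAC), port.ingress(PC_A)]


def uplink_all_macs_permitted() -> List[str]:
    """Fix without trunking: raise the maximum and permit every MAC that will cross the link.
    An address that was never permitted (a laptop on the uplink) is still a violation."""
    port = SecurePort("swx 0/24", maximum=4)
    for mac in (SWITCHPORT_MAC, CPU_MAC, PC_A, PC_B):
        port.permit(mac)
    return [port.ingress(m) for m in (CPU_MAC, PC_A, PC_B, ROGUE_LAPTOP)]


if __name__ == "__main__":
    print("max 1 sticky:", uplink_max_one())
    print("all MACs permitted:", uplink_all_macs_permitted())
```

Running it shows the first scenario forwarding the directly connected switchport's frame and then shutting down on the CPU MAC, which is exactly the symptom in the original post; the second scenario passes the permitted addresses and still shuts down on the unknown laptop, which is the behaviour the follow-up question about a laptop on the uplink is asking about. The model also makes the operational cost of Levi's last point visible: every host that will ever transit the link has to be on that list.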