RE: port security and SPAN

From: Volkov, Dmitry (Toronto - BCE) (dmitry_volkov@ca.ml.com)
Date: Wed Sep 04 2002 - 19:51:57 GMT-3


OK, no answers :(

Well, I repeated all the steps described below on another switch, a 5513 Sup III running
CatOS 5.5(13a)
(the first test was done on a 5000 Sup II running CatOS 4.x).

When I tried to configure "set port security 3/6 enable" on a port where a
destination SPAN was previously configured, I got the message
"Feature not allowed on span port" - the switch refused it.
Well, I entered "set port security 3/6 00-10-4b-a2-e7-39" and it was accepted.
Again I got a "monitor" port that was able to capture packets on the other port and
"port security" enabled at the same time.
So, despite
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_5/sw_cfg/sec_port.htm
saying "You cannot configure port security on a SPAN destination port and vice
versa." - you can do it!

Now, it looks like there is again an issue of interpretation of the wording on CCO, because:

A sniffer can be left unconfigured for TCP/IP. You can unbind TCP/IP from the NIC and
leave only the sniffer driver enabled on the NIC.
This is the well-known "stealth mode". In this case the switch port will not learn
any MAC address on the SPAN port where the sniffer is plugged in. So "Port Security"
- even when enabled - just doesn't make sense in this case!

I think the sentence "You cannot configure port security on a SPAN
destination port and vice versa." can be interpreted as:
"You can do it, but why? Since port security will not be able to do the
functions it has to do."

Taking into consideration all of the above and... below, it looks like it's very insecure
to leave a SPAN port enabled, since there are no steps that can be taken to prevent
any user from plugging anything in and sniffing traffic if a SPAN session already exists.

Can somebody disprove it?

Thanks,

Dmitry

> -----Original Message-----
> From: Volkov, Dmitry (Toronto - BCE) [mailto:dmitry_volkov@ca.ml.com]
> Sent: Friday, August 30, 2002 3:35 PM
> To: 'ccielab@groupstudy.com'
> Subject: port security and SPAN
>
>
> Hi,
>
> CCO said: "You cannot configure port security on a SPAN destination port and
> vice versa."
> I tried to configure it and it works. What I did:
>
> 1) plug sniffer laptop (mac 00-10-4b-a2-e7-39) into port 3/6
> 2) sw-9> (enable) set span 3/2 3/6
> 3) sw-9> (enable) set port security 3/6 ena
> 4) 2002 Aug 30 09:51:46 EST -04:00 %SECURITY-1-PORTSHUTDOWN:Port 3/6 shutdown due to security violation - Port went to "shutdown"
> 5) sw-9> (enable) set port 3/6 enable
> And now I have port monitor status and security enabled.
> Sniffer captures packets coming to/from port 3/2
>
> sw-9> (enable) sh port 3/6
> Port  Name               Status     Vlan       Level  Duplex Speed Type
> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
>  3/6                     monitor    30         high   a-full a-100 10/100BaseTX
>
> Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
> ----- -------- ----------------- ----------------- -------- -------- -------
>  3/6  enabled  00-10-4b-a2-e7-39                   No       disabled 268
>
> sw-9> (enable) sh span
> Status          : enabled
> Admin Source    : Port 3/2
> Oper Source     : Port 3/2
> Destination     : Port 3/6
> Direction       : transmit/receive
> Incoming Packets: disabled
>
> 6) I unplugged the laptop from 3/6 and plugged another host (different mac) into 3/6
> sw-9> (enable) 2002 Aug 30 10:08:39 EST -04:00 %SPANTREE-3-PORTDEL_FAILNOTFOUND: 3/6 in vlan 30 not found (LinkUpdPrcs)
> 2002 Aug 30 10:08:41 EST -04:00 %SECURITY-1-PORTSHUTDOWN:Port 3/6 shutdown due to security violation
>
> sw-9> (enable) sh port 3/6
> Port  Name               Status     Vlan       Level  Duplex Speed Type
> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
>  3/6                     shutdown   30         high   auto   auto  10/100BaseTX
>
> Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
> ----- -------- ----------------- ----------------- -------- -------- -------
>  3/6  enabled  00-10-4b-a2-e7-39 00-00-0c-4e-47-88 Yes      disabled 268
>
> 7) I unplugged this host from 3/6 and plugged the laptop back into port 3/6
> 8) sw-9> (enable) set port enable 3/6
> 9) sw-9> (enable) sh port 3/6
> Port  Name               Status     Vlan       Level  Duplex Speed Type
> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
>  3/6                     monitor    30         high   a-full a-100 10/100BaseTX
>
> Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
> ----- -------- ----------------- ----------------- -------- -------- -------
>  3/6  enabled  00-10-4b-a2-e7-39                   No       disabled 268
>
> Laptop captures packets.
>
> ANY Comments ?
>
> Thanks,
>
> Dmitry
>
> sw-9> (enable) sh ver
> WS-C5000 Software, Version McpSW: 4.5(9) NmpSW: 4.5(9)
> Copyright (c) 1995-2000 by Cisco Systems
> NMP S/W compiled on Sep 28 2000, 15:21:37
> MCP S/W compiled on Sep 28 2000, 15:25:26
> _________________________________________________________________
> Commercial lab list: http://www.groupstudy.com/list/commercial.html
> Please discuss commercial lab solutions on this list.
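An added audit script, written for this archive page and not part of the thread or of Cisco's tooling: it parses constructed copies of the "sh span" and "sh port 3/6" output shown above (same CatOS column layout, not a live capture) and flags an enabled SPAN destination port, treating port security as informational only, since the thread's point is that a sniffer which never sources a frame gives the port nothing to bind. The function names and the sample text are assumptions of this example.

```python
import re

# Constructed samples modelled on the "sh span" / "sh port 3/6" output in the
# thread (CatOS 4.5/5.5 layout); not captured from a live switch.
SH_SPAN = """\
Status          : enabled
Admin Source    : Port 3/2
Oper Source     : Port 3/2
Destination     : Port 3/6
Direction       : transmit/receive
Incoming Packets: disabled
"""
SH_PORT = """\
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 3/6                     monitor    30         high   a-full a-100 10/100BaseTX

Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 3/6  enabled  00-10-4b-a2-e7-39                   No       disabled 268
"""

def parse_catos_table(text):
    """Parse one CatOS fixed-width table; the '-----' rule gives the column spans
    (needed because the Name column may be empty, so whitespace splitting fails)."""
    header, rule, *rows = [l for l in text.splitlines() if l.strip()]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", rule)]
    names = header.split()
    spans[-1] = (spans[-1][0], None)  # last column runs to end of line
    return [{n: r[a:b].strip() for n, (a, b) in zip(names, spans)} for r in rows]

def span_destination(sh_span):
    """Return (session_enabled, destination_port) from 'sh span' output."""
    status = re.search(r"^Status\s*:\s*(\w+)", sh_span, re.M)
    dest = re.search(r"^Destination\s*:\s*Port\s+(\S+)", sh_span, re.M)
    return (bool(status and status.group(1) == "enabled"), dest.group(1) if dest else None)

def audit_span_port(sh_span, sh_port):
    """Flag an active SPAN destination that any device can plug into and listen on.
    Port security is reported but not counted as a mitigation (see thread)."""
    enabled, dest = span_destination(sh_span)
    if not enabled or dest is None:
        return []
    port_tbl, sec_tbl = (parse_catos_table(s) for s in sh_port.split("\n\n"))
    port = next(r for r in port_tbl if r["Port"] == dest)
    sec = next(r for r in sec_tbl if r["Port"] == dest)
    findings = []
    if port["Status"] != "shutdown":  # 'monitor' = SPAN destination with link up
        findings.append(f"SPAN destination {dest} is up ({port['Status']}): "
                        f"traffic mirrored from the source is exposed on this jack")
    if sec["Security"] == "enabled":
        findings.append(f"port security on {dest} binds {sec['Secure-Src-Addr']} "
                        f"but cannot stop a listener that sends no frames")
    return findings
```

Feed it the real command output from a switch to list every enabled SPAN destination whose link is up; a port that is administratively shut down produces no finding.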



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:44 GMT-3