Re: Port Security

From: Chris Lewis (chrlewiscsco@yahoo.com)
Date: Wed Nov 30 2005 - 14:35:16 GMT-3


I don't believe so.

The restrict option will notify you via SNMP or syslog, whichever (or both) you have configured; however, it drops packets not from your secure address list, and as the default max number of secure addresses is one, the insecure packets will not go through. If you increase this amount, you will lose the notification if addresses other than your preferred one pop up.

MAC ACLs will also not help much, as they only apply to non-IP packets, and I presume most of the traffic would be IP based; plus I don't think the log option is there for MAC ACLs on the 3550 either.

Layer 3 ACLs can give you the flexibility to permit a source IP, then permit any traffic and put the log option at the end to log traffic not from the desired host. That would work if you were allowed to assume no other devices had the IP address of the one your allowed host is using. However, it would not notify you of packets with spoofed IP addresses if this was a concern. Having said that, if a hacker had access to the segment attached to your switch, it would be possible to spoof source MAC addresses to get around MAC ACLs or port security in any case.

I don't know if this helps; you certainly have a challenge! Very interested to know what others think.

Chris
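As an added example (not part of this thread), a small Python parser run over constructed syslog lines in the shape of the IOS port-security violation and IPACCESSLOGP messages, showing the distinction Chris draws: a restrict-mode violation reports a frame that was dropped, while a Layer 3 "permit ... log" entry reports traffic that was forwarded. The router IP 192.0.2.1, the ACL number and the sample lines are assumptions; only the MAC comes from Chad's config.

```python
import re

# Expected device on the switch port. The MAC is the router MAC from Chad's
# message; the IP address is an assumed placeholder (TEST-NET-1).
EXPECTED_MAC = "000b.be90.2d72"
EXPECTED_IP = "192.0.2.1"

# Port-security violation message (restrict mode drops the frame and logs it).
PSECURE_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9A-Fa-f.]+) on port (?P<port>[A-Za-z0-9/]+)"
)
# ACL log message for port-based protocols; a "permitted ... log" hit means
# the packet was forwarded, so this is notification without a drop.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[0-9.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[0-9.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def classify(line):
    """Return an alert dict for a line signalling an unexpected source, else None."""
    m = PSECURE_RE.search(line)
    if m:
        # Any violation means a MAC other than the secure address appeared.
        return {"kind": "port-security", "source": m["mac"].lower(),
                "where": m["port"], "forwarded": False}
    m = ACL_LOG_RE.search(line)
    if m and m["src"] != EXPECTED_IP:
        return {"kind": "acl-log", "source": m["src"], "where": m["acl"],
                "forwarded": m["action"] == "permitted"}
    return None

def find_alerts(lines):
    return [a for a in map(classify, lines) if a is not None]

# Constructed sample syslog lines in the shape of the IOS messages above.
SAMPLE_LOG = [
    "Nov 30 14:35:16: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0011.2233.4455 on port GigabitEthernet0/1.",
    "Nov 30 14:35:20: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "192.0.2.1(1025) -> 198.51.100.10(80), 1 packet",
    "Nov 30 14:35:21: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "192.0.2.77(1026) -> 198.51.100.10(80), 3 packets",
    "Nov 30 14:35:30: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```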

Chad Hintz <ccie_2b2004@yahoo.com> wrote:
  Hi All,

I have been trying to get through a port security question for a customer and wanted to verify my configuration.

If I wanted to set up the switch to only allow the directly connected router's MAC address to be allowed on the port, and if another is detected, to continue to forward packets but log a message, would this be correct?

Router's MAC: 000b.be90.2d72

interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 000b.be90.2d72

Thanks,

Chad




This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:08 GMT-3