Hi Rene,
What should be the best practise to configure a port security with IPSG and DAI with VMs ?
Thanks
Hello Giovanni
According to Cisco, port security is not recommended within a VM infrastructure in a Cisco environment:
…due to the need for the VM MAC addresses to move from one switchport to a different switchport on the same or a different switch and on the same VLAN without the port physically going down.
See Page 50 in the following Cisco document:
Although there are many professionals who disagree with this philosophy, as there are ways of dealing with the shifting of VM MACs. Ultimately, I would go with Cisco's recommendations unless your particular implementation absolutely needs port security, in which case you can implement it appropriately for your needs. Unfortunately there is no one clear answer to this, but maybe this gives you some guidelines.
As for IPSG and DAI, there are no specialized requirements for the implementation of these features within a virtual environment beyond those stipulated in a more traditional datacenter implementation.
I hope this has been helpful!
Laz
Hi,
I have a problem during the configuration of a port-security on my sw.
This is the configuration.
interface GigabitEthernet0/4
description 99_FW_OOB
switchport access vlan 99
switchport mode access
switchport port-security maximum 5
switchport port-security mac-address sticky
spanning-tree portfast
!
If I try an attack using macof, the switch does not put the port in err-disable and I can see all the MACs in the CAM table on port g0/4.
Solved,
I forgot the port-security command.
I have a question. I want to prevent anyone from getting a new IP from the DHCP server. I know I can use DHCP snooping, but my challenge is that our main trunk to the GPON currently has DHCP snooping trust set. We intend to do this on a voice VLAN on the switch. Most subnets are beyond the trunk.
How do you advise I approach this?
Hello Temitope
One way you could do this is to configure the DHCP server to stop giving out new DHCP addresses. You can maintain the current address leases, lock them to the specific MACs that are already in the DHCP bindings, and simply don't give out any more. The current leases can be renewed, but no new ones will be provided.
In a GPON network (or any network for that matter), if you already have snooping trust set, and you don't have control over that network, then you can't use it to block DHCP messages.
Can you share a little more about your network topology and what you want to achieve? As well as what portions of the network you have control over (and can thus configure) and which you don't? Maybe that way we'll be able to suggest something more specific.
I hope this has been helpful!
Laz
Hi,
Can you help me to understand these logs.
Jun 27 12:01:09 79.33.42.119 8515 .Jun 27 10:01:08.036: PSECURE: psecure_vp_fwdchange invoked
Jun 27 12:01:09 79.33.42.119 8516 .Jun 27 10:01:08.041: PSECURE: psecure_linkchange: Gi0/8 hwidb=0x5734918
Jun 27 12:01:09 79.33.42.119 8517 .Jun 27 10:01:08.041: PSECURE: Link is going down
Jun 27 12:01:09 79.33.42.119 8518 .Jun 27 10:01:08.041: PSECURE: psecure_linkdown_init: Gi0/8 hwidb = 0x5734918
Jun 27 12:01:09 79.33.42.119 8519 .Jun 27 10:01:08.041: PSECURE: psecure_deactivate_port_security: Deactivating port-security feature
Jun 27 12:01:09 79.33.42.119 8520 .Jun 27 10:01:08.041: PSECURE: port_deactivate: port status is 1
Jun 27 12:01:09 79.33.42.119 8521 .Jun 27 10:01:08.041: PSECURE: port security not active on GigabitEthernet0/8
For issues that I've discovered in my network, I've decided to remove port security entirely from the interfaces, but I can see something with PSECURE in the logs, even though it is disabled.
In my configuration I do not have any port-security commands on g0/8.
Why is this happening?
Hello Giovanni
This series of port security syslog messages seems to indicate that port security is being deactivated on the interface. The last one also indicates that port security is not active on the interface. Did these messages appear at the time that you actually deactivated port security on the interface or at some time after that? Do you find that other PSECURE messages appear even after port security is completely removed from all ports?
Let us know so we can help you further in your troubleshooting process.
I hope this has been helpful!
Laz
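Two things come up in this thread that are easy to check mechanically: the earlier post where the port-security options (maximum, sticky) were present on Gi0/4 but the feature itself was never enabled with the bare "switchport port-security" line, and the question above about PSECURE syslog messages for an interface with no port-security configuration. The script below is an added example, not code from the original thread or from Cisco; it parses an IOS-style running-config and the PSECURE log lines in the format shown above. The sample config and syslog lines embedded in it are constructed for the example (the config is modelled on the fragment posted earlier, the syslog source address is a placeholder), and the interface-name abbreviation table covers only the common types.

```python
"""
Audit Cisco IOS port-security configuration against PSECURE syslog lines.

Added example (not from the original thread). It reports:
  1. interfaces that carry port-security options (maximum, sticky, violation)
     but never enable the feature with the bare 'switchport port-security'
     line, so the options are inert and macof-style flooding is not stopped;
  2. interfaces named in PSECURE syslog messages that have no port-security
     configuration at all, so those events can be matched to interfaces.
"""
import re
from collections import defaultdict

# Constructed sample running-config, modelled on the fragment posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/4
 description 99_FW_OOB
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface GigabitEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface GigabitEthernet0/8
 switchport mode access
!
"""

# Constructed sample syslog lines in the format shown in the thread (placeholder source IP).
SAMPLE_SYSLOG = """\
Jun 27 12:01:09 10.0.0.1 8516 .Jun 27 10:01:08.041: PSECURE: psecure_linkchange: Gi0/8 hwidb=0x5734918
Jun 27 12:01:09 10.0.0.1 8521 .Jun 27 10:01:08.041: PSECURE: port security not active on GigabitEthernet0/8
Jun 27 12:02:00 10.0.0.1 8530 .Jun 27 10:02:00.000: PSECURE: psecure_linkchange: Gi0/5 hwidb=0x5734a00
"""

# Assumed abbreviation table; IOS logs use short names, the config uses long ones.
_ABBREV = {"Gi": "GigabitEthernet", "Fa": "FastEthernet",
           "Te": "TenGigabitEthernet", "Po": "Port-channel"}
_IFACE_RE = re.compile(r"\b((?:Gi|Fa|Te|Po|GigabitEthernet|FastEthernet|"
                       r"TenGigabitEthernet|Port-channel)\d[\d/.]*)")


def canonical(name):
    """Expand 'Gi0/8' to 'GigabitEthernet0/8'; unknown prefixes are returned unchanged."""
    m = re.fullmatch(r"([A-Za-z-]+?)(\d[\d/.]*)", name)
    if not m:
        return name
    prefix, number = m.groups()
    for full in _ABBREV.values():
        if full.lower().startswith(prefix.lower()):
            return full + number
    return name


def parse_interfaces(config_text):
    """Return {interface name: [sub-command lines]} from an IOS running-config."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def port_security_status(sub_commands):
    """'enabled' (bare line present), 'options-only' (options but no bare line) or 'none'."""
    ps_lines = [c for c in sub_commands if c.startswith("switchport port-security")]
    if not ps_lines:
        return "none"
    return "enabled" if "switchport port-security" in ps_lines else "options-only"


def audit_port_security(config_text):
    """Interfaces whose port-security options are inert because the feature is not enabled."""
    return sorted(name for name, cmds in parse_interfaces(config_text).items()
                  if port_security_status(cmds) == "options-only")


def parse_psecure_events(syslog_text):
    """Return [(canonical interface or None, PSECURE message)] for each PSECURE line."""
    events = []
    for line in syslog_text.splitlines():
        m = re.search(r"PSECURE: (.*)", line)
        if not m:
            continue
        im = _IFACE_RE.search(m.group(1))
        events.append((canonical(im.group(1)) if im else None, m.group(1)))
    return events


def unconfigured_psecure_interfaces(config_text, syslog_text):
    """{interface: PSECURE message count} for interfaces with no port-security config."""
    interfaces = {canonical(n): c for n, c in parse_interfaces(config_text).items()}
    hits = defaultdict(int)
    for iface, _msg in parse_psecure_events(syslog_text):
        if iface and port_security_status(interfaces.get(iface, [])) == "none":
            hits[iface] += 1
    return dict(hits)


if __name__ == "__main__":
    print("options without enable:", audit_port_security(SAMPLE_CONFIG))
    print("PSECURE events on unconfigured ports:",
          unconfigured_psecure_interfaces(SAMPLE_CONFIG, SAMPLE_SYSLOG))
```

Run it against "show running-config" output and the syslog export to get the two lists; the first catches the macof case from earlier in the thread (options present, feature off), the second gives the interface-by-interface count Laz asks for when deciding whether PSECURE messages keep appearing after port security was removed.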
Hi,
I have a question regarding LAN security. Let's say a vendor visited my company and he's using his personal laptop. He connected his laptop using my data ports or interface and he got my MAC address, now my question is will he get internet connection and why?!. And if yes, how to prevent this type of attack?! Plus how to make my environment secure?!
Hello Khawla
If you don't configure any security features, and you have DHCP enabled on your network, then the laptop that was plugged into your network port will obtain an IP address, and would also gain access to your network and to the Internet as well…
In order to prevent this from happening, you should implement port security, which is a series of layer 2 security features that enable or disable connectivity to hosts at the switch port. You can find out more about it at this lesson as well as in subsequent related lessons:
I hope this has been helpful!
Laz
Dear Lazaros Agapides,
Appreciating your reply, that is if the port found another MAC address, but nowadays there's a way to change the MAC address of the laptop itself, in this case is there a way to catch or will my port know this. Since same MAC address, same IP address and same interface, same username and password. But the person is not. In this case how to protect, I know you will reply physical security, but logically?!
Hello Khawla
Even if you change the MAC address of the laptop, it is possible to set port security so that it allows only one MAC address. For ports that are not in continuous use, say a network jack in your lobby or your conference room, you can set that switch port so that it accepts NO MAC address at all. So it will only be enabled when you go in and allow it to be enabled.
Even if a malicious user unplugs a PC and plugs in their own, that port can be configured to work only with the MAC address of the PC. Now if the malicious user learns the MAC address of the PC and changes the MAC address on their laptop to match, then yes they will be able to gain access. However, in such a case, you can use 802.1x. In this case, on your laptop, you will be prompted for a password in order to enable the port and gain access. More information on how you can configure this can be found here:
I hope this has been helpful!
Laz
Is there a way to limit the number of MAC addresses that a particular port can learn? I'm aware of the switchport port-security maximum command, but I'm just wondering if I can simply limit the number of MACs on a port without configuring the switchport port-security command in either a dynamic, static, or sticky method? In other words, I don't care what MAC address the port learns, but I only want it to allow 1, 2, or whatever number MAC addresses I choose. For example, I just want it to learn 3 mac addresses and every MAC after 3 gets ignored. I hope my question makes sense. Thank you.
Hello Mike
That sounds very much like port security with a maximum setting of three and the sticky feature enabled. The only other way to allow or block frames based on their MAC addresses is to use a MAC access list, which is essentially an access list that operates on the source and destination MAC addresses of Ethernet frames. There you can statically permit or deny frames with specific source and destination MAC addresses. More information about this can be found in the following Cisco documentation:
I hope this has been helpful!
Laz
I have a problem with my Cisco 2960 switches: when the electricity is turned off for about 2 hours and on again, my running configuration for port security MAC address sticky is lost. Every time the power comes on, some ports (not all) that have the same configuration lose their sticky MAC address, then the PCs get a port security err-disable and I have to run the no port-security command and then apply port security again.
Note that the configuration is saved each time with the wr command.
This problem happens again every time the power is turned off and on again.
Hello Alireza
Hmm, that's interesting behavior. By default, when a sticky MAC address is learned, it appears in the running-config under the interface configuration. Once that appears, if you copy your running configuration to your startup configuration (or use the write command) that sticky MAC should remain.
Now even if the sticky MAC address is not saved, when the power comes back on, and the config has the sticky command configured, even if it hasn't saved the previous sticky MAC address, it should read the MAC address of the host and add it once again as a sticky MAC address.
Assuming you ran the write command after the host connected, the sticky MAC address was saved, and a power cycle occurred, what is in the configuration of the interface in question? Can you copy and paste that and share it with us? Just so we can see the before-and-after of the config for that interface, that will be helpful for us to further help you in your troubleshooting.
I hope this has been helpful!
Laz
Is it possible to enable port-security for port-channels. Please your feedback about this issue.
Hello Javier
The short answer is: it depends. Most IOS- and IOS-XE-based switches don't support it, with some exceptions, depending on the IOS version numbers (i.e., some 65XX, 68XX, 45XX, 48XX series switches do support it). Nexus switches do support it as seen here.
There are several reasons for its limited support. First of all, port security is typically used for ports connected to end devices such as PCs, laptops, and IP telephones. It is rare to have a port channel configured on one of these. You may of course have a server that uses a port channel, but these are typically in secured datacenters, and are not swapped out often enough to warrant the use of port security.
Secondly, there are some issues when attempting to configure port security on a port channel. Port security tracks source MAC addresses per physical port. With EtherChannel load-balancing, a single MAC can legitimately appear on different members over time, which conflicts with how port-security enforces MAC pinning. For this reason, Cisco disables it on EtherChannel ports on most IOS/IOS-XE platforms.
NX-OS has a feature port-security that supports limiting/learning MACs on Layer-2 interfaces, including Port-channel interfaces, on many Nexus models and releases. However there are some typical caveats:
I hope this has been helpful!
Laz