How to configure port-security on Cisco Switch

Hi Rene,

What should be the best practise to configure a port security with IPSG and DAI with VMs ?

Thanks

Hello Giovanni

According to Cisco, port security is not recommended within a VM infrastructure in a Cisco environment:

…due to the need for the VM MAC addresses to move from one switchport to a different switchport on the same or a different switch and on the same VLAN without the port physically going down.

See Page 50 in the following Cisco document:

Although there are many professionals that disagree with this philosophy, as there are ways of dealing with the shifting of VM MACs. Ultimately, I would go with Cisco's recommendations unless your particular implementation absolutely needs port security, in which case you can implement it appropriately for your needs. Unfortunately there is no one clear answer to this, but maybe this gives you some guidelines.

As for IPSG and DAI, there are no specialized requirements for the implementation of these features within a virtual environment beyond those stipulated in a more traditional datacenter implementation.

I hope this has been helpful!

Laz

Hi,
I have a problem during the configuration of a port-security on my sw.

This is the configuration.

interface GigabitEthernet0/4
 description 99_FW_OOB
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 spanning-tree portfast
!

If I try an attack using macof, the switch does not put the port in err-disable and I can see all the MACs in the CAM table on port g0/4.

Solved,
I forgot the port-security command 🙂

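The config above sets port-security options but never enables the feature, which is exactly why macof could flood the CAM table. As an added example (not code from the original post), here is a small Python audit that parses IOS interface blocks and flags that pattern; the sample config is constructed and only mirrors the shape of the one in the thread.

```python
import re

# Constructed sample (not the poster's real switch): Gi0/4 reproduces the
# thread's mistake (options set, feature never enabled); Gi0/5 is correct.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/4
 description 99_FW_OOB
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface GigabitEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
"""


def parse_interfaces(config):
    """Split an IOS running-config into {interface_name: [stripped lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None  # '!' closes the interface block
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_port_security(config):
    """Per-interface port-security state. 'misconfigured' is set when option
    lines exist but the bare 'switchport port-security' line (the only command
    that actually enables the feature) is missing. IOS defaults assumed:
    maximum 1, violation shutdown."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        enabled = "switchport port-security" in lines
        opts = [l for l in lines if l.startswith("switchport port-security ")]
        state = {"enabled": enabled, "maximum": 1, "sticky": False,
                 "violation": "shutdown", "misconfigured": bool(opts) and not enabled}
        for opt in opts:
            if m := re.match(r"switchport port-security maximum (\d+)$", opt):
                state["maximum"] = int(m.group(1))
            elif opt == "switchport port-security mac-address sticky":
                state["sticky"] = True
            elif m := re.match(r"switchport port-security violation (\w+)$", opt):
                state["violation"] = m.group(1)
        report[name] = state
    return report
```

Run it against `show running-config` output to catch interfaces where sticky or maximum were configured but the feature itself was never turned on.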

I have a question. I want to prevent anyone from getting a new IP from the DHCP server. I know I can use DHCP snooping, but my challenge is that our main trunk to the GPON currently has DHCP snooping trust set. We intend to do this on a voice VLAN on the switch. Most subnets are beyond the trunk.
How do you advise I approach this?

Hello Temitope

One way you could do this is to configure the DHCP server to stop giving out new DHCP addresses. You can maintain the current address leases, lock them to the specific MACs that are already in the DHCP bindings, and simply don't give out any more. The current leases can be renewed, but no new ones will be provided.

In a GPON network (or any network for that matter), if you already have snooping trust set, and you don't have control over that network, then you can't use it to block DHCP messages.

Can you share a little more about your network topology and what you want to achieve? As well as what portions of the network you have control over (and can thus configure) and which you don't? Maybe that way we'll be able to suggest something more specific.

I hope this has been helpful!

Laz

Hi,
Can you help me to understand these logs.

Jun 27 12:01:09 79.33.42.119 8515 .Jun 27 10:01:08.036: PSECURE: psecure_vp_fwdchange invoked
Jun 27 12:01:09 79.33.42.119 8516 .Jun 27 10:01:08.041: PSECURE: psecure_linkchange: Gi0/8  hwidb=0x5734918
Jun 27 12:01:09 79.33.42.119 8517 .Jun 27 10:01:08.041: PSECURE: Link is going down
Jun 27 12:01:09 79.33.42.119 8518 .Jun 27 10:01:08.041: PSECURE: psecure_linkdown_init: Gi0/8 hwidb = 0x5734918
Jun 27 12:01:09 79.33.42.119 8519 .Jun 27 10:01:08.041: PSECURE: psecure_deactivate_port_security: Deactivating port-security feature
Jun 27 12:01:09 79.33.42.119 8520 .Jun 27 10:01:08.041: PSECURE: port_deactivate: port status is 1
Jun 27 12:01:09 79.33.42.119 8521 .Jun 27 10:01:08.041: PSECURE: port security not active on GigabitEthernet0/8

For issues that I've discovered in my network, I've decided to remove port-security entirely from the interfaces… but I can see on the logs something with PSECURE, even if it is disabled.

In my configuration I don't have any port-security commands on g0/8.

Why is it happening?

Hello Giovanni

This series of port security syslog messages seems to indicate that port security is being deactivated on the interface. The last one also indicates that port security is not active on the interface. Did these messages appear at the time that you actually deactivated port security on the interface or at some time after that? Do you find that other PSECURE messages appear even after port security is completely removed from all ports?

Let us know so we can help you further in your troubleshooting process.

I hope this has been helpful!

Laz
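To answer Laz's questions from the logs themselves, it helps to normalise the two timestamps and group the PSECURE lines per interface. This is an added Python example, not code from the original thread; the log lines are constructed in the same shape as the excerpt above, with a documentation IP in place of the real device address.

```python
import re
from collections import defaultdict

# Constructed sample in the excerpt's format: relay timestamp, device IP,
# sequence number, device timestamp (the leading '.' is the IOS marker for a
# clock that is not NTP-synchronised), then the PSECURE message.
SAMPLE_LOG = """\
Jun 27 12:01:09 192.0.2.10 8515 .Jun 27 10:01:08.036: PSECURE: psecure_vp_fwdchange invoked
Jun 27 12:01:09 192.0.2.10 8516 .Jun 27 10:01:08.041: PSECURE: psecure_linkchange: Gi0/8  hwidb=0x5734918
Jun 27 12:01:09 192.0.2.10 8517 .Jun 27 10:01:08.041: PSECURE: Link is going down
Jun 27 12:01:09 192.0.2.10 8518 .Jun 27 10:01:08.041: PSECURE: psecure_linkdown_init: Gi0/8 hwidb = 0x5734918
Jun 27 12:01:09 192.0.2.10 8519 .Jun 27 10:01:08.041: PSECURE: psecure_deactivate_port_security: Deactivating port-security feature
Jun 27 12:01:09 192.0.2.10 8520 .Jun 27 10:01:08.041: PSECURE: port_deactivate: port status is 1
Jun 27 12:01:09 192.0.2.10 8521 .Jun 27 10:01:08.041: PSECURE: port security not active on GigabitEthernet0/8
"""

LINE_RE = re.compile(
    r"^(?P<relay_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<device>\S+) (?P<seq>\d+) "
    r"[.*]?(?P<dev_ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): PSECURE: (?P<msg>.*)$")
IFACE_RE = re.compile(r"\b(?:Gi|GigabitEthernet)(\d+/\d+)\b")


def parse_psecure(log):
    """Yield one dict per PSECURE line; lines without an interface name inherit
    the last one seen, since IOS emits them as one burst per port event."""
    events, last_iface = [], None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if im := IFACE_RE.search(m["msg"]):
            last_iface = "Gi" + im.group(1)  # normalise Gi0/8 vs GigabitEthernet0/8
        events.append({"seq": int(m["seq"]), "device_ts": m["dev_ts"],
                       "iface": last_iface, "msg": m["msg"]})
    return events


def summarise(events):
    """Per interface: was a link-down in the burst, was port security
    deactivated, what did the final state say, and are sequence numbers
    contiguous (a gap means the collector dropped lines)."""
    by_iface = defaultdict(list)
    for e in events:
        by_iface[e["iface"]].append(e)
    summary = {}
    for iface, evs in by_iface.items():
        seqs = [e["seq"] for e in evs]
        text = " | ".join(e["msg"] for e in evs)
        summary[iface] = {"link_down": "Link is going down" in text,
                          "deactivated": "Deactivating port-security" in text,
                          "not_active": "port security not active" in text,
                          "seq_gaps": seqs != list(range(seqs[0], seqs[0] + len(seqs)))}
    return summary
```

Correlate the device timestamp with the time the interface went down or the config was changed; a burst like this one, tied to a link-down, is the feature's cleanup path rather than evidence that port security is still enforced on the port.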

Hi,
I have a question regarding LAN security. Let's say a vendor visited my company and he's using his personal laptop. He connected his laptop using my data ports or interface and he got my MAC address. Now my question is: will he get an internet connection, and why? And if yes, how to prevent this type of attack? Plus, how to make my environment secure?

Hello Khawla

If you don't configure any security features, and you have DHCP enabled on your network, then the laptop that was plugged into your network port will obtain an IP address, and would also gain access to your network and to the Internet as well…

In order to prevent this from happening, you should implement port security, which is a series of layer 2 security features that enable or disable connectivity to hosts at the switch port. You can find out more about it at this lesson as well as in subsequent related lessons:

I hope this has been helpful!

Laz

Dear Lazaros Agapides,

Appreciating your reply, that is if the port found another MAC address, but nowadays there's a way to change the MAC address of the laptop itself. In this case, is there a way to catch this, or will my port know? Since it is the same MAC address, same IP address, same interface, same username and password, but the person is not the same. In this case, how to protect? I know you will reply physical security, but logically?

Hello Khawla

Even if you change the MAC address of the laptop, it is possible to set port security so that it allows only one MAC address. For ports that are not in continuous use, say a network jack in your lobby or your conference room, you can set that switch port so that it accepts NO MAC address at all. So it will only be enabled when you go in and allow it to be enabled.

Even if a malicious user unplugs a PC and plugs in their own, that port can be configured to work only with the MAC address of the PC. Now if the malicious user learns the MAC address of the PC and changes the MAC address on their laptop to match, then yes they will be able to gain access. However, in such a case, you can use 802.1x. In this case, on your laptop, you will be prompted for a password in order to enable the port and gain access. More information on how you can configure this can be found here:

I hope this has been helpful!

Laz


Is there a way to limit the number of MAC addresses that a particular port can learn? I'm aware of the switchport port-security maximum command, but I'm just wondering if I can simply limit the number of MACs on a port without configuring the switchport port-security command in either a dynamic, static, or sticky method? In other words, I don't care what MAC address the port learns, but I only want it to allow 1, 2, or whatever number of MAC addresses I choose. For example, I just want it to learn 3 MAC addresses and every MAC after 3 gets ignored. I hope my question makes sense. Thank you.

Hello Mike

That sounds very much like port security with a maximum setting of three and the sticky feature enabled. The only other way to allow or block frames based on their MAC addresses is to use a MAC access list, which is essentially an access list that operates on the source and destination MAC addresses of Ethernet frames. There you can statically permit or deny frames with specific source and destination MAC addresses. More information about this can be found in the following Cisco documentation:

I hope this has been helpful!

Laz