
Port-security and Native VLANs

posted in Cisco Networking on December 10th, 2010


A few days ago I was scratching my head over a rather simple lab testing the effects of port-security on a Catalyst switch. The idea was simple: working from a default switch configuration, set up the switch with port-security and log the effects of each security mode (protect, restrict and shutdown). Nothing brainiac about it, or so I thought. After performing the rather simple switch configuration on the switchport connected to a PC, I noticed I still had connectivity to my switch's VLAN management interface IP address. "That's weird," I remember saying. I did a little looking around, and everything seemed to be configured appropriately. The port was securely configured and violation counters were incrementing, so why was I still able to SSH into my switch?!

SW3#show running | be 0/1
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0000.1111.2222
SW3#show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
(mins)
----    -----------       ----                -----   -------------
1    0000.1111.2222    SecureConfigured    Fa0/1        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
SW3#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All    000d.29ac.9300    STATIC      CPU
All    0100.0ccc.cccc    STATIC      CPU
All    0100.0ccc.cccd    STATIC      CPU
All    0100.0cdd.dddd    STATIC      CPU
1    0000.1111.2222    STATIC      Fa0/1
Total Mac Addresses for this criterion: 5
SW3#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        : 0022.6856.1294
Security Violation Count   : 104
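In the output above the port stays Secure-up while the violation counter climbs: restrict, like protect, drops the offending frames without err-disabling the port, so nothing flags the problem unless something watches that counter. The script below is an added example, not code from the original post. It parses `show port-security interface` output in the format shown above, lists ports that are still forwarding in protect or restrict mode with a nonzero counter, and diffs two snapshots to report which counters moved and the last source address seen. The first record reuses the post's Fa0/1 output verbatim; the second port and the later snapshot are constructed sample data, not from the post.

```python
import re
from dataclasses import dataclass

# Snapshot 1: Fa0/1 is the post's own output; Fa0/2 is a constructed, trimmed block
# (the parser only needs the fields it reads).
SNAPSHOT_T0 = """\
SW3#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        : 0022.6856.1294
Security Violation Count   : 104
SW3#show port-security interface fastEthernet 0/2
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Last Source Address        : 0000.aaaa.bbbb
Security Violation Count   : 1
"""

# Snapshot 2 (constructed): polled later; Fa0/1's counter has moved, Fa0/2's has not.
SNAPSHOT_T1 = """\
SW3#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Last Source Address        : 0022.6856.1294
Security Violation Count   : 120
SW3#show port-security interface fastEthernet 0/2
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Last Source Address        : 0000.aaaa.bbbb
Security Violation Count   : 1
"""

# Prompt line that starts each interface block, e.g. "SW3#show port-security interface fastEthernet 0/1"
PROMPT_RE = re.compile(r"^\S+#show port-security interface\s+(.+?)\s*$")
# "Key   : value" lines inside a block
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]+?)\s*:\s*(.*)$")

# Modes that keep the port forwarding after a violation (shutdown err-disables it instead)
SILENT_MODES = {"Protect", "Restrict"}


@dataclass
class PortSecurityStatus:
    interface: str
    status: str
    mode: str
    violations: int
    last_source: str


def parse_port_security(text):
    """Parse one or more concatenated 'show port-security interface' outputs into records."""
    records = []
    current_if = None
    fields = {}

    def flush():
        if current_if is not None:
            records.append(PortSecurityStatus(
                interface=current_if,
                status=fields.get("Port Status", ""),
                mode=fields.get("Violation Mode", ""),
                violations=int(fields.get("Security Violation Count", "0")),
                last_source=fields.get("Last Source Address", ""),
            ))

    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            flush()                      # close the previous block before starting a new one
            current_if = m.group(1)
            fields = {}
            continue
        m = FIELD_RE.match(line)
        if m and current_if is not None:
            fields[m.group(1).strip()] = m.group(2).strip()
    flush()
    return records


def silent_violations(records):
    """Ports still forwarding (Secure-up) in protect/restrict mode with a nonzero violation count."""
    return [r for r in records
            if r.mode in SILENT_MODES and r.status == "Secure-up" and r.violations > 0]


def new_violations(previous, current):
    """Diff two snapshots: (interface, increase, last source MAC) for every counter that grew."""
    prev = {r.interface: r.violations for r in previous}
    grown = []
    for r in current:
        delta = r.violations - prev.get(r.interface, 0)
        if delta > 0:
            grown.append((r.interface, delta, r.last_source))
    return grown


if __name__ == "__main__":
    t0 = parse_port_security(SNAPSHOT_T0)
    for r in silent_violations(t0):
        print(f"{r.interface}: {r.mode} mode, still up, {r.violations} violations, last {r.last_source}")
    for iface, delta, mac in new_violations(t0, parse_port_security(SNAPSHOT_T1)):
        print(f"{iface}: +{delta} violations since last poll (last source {mac})")
```

Feed it the output of the same show command collected on a schedule; the first function is the one-off check, the second is what an alert would key on, since in restrict mode the counter and the last-source MAC are the only evidence that something is being dropped.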

As it turns out, the answer to what I thought was a configuration issue is actually the way default VLAN association operates. The details still elude me a little as to why the non-default port-security violation modes are affected in this way, and it never really dawned on me until that point why Cisco recommends you keep traffic off the management VLAN. It's a HUGE security issue!

To prevent unauthorized access to your Management Interface you can do 2 things.
