Posted by: manilageek | April 23, 2010

Port-security on shared hub and err-disable auto recovery


PC1 = 00-0C-F1-xx-xx-xx
PC2 = 00-1D-09-yy-yy-yy

Step 1: (Base configuration)

Switch 2 (Edge switch):

Uplink interface: Fa0/16

Fa0/16 config:
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast disable

Switch 1 (Mobile switch):

Uplink interface: Fa0/16
Fa0/16 config:
switchport access vlan 10
switchport mode access
speed 100
duplex full

User interface for PC: Fa0/1, Fa0/2, Fa0/3
Config:
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable

++++++++++++++++++++++++++++++++++++

Step 2: (Added port-security on uplink interface of Switch 2)

Added command below on Fa0/16
(config-if)#sw port-security
(config-if)#sw port-security violation shut
(config-if)#sw port-security mac-address sticky
(config-if)#sw port-security maximum 2

Switch 2 (Edge switch):

Fa0/16 config:
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
speed 100
duplex full
spanning-tree portfast disable

++++++++++++++++++++++++++++++++++++

Step 3: (Connect PC1 to Fa0/1 of Switch1)

PC1 ---------- Fa0/1 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/1 of Switch1 changed status to up
2. sh int status fa0/1 shows that the PC is connected
Switch2:
3. sh run int fa0/16 - added -> switchport port-security mac-address sticky 000c.f1xx.xxxx
4. sh port-security address
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
10      000c.f1xx.xxxx    SecureSticky        Fa0/16       -

5. sh port-security int fa0/16
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 000c.f1xx.xxxx
Security Violation Count   : 0

++++++++++++++++++++++++++++++++++++

Step 4: (Connect PC1 and PC2 on Fa0/1 and Fa0/2 respectively)

PC1 ---------- Fa0/1 Switch1
PC2 ---------- Fa0/2 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/2 of Switch1 changed status to up
2. sh int status fa0/2 - shows that the PC is connected
Switch2:
3. sh run int fa0/16 - added -> switchport port-security mac-address sticky 001d.09yy.yyyy
4. sh port-security address
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
10      000c.f1xx.xxxx    SecureSticky        Fa0/16       -
10      001d.09yy.yyyy    SecureSticky        Fa0/16       -
5. sh port-security int fa0/16
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address        : 001d.09yy.yyyy
Security Violation Count   : 0

++++++++++++++++++++++++++++++++++++

Step 5: (Connect rogue PC with MAC = 00-1D-09-zz-zz-zz on Fa0/3 of Switch1)

PC1 ---------- Fa0/1 Switch1
PC2 ---------- Fa0/2 Switch1
PC3 ---------- Fa0/3 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/3 of Switch1 changed status to up
2. Log shows that int Fa0/16 of Switch1 changed status to down
3. sh int status fa0/3 - shows that the PC is connected
Switch2:
4. Log shows:
02:19:51: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:19:51: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.09zz.zzzz on  port FastEthernet0/16.
02:19:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to down
02:19:53: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to down

5. sh int fa0/16 status – Uplink interface goes to err-disabled state
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/16                       err-disabled 10           full    100 10/100BaseTX

++++++++++++++++++++++++++++++++++++

Step 6: (Add errdisable auto recovery on Switch2, then remove PC3)

(config)#errdisable recovery cause psecure-violation
(config)#errdisable recovery interval 30

Findings:
Switch1:
1. Log shows that int Fa0/3 of Switch1 changed status to down
2. Log shows that int Fa0/16 of Switch1 changed status to up
3. sh int status fa0/16 - shows that the uplink is connected
Switch2:
4. Log shows:
02:29:07: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
02:29:10: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
02:29:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up

5. sh int fa0/16 status – Uplink interface goes to connected state
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/16                       connected    10           full    100 10/100BaseTX
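As an added example (not part of the original post), a small Python monitor that parses the Switch2 syslog messages shown above and flags a port that violates again shortly after errdisable auto-recovery, which is what happens when the offending device is left on the segment; the sample log lines and the rogue MAC in it are constructed.

```python
import re
from collections import defaultdict

# Constructed syslog sample modelled on the Switch2 output above. The rogue MAC is a
# made-up value and the second violation/recovery pair is invented to show the
# pattern a port produces when the rogue device stays attached after auto-recovery.
SAMPLE_LOG = """\
02:19:51: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:19:51: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.0900.0003 on  port FastEthernet0/16.
02:29:07: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
02:29:41: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:29:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.0900.0003 on  port FastEthernet0/16.
02:30:12: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
"""

TIME_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}): (.*)$")
VIOLATION_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address ([0-9a-f.]+) on\s+port (\S+?)\.?$")
RECOVER_RE = re.compile(r"%PM-4-ERR_RECOVER: .*psecure-violation .*on (\S+)$")

def norm_port(name):
    """Map long interface names (FastEthernet0/16) onto the short form (Fa0/16)."""
    return re.sub(r"^FastEthernet", "Fa", re.sub(r"^GigabitEthernet", "Gi", name))

def parse_events(text):
    """Return (seconds, kind, port, mac) tuples for violation and recovery messages."""
    events = []
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if not m:
            continue
        secs = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))
        v = VIOLATION_RE.search(m.group(4))
        if v:
            events.append((secs, "violation", norm_port(v.group(2)), v.group(1)))
            continue
        r = RECOVER_RE.search(m.group(4))
        if r:
            events.append((secs, "recover", norm_port(r.group(1)), None))
    return events

def repeat_offenders(events, window=60):
    """Ports where a new violation follows an err-disable recovery within `window`
    seconds: the MAC that caused the shutdown is still on the hub and the port flaps."""
    last_recover = {}
    hits = defaultdict(set)
    for secs, kind, port, mac in sorted(events, key=lambda e: e[0]):
        if kind == "recover":
            last_recover[port] = secs
        elif port in last_recover and secs - last_recover[port] <= window:
            hits[port].add(mac)
    return dict(hits)
```

With `errdisable recovery interval 30` the uplink is re-enabled every 30 seconds while the offending MAC is still present, so a recovery followed by a fresh violation is the signal worth alerting on, not the first shutdown alone.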
