Thursday, April 22, 2010

Port-security on shared hub and err-disable auto recovery

 ----------          ----------
| switch 1 |--------| switch 2 |
 ----------  Fa0/16  ----------
     |
  PC1 = 00-0C-F1-xx-xx-xx
  PC2 = 00-1D-09-yy-yy-yy

Step 1: (Base configuration)

Switch 2 (edge switch):

Uplink interface: Fa0/16

Fa0/16 config:
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast disable


Switch 1 (mobile switch):

Uplink interface: Fa0/16
Fa0/16 config:
switchport access vlan 10
switchport mode access
speed 100
duplex full


User interface for PC: Fa0/1, Fa0/2, Fa0/3
Config:
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable

Step 2: (Add port-security on the uplink interface of Switch 2)

Commands added on Fa0/16:
(config-if)#sw port-security
(config-if)#sw port-security violation shut
(config-if)#sw port-security mac-address sticky
(config-if)#sw port-security maximum 2

Switch 2 (edge switch):

Fa0/16 config:
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
speed 100
duplex full
spanning-tree portfast disable

Step 3: (Connect PC1 to Fa0/1 of Switch1)

PC1----------Fa0/1 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/1 of Switch1 changed status to up
2. sh int status fa0/1 shows that the PC is connected
Switch2:
3. sh run int fa0/16 - added --> switchport port-security mac-address sticky 000c.f1xx.xxxx
4. sh port-security address
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
10    000c.f1xx.xxxx    SecureSticky        Fa0/16       -

5. sh port-security int fa0/16
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 000c.f1xx.xxxx
Security Violation Count   : 0

Step 4: (Connect PC1 and PC2 on Fa0/1 and Fa0/2 respectively)

PC1----------Fa0/1 Switch1
PC2----------Fa0/2 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/2 of Switch1 changed status to up
2. sh int status fa0/2 - shows that the PC is connected
Switch2:
3. sh run int fa0/16 - added --> switchport port-security mac-address sticky 001d.09yy.yyyy
4. sh port-security address
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
10    000c.f1xx.xxxx    SecureSticky        Fa0/16       -
10    001d.09yy.yyyy    SecureSticky        Fa0/16       -
5. sh port-security int fa0/16
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address        : 001d.09yy.yyyy
Security Violation Count   : 0


Step 5: (Connect a rogue PC with MAC = 00-1D-09-zz-zz-zz on Fa0/3 of Switch1)

PC1----------Fa0/1 Switch1
PC2----------Fa0/2 Switch1
PC3----------Fa0/3 Switch1

Findings:
Switch1:
1. Log shows that int Fa0/3 of Switch1 changed status to up
2. Log shows that int Fa0/16 of Switch1 changed status to down
3. sh int status fa0/3 - shows that the PC is connected
Switch2:
4. Log shows:
02:19:51: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:19:51: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.09zz.zzzz on  port FastEthernet0/16.
02:19:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to down
02:19:53: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to down

5. sh int fa0/16 status - Uplink interface goes to err-disabled state
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/16                       err-disabled 10           full    100 10/100BaseTX


Step 6: (Add errdisable auto recovery on Switch2, then remove PC3)

(config)#errdisable recovery cause psecure-violation
(config)#errdisable recovery interval 30

Findings:
Switch1:
1. Log shows that int Fa0/3 of Switch1 changed status to down
2. Log shows that int Fa0/16 of Switch1 changed status to up
3. sh int status fa0/16 - shows that the uplink is connected
Switch2:
4. Log shows:
02:29:07: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
02:29:10: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
02:29:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up

5. sh int fa0/16 status - Uplink interface goes to connected state
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/16                       connected    10           full    100 10/100BaseTX
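The behaviour that steps 3 to 6 demonstrate, sticky learning up to the configured maximum, shutdown of the whole uplink on the third source MAC, and timed errdisable recovery, as a small Python model added here (not the post's or Cisco's code; `SecurePort`, `ingress`, `tick` and `run_lab` are names chosen for this illustration, and the MAC placeholders are the ones used in the post):

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class SecurePort:
    # Model of one port-security port in "violation shutdown" mode with sticky
    # learning, as on Fa0/16 of Switch 2 above. Constructed model, not IOS code.
    name: str
    maximum: int = 2
    recovery_interval: int = 30           # errdisable recovery interval (s); 0 = off
    sticky: List[str] = field(default_factory=list)
    status: str = "secure-up"
    violation_count: int = 0
    errdisabled_at: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def ingress(self, mac: str, now: int) -> str:
        """A frame with source `mac` arrives at time `now`; returns the port status."""
        if self.status == "err-disabled" or mac in self.sticky:
            return self.status
        if len(self.sticky) < self.maximum:
            self.sticky.append(mac)       # sticky: learned MAC lands in running-config
            return self.status
        self.violation_count += 1         # maximum reached: the whole uplink is shut down
        self.status = "err-disabled"
        self.errdisabled_at = now
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: caused by {mac} on {self.name}")
        return self.status

    def tick(self, now: int) -> str:
        """errdisable recovery: re-enable the port after the interval; sticky MACs stay."""
        if (self.status == "err-disabled" and self.recovery_interval
                and now - self.errdisabled_at >= self.recovery_interval):
            self.status = "secure-up"
            self.errdisabled_at = None
            self.log.append(f"%PM-4-ERR_RECOVER: recovering {self.name}")
        return self.status

PC1, PC2, PC3 = "000c.f1xx.xxxx", "001d.09yy.yyyy", "001d.09zz.zzzz"  # placeholders from the post

def run_lab(remove_pc3: bool) -> List[str]:
    """Replay steps 3 to 6; returns the uplink status after each event."""
    p = SecurePort("Fa0/16")
    out = [p.ingress(PC1, 0), p.ingress(PC2, 10), p.ingress(PC3, 20)]
    out.append(p.tick(50))                # recovery fires 30 s after the violation
    if not remove_pc3:
        out.append(p.ingress(PC3, 51))    # rogue still attached: the port flaps again
    return out
```

Because the sticky addresses survive the recovery, `run_lab(False)` shows the uplink going straight back to err-disabled while PC3 stays attached, which is why step 6 removes PC3 before the timer fires.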


Tuesday, April 6, 2010

spanning-tree portfast default and spanning-tree portfast bpduguard default

I was trying to simulate these two commands:
  1. spanning-tree portfast default
  2. spanning-tree portfast bpduguard default

Before going into details, let me give you a little background on these two commands:

spanning-tree portfast default – It’s a global command to set all the switch interfaces to STP portfast. When you issue the command you will receive a warning to manually disable portfast on interfaces connected to a hub, bridge or switch, because if you don’t, this can cause a temporary bridging loop.

spanning-tree portfast bpduguard default – It’s a global command to set STP bpduguard on all interfaces configured with portfast.

Combining the two commands is similar to going to each switch interface and enabling portfast and bpduguard.

Our first problem is how to disable portfast: do we go to the interface and issue a “no spanning-tree portfast” or a “spanning-tree portfast disable”?

What I did was enable “debug spanning-tree events” and “debug spanning-tree pvst+”; these are the only spanning-tree debug options I found relevant to what I was doing. I first captured the debug output without the portfast default command, second I issued the portfast default command, and lastly I issued “spanning-tree portfast disable” on the trunk interfaces. I then compared the three outputs and could not find any difference.

I then moved forward and issued the “spanning-tree portfast bpduguard default” command. When I tried to connect a switch to one of the access interfaces, the interface moved to err-disabled state. This means the two commands are working. I then issued “spanning-tree portfast disable”, refreshed the node, and the interface moved to connected state.

I therefore conclude that if you use the two global commands above, they are applied on all interfaces including trunks, and to negate portfast/bpduguard you need to issue “spanning-tree portfast disable” on the interface to avoid a temporary loop in your L2 network.
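A configuration check built on the conclusion above, added here as an example and not part of the post: it applies the global portfast default to every interface that has no explicit “spanning-tree portfast disable”, then reports switch-facing ports (trunks, plus any uplink names you pass in, such as the lab’s Fa0/16) where portfast is still in effect. The running-config excerpt, `effective_stp` and `audit` are constructed for this illustration.

```python
import re

# Constructed running-config excerpt (not the post's); globals plus the lab's per-port settings.
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode access
 spanning-tree portfast disable
!
interface FastEthernet0/24
 switchport mode trunk
"""

def effective_stp(config: str) -> dict:
    """Per interface: effective portfast, bpduguard and trunk mode. The global
    default counts for every port without an explicit 'portfast disable'."""
    pf_default = re.search(r"^spanning-tree portfast default$", config, re.M) is not None
    bg_default = re.search(r"^spanning-tree portfast bpduguard default$", config, re.M) is not None
    ifaces, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"^interface (\S+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"pf": pf_default, "bg": None, "trunk": False})
        elif cur is None:
            continue                      # global line: nothing else to record
        elif line == "spanning-tree portfast":
            cur["pf"] = True
        elif line == "spanning-tree portfast disable":
            cur["pf"] = False
        elif line == "spanning-tree bpduguard enable":
            cur["bg"] = True
        elif line == "switchport mode trunk":
            cur["trunk"] = True
    for st in ifaces.values():   # bpduguard default only covers ports where portfast is on
        if st["bg"] is None:
            st["bg"] = bg_default and st["pf"]
    return ifaces

def audit(config: str, uplinks: list) -> list:
    """Switch-facing ports (trunks, or names in uplinks) with portfast still in effect."""
    return [f"{name}: portfast in effect on a switch-facing port; add 'spanning-tree portfast disable'"
            for name, st in effective_stp(config).items()
            if st["pf"] and (st["trunk"] or name in uplinks)]
```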