RE:RE: port security and SPAN

From: router0160 (router0160@sinaman.com)
Date: Sat Sep 07 2002 - 00:55:35 GMT-3


Hi all,

How about implementing this on a C3550 switch?
>-----Original Message-----
>From: Volkov, Dmitry (Toronto - BCE) [mailto:dmitry_volkov@ca.ml.com]
>Sent: Wednesday, September 04, 2002 6:52 PM
>To: 'ccielab@groupstudy.com'
>Subject: RE: port security and SPAN
>
>
>OK, no answers :(
>
>Well, I repeated all the steps described below on another switch, a 5513 Sup III
>with CatOS 5.5.(13a)
>(the first test was done on a 5000 Sup II with CatOS 4.x).
>
>When I tried to configure "set port security 3/6 enable" on a port where a
>destination SPAN was previously configured, I got the message
>"Feature not allowed on span port" - the switch refused it.
>Well, I put "set port security 3/6 00-10-4b-a2-e7-39" and it was accepted.
>Again I got a "monitor" port that was able to capture packets on the other port and
>"port security" enabled at the same time.
>So, despite
>http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_5/sw_cfg/sec_port.htm
>saying "You cannot configure port security on a SPAN destination port and vice
>versa." - you can do it!
>
>Now, it looks like this is again an issue of interpretation of the wording on CCO, because:
>
>A sniffer need not be configured for TCP/IP. You can unbind TCP/IP from the NIC and
>leave only the sniffer driver enabled on the NIC.
>This is the well-known "stealth mode". In this case the switch port will not learn
>any MAC address on the SPAN port where the sniffer is plugged in. So "Port Security"
>- even being enabled - just doesn't make sense in this case!
>
>I think the sentence "You cannot configure port security on a SPAN
>destination port and vice versa." can be interpreted as:
>"You can do it, but why? Since port security will not be able to do the
>functions it has to do."
>
>Taking into consideration all of the above and... below, it looks like it's very insecure
>to leave a SPAN port enabled, since no steps can be taken to prevent
>any user from plugging in anything and sniffing traffic if a SPAN session already exists.
>
>Can somebody disprove it?
>
>Thanks,
>
>
>Dmitry
>
>> -----Original Message-----
>> From: Volkov, Dmitry (Toronto - BCE) [mailto:dmitry_volkov@ca.ml.com]
>> Sent: Friday, August 30, 2002 3:35 PM
>> To: 'ccielab@groupstudy.com'
>> Subject: port security and SPAN
>>
>>
>> Hi,
>>
>> CCO said: "You cannot configure port security on a SPAN destination port and
>> vice versa."
>> I tried to configure it and it works. What I did:
>>
>> 1) plug sniffer laptop (MAC 00-10-4b-a2-e7-39) into port 3/6
>> 2) sw-9> (enable) set span 3/2 3/6
>> 3) sw-9> (enable) set port security 3/6 ena
>> 4) 2002 Aug 30 09:51:46 EST -04:00 %SECURITY-1-PORTSHUTDOWN:Port 3/6 shutdown due to security violation
>>    - Port went to "shutdown"
>> 5) sw-9> (enable) set port 3/6 enable
>> And now I have port monitor status and security enabled.
>> Sniffer captures packets coming to/from port 3/2
>>
>> sw-9> (enable) sh port 3/6
>> Port  Name               Status     Vlan       Level  Duplex Speed Type
>> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
>>  3/6                     monitor    30         high   a-full a-100 10/100BaseTX
>>
>> Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
>> ----- -------- ----------------- ----------------- -------- -------- -------
>>  3/6  enabled  00-10-4b-a2-e7-39                   No       disabled     268
>>
>> sw-9> (enable) sh span
>> Status          : enabled
>> Admin Source    : Port 3/2
>> Oper Source     : Port 3/2
>> Destination     : Port 3/6
>> Direction       : transmit/receive
>> Incoming Packets: disabled
>>
>> 6) I unplugged the laptop from 3/6 and plugged another host into 3/6 (different MAC)
>> sw-9> (enable) 2002 Aug 30 10:08:39 EST -04:00 %SPANTREE-3-PORTDEL_FAILNOTFOUND:
>> 3/6 in vlan 30 not found (LinkUpdPrcs)
>> 2002 Aug 30 10:08:41 EST -04:00 %SECURITY-1-PORTSHUTDOWN:Port 3/6 shutdown due to security violation
>>
>> sw-9> (enable) sh port 3/6
>> Port  Name               Status     Vlan       Level  Duplex Speed Type
>> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
>>  3/6                     shutdown   30         high   auto   auto  10/100BaseTX
>>
>> Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
>> ----- -------- ----------------- ----------------- -------- -------- -------
>>  3/6  enabled  00-10-4b-a2-e7-39 00-00-0c-4e-47-88 Yes      disabled     268
>>
>> 7) I unplugged this host from 3/6 and plugged the laptop back into port 3/6
>> 8) sw-9> (enable) set port enable 3/6
>> 9) sw-9> (enable) sh port 3/6
>> Port  Name               Status     Vlan       Level  Duplex Speed Type
>> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
>>  3/6                     monitor    30         high   a-full a-100 10/100BaseTX
>>
>> Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
>> ----- -------- ----------------- ----------------- -------- -------- -------
>>  3/6  enabled  00-10-4b-a2-e7-39                   No       disabled     268
>>
>> Laptop captures packets.
>>
>> ANY comments?
>>
>> Thanks,
>>
>> Dmitry
>>
>> sw-9> (enable) sh ver
>> WS-C5000 Software, Version McpSW: 4.5(9) NmpSW: 4.5(9)
>> Copyright (c) 1995-2000 by Cisco Systems
>> NMP S/W compiled on Sep 28 2000, 15:21:37
>> MCP S/W compiled on Sep 28 2000, 15:25:26
>> _________________________________________________________________
>> Commercial lab list: http://www.groupstudy.com/list/commercial.html
>> Please discuss commercial lab solutions on this list.
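As an added example (not part of the thread, and not Cisco tooling), here is a small Python audit that parses CatOS `sh span` and `sh port` output in the layout quoted above and flags the two conditions Dmitry describes: an enabled SPAN session whose destination port is not shut down, so whatever is plugged in receives the mirrored traffic, and port security enabled on that destination, which only ever acts on frames the attached device sends and so never triggers for a listen-only sniffer. The sample output is constructed to mirror the thread's `sh` output (the extra port 3/2 row and its name are invented), and the status keywords other than `monitor` and `shutdown` are assumed from CatOS conventions rather than taken from the page.

```python
import re

# Constructed sample output. The layout follows the CatOS "sh span" and
# "sh port" output quoted in the thread; the 3/2 rows are invented.
SHOW_SPAN = """\
Status          : enabled
Admin Source    : Port 3/2
Oper Source     : Port 3/2
Destination     : Port 3/6
Direction       : transmit/receive
Incoming Packets: disabled
"""

SHOW_PORT = """\
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 3/2  file-server        connected  30         normal a-full a-100 10/100BaseTX
 3/6                     monitor    30         high   a-full a-100 10/100BaseTX

Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 3/2  disabled                                     No       disabled     264
 3/6  enabled  00-10-4b-a2-e7-39                   No       disabled     268
"""

MAC = r"(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}"
# Status table row: port, optional name, status keyword, vlan. Status keywords
# other than "monitor" and "shutdown" are assumed, not taken from the thread.
STATUS_ROW = re.compile(
    r"^\s*(\d+/\d+)\s+(.*?)\s*"
    r"(connected|notconnect|monitor|shutdown|disabled|inactive|faulty|errdisable)"
    r"\s+(\S+)")
# Security table row: both MAC columns may be empty, as on the page.
SEC_ROW = re.compile(
    rf"^\s*(\d+/\d+)\s+(enabled|disabled)\s+({MAC})?\s*({MAC})?\s*(Yes|No)\s+(\S+)\s+(\d+)")


def parse_span(text):
    """Return the 'sh span' fields keyed by lower-cased label, 'Port ' stripped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        if value.startswith("Port "):
            value = value[len("Port "):]
        fields[key.strip().lower()] = value
    return fields


def parse_ports(text):
    """Return {port: {...}} merging the status and port-security tables."""
    ports, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):            # header line selects the table
            section = "security" if "Security" in line else "status"
            continue
        if not line.strip() or line.lstrip().startswith("-"):
            continue
        if section == "status" and (m := STATUS_ROW.match(line)):
            ports.setdefault(m.group(1), {}).update(
                name=m.group(2), status=m.group(3), vlan=m.group(4))
        elif section == "security" and (m := SEC_ROW.match(line)):
            ports.setdefault(m.group(1), {}).update(
                security=m.group(2), secure_mac=m.group(3),
                last_mac=m.group(4), shutdown=m.group(5) == "Yes")
    return ports


def audit(span, ports):
    """Return (code, port, message) findings for an enabled SPAN session."""
    findings = []
    if span.get("status") != "enabled":
        return findings
    dest = span.get("destination")
    port = ports.get(dest, {})
    if port.get("status") not in ("shutdown", "disabled"):
        findings.append(("SPAN_DEST_ACTIVE", dest,
            f"SPAN destination {dest} is '{port.get('status')}' while the session "
            f"from {span.get('admin source')} is enabled: whatever is plugged into "
            f"{dest} receives the mirrored traffic. Disable the session or the port "
            f"when the sniffer is not attached."))
    if port.get("security") == "enabled":
        findings.append(("PORTSEC_INEFFECTIVE", dest,
            f"Port security on SPAN destination {dest} (secure MAC "
            f"{port.get('secure_mac')}) only acts on frames the attached device "
            f"sends; a listen-only sniffer sends none, so it never triggers."))
    return findings


if __name__ == "__main__":
    for code, port, msg in audit(parse_span(SHOW_SPAN), parse_ports(SHOW_PORT)):
        print(f"[{code}] {port}: {msg}")
```

On the thread's own output the second finding is visible in the table itself: with the laptop in stealth mode attached, `Last-Src-Addr` stays empty, so the port has learned nothing to compare against the secure MAC. The check is meant to run over output collected from each switch on a schedule, so an operator notices a SPAN session left behind after a troubleshooting session.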



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:46 GMT-3