[c-nsp] Layer 2 security issue
Justin C. Darby
jcdarby at usgs.gov
Wed Sep 24 16:43:27 EDT 2008
I don't know if this is possible for you to do or not, but have you
considered using static assignments for MAC<->Port mappings (e.g.
specify a mac address instead of sticky)?

I only use port security on an N7K at the moment, and we had to use
static mappings due to an outstanding bug related to the port
security mac-address sticky not propagating in the event of a sup
failover. After doing some reading it seems like it's a good idea to use
static assignments anyway, since I've seen a lot of reports of problems
similar to yours (generally, there seem to be a lot of bugs in the whole
L2 security suite on every platform).

Justin

Varaillon Jean Christophe wrote:
> Hi,
>
> We are using Cisco 3550, 3560 for access and 4500 for the core.
>
> All the ports of the users are port-secure enabled (switchport port-security
> mac-address sticky).
>
> We have enough cases where their ports get in err-disable status due to a
> wrong MAC address source.
>
> That mac address source is always the same for all cases that is: the mac
> address of the default gateway of the users (vlan interfaces on 4500).
>
> This means that the users are sending packets where the MAC address *source*
> is the one of their default router.
>
> An up to date antivirus scanning on those PCs did not lead anywhere.
>
> Has anybody seen this recently?
>
> Thank you.
>
> Christophe
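
The symptom described in the quoted message (access ports err-disabled by a frame whose source MAC is the default gateway's) can be confirmed from switch syslog before changing any port-security configuration. The following is an added example, not code from either poster: it scans for the IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` message and reports which access ports saw a gateway MAC as the offending source. The log lines, switch names and MAC addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample syslog (not from the thread). MACs use the
# 00-00-5E-00-53-xx documentation range; switch names are hypothetical.
SAMPLE_LOG = """\
Sep 24 09:12:01 sw-acc-1 %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
Sep 24 09:12:01 sw-acc-1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5301 on port FastEthernet0/5.
Sep 24 10:40:17 sw-acc-2 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5301 on port FastEthernet0/12.
Sep 24 11:02:44 sw-acc-2 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.53aa on port FastEthernet0/3.
Sep 25 08:03:09 sw-acc-1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5301 on port FastEthernet0/5.
"""

VIOLATION = re.compile(
    r"(?P<host>\S+) %PORT_SECURITY-2-PSECURE_VIOLATION: .*?"
    r"MAC address (?P<mac>[0-9a-fA-F.:-]+) on port (?P<port>[\w/]+)"
)

def norm_mac(mac):
    """Normalize dotted, colon or dash MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def gateway_violations(log_text, gateway_macs):
    """Return {gateway_mac: sorted [(switch, port), ...]} for violations
    whose offending source MAC is one of the gateway (SVI) addresses."""
    gateways = {norm_mac(m) for m in gateway_macs}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if not m:
            continue  # other messages, e.g. %PM-4-ERR_DISABLE
        mac = norm_mac(m.group("mac"))
        if mac in gateways:
            hits[mac].add((m.group("host"), m.group("port")))
    return {mac: sorted(ports) for mac, ports in hits.items()}

if __name__ == "__main__":
    # Gateway MAC given in colon notation; the log uses Cisco dotted notation.
    for mac, ports in gateway_violations(SAMPLE_LOG, ["00:00:5E:00:53:01"]).items():
        print(mac, ports)
```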