_saik0
Member Candidate
Topic Author
Posts: 127
Joined: Sun Aug 26, 2007 11:18 pm

Switch chip - port security

Wed Jul 23, 2014 1:34 am

RB2011UAS-2HnD with latest OS/fw.

Is it possible to set a static MAC address for a certain switch port so that no other host/MAC is allowed, much like port security?

It doesn't seem to be possible to define a rule to drop any MAC address under
/interface ethernet switch host
With a host entry to drop MAC 00:00:00:00:00:00 this doesn't seem to work, as a new dynamic entry is added when a new host is plugged in, so this automatically allows the newcomer.

Should be a fairly simple option?
Last edited by _saik0 on Wed Jul 23, 2014 1:47 am, edited 1 time in total.
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Switch chip - port security

Wed Jul 23, 2014 1:37 am

Use a PPPoE server on that port, without any other service/IP/config.
I'm Italian, not English. Sorry for my imperfect grammar.
 
_saik0
Member Candidate
Topic Author
Posts: 127
Joined: Sun Aug 26, 2007 11:18 pm

Re: Switch chip - port security

Wed Jul 23, 2014 1:44 am

Thanks for the fast response!

Uh, this should be switch-port functionality, so no CPU involved...
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Switch chip - port security

Wed Jul 23, 2014 1:47 am

Do you need it for MANAGEMENT, or for data only from one device?

Could VLAN be one option?
 
_saik0
Member Candidate
Topic Author
Posts: 127
Joined: Sun Aug 26, 2007 11:18 pm

Re: Switch chip - port security

Wed Jul 23, 2014 1:49 am

I edited the first post for more clarification...

I want to drop all incoming packets with a MAC other than aaaa.bbbb.cccc, just like port security on e.g. a Cisco switch works. Switch-port functionality only.
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Switch chip - port security

Wed Jul 23, 2014 2:00 am

"You" can make a script... schedule it at a reasonable interval.

Supposing ether1 is the interface you want to "block", switch1 the switch chip the port is connected to, and aa:bb:cc:dd:ee:ff the only MAC you want to accept:
# Meant to run from the scheduler. Every MAC learned dynamically on ether1
# that is not the permitted one gets its learned (forwarding) entry replaced
# by a static entry that drops it. A MAC first seen between two scheduler
# runs is still forwarded until the next run.
:foreach i in=[/interface ethernet switch host find where mac-address!=aa:bb:cc:dd:ee:ff and ports=ether1 and dynamic=yes] do={
  :local currMAC [/interface ethernet switch host get $i mac-address];
  /interface ethernet switch host remove $i;
  /interface ethernet switch host add mac-address=$currMAC drop=yes ports=ether1 switch=switch1;
};
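As an added example, not part of rextended's post and not a MikroTik tool: a Python audit that reads the switch host table and reports, per port, learned MACs that are not on the allow-list, an allowed MAC that is only dynamically learned rather than pinned as a static entry, and an allowed MAC turning up on another port. The sample table is constructed to resemble /interface ethernet switch host print terse output; the exact column layout is an assumption, so the parser relies only on key=value tokens and a single-letter flag column (D = dynamic). Entries already marked drop=yes are treated as enforced and skipped.

```python
"""Audit a switch-chip host (MAC) table against a per-port allow-list.

Added example, not code from the thread or from MikroTik.  SAMPLE_HOST_TABLE is
constructed to resemble `/interface ethernet switch host print terse` output;
the exact column layout is an assumption, so the parser relies only on
`key=value` tokens and a single-letter flag column (D = dynamic).
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_HOST_TABLE = """\
 0   mac-address=AA:BB:CC:DD:EE:FF ports=ether1 switch=switch1 drop=no
 1 D mac-address=00:11:22:33:44:55 ports=ether1 switch=switch1 drop=no
 2 D mac-address=AA:BB:CC:DD:EE:FF ports=ether2 switch=switch1 drop=no
 3   mac-address=00:11:22:33:44:55 ports=ether3 switch=switch1 drop=yes
"""

# Assumed policy: the only host that may source frames on ether1.
ALLOWED: Dict[str, Set[str]] = {"ether1": {"AA:BB:CC:DD:EE:FF"}}

_KV = re.compile(r"^([\w-]+)=(\S*)$")


def parse_host_table(text: str) -> List[dict]:
    """Turn terse `print` lines into dicts with mac, ports, dynamic and drop fields."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        fields = {}
        flags = set()
        for tok in tokens:
            m = _KV.match(tok)
            if m:
                fields[m.group(1)] = m.group(2)
            elif len(tok) == 1 and tok.isalpha():
                flags.add(tok)          # flag column, e.g. D for dynamic
        if "mac-address" not in fields:
            continue
        entries.append({
            "mac": fields["mac-address"].upper(),
            "ports": fields.get("ports", ""),
            "dynamic": "D" in flags,
            "drop": fields.get("drop") == "yes",
        })
    return entries


def audit(entries: List[dict], allowed: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (port, mac, finding) triples for entries that violate the allow-list."""
    findings = []
    allowed_macs = {mac for macs in allowed.values() for mac in macs}
    for e in entries:
        port, mac = e["ports"], e["mac"]
        if e["drop"]:
            continue                    # static drop entry: already enforced
        if port in allowed and mac not in allowed[port]:
            kind = "dynamic" if e["dynamic"] else "static"
            findings.append((port, mac, f"unauthorized-{kind}-host"))
        elif port in allowed and e["dynamic"]:
            # permitted MAC is only learned, not pinned: it ages out and is not enforced
            findings.append((port, mac, "allowed-mac-not-pinned"))
        elif port not in allowed and mac in allowed_macs:
            # the permitted MAC showing up elsewhere: moved device or spoofing
            findings.append((port, mac, "allowed-mac-on-other-port"))
    return findings


if __name__ == "__main__":
    for port, mac, why in audit(parse_host_table(SAMPLE_HOST_TABLE), ALLOWED):
        print(f"{port}: {mac} {why}")
```

Against the constructed table this flags the dynamically learned 00:11:22:33:44:55 on ether1 (exactly the newcomer the opening post describes being auto-allowed) and the permitted MAC appearing on ether2; the drop=yes entry on ether3 is left alone. Feed it real `print terse` output over SSH or the API and the same two checks apply.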
 
CblP
newbie
Posts: 29
Joined: Mon Mar 25, 2013 11:05 am

Re: Switch chip - port security

Wed Jul 23, 2014 8:57 am

Not sure if it's gonna work as intended, but you could try something like
/interface ethernet switch rule
# assumes etherX sits on switch1 (the RB2011 has switch1 and switch2)
# 1) the allowed source MAC matches first; the no-op action ends rule processing for the frame
add switch=switch1 ports=etherX src-mac-address=01:02:03:04:05:06/FF:FF:FF:FF:FF:FF new-vlan-priority=0
# 2) anything else entering etherX is forwarded to no port (dropped); keep this rule last for the port
add switch=switch1 ports=etherX new-dst-ports=""
where 01:02:03:04:05:06 is the allowed MAC, and the 2nd rule is last for the given port.
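As an added example that is not from this post or from MikroTik: a Python model of how first-match-wins switch-chip ACL rules evaluate src-mac-address=ADDR/MASK. It assumes, as in the MikroTik manual's vendor-prefix usage (FF:FF:FF:00:00:00 matches a 3-byte prefix), that a frame matches when (mac & MASK) == (ADDR & MASK), and that a matched rule with a no-op action such as new-vlan-priority=0 still ends rule processing. It evaluates two rule sets against constructed probe MACs: one that uses a mask equal to the allowed address and then drops only the all-zero MAC (a common mistake when writing these rules), and one that uses an all-ones mask for the allowed MAC followed by an unconditional drop for the port.

```python
"""Model of switch-chip ACL src-mac matching (added example, not MikroTik code).

Assumption: a rule's src-mac-address=ADDR/MASK matches a frame when
(frame_mac & MASK) == (ADDR & MASK), rules are evaluated in order, and the
first match wins.  Actions mirror the RouterOS properties used in the thread:
"pass" stands for a no-op action such as new-vlan-priority=0, "drop" for
new-dst-ports="" (forward to no port).
"""
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Accepts aa:bb:cc:dd:ee:ff and Cisco aaaa.bbbb.cccc notation."""
    return int(mac.replace(":", "").replace(".", ""), 16)


@dataclass
class Rule:
    ports: str                       # ingress port the rule applies to
    src_mac: Optional[str] = None    # "ADDR/MASK", or None for any source MAC
    action: str = "pass"             # "pass" (no-op action) or "drop"

    def matches(self, port: str, mac: str) -> bool:
        if port != self.ports:
            return False
        if self.src_mac is None:
            return True
        addr, mask = self.src_mac.split("/")
        a, m = mac_to_int(addr), mac_to_int(mask)
        return (mac_to_int(mac) & m) == (a & m)


def decide(rules: List[Rule], port: str, mac: str) -> str:
    """First matching rule decides; a frame matching no rule is forwarded normally."""
    for r in rules:
        if r.matches(port, mac):
            return r.action
    return "pass"


ALLOWED = "01:02:03:04:05:06"

# Mask equal to the address, then "drop the zero MAC": looks right, is not.
loose_rules = [
    Rule("ether2", f"{ALLOWED}/{ALLOWED}", "pass"),
    Rule("ether2", "00:00:00:00:00:00/FF:FF:FF:FF:FF:FF", "drop"),
]

# Exact match for the allowed MAC, then drop everything else on the port.
strict_rules = [
    Rule("ether2", f"{ALLOWED}/FF:FF:FF:FF:FF:FF", "pass"),
    Rule("ether2", None, "drop"),
]

# Constructed probes: the allowed MAC, a one-bit neighbour, broadcast, zero, random.
PROBES = [ALLOWED, "01:02:03:04:05:07", "ff:ff:ff:ff:ff:ff",
          "00:00:00:00:00:00", "de:ad:be:ef:00:01"]


def port_security_ok(rules: List[Rule], port: str, allowed: str, probes: List[str]) -> bool:
    """True when, among the probes, exactly the allowed MAC is forwarded on the port."""
    return all((decide(rules, port, m) == "pass") == (m == allowed) for m in probes)


if __name__ == "__main__":
    for name, rules in (("loose", loose_rules), ("strict", strict_rules)):
        verdicts = {m: decide(rules, "ether2", m) for m in PROBES}
        print(name, port_security_ok(rules, "ether2", ALLOWED, PROBES), verdicts)
```

The loose set lets through any MAC whose set bits cover those of the allowed address (01:02:03:04:05:07, ff:ff:ff:ff:ff:ff) and anything the zero-MAC rule does not catch (de:ad:be:ef:00:01), so only the zero MAC is dropped; the strict set forwards the allowed MAC alone and leaves other ports untouched. That is the check worth doing on any ADDR/MASK rule before trusting it as port security.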
 
Janevski
newbie
Posts: 35
Joined: Sat Dec 31, 2016 10:29 pm

Re: Switch chip - port security

Thu Nov 09, 2017 2:57 am

Same question as OP.

How can i set up a Cisco-like port security on MikroTik switch?
What i mean is allow only one mac on that port.
 
becs
MikroTik Support
Posts: 479
Joined: Thu Jul 07, 2011 8:26 am

Re: Switch chip - port security

Thu Nov 09, 2017 1:07 pm

Hello, CRS1xx/2xx series switches support such a feature:
https://wiki.mikrotik.com/wiki/Manual:C ... s_per_Port
 
TomjNorthIdaho
Forum Veteran
Posts: 990
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Switch chip - port security

Fri Nov 10, 2017 1:44 am

re: Cisco-like port security

FYI
I don't want to scare anybody or post what we know - however ...

We have identified some network security holes on Cisco switches.
Depending on your Cisco switch configuration, if we are at an IP phone, we are able to:
- knock down the entire IP phone network
- hack into any VLAN on the Cisco switch
- knock down any VLAN network or knock down any device on any VLAN
- even with some basic MAC address security which limits to only a single MAC address, we can still get onto any network and have multiple computers injected into those networks
- inject our own DHCP server and have it take control of DHCP services
- inject our own gateway on any VLAN network
- redirect devices on other VLANs to use our gateway - and SPAN-monitor all traffic then
- find/scan for server vulnerabilities on any VLAN

I'm not trying to be scary - I am, however, stating:
- network security is often overlooked or never checked
- all networks everywhere usually have some huge gaping security holes for bad guys to get through
- when it comes to "port security", you really need to think out-of-the-box and think about how many ways and methods the NSA could use to get into your network.

Another FYI - I kinda suspect the next big world-wide network security vulnerabilities will be CPU microcode and CPU hidden Minix code . . . (AKA - did you know your CPU processors have a built-in hidden CPU & operating system & web browser interface?)


Tom Jones
 
Janevski
newbie
Posts: 35
Joined: Sat Dec 31, 2016 10:29 pm

Re: Switch chip - port security

Fri Nov 10, 2017 4:25 am

becs wrote:
> Hello, CRS1xx/2xx series switches support such feature:
> https://wiki.mikrotik.com/wiki/Manual:C ... s_per_Port

Thank You!

TomjNorthIdaho wrote:
> re: Cisco-like port security
> [...]

Would You care to elaborate any further?
Is this perhaps vtp related? Are static vlans affected?
Did You test the same thing on MikroTik? How did it go?
 
TomjNorthIdaho
Forum Veteran
Posts: 990
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Switch chip - port security

Fri Nov 10, 2017 5:11 am

Re: Would You care to elaborate any further?
Not much at this time. I am still looking for other vulnerabilities when on Cisco switches connected to VoIP phones.
FYI - this is not specifically a Cisco thing; it is related to, but not necessarily, a VoIP thing and how things are configured.

Re: Is this perhaps vtp related? Are static vlans affected?
Kinda (not VTP domain related) but VLAN related.

Re: Did You test the same thing on MikroTik? How did it go?
I used a Cisco switch & PC & a MikroTik - something we all have access to and might already own.

North Idaho Tom Jones
