Port Security Lab

In a previous post I described what a CAM table overflow attack is and how to mitigate it using port security. So let's get straight into it.

Topology I’m using

(Image: lab topology)

Straightforward topology: PC-1 and PC-2 are on the same subnet.

PC-1:

  • IP Address: 192.168.1.1
  • MAC Address: 0060.3E94.1111

PC-2:

  • IP Address: 192.168.1.2
  • MAC Address: 0001.C710.2222

I changed the MAC addresses manually in the PC configuration to end in .1111 for PC-1 and .2222 for PC-2, as it makes it easier to know which MAC belongs to which PC.

To stop a CAM table overflow attack from succeeding we can, and should, enable port security on the switch.

First, let's look at the MAC address table as it stands on the switch. We can see the MAC addresses of PC-1 and PC-2 and which ports they are connected to.

(Image: show mac address-table output before port security)

The next step is to configure port security.

Switch(config)#interface range fa0/1 - 2

Switch(config-if-range)#switchport mode access

Switch(config-if-range)#switchport port-security

Switch(config-if-range)#switchport port-security maximum 1

Switch(config-if-range)#switchport port-security violation shutdown

Switch(config-if-range)#switchport port-security mac-address sticky

Switch(config-if-range)#end

(Image: port-security configuration on the switch)

That's all there is to it. Remember that port security cannot be enabled on a port that is still in DTP dynamic mode (the Catalyst default), which is why the switchport mode access command comes first.
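As an added example (not part of the original post), the following Python script audits a running-config for the settings just configured: it reports any non-trunk port that is not in access mode, has no port security, relies on the IOS defaults for maximum and violation mode, allows more than one MAC, or lacks sticky learning. The configuration excerpt it parses is constructed for the example, not captured from the lab switch.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt for the example (not captured from the lab switch):
# Fa0/1 carries the full configuration from the post, Fa0/2 has port security enabled but
# relies on the IOS defaults, Fa0/3 has been left in DTP dynamic mode, Fa0/24 is a trunk.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0060.3e94.1111
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [stripped sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(maxsplit=1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any top-level command ends the block
    return interfaces


def audit_port_security(config: str, expected_max: int = 1) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every non-trunk port. An empty list means the
    port matches the lab configuration: access mode, port security on, explicit maximum
    of expected_max, explicit violation mode, and sticky learning."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            continue  # the lab only secures access ports
        problems: List[str] = []
        if "switchport mode access" not in lines:
            # No explicit access mode means DTP dynamic mode (dynamic auto is the Catalyst
            # default), and IOS refuses the port-security command on a dynamic port.
            problems.append("not in access mode: port security cannot be enabled on a dynamic port")
            findings[name] = problems
            continue
        if "switchport port-security" not in lines:
            problems.append("port security not enabled")
            findings[name] = problems
            continue
        max_match = next(
            (m for m in (re.match(r"switchport port-security maximum (\d+)", l) for l in lines) if m),
            None,
        )
        if max_match is None:
            problems.append("maximum not set explicitly (relies on the IOS default of 1)")
        elif int(max_match.group(1)) > expected_max:
            problems.append(f"maximum {max_match.group(1)} allows more than {expected_max} MAC address(es)")
        if not any(l.startswith("switchport port-security violation ") for l in lines):
            problems.append("violation mode not set explicitly (relies on the IOS default of shutdown)")
        if "switchport port-security mac-address sticky" not in lines:
            problems.append("sticky learning not enabled")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit_port_security(SAMPLE_RUNNING_CONFIG).items():
        print(f"{port}: {'OK' if not problems else '; '.join(problems)}")
```

Feed it the output of show running-config saved to a file. Relying on the defaults (maximum 1, violation shutdown) is not wrong on IOS, but stating them explicitly makes the intent visible in the config and survives a future change of defaults, so the audit flags them.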

To verify the configuration use the following show commands (output below).

  • show mac address-table
  • show port-security address
  • show port-security

Note below that in the show mac address-table output the Type of the two learned addresses has changed from DYNAMIC to STATIC. This is because of the mac-address sticky command above: sticky-learned addresses are converted into static secure entries and written into the running configuration (show port-security address lists them as SecureSticky), so they survive a link flap and, once the config is saved, a reload.

(Image: show command output after port security)

To force a violation in Packet Tracer, go into one of the PCs' configuration and change its MAC address; this should cause a port-security (psecure) violation.

(Image: PC-1 MAC address configuration)

I changed PC-1 here so that its MAC address now ends in .3333 instead of .1111; this should cause the port to shut down.

(Image: port-security violation, link down)

As you can see from the output above, the link has changed to down.

Also, if you run the same show commands from earlier, we can see that Fa0/1 has a SecurityViolation count of 1.

If you run show port-security interface fa0/1 you get more details on the violation:

  • Port Status : Secure – shutdown
  • Last Source Address:Vlan: 0060.3E94.3333:1
  • Security Violation Count: 1

Looking closer at the output: the port status is Secure-shutdown (the port is err-disabled), the last MAC address seen on the port was 0060.3E94.3333, which is the address that caused the violation, and the violation count has gone up to 1.

To bring the port back up you have to go into the interface that is down and run shutdown followed by no shutdown:

  • #shutdown
  • #no shutdown

Fix the cause first, though: either change PC-1's MAC back to .1111 or remove the sticky entry for .1111 (clear port-security sticky interface fa0/1, or delete the sticky line from the running config). Otherwise the .1111 address stays bound to the port and the next frame from .3333 will shut it down again.

OR

Alternatively you can use errdisable recovery (errdisable recovery cause psecure-violation in global configuration, with errdisable recovery interval setting the delay; the IOS default is 300 seconds), which brings an err-disabled interface back up automatically after that amount of time, but I can't show you that as unfortunately Packet Tracer doesn't support the command. Automatic recovery does not remove the cause either: if the offending MAC is still on the port, it will be shut down again at the next violation.
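To make the violation and recovery behaviour concrete, here is an added Python model (not the post's own material and not Cisco code) of a single port-security-enabled port. It replays the lab: PC-1's address is sticky-learned, the changed .3333 address triggers a shutdown violation, shutdown/no shutdown re-enables the port but the sticky binding remains so the port is shut down again, and only clearing the sticky entry lets the new address be learned. It also implements the restrict and protect violation modes the lab did not use, on the documented IOS semantics (protect drops silently without counting, restrict drops and counts, shutdown err-disables). The model is simplified: it treats every learned address as sticky and ignores aging and VLANs. The MAC addresses are the post's, written in the lowercase form IOS displays.

```python
from dataclasses import dataclass, field
from typing import List, Optional

PC1_MAC = "0060.3e94.1111"      # PC-1 as in the lab
PC1_SPOOFED = "0060.3e94.3333"  # PC-1 after its MAC was changed in Packet Tracer


@dataclass
class SecurePort:
    """Simplified model of one port-security-enabled access port."""
    name: str
    maximum: int = 1              # switchport port-security maximum 1
    violation: str = "shutdown"   # shutdown | restrict | protect
    secure_macs: List[str] = field(default_factory=list)  # sticky-learned addresses
    status: str = "Secure-up"
    violation_count: int = 0
    last_source: Optional[str] = None

    def receive_frame(self, src_mac: str) -> str:
        """Process one ingress frame and return the switch's action."""
        if self.status == "Secure-shutdown":
            return "dropped: port err-disabled"
        self.last_source = src_mac
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Sticky learning: the address joins the secure list and, on a real
            # switch, is written into the running-config.
            self.secure_macs.append(src_mac)
            return "forwarded: sticky-learned"
        # A new source MAC beyond the maximum is a violation.
        if self.violation == "protect":
            return "dropped"  # silently: protect mode does not count violations
        self.violation_count += 1
        if self.violation == "restrict":
            return "dropped: violation logged"
        self.status = "Secure-shutdown"  # shutdown mode err-disables the port
        return "err-disabled"

    def shut_no_shut(self) -> None:
        """shutdown / no shutdown (or errdisable recovery): re-enables the port
        but leaves the sticky addresses in place."""
        self.status = "Secure-up"

    def clear_sticky(self) -> None:
        """clear port-security sticky interface <name>: forget learned addresses."""
        self.secure_macs.clear()


def run_lab() -> dict:
    """Replay the post's sequence on Fa0/1 and return the observable state."""
    port = SecurePort("Fa0/1")
    actions = [
        port.receive_frame(PC1_MAC),      # first frame: learned as sticky
        port.receive_frame(PC1_MAC),      # normal traffic
        port.receive_frame(PC1_SPOOFED),  # MAC changed: violation, port shut down
    ]
    after_violation = (port.status, port.last_source, port.violation_count)
    port.shut_no_shut()
    actions.append(port.receive_frame(PC1_SPOOFED))  # .1111 still bound: shut down again
    port.shut_no_shut()
    port.clear_sticky()
    actions.append(port.receive_frame(PC1_SPOOFED))  # now learned as the new sticky address
    return {
        "actions": actions,
        "after_violation": after_violation,
        "final_violation_count": port.violation_count,
        "final_secure_macs": list(port.secure_macs),
    }


if __name__ == "__main__":
    for key, value in run_lab().items():
        print(f"{key}: {value}")
```

The second err-disable in the replay is the point of the caveat above: re-enabling the port, whether by hand or through errdisable recovery, changes nothing about which address is allowed on it.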
