In a previous post I described what a CAM Table Overflow Attack is and how to mitigate it using port security, so let's get straight into it.
Topology I’m using
Straightforward topology: PC-1 and PC-2 are on the same subnet.
PC-1
- IP Address: 192.168.1.1
- MAC Address: 0060.3E94.1111
PC-2
- IP Address: 192.168.1.2
- MAC Address: 0001.C710.2222
I changed the MAC addresses manually in the PC configuration to end with .1111 for PC-1 and .2222 for PC-2, as it makes it easier to know which MAC belongs to which PC.
To stop a CAM Table Overflow Attack from being successful we can and should enable port security on the switch.
First, let's look at the MAC address table as it stands on the switch. We can see the MAC addresses of PC-1 and PC-2 and which ports they are connected to.
The next step is to configure port security.
Switch(config)#interface range fa0/1 - 2
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security violation shutdown
Switch(config-if-range)#switchport port-security mac-address sticky
That's all there is to it. Remember that the port cannot be in dynamic mode, so you must use the switchport mode access command to make it an access port first.
To verify the configuration, use the following show commands (output below).
- show mac address-table
- show port-security address
- show port-security
Note in the output below that the Type is no longer Dynamic but Static; this is because we used the mac-address sticky command above.
To force a violation in Packet Tracer, we can go into one of the PCs' configuration and change its MAC address; this should cause a psecure violation.
I changed PC-1 here so that its MAC address now ends with .3333 instead of .1111; this should cause the port to shut down.
As you can see from the output above, the link has changed to down.
Also, if you run the same commands from earlier, we can see that Fa0/1 has a SecurityViolation count of 1.
If you run the command #show port-security interface fa0/1, we can get more details on the violation.
- Port Status : Secure-shutdown
- Last Source Address:Vlan: 0060.3E94.3333:1
- Security Violation Count: 1
Looking closer at the output, we can see the port status is Secure-shutdown, the last MAC address seen on the port was 0060.3E94.3333 (the one that caused the violation), and the violation count has gone up to 1.
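As an added example that is not part of the original post: a small Python parser for the output of the show port-security and show port-security interface commands used above, so a violation like the one from PC-1 can be picked up by a script rather than by eye. The sample output is constructed to match the values in this post (Fa0/1, 0060.3E94.3333, count 1), not captured from the author's switch.

```python
import re
# Constructed sample output modelled on the post's values, not captured from
# the author's switch: `show port-security` after PC-1 changed its MAC.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
      Fa0/2              1            1                  0         Shutdown
---------------------------------------------------------------------------
"""
# Constructed `show port-security interface fa0/1` output for the same event.
SHOW_INTERFACE_FA01 = """\
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Last Source Address:Vlan   : 0060.3E94.3333:1
Security Violation Count   : 1
"""
# One table row: port, max addresses, current addresses, violation count, action.
SUMMARY_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_summary(text):
    """Map each secure port to its counters from the summary table."""
    ports = {}
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if m:  # header, (Count) and separator lines do not match the row shape
            port, mx, cur, viol, action = m.groups()
            ports[port] = {"max": int(mx), "current": int(cur),
                           "violations": int(viol), "action": action}
    return ports

def parse_interface_detail(text):
    """Split the 'Field : value' lines of the per-interface output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")  # keys may contain ':' too
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def violating_ports(summary):
    """Ports with a non-zero SecurityViolation count, i.e. worth an alert."""
    return sorted(p for p, d in summary.items() if d["violations"] > 0)

def describe_violation(detail):
    """Return (port status, offending MAC, VLAN, violation count)."""
    mac, _, vlan = detail["Last Source Address:Vlan"].partition(":")
    return (detail["Port Status"], mac, int(vlan), int(detail["Security Violation Count"]))
```

Feeding the real output of the two show commands into these functions instead of the constructed strings gives the same fields the post reads off by hand.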
To bring the port back up you have to go into the interface that is down and run:
- #no shutdown
You can use the errdisable command, but I can't show you that as unfortunately Packet Tracer doesn't support the command. The command will automatically bring the interface back up after a set amount of time.