
LAB – Port Security

I have been playing with “Port Security” because I wanted to answer some of these questions.

  1. What happens if I run macof without PortSecurity enabled?
  2. What happens if I run macof with PortSecurity in its different forms?
  3. What will happen if I change my MAC address?

Topology, Equipment & Software

Using a laptop plugged into FastEthernet0/2 on a 2950 switch; on the laptop I will be using a piece of software called “macof” to generate masses of source MAC addresses.

Fig1 – Laptop plugged into Cisco 2950 switch, the laptop is also connected to the console port.

What happens if I run macof without PortSecurity enabled?

Well, as you would expect, the switch ‘fails open’ and should therefore act like a hub/repeater and forward all frames out of all interfaces, although I didn’t see this happening when I tried to use Wireshark to sniff the traffic (I will keep trying until I can prove this works).

What happens if I run macof with PortSecurity in its different forms?

Here are the config options for “port-security”

switch(config-if)# switchport mode access

!Set the interface mode as access!

switch(config-if)# switchport port-security

!Enable port-security on the interface!

switch(config-if)# switchport port-security mac-address { <mac_addr> | sticky }

!Secure a specific MAC address given as H.H.H, or with sticky record the first MAC addresses seen on the interface!

switch(config-if)# switchport port-security maximum <max_addresses>

!Set maximum number of MAC addresses on the port!

switch(config-if)# switchport port-security violation { protect | restrict | shutdown }

!Protect, restrict or shut down the port. Cisco recommends the shutdown option; shutdown is the default!

Violation Shutdown

!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
end
!

Now to run the macof software to flood the CAM table; this is done from a Linux PC.

As soon as the CAM table passed 5 MAC addresses on the port I saw the following message.


2950_sw_1#
12:54:44: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
12:54:44: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cca.e319.99e3 on po.
12:54:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
12:54:46: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down

I noticed that the port Fa0/2 went into “err-disabled”, so I wanted to check.

2950_sw_1#sh int f0/2 status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/2                        err-disabled 10           auto   auto 10/100BaseTX
2950_sw_1#

When I then looked at the config for Fa0/2 it showed that the first 5 source MAC addresses learned were then written into the config; this is what the sticky feature does. It allows the MAC addresses to be saved even after a reload.

!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0013.72a5.6d34
 switchport port-security mac-address sticky 3ea4.e70a.f669
 switchport port-security mac-address sticky 58ec.bf7f.8377
 switchport port-security mac-address sticky 7cf5.5864.15d2
 switchport port-security mac-address sticky ee6b.f378.a2a1
 spanning-tree portfast
end

To finish and reset the port-security config back to how it was before it learned any MAC addresses I used the following command. Please assume I did this each time before running macof again.

2950_sw_1#clear port-security sticky

Violation Protect

Violation Protect learns the MAC addresses, doesn’t send a syslog message and doesn’t shut/err-disable the port.
In the config below only the first five source MAC addresses will be allowed to pass frames.

!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation protect
 switchport port-security mac-address sticky
 spanning-tree portfast
end
!

Now to run the macof software to flood the CAM table.

I didn’t see any logging on the console screen and I had to look at the config to see the changes.

!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0013.72a5.6d34
 switchport port-security mac-address sticky 0048.8305.ff6e
 switchport port-security mac-address sticky 0632.0036.908b
 switchport port-security mac-address sticky 36bc.5370.cd65
 switchport port-security mac-address sticky a0ec.090c.14e1
 spanning-tree portfast
end

!
2950_sw_1#sh int f0/2 status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
2950_sw_1#

Violation Restrict

With the restrict violation mode a syslog message is sent, but the port is not shut down or placed in err-disabled.

Now to run the macof software to flood the CAM table.

2950_sw_1#
13:20:32: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address ce96.df1b.275e on port FastEthernet0/2

Here is what was written to the config:

!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0013.72a5.6d34
 switchport port-security mac-address sticky 72dd.5e68.afd5
 switchport port-security mac-address sticky a47a.9a59.fc41
 switchport port-security mac-address sticky c4f0.8269.136a
 switchport port-security mac-address sticky d83c.7f68.93fb
 spanning-tree portfast
end

And the interface is still up, but only forwarding for the MAC addresses it learned.

2950_sw_1#sh int f0/2 status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
2950_sw_1#
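As an added example (my own code, not part of the original post), here is a small Python parser for the two syslog messages seen in the shutdown and restrict runs, which tells those two modes apart from the logs alone (protect logs nothing, so it never shows up this way). The sample lines are constructed from the output quoted above, with the 13:20:32 violation moved to a hypothetical port Fa0/3 so that both cases appear in one log.

```python
import re
from collections import defaultdict

# Constructed sample (lines quoted from the post; the 13:20:32 one moved to a hypothetical Fa0/3):
SAMPLE_LOG = """\
12:54:44: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
12:54:44: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cca.e319.99e3 on po.
13:20:32: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address ce96.df1b.275e on port FastEthernet0/3
"""

VIOLATION_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): %PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?: on port (?P<port>\S+))?")
ERRDISABLE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): %PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[^,\s]+),")

def short_ifname(name):  # 'FastEthernet0/2' -> 'Fa0/2', the abbreviated form %PM messages use
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", name)

def parse_port_security_events(text):
    """Return (timestamp, kind, port, mac) tuples; port is None if the line was truncated."""
    events = []
    for line in text.splitlines():
        m = ERRDISABLE_RE.match(line)
        if m:
            events.append((m["ts"], "err-disable", m["port"], None))
            continue
        m = VIOLATION_RE.match(line)
        if m:
            events.append((m["ts"], "violation", m["port"], m["mac"]))
    return events

def summarise(events):
    """Per-port view: violation count, offending MACs and whether the port err-disabled."""
    ports = defaultdict(lambda: {"violations": 0, "macs": [], "err_disabled": False})
    for ts, kind, port, mac in events:
        if port is None:  # truncated line: attribute it to the port err-disabled in the same second
            port = next((p for t, k, p, _ in events if k == "err-disable" and t == ts), "unknown")
        key = port if port == "unknown" else short_ifname(port)
        if kind == "err-disable":
            ports[key]["err_disabled"] = True
        else:
            ports[key]["violations"] += 1
            ports[key]["macs"].append(mac)
    return dict(ports)

def likely_mode(summary):
    """Shutdown mode logs a violation and err-disables; restrict only logs the violation."""
    return {p: "shutdown" if s["err_disabled"] else "restrict" for p, s in summary.items()}
```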

And finally I used the command “show port-security” to see the information about port-security.

!
2950_sw_1#sh port-sec
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/2              5            5                  0          Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 4
Max Addresses limit in System (excluding one mac per port) : 1024

2950_sw_1#
!
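To tie the three runs together, here is an added Python model (my own teaching code, not from the post or from Cisco) of a port configured with maximum 5 and sticky learning, replaying one burst of source MACs through protect, restrict and shutdown. The interface name FastEthernet0/2 and the sample MAC values are taken from the post; the model itself is an assumption, a simplification of what IOS does.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Teaching model (an assumption of this example, not IOS code) of one access port
    with 'switchport port-security', 'mac-address sticky' and a 'maximum' limit."""
    maximum: int
    violation: str                                  # 'protect', 'restrict' or 'shutdown'
    sticky: list = field(default_factory=list)      # MACs learned, in the order seen
    err_disabled: bool = False
    syslog: list = field(default_factory=list)      # messages the switch would log

    def ingress(self, src_mac):
        """Handle one inbound frame; return True if forwarded, False if dropped."""
        if self.err_disabled:                       # an err-disabled port drops everything
            return False
        if src_mac in self.sticky:
            return True
        if len(self.sticky) < self.maximum:         # room left: sticky-learn and forward
            self.sticky.append(src_mac)
            return True
        # maximum reached and this is a new source MAC: a security violation
        if self.violation == "protect":
            return False                            # dropped silently, nothing logged
        self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {src_mac} on port FastEthernet0/2")
        if self.violation == "shutdown":            # restrict stops here; shutdown err-disables
            self.err_disabled = True
            self.syslog.append("%PM-4-ERR_DISABLE: psecure-violation error detected on "
                               "Fa0/2, putting Fa0/2 in err-disable state")
        return False

    def running_config(self):
        """The interface stanza as it would appear, with the sticky MACs written in."""
        lines = ["interface FastEthernet0/2", " switchport mode access", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}",
                 " switchport port-security mac-address sticky"]
        lines += [f" switchport port-security mac-address sticky {m}" for m in self.sticky]
        return "\n".join(lines)

def flood(mode, macs, maximum=5):
    """Replay a burst of source MACs through a fresh port; return (port, forwarded MACs)."""
    port = SecurePort(maximum=maximum, violation=mode)
    return port, [mac for mac in macs if port.ingress(mac)]

# Constructed sample burst: eight source MACs (values taken from the post), three over the max of 5.
FLOOD = ["0013.72a5.6d34", "3ea4.e70a.f669", "58ec.bf7f.8377", "7cf5.5864.15d2",
         "ee6b.f378.a2a1", "6cca.e319.99e3", "ce96.df1b.275e", "72dd.5e68.afd5"]
```

Under all three modes only the first five MACs ever get forwarded; the modes differ only in whether anything is logged and whether the learned MACs keep working afterwards.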