A problem with port security

levitan.eli · ‎07-09-2019

Hi everyone,

I'm kinda new to r&s and just started learning through cbt nuggets and got to port security and I have a question:

I made with Packet Tracer a model of normalSwitch-normalPC and "evil" switch-"evil" PC, as the name suggests- it is evil.

so i configured the normal switch's port security with max:1 ,MAC sticky , violation: shutdown so no one else should connect through that port and when I disconnected the normal PC and replaced it with evilSwitch it worked as expected.

BUT when i change violation to restrict the colors between the normal switch and "evil" switch are turning green (!) and no warning is on my console.
Isn't the sticky MAC should disable the evil switch from connecting ? And why there is no warning on the screen ?

Thanks, Eli !

Mark Malone · ‎07-09-2019

Hi
I dont use PT but it could just be an emulator issue that its not dropping the packets , regarding screen output if your over vty port you need terminal monitor configured , if over console logging console should be enabled to be able to see the issues as they occur or alerts

is the security violation even incrementing when you check the PS status for that port when the bad PC is connected ?
show port-security interface | i Viol

switchport port-security violation
To set the action to be taken when a security violation is detected, use the switchport port-security violation command. To revert to the default settings, use the no form of this command.

switchport port-security violation { protect | restrict | shutdown }
no switchport port-security violation { protect | restrict | shutdown }

Syntax Description

protect
Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.

restrict
Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.

shutdown
Shuts down the port if there is a security violation.

levitan.eli · ‎07-09-2019

Thanks for the comment,

The security violation count jumped to astronomous amounts- 700~ ! and later on even to 1000~...

(checked by "show port-security interface fa 0/1")

By your explanation it seems i've done everything right...

Edit: Added a screenshot

Mark Malone · ‎07-09-2019

Looks good , i would send packets and watch the counters go up as you do it , that will confirm its working , its only restrict mode so packets not getting through is what you want but not shut down the port

PT is very good tool to start out with but you should look at IOU and GNS3 too as they run full images and you can run into less emulator issues but what your seeing looks fine

levitan.eli · ‎07-09-2019

Appearently there's a bug in pt that doesnt allow me to trace a packet. I'm starting to think I've done everything right.
By the way the counter is incrementing automatically even with no action to trigger it... seems odd...

EDIT: I tried installing gns3 because solving this issue is important to me but this program is REALLY annoying....

Got tons of questions in the installing process and now it wants to connect to a server and fails. this is so fraustrating....

Everton de Paula S Pinto · ‎07-09-2019

Hello @levitan.eli

In addition to the port-security violation settings, you must enable port-security in the interface, with the switchport port-security command, without this, the breach settings have no effect.

There are 3 options for dealing with violations:

switchport port-security violation protect -> does not allow only the amount of MAC defined
switchport port-security violation restrict -> does not allow the violation and generates an alert
switchport port-security violation shutdown -> puts the interface in shutdown state when the violation happens

The commands below have been run on a Cisco Catalyst 2960 device and help with port-security troubleshooting. I can not be sure if they all work on the packet tracer.

show port-securityshow port-security interface fa0/20

Regards
---
Everton

levitan.eli · ‎07-09-2019

Thanks for the comment.
I just did the switchport port-security to make sure it's enabled and still everything the same.

paul driver · ‎07-09-2019

Hello

Did you save the running config after you enabled port sec mac sticky otherwise the dynamically learn mac isn’t saved to the cam table and it will then have to be relearnt so it’s possible why it allowed you to add a different device

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

levitan.eli · ‎07-09-2019

Thanks for the comment.
Actually at first I didn't save the config but now I did and still I am able to replace the PC with the evil-switch with no warning on console or red lights...

michaeleastongodwin · ‎10-25-2023

I've had a similar issue, but on my end on PT restrict mode drops packets as desired but does not increment the violation counter at all. I'm still at 0 violation count despite being in restrict mode and sending about 12 different pings from an unauthorized MAC address. Definitely looking into GNS3 now.