Beginner

A problem with port security

Hi everyone,

I'm kinda new to R&S and just started learning through CBT Nuggets. I got to port security and I have a question:

I made in Packet Tracer a model of normalSwitch-normalPC and "evil" switch-"evil" PC; as the name suggests, it is evil.

So I configured the normal switch's port security with max: 1, MAC sticky, violation: shutdown, so no one else should be able to connect through that port, and when I disconnected the normal PC and replaced it with evilSwitch it worked as expected.

BUT when I change the violation mode to restrict, the link lights between the normal switch and the "evil" switch turn green (!) and no warning appears on my console.
Shouldn't the sticky MAC stop the evil switch from connecting? And why is there no warning on the screen?

Thanks, Eli !

8 Replies
VIP Mentor

Re: A problem with port security

Hi
I don't use PT, but it could just be an emulator issue that it's not dropping the packets. Regarding screen output: if you're connected over a vty (ssh/telnet) session you need terminal monitor configured; if you're on the console, logging console should be enabled so you can see the issues or alerts as they occur.

Is the security violation count even incrementing when you check the port-security status for that port while the bad PC is connected?
show port-security interface | i Viol

switchport port-security violation
To set the action to be taken when a security violation is detected, use the switchport port-security violation command. To revert to the default settings, use the no form of this command.

switchport port-security violation { protect | restrict | shutdown }
no switchport port-security violation { protect | restrict | shutdown }

Syntax Description

protect
Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.

restrict
Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.

shutdown
Shuts down the port if there is a security violation.
Beginner

Re: A problem with port security

Thanks for the comment,

The security violation count jumped to astronomical amounts: ~700, and later on even ~1000...

(checked with "show port-security interface fa 0/1")

By your explanation it seems I've done everything right...

Edit: Added a screenshot (pt.jpg)

VIP Mentor

Re: A problem with port security

Looks good. I would send packets and watch the counters go up as you do it; that will confirm it's working. It's only restrict mode, so packets not getting through is what you want, but without shutting down the port.

PT is a very good tool to start out with, but you should look at IOU and GNS3 too, as they run full images and you run into fewer emulator issues. What you're seeing looks fine.
Beginner

Re: A problem with port security

Apparently there's a bug in PT that doesn't allow me to trace a packet. I'm starting to think I've done everything right.
By the way, the counter is incrementing automatically even with no action to trigger it... seems odd...

EDIT: I tried installing GNS3 because solving this issue is important to me, but this program is REALLY annoying....

Got tons of questions during the installation process, and now it wants to connect to a server and fails. This is so frustrating....


Re: A problem with port security

Hello @levitan.eli

In addition to the port-security violation settings, you must enable port-security on the interface with the switchport port-security command; without this, the violation settings have no effect.
There are 3 options for dealing with violations:
  • switchport port-security violation protect -> only allows the defined number of MAC addresses
  • switchport port-security violation restrict -> does not allow the violation and generates an alert
  • switchport port-security violation shutdown -> puts the interface in the shutdown state when the violation happens

The commands below were run on a Cisco Catalyst 2960 and help with port-security troubleshooting. I cannot be sure they all work in Packet Tracer.

[screenshots: port-security01.png (show port-security), port-security02.png (show port-security interface fa0/20)]

Regards
---
Everton
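The complete configuration that the replies above describe (port security enabled on the interface, maximum 1, sticky MAC, the three violation modes), together with the console/vty logging commands and the verification commands mentioned earlier in the thread, as an added example. This is not from any poster in the thread or from a vendor document; the interface name, VLAN number and MAC address are illustrative assumptions.

```cisco
! Added example: port security on one access port of a Catalyst switch.
! FastEthernet0/1, VLAN 10 and the MAC address 0011.2233.4455 are illustrative assumptions.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! This line must be present; the settings below it are inert without it.
 switchport port-security
 switchport port-security maximum 1
 ! Learn the first MAC seen on the port and pin it into the running config.
 switchport port-security mac-address sticky
 ! restrict: drop frames from any other MAC, count them, raise a syslog; the link stays up.
 switchport port-security violation restrict
 ! Alternatives (only one violation mode applies at a time):
 !  switchport port-security violation shutdown   -> err-disable the port on a violation
 !  switchport port-security violation protect    -> drop silently, no counter, no syslog
!
! Make violation messages visible as they happen.
logging console
! On a vty (ssh/telnet) session, run this exec command instead of logging console:
!  terminal monitor
!
! Optional: recover automatically from a shutdown-mode violation after 300 seconds.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! After the first legitimate frame, the sticky entry appears in the running config as
!  switchport port-security mac-address sticky 0011.2233.4455
! and survives a reload only after it is saved:
!  copy running-config startup-config
!
! Verification (exec mode):
!  show port-security interface FastEthernet0/1
!     -> Port Status, Violation Mode, Last Source Address:Vlan, Security Violation Count
!  show port-security address
!     -> secure MAC table; the sticky entry shows type SecureSticky
!  show interfaces FastEthernet0/1 status
!     -> err-disabled after a shutdown-mode violation
!  show logging | include PSECURE
!     -> the %PORT_SECURITY-2-PSECURE_VIOLATION messages, if logging is buffered
```

Usage note: with violation restrict the behaviour the original poster saw is the expected one: the link stays up (green), so the check is not the link light but Security Violation Count rising while the wrong device is attached and Last Source Address showing that device's MAC. Only violation shutdown puts the port into Secure-shutdown (err-disabled) and drops the link. Whether the syslog line reaches the screen depends on logging console or terminal monitor being active for the session you are watching, and an emulator may not generate it at all.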
Beginner

Re: A problem with port security

Thanks for the comment.
I just entered switchport port-security to make sure it's enabled, and everything is still the same.
VIP Advisor

Re: A problem with port security

Hello 

Did you save the running config after you enabled port-security MAC sticky? Otherwise the dynamically learned MAC isn't saved to the CAM table and will have to be relearnt, so that is possibly why it allowed you to add a different device.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: A problem with port security

Thanks for the comment.
Actually, at first I didn't save the config, but now I did, and I am still able to replace the PC with the evil switch with no warning on the console or red lights...