Port security – secure?

damien2008 Member Posts: 45
Hi All,

I am studying for the CCENT and have just been running through Port Security.
The 3 options are Protect - Restrict - Shutdown.

I have discovered that from a connected PC with an invalid MAC address, with the
protect and restrict options, you can still:

  • ping the switches VLAN1 Interface
  • telnet into the switch

Anyone else think this is not really secure?

Comments

  • SecurityThroughObscurity Member Posts: 212
    What configuration have you done on the interface?
  • damien2008 Member Posts: 45
    > What configuration have you done on the interface?

    OK, I have a switch with 2 PCs connected

    PC 1 is in fa 0/1 - 192.168.1.3 - mac address 0040.CA60.67E8
    PC 2 is in fa 0/4 - 192.168.1.4

    The vlan 1 interface is 192.168.1.2

    I have a 3rd PC which is not yet connected - 192.168.1.7 - mac address 0030.054A.59E2

    Port security on int fa 0/1 is configured as below:
    interface FastEthernet0/1
    switchport mode access
    switchport port-security
    switchport port-security violation restrict
    switchport port-security mac-address 0040.ca60.67e8


    Output from show port-security int fa 0/1:

    TOP_SWITCH#sh port-security int fa 0/1
    Port Security: Enabled
    Port Status: Secure-up
    Violation Mode: Restrict
    Aging Time: 0 mins
    Aging Type: Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses: 1
    Total MAC Addresses: 1
    Configured MAC Addresses: 1
    Sticky MAC Addresses: 0
    Last Source Address: 0000.0000.0000
    Security Violation Count: 0


    The 3rd PC is plugged into int fa 0/1 in place of PC 1.


    Switch status message:


    00:17:01: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0030.054a.59e2 on port FastEthernet0/1.

    With the 3rd PC in fa 0/1 I cannot ping other hosts on the switch - i.e. PC 2 in fa 0/4.

    However, I still can ping int vlan 1 (192.168.1.2) and telnet into the switch.



    After pinging the switch's vlan 1 interface and accessing the switch via telnet, the security violation count increases as below...

    TOP_SWITCH#show port-security int fa 0/1
    Port Security : Enabled
    Port Status : Secure-up
    Violation Mode : Restrict
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 1
    Total MAC Addresses : 1
    Configured MAC Addresses : 1
    Sticky MAC Addresses : 0
    Last Source Address : 0030.054a.59e2
    Security Violation Count : 77
  • SecurityThroughObscurity Member Posts: 212
    Failed to reproduce that behavior in Packet Tracer.
    Ping was blocked.
    I'll try on a real switch.
  • tomtom1 Member Posts: 375
    I was not able to reproduce this on a real switch. When the port was in restrict mode, all frames should be dropped with a syslog and SNMP trap (as it should). I was not able to ping and telnet, and the security violation counter kept increasing.
    SW01#sh run int fa0/4
    Building configuration...
    
    
    Current configuration : 239 bytes
    !
    interface FastEthernet0/4
     description link to mini1-tb
     switchport access vlan 200
     switchport mode access
     switchport port-security
     switchport port-security violation restrict
     switchport port-security mac-address 000c.29f2.1b2d
    
    *Mar  1 00:27:47.529: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.29f2.1b2c on port FastEthernet0/4.
    
    
    SW01#sh port-security interface fa0/4
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Restrict
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 1
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 000c.29f2.1b2c:200
    Security Violation Count   : 11
    
  • Magic Johnson Member Posts: 414
    Yes it's secure. It blocks all frames (L2). This naturally means no packets (L3) get through and therefore things like ping or telnet will definitely not work.
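    As an added illustration (not code from anyone in the thread or from Cisco IOS), the following Python model encodes the behaviour tomtom1 and Magic Johnson describe: once the port holds its maximum of one secure MAC, a frame from any other source is dropped in every violation mode, with protect dropping silently, restrict dropping, counting and logging, and shutdown additionally err-disabling the port. The MAC addresses, port name and the PSECURE_VIOLATION syslog format come from the thread's own output; the SecurePort class is a deliberate simplification of IOS behaviour, and parse_violation is a helper introduced here for reading the log line.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# IOS syslog line format as seen in the thread's console output.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+)\."
)

@dataclass
class SecurePort:
    """Simplified model of one access port with port security (added example, not IOS)."""
    name: str
    mode: str                        # "protect", "restrict" or "shutdown"
    secure_macs: Set[str]            # statically configured secure MACs (lower-case)
    maximum: int = 1                 # IOS default: one secure MAC per port
    violations: int = 0
    status: str = "Secure-up"
    last_source: str = "0000.0000.0000"
    syslog: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        src_mac = src_mac.lower()
        if self.status == "Secure-shutdown":
            return False                  # err-disabled: nothing passes until recovered
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac) # room left: learned as a dynamic secure MAC
            return True
        # Violation. The frame is dropped in every mode; the modes differ in the reaction.
        self.last_source = src_mac
        if self.mode == "protect":
            return False                  # silent drop: no counter, no syslog
        self.violations += 1              # restrict and shutdown both count and log
        self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {src_mac} on port {self.name}.")
        if self.mode == "shutdown":
            self.status = "Secure-shutdown"   # port goes err-disabled
        return False

def parse_violation(line: str) -> Optional[dict]:
    """Extract the offending MAC and port from a PSECURE_VIOLATION syslog line."""
    m = VIOLATION_RE.search(line)
    return m.groupdict() if m else None
```

    Feeding the model the thread's scenario (secure MAC 0040.ca60.67e8, then a frame from 0030.054a.59e2 in restrict mode) drops the frame and bumps the counter, which is the result tomtom1 saw on real hardware.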
  • damien2008 Member Posts: 45
    Morning,

    Right, I have just tried this on all my switches (3 x 2950) and the output is still the same.

    Upon configuring port security with violation restrict and then plugging another host into the interface, I can still:
    • Ping the switch's vlan 1 interface – 192.168.1.2 255.255.255.0
    • Telnet into the switch
    One note to add: when trying this on the bottom switch it did not display syslog messages alerting me to a port security violation.
    Could this have something to do with the software versions? They are all slightly different, with the bottom switch being the oldest.
    Show version output below:
    Top_Switch#sh version
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA12, RELEASE SOFTWARE (fc1)

    Middle_Switch#sh version
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)

    Bottom_Switch#sh version
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1, RELEASE SOFTWARE (fc1)
