CCNP Security (SENSS) - PORT SECURITY LAB - Lesson # 04
PRACTICAL WAY and configurations
Login to the Kali box and launch an attack. It will send
bogus MAC addresses to the switch.
root@kali:~# macof -i eth0
Log in to the switch to see the MAC addresses.
SW1# show mac address-table count vlan 123
The switch has 48 MACs.
5925 addresses are dynamically learned in VLAN 123.
Now let's log in to the switch. Turning on terminal monitor
lets us see the log messages on this session.
SW# terminal monitor (switch sends log messages to the vty
session)
SW# conf t
# default int G0/2
# int g0/2 (Kali box is connected here)
! set the port as an access port, because port security doesn't
work on dynamic (DTP-negotiated) ports.
# switchport mode access
# switchport access vlan 123
! set the maximum number of MACs; the default is 1.
# switchport port-security maximum 5 (normally 10 is
fine; some networks run VMs behind a port, so the switchport learns those MACs dynamically, but
allowing something like 100 would let the CAM table overflow)
! set aging parameters
# switchport port-security aging type inactivity
# switchport port-security aging time 5
(age out after 5 minutes of inactivity. If we set an
absolute timeout instead, the switch ages the MAC out a fixed time after it was first learned,
regardless of activity, and then applies the violation action)
! violation action
(the default mode shuts down the switch port. Here we use
the restrict option)
# switchport port-security violation restrict
! if we want to add a static MAC
# switchport port-security mac-address 0000.1251.2849
! now the configuration is done. Remember to enable the
feature we just configured.
# switchport port-security
Here, SecureStatic address aging shows as disabled because we
didn't configure any aging timeout for static MAC addresses.
! we can enable sticky learning
# switchport port-security mac-address sticky
Now let's push another attack from the Kali box and see the
benefit. After the attack through the Kali box is done, run
show port-security on the switch.
The Kali box is connected to G0/2. Here we configured a maximum of
5 MACs. All 5 MACs were learned and a security violation occurred because the Kali box sends
many MACs to the G0/2 port. The violation option is restrict, as we configured.
Here port g0/6 will probably be a trunk port. Let's configure it
and enable port security on it.
# default int g0/6
# int g0/6
# switchport trunk encapsulation dot1q
# switchport mode trunk
# switchport port-security maximum 50 vlan 123 (here we
can configure whatever we want. Port security is enabled and allows 50 MACs for VLAN 123
only. Once these parameters are violated we can set what action the port will
take, such as restrict or shutting down the port, and trigger SNMP or syslog messages.)
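With restrict mode the port keeps forwarding but logs each offending MAC, so the defender's follow-up is to read those violation logs. As an added example that is not part of this lab, here is a small Python parser over constructed syslog lines in the %PORT_SECURITY-2-PSECURE_VIOLATION format (assumed to match what IOS emits); it separates a port with one repeat offender from a port hit by a flood of distinct MACs like the macof run above:

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not captured from the lab switch). The
# message format is the %PORT_SECURITY-2-PSECURE_VIOLATION line IOS emits in
# restrict mode; the MACs, ports and timestamps below are invented.
SAMPLE_LOG = """\
*Mar  1 00:12:01.101: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3a1f.9c02.77b1 on port GigabitEthernet0/2.
*Mar  1 00:12:01.118: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 8e40.0b6d.12c5 on port GigabitEthernet0/2.
*Mar  1 00:12:01.124: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:12:01.131: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 5c77.e3a9.4f08 on port GigabitEthernet0/2.
*Mar  1 00:12:01.140: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address D21B.4466.09EE on port GigabitEthernet0/2.
*Mar  1 00:12:01.152: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00a1.b2c3.d4e5 on port GigabitEthernet0/6.
*Mar  1 00:12:07.903: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00a1.b2c3.d4e5 on port GigabitEthernet0/6.
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) "
    r"on port (?P<port>[^\s.]+)"
)


def parse_violations(log_text):
    """Map each port to its offending MACs (lower-cased) in log order.
    Lines from other facilities (e.g. %SYS-5-CONFIG_I) are ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            hits[m.group("port")].append(m.group("mac").lower())
    return dict(hits)


def flag_flooding_ports(log_text, distinct_mac_threshold=3):
    """Return {port: distinct offending MACs} for ports at/above the threshold.
    One MAC tripping restrict repeatedly looks like a misplaced host; many
    distinct MACs on one port is the trace a macof-style CAM flood leaves."""
    flagged = {}
    for port, macs in parse_violations(log_text).items():
        distinct = len(set(macs))
        if distinct >= distinct_mac_threshold:
            flagged[port] = distinct
    return flagged


if __name__ == "__main__":
    for port, macs in parse_violations(SAMPLE_LOG).items():
        print(f"{port}: {len(macs)} violations, {len(set(macs))} distinct MACs")
    print("flooding ports:", flag_flooding_ports(SAMPLE_LOG))
```

Note that in restrict mode IOS rate-limits these messages, so the counts are a lower bound; the distinct-MAC count per port is the more reliable flood signal.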
1. Port security protects the switch from CAM table
overflow attacks.
2. Sticky option: dynamically learned MAC addresses are
copied into the running config. We can save the MACs into the startup config (NVRAM)
with wr by saving the configuration.
3. Violation modes (P/R/S/S: protect, restrict, shutdown, shutdown VLAN).
4. Configuration.