Port-security failure in Packet Tracer 5.3.3.0019

Date: 4 April 2013

Scenario

Note: The default configuration of the Catalyst 2960 is assumed.

1. Port-security configuration

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#^Z
Switch#

2. Verification

Switch#sh runn
Building configuration...

Current configuration : 1189 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0090.2B66.2DAD
!
interface FastEthernet0/2
!
---abridged---
Switch#

3. Test from a PC

PC>ipconfig

IP Address......................: 192.168.0.2
Subnet Mask...................: 255.255.255.0
Default Gateway.............: 0.0.0.0

PC>ping 192.168.0.3

Pinging 192.168.0.3 with 32 bytes of data:

Reply from 192.168.0.3: bytes=32 time=125ms TTL=128
Reply from 192.168.0.3: bytes=32 time=62ms TTL=128
Reply from 192.168.0.3: bytes=32 time=63ms TTL=128
Reply from 192.168.0.3: bytes=32 time=63ms TTL=128

Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 62ms, Maximum = 125ms, Average = 78ms

PC>

4. Test from another PC on the same port

PC>ipconfig

IP Address......................: 192.168.0.1 (different PC)
Subnet Mask...................: 255.255.255.0
Default Gateway.............: 0.0.0.0

PC>ping 192.168.0.3

Pinging 192.168.0.3 with 32 bytes of data:

Request timed out. (port security is acting)
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>

5. Checking port security

Switch#sh port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
               (Count)       (Count)        (Count)
--------------------------------------------------------------------
        Fa0/1        1          1                 1         Shutdown
----------------------------------------------------------------------
Switch#

6. Enabling Rapid PVST

This step is performed because the fault was first suspected in a more complex scenario with redundant links between switches; to save time, RPVST was enabled there, but port security then failed, and port security was the topic of the class.

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#spanning-tree mode rapid-pvst
Switch(config)#^Z

7. Re-enabling the blocked port

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface FastEthernet0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Switch(config-if)#exit

8. Test from the blocked PC on the same port

PC>ipconfig
IP Address......................: 192.168.0.1
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 0.0.0.0

PC>ping 192.168.0.3

Pinging 192.168.0.3 with 32 bytes of data:

Reply from 192.168.0.3: bytes=32 time=125ms TTL=128 (should have been blocked)
Reply from 192.168.0.3: bytes=32 time=62ms TTL=128
Reply from 192.168.0.3: bytes=32 time=63ms TTL=128
Reply from 192.168.0.3: bytes=32 time=63ms TTL=128

Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 62ms, Maximum = 125ms, Average = 78ms

PC>

9. Checking the running-config

Switch#sh runn
Building configuration...

Current configuration : 1255 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000C.85A3.2022  (original PC)
 switchport port-security mac-address sticky 0090.2B66.2DAD (PC added because of the fault)
!
interface FastEthernet0/2
---abridged---
Switch#
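The running-config above is the evidence of the fault: Fa0/1 keeps the default maximum of one secure address yet carries two sticky MACs. The following is an added example, not part of the original lab, that parses a saved `show running-config` and flags any interface whose learned sticky MACs exceed its `switchport port-security maximum` (default 1). The sample config is constructed from the abridged step-9 output.

```python
import re
from typing import Dict, List

# Constructed sample: the abridged step-9 running-config from this lab,
# where Fa0/1 holds two sticky MACs although the default maximum is 1.
SAMPLE_RUNNING_CONFIG = """\
!
version 12.2
hostname Switch
!
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000C.85A3.2022
 switchport port-security mac-address sticky 0090.2B66.2DAD
!
interface FastEthernet0/2
!
"""

DEFAULT_MAX = 1  # Catalyst default for 'switchport port-security maximum'
MAC_RE = re.compile(r"^\s*switchport port-security mac-address sticky\s+"
                    r"([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s*$")
MAX_RE = re.compile(r"^\s*switchport port-security maximum\s+(\d+)")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect per-interface port-security facts from an IOS running-config."""
    interfaces: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"enabled": False, "maximum": DEFAULT_MAX, "sticky": []}
            continue
        if current is None or not line.startswith(" "):
            current = None  # a '!' or global command ends the interface block
            continue
        if line.strip() == "switchport port-security":
            interfaces[current]["enabled"] = True
        elif (m := MAX_RE.match(line)):
            interfaces[current]["maximum"] = int(m.group(1))
        elif (m := MAC_RE.match(line)):
            interfaces[current]["sticky"].append(m.group(1).upper())
    return interfaces


def find_over_limit(config: str) -> List[str]:
    """Interfaces with port security on and more sticky MACs than their maximum."""
    return [name for name, facts in parse_interfaces(config).items()
            if facts["enabled"] and len(facts["sticky"]) > facts["maximum"]]
```

Run against a real config dump, any interface it returns is a port where the sticky table and the configured limit disagree and should be inspected with `show port-security interface`.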

10. Counter-tests

10.1 Removing the MAC that was wrongly allowed

Switch(config)#interface FastEthernet0/1
Switch(config-if)#no switchport port-security mac-address sticky 0090.2B66.2DAD
Switch(config-if)#exit

10.2 Disabling RPVST

Switch(config)#no spanning-tree mode rapid-pvst
Switch(config)#^Z
Switch#

10.3 Checking port security from the PC

PC>ipconfig
IP Address......................: 192.168.0.1 (added PC)
Subnet Mask...................: 255.255.255.0
Default Gateway.............: 0.0.0.0

PC>ping 192.168.0.3

Pinging 192.168.0.3 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>

10.4 Checking port security on the switch

Switch#sh port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
               (Count)       (Count)        (Count)
--------------------------------------------------------------------
        Fa0/1        1          1                 1         Shutdown
----------------------------------------------------------------------
Switch#

(2013) Ernesto Vilarrasa
Cisco CCAI, CCAI Security
Rosario, Argentina