Port security failure in
Packet Tracer 5.3.3.0019
Date: April 4, 2013
Scenario
Note: the default configuration of the Catalyst 2960 is assumed.
1. Port security configuration
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#^Z
Switch#
2. Verification
Switch#sh runn
Building configuration...

Current configuration : 1189 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0090.2B66.2DAD
!
interface FastEthernet0/2
!
---abridged---
Switch#
3. Test from a PC
PC>ipconfig
IP Address......................: 192.168.0.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 0.0.0.0
PC>ping 192.168.0.3
Pinging 192.168.0.3 with 32 bytes of data:
Reply from 192.168.0.3: bytes=32 time=125ms TTL=128
Reply from 192.168.0.3: bytes=32 time=62ms TTL=128
Reply from 192.168.0.3: bytes=32 time=63ms TTL=128
Reply from 192.168.0.3: bytes=32 time=63ms TTL=128
Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 62ms, Maximum = 125ms, Average = 78ms
PC>
4. Test from another PC on the same port
PC>ipconfig
IP Address......................: 192.168.0.1   (different machine)
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 0.0.0.0
PC>ping 192.168.0.3
Pinging 192.168.0.3 with 32 bytes of data:
Request timed out.   (port-security kicks in)
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
5. Verify port security
Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
---------------------------------------------------------------------------
Switch#
6. Enable rapid PVST
This step was taken because the failure was suspected to come from a more
complex scenario with redundant links between switches; to save time RPVST
was enabled directly, and port security then failed, which was the topic
of the class.
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#spanning-tree mode rapid-pvst
Switch(config)#^Z
7. Re-enable the blocked port (the violation left Fa0/1 err-disabled; a shutdown / no shutdown brings it back up)
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface FastEthernet0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Switch(config-if)#exit
8. Test from the blocked PC on the same port
PC>ipconfig
IP Address......................: 192.168.0.1
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 0.0.0.0
PC>ping 192.168.0.3
Pinging 192.168.0.3 with 32 bytes of data:
Reply from 192.168.0.3: bytes=32 time=125ms TTL=128   (should have been blocked)
Reply from 192.168.0.3: bytes=32 time=62ms TTL=128
Reply from 192.168.0.3: bytes=32 time=63ms TTL=128
Reply from 192.168.0.3: bytes=32 time=63ms TTL=128
Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 62ms, Maximum = 125ms, Average = 78ms
PC>
9. Verify the running-config
Switch#sh runn
Building configuration...

Current configuration : 1255 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000C.85A3.2022   (original PC)
 switchport port-security mac-address sticky 0090.2B66.2DAD   (PC added by the bug)
!
interface FastEthernet0/2
---abridged---
Switch#
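The running-config above is the evidence of the failure: Fa0/1 never had
"switchport port-security maximum" changed, so the default of 1 applies,
yet two sticky secure addresses were saved. The following is an added
example, not part of the original lab note: a small Python checker that
parses an IOS running-config and flags every port-security interface whose
saved secure MACs (sticky or static) exceed its configured maximum. The
embedded config is a constructed sample that copies the Fa0/1 stanza from
step 9 and adds a hypothetical Fa0/3 with an explicit maximum of 2, so the
check has a compliant port to compare against.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the step-9 running-config excerpt from this note, with
# a hypothetical FastEthernet0/3 (maximum 2, two sticky MACs) added as a
# compliant control case. The "spanning-tree" line is kept to show that
# top-level lines outside an interface stanza are ignored.
SAMPLE_RUNNING_CONFIG = """\
!
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000C.85A3.2022
 switchport port-security mac-address sticky 0090.2B66.2DAD
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.0002.0003
 switchport port-security mac-address sticky 0001.0002.0004
!
"""

# IOS default when "switchport port-security maximum" is not configured.
DEFAULT_MAXIMUM = 1

# A saved secure address: "mac-address sticky H.H.H" or static "mac-address H.H.H".
# The bare "mac-address sticky" (no MAC) line only enables sticky learning and
# must not be counted, hence the required MAC group and the end anchor.
_SECURE_MAC_RE = re.compile(
    r"switchport port-security mac-address (?:sticky )?"
    r"([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})$"
)
_MAXIMUM_RE = re.compile(r"switchport port-security maximum (\d+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [stanza lines]}.

    Stanza lines are the indented lines following "interface X"; any
    non-indented line ("!", "hostname ...", etc.) closes the stanza.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
            continue
        if current is None:
            continue
        if line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def audit_port_security(config: str) -> Dict[str, Tuple[int, int, List[str]]]:
    """Return {interface: (maximum, secure_count, macs)} for every interface
    with port-security enabled whose saved secure MACs exceed its maximum."""
    findings: Dict[str, Tuple[int, int, List[str]]] = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport port-security" not in lines:
            continue  # port-security not enabled on this interface
        maximum = DEFAULT_MAXIMUM
        macs: List[str] = []
        for line in lines:
            m = _MAXIMUM_RE.match(line)
            if m:
                maximum = int(m.group(1))
                continue
            m = _SECURE_MAC_RE.match(line)
            if m:
                macs.append(m.group(1).upper())
        if len(macs) > maximum:
            findings[name] = (maximum, len(macs), macs)
    return findings


if __name__ == "__main__":
    for iface, (maximum, count, macs) in audit_port_security(SAMPLE_RUNNING_CONFIG).items():
        print(f"{iface}: maximum={maximum} saved_secure_macs={count} -> {', '.join(macs)}")
```

Run against the sample, the checker reports only FastEthernet0/1 (maximum 1,
two saved addresses); FastEthernet0/3 is within its explicit maximum and
FastEthernet0/2 has no port-security at all. Feeding it the output of
"show running-config" from a real switch (or from Packet Tracer) gives a
quick offline sanity check that sticky learning has not exceeded the limit
the port was supposed to enforce, independent of what "show port-security"
claims.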
10. Counter-tests
10.1 Remove the MAC that was accepted by mistake
Switch(config)#interface FastEthernet0/1
Switch(config-if)#no switchport port-security mac-address sticky 0090.2B66.2DAD
Switch(config-if)#exit
10.2 Disable RPVST
Switch(config)#no spanning-tree mode rapid-pvst
Switch(config)#^Z
Switch#
10.3 Verify security from the PC
PC>ipconfig
IP Address......................: 192.168.0.1   (added PC)
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 0.0.0.0
PC>ping 192.168.0.3
Pinging 192.168.0.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
10.4 Verify port-security status on the switch
Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
---------------------------------------------------------------------------
Switch#
(2013) Ernesto Vilarrasa
Cisco CCAI, CCAI Security
Rosario, Argentina