Cisco CCNA Port Security



 

Here is what I have:

PC1 = 10.10.10.1
PC2 = 10.10.10.2
PC3 = 10.10.10.3, connected to port f0/3, which is located in the lobby
Hacker = 10.10.10.4

 

 

The goal is to protect port f0/3 in the lobby and make sure that only PC3 (sales3) is able to connect and do its work.

Hint: You will go into interface f0/3 and start with switchport ?

Step 1) Make sure you enable port-security

 

SW1(config)#
SW1(config)#int f0/3
SW1(config-if)#switchport ?
access         Set access mode characteristics of the interface
mode           Set trunking mode of the interface
native         Set trunking native characteristics when interface is in trunking mode
nonegotiate    Device will not engage in negotiation protocol on this interface
port-security  Security related command
priority       Set appliance 802.1p priority
trunk          Set trunking characteristics of the interface
voice          Voice appliance attributes
SW1(config-if)#switchport port
SW1(config-if)#switchport port-security ?
mac-address  Secure mac address
maximum      Max secure addresses
violation    Security violation mode
<cr>
SW1(config-if)#switchport port-security
Command rejected: FastEthernet0/3 is a dynamic port.
SW1(config-if)#sw
SW1(config-if)#switchport mo
SW1(config-if)#switchport mode acc
SW1(config-if)#switchport mode ?
access   Set trunking mode to ACCESS unconditionally
dynamic  Set trunking mode to dynamically negotiate access or trunk mode
trunk    Set trunking mode to TRUNK unconditionally
SW1(config-if)#switchport mode dy
SW1(config-if)#switchport mode dynamic ?
auto       Set trunking mode dynamic negotiation parameter to AUTO
desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE
SW1(config-if)#switchport mode acc
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security

 

 

Hint: Before doing the above, make sure you have put the port into access mode. As the rejected command shows, port-security cannot be enabled on a dynamic (trunk-negotiating) port.

 

Step 2) Define how many MAC addresses can be connected to the port.
        The default is 1; because it is the default, it does not appear in show run.

 

SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int f0/3
SW1(config-if)#sw
SW1(config-if)#switchport po
SW1(config-if)#switchport port-security ?
mac-address  Secure mac address
maximum      Max secure addresses
violation    Security violation mode
<cr>
SW1(config-if)#switchport port-security max
SW1(config-if)#switchport port-security maximum ?
<1-132>  Maximum addresses
SW1(config-if)#switchport port-security maximum 2

 

Step 3) Tell the switch the MAC address of the PC connected to the port.

Hint: This can be done in two ways: sticky, where the switch learns the address dynamically and keeps it as a secure address, or a static address typed in by hand. Both are shown below.

 

 

 

SW1(config-if)#sw
SW1(config-if)#switchport po
SW1(config-if)#switchport port-security ?
mac-address  Secure mac address
maximum      Max secure addresses
violation    Security violation mode
<cr>
SW1(config-if)#switchport port-security mac
SW1(config-if)#switchport port-security mac-address ?
H.H.H   48 bit mac address
sticky  Configure dynamic secure addresses as sticky
SW1(config-if)#switchport port-security mac-address st
SW1(config-if)#switchport port-security mac-address sticky ?
H.H.H  48 bit mac address
<cr>
SW1(config-if)#switchport port-security mac-address sticky
SW1(config-if)#
SW1(config-if)#switchport port-security mac-address ?
H.H.H   48 bit mac address
sticky  Configure dynamic secure addresses as sticky
SW1(config-if)#switchport port-security mac-address 2222.2222.2222

 

Step 4) Tell the switch what action to take on a violation

 

SW1(config-if)#
SW1(config-if)#sw
SW1(config-if)#switchport po
SW1(config-if)#switchport port-security ?
mac-address  Secure mac address
maximum      Max secure addresses
violation    Security violation mode
<cr>
SW1(config-if)#switchport port-security viol
SW1(config-if)#switchport port-security violation ?
protect   Security violation protect mode
restrict  Security violation restrict mode
shutdown  Security violation shutdown mode
SW1(config-if)#switchport port-security violation shur
SW1(config-if)#switchport port-security violation shut
SW1(config-if)#switchport port-security violation shutdown

 

Hint: The default violation mode is shutdown, so, as we see in show run, it does not show up:

interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address 2222.2222.2222
!

 

As we see, the default of shutdown does not appear above.

Now I ping PC3:

PC>ping 10.10.10.3

Pinging 10.10.10.3 with 32 bytes of data:

Reply from 10.10.10.3: bytes=32 time=109ms TTL=128
Reply from 10.10.10.3: bytes=32 time=62ms TTL=128
Reply from 10.10.10.3: bytes=32 time=63ms TTL=128
Reply from 10.10.10.3: bytes=32 time=62ms TTL=128

Ping statistics for 10.10.10.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 62ms, Maximum = 109ms, Average = 74ms

PC>

Now let's look at show run; the sticky entry for PC3 has been learned and added:

interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address 2222.2222.2222
 switchport port-security mac-address sticky 00D0.D320.E74C

 

Here is before any violations:

 

SW1#show port
SW1#show port-security int f0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00D0.D320.E74C:1
Security Violation Count   : 0

 

Now I will unplug the cable from PC3, and the hacker comes along and connects to port f0/3:

 

 

SW1#show port-security int f0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00E0.A38B.4828:1
Security Violation Count   : 1

 

As we see, the port is now in secure-shutdown mode.

Here is another show command:

 

SW1#show int f0/3
FastEthernet0/3 is down, line protocol is down (err-disabled)

 

Let's look at port f0/1, where I did not configure port security:

SW1#
SW1#show port-security int f0/1
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

As we see, in this case I did not enable port security, so the first line says Disabled.

 

How do you fix it?

You, as the administrator, must go to that interface and issue shutdown followed by no shutdown.
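As an added example (not code from the tutorial or from Cisco), here is a small Python model of the port-security behaviour configured on f0/3 in Steps 1 to 4, so the maximum, the sticky and static addresses, the violation modes and the shut / no shut recovery can be replayed offline. The MAC addresses are the ones shown on the page; the protect, restrict and shutdown rules are the documented semantics, and the class is a simplification that ignores aging.

```python
# Added example, not code from the tutorial or from Cisco: a model of the
# port-security behaviour configured on f0/3 above (maximum, sticky, static
# address, violation mode), using the page's own MAC addresses. Aging is ignored.
class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", sticky=False):
        self.maximum = maximum        # Step 2: switchport port-security maximum N
        self.violation = violation    # Step 4: protect | restrict | shutdown
        self.sticky = sticky          # Step 3: ... mac-address sticky
        self.static = set()           # Step 3: ... mac-address H.H.H
        self.learned = set()          # addresses learned from frames on the wire
        self.violations = 0           # "Security Violation Count"
        self.err_disabled = False     # "Port Status : Secure-shutdown"

    def add_static(self, mac):
        self.static.add(mac)

    def secure_addresses(self):
        return self.static | self.learned

    def frame_from(self, mac):
        """Return 'forward' or 'drop' for a frame whose source MAC is `mac`."""
        if self.err_disabled:
            return "drop"
        if mac in self.secure_addresses():
            return "forward"
        if len(self.secure_addresses()) < self.maximum:
            self.learned.add(mac)     # room in the table: learn the address
            return "forward"
        # table is full and the source is unknown: this is a violation
        if self.violation == "protect":
            return "drop"             # protect drops silently, no counter
        self.violations += 1          # restrict and shutdown both count it
        if self.violation == "shutdown":
            self.err_disabled = True  # interface goes err-disabled
        return "drop"

    def shut_no_shut(self):
        """Administrator recovery: 'shutdown' then 'no shutdown' on the port."""
        self.err_disabled = False
        if not self.sticky:
            self.learned.clear()      # only sticky entries survive the bounce


def tutorial_scenario():
    """Replay the page: max 2, sticky, static 2222.2222.2222, then PC3, then hacker."""
    port = SecurePort(maximum=2, violation="shutdown", sticky=True)
    port.add_static("2222.2222.2222")
    results = [port.frame_from("00D0.D320.E74C"), port.frame_from("00E0.A38B.4828")]
    return port, results
```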

 

 


Also published on Medium.
