LAB # 11: Port Security SSUET/QR/114
LAB # 11
PORT SECURITY
OBJECTIVE
To secure campus network from unhealthy systems by implementing port security on switches.
THEORY
PORT SECURITY
Port security can be used with dynamically learned and static MAC addresses to restrict a port's
ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When
you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that
has source addresses outside the group of defined addresses. If you limit the number of secure
MAC addresses to one and assign a single secure MAC address, the device attached to that port
has the full bandwidth of the port.
A security violation occurs in either of these situations:
• When the maximum number of secure MAC addresses is reached on a secure port and
the source MAC address of the ingress traffic is different from any of the identified
secure MAC addresses, port security applies the configured violation mode.
• If traffic with a secure MAC address that is configured or learned on one secure port
attempts to access another secure port in the same VLAN, port security applies the
configured violation mode.
Fig 12.1 Port security restricts port access by MAC address
CE-312: Data Communication 77
NETWORK SETUP
Fig 12.2 Network setup for applying port security
EXERCISE 12.1
Verify MAC table and ports
Check the MAC address table first. A type of DYNAMIC means the address was learned from
traffic and that no MAC address has been configured on the port. Use privileged EXEC mode to
view the MAC address table:
Switch# show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0001.4267.74a9 DYNAMIC Fa0/6
1 0002.4a20.a5ed DYNAMIC Fa0/1
1 0003.e4b2.29a0 DYNAMIC Fa0/10
1 0004.9a54.2174 DYNAMIC Fa0/9
1 0004.9ab2.c6c8 DYNAMIC Fa0/7
1 000b.be7c.7c4b DYNAMIC Fa0/3
1 00d0.5830.a010 DYNAMIC Fa0/5
1 00d0.58de.4a21 DYNAMIC Fa0/8
1 00e0.b0d2.49c7 DYNAMIC Fa0/4
It is good practice to check that all ports are up:
Switch#sh ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 unassigned YES manual up up
FastEthernet0/2 unassigned YES manual up up
FastEthernet0/3 unassigned YES manual up up
FastEthernet0/4 unassigned YES manual up up
FastEthernet0/5 unassigned YES manual up up
FastEthernet0/6 unassigned YES manual up up
FastEthernet0/7 unassigned YES manual up up
FastEthernet0/8 unassigned YES manual up up
FastEthernet0/9 unassigned YES manual up up
FastEthernet0/10 unassigned YES manual up up
--More--
EXERCISE 12.2
STEP 1: SELECT RANGE TO APPLY PORT SECURITY
Interface configuration commands modify the operation of specific interfaces. To configure a
range of interfaces, enter interface configuration mode from global configuration mode with the
interface range command. The prompt Switch(config-if)# (or Switch(config-if-range)# for a range)
indicates that you are in interface configuration mode.
Switch(config)# interface range fastEthernet 0/1 - 10
STEP 2: ACCESS MODE
By default, port security is turned off on all interfaces. To turn it on, a port must be in
access mode; otherwise the command is rejected. Check out the attempt below to enable it
when the port is in 'dynamic desirable' rather than access mode.
Switch(config-if-range)# switchport mode access
STEP 3: APPLYING MAC-ADDRESS-STICKY
Port security with sticky MAC addresses provides many of the same benefits as port security with
static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with
sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.
Switch(config-if-range)# switchport port-security mac-address sticky
STEP 4: SET MAXIMUM ADDRESS TO LEARN
This sets how many MAC addresses can be considered secure on a given port (the upper limit is
platform dependent). The default is 1.
Switch(config-if-range)# switchport port-security maximum 1
STEP 5: VIOLATION CONDITION TO SHUTDOWN
When configuring port security violation modes, note the following information:
• Protect—Drops packets with unknown source addresses until you remove a sufficient
number of secure MAC addresses to drop below the maximum value.
• Restrict—Drops packets with unknown source addresses until you remove a sufficient
number of secure MAC addresses to drop below the maximum value and causes the
SecurityViolation counter to increment.
• Shutdown—Puts the interface into the error-disabled state immediately and sends an
SNMP trap notification.
Switch(config-if-range)# switchport port-security violation shutdown
STEP 6: APPLYING PORT SECURITY
If this command is not entered, port security will not be applied.
Switch(config-if-range)# switchport port-security
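The steps above (sticky learning, a maximum of 1, and the protect/restrict/shutdown violation modes) as a small added model written for this lab; it is not Cisco code or part of the manual. The two MAC addresses are the ones the lab's own output shows on Fa0/5, and the port behaviour is a constructed simplification of the behaviour described in steps 3 to 5.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Constructed model of one secure access port (not Cisco's code)."""
    name: str
    maximum: int = 1              # switchport port-security maximum 1
    violation: str = "shutdown"   # protect | restrict | shutdown
    sticky: set = field(default_factory=set)  # sticky-learned secure MACs
    violation_count: int = 0      # the SecurityViolation counter
    err_disabled: bool = False    # True once shutdown mode has fired

    @property
    def status(self) -> str:
        return "Secure-shutdown" if self.err_disabled else "Secure-up"

    def ingress(self, src_mac: str) -> str:
        """Apply port security to one frame and report what happened."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.sticky:
            return "forwarded"
        if len(self.sticky) < self.maximum:
            self.sticky.add(src_mac)       # learned and retained as sticky
            return "forwarded (learned sticky)"
        # Maximum reached and the source is not a secure MAC: a violation.
        if self.violation == "protect":
            return "dropped"               # silent drop, counter untouched
        if self.violation == "restrict":
            self.violation_count += 1      # drop and count the violation
            return "dropped (counted)"
        self.violation_count += 1          # shutdown: port goes err-disabled
        self.err_disabled = True
        return "dropped (port err-disabled)"

def exercise_12_3(mode: str = "shutdown") -> dict:
    """Replay the lab: the PC on Fa0/5 is learned, then a different PC is plugged in."""
    port = SecurePort("FastEthernet0/5", maximum=1, violation=mode)
    first = port.ingress("00d0.5830.a010")   # original PC (Exercise 12.1 MAC table)
    second = port.ingress("0001.C971.1829")  # replacement PC (Exercise 12.3)
    return {"first": first, "second": second, "status": port.status,
            "violations": port.violation_count, "sticky": sorted(port.sticky)}

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, exercise_12_3(mode))
```

Running it for all three modes shows why only shutdown takes the port to Secure-shutdown while protect leaves the counter at zero.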
STEP 7: CHECKING PORT SECURITY
Switch# show port-security interface fastEthernet 0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses :1
Total MAC Addresses :1
Configured MAC Addresses :0
Sticky MAC Addresses :1
Last Source Address:Vlan : 00d0.5830.a010
Security Violation Count :0
EXERCISE 12.3
CHANGE THE PC ON PORT FASTETHERNET 0/5 AND VERIFY PORT SECURITY
Switch# show port-security interface fastEthernet 0/5
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses :1
Total MAC Addresses :1
Configured MAC Addresses :0
Sticky MAC Addresses :1
Last Source Address:Vlan : 0001.C971.1829:1
Security Violation Count :1
CHECK THE LAST SOURCE MAC ADDRESS AND COMPARE IT WITH THE MAC ADDRESS FROM THE LAST EXERCISE
Switch# show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 unassigned YES manual up up
FastEthernet0/2 unassigned YES manual up up
FastEthernet0/3 unassigned YES manual up up
FastEthernet0/4 unassigned YES manual up up
FastEthernet0/5 unassigned YES manual down down
FastEthernet0/6 unassigned YES manual up up
FastEthernet0/7 unassigned YES manual up up
Switch# show interfaces fastEthernet 0/5
FastEthernet0/5 is down, line protocol is down (err-disabled)
Hardware is Lance, address is 0030.a354.e505 (bia 0030.a354.e505)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
<OUTPUT OMITTED>
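The comparison asked for in Exercise 12.3, automated as an added example (not part of the manual): parse the show port-security interface output and check the last source address against the MAC the table showed on Fa0/5 in Exercise 12.1. The sample text is constructed from the lab's own output lines; the key handling for "Last Source Address:Vlan" is an assumption about that line's shape.

```python
import re

# Constructed sample, copied in shape from the Exercise 12.3 output for Fa0/5.
SAMPLE = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses :1
Total MAC Addresses :1
Sticky MAC Addresses :1
Last Source Address:Vlan : 0001.C971.1829:1
Security Violation Count :1
"""
# MAC the table showed on Fa0/5 in Exercise 12.1 (the original PC).
EXPECTED_FA0_5 = "00d0.5830.a010"

# The "Last Source Address:Vlan" key itself contains a colon, so it is matched
# explicitly; every other key runs up to the first colon.
LINE_RE = re.compile(r"^(Last Source Address:Vlan|[^:]+?)\s*:\s*(.*?)\s*$")

def parse_port_security(text: str) -> dict:
    """Return the show output as a dict; counters become ints."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            fields[key] = int(value) if value.isdigit() else value
    return fields

def assess(fields: dict, expected_mac: str) -> dict:
    """Decide whether the port saw a violation and whether an unexpected device caused it."""
    last, _, vlan = fields.get("Last Source Address:Vlan", "").partition(":")
    return {
        "err_disabled": fields.get("Port Status") == "Secure-shutdown",
        "violations": fields.get("Security Violation Count", 0),
        "last_mac": last.lower(),
        "vlan": int(vlan) if vlan.isdigit() else None,
        "unexpected_device": last.lower() != expected_mac.lower(),
    }

if __name__ == "__main__":
    print(assess(parse_port_security(SAMPLE), EXPECTED_FA0_5))
```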
HOME ASSIGNMENTS
Q1: Perform other violation modes on other ports.