PORT SECURITY

DYNAMIC SECURE

The mac addresses in this configuration aren't saved when the switch reboots

PROCEDURE

Administratively shut down all switch ports that aren't in use
Verify that all unused switch ports have been administratively shutdown
Enable a dynamic secure port security only on the pertinent/used switch ports
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their mac addresses
Configure the interface to only have access to 2 dynamically learned mac addresses
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled, including their mac addresses
Assign an IP address to the PC
Send out one echo request to the default-gateway * although there is no router/default gateway assigned, the switch will still capture the mac address of the PC
Display all interfaces that have port security enabled including their mac addresses

IMPLEMENTATION

01.Switch1(config)# interface range fa0/9 - fa0/23
   Switch1(config-if-range)# shutdown
02.Switch1(config-if-range)# do show ip interface brief
03.Switch1(config)# interface fa0/1
   Switch1(config-if)# switchport mode access
    * The reason you set LAN interfaces such as the ones connected
      to end nodes to switchport mode access is because those ends
      doesn't require the sending of DTP messages...and this actually
      disables DTP on that interface
   Switch1(config-if)# switchport port-security

    * The interface must be in access or trunk mode IOT for port
      security to be enabled. If the interface is in the default
      "dynamic auto" mode, an error message will be displayed
      letting the user know that the mode must be first changed

04.Switch1# show port-security interface fa0/1
05.Switch1# show port-security address
06.Switch1(config)# interface fa0/1
   Switch1(config-if)# switchport port-security maximum 2
07.Switch1# show port-security interface fa0/1
08.Switch1# show port-security address
09.PC> ip addr add 192.168.1.2/24 dev eth0
   PC> ip route add default via 192.168.1.1 dev eth0
    * The old method of assigning IPv4 to Linux
       - PC > ifconfig eth0 192.168.1.2/24
10.PC > ping -c 1 192.168.1.1
11.Switch1# show port-security address

STATIC

PROCEDURE

Administratively shut down all switch ports that aren't in use
Verify that all unused switch ports have been administratively shutdown
Enable port security only on the pertinent/used switch ports
Assign an IP address to the PC
Send out one echo request to the default-gateway * although there is no router/default gateway assigned, the switch will still capture the mac address of the PC
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled, including their mac addresses
Configure the interface to only access a statically learned mac addresses of AAAA.BBBB.CCCC
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled, including their mac addresses
Reconfigure the interface to have 3 mac addresses allowed
Reconfigure the interface to have the following mac addresses AAAA.BBBB.CCCC, CCCC.DDDD.EEEE and 1234.ABCD.5678
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled, including mac addresses

IMPLEMENTATION

01.Switch1(config)# interface range fa0/9 - fa0/23
   Switch1(config-if-range)# shutdown
02.Switch1(config-if-range)# do show ip interface brief
03.Switch1(config)# interface fa0/1
   Switch1(config-if)# switchport mode access
    * The reason you set LAN interfaces such as the ones connected
      to end nodes to switchport mode access is because those ends
      doesn't require the sending of DTP messages...and this 
      actually disables DTP on that interface
   Switch1(config-if)# switchport port-security

    * The interface must be in access or trunk mode IOF port
      security to be enabled. If the interface is in the default
      "dynamic auto" mode, an error message will be displayed
      letting the user know that the mode must be first changed

04.PC> ip addr add 192.168.1.2/24 dev eth0
   PC> ip route add default via 192.168.1.1 dev eth0
    * The old method of assigning IPv4 to Linux
       - PC > ifconfig eth0 192.168.1.2/24
05.PC > ping -c 1 192.168.1.1
06.Switch1# show port-security interface fa0/1
07.Switch1# show port-security address
08.Switch1(config)# interface fa0/1
   Switch1(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
    * If there is already a mac address assigned on the interface,
      you need to shutdown the interface then assign the specified MAC
     address...re-enable the interface afterwards
   Switch1(config-if)# switchport port-security maximum 1
09.Switch1# show port-security interface fa0/1
10.Switch1# show port-security address
11.Switch1(config)# interface fa0/1
   Switch1(config-if)# switchport port-security maximum 3
12.Switch1(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
   Switch1(config-if)# switchport port-security mac-address BBBB.CCCC.DDDD
   Switch1(config-if)# switchport port-security mac-address CCCC.DDDD.EEEE
    * If there is already a mac address assigned on the interface,
      you need to shutdown the interface then assign the specified MAC
      address...re-enable the interface afterwards
13.Switch1# show port-security interface fa0/1
14.Switch1# show port-security address

DYNAMIC STICKY

The mac addresses that are dynamically learned in this configuration are saved as long as there is a saved startup-config file

PROCEDURE

Administratively shut down all switch ports that aren't in use
Verify that all unused switch ports have been administratively shutdown
Enable port security only on the pertinent/used switch ports
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address
Configure the interface to dynamically learn mac addresses in sticky mode with a maximum of 3 addresses
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address

IMPLEMENTATION

01.Switch1(config)# interface range fa0/9 - fa0/23
   Switch1(config-if-range)# shutdown
02.Switch1(config-if-range)# do show run
03.Switch1(config)# interface fa0/1
   Switch1(config-if)# switchport mode access
   Switch1(config-if)# switchport port-security

    * The interface must be in access or trunk mode IOT for port
      security to be enabled. If the interface is in the default
      "dynamic auto" mode, an error message will be displayed 
      letting the user know that the mode must be first changed

04.Switch1# show port-security interface fa0/1
05.Switch1# show port-security address
06.Switch1(config)# interface fa0/1
   Switch1(config-if)# switchport port-security mac-address sticky
   Switch1(config-if)# switchport port-security maximum 3
07.Switch1# show port-security interface fa0/1
08.Switch1# show port-security address

FIXING VIOLATION ISSUES

Procedure for fixing an interface that is in "err-disabled" state

PROCEDURE

Administratively shutdown all switch ports that aren't in use
Verify that all unused switch ports have been administratively shutdown
Enable port security only on the pertinent/used switch ports
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address
Configure the interface to have a statically learned mac address of host A with a maximum mac address of 1 allowed
Configure a security violation of shutdown on the specified interface
Assign an IPv4 address to Host A & send one packet to the default gateway
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address
Introduce a new host "Host B" to interface gi0/0 "which has a different" mac address - Configure Host B with an IPv4 address - send one packet to the default gateway using Host B, to trigger port-security
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address
Display port security violation issues
Remove the intruding host "Host B" from the network
Fix the violation and re-enable the port for Host A
Display the default settings for port security on the specified interface - also display all interfaces that have port security enabled including their MAC address - display any port security violation issues

IMPLEMENTATION

01.Switch1(config)# interface range fa0/9 - fa0/23
   Switch1(config-if-range)# shutdown
02.Switch1(config-if-range)# do show run
03.Switch1(config)# interface fa0/1
   Switch1(config-if)# switchport mode access
   Switch1(config-if)# switchport port-security

    * The interface must be in access or trunk mode IOT for port
      security to be enabled. If the interface is in the default
      "dynamic auto" mode, an error message will be displayed
      letting the user know that the mode must be first changed

04.Switch1# show port-security interface fa0/1
05.Switch1# show port-security address
06.Switch1(config)# interface fa0/1
   Switch1(config-if)# switchport port-security mac-address <mac of host A>
   Switch1(config-if)# switchport port-security maximum 1
07.Switch1(config-if)# switchport port-security violation shutdown
08.root@HostA:~# ifconfig eth0 192.168.1.2/24
   root@HostA:~# ping -c 1 192.168.1.1
09.Switch1# show port-security interface fa0/1
10.Switch1# show port-security address
11.Introduce Host B into the network using fa0/1
    - root@HostB:~# ifconfig eth0 192.168.1.2/24
    - root@HostB:~# ping -c 1 192.168.1.1
12.Switch1# show port-security interface fa0/1
13.Switch1# show port-security address
14.Switch1# show port-security
15.Remove the intruding host "Host B" from the network and re-attach
   Host A to fa0/1
16.Switch1(config)# interface fa0/1
   Switch1(config-if)# shutdown
   Switch1(config-if)# no shutdown
17.Switch1# show port-security interface fa0/1
   Switch1# show port-security address
   Switch1# show port-security

PreviousVLAN TRUNKS NextCISCO ROUTER

Last updated 8 months ago