PORT SECURITY

DYNAMIC SECURE
The mac addresses learned in this configuration aren't saved when the switch reboots
PROCEDURE
Administratively shut down all switch ports that aren't in use
Verify that all unused switch ports have been administratively shutdown
Enable a dynamic secure port security only on the pertinent/used switch ports
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their mac addresses
Configure the interface to only have access to 2 dynamically learned mac addresses
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled, including their mac addresses
Assign an IP address to the PC
Send out one echo request to the default gateway * although no router/default gateway is assigned, the switch will still capture the mac address of the PC, because the PC has to send a frame (its ARP request for the gateway) out the port and the switch learns the source mac from it
Display all interfaces that have port security enabled including their mac addresses
IMPLEMENTATION
01.Switch1(config)# interface range fa0/9 - fa0/23
Switch1(config-if-range)# shutdown
02.Switch1(config-if-range)# do show ip interface brief
03.Switch1(config)# interface fa0/1
Switch1(config-if)# switchport mode access
* LAN interfaces connected to end nodes are set to switchport mode access
because those end nodes don't require the sending of DTP messages...and
this disables DTP on that interface
Switch1(config-if)# switchport port-security
* The interface must be in access or trunk mode in order for port
security to be enabled. If the interface is in the default
"dynamic auto" mode, an error message will be displayed
letting the user know that the mode must first be changed
04.Switch1# show port-security interface fa0/1
05.Switch1# show port-security address
06.Switch1(config)# interface fa0/1
Switch1(config-if)# switchport port-security maximum 2
07.Switch1# show port-security interface fa0/1
08.Switch1# show port-security address
09.PC> ip addr add 192.168.1.2/24 dev eth0
PC> ip route add default via 192.168.1.1 dev eth0
* The older (ifconfig) method of assigning an IPv4 address on Linux
- PC> ifconfig eth0 192.168.1.2/24
10.PC > ping -c 1 192.168.1.1
11.Switch1# show port-security address
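The two hardening steps of this procedure (every unused port shut down, every used port in access mode with port security and an explicit maximum) are easy to verify by reading the running-config instead of eyeballing "show ip interface brief". The following script is an added example, not part of the original notes; it parses a constructed running-config excerpt (the interface names and lines below are made up for the example) and reports each port that deviates from the procedure.

```python
import re

# Constructed running-config excerpt for this example (not taken from the page).
# Fa0/1 follows the procedure, Fa0/2 is used but unsecured, Fa0/9 is shut,
# Fa0/10 is unused but was left up.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} from IOS-style config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None          # "!" ends an interface stanza
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_port_security(config, used_ports):
    """Check the procedure above against a running-config.

    used_ports: the interfaces that have an end node attached. Every other
    port must be administratively shut down; every used port must be in
    access mode, have port security enabled and carry an explicit maximum
    (without one IOS defaults to a single address, which is often not what
    the administrator intended). Returns a sorted list of findings; an empty
    list means the config matches the procedure.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name in used_ports:
            if "switchport mode access" not in lines:
                findings.append(f"{name}: not in access mode (DTP still negotiating)")
            if "switchport port-security" not in lines:
                findings.append(f"{name}: port-security not enabled")
            elif not any(l.startswith("switchport port-security maximum") for l in lines):
                findings.append(f"{name}: no explicit maximum (defaults to 1)")
        elif "shutdown" not in lines:
            findings.append(f"{name}: unused port is not shut down")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_port_security(SAMPLE_RUNNING_CONFIG,
                                       {"FastEthernet0/1", "FastEthernet0/2"}):
        print(finding)
```

On a real switch, feed it the output of "show running-config" and the set of ports you know are in use; any port that is neither in that set nor shut down is the finding that matters most, since an open, unsecured port is exactly what port security is meant to prevent.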
STATIC
PROCEDURE
Administratively shut down all switch ports that aren't in use
Verify that all unused switch ports have been administratively shutdown
Enable port security only on the pertinent/used switch ports
Assign an IP address to the PC
Send out one echo request to the default gateway * although no router/default gateway is assigned, the switch will still capture the mac address of the PC, because the PC has to send a frame (its ARP request for the gateway) out the port and the switch learns the source mac from it
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled, including their mac addresses
Configure the interface to allow only a statically configured mac address of AAAA.BBBB.CCCC
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled, including their mac addresses
Reconfigure the interface to have 3 mac addresses allowed
Reconfigure the interface to have the following mac addresses AAAA.BBBB.CCCC, CCCC.DDDD.EEEE and 1234.ABCD.5678
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled, including mac addresses
IMPLEMENTATION
01.Switch1(config)# interface range fa0/9 - fa0/23
Switch1(config-if-range)# shutdown
02.Switch1(config-if-range)# do show ip interface brief
03.Switch1(config)# interface fa0/1
Switch1(config-if)# switchport mode access
* LAN interfaces connected to end nodes are set to switchport mode access
because those end nodes don't require the sending of DTP messages...and
this disables DTP on that interface
Switch1(config-if)# switchport port-security
* The interface must be in access or trunk mode in order for port
security to be enabled. If the interface is in the default
"dynamic auto" mode, an error message will be displayed
letting the user know that the mode must first be changed
04.PC> ip addr add 192.168.1.2/24 dev eth0
PC> ip route add default via 192.168.1.1 dev eth0
* The older (ifconfig) method of assigning an IPv4 address on Linux
- PC> ifconfig eth0 192.168.1.2/24
05.PC > ping -c 1 192.168.1.1
06.Switch1# show port-security interface fa0/1
07.Switch1# show port-security address
08.Switch1(config)# interface fa0/1
Switch1(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
* If a mac address is already secured on the interface, shut the
interface down, assign the specified MAC address, and then
re-enable the interface
Switch1(config-if)# switchport port-security maximum 1
09.Switch1# show port-security interface fa0/1
10.Switch1# show port-security address
11.Switch1(config)# interface fa0/1
Switch1(config-if)# switchport port-security maximum 3
12.Switch1(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
Switch1(config-if)# switchport port-security mac-address BBBB.CCCC.DDDD
Switch1(config-if)# switchport port-security mac-address CCCC.DDDD.EEEE
* If a mac address is already secured on the interface, shut the
interface down, assign the specified MAC addresses, and then
re-enable the interface
13.Switch1# show port-security interface fa0/1
14.Switch1# show port-security address
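The static addresses above are typed in IOS dotted form (AAAA.BBBB.CCCC), while a Linux host reports its own address in colon form (aa:aa:bb:bb:cc:cc, from "ip link"), so transcription errors between the two formats are a common reason a static entry silently fails to match the host. The helper below is an added example, not from the original notes: it normalizes any of the usual MAC spellings into the IOS form and generates the static port-security commands for an interface, setting the maximum to the number of configured addresses so that no unknown host fits alongside them. The interface name and the colon-form addresses in the usage are constructed for the example.

```python
import re


def to_ios_mac(mac):
    """Normalize aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or
    aabbccddeeff into the dotted upper-case form IOS expects (AABB.CCDD.EEFF)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4)).upper()


def static_port_security_commands(interface, macs, violation="shutdown"):
    """Build the interface-level commands for a statically secured access port.

    The commands follow the order used in the procedure above: access mode,
    enable port security, set the maximum, set the violation action, then
    one mac-address line per host. The maximum equals the number of static
    entries so that the count can never leave room for an unlisted host.
    """
    ios_macs = [to_ios_mac(m) for m in macs]
    if len(set(ios_macs)) != len(ios_macs):
        raise ValueError("duplicate MAC addresses in list")
    if violation not in ("protect", "restrict", "shutdown"):
        raise ValueError(f"unknown violation mode: {violation}")
    cmds = [
        f"interface {interface}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {len(ios_macs)}",
        f" switchport port-security violation {violation}",
    ]
    cmds += [f" switchport port-security mac-address {m}" for m in ios_macs]
    return cmds


if __name__ == "__main__":
    # Constructed host addresses in Linux colon form; they map to the three
    # example addresses used in the procedure above.
    hosts = ["aa:aa:bb:bb:cc:cc", "cc:cc:dd:dd:ee:ee", "12:34:ab:cd:56:78"]
    print("\n".join(static_port_security_commands("fa0/1", hosts)))
```

Pasting the generated lines into config mode reproduces steps 11 and 12 of the implementation; because the maximum is emitted before the mac-address lines, the switch never sees more configured addresses than its limit allows.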
DYNAMIC STICKY
The mac addresses that are dynamically learned in this configuration are written into the running-config and survive a reboot as long as the running-config has been saved to the startup-config file
PROCEDURE
Administratively shut down all switch ports that aren't in use
Verify that all unused switch ports have been administratively shutdown
Enable port security only on the pertinent/used switch ports
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address
Configure the interface to dynamically learn mac addresses in sticky mode with a maximum of 3 addresses
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address
IMPLEMENTATION
01.Switch1(config)# interface range fa0/9 - fa0/23
Switch1(config-if-range)# shutdown
02.Switch1(config-if-range)# do show run
03.Switch1(config)# interface fa0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport port-security
* The interface must be in access or trunk mode in order for port
security to be enabled. If the interface is in the default
"dynamic auto" mode, an error message will be displayed
letting the user know that the mode must first be changed
04.Switch1# show port-security interface fa0/1
05.Switch1# show port-security address
06.Switch1(config)# interface fa0/1
Switch1(config-if)# switchport port-security mac-address sticky
Switch1(config-if)# switchport port-security maximum 3
07.Switch1# show port-security interface fa0/1
08.Switch1# show port-security address
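The difference between the three sections so far shows up in the Type column of "show port-security address": SecureDynamic entries are lost on reboot, SecureSticky and SecureConfigured entries survive only if the running-config was saved. The script below is an added example, not from the original notes; it parses a constructed copy of that table (the MACs and ports are made up) and lists the addresses that would have to be relearned after a reload.

```python
import re

# Constructed "show port-security address" output for this example
# (not captured from the page's switch). One entry of each type.
SAMPLE_SHOW_PORT_SECURITY_ADDRESS = """\
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0011.2233.4455    SecureDynamic                 Fa0/1        -
   1    0011.2233.4466    SecureSticky                  Fa0/2        -
   1    AAAA.BBBB.CCCC    SecureConfigured              Fa0/3        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# A table row: vlan, dotted MAC, type, port. Header, rule and summary lines
# do not start with a number and are skipped.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+(\S+)\s+(\S+)"
)

PERSISTENCE = {
    "SecureDynamic": "lost on reboot",
    "SecureSticky": "kept if startup-config is saved",
    "SecureConfigured": "kept if startup-config is saved",
}


def parse_secure_addresses(output):
    """Return a list of {vlan, mac, type, port} dicts from the table."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"vlan": int(m.group(1)), "mac": m.group(2).upper(),
                         "type": m.group(3), "port": m.group(4)})
    return rows


def survives_reboot(entry_type):
    """Describe what happens to an entry of this Type after a reload."""
    return PERSISTENCE.get(entry_type, "unknown type")


def volatile_addresses(output):
    """(port, mac) pairs that will have to be relearned after a reload."""
    return [(r["port"], r["mac"]) for r in parse_secure_addresses(output)
            if r["type"] == "SecureDynamic"]


if __name__ == "__main__":
    for row in parse_secure_addresses(SAMPLE_SHOW_PORT_SECURITY_ADDRESS):
        print(f"{row['port']:6} {row['mac']} {row['type']:17} -> {survives_reboot(row['type'])}")
```

A sticky entry only shows as SecureSticky in this table; whether it is actually safe across a reload depends on "copy running-config startup-config" having been run after the address was learned, which this output cannot tell you, so pair the check with a comparison of "show run" against "show start".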
FIXING VIOLATION ISSUES

Procedure for fixing an interface that is in "err-disabled" state
PROCEDURE
Administratively shutdown all switch ports that aren't in use
Verify that all unused switch ports have been administratively shutdown
Enable port security only on the pertinent/used switch ports
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address
Configure the interface to have a statically learned mac address of host A with a maximum mac address of 1 allowed
Configure a security violation of shutdown on the specified interface
Assign an IPv4 address to Host A & send one packet to the default gateway
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address
Introduce a new host "Host B", which has a different mac address, on interface gi0/0 - configure Host B with an IPv4 address - send one packet to the default gateway from Host B to trigger port security
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address
Display port security violation issues
Remove the intruding host "Host B" from the network
Fix the violation and re-enable the port for Host A
Display the default settings for port security on the specified interface
Display all interfaces that have port security enabled including their MAC address
Display any port security violation issues
IMPLEMENTATION
01.Switch1(config)# interface range fa0/9 - fa0/23
Switch1(config-if-range)# shutdown
02.Switch1(config-if-range)# do show run
03.Switch1(config)# interface fa0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport port-security
* The interface must be in access or trunk mode in order for port
security to be enabled. If the interface is in the default
"dynamic auto" mode, an error message will be displayed
letting the user know that the mode must first be changed
04.Switch1# show port-security interface fa0/1
05.Switch1# show port-security address
06.Switch1(config)# interface fa0/1
Switch1(config-if)# switchport port-security mac-address <mac of host A>
Switch1(config-if)# switchport port-security maximum 1
07.Switch1(config-if)# switchport port-security violation shutdown
08.root@HostA:~# ifconfig eth0 192.168.1.2/24
root@HostA:~# ping -c 1 192.168.1.1
09.Switch1# show port-security interface fa0/1
10.Switch1# show port-security address
11.Introduce Host B into the network using fa0/1
- root@HostB:~# ifconfig eth0 192.168.1.2/24
- root@HostB:~# ping -c 1 192.168.1.1
12.Switch1# show port-security interface fa0/1
13.Switch1# show port-security address
14.Switch1# show port-security
15.Remove the intruding host "Host B" from the network and re-attach
Host A to fa0/1
16.Switch1(config)# interface fa0/1
Switch1(config-if)# shutdown
Switch1(config-if)# no shutdown
17.Switch1# show port-security interface fa0/1
Switch1# show port-security address
Switch1# show port-security
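When a violation-shutdown port trips, "show port-security interface" reports Port Status as Secure-shutdown, a non-zero Security Violation Count, and the offending MAC in Last Source Address:Vlan, which is how you identify the "Host B" of step 11 before bouncing the port. The following is an added example, not from the original notes: it parses two constructed copies of that output (a healthy port and an err-disabled one; the addresses are made up), flags the err-disabled case and emits the recovery commands from step 16.

```python
import re

# Constructed "show port-security interface fa0/1" outputs for this example
# (not captured from the page's switch).
SECURE_UP = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : AAAA.BBBB.CCCC:1
Security Violation Count   : 0
"""

SECURE_SHUTDOWN = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 1234.ABCD.5678:1
Security Violation Count   : 1
"""


def parse_port_security_interface(output):
    """Turn the 'Key : Value' lines into a dict.

    Splitting on a colon surrounded by whitespace keeps the key
    'Last Source Address:Vlan' and its 'MAC:vlan' value intact.
    """
    fields = {}
    for line in output.splitlines():
        parts = re.split(r"\s+:\s+", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields


def triage(interface, output):
    """Report whether port security err-disabled the port and how to recover.

    The recovery commands are the page's step 16 (shutdown / no shutdown).
    They only help once the intruding host has been unplugged; otherwise the
    port trips again on its next frame.
    """
    f = parse_port_security_interface(output)
    status = f.get("Port Status", "")
    result = {
        "interface": interface,
        "status": status,
        "violations": int(f.get("Security Violation Count", "0")),
        "last_source": f.get("Last Source Address:Vlan", ""),
        "err_disabled": status == "Secure-shutdown",
        "recovery": [],
    }
    if result["err_disabled"]:
        result["recovery"] = [f"interface {interface}", " shutdown", " no shutdown"]
    return result


if __name__ == "__main__":
    for name, output in (("healthy", SECURE_UP), ("tripped", SECURE_SHUTDOWN)):
        r = triage("fa0/1", output)
        print(f"{name}: status={r['status']} violations={r['violations']} "
              f"last_source={r['last_source']}")
        for cmd in r["recovery"]:
            print("   ", cmd)
```

The manual bounce in step 16 is the only path shown in these notes; Cisco IOS can also re-enable such ports on a timer with "errdisable recovery cause psecure-violation", but that recovery is pointless while the offending host is still attached, which is why the procedure removes Host B first.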