How to Configure Dynamic Switchport Security?
Due to the limited feature support of the NM-16ESW, this lab CANNOT be completed
using the Free CCNA Workbook GNS3 topology. However, this lab can be completed
using the Stub Lab.
Real World Application & Core Knowledge
It is common knowledge that when a switch reaches the maximum size of its MAC address table it starts flooding traffic out all ports like a hub. Hackers know this and will use it to gain access into a network: if they can flood the switch with thousands of fake MAC addresses, the switch effectively becomes a hub and all traffic is forwarded to their machine, where they can sniff telnet or any other insecure protocol used in the environment to gain further access into the network.
A way to prevent this “MAC address table poisoning” vulnerability is to use a feature called “Port Security”.
Port Security is essentially a layer 2 security mechanism that can limit the number of MAC addresses that can be learned on a single switch port, or be used as a security barrier to prevent anyone from unplugging a network device and plugging in a new device without authorization.
Ideally, no more than three MAC addresses should be learned at any given time on a single switch port in a Cisco network. Why 3? Most networks envision a future where VoIP will be utilized, and when using a Cisco VoIP solution, the Cisco VoIP phone has a built-in mini switch. When you connect a phone to the network it will advertise three MAC addresses to the switch: one MAC for the built-in phone switch, another MAC for the phone itself, and the last MAC for the directly connected PC.
There are several configuration options that must be set to enable port security correctly: port security MAC address aging, which sets a timeout used to determine how long a MAC address should stay associated with a particular port; the port security MAC address type, which can be dynamic or sticky (discussed in the next lab); the maximum number of MAC addresses that can be associated with a particular port; and the violation action, that is, whether to protect, restrict or shut down the port once the maximum MAC address limit has been exceeded or a device does not match the MAC address configured in the port security configuration.
There are three different violation modes you can use with Port Security. The first is protect: a port in protect mode will still allow permissible traffic from authorized MAC addresses, but all other traffic from unknown MAC addresses will be dropped. A port in restrict mode will restrict all traffic and generate an SNMP trap to the SNMP server for administrative reference. The last mode is “shutdown”, which places the port into “Err-Disabled” mode once a port security violation has occurred.
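To make the three modes concrete, here is an added example in Python (written for this page, not code from the Free CCNA Workbook or from Cisco) that models a port-security-enabled interface: source addresses are learned dynamically up to the configured maximum, and an unknown source arriving once the limit is reached is handled according to the violation mode. The model follows the behaviour Cisco IOS documents for each mode: protect drops the offending frame silently, restrict drops it and additionally increments the violation counter and logs it, and shutdown counts it, logs it and err-disables the port. The port name, the frame sequence (the lab's four addresses) and the log strings, modelled on the messages shown later in this lab, are assumptions made for the demonstration.

```python
# Added example, not code from the Free CCNA Workbook lab or from Cisco: a small
# model of how a port with 'switchport port-security' learns addresses and reacts
# to a violation, so the three violation modes can be compared on one frame sequence.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """State of one switch port with port security enabled."""
    name: str
    maximum: int = 1                      # switchport port-security maximum #
    violation: str = "shutdown"           # violation {protect | restrict | shutdown}
    secure_macs: list = field(default_factory=list)   # SecureDynamic entries
    violation_count: int = 0              # "Security Violation Count" in show output
    err_disabled: bool = False            # True once the port is in err-disable state
    syslog: list = field(default_factory=list)        # messages the switch would log

    def receive(self, src_mac: str) -> bool:
        """Handle one ingress frame from src_mac. Returns True if it is forwarded."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                  # a shut-down port forwards nothing
        if src_mac in self.secure_macs:
            return True                   # already a secure address on this port
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # dynamic learning while below the limit
            return True
        # Limit reached and the source is unknown: a port-security violation.
        if self.violation == "protect":
            return False                  # silently dropped, nothing counted or logged
        self.violation_count += 1         # restrict and shutdown both count it
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}."
        )
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(
                f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
                f"putting {self.name} in err-disable state"
            )
        return False


# The lab's sequence (assumed for this example): the existing MAC of R1 Fa0/0 is
# learned first, then R1's interface MAC is changed three times.
LAB_FRAMES = ["000f.242e.bf80", "aaaa.aaaa.aaaa", "aaaa.aaaa.aaab", "aaaa.aaaa.aaac"]


def run_lab(violation_mode: str, maximum: int = 3) -> dict:
    """Replay the lab's four source addresses through a port in the given mode."""
    port = SecurePort("FastEthernet0/1", maximum=maximum, violation=violation_mode)
    forwarded = [port.receive(mac) for mac in LAB_FRAMES]
    # After the violation, does a host that was already secure still get through?
    after_violation = port.receive("aaaa.aaaa.aaaa")
    return {
        "forwarded": forwarded,
        "after_violation": after_violation,
        "secure_macs": list(port.secure_macs),
        "violation_count": port.violation_count,
        "err_disabled": port.err_disabled,
        "syslog": list(port.syslog),
    }


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        result = run_lab(mode)
        print(mode, result["forwarded"], "err-disabled:", result["err_disabled"],
              "violations:", result["violation_count"])
```

Running it shows the trade-off the lab's choice of shutdown makes: in protect and restrict mode the fourth address is dropped but the three secure hosts keep working, while in shutdown mode the whole port goes down, including the hosts that were legitimately learned, until an administrator recovers it.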
Lab Prerequisites
If you are using GNS3, load the Free CCNA Workbook GNS3 topology, then start devices R1 and SW1.
Establish a console session with devices R1 and SW1, then configure their respective hostnames.
Assign the IP address 10.1.1.1/24 to R1 Fa0/0 and the IP address 10.1.1.10/24 to SW1's Vlan1 interface, then verify IP connectivity between R1 and SW1.
In this lab you will familiarize yourself with the following commands:
Command / Description

switchport port-security
    This command is executed in interface configuration mode and enables port security on the configured port.

switchport port-security aging
    This command is executed in interface configuration mode and sets the MAC address aging timer, which determines how long a MAC address stays associated with a particular port that has port security enabled.

switchport port-security mac-address {hhhh.hhhh.hhhh | sticky}
    This command is executed in interface configuration mode and either specifies a static MAC address or converts the dynamically learned MAC addresses into statically configured (sticky) MAC addresses.

switchport port-security maximum #
    This command is executed in interface configuration mode and specifies the maximum number of MAC addresses that can be learned on that switchport before a violation is triggered.

switchport port-security violation {protect | restrict | shutdown}
    This command is executed in interface configuration mode and specifies the action to be taken upon a port security violation.

show port-security
    This command is executed in privileged mode to view the current status of all ports on the switch that are participating in port security.

show port-security interface interfacename#/#
    This command is executed in privileged mode to view the details of port security on a particular port, including status, timeout, violation mode, maximum MAC addresses and other configurable options.

show port-security interface interfacename#/# address
    This command is executed in privileged mode to view the port's currently associated port-security MAC addresses.
Lab Objectives
Enable port-security on SW1 interface Fa0/1 and allow a maximum of 3 MAC addresses.
Configure interface Fa0/1 on SW1 to shut down the port if there is a port-security violation.
Verify your port-security configuration on SW1 by changing the MAC address on R1's FastEthernet0/0 interface to aaaa.aaaa.aaaa, then aaaa.aaaa.aaab and finally aaaa.aaaa.aaac to trigger a violation.
Lab Instruction
Step 1. Enable port-security on SW1 interface Fa0/1 and allow a maximum of 3 MAC addresses.
To enable port security on a specific port, use the switchport port-security command in interface configuration mode, then set the address limit with switchport port-security maximum, as shown below:
SW1 con0 is now available
Press RETURN to get started.
SW1>enable
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface fa0/1
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#
Step 2. Configure interface Fa0/1 on SW1 to shut down the port if there is a port-security violation.
To shut down a port once a violation is triggered, use the switchport port-security violation shutdown command in interface configuration mode as shown below:
SW1(config-if)#switchport port-security violation shutdown
Step 3. Verify your port-security configuration on SW1 by changing the MAC address on R1's FastEthernet0/0 interface to aaaa.aaaa.aaaa, then aaaa.aaaa.aaab and finally aaaa.aaaa.aaac to trigger a violation.
You can first verify your configuration with the show port-security interface fa0/1 command in privileged mode, which shows the current port-security configuration on a per-port basis, as shown below:
SW1(config-if)#end
SW1#
%SYS-5-CONFIG_I: Configured from console by console
SW1#show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000f.242e.bf80:1
Security Violation Count : 0
SW1#
As you can see from the output above, the port status is currently “Secure-up”, meaning port security is enabled, and the maximum address count is 3. Note that the port has already learned one address (Total MAC Addresses : 1): the existing MAC of R1's Fa0/0, 000f.242e.bf80 in the output above. You can test this port-security configuration by changing the MAC address on R1 three times; after the third change the port will have seen four source addresses, which exceeds the limit of 3, and a violation will occur.
You can change the MAC address of a router's interface with the mac-address xxxx.xxxx.xxxx command in interface configuration mode, as shown below:
R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fa0/0
R1(config-if)#mac-address aaaa.aaaa.aaaa
R1(config-if)#mac-address aaaa.aaaa.aaab
R1(config-if)#mac-address aaaa.aaaa.aaac
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R1(config-if)#
If you were watching SW1 after each MAC address change on R1, you would see the secure address table grow as shown below until the port was automatically placed into Err-Disabled mode:
SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    000f.242e.bf80    SecureDynamic       Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 1
SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    000f.242e.bf80    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaaa    SecureDynamic       Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 2
SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    000f.242e.bf80    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaaa    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaab    SecureDynamic       Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 3
SW1#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
SW1#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.aaaa.aaac on port FastEthernet0/1.
SW1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
SW1#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
SW1#
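The verification in Step 3 is done by eye here, but the same two pieces of output (the show port-security interface block and the syslog messages) are what you would check automatically across many switch ports. The following Python is an added example, not part of the original lab or any Cisco tool: it parses the show output as printed above into fields, audits it against this lab's policy (port security enabled, violation mode shutdown, maximum of 3 addresses, no recorded violations), and extracts the offending MAC, port and err-disabled interface from the syslog lines. The sample text is copied from the lab output above; the policy values and the function names are this example's own assumptions.

```python
# Added example, not code from the Free CCNA Workbook lab or from Cisco: parse the
# 'show port-security interface' output, audit it against the lab's policy, and pull
# the port-security events out of the switch syslog. Samples are copied from the lab.
import re

# Output of 'show port-security interface fa0/1' as shown in the lab.
SHOW_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000f.242e.bf80:1
Security Violation Count : 0
"""

# Syslog lines SW1 printed after the fourth source address appeared on Fa0/1.
SYSLOG = [
    "%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state",
    "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.aaaa.aaac on port FastEthernet0/1.",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
]


def parse_port_security(text: str) -> dict:
    """Turn 'Key : Value' lines into a dict. Splitting on ' : ' (with spaces) keeps
    the 'Last Source Address:Vlan' key intact."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def audit_port(fields: dict, max_allowed: int = 3, want_mode: str = "shutdown") -> list:
    """Return policy findings for one port; an empty list means the port is compliant.
    The policy values are this example's assumptions, taken from the lab objectives."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security not enabled")
    if fields.get("Violation Mode", "").lower() != want_mode:
        findings.append(f"violation mode is {fields.get('Violation Mode')!r}, expected {want_mode}")
    try:
        maximum = int(fields.get("Maximum MAC Addresses", "0"))
    except ValueError:
        maximum = 0
    if maximum < 1 or maximum > max_allowed:
        findings.append(f"maximum MAC addresses is {maximum}, expected 1..{max_allowed}")
    if fields.get("Security Violation Count", "0") != "0":
        findings.append("port has recorded security violations")
    if fields.get("Port Status", "").lower() == "secure-shutdown":
        findings.append("port is err-disabled by port security")
    return findings


# Patterns for the two messages the lab shows when shutdown mode fires.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address (\S+) on port (\S+?)\.?$"
)
ERR_DISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")


def detect_violations(lines: list) -> dict:
    """Extract offending MAC/port pairs and err-disabled ports from syslog lines."""
    violations, err_disabled = [], []
    for line in lines:
        m = VIOLATION_RE.search(line)
        if m:
            violations.append({"port": m.group(2), "mac": m.group(1).lower()})
        m = ERR_DISABLE_RE.search(line)
        if m:
            err_disabled.append(m.group(1))
    return {"violations": violations, "err_disabled": err_disabled}


if __name__ == "__main__":
    fields = parse_port_security(SHOW_OUTPUT)
    print("findings:", audit_port(fields) or "none, port matches policy")
    print(detect_violations(SYSLOG))
```

The audit flags the same things you would look for by hand in the show output: a port that is not secured, a mode weaker than the one you intended, a limit larger than the three addresses the lab recommends, or a non-zero violation count. The syslog parser gives you the port and the source MAC that caused the violation, which is exactly what you need to decide whether the err-disabled port was a misconfiguration (for example a fourth legitimate device) or something that needs investigating before the port is brought back up.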
More Related Topics:
Switchport Security & Configuration
How to Configure Dynamic DNS on a Cisco Router?

More Related Content

What's hot

Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
CCIE R&S Real Lab Workbbok 2018 updated
CCIE R&S Real Lab Workbbok 2018 updatedCCIE R&S Real Lab Workbbok 2018 updated
CCIE R&S Real Lab Workbbok 2018 updatedCCIERNSTRICKS.COM
 
Exploit wep flaws in six steps using backtrack 5 r3 (crack hack wireless)
Exploit wep flaws in six steps using backtrack 5 r3 (crack hack wireless)Exploit wep flaws in six steps using backtrack 5 r3 (crack hack wireless)
Exploit wep flaws in six steps using backtrack 5 r3 (crack hack wireless)Mohammed Omar
 
How to Configure Private VLANs on Cisco Switches
How to Configure Private VLANs on Cisco SwitchesHow to Configure Private VLANs on Cisco Switches
How to Configure Private VLANs on Cisco SwitchesHarris Andrea
 
Chapter 14 - Sw Conf
Chapter 14 - Sw ConfChapter 14 - Sw Conf
Chapter 14 - Sw Confphanleson
 
Communication & switching networks lab manual
Communication & switching networks lab manualCommunication & switching networks lab manual
Communication & switching networks lab manualMUSAAB HASAN
 
Frame - MAC Address Threats & Vulnerabilities
Frame - MAC Address Threats & VulnerabilitiesFrame - MAC Address Threats & Vulnerabilities
Frame - MAC Address Threats & VulnerabilitiesMarc-Andre Heroux
 
Ch2 ccna exploration 3 lan switching and wireless
Ch2 ccna exploration 3 lan switching and wirelessCh2 ccna exploration 3 lan switching and wireless
Ch2 ccna exploration 3 lan switching and wirelesskratos2424
 
Packet Tracer Tutorial # 2
Packet Tracer Tutorial # 2Packet Tracer Tutorial # 2
Packet Tracer Tutorial # 2Abdul Basit
 
Configuration steps for the cisco 300 series switches v3
Configuration steps for the cisco 300 series switches v3Configuration steps for the cisco 300 series switches v3
Configuration steps for the cisco 300 series switches v3Conrad Cruz
 
Basic Cisco 800 Router Configuration for Internet Access
Basic Cisco 800 Router Configuration for Internet AccessBasic Cisco 800 Router Configuration for Internet Access
Basic Cisco 800 Router Configuration for Internet AccessHarris Andrea
 
Telnet configuration
Telnet configurationTelnet configuration
Telnet configurationMdAlAmin187
 
Cohesive Networks Support Docs: VNS3 Administration
Cohesive Networks Support Docs: VNS3 AdministrationCohesive Networks Support Docs: VNS3 Administration
Cohesive Networks Support Docs: VNS3 AdministrationCohesive Networks
 
Important cisco-chow-commands
Important cisco-chow-commandsImportant cisco-chow-commands
Important cisco-chow-commandsssusere31b5c
 

What's hot (17)

Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
 
Switch security
Switch securitySwitch security
Switch security
 
CCIE R&S Real Lab Workbbok 2018 updated
CCIE R&S Real Lab Workbbok 2018 updatedCCIE R&S Real Lab Workbbok 2018 updated
CCIE R&S Real Lab Workbbok 2018 updated
 
Exploit wep flaws in six steps using backtrack 5 r3 (crack hack wireless)
Exploit wep flaws in six steps using backtrack 5 r3 (crack hack wireless)Exploit wep flaws in six steps using backtrack 5 r3 (crack hack wireless)
Exploit wep flaws in six steps using backtrack 5 r3 (crack hack wireless)
 
Ip Access Lists
Ip Access ListsIp Access Lists
Ip Access Lists
 
How to Configure Private VLANs on Cisco Switches
How to Configure Private VLANs on Cisco SwitchesHow to Configure Private VLANs on Cisco Switches
How to Configure Private VLANs on Cisco Switches
 
Chapter 14 - Sw Conf
Chapter 14 - Sw ConfChapter 14 - Sw Conf
Chapter 14 - Sw Conf
 
Communication & switching networks lab manual
Communication & switching networks lab manualCommunication & switching networks lab manual
Communication & switching networks lab manual
 
Frame - MAC Address Threats & Vulnerabilities
Frame - MAC Address Threats & VulnerabilitiesFrame - MAC Address Threats & Vulnerabilities
Frame - MAC Address Threats & Vulnerabilities
 
Ch2 ccna exploration 3 lan switching and wireless
Ch2 ccna exploration 3 lan switching and wirelessCh2 ccna exploration 3 lan switching and wireless
Ch2 ccna exploration 3 lan switching and wireless
 
Packet Tracer Tutorial # 2
Packet Tracer Tutorial # 2Packet Tracer Tutorial # 2
Packet Tracer Tutorial # 2
 
Configuration steps for the cisco 300 series switches v3
Configuration steps for the cisco 300 series switches v3Configuration steps for the cisco 300 series switches v3
Configuration steps for the cisco 300 series switches v3
 
Basic Cisco 800 Router Configuration for Internet Access
Basic Cisco 800 Router Configuration for Internet AccessBasic Cisco 800 Router Configuration for Internet Access
Basic Cisco 800 Router Configuration for Internet Access
 
Telnet configuration
Telnet configurationTelnet configuration
Telnet configuration
 
Cohesive Networks Support Docs: VNS3 Administration
Cohesive Networks Support Docs: VNS3 AdministrationCohesive Networks Support Docs: VNS3 Administration
Cohesive Networks Support Docs: VNS3 Administration
 
Important cisco-chow-commands
Important cisco-chow-commandsImportant cisco-chow-commands
Important cisco-chow-commands
 
Cman
CmanCman
Cman
 

Similar to Configure Dynamic Switchport Security

Security Concerns in LANs.pptx
Security Concerns in LANs.pptxSecurity Concerns in LANs.pptx
Security Concerns in LANs.pptxjoko
 
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...INFitunes
 
Network Security- port security.pptx
Network Security- port security.pptxNetwork Security- port security.pptx
Network Security- port security.pptxSulSya
 
Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Dân Chơi
 
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationLAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationAbdelkhalik Mosa
 
CCNA Security configuration
CCNA Security configurationCCNA Security configuration
CCNA Security configurationRafat Khandaker
 
Switching vla ns_secugenius_harksh_mikemclain_secugenius security solutions
Switching vla ns_secugenius_harksh_mikemclain_secugenius security solutionsSwitching vla ns_secugenius_harksh_mikemclain_secugenius security solutions
Switching vla ns_secugenius_harksh_mikemclain_secugenius security solutionsMike McLain
 
VLAN, Trunk and 802.1q Router Configuration Objectiv.docx
VLAN, Trunk and 802.1q Router Configuration   Objectiv.docxVLAN, Trunk and 802.1q Router Configuration   Objectiv.docx
VLAN, Trunk and 802.1q Router Configuration Objectiv.docxdickonsondorris
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2samis
 
Expl sw chapter_02_switches_part_1
Expl sw chapter_02_switches_part_1Expl sw chapter_02_switches_part_1
Expl sw chapter_02_switches_part_1aghacrom
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANWebinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANNetgear Italia
 

Similar to Configure Dynamic Switchport Security (20)

SRWE_Module_11.pptx
SRWE_Module_11.pptxSRWE_Module_11.pptx
SRWE_Module_11.pptx
 
Security Concerns in LANs.pptx
Security Concerns in LANs.pptxSecurity Concerns in LANs.pptx
Security Concerns in LANs.pptx
 
VLAN
VLANVLAN
VLAN
 
Ch6
Ch6Ch6
Ch6
 
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
 
Network Security- port security.pptx
Network Security- port security.pptxNetwork Security- port security.pptx
Network Security- port security.pptx
 
Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011
 
Vlan
VlanVlan
Vlan
 
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationLAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
 
Switching
SwitchingSwitching
Switching
 
CCNA Security configuration
CCNA Security configurationCCNA Security configuration
CCNA Security configuration
 
Switching vla ns_secugenius_harksh_mikemclain_secugenius security solutions
Switching vla ns_secugenius_harksh_mikemclain_secugenius security solutionsSwitching vla ns_secugenius_harksh_mikemclain_secugenius security solutions
Switching vla ns_secugenius_harksh_mikemclain_secugenius security solutions
 
VLAN, Trunk and 802.1q Router Configuration Objectiv.docx
VLAN, Trunk and 802.1q Router Configuration   Objectiv.docxVLAN, Trunk and 802.1q Router Configuration   Objectiv.docx
VLAN, Trunk and 802.1q Router Configuration Objectiv.docx
 
Bluetooth
Bluetooth Bluetooth
Bluetooth
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2
 
Expl sw chapter_02_switches_part_1
Expl sw chapter_02_switches_part_1Expl sw chapter_02_switches_part_1
Expl sw chapter_02_switches_part_1
 
Attack.pptx
Attack.pptxAttack.pptx
Attack.pptx
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANWebinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
 
Switching
SwitchingSwitching
Switching
 
Switching
SwitchingSwitching
Switching
 

More from IT Tech

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setupIT Tech
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideIT Tech
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideIT Tech
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideIT Tech
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faqIT Tech
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesIT Tech
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresIT Tech
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solutionIT Tech
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesIT Tech
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesIT Tech
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesIT Tech
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellIT Tech
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000IT Tech
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexIT Tech
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesIT Tech
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesIT Tech
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration exampleIT Tech
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700IT Tech
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration optionsIT Tech
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement modelIT Tech
 

More from IT Tech (20)

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setup
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guide
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guide
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guide
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faq
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switches
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi features
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solution
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switches
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switches
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modes
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fex
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches series
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 series
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration example
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration options
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement model
 

Configure Dynamic Switchport Security

  • 1. How to Configure Dynamic Switchport Security? Due to the limited feature support of the NM-16ESW, this lab CANNOT be completed using the Free CCNA Workbook GNS3 topology. However, this lab can be completed using the Stub Lab. Real World Application & Core Knowledge It’s common knowledge that when a switch reaches the maximum limit for its mac address table it starts flooding traffic out all ports like a hub. Hackers know this and they will use this to gain access into a network. They know if they can flood the switch with thousands of fake mac addresses then the switch will become basically a hub and all traffic will be forwarded to their machine, in this case they could sniff telnet or any other insecure protocol used in the environment to gain further access into the network. A way to prevent this “mac address table poisoning” vulnerability is to use a feature called “Port Security” Port Security is essentially a layer 2 securitymechanisms that can limit the number of mac addresses that can be learned on a single switch port or perhaps be used as a security barrier to prevent anyone from unplugging a network device and plugging in a new device without authorization. Ideally, no more than three MAC addresses should be learned at any given time on a Cisco network. Why 3? Most Networks envision a future where VoIP will be utilized on their network and when using a Cisco VoIP Solution, the Cisco VoIP Phone has a built in mini switch. When you connect a phone to the network it will advertise three MAC addresses to the switch. one MAC for the built in phone switch, another MAC for the phone its self and the last mac for the directly connected PC. There are several configuration requirements to enable port-security correctly such as port security mac address aging which sets a timeout timer which is used to determine how long a MAC address should stay associated with a particular port. 
Port security mac-address which can be dynamic or sticky (Discussed in the next lab), the maximum MAC addresses that can be associated with a particular port and the violation action; rather it protect, restrict or shutdown the port once the max MAC address limit has been exceeded or a device does not match the configured MAC address on the port security configuration. There are three different types of violation methods you can use with Port Security, the first being a protected port. A Protected port security violation will still allow permissible traffic from authorized MAC addresses but all other traffic with unknown MAC addresses will be dropped. A Restricted port security violation will restrict all
traffic and generate an SNMP trap to the SNMP server for administrative reference. The last violation mode is shutdown, which places the port into err-disabled mode once a port security violation has occurred.

Lab Prerequisites

If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start devices R1 and SW1. Establish a console session with R1 and SW1 and configure each device's respective hostname. Assign the IP address 10.1.1.1/24 to R1 Fa0/0 and the IP address 10.1.1.10/24 to SW1's Vlan1 interface, then verify IP connectivity between R1 and SW1.

In this lab you will familiarize yourself with the following commands:

Command: switchport port-security
Description: Executed in interface configuration mode; enables port security on the configured port.

Command: switchport port-security aging
Description: Executed in interface configuration mode; sets the MAC address aging timer, which determines how long a MAC address stays associated with a particular port that has port-security enabled.

Command: switchport port-security mac-address {hhhh.hhhh.hhhh | sticky}
Description: Executed in interface configuration mode; specifies a static secure MAC address, or (with sticky) converts the dynamically learned MAC addresses into statically configured secure MAC addresses.

Command: switchport port-security maximum #
Description: Executed in interface configuration mode; specifies the maximum number of MAC addresses that can be learned on the switchport before a violation is triggered.

Command: switchport port-security violation {protect | restrict | shutdown}
Description: Executed in interface configuration mode; specifies the action to be taken upon a port security violation.

Command: show port-security
Description: Executed in privileged mode; shows the current port-security status of every port on the switch that participates in port-security.

Command: show port-security interface interfacename#/#
Description: Executed in privileged mode; shows the port-security details of a particular port, including status, aging timeout, violation mode, maximum MAC addresses and the other configurable options.

Command: show port-security interface interfacename#/# address
Description: Executed in privileged mode; shows the secure MAC addresses currently associated with the port.
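To make the difference between the three violation modes concrete, here is an added Python simulation. It is not code from the Free CCNA Workbook lab, and the names SecurePort, replay and LAB_SOURCES are this example's own. It replays the four source MAC addresses that appear on SW1 Fa0/1 during this lab, plus one more frame from R1's original address, through a port configured with a maximum of 3 under each mode, following Cisco's documented behaviour: protect drops frames from unknown addresses silently, restrict drops them and also increments the violation counter and raises a notification, and shutdown err-disables the whole port so that even previously secured addresses stop passing.

```python
"""Simulation of the three port-security violation modes.

Added example, not from the Free CCNA Workbook lab. SecurePort, replay() and
LAB_SOURCES are this example's own names, not IOS commands or data structures.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # switchport port-security maximum #
    violation: str = "shutdown"       # protect | restrict | shutdown
    secure_macs: list = field(default_factory=list)      # dynamically learned
    status: str = "Secure-up"         # becomes Secure-shutdown when err-disabled
    violation_count: int = 0
    notifications: list = field(default_factory=list)    # syslog/SNMP trap stand-ins

    def ingress(self, src_mac: str) -> str:
        """Process one ingress frame; return 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.status == "Secure-shutdown":
            # An err-disabled port passes nothing, not even known addresses,
            # until an administrator (or errdisable recovery) brings it back.
            return "err-disabled"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learn it as a secure address
            return "forward"
        # Limit already reached and the address is unknown: a violation.
        if self.violation == "protect":
            # Silently dropped: no counter, no syslog, no SNMP trap.
            return "drop"
        if self.violation == "restrict":
            self.violation_count += 1
            self.notifications.append(
                f"PSECURE_VIOLATION: {src_mac} on {self.name} (restrict)")
            return "drop"
        # shutdown: the whole port is placed in err-disabled state.
        self.violation_count += 1
        self.status = "Secure-shutdown"
        self.notifications.append(
            f"ERR_DISABLE: psecure-violation on {self.name}")
        return "err-disabled"


# Source MACs seen on SW1 Fa0/1 in the lab: R1's burned-in address
# followed by the three manually configured addresses.
LAB_SOURCES = ["000f.242e.bf80", "aaaa.aaaa.aaaa",
               "aaaa.aaaa.aaab", "aaaa.aaaa.aaac"]


def replay(violation: str, maximum: int, sources: list):
    """Send one frame per source MAC through a fresh port; return (results, port)."""
    port = SecurePort("Fa0/1", maximum=maximum, violation=violation)
    return [port.ingress(mac) for mac in sources], port


if __name__ == "__main__":
    # The trailing frame comes from R1's original (already secured) address,
    # which shows that only shutdown mode cuts off legitimate traffic too.
    for mode in ("protect", "restrict", "shutdown"):
        results, port = replay(mode, 3, LAB_SOURCES + ["000f.242e.bf80"])
        print(f"{mode:9} {results} status={port.status} "
              f"violations={port.violation_count}")
```

Running it prints one line per mode; the fourth frame (aaaa.aaaa.aaac) is the violation in every mode, but only under shutdown does the fifth frame from the originally learned address fail as well, because the port itself is err-disabled.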
Lab Objectives

Enable port-security on SW1 interface Fa0/1 and allow a maximum of 3 MAC addresses.

Configure interface Fa0/1 on SW1 to shut down the port if there is a port-security violation.

Verify your port-security configuration on SW1 by changing the MAC address on R1's FastEthernet0/0 interface to aaaa.aaaa.aaaa, then aaaa.aaaa.aaab and finally aaaa.aaaa.aaac to trigger a violation.

Lab Instruction

Step 1. Enable port-security on SW1 interface Fa0/1 and allow a maximum of 3 MAC addresses.

To enable port security on a specific port, use the switchport port-security command in interface configuration mode, as shown below:

SW1 con0 is now available

Press RETURN to get started.

SW1>enable
SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fa0/1
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#

Step 2. Configure interface Fa0/1 on SW1 to shut down the port if there is a port-security violation.

To shut down a port once a violation is triggered, use the switchport port-security violation shutdown command in interface configuration mode, as shown below:

SW1(config-if)#switchport port-security violation shutdown

Step 3. Verify your port-security configuration on SW1 by changing the MAC address on R1's FastEthernet0/0 interface to aaaa.aaaa.aaaa, then aaaa.aaaa.aaab and finally aaaa.aaaa.aaac to trigger a violation.

You can first verify your configuration with the show port-security interface fa0/1 command in privileged mode, which shows the current port-security configuration on a per-port basis, as shown below:

SW1(config-if)#end
SW1#
%SYS-5-CONFIG_I: Configured from console by console
SW1#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000f.242e.bf80:1
Security Violation Count   : 0
SW1#

As you can see above, the port status is currently Secure-up, meaning port security is enabled, and the maximum address count is 3. You can test this port-security configuration by changing the MAC address on R1 three times; after the third change a violation occurs, because the number of MAC addresses associated with the switch port then exceeds the limit of 3. You can change the MAC address of a router interface with the mac-address xxxx.xxxx.xxxx command in interface configuration mode, as shown below:

R1 con0 is now available

Press RETURN to get started.

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fa0/0
R1(config-if)#mac-address aaaa.aaaa.aaaa
R1(config-if)#mac-address aaaa.aaaa.aaab
R1(config-if)#mac-address aaaa.aaaa.aaac
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R1(config-if)#

If you were watching SW1 after each MAC address change on R1, you would see the secure address table grow as shown below, until the port was automatically placed into err-disabled mode:

SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    000f.242e.bf80    SecureDynamic       Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 1

SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    000f.242e.bf80    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaaa    SecureDynamic       Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 2

SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    000f.242e.bf80    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaaa    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaab    SecureDynamic       Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 3

SW1#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
SW1#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.aaaa.aaac on port FastEthernet0/1.
SW1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
SW1#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
SW1#
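The show output and syslog messages above are what an operator actually has to work with when checking port-security across many switches, so here is an added Python helper that parses them and flags the conditions worth acting on. This is example code, not part of the lab or of any Cisco tool; the function names are this example's own, the SHOW_BEFORE text and ADDRESS_TABLE are taken from the output shown on this page, and SHOW_AFTER is a constructed sample of what the same command reports once Fa0/1 has been err-disabled (the page does not show that output). The recommended ceiling of 3 addresses follows the page's own reasoning about a phone plus its built-in switch plus a PC.

```python
"""Parse `show port-security interface ...` output and audit the result.

Added example, not from the Free CCNA Workbook lab. parse_port_security(),
parse_secure_addresses(), parse_violation_syslog() and audit_port() are this
example's own names. SHOW_AFTER is a constructed sample; the other samples
are copied from the lab output on this page.
"""
import re

SHOW_BEFORE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000f.242e.bf80:1
Security Violation Count   : 0
"""

# Constructed: the same port after the aaaa.aaaa.aaac frame err-disabled it.
SHOW_AFTER = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aaaa.aaaa.aaac:1
Security Violation Count   : 1
"""

ADDRESS_TABLE = """\
Vlan    Mac Address       Type                Ports   Remaining Age (mins)
----    -----------       ----                -----   -------------
   1    000f.242e.bf80    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaaa    SecureDynamic       Fa0/1        -
   1    aaaa.aaaa.aaab    SecureDynamic       Fa0/1        -
"""

SYSLOG_LINE = ("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
               "caused by MAC address aaaa.aaaa.aaac on port FastEthernet0/1.")

MAX_RECOMMENDED = 3   # page guideline: phone switch + phone + PC

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
_KV_RE = re.compile(r"^(.+?)\s+:\s*(.*?)\s*$")       # "Key   : value" lines
_ROW_RE = re.compile(rf"^\s*(\d+)\s+({MAC_RE})\s+(\S+)\s+(\S+)\s+(\S+)")
_VIOL_RE = re.compile(rf"PSECURE_VIOLATION.*MAC address ({MAC_RE}) on port (\S+?)\.?$")


def parse_port_security(text: str) -> dict:
    """Turn the key/value lines of the show command into a dict (ints where numeric)."""
    fields = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            fields[key] = int(value) if value.isdigit() else value
    return fields


def parse_secure_addresses(text: str) -> list:
    """Read the rows of the Secure Mac Address Table, skipping headers and rules."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            rows.append({"vlan": int(m.group(1)), "mac": m.group(2),
                         "type": m.group(3), "port": m.group(4), "age": m.group(5)})
    return rows


def parse_violation_syslog(line: str):
    """Return (offending_mac, port) from a PSECURE_VIOLATION message, else None."""
    m = _VIOL_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def audit_port(fields: dict, addresses=()) -> list:
    """Return a list of findings for one port; an empty list means nothing to act on."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        return ["port-security is not enabled on this port"]
    if fields.get("Port Status") != "Secure-up":
        findings.append(f"port status is {fields.get('Port Status')}, likely err-disabled")
    if fields.get("Security Violation Count", 0) > 0:
        findings.append(f"{fields['Security Violation Count']} violation(s); "
                        f"last source {fields.get('Last Source Address:Vlan')}")
    if fields.get("Maximum MAC Addresses", 0) > MAX_RECOMMENDED:
        findings.append(f"maximum {fields['Maximum MAC Addresses']} exceeds the "
                        f"recommended {MAX_RECOMMENDED}")
    if fields.get("Violation Mode") == "Protect":
        findings.append("violation mode Protect drops offenders silently (no trap, no counter)")
    if addresses and len(addresses) != fields.get("Total MAC Addresses"):
        findings.append("secure address table does not match Total MAC Addresses")
    return findings


if __name__ == "__main__":
    print("before:", audit_port(parse_port_security(SHOW_BEFORE)))
    print("after: ", audit_port(parse_port_security(SHOW_AFTER),
                                parse_secure_addresses(ADDRESS_TABLE)))
    print("syslog:", parse_violation_syslog(SYSLOG_LINE))
```

Feeding the pre-violation output through audit_port returns no findings, while the post-violation sample returns two: the Secure-shutdown status and the recorded violation with its offending source address, which is exactly what the PSECURE_VIOLATION syslog message also carries for correlation.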