Switchport Port Security Explained With Examples
This tutorial explains the switchport security violation modes (Protect, Restrict and Shutdown), sticky addresses, MAC
addresses, the maximum number of hosts and the switchport security violation rules in detail, with examples.
Learn how to secure a switch port with the switchport port security feature, step by step.
Anyone can access unsecured network resources simply by plugging a host into one of the available
switch ports. A user can also change physical location within the LAN without telling the admin.
With the port security feature you can secure layer two access and keep users on their assigned ports.
To explain the switchport port security modes and commands, I will use the Packet Tracer network simulator
software. You can use any network simulator software, or a real Cisco switch, to follow this
guide. There is no difference in output as long as the software you choose supports the commands
explained in this tutorial.
Create a simple practice lab as shown in following figure.
If required, you can download the latest as well as earlier versions of Packet Tracer from here: Download
Packet Tracer
Click PC0, click Desktop, click IP Configuration, select Static from the radio options and assign
the IP address (10.0.0.10) and subnet mask (255.0.0.0).
Follow the same process to assign the IP address (10.0.0.20) and subnet mask (255.0.0.0) to PC1.
Click Server0, click Desktop, click IP Configuration, select Static from the radio options and
assign the IP address (10.0.0.100) and subnet mask (255.0.0.0).
That's all initial configuration we need to understand the switch port security.
How to configure port security
To configure port security we need to access the command prompt of the switch.
Click Switch, click CLI and press the Enter key.
A port is secured from interface configuration mode. Use the enable command to move into privileged EXEC mode. From
privileged EXEC mode use the configure terminal command to enter global configuration mode. From
global configuration mode enter the specific interface.
Following figure illustrates available commands for port security.
How to enable switchport port-security
Port security is disabled by default. The switchport port-security command enables it.
The port security feature does not work on three types of ports:
- Trunk ports
- EtherChannel ports
- Switch Port Analyzer (SPAN) ports
Port security works on host ports. In order to configure port security we need to set the port as a host port. This
is done with the switchport mode access command.
switchport port-security limit maximum number of hosts
According to our requirements we can limit the number of hosts that can be associated with an interface.
We can set this limit anywhere from 1 to 132; the maximum number of devices that can be associated with
an interface is 132. By default it is set to 1. The switchport port-security maximum value command sets
the maximum number of hosts.
switchport port-security mac address
We have two options, static and dynamic, for associating a MAC address with an interface.
In the static method we manually define the exact MAC address of the host with the switchport port-security
mac-address MAC_address command. This is the most secure method but requires a lot of manual
work.
In the dynamic method we use the sticky feature, which allows the interface to learn MAC addresses automatically.
The interface keeps learning MAC addresses until it reaches the maximum number of allowed hosts.
switchport port-security violation
We need to specify what action the switch should take on a security violation. Three modes are available:
Protect: - This mode works only with the sticky option. In this mode frames from a non-allowed address
are dropped. No log entry is made for dropped frames. The interface learns addresses until it
reaches the maximum allowed number; frames from any additional addresses are dropped while the
interface stays operational.
Restrict: - In restrict mode frames from a non-allowed address are also dropped, but in this mode the
switch makes a log entry and generates a security violation alert.
Shutdown: - In this mode the switch generates the violation alert and disables the port. The only way to
re-enable the port is to manually enter the no shutdown command. This is the default violation mode.
switchport port security example
In our topology PC0 is connected to port F0/1 of the switch. Enter the following commands to
secure port F0/1.
The following table explains the above commands in detail.
Command                                                        Description
Switch>enable                                                  Enter privileged EXEC mode
Switch#configure terminal                                      Enter global configuration mode
Switch(config)#interface fastethernet 0/1                      Enter interface configuration mode
Switch(config-if)#switchport mode access                       Assign the port as a host (access) port
Switch(config-if)#switchport port-security                     Enable the port security feature on this port
Switch(config-if)#switchport port-security maximum 1           Set the limit for hosts that can be associated with the interface. D
Switch(config-if)#switchport port-security violation shutdown  Set the security violation mode. The default mode is shutdown. Sk
Switch(config-if)#switchport port-security mac-address sticky  Enable the sticky feature.
We have successfully secured port F0/1 of the switch, using the interface's dynamic address learning feature.
The switch will associate the first MAC address learned on interface F0/1 with this port. You can check the MAC
address table for the currently associated address.
So far no MAC address is associated with port F0/1. The switch learns MAC addresses from incoming frames, so
we need to generate a frame from PC0 that will be received on port F0/1 of the switch. The ping command is
used to test connectivity between two hosts; in our scenario we have connectivity between the server
and the PC, so we can use this utility to generate frames from PC0.
To access the command prompt of PC0, click PC0, click the Desktop menu item and click Command
Prompt. Use the ping command to generate frames.
Now check the MAC address table on the switch again.
One interesting thing you may notice here is the type. The switch learned this address dynamically, but it
is shown as STATIC. This is the effect of the sticky option we used with the port security command:
the sticky option automatically converts a dynamically learned address into a static address.
Switchport port security testing
In our topology we have one additional PC. Assume that this is the cracker's PC. To gain unauthorized
access to the network he unplugs the Ethernet cable from PC0 and plugs it into his own PC (PC1).
Click the red X button in the right-hand pane of the Packet Tracer window and place the X over the
connection between Switch and PC0. This removes the connection.
Click the lightning bolt button in the bottom left-hand corner and click Copper Straight-Through
connection.
Click PC1 and select the FastEthernet port. Next click Switch and select the same port, F0/1.
From the command prompt of PC1 try to ping the server IP.
What happened this time? Why did the ping command get no response from the server? Because the switch
detected the MAC address change and shut down the port.
Verify port security
We have three commands to verify port security.
show port-security
This command displays port security information for all interfaces on the switch.
show port-security address
Displays the statically defined or dynamically learned addresses secured by port security.
show port-security interface interface
Displays port security information for the specified interface.
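The verification commands above are the ones you would run on the switch; the following added example (not part of the tutorial and not a Cisco tool) shows how a defender might check their output programmatically. The text block inside it is a constructed sample shaped like the show port-security summary table (Secure Port, MaxSecureAddr, CurrentAddr, SecurityViolation, Security Action), not real switch output, and the interface names and counts are assumed.

```python
"""Parse a captured `show port-security` summary and flag ports that need
attention.  Added example; SAMPLE is constructed to resemble the IOS summary
table and is not real switch output."""
import re

SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
      Fa0/2              2            2                  0         Restrict
      Fa0/3              1            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One data row: interface name, three counters, then the violation action.
ROW = re.compile(
    r"^\s*(?P<port>(?:Fa|Gi|Te)\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)"
    r"\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$"
)


def parse_port_security(text):
    """Return one dict per secured interface found in the summary table.
    Header, separator and total lines do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "port": m["port"],
                "max": int(m["max"]),
                "current": int(m["cur"]),
                "violations": int(m["viol"]),
                "action": m["action"].lower(),
            })
    return rows


def ports_needing_attention(rows):
    """Return (port, reason) pairs a defender would follow up on:
    any recorded violation, and any port in protect mode, where
    violations are dropped silently and never show up in this counter."""
    findings = []
    for r in rows:
        if r["violations"] > 0:
            findings.append((r["port"],
                             f"{r['violations']} violation(s), action {r['action']}"))
        if r["action"] == "protect":
            findings.append((r["port"],
                             "protect mode: violations are dropped without logging"))
    return findings


if __name__ == "__main__":
    for port, reason in ports_needing_attention(parse_port_security(SAMPLE)):
        print(f"{port}: {reason}")
```

On the constructed sample this reports Fa0/1 (one violation, port in shutdown mode, so it is err-disabled until reset) and Fa0/3 (protect mode gives no visibility into violations). Feed it the real command output captured from your switch in place of SAMPLE.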
How to reset an interface that is disabled due to violation of port security
When an interface is down because of a port security violation, we have two options to bring it back. The first is
the following global configuration mode command:
Switch(config)# errdisable recovery cause psecure-violation
This command is neither included in the CCNA exam nor available in Packet Tracer.
The second option is to manually restart the interface. Unplug the cable from the unauthorized PC and plug it
back into the authorized PC.
Run the following commands on the switch and test connectivity from the PC.
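To tie together the violation modes, the PC0/PC1 test above and the two recovery options, here is an added example that models a port-security interface in Python. It is not code from the tutorial or from Cisco; it reproduces only the behaviour the text describes (per-port maximum, static and sticky addresses, protect/restrict/shutdown, manual reset and errdisable recovery). The MAC addresses, the log message text and the 300-second recovery interval are assumed values.

```python
"""Toy model of a port-security interface (added example, not Cisco code).
Frames are constructed (source MAC strings), not real traffic."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # switchport port-security maximum <n> (default 1)
    violation: str = SHUTDOWN      # switchport port-security violation <mode> (default shutdown)
    sticky: bool = False           # switchport port-security mac-address sticky
    secure_macs: dict = field(default_factory=dict)  # mac -> "static" | "sticky" | "dynamic"
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def add_static(self, mac):
        """switchport port-security mac-address <MAC>: operator-defined address."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} addresses reached")
        self.secure_macs[mac.lower()] = "static"

    def receive(self, src_mac):
        """Process one ingress frame; return True if it is forwarded."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                      # port is down, nothing passes
        if mac in self.secure_macs:
            return True                       # known secure address
        if len(self.secure_macs) < self.maximum:
            # Room left: learn it.  With sticky the entry is kept as if static,
            # which is why the MAC table shows the type as STATIC.
            self.secure_macs[mac] = "sticky" if self.sticky else "dynamic"
            return True
        return self._violate(mac)

    def _violate(self, mac):
        if self.violation == PROTECT:
            return False                      # dropped silently: no log, no counter
        self.violation_count += 1
        self.log.append(f"violation on {self.name} from {mac}")  # constructed message
        if self.violation == SHUTDOWN:
            self.err_disabled = True          # port goes err-disabled
        return False

    def recover_manually(self):
        """Operator fixes the cabling, then enters shutdown / no shutdown."""
        self.err_disabled = False

    def errdisable_recovery_tick(self, seconds_elapsed, interval=300):
        """errdisable recovery cause psecure-violation: the port comes back by
        itself once the recovery interval (assumed 300 s) has elapsed."""
        if self.err_disabled and seconds_elapsed >= interval:
            self.err_disabled = False


def lab_scenario():
    """F0/1 as configured in the tutorial (maximum 1, shutdown, sticky).
    PC0 pings first; the cracker then swaps PC1 onto the same port."""
    fa01 = SecurePort("Fa0/1", maximum=1, violation=SHUTDOWN, sticky=True)
    pc0, pc1 = "0001.4242.0a0a", "0002.4242.1414"   # constructed sample MACs
    first = fa01.receive(pc0)      # learned as sticky -> forwarded
    second = fa01.receive(pc1)     # violation -> port err-disabled
    return first, second, fa01.err_disabled, fa01.secure_macs[pc0], fa01.violation_count


def compare_modes():
    """Same two-host pressure against each violation mode on a maximum-1 port.
    Result per mode: (legitimate host still forwarded, violations, log lines, err-disabled)."""
    results = {}
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        p = SecurePort("Fa0/2", maximum=1, violation=mode, sticky=True)
        p.receive("aaaa.bbbb.0001")                   # legitimate host
        p.receive("aaaa.bbbb.0002")                   # second, non-allowed host
        still_up = p.receive("aaaa.bbbb.0001")
        results[mode] = (still_up, p.violation_count, len(p.log), p.err_disabled)
    return results


if __name__ == "__main__":
    print("lab:", lab_scenario())
    for mode, r in compare_modes().items():
        print(f"{mode:9s} forwarded={r[0]} violations={r[1]} logged={r[2]} err-disabled={r[3]}")
```

Running it shows the difference that matters operationally: protect keeps the port up but leaves no trace, restrict keeps the port up and records the event, shutdown records it and takes the port down until someone (or the errdisable recovery timer) brings it back. Note that after recovery the violation repeats on the next frame if the unauthorized host is still plugged in, which is why the tutorial has you move the cable back first.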