Port Security in Cisco Switch

EXPERIMENT No-9

OBJECT: Simulation of Cisco Port Security
REQUIRED SOFTWARE: Cisco Packet Tracer 8.1.1

Packet Tracer- Configuring Switch Port security
Addressing Table

Device        Interface   IP address    Subnet Mask
S1            VLAN 1      10.10.10.2    255.0.0.0
PC1           NIC         10.10.10.10   255.0.0.0
PC2           NIC         10.10.10.11   255.0.0.0
Rogue Laptop  NIC         10.10.10.12   255.0.0.0

Objective
Part 1: Configure Port Security
Part 2: Verify Port Security
Background

In this activity, you will configure and verify port security on a switch. Port security lets you restrict a port's ingress traffic by limiting which MAC addresses, and how many of them, are allowed to send frames into the port.

Part 1: Configure Port Security

  1. Access the command line for S1 and enable port security on Fast Ethernet ports 0/1 and 0/2.
  2. Set the maximum so that only one device can access Fast Ethernet ports 0/1 and 0/2.
  3. Secure the ports so that the MAC address of a device is dynamically learned and added to the running configuration (sticky learning).
  4. Set the violation mode so that Fast Ethernet ports 0/1 and 0/2 are not disabled when a violation occurs, but packets from an unknown source are dropped.
  5. Disable all the remaining unused ports. Hint: use the range keyword to apply this configuration to all the ports simultaneously.

Part 2: Verify Port Security

  1. From PC1, ping PC2.
  2. Verify that port security is enabled and that the MAC addresses of PC1 and PC2 were added to the running configuration.
  3. Attach the Rogue Laptop to any unused switch port and notice that the link lights are red.
  4. Enable the port and verify that the Rogue Laptop can ping PC1 and PC2. After verification, shut down the port connected to the Rogue Laptop.
  5. Disconnect PC2 and connect the Rogue Laptop to PC2's port. Verify that the Rogue Laptop is unable to ping PC1.
  6. Display the port security violations for the port the Rogue Laptop is connected to.
  7. Disconnect the Rogue Laptop, reconnect PC2 and verify that PC2 can ping PC1.
  8. Why is PC2 able to ping PC1 while the Rogue Laptop is not?

Network Diagram

Set up this network: switch S1 with PC1 on Fa0/1, PC2 on Fa0/2, and the Rogue Laptop attached later to an unused port (the diagram image is not reproduced here).
Switch>en
Switch#config t
Switch(config)#hostname S1
S1(config)#int range fastEthernet 0/1-2
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport port-security
S1(config-if-range)#switchport port-security maximum 1
S1(config-if-range)#switchport port-security mac-address sticky
S1(config-if-range)#switchport port-security violation shutdown
S1(config-if-range)#exit
S1(config)#int range fa0/3-24
S1(config-if-range)#shutdown

Note: Part 1 step 4 asks for a mode that drops frames from an unknown source without disabling the port; that is `switchport port-security violation restrict`. The transcript above uses `violation shutdown`, which err-disables the port on the first violation, and the show outputs below reflect that choice.

From PC1, ping PC2:
PC>ping 10.10.10.11
Pinging 10.10.10.11 with 32 bytes of data:
Reply from 10.10.10.11: bytes=32 time=0ms TTL=128
Reply from 10.10.10.11: bytes=32 time=15ms TTL=128
Reply from 10.10.10.11: bytes=32 time=14ms TTL=128
Reply from 10.10.10.11: bytes=32 time=0ms TTL=128
S1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0060.5C70.6530:1
Security Violation Count   : 0
From PC2, ping PC1 (and, as a sanity check, PC2's own address):
PC>ping 10.10.10.10
Pinging 10.10.10.10 with 32 bytes of data:
Reply from 10.10.10.10: bytes=32 time=23ms TTL=128
Reply from 10.10.10.10: bytes=32 time=9ms TTL=128
Reply from 10.10.10.10: bytes=32 time=9ms TTL=128
Reply from 10.10.10.10: bytes=32 time=14ms TTL=128
PC>ping 10.10.10.11
Pinging 10.10.10.11 with 32 bytes of data:
Reply from 10.10.10.11: bytes=32 time=0ms TTL=128
Reply from 10.10.10.11: bytes=32 time=15ms TTL=128
Reply from 10.10.10.11: bytes=32 time=14ms TTL=128
Reply from 10.10.10.11: bytes=32 time=0ms TTL=128
S1#show port-security interface fastEthernet 0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0090.21CD.A69E:1
Security Violation Count   : 0
S1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0060.5c70.6530    STATIC      Fa0/1
   1    0090.21cd.a69e    STATIC      Fa0/2

S1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            1                  0         Shutdown
---------------------------------------------------------------------------

Next, connect the Rogue Laptop (the third PC) to the unused port Fa0/3. From PC1 ping PC2 and from PC2 ping PC1 to confirm the two secured ports still work, then from the Rogue Laptop ping PC1. The requests time out because Fa0/3 is administratively shut down:

Pinging 10.10.10.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Enable Fa0/3, verify that the Rogue Laptop can now ping PC1 and PC2, then shut the port down again:

S1#config t
S1(config)#int fa0/3
S1(config-if)#no shut
S1(config-if)#shutdown

Disconnect the Rogue Laptop from Fa0/3, disconnect PC2 from Fa0/2, and connect the Rogue Laptop to Fa0/2, then ping PC1 from it. With `violation shutdown`, the expected result is that the first frame from the Rogue Laptop's MAC address (which is not the sticky address learned for PC2) err-disables Fa0/2 and the ping fails; `show port-security interface fa0/2` then shows Port Status: Secure-shutdown and a violation count of 1. A successful ping like the one below is what you see after the Rogue Laptop is removed, PC2 is reconnected and the port has been re-enabled with `shutdown` followed by `no shutdown` (step 7):
PC>ping 10.10.10.10
Pinging 10.10.10.10 with 32 bytes of data:
Reply from 10.10.10.10: bytes=32 time=23ms TTL=128
Reply from 10.10.10.10: bytes=32 time=9ms TTL=128
Reply from 10.10.10.10: bytes=32 time=9ms TTL=128
Reply from 10.10.10.10: bytes=32 time=14ms TTL=128

Finally, give S1 its management address on VLAN 1 from the addressing table (this can equally be done at the start; it is not required for port security itself):

S1#config t
S1(config)#int vlan 1
S1(config-if)#ip add 10.10.10.2 255.0.0.0
S1(config-if)#no shut

Protect: the switch drops frames with unknown source addresses, silently and without incrementing the violation counter, until you remove enough secure MAC addresses to drop below the maximum value.

Restrict: frames from non-allowed addresses are dropped as in protect mode, but the switch also logs a syslog message, sends an SNMP trap and increments the violation counter.

Shutdown: puts the interface into the error-disabled state immediately, logs a message, sends an SNMP trap and increments the violation counter; the port stays down until an administrator issues `shutdown` followed by `no shutdown` on it (or errdisable recovery is configured).

Example 

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  1         Shutdown
      Fa0/2              2            2                  0          Protect
      Fa0/3              2            2                  7         Restrict
---------------------------------------------------------------------------
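The table above is what an operator reads by hand; in a monitored network it is usually scraped and alerted on. The script below is an added example (not part of the lab page or of Cisco's tooling) that parses the `show port-security` summary format into rows and applies three audit rules: any non-zero violation count, ports left in protect mode (where violations are dropped silently and never counted), and ports whose secure-address table is already full. The sample text is constructed here in the output format shown above, not captured from a switch.

```python
"""Audit a `show port-security` summary table for violations and silent modes.

Added example, not from the lab page. The SAMPLE text is constructed in the
format IOS prints; the port names and counts come from the table in the text.
"""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample in the format `show port-security` prints (not captured
# from a real switch; the trailing two lines mirror the real output's footer).
SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  1         Shutdown
      Fa0/2              2            2                  0          Protect
      Fa0/3              2            2                  7         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 1024
"""


class PortSecurityRow(NamedTuple):
    port: str
    max_addr: int
    current_addr: int
    violations: int
    action: str  # "shutdown", "restrict" or "protect"


# One data row: interface name, three integer columns, then the violation action.
# Header, separator and footer lines do not match and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<port>[A-Za-z]+\d+(?:/\d+)*)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+"
    r"(?P<viol>\d+)\s+(?P<action>Shutdown|Restrict|Protect)\s*$"
)


def parse_port_security(text: str) -> List[PortSecurityRow]:
    """Extract the per-port rows from `show port-security` output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(PortSecurityRow(m["port"], int(m["max"]), int(m["cur"]),
                                        int(m["viol"]), m["action"].lower()))
    return rows


def audit(rows: List[PortSecurityRow]) -> List[Tuple[str, str, str]]:
    """Return (port, severity, message) findings worth raising to the NOC/SOC."""
    findings = []
    for r in rows:
        if r.violations > 0:
            if r.action == "shutdown":
                msg = (f"{r.violations} violation(s) in shutdown mode; check "
                       "`show interfaces status err-disabled` and the last source address")
            else:
                msg = (f"{r.violations} violation(s) in {r.action} mode; an unknown MAC "
                       "was seen while the port stayed up")
            findings.append((r.port, "high", msg))
        if r.action == "protect":
            findings.append((r.port, "medium",
                             "protect mode drops silently; violations are never counted or logged"))
        if r.current_addr >= r.max_addr:
            findings.append((r.port, "info",
                             "secure address table full; the next new MAC triggers the violation action"))
    return findings


if __name__ == "__main__":
    for port, severity, message in audit(parse_port_security(SAMPLE)):
        print(f"{severity.upper():6} {port:8} {message}")
```

Run against the sample, Fa0/1 and Fa0/3 are flagged high (one and seven violations), Fa0/2 is flagged medium because protect mode hides violations from exactly this kind of audit, and all three are noted as full. The same parser works on output pasted from a terminal or pulled over SSH, since only the data rows are matched.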

What is Port Security

Ethernet LANs are easy to abuse because anyone who can reach a switch port can plug in a device and send traffic; without controls, an attacker with physical access can launch layer-2 attacks such as a denial of service by flooding the MAC address table or MAC address spoofing. Port Security is the switch feature used to control which devices are allowed to send traffic into each access port.

To secure a port, two things are configured:

  1. The number of MAC addresses allowed on the port is limited. If the maximum is set to 1, only one host can use the port; as soon as a second host is connected, a frame arrives with a different source MAC address, the switch detects that the limit has been exceeded, and the configured action is taken.
  2. A violation action is chosen: traffic from the unexpected address can be dropped immediately, and the switch can also generate a log message and an SNMP trap so that the attempt is recorded.

A switch learns a source MAC address from the frames received on a port. With port security, the administrator limits how many MAC addresses a port may learn.

Port security Modes

There are three violation modes:

  1. Protect
  2. Restrict
  3. Shutdown

Protect: the port is bound to the learned MAC address(es). When another host is connected and sends a frame, its source MAC address is not one of the secure addresses, so the switch drops the frame and does not forward it. Nothing is logged and the violation counter does not change.

Restrict: behaves like protect, dropping frames from unknown addresses until you remove enough secure MAC addresses to get below the maximum, but in addition it generates a log message, increments the violation counter and sends an SNMP trap.

Shutdown: the default mode. When a frame arrives from a non-permitted address, the port is placed in the error-disabled state, a log message is generated, an SNMP trap is sent and the violation counter is incremented. The port stays down until an administrator issues `shutdown` followed by `no shutdown` on the interface.

Sticky: this is not a violation mode. With sticky learning the switch provides static-style MAC address security without the administrator typing each address. For example, with a maximum of 2, the first two MAC addresses learned on the port are written into the running-configuration; a third address triggers the configured violation action. Sticky addresses survive a reload only if the running-config is saved (`copy running-config startup-config`).

Note: port security cannot be enabled on a port that is in dynamic (DTP) mode; the port must be made a static access port with `switchport mode access` first (on real Catalyst switches a static trunk is also accepted).
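To make the difference between the three modes concrete, here is an added example (not from the lab page or from Cisco) that models a secured port as a small state machine: sticky learning up to the maximum, then the per-mode reaction to a frame from an unknown source. The MAC addresses are constructed, the syslog line mirrors the IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` format, and the interface name is the lab's Fa0/2.

```python
"""Toy state machine for Cisco port-security violation modes.

Added example; not from the lab page or Cisco. It models the behaviour the
modes section describes (protect / restrict / shutdown plus sticky learning)
so the difference can be seen frame by frame. MACs are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = SHUTDOWN          # IOS default
    sticky: bool = True
    secure_macs: List[str] = field(default_factory=list)  # learned secure addresses
    violation_count: int = 0
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; True = forwarded, False = dropped."""
        if self.err_disabled:                 # nothing passes an err-disabled port
            return False
        if src_mac in self.secure_macs:       # known secure address
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)  # learned (sticky: also in running-config)
            return True
        # Table full and the source is unknown: a violation.
        if self.violation == PROTECT:         # silent drop, no counter, no log
            return False
        self.violation_count += 1             # restrict and shutdown both count and log
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}."
        )
        if self.violation == SHUTDOWN:        # port goes err-disabled
            self.err_disabled = True
        return False

    def recover(self) -> None:
        """Operator issues `shutdown` then `no shutdown` on the interface."""
        self.err_disabled = False

    def running_config(self) -> List[str]:
        """What `show running-config` would list for this port (sticky entries included)."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in self.secure_macs]
        return lines


def run_scenario(mode: str) -> Tuple[List[bool], int, bool]:
    """PC2 is learned, a rogue host plugs in, then PC2 sends again.

    Returns (forwarded flags per frame, violation count, err-disabled?).
    """
    port = SecurePort("FastEthernet0/2", maximum=1, violation=mode)
    pc2, rogue = "0090.21cd.a69e", "000c.2912.3456"   # constructed MACs
    forwarded = [port.receive(pc2), port.receive(rogue), port.receive(pc2)]
    return forwarded, port.violation_count, port.err_disabled


if __name__ == "__main__":
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        print(mode, run_scenario(mode))
```

The third frame is the security-relevant one: in protect and restrict mode PC2 keeps working after the rogue frame is dropped, while in shutdown mode PC2 is cut off too, because the whole port is err-disabled. That is the trade-off behind Part 1 step 4: shutdown is the strongest response, but it also lets anyone with a cable knock a legitimate host off the network until an administrator intervenes.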

Port security configuration

Enable port security on the switch's Fa0/1 interface. First the port has to be made an access port, because port security cannot be enabled on a dynamic port:

S1(config)#int fa0/1
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
Use the sticky option so the MAC address is learned dynamically and written to the running-config, set the maximum, and choose the violation action to take once the maximum is exceeded:

S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#switchport port-security maximum 2
S1(config-if)#switchport port-security violation shutdown
A static entry can be given instead of (or in addition to) sticky learning by stating the MAC address in the dotted-triplet form IOS uses (three groups of four hex digits; colon-separated forms are rejected):

S1(config-if)#switchport port-security mac-address aabb.ccdd.eeff
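The MAC address format is the usual stumbling block when this configuration is produced from inventory data, since most tools print `00:60:5c:70:65:30` rather than `0060.5c70.6530`. The generator below is an added example (not from the lab page or from Cisco) that normalises any of the common notations, validates the violation mode and the static-address count against the maximum, and emits the interface block shown in this section; the interface names and MAC values passed in are constructed for illustration.

```python
"""Generate the port-security interface configuration from this section.

Added example, not from the lab page. IOS writes MAC addresses as three dotted
groups of four hex digits (0060.5c70.6530); colon- or hyphen-separated input is
converted first. Interface names and MACs used in the demo are constructed.
"""
import re
from typing import Iterable, List

VIOLATION_MODES = ("protect", "restrict", "shutdown")


def cisco_mac(mac: str) -> str:
    """Return the MAC in aabb.ccdd.eeff form; accepts :, - and . separators or bare hex."""
    digits = re.sub(r"[:.\-\s]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def port_security_config(interface: str, maximum: int = 1, violation: str = "restrict",
                         sticky: bool = True, static_macs: Iterable[str] = ()) -> List[str]:
    """Interface block for one secured access port, one CLI line per list item."""
    if violation not in VIOLATION_MODES:
        raise ValueError(f"violation mode must be one of {VIOLATION_MODES}")
    if maximum < 1:
        raise ValueError("maximum must be at least 1")
    macs = [cisco_mac(m) for m in static_macs]
    if len(macs) > maximum:
        raise ValueError(f"{len(macs)} static addresses exceed maximum {maximum}")
    lines = [f"interface {interface}",
             " switchport mode access",            # required before port-security
             " switchport port-security",
             f" switchport port-security maximum {maximum}",
             f" switchport port-security violation {violation}"]
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    lines += [f" switchport port-security mac-address {m}" for m in macs]
    return lines


def shutdown_unused(range_spec: str) -> List[str]:
    """Disable a range of unused ports, e.g. range_spec = 'FastEthernet0/3-24'."""
    return [f"interface range {range_spec}", " shutdown"]


if __name__ == "__main__":
    # Constructed demo: PC1 pinned statically, PC2 learned via sticky, rest shut.
    config = (port_security_config("FastEthernet0/1", maximum=1, violation="restrict",
                                   sticky=False, static_macs=["00:60:5C:70:65:30"])
              + port_security_config("FastEthernet0/2", maximum=1, violation="restrict")
              + shutdown_unused("FastEthernet0/3-24"))
    print("\n".join(config))
```

The output is the same set of commands as the transcript in Part 1, with `violation restrict` substituted as Part 1 step 4 requires; paste it into configure mode or feed it to a configuration-push tool. Rejecting a static-address list longer than the maximum matters because IOS would otherwise refuse the extra entries and leave the port less protected than the inventory assumed.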






MCQ-SET 2

1. What is the port number of SMTP? Answer: D) 25
2. TCP is ______________. Answer: C) Both A & B
3. Which network protocol is based on UDP, is a component of the Internet Protocol Suite and is defined by the IETF (Internet Engineering Task Force)? Answer: D) SNMP
4. X.25 defines the protocols from Answer: B) Layer 1 to Layer 3
5. Advantages of cell relay are Answer: D) Both A & B
6. When compared with the OSI reference model, the IEEE standard contains the following layers: Answer: D) All of these
7. In a token ring, the stations are connected to the __________. Answer: B) Logical ring
8. A _________ preamble is used to synchronize the receiver's clock. Answer: A) One-byte
9. The destination address and source address fields are similar to Answer: D) IEEE 802.3 or CSMA/CD bus
10. An IPv4 address is Answer: B) 32 bit
11. Which function allows dumping of invalid packets for a specific network instead of forwarding them? Answer: C) Filtering function
12. SLIP stands for Answer: D) Serial Line IP
13. What is the port number of FTP? Answer: B) 20/21
14. SMDS is similar to which transfer mode? Answer: C) Asynchronous transfer mode
15. PDUs contain Answer: C) Both A & B
16. Frame relay indicates network congestion using two flags, namely the ________ bits in data frames. Answer: D) Both A & B
17. ISDN is a group of __________ standards relating to digital transmission across conventional copper wire telephone lines, as well as other media. Answer: B) Both A & C
18. The B-channel is capable of carrying both Answer: D) Both A & B
19. A network of networks is known as _________. Answer: C) internet
20. An interconnection of ________________________ computers is called an internet. Answer: B) Autonomous
21. When a packet with this code is transmitted, it is received and processed by every machine on the network. This mode of operation is called Answer: D) broadcasting
22. Point-to-point transmission with one sender and one receiver is sometimes called ________. Answer: C) unicasting
23. The entities comprising the corresponding layers on different machines are called ________. Answer: C) peers
24. When the packets are small and all the same size, they are often called ________. Answer: C) cells
25. A collection of interconnected networks is called a __________. Answer: D) internet
26. Starting around 1988, the more advanced ______ twisted pairs were introduced. Answer: C) Category 5
27. Each ray is said to have a different mode, so a fiber having this property is called ________. Answer: B) multimode
28. The number of oscillations per second of a wave is called its ______. Answer: C) frequency
29. If a computer on the network shares resources for others to use, it is called a _____. Answer: D) server
30. For large networks, the _____ topology is used. Answer: B) star
