How to Configure Port Security in Cisco Packet Tracer

In this article, we will examine how to use Port Security on a Switch using Packet Tracer software.


How to Enable Port Security on a Cisco Switch

Setting up Port Security is a simple process, but the order of the commands matters. Port Security can only be enabled on a port whose mode is configured statically (access or trunk); it is refused on a port whose mode is still negotiated by DTP. So the first command on each interface is switchport mode access.

If you skip that step and enter switchport port-security on an interface that is still in its default dynamic mode, the switch rejects the command with an error stating that the interface is a dynamic port. Therefore, before enabling Port Security on any interface, put that interface into access mode.

After Port Security is enabled, specify the violation mode for the port, that is, what the switch does when a frame arrives from a MAC address that is not allowed on that port.

There are three violation modes:

  • Shutdown: the port is placed in the err-disabled state, the SecurityViolation counter is incremented and a log message is generated. An administrator must bring the port back up. This is the default.
  • Restrict: offending frames are dropped, the SecurityViolation counter is incremented and a syslog message/SNMP trap is generated, but the port stays up.
  • Protect: offending frames are dropped silently; nothing is counted or logged, so you get no evidence that anything happened.

Since Shutdown is the most robust method for security (the port stops carrying traffic and the event is visible), in this article we will only use Shutdown for the violated interface.
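The article only exercises Shutdown. The following Python model is an added illustration written for this page, not Cisco code or part of the original article: it replays the Fa0/1 test from the steps below (PC0 learned as a sticky address, a second computer PC2 plugged into the same port, then the port recovered by an administrator) under each of the three violation modes, so the difference between them is visible. PC0's MAC address is the one from the article's show output; PC2's MAC address and the frame sequence are constructed for the example.

```python
"""Toy model of Cisco port-security decisions (added illustration, not IOS code).

It replays the article's Fa0/1 test under each of the three violation modes so
the difference between them is visible. PC2's MAC address is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Violation(Enum):
    SHUTDOWN = "shutdown"  # err-disable the port and count the violation (default)
    RESTRICT = "restrict"  # drop the frame and count it (IOS also logs / sends a trap)
    PROTECT = "protect"    # drop the frame silently, nothing counted or logged


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # 'switchport port-security maximum 1'
    violation: Violation = Violation.SHUTDOWN
    secure_macs: set[str] = field(default_factory=set)  # sticky-learned addresses
    violation_count: int = 0
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame: returns 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"           # link is down, nothing is processed
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # sticky: becomes a secure address
            return "forward"
        # table is full and the source address is unknown: this is a violation
        if self.violation is Violation.SHUTDOWN:
            self.violation_count += 1
            self.err_disabled = True
            return "err-disabled"
        if self.violation is Violation.RESTRICT:
            self.violation_count += 1       # every offending frame is counted
        return "drop"

    def recover(self) -> None:
        """Operator 'shutdown' / 'no shutdown'; sticky addresses are kept."""
        self.err_disabled = False


def replay_tutorial(mode: Violation) -> dict:
    """PC0 is learned, PC2 is plugged into the same port, the port is recovered, PC2 tries again."""
    port = SecurePort("Fa0/1", maximum=1, violation=mode)
    pc0 = "0001.43EC.7639"   # PC0's sticky address from the article's show output
    pc2 = "0000.0c11.2233"   # constructed address for the extra computer PC2
    decisions = [port.receive(pc0), port.receive(pc2), port.receive(pc2)]
    port.recover()
    decisions.append(port.receive(pc0))   # PC0 reconnected after recovery
    decisions.append(port.receive(pc2))   # PC2 again: still not a secure address
    return {"decisions": decisions, "violations": port.violation_count,
            "secure": sorted(port.secure_macs)}


if __name__ == "__main__":
    for mode in Violation:
        print(mode.value, replay_tutorial(mode))
```

Two things the model makes explicit: in Shutdown mode the port is only recovered by an operator, and because the sticky address survives recovery, plugging PC2 in again err-disables the port a second time; in Protect mode the counter never moves, so a switch full of Protect ports tells you nothing about who has been plugging in unknown devices.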

We can now proceed to enable and test port security on the Switch.

   Step 1

Open Cisco Packet Tracer and add one router, one switch and two computers to the workspace, then assign an IP address to the router's LAN interface (192.168.5.1/24 on GigabitEthernet0/0 in the router configuration shown at the end of this article) and give PC0 and PC1 addresses in the same subnet.

One Switch and Two Computers Connected to a Cisco Router

   Step 2

Before enabling Port Security, test the network connectivity between the clients. From PC0, ping the router interface and PC1.

Ping from PC0 to Router's Interface and PC1

   Step 3

Similarly, ping the router interface and PC0 from PC1. After the connectivity test, click on the Cisco switch.

Ping from PC1 to Router's Interface and PC0

   Step 4

Click on the Switch to open the CLI prompt, and then execute the following commands to enable port security.

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#
Switch(config-if)#exit
Switch(config)#
Switch(config)#interface fastethernet0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#
Switch(config-if)#end
Switch#

 
If we explain the above configuration commands:

  • switchport mode access puts the interface into static access mode, which is required before Port Security can be enabled.
  • switchport port-security enables the feature on the FastEthernet0/1 and FastEthernet0/2 interfaces.
  • switchport port-security mac-address sticky makes the switch learn the MAC address of the first device seen on the port and write it into the running configuration as a secure address. Save with copy running-config startup-config, otherwise the learned addresses are lost on reload.
  • switchport port-security maximum 1 allows only one secure MAC address on the port. This is also the default value.
  • switchport port-security violation shutdown is the default as well; it is entered explicitly here for clarity. Because maximum 1 and violation shutdown are defaults, neither line appears in show running-config.

If a frame from any other MAC address arrives on Fa0/1 or Fa0/2, that interface is err-disabled (shown as down).

Configuring Security on Cisco Switch

   Step 5

In privileged mode on the switch, execute the show port-security command. The SecurityViolation (Count) column is 0 because no violation has occurred yet. The CurrentAddr column may also still be 0 if the PCs have not sent a frame since Port Security was enabled; it changes to 1 as soon as a sticky address is learned.

show port-security

   Step 6

When you execute the show mac address-table command, you can see that the MAC addresses of the computers connected to the switch are in the table; sticky-learned addresses are listed with type STATIC rather than DYNAMIC. These are the addresses the source MAC of every incoming frame is compared against.

Show mac address-table

   Step 7

You can view the detailed information of the FastEthernet0/1 interface by applying the show port-security interface fa0/1 command.

Show port-security interface fa0/1

   Step 8

Now add a third computer (PC2) to the workspace to test whether Port Security is working, and configure its IP settings. Then disconnect the cable between PC0 and Switch0. Unplugging PC0 does not remove its sticky MAC address; it stays in the running configuration of Fa0/1.

Testing Port Violation

   Step 9

After configuring PC2, connect it to the Fa0/1 interface on Switch0, the port that has learned PC0's MAC address.

Connecting the Computer to the Switch

   Step 10

When you ping PC1 from PC2, the ping fails.

As soon as the first frame from PC2 arrived on Fa0/1, the switch compared its source MAC address with the secure address learned for that port (PC0's). Since the address was different and the maximum of one secure address had already been reached, the switch counted a violation and immediately err-disabled the port.

Ping Test

   Step 11

After the violation, check the interface status by running the show ip interface brief command at the CLI prompt.

As you can see in the image below, the FastEthernet0/1 interface is down. The show interfaces fa0/1 command shows the reason: the interface is down with the line protocol reported as err-disabled.

show ip interface brief

   Step 12

Likewise, when you execute the show port-security command again, the SecurityViolation count for Fa0/1 has increased from 0 to 1.

Violation Count

   Step 13

Because the port is err-disabled, an administrator must bring it back up manually: enter the Fa0/1 interface configuration and execute the shutdown command followed by no shutdown. Recovering the port does not remove the sticky address, so if PC2 is still plugged in, the next frame it sends err-disables the port again. On IOS images that support it, errdisable recovery cause psecure-violation together with errdisable recovery interval <seconds> re-enables such ports automatically after the interval, which is convenient but also means an attacker only has to wait.

Activating the Port Status of the Switch

   Step 14

After activating the FastEthernet0/1 interface, connect PC0 to the Switch again and test the network connection.

Network Connection Test with Ping Again from PC0

Show Commands

Switch#show run
Building configuration...

Current configuration : 1357 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0001.43EC.7639
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0007.EC9C.8167
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
end
Switch#


Router#show running-config
Building configuration...

Current configuration : 620 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX1524837C
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 192.168.5.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
Router#


Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            0                  0         Shutdown
      Fa0/2              1            0                  0         Shutdown
---------------------------------------------------------------------------
Switch#
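The show running-config output above also shows the other side of this exercise: Fa0/3 to Fa0/24 and both Gigabit uplinks carry no configuration at all, so they are still in dynamic (DTP-negotiable) mode with no Port Security, and a Protect-mode port would never show a violation in the show port-security table. The following Python script is an added example written for this article, not a Cisco tool or part of the original page. It parses text in the shape of these two show commands (pasted from a terminal or collected however you like) and reports ports that are not statically configured, access ports without Port Security, ports with a non-zero violation count, and ports whose Protect mode would hide violations. Both sample outputs embedded in it are constructed for the example in the format of the article's own show commands.

```python
"""Offline audit of Cisco 'show running-config' and 'show port-security' text.

Added example for this article; it is not a Cisco tool and only reads text you
give it. The sample outputs below are constructed in the format of the
article's own show commands.
"""
from __future__ import annotations
import re

# Constructed: first two ports secured as in the article, Fa0/3 is an access
# port without port-security, Fa0/4 was left at its default (DTP-negotiable)
# mode, Gi0/1 is an explicit trunk uplink.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.43EC.7639
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
"""

# Constructed 'show port-security' table, as it looks after the article's test
# plus two extra ports using the other violation modes.
SAMPLE_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
      Fa0/2              1            1                  0         Shutdown
      Fa0/5              1            1                  4         Restrict
      Fa0/6              1            1                  0          Protect
---------------------------------------------------------------------------
"""


def parse_interfaces(running_config: str) -> dict[str, list[str]]:
    """Map each interface name to its (stripped) configuration lines."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith("!"):
            current = None                  # '!' closes the interface block
        elif current is not None and line.strip():
            blocks[current].append(line.strip())
    return blocks


def audit_running_config(running_config: str) -> list[str]:
    """Flag physical ports an attacker could use without being challenged."""
    findings = []
    for name, lines in parse_interfaces(running_config).items():
        if not re.match(r"(Fast|Gigabit|TenGigabit)Ethernet", name):
            continue                        # SVIs, loopbacks etc. are out of scope
        mode_line = next((ln for ln in lines if ln.startswith("switchport mode ")), None)
        mode = mode_line.split(None, 2)[2] if mode_line else None
        if mode is None or mode.startswith("dynamic"):
            findings.append(f"{name}: no static switchport mode; DTP may negotiate a trunk")
        elif mode == "access" and "switchport port-security" not in lines:
            findings.append(f"{name}: access port without port-security")
    return findings


_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_port_security(table: str) -> list[dict]:
    """Parse the per-port rows of 'show port-security'; header lines do not match."""
    rows = []
    for line in table.splitlines():
        m = _ROW.match(line)
        if m:
            port, maximum, current, violations, action = m.groups()
            rows.append({"port": port, "max": int(maximum), "current": int(current),
                         "violations": int(violations), "action": action.lower()})
    return rows


def audit_port_security(table: str) -> list[str]:
    """Report ports that have seen violations, and ports that would hide them."""
    findings = []
    for row in parse_port_security(table):
        if row["violations"] > 0:
            findings.append(f"{row['port']}: {row['violations']} violation(s), action {row['action']}")
        if row["action"] == "protect":
            findings.append(f"{row['port']}: protect mode drops silently, violations are never counted here")
    return findings


if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_RUNNING_CONFIG) + audit_port_security(SAMPLE_PORT_SECURITY):
        print(finding)
```

Run against the constructed samples it reports Fa0/3 (access, no Port Security), Fa0/4 (no static mode), Fa0/1 and Fa0/5 (violations seen) and Fa0/6 (Protect). Unused ports are better handled by shutting them down and parking them in an unused VLAN than by leaving them in dynamic mode; the DTP finding is there to catch the ports that were simply forgotten.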


Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.43ec.7639    STATIC      Fa0/1
   1    0001.c7a9.d501    DYNAMIC     Gig0/1
   1    0007.ec9c.8167    STATIC      Fa0/2
Switch#


Switch#show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0001.43EC.7639:1
Security Violation Count : 0
Switch#


   Final Word

In this article, we covered the basics of how to provide port security on Cisco switches. Thanks for following us!
