In this article, we will examine how to use Port Security on a Switch using Packet Tracer software.
How to Enable Port Security on Cisco Switch
Setting up Port Security is a straightforward process. First, the interface is configured as an access port with the switchport mode access command.
If you skip this step, the switch rejects the switchport port-security command and reports that the interface is a dynamic port: port security cannot be enabled on a port whose mode is still negotiated dynamically, which is the default. This is why the order of the commands matters. Set each interface to access mode before enabling port security on it.
After Port Security is enabled, you must specify the violation mode for the port. The violation mode decides what the switch does when a frame arrives from a MAC address that is not allowed on that port.
There are three violation modes:
- Shutdown: the port is placed in the error-disabled state, the violation counter is incremented, and the port stays down until an administrator brings it back up. This is the default mode.
- Restrict: frames from the unknown MAC address are dropped, the violation counter is incremented and the event is logged, but the port stays up.
- Protect: frames from the unknown MAC address are dropped silently, with no counter increment and no log message.
Since Shutdown is the strictest of the three, in this article we will only use Shutdown for the violated interface.
We can now proceed to enable and test port security on the Switch.
Step 1
Open Cisco Packet Tracer and add one Router, one Switch and two computers to the workspace, then assign an IP address to the Router's LAN interface.
Step 2
Before enabling Port Security, test the network connection between the clients. From PC0, ping the Router's interface and PC1 to verify connectivity.
Step 3
Similarly, test the connection with Ping from PC1. After the connection test, click on the Cisco Switch.
Step 4
Click on the Switch to open the CLI tab, and then execute the following commands to enable port security on the two ports the computers are connected to.
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#
Switch(config-if)#exit
Switch(config)#
Switch(config)#interface fastethernet0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#
Switch(config-if)#end
Switch#
If we explain the above configuration commands:
- Port Security is activated on the FastEthernet0/1 and FastEthernet0/2 interfaces of the switch.
- Each interface is first set to access mode with the switchport mode access command.
- With the mac-address sticky command, the MAC address of the computer connected to the interface is learned automatically and written into the running configuration, so it is kept across link flaps (and across reloads, if the configuration is saved).
- With maximum 1, only one MAC address is allowed on the port; a frame from any other source MAC address is a violation.
- With violation shutdown, a violation on Fa0/1 or Fa0/2 places that interface in the error-disabled state.
Step 5
In privileged mode on the switch, execute the show port-security command. The SecurityViolation (Count) column shows 0 because no violations have occurred on the interfaces yet.
Step 6
When you execute the show mac address-table command, you can see that the MAC addresses of the computers connected to the switch are saved in the table as STATIC entries on Fa0/1 and Fa0/2; these are the sticky secure addresses. The source address of every frame arriving on those ports is checked against these entries, and a mismatch is a violation.
Step 7
You can view the detailed information on the FastEthernet0/1 interface by applying the show port-security interface fa0/1 command.
Step 8
Now, add another computer (PC2) to the workspace to test whether port security is working, and configure its IP settings. Then disconnect the cable between PC0 and Switch0.
Step 9
After configuring PC2, connect it to the Fa0/1 interface on Switch0, the port whose sticky address belongs to PC0.
Step 10
When you ping from PC2 to PC1, the ping fails.
The first frame from PC2 carries a source MAC address that differs from the sticky address the switch stored for Fa0/1. Because the port already holds its maximum of one secure address, the switch counts this as a violation and, since the violation mode is shutdown, immediately places Fa0/1 in the error-disabled state.
Step 11
After the violation, check the interface status by running the show ip interface brief command at the CLI prompt.
As you can see in the image below, the FastEthernet0/1 interface is down: port security has error-disabled it.
Step 12
Likewise, when you execute the show port-security command, you can see that the SecurityViolation (Count) value for Fa0/1 has increased to 1.
Step 13
Because a port shut down by a violation stays in the error-disabled state, a system administrator must re-enable it manually. To bring Fa0/1 up again, enter interface configuration mode for it and execute the shutdown command followed by no shutdown. (On real IOS switches, errdisable recovery cause psecure-violation can be configured to re-enable such ports automatically after a timer; this article does not use it.)
Step 14
After activating the FastEthernet0/1 interface, disconnect PC2, connect PC0 to the switch again and test the network connection. PC0's MAC address is still the sticky address on Fa0/1, so its traffic is forwarded normally.
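The following is an added example, not code from the original article or from Cisco. It models the decision logic the article describes: sticky learning up to the configured maximum, then the three violation modes listed earlier, replayed over the test in Steps 8 to 14 (PC0 talks, PC2 is swapped in, PC0 returns, the administrator recovers the port). The SecurePort class, its method names and PC2's MAC address are assumptions made for this illustration; PC0's address is the one shown in the article's running-config.

```python
"""Model of the port-security decision logic this article describes.

Added example, not code from the original article or from Cisco: it models
sticky learning, the maximum-address limit and the three violation modes so
their differences are visible side by side. The SecurePort class, its method
names and the PC2 MAC address are assumptions made for this illustration;
PC0's address is the one shown in the article's running-config.
"""
from dataclasses import dataclass, field

PC0_MAC = "0001.43ec.7639"   # from the article's show run output
PC2_MAC = "00d0.58aa.1b2c"   # constructed for the example


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # switchport port-security maximum 1
    violation: str = "shutdown"    # shutdown | restrict | protect
    sticky: list = field(default_factory=list)  # learned secure MACs
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process one frame; return True if forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                       # err-disabled ports pass nothing
        if src_mac in self.sticky:
            return True                        # known secure address
        if len(self.sticky) < self.maximum:
            self.sticky.append(src_mac)        # sticky learning, written to config
            self.log.append(f"{self.name}: learned sticky {src_mac}")
            return True
        # table full and source MAC unknown: a security violation
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True
            self.log.append(f"{self.name}: violation by {src_mac}, port err-disabled")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.log.append(f"{self.name}: violation by {src_mac}, frame dropped")
        # protect: drop silently, no counter, no log
        return False

    def recover(self) -> None:
        """Administrator runs shutdown / no shutdown; sticky MACs are kept."""
        self.err_disabled = False


def run_scenario(mode: str):
    """Replay the article's test: PC0 talks, PC2 is swapped in, PC0 returns."""
    port = SecurePort("Fa0/1", violation=mode)
    forwarded = [port.receive(PC0_MAC), port.receive(PC0_MAC),
                 port.receive(PC2_MAC), port.receive(PC0_MAC)]
    return port, forwarded


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        port, forwarded = run_scenario(mode)
        print(mode, forwarded, "violations:", port.violation_count,
              "err-disabled:", port.err_disabled)
        for entry in port.log:
            print("  ", entry)
```

Running it shows the practical difference between the modes: in shutdown mode the returning PC0 is also cut off until recover() is called, whereas restrict and protect keep the port up and only drop PC2's frames, with protect leaving no counter or log entry behind for an operator to notice.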
Show Commands
For reference, the full output of the show commands used above follows. Note that the running configuration does not list switchport port-security maximum 1 or switchport port-security violation shutdown under Fa0/1 and Fa0/2: both are the defaults, and IOS omits default values from the configuration. The sticky MAC addresses, on the other hand, are written into the configuration as additional mac-address sticky lines.
Switch#show run
Building configuration...
Current configuration : 1357 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0001.43EC.7639
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0007.EC9C.8167
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
end
Switch#
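The following is an added example, not code from the original article or from Cisco. It audits a running-config like the one above for the settings this article configures on edge ports (access mode, port-security enabled, sticky learning, violation shutdown), treating a missing maximum or violation line as the IOS default. The function names are assumptions; the sample configuration copies Fa0/1 and Fa0/2 from the article's output and adds Fa0/3, Fa0/4 and Fa0/5 as constructed, deliberately weaker ports so the audit has something to flag.

```python
"""Audit a Cisco switch running-config for port-security on edge ports.

Added example, not code from the original article or from Cisco. It parses
the interface stanzas of a running-config and checks each FastEthernet port
against the settings this article configures (access mode, port-security,
sticky learning, violation shutdown). The function names and the extra
interfaces in the sample are assumptions for this illustration.
"""
import re

# Constructed sample: Fa0/1 and Fa0/2 are copied from the article's show run;
# Fa0/3, Fa0/4 and Fa0/5 are added so that the audit has something to flag.
SAMPLE_CONFIG = """\
hostname Switch
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.43EC.7639
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0007.EC9C.8167
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
!
interface FastEthernet0/5
!
interface GigabitEthernet0/1
!
interface Vlan1
 no ip address
 shutdown
!
end
"""

# IOS omits default values from the running-config: a secured port with no
# explicit maximum or violation line is running maximum 1 / violation shutdown.
DEFAULT_MAXIMUM = 1
DEFAULT_VIOLATION = "shutdown"


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]} for each stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line == "!":
            current = None                  # stanza terminator
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def port_security_state(lines: list) -> dict:
    """Reduce an interface stanza to its effective port-security settings."""
    state = {"mode": "dynamic", "enabled": False, "sticky": False,
             "maximum": DEFAULT_MAXIMUM, "violation": DEFAULT_VIOLATION,
             "secure_macs": []}
    for line in lines:
        if line == "switchport mode access":
            state["mode"] = "access"
        elif line == "switchport mode trunk":
            state["mode"] = "trunk"
        elif line == "switchport port-security":
            state["enabled"] = True
        elif line == "switchport port-security mac-address sticky":
            state["sticky"] = True
        elif line.startswith("switchport port-security mac-address sticky "):
            state["secure_macs"].append(line.split()[-1].lower())
        elif line.startswith("switchport port-security maximum "):
            state["maximum"] = int(line.split()[-1])
        elif line.startswith("switchport port-security violation "):
            state["violation"] = line.split()[-1]
    return state


def audit(config: str, edge_prefixes=("FastEthernet",)) -> dict:
    """Return {interface: [findings]} for edge ports; an empty list means OK."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if not name.startswith(edge_prefixes):
            continue                        # uplinks and SVIs are out of scope
        s = port_security_state(lines)
        findings = []
        if not s["enabled"]:
            findings.append("port-security not enabled")
        if s["mode"] != "access":
            findings.append(f"not an access port (mode {s['mode']})")
        if s["enabled"] and not s["sticky"] and not s["secure_macs"]:
            findings.append("no sticky learning and no static secure MAC")
        if s["violation"] != "shutdown":
            findings.append(f"violation mode is {s['violation']}, not shutdown")
        if len(s["secure_macs"]) > s["maximum"]:
            findings.append("more sticky MACs than maximum allows")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

The uplink (GigabitEthernet0/1) is skipped on purpose: the edge_prefixes parameter limits the check to ports where a single host is expected, since a port-security maximum of 1 on an uplink would error-disable it as soon as a second MAC address appears.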
Router#show running-config
Building configuration...
Current configuration : 620 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX1524837C
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 192.168.5.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
Router#
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            0                  0         Shutdown
      Fa0/2              1            0                  0         Shutdown
---------------------------------------------------------------------------
Switch#
Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.43ec.7639    STATIC      Fa0/1
   1    0001.c7a9.d501    DYNAMIC     Gig0/1
   1    0007.ec9c.8167    STATIC      Fa0/2
Switch#
Switch#show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0001.43EC.7639:1
Security Violation Count : 0
Switch#
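The following is an added example, not code from the original article or from Cisco. It parses the show port-security summary table and the per-interface output shown above and raises an alert for every port whose violation counter is non-zero, noting when the port has been error-disabled and which source address caused it; this is the check an operator would run across switches instead of reading each table by hand. The function names are assumptions, and the two samples are constructed to match the state the article describes after PC2 triggers the violation on Fa0/1 (Steps 10 to 12).

```python
"""Detect port-security violations from show command output.

Added example, not code from the original article or from Cisco. It parses
the show port-security summary table and the per-interface output and raises
an alert for every port whose violation counter is non-zero, noting whether
the port has been error-disabled. The function names are assumptions; the
samples are constructed to match the state the article describes once PC2
has triggered a violation on Fa0/1.
"""
import re

# Constructed sample: the summary table as it looks after the violation (Step 12)
SUMMARY_AFTER = """\
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
      Fa0/2              1            1                  0         Shutdown
---------------------------------------------------------------------------
"""

# Constructed sample: show port-security interface fa0/1 after the violation
DETAIL_FA0_1 = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00D0.58AA.1B2C:1
Security Violation Count   : 1
"""

# One data row: port, three integer counters, then the action
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# "Key : Value"; the key may itself contain a colon (Last Source Address:Vlan)
FIELD = re.compile(r"^(.+?)\s+:\s+(.*)$")


def parse_summary(text: str) -> dict:
    """Return {port: {max, current, violations, action}} from the table."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, maximum, current, violations, action = m.groups()
            rows[port] = {"max": int(maximum), "current": int(current),
                          "violations": int(violations), "action": action}
    return rows


def parse_detail(text: str) -> dict:
    """Return {field: value} from show port-security interface output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def alerts(summary_text: str, details: dict) -> list:
    """details maps a port name to its show port-security interface output."""
    out = []
    for port, row in parse_summary(summary_text).items():
        if row["violations"] == 0:
            continue
        msg = f"{port}: {row['violations']} violation(s), action {row['action']}"
        d = parse_detail(details.get(port, ""))
        if d.get("Port Status") == "Secure-shutdown":
            msg += (f", port err-disabled by {d.get('Last Source Address:Vlan')}"
                    ", needs shutdown / no shutdown")
        out.append(msg)
    return out


if __name__ == "__main__":
    for line in alerts(SUMMARY_AFTER, {"Fa0/1": DETAIL_FA0_1}):
        print(line)
```

Run against the article's own output from before the test (every SecurityViolation count 0) the same code produces no alerts, which is the expected quiet state; the Last Source Address field is what tells the operator which device to go and find before re-enabling the port.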
Conclusion
In this article, we covered the basics of how to provide port security on Cisco switches. Thank you for following us!