How to Configure Port Security on Cisco Switch in GNS3

In this article, we will examine how to enable Port-Security on Layer 2 Switch in the Network Simulator software.

Configuring Port Security on Cisco Switch in GNS3

How to Configure Port Security on Layer 2 Switch

First, it is necessary to understand the logic and importance of Port Security (PS) in Cisco Switches.
If you are using a Cisco Switch on a network, we recommend that you enable Port Security on devices for network security.

You can easily apply this security feature to any Interface on the Cisco Switch.

For example, suppose a computer in a firm’s accounting room is connected to the FastEthernet 0/5 port of the Switch, and only one person uses it. In that case, you can apply Port Security on the FastEthernet 0/5 interface.

An interface with Port Security is bound to the MAC address of that computer, so another laptop cannot connect to the network through this interface.

Because the interface only accepts the learned MAC address, a laptop with a different MAC address is prevented from joining the network through that port of the Switch.

A person who wants to obtain your company information without permission does not only attack through the Internet. They can also attack your company physically.

For example, an attacker could start working as a staff member in your company so that they can reach your essential data by connecting their own computer to network devices in other departments.

To prevent such interference, you may need to configure Port-Security if you are using Cisco Switch in your company.

In addition, Port Security has several violation modes:

  • Close Interface [ shutdown ]

In case of a violation, this mode puts the interface into the err-disabled state (shutting it down) and logs a notification on the Switch.

  • Restrict Interface [ Restrict ]

This mode does not close the interface in case of a violation; it drops the frames from the unknown MAC address, increments the violation counter and sends a notification.

  • Preserve Interface [ Protect ]

This mode does not close the interface and does not send a notification in case of a violation. It silently drops the frames from the unknown MAC address and only protects the port.

When a different computer is connected to a Switch interface with Port-Security configured, the Cisco Switch either closes or restricts that port, depending on the violation mode.

If you choose restrict, the Switch will not close the interface you have configured but will limit access to the learned MAC address.
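To make the three violation modes concrete, here is an added Python model (not IOS code and not from the original article) that replays the scenario of this article: PC1 is sticky-learned on a maximum-1 port, PC3 (MAC 0050.7966.6802, as in the log later in this article) plugs in, and then PC1 transmits again. The class name SecurePort and the replay helper are this example's own inventions.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Toy model of one port-security interface (added example, not IOS code)."""
    name: str
    maximum: int = 1                 # switchport port-security maximum 1
    violation: str = "shutdown"      # shutdown | restrict | protect
    secure_macs: set = field(default_factory=set)   # sticky-learned addresses
    violation_count: int = 0         # the SecurityViolation (Count) column
    err_disabled: bool = False
    logs: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """A frame arrives from src_mac: True if forwarded, False if dropped."""
        if self.err_disabled:
            return False                       # err-disabled port drops everything
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # sticky: first MAC seen becomes secure
            return True
        if self.violation == "protect":
            return False                       # drop silently: no count, no log
        self.violation_count += 1
        self.logs.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                         f"occurred, caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True           # err-disable also cuts off the legitimate host
            self.logs.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected "
                             f"on {self.name}, putting {self.name} in err-disable state")
        return False

    def clear_errdisable(self) -> None:
        """Operator recovery: 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False


def replay(violation: str) -> dict:
    """PC1 is learned, PC3 plugs in, PC1 sends again; summarize the outcome."""
    port = SecurePort("GigabitEthernet0/0", violation=violation)
    pc1, pc3 = "0050.7966.6800", "0050.7966.6802"   # PC1 and PC3 MACs from this article
    port.receive(pc1)
    pc3_forwarded = port.receive(pc3)
    pc1_after = port.receive(pc1)
    return {"pc3_forwarded": pc3_forwarded, "pc1_after": pc1_after,
            "violations": port.violation_count, "err_disabled": port.err_disabled,
            "logged": len(port.logs)}
```

Note that in shutdown mode the legitimate PC1 is also cut off until the operator clears the err-disabled state, while restrict and protect keep PC1 working and only drop PC3; only protect leaves no counter or log entry behind.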

Before configuring Port-Security, add L2 Switch on Graphical Network Simulator-3. Also, in order to use a Virtual Computer, add VPCS to the workspace.

  1. How to Add L2 SW
  2. How to Install VPCS

In this article, we will examine how to prevent the attack method mentioned by enabling Port Security on the Layer 2 Switch.

How to Configure Port Security in L2 Switch

Follow the steps below to enable the Port-Security on the Cisco L2 switch.

Step 1

After running GNS3, create a new project.

Creating a New Project in GNS3

Step 2

Add one Layer 2 switch to the GNS3 workspace.

Add Switches to Workspace

Step 3

Add 2 virtual computers VPCS to the GNS3 workspace.

Adding VPCS to the Workspace

Step 4

Right-click on Cisco Layer 2 Switch to add interfaces and improve performance.

Right-Click on Switch

Step 5

Click Configure from the options on the L2 Switch.

Switch Configuration

Step 6

Increase the RAM value of the L2 Switch as follows, and then click the HDD tab.

Increasing the RAM of the Switch

Step 7

Continue selecting SATA on the HDD tab. This option will enable Cisco Switch to perform more efficiently.

Configuring the Disk Interface as SATA

Step 8

Click the Network tab in the L2 Switch window, specify how many interfaces you will use in the Adapters section, and then click the OK button to save the settings.

Add a Network Adapter to a Switch

Step 9

To cable the network devices in the GNS3 workspace, click the cabling tool as in the image below.

Cabling Network Devices in GNS3

Step 10

After wiring the devices in the workspace, click the Start All Nodes button.

Running All Nodes

Step 11

The devices should be running correctly, as in the following image.

Run All Network Devices

Step 12

You can add notes to the GNS3 workspace to make the topology easier to follow. Now open the console windows of all devices.

Opening the CLI Command Prompt

Step 13

To assign an IP address to VPCS PC1, execute the following command.

ip 192.168.5.5/24 192.168.5.1

Step 14

To assign an IP address to the VPCS PC2, execute the following command.

ip 192.168.5.10/24 192.168.5.1

After configuring VPCS PCs, check the TCP/IP settings using the show ip command.

show ip

Step 15

The connection test from PC1 to PC2 will be successful, as in the following image.

ping 192.168.5.10

Step 16

The connection test from PC2 to PC1 will be successful, as in the following image.

ping 192.168.5.5

Step 17

Use the following commands to assign an IP address to VLAN 1 on the Layer 2 Cisco Switch.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1
*May 26 22:55:21.080: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed s
Switch(config-if)#ip address 192.168.5.100 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#end
Switch#

Step 18

In this step, execute the commands below to enable Port Security on the Switch.

If you only want to restrict the port instead of shutting it down, change the violation mode from shutdown to restrict.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface gigabitethernet 0/0
Switch(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#exit
Switch(config)#
Switch(config)#
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#end
Switch#wr

Set the Cisco Switch’s interface from dynamic mode to access mode with the switchport host command. Otherwise, the interface will not become an access port, and port security cannot be enabled on it!

Step 19

By running the show port-security command in privileged mode on the Cisco Switch, you can check for any violations on the interfaces.

The SecurityViolation column will show 0 for each port, since no violation has occurred yet.

show port-security

Step 20

You can examine the port-related information and violations by applying the “show port-security interface gigabitethernet 0/0” command on the L2 Switch.

show port-security interface gigabitethernet 0/0

Step 21

After configuring PS, ping from PC1 to PC2 to test the connection between the PCs.

Ping Between VPCS

Step 22

Pinging from PC2 to PC1 will also be successful.

Ping Between VPCS

Step 23

After the Ping operation between computers, the MAC address table on the Cisco Switch is updated.

The switch has recorded the MAC addresses of PC1 and PC2 in the table and will compare them with the MAC addresses here in case of any violation.

show mac address-table

Step 24

The test will also be successful if you Ping the IP address of the VLAN1 from the computers.

Ping the VLAN's IP Address

Step 25

Pinging from PC2 to VLAN1 will also be successful.

Ping the VLAN's IP Address

Step 26

After enabling PS, add another VPCS to the workspace to test whether this feature works.

Adding a New VPCS

Step 27

Configure the IP settings of the VPCS PC3 as follows.

VPCS3 IP Settings

Step 28

Now, right-click to remove the cable between PC1 and L2 Switch and click Delete.

Ending Switch Connection with PC

Step 29

Click the wiring option to connect the VPCS PC3 to the L2 Switch.

Connecting the New Computer to the Switch

Step 30

When you click L2 Switch, select the Ethernet0/0 interface.

PC1 was previously connected to this interface; now check what happens when PC3 is connected to it instead.

Ethernet0

Step 31

When you ping from PC3 to PC2, you will receive the host unreachable message as follows.

Host Unreachable Message

Step 32

Since a violation has occurred, the following log records will appear in the switch’s console:

Switch#
*May 26 23:03:58.687: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*May 26 23:03:58.697: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port GigabitEthernet0/0.
*May 26 23:03:59.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*May 26 23:04:00.693: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Switch#

In the log above, you can see that there is a security breach on GigabitEthernet0/0.

Immediately after this notification, the Switch will close the corresponding port.

Examining the Port's Violation Status
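As an added example for the defender reading these logs (not part of the original article), the following Python parses the two port-security syslog messages and the data rows of the show port-security summary, unifying the Gi0/0 and GigabitEthernet0/0 spellings IOS uses in the two messages so the events can be correlated per port. The sample text is copied from this article's own output; the function names are this example's own.

```python
import re

# Patterns for the two port-security syslog messages shown in this article
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by "
    r"MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+)\.")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")
# Data rows of 'show port-security': port, max, current, violation count, action
ROW_RE = re.compile(r"^\s*(?P<port>\S+)\s+\d+\s+\d+\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$")


def normalize_port(name: str) -> str:
    """IOS writes Gi0/0 in one message and GigabitEthernet0/0 in the other; unify them."""
    return re.sub(r"^Gi(?=\d)", "GigabitEthernet", name)


def parse_psecure_events(log_text: str) -> dict:
    """Return {port: {"macs": [offending MACs], "err_disabled": bool}} from syslog text."""
    ports: dict = {}
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            entry = ports.setdefault(normalize_port(m["port"]), {"macs": [], "err_disabled": False})
            entry["macs"].append(m["mac"])
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            entry = ports.setdefault(normalize_port(m["port"]), {"macs": [], "err_disabled": False})
            entry["err_disabled"] = True
    return ports


def ports_with_violations(show_output: str) -> list:
    """Return [(port, violation_count, action)] for rows whose count is non-zero."""
    hits = []
    for line in show_output.splitlines():
        m = ROW_RE.match(line)
        if m and int(m["viol"]) > 0:
            hits.append((normalize_port(m["port"]), int(m["viol"]), m["action"]))
    return hits


# Sample input copied from this article's switch console and show output
SAMPLE_LOG = """\
*May 26 23:03:58.687: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*May 26 23:03:58.697: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port GigabitEthernet0/0.
"""
SAMPLE_SHOW = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
      Gi0/0              1            1                  1         Shutdown
      Gi0/1              1            1                  0         Shutdown
"""
```

Running parse_psecure_events(SAMPLE_LOG) reports GigabitEthernet0/0 as err-disabled with the offending MAC 0050.7966.6802, and ports_with_violations(SAMPLE_SHOW) lists only Gi0/0, which is what a monitoring job would alert on.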

Step 33

When you run the show port-security command on the Layer 2 Switch, you can see the violation count for Gig0/0.

show port-security

Step 34

Likewise, when you check the interface states by running the show ip interface brief command on the L2 Switch, you can see that the GigabitEthernet0/0 interface is down.

show ip interface brief

Step 35

PC3 could not access the network due to port security. Remove the cable between PC3 and the L2 Switch so that the PC1 computer can be connected again.

Removing the Cable Between PC3 and Switch

Step 36

Reconnect the PC1 to interface 0/0 on the L2 Switch.

L2 Ethernet0

Step 37

Since the Cisco Switch has placed the Gig0/0 interface in the err-disabled state, you must re-enable it. To re-activate this interface, run shutdown and then no shutdown on the interface.

The Switch successfully defended itself by shutting down the interface. If the violation option had been set to restrict, the interface would not have been closed.

Switch's Ethernet Interface

Step 38

When you rerun the show port-security command, you can see that the violation count has been cleared.

show port-security

Step 39

You can see that PC1 accessed the network environment successfully again!

Network Testing with Ping

Show Commands Related to Port Security

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              1            0                  0         Shutdown
      Gi0/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
Switch#

Switch#show port-security interface gigabitethernet 0/0
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
Switch#

Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    STATIC      Gi0/0
   1    0050.7966.6801    STATIC      Gi0/1
Total Mac Addresses for this criterion: 2
Switch#

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              1            1                  1         Shutdown
      Gi0/1              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Conclusion

In this article, we have completed the Port Security configuration on the L2 Switch. When implementing it in a real network, you should configure the MAC addresses as static. Thanks for following us!