How to Configure Port Security on Cisco Switch in GNS3

In this article, we will examine how to enable Port-Security on a Layer 2 Switch in the GNS3 network simulator.


How to Configure Port Security on Layer 2 Switch

First, it is necessary to understand the logic and importance of Port Security (PS) on Cisco Switches.
If you are using a Cisco Switch on a network, we recommend that you enable Port Security on its interfaces for network security.

You can easily apply this security feature to any interface on the Cisco Switch.

For example, if a computer in a firm's accounting room is connected to the FastEthernet0/5 port of the Switch, and only one person uses it, you can apply Port Security on the FastEthernet0/5 interface.

An interface with Port Security is bound to the MAC address of that computer, which prevents another computer from connecting through this interface.

The Switch interface is matched to the MAC address of the computer, so a computer with a different MAC address is blocked from reaching the network through this Switch interface.

A person who wants to obtain your company's information without permission does not only attack through the Internet; they can also attack your company physically.

For example, such a person could start working as a staff member in your company in order to reach your important data by connecting their own computer to network devices in other departments.

To prevent such interference, you should configure Port-Security if you are using Cisco Switches in your company.

In addition, Port Security has several violation scenarios (modes):

1. Close Interface [ shutdown ]

This setting closes the interface (puts it in the err-disable state) in case of a violation and sends a notification on the Switch.

2. Restrict Interface [ Restrict ]

This setting does not close the interface in case of a violation; it blocks traffic from the unknown MAC address and only sends a notification.

3. Preserve Interface [ Protect ]

This setting does not close the interface in case of a violation and does not send a notification. It only protects the port by silently blocking traffic from the unknown MAC address.

When a different computer is connected to a Switch interface with Port-Security configured, the Cisco Switch either closes or restricts that port, depending on the mode.

If you only restrict, the Switch will not close the interface you have configured but will restrict access.

Before configuring Port-Security, add an L2 Switch in Graphical Network Simulator-3 (GNS3). Also, in order to use a virtual computer, add VPCS to the workspace.

How to Add L2 SW
How to Install VPCS

In this article, we will examine how to prevent the attack method mentioned above by enabling Port Security on a Layer 2 Switch.

How to Configure Port Security in L2 Switch

Follow the steps below to enable Port-Security on the Cisco L2 switch.

   Step 1

After running GNS3, create a new project.

Creating a New Project in GNS3

   Step 2

Add one Layer 2 switch to the GNS3 workspace.

Add Switches to Workspace

   Step 3

Add 2 virtual computers VPCS to the GNS3 workspace.

Adding VPCS to the Workspace

   Step 4

Right-click on the Cisco Layer 2 Switch to add interfaces and improve its performance.

Right-Click on Switch

   Step 5

Click Configure from the options on the L2 Switch.

Switch Configuration

   Step 6

Increase the RAM value of the L2 Switch as follows, and then click the HDD tab.

Increasing the RAM of the Switch

   Step 7

On the HDD tab, select SATA as the disk interface. This option will enable the Cisco Switch to perform more efficiently.

Configuring the Disk Interface as SATA

   Step 8

Click the Network tab in the L2 Switch window and specify how many interfaces you will use in the Adapters section, and then click the OK button to save the settings.

Add a Network Adapter to a Switch

   Step 9

To cable the network devices in the GNS3 workspace, click the cabling tool as in the image below.

Cabling Network Devices in GNS3

   Step 10

After wiring the devices in the workspace, click the Start All Nodes button.

Running All Nodes

   Step 11

The devices should be running properly, as in the following image.

Run All Network Devices

   Step 12

You can make the topology easier to read by adding notes (comments) on the GNS3 workspace. Now open the console windows of all devices.

Opening the CLI Command Prompt

   Step 13

To assign an IP address to VPCS PC1, execute the following command.

ip 192.168.5.5/24 192.168.5.1

   Step 14

To assign an IP address to the VPCS PC2, execute the following command.

ip 192.168.5.10/24 192.168.5.1

After configuring the VPCS PCs, check the TCP/IP settings with the show ip command.

show ip

   Step 15

The connection test from PC1 to PC2 will be successful as in the following image.

ping 192.168.5.10

   Step 16

The connection test from PC2 to PC1 will be successful as in the following image.

ping 192.168.5.5

   Step 17

Use the following commands to assign an IP address to VLAN1 on the Layer 2 Cisco Switch.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1
*May 26 22:55:21.080: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed s
Switch(config-if)#ip address 192.168.5.100 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#end
Switch#

   Step 18

In this step, execute the commands below to enable Port-Security on the Switch interfaces.

If you only want to restrict the port instead of shutting it down, use restrict instead of shutdown in the switchport port-security violation command.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface gigabitethernet 0/0
Switch(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#exit
Switch(config)#
Switch(config)#
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#end
Switch#wr

Set the Cisco Switch's interface from Dynamic mode to Access mode with the "switchport host" command. Otherwise, the Cisco Switch interface will not be set to an Access Port!

   Step 19

By running the show port-security command in privileged EXEC mode on the Cisco Switch, you can check for any violations on the interfaces.

The SecurityViolation column will show 0 since no violation has taken place yet.

show port-security

   Step 20

You can examine the port-related information and violations by running the "show port-security interface gigabitethernet 0/0" command on the L2 Switch.

show port-security interface gigabitethernet 0/0

   Step 21

After configuring PS, ping from PC1 to PC2 to test the connection between the PCs.

Ping Between VPCS

   Step 22

Pinging from PC2 to PC1 will also be successful.

Ping Between VPCS

   Step 23

After the ping operation between the computers, the MAC address table on the Cisco Switch is updated.

The Switch has recorded the MAC addresses of PC1 and PC2 in the table (as sticky secure addresses) and will compare the source MAC address of incoming frames with them to detect a violation.

show mac address-table

   Step 24

The test will also be successful if you ping the IP address of VLAN1 from the computers.

Ping the VLAN's IP Address

   Step 25

Pinging from PC2 to VLAN1 will also be successful.

Ping the VLAN's IP Address

   Step 26

After enabling PS, add another VPCS to the workspace to test whether this feature works.

Adding a New VPCS

   Step 27

Configure the IP settings of the VPCS PC3 as follows.

VPCS3 IP Settings

   Step 28

Now, right-click the cable between PC1 and the L2 Switch and click Delete to remove it.

Ending Switch Connection with PC

   Step 29

Click the cabling tool to connect VPCS PC3 to the L2 Switch.

Connecting the New Computer to the Switch

   Step 30

When you click the L2 Switch, select the Ethernet0/0 interface.

PC1 was connected to this interface; check what happens when you connect PC3 to it instead.

Ethernet0

   Step 31

When you ping from PC3 to PC2, you will receive the host unreachable message as follows.

Host Unreachable Message

   Step 32

Since a violation has occurred, the following log records will appear in the Switch's console:

Switch#
*May 26 23:03:58.687: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*May 26 23:03:58.697: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port GigabitEthernet0/0.
*May 26 23:03:59.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*May 26 23:04:00.693: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Switch#

In the log above, you can see that there is a security violation on GigabitEthernet0/0.

Immediately after this notification, the Switch will close the corresponding port.
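The two port-security messages above are what a monitoring pipeline should key on. As an added example that is not part of the original article, the Python below parses such console lines (the sample is constructed from the log in this step) into structured events, normalises the long and short interface names the two messages use, and reports which ports were err-disabled by a violation.

```python
import re
from dataclasses import dataclass

# Constructed sample: three of the lines the switch console printed in Step 32.
SAMPLE_LOG = """\
*May 26 23:03:58.687: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*May 26 23:03:58.697: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port GigabitEthernet0/0.
*May 26 23:03:59.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
"""

TIMESTAMP_RE = re.compile(r"^\*?(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}):")
# PSECURE_VIOLATION names the port in long form (GigabitEthernet0/0), ERR_DISABLE in short form (Gi0/0)
VIOLATION_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
                          r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (?P<port>[A-Za-z]+[\d/]+)")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[A-Za-z]+[\d/]+),")

@dataclass
class PortSecurityEvent:
    timestamp: str
    port: str   # normalised short name, e.g. Gi0/0
    kind: str   # "violation" or "err-disable"
    mac: str = ""

def short_ifname(name):
    """Map IOS long interface names to the short form used by show commands."""
    for long, short in (("GigabitEthernet", "Gi"), ("FastEthernet", "Fa"), ("Ethernet", "Et")):
        if name.startswith(long):
            return short + name[len(long):]
    return name

def parse_events(log_text):
    """Extract port-security events from raw IOS console/syslog text; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        ts_m = TIMESTAMP_RE.match(line)
        ts = ts_m.group("ts") if ts_m else ""
        if m := VIOLATION_RE.search(line):
            events.append(PortSecurityEvent(ts, short_ifname(m.group("port")), "violation", m.group("mac")))
        elif m := ERRDISABLE_RE.search(line):
            events.append(PortSecurityEvent(ts, short_ifname(m.group("port")), "err-disable"))
    return events

def errdisabled_by_violation(events):
    """Ports that raised a violation and were then err-disabled: the outcome of violation mode shutdown."""
    violated = {e.port for e in events if e.kind == "violation"}
    return violated & {e.port for e in events if e.kind == "err-disable"}

if __name__ == "__main__":
    print(errdisabled_by_violation(parse_events(SAMPLE_LOG)))
```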

Examining the Port's Violation Status

   Step 33

When you run the show port-security command on the Layer 2 Switch, you will see the violation counted on Gig0/0.

show port-security

   Step 34

Likewise, when you check the interface states by running the show ip interface brief command on the L2 Switch, you can see that the GigabitEthernet0/0 interface is down.

show ip interface brief

   Step 35

PC3 could not access the network due to Port-Security. Unplug its cable so that you can connect the PC1 computer to the L2 Switch again.

Removing the Cable Between PC3 and Switch

   Step 36

Reconnect PC1 to interface 0/0 on the L2 Switch.

L2 Ethernet0

   Step 37

Since the Cisco Switch has closed the Gig0/0 interface, you must re-enable it. To reactivate this interface, run shutdown and then no shutdown under it.

The Switch successfully defended itself by shutting down the interface. If the Violation option had been set to Restrict, the interface would not have been closed.

Switch's Ethernet Interface

   Step 38

When you run the show port-security command again, you can see that the violation column is cleared.

show port-security

   Step 39

You can see that PC1 accessed the network environment successfully again!

Network Testing with Ping

Show Commands

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              1            0                  0         Shutdown
      Gi0/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
Switch#

 

Switch#show port-security interface gigabitethernet 0/0
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
Switch#

 

Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    STATIC      Gi0/0
   1    0050.7966.6801    STATIC      Gi0/1
Total Mac Addresses for this criterion: 2
Switch#

 


Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              1            1                  1         Shutdown
      Gi0/1              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
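A periodic check of this table is a cheap way to catch err-disabled ports or drift from the intended configuration. As an added example that is not the article's own code, the Python below parses show port-security output (the sample is the table above plus one constructed Gi0/2 row in restrict mode) and audits each port against the policy of Step 18; the expected action and MAC limit are assumed defaults.

```python
import re

# Constructed sample: the show port-security output after the PC3 violation (Step 33),
# plus one hypothetical Gi0/2 row in restrict mode to exercise the policy check.
SAMPLE_OUTPUT = """\
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              1            1                  1         Shutdown
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              3            2                  5         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
"""

ROW_RE = re.compile(r"^\s*(?P<port>[A-Za-z]+[\d/]+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$")

def parse_show_port_security(text):
    """Return {port: {"max": n, "current": n, "violations": n, "action": str}} from the table body."""
    rows = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = not in_table   # the dashed lines open and close the table body
            continue
        if in_table and (m := ROW_RE.match(line)):
            rows[m["port"]] = {"max": int(m["max"]), "current": int(m["cur"]),
                               "violations": int(m["viol"]), "action": m["action"]}
    return rows

def audit(rows, expected_action="Shutdown", max_allowed=1):
    """Flag ports that drift from the Step 18 policy (one sticky MAC, violation shutdown) or have counted a violation."""
    findings = []
    for port, r in sorted(rows.items()):
        if r["violations"] > 0:
            findings.append(f"{port}: {r['violations']} violation(s) counted, investigate before re-enabling")
        if r["action"] != expected_action:
            findings.append(f"{port}: violation mode is {r['action']}, expected {expected_action}")
        if r["max"] > max_allowed:
            findings.append(f"{port}: allows {r['max']} secure MACs, policy allows {max_allowed}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show_port_security(SAMPLE_OUTPUT)):
        print(finding)
```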

 


   Final Word


In this article, we have completed the Port Security configuration on an L2 Switch. When implementing it in a real scenario, you should configure the MAC addresses as static. Thanks for following us!
