Scribd
Upload
63 views

Lab 05

This document describes a lab experiment on configuring port security on an Ethernet switch. It involves: 1) Viewing the MAC address table and checking port status. 2) Configuring port security on ports Fa0/1-6 in access mode with sticky MAC learning and a maximum of 1 MAC. 3) Setting the violation mode to shutdown. 4) Verifying port security is enabled and checking settings. 5) Triggering a violation by changing the PC MAC and verifying the port status changes to secure-shutdown.

Uploaded by

ammar
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
63 views

Lab 05

This document describes a lab experiment on configuring port security on an Ethernet switch. It involves: 1) Viewing the MAC address table and checking port status. 2) Configuring port security on ports Fa0/1-6 in access mode with sticky MAC learning and a maximum of 1 MAC. 3) Setting the violation mode to shutdown. 4) Verifying port security is enabled and checking settings. 5) Triggering a violation by changing the PC MAC and verifying the port status changes to secure-shutdown.

Uploaded by

ammar
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 6

Computer Communication & Networks (SWE-306) SSUET/QR/114

LAB # 05
PORT  SECURITY

OBJECTIVE

Demonstration of Port Security Mechanism on Ethernet Switch of each port and define violation
methods

THEORY

PORT SECURITY

Port security can be used with dynamically learned and static MAC addresses to restrict aport's ingr
ess traffic by limiting the MAC addresses that are allowed to send traffic intothe port. When you
assign secure MAC addresses to a secure port, the port does notforward ingress traffic that has s
ource addresses outside the group of defined addresses. Ifyou limit the number of  secure MAC add
resses  to one  and assign  a single secure MACaddress, the device attached to that port has the full b
andwidth of the port.

A security violation occurs in either of these situations:

•When the maximum number of secure MAC addresses is reached on a secure portand the 
source MAC address of the ingress traffic is different from any of the identifiedsecure MAC
addresses, port security applies the configured violation mode.

•If traffic with a secure MAC address that is configured or learned on one secure portattempts to 
access another secure port in the same VLAN, applies the configured violation mode.

Fig 5.1 Port securit
y restricts por t access by MAC addr
ess

NETWORK  SETUP
Computer Communication & Networks (SWE-306) SSUET/QR/114

Fig 5.2 Network setup for applying port security

EXERCISE 5.1

Verify  MAC  table and  ports

Checking the MAC Address table first, DYNAMIC means that no MAC address has been
configured on ports. Use the privileged EXEC mode to view the MAC Address table

Switch# show mac-address-table

Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports


---- ----------- -------- -----
1 0001.4267.74a9 DYNAMIC Fa0/1
1 0002.4a20.a5ed DYNAMIC Fa0/2
1 000b.be7c.7c4b DYNAMIC Fa0/3
1 00d0.5830.a010 DYNAMIC Fa0/4
1 00e0.b0d2.49c7 DYNAMIC Fa0/5
1 0001.bc67.7469 DYNAMIC Fa0/6

It is good practice to check that all ports are up
Switch#sh ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/1 unassigned YES manual up up

FastEthernet0/2 unassigned YES manual up up


Computer Communication & Networks (SWE-306) SSUET/QR/114

FastEthernet0/3 unassigned YES manual up up

FastEthernet0/4 unassigned YES manual up up

FastEthernet0/5 unassigned YES manual up up

FastEthernet0/6 unassigned YES manual up up

--More--

EXERCISE 5.2

Step  1:  select  range  to  apply port  security


Interface configuration commands modify the operation. In order to configure a specific
interface range, you need to enter interface configuration mode, from global
configuration mode, by entering the interface interface range command. The prompt
Switch (config-if)# indicates that you are in interface configuration mode.

Switch(config)# interface range fastEthernet 0/1 - 6

Step  2: Access  mode

By default,  the  port security is  turned  off on  all  interfaces.  In  order to  turn  it  on,  a  port
must be in an access mode. Otherwise the command will be rejected. Check out the
below attempt of enabling it when the port is in a 'dynamic desirable' rather than an
access mode.

Switch(config-if-range)#switchport  mode  access

Step  3:  Applying  Mac-address-sticky


Port security with sticky MAC addresses provides many of the same benefits as port
security with static MAC addresses, but sticky MAC addresses can be learned
dynamically. Port security with sticky MAC addresses retains dynamically learned MAC
addresses during a link-down condition.

Switch(config-if-range)#switchport  port-security  mac-address  sticky

Step  4: Set  maximum  address  to  learn

How many MAC addresses can be considered secure on a given port (platform
dependent). The default is: 1.

Switch(config-if-range)#switchport  port-security  maximum  1


Computer Communication & Networks (SWE-306) SSUET/QR/114

Step   5:   violation   condition   to   shutdown

When configuring port security violation modes, note the following information:

• protect—Drops packets with unknown source addresses until you remove a
sufficient number of secure MAC addresses to drop below the maximum value.

• restrict—Drops packets with unknown source addresses until you remove a
sufficient number of secure MAC addresses to drop below the maximum value and
causes the SecurityViolation counter to increment.

• shutdown—Puts the interface into the error-disabled state immediately and sends an
SNMP trap notification

Switch(config-if-range)#  switchport  port-security  violation  shutdown

Step   6:   Applying  port  security

If this command is not performed than port security will not be applied

Switch(config-if-range)#  switchport  port-security

Step   7:   checking   port   security

Switch# show port-security interface fastEthernet 0/5

Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses :1
Total MAC Addresses :1
Configured MAC Addresses :0
Sticky MAC Addresses :1
Last Source Address:Vlan : 00d0.5830.a010
Security Violation Count :0

EXERCISE 5.3

Change the  PC  on port FastEthernet  0/5 and  verify port security


Computer Communication & Networks (SWE-306) SSUET/QR/114

Switch# show port-security interface fastEthernet 0/5

Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses :1
Total MAC Addresses :1
Configured MAC Addresses :0
Sticky MAC Addresses :1
Last Source Address:Vlan : 0001.C971.1829:1
Security Violation Count :1

Check   that   Last   source   MAC   address   and   compare   it   with   MAC   address   in
last  exercise
Switch# show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/1 unassigned YES manual up up

FastEthernet0/2 unassigned YES manual up up

FastEthernet0/3 unassigned YES manual up up

FastEthernet0/4 unassigned YES manual up up

FastEthernet0/5 unassigned YES manual down down

FastEthernet0/6 unassigned YES manual up up

Switch# show interfaces fastEthernet 0/5

FastEthernet0/5 is down, line protocol is down (err-disabled)
Hardware is Lance, address is 0030.a354.e505 (bia 0030.a354.e505)
BW 100000 Kbit, DLY 1000 usec,
Computer Communication & Networks (SWE-306) SSUET/QR/114

reliability 255/255, txload 1/255, rxload 1/255
<OUTPUT OMITTED>

HOME ASSIGNMENTS

Q1: Explain MAC address Learning.Also Perform other violation modes on other ports.

Q2: Define inbound ports, outbound ports and well known ports

Q3: Differentiate b/w these ports, open, closed, filtered, unfiltered, open filtered,

And closed filtered.

You might also like