CCNA Workbook port security v1.0

This document outlines a lab exercise for configuring switch port security as part of the CCNA 200-301 curriculum. The lab focuses on preventing MAC address flooding by limiting the number of MAC addresses learned on switch ports and includes detailed steps for configuration and testing. It also covers commands for verifying the port security settings and handling security violations.

Uploaded by hoj7988
Copyright © All Rights Reserved

CCNA 200-301

Switch Port Security

Topology

LAB : Port Security v1.0

Level: CCNA / Intermediate

Approximate time: 30 minutes

Preferred image: viosl2-adventerprisek9-m.ssa.high_iron_20200929

This lab covers the topics of Chapter 6: Implementing Switch Port Security.

For more information we suggest “CCNA 200-301, Volume 2 Official Cert Guide”.

Commands Guide:
All commands in this document are shown in this style:
# interface gig 0/0
If an option is shown in italics, replace that keyword with the value you want, for example:
# ip address ip_address subnet_mask
# ip address 192.168.10.1 255.255.255.0
Finally, anything shown in {} means you must choose one of the listed options:
# spanning-tree vlan vlan_id root {primary | secondary}


Lab Objective:

The objective of this lab exercise is to configure basic switch security to prevent MAC
address flooding on switch ports. This is accomplished by limiting the number of MAC
entries that are allowed to be learned on a port. By default, there is no limit on MAC
addresses that can be learned on a port.

Lab Purpose:

Port security is a fundamental skill. A common denial-of-service technique used to cripple
switched networks is MAC flooding. As a Cisco engineer, as well as in the Cisco CCNA
exam, you will be expected to know how to configure port security to mitigate MAC
flooding attacks.


Detailed Steps

Task 1:
Configure the hostname SW1 on your lab switch, and the hostname R1 on the router as
illustrated in the topology.

Enter the SW1 console and issue these commands:


Switch>en
Switch#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname SW1
SW1(config)#end
SW1# wr

And then on the SW2 console:


Switch>en
Switch#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname Sw2
Sw2(config)#end
Sw2#wr

Go to all PCs and servers and assign each of them an IP address from the 192.168.1.0/24 range:
VPCS> set pcname SRV1
SRV1> ip 192.168.1.1 24
Checking for duplicate address...
SRV1: 192.168.1.1 255.255.255.0
SRV1> save

VPCS> set pcname SRV2


SRV2> ip 192.168.1.2 24
Checking for duplicate address...
SRV2: 192.168.1.2 255.255.255.0
SRV2> save

VPCS> set pcname PC3


PC3> ip 192.168.1.3 24
Checking for duplicate address...
PC3: 192.168.1.3 255.255.255.0
PC3> save

VPCS> set pcname PC4


PC4> ip 192.168.1.4 24
Checking for duplicate address...
PC4: 192.168.1.4 255.255.255.0
PC4> save

VPCS> set pcname PC5

PC5> ip 192.168.1.5 24
Checking for duplicate address...
PC5: 192.168.1.5 255.255.255.0
PC5> save

VPCS> set pcname PC6


PC6> ip 192.168.1.6 24
Checking for duplicate address...
PC6: 192.168.1.6 255.255.255.0
PC6> save
Don’t turn on PC7 until the end!
Check your configuration with a ping from SRV1 to the other devices.

Task 2:

Check the MAC address table on SW1:

SW1#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6801    DYNAMIC     Gi0/0
   1    0050.7966.6802    DYNAMIC     Gi0/1
   1    0050.7966.6803    DYNAMIC     Gi0/2
   1    0050.7966.6804    DYNAMIC     Gi0/3
   1    0050.7966.6805    DYNAMIC     Gi0/3
   1    0050.7966.6806    DYNAMIC     Gi0/3
   1    5000.0008.0000    DYNAMIC     Gi0/3
Total Mac Addresses for this criterion: 7
SW1#

Task 3:
Configure port security on SW1 according to these instructions:
• For SRV1 and SRV2 set a static and a sticky MAC address respectively
• For PC3 set dynamic port security
• Limit port Gi0/3 to 4 MAC addresses

* Note: to find a VPCS host’s MAC address you can use show mac address-table. If there is no MAC in the
table, just ping from one of your hosts to the others first!

SW1(config)#interface gig 0/0


SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac-address 0050.7966.6801
SW1(config-if)#exit
SW1(config)#interface gi0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac-address sticky

SW1(config-if)#exit
SW1(config)#int gi0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#exit
SW1(config)#int gi0/3
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 4
SW1(config-if)#exit
SW1(config)#end
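The commands above are what Task 3 types by hand. As an added example that is not part of this workbook and is not a Cisco tool, the Python script below parses the same interface stanzas as they would appear in show running-config, records each port’s port-security settings and audits them. The sample configuration inside it is constructed from the Task 3 commands plus one access port, GigabitEthernet1/0, deliberately left without port security so that a finding is produced; the defaults it assumes (maximum 1, violation action shutdown) are the IOS defaults that the Task 4 output confirms.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the Task 3 configuration as it would appear in the running-config,
# plus a hypothetical access port Gi1/0 with no port security (added for the audit).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0050.7966.6801
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 4
!
interface GigabitEthernet1/0
 switchport mode access
!
"""


@dataclass
class PortSecurity:
    name: str
    mode: str = "dynamic"          # switchport mode; IOS default is dynamic (DTP)
    enabled: bool = False          # "switchport port-security" present
    maximum: int = 1               # IOS default once port security is enabled
    violation: str = "shutdown"    # IOS default violation action
    sticky: bool = False           # "mac-address sticky" present
    configured_macs: list = field(default_factory=list)  # MACs written in the config


def parse_port_security(config: str) -> dict:
    """Parse interface stanzas of an IOS running-config into PortSecurity records."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # "!" closes the stanza
            current = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = PortSecurity(name=m.group(1))
            ports[current.name] = current
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[:2] == ["switchport", "mode"]:
            current.mode = tokens[2]
        elif tokens == ["switchport", "port-security"]:
            current.enabled = True
        elif tokens[:3] == ["switchport", "port-security", "maximum"]:
            current.maximum = int(tokens[3])
        elif tokens[:3] == ["switchport", "port-security", "violation"]:
            current.violation = tokens[3]
        elif tokens[:3] == ["switchport", "port-security", "mac-address"]:
            if tokens[3] == "sticky":
                current.sticky = True
                if len(tokens) > 4:          # saved sticky address: "... sticky H.H.H"
                    current.configured_macs.append(tokens[4])
            else:
                current.configured_macs.append(tokens[3])
    return ports


def audit(ports: dict) -> list:
    """Return readable findings for ports whose settings would weaken the lab's goal."""
    findings = []
    for p in ports.values():
        if p.mode == "access" and not p.enabled:
            findings.append(f"{p.name}: access port without port security")
        if p.enabled and p.mode not in ("access", "trunk"):
            # IOS rejects port security on a DTP dynamic port; a static mode is required
            findings.append(f"{p.name}: port security needs a static access or trunk mode")
        if len(p.configured_macs) > p.maximum:
            findings.append(f"{p.name}: {len(p.configured_macs)} configured MACs "
                            f"exceed maximum {p.maximum}")
    return findings


if __name__ == "__main__":
    ports = parse_port_security(SAMPLE_CONFIG)
    for name, p in ports.items():
        print(f"{name}: mode={p.mode} enabled={p.enabled} max={p.maximum} "
              f"violation={p.violation} sticky={p.sticky} macs={p.configured_macs}")
    for finding in audit(ports):
        print("FINDING:", finding)
```

Run against a real running-config, the audit reports every access port that was never given port security, which is the gap a MAC flooding host would use.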

Task 4:
Check your configuration with these commands:

SW1#show mac address-table secure
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6801    STATIC      Gi0/0
   1    0050.7966.6802    STATIC      Gi0/1
   1    0050.7966.6803    STATIC      Gi0/2
   1    0050.7966.6804    STATIC      Gi0/3
   1    0050.7966.6805    STATIC      Gi0/3
   1    0050.7966.6806    STATIC      Gi0/3
   1    5000.0008.0000    STATIC      Gi0/3
Total Mac Addresses for this criterion: 7
This command shows all MAC addresses the switch has learned as secure addresses for port security.

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              1            1                  0         Shutdown
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              1            1                  0         Shutdown
      Gi0/3              4            4                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 4096
This command lists every port on which port security is enabled, with its maximum and current secure address counts, the violation count and the violation action.

SW1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type             Ports    Remaining Age
                                                       (mins)
----    -----------       ----             -----    -------------
   1    0050.7966.6801    SecureDynamic    Gi0/0         -
   1    0050.7966.6802    SecureSticky     Gi0/1         -
   1    0050.7966.6803    SecureDynamic    Gi0/2         -
   1    0050.7966.6804    SecureDynamic    Gi0/3         -
   1    0050.7966.6805    SecureDynamic    Gi0/3         -
   1    0050.7966.6806    SecureDynamic    Gi0/3         -
   1    5000.0008.0000    SecureDynamic    Gi0/3         -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 4096

SW1#show port-security interface gigabitEthernet 0/0


Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0050.7966.6801:1
Security Violation Count : 0

If you need detailed information about port security on a specific interface, this
command shows it.
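The show commands above are the verification surface for this lab. As an added example that is not part of the workbook, the Python script below parses the show port-security summary from Task 4 (the first sample table is constructed from that output) and flags the two conditions a defender checks first: a port that has already recorded violations, and a port whose secure address table is full, which is the state in which the next unknown MAC triggers the configured action. The second table, showing Gi0/0 with one violation, is constructed for the example; the workbook does not show the summary at that point.

```python
import re

# Constructed sample: the "show port-security" summary from Task 4.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              1            1                  0         Shutdown
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              1            1                  0         Shutdown
      Gi0/3              4            4                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 4096
"""

# Constructed sample (hypothetical values): the same table after one violation on Gi0/0.
SHOW_AFTER_VIOLATION = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              1            1                  1         Shutdown
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              1            1                  0         Shutdown
      Gi0/3              4            4                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 4096
"""

# One data row: port name, three integer counters, violation action. The header,
# separator and "Total/Max" lines contain non-numeric columns and never match.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_show_port_security(text: str) -> dict:
    """Map each secure port to its counters from 'show port-security' output."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, maximum, current, violations, action = m.groups()
            rows[port] = {
                "max": int(maximum),
                "current": int(current),
                "violations": int(violations),
                "action": action.lower(),
            }
    return rows


def check_ports(rows: dict) -> list:
    """Return (port, kind, message) alerts for ports that deserve a closer look."""
    alerts = []
    for port, r in rows.items():
        if r["violations"] > 0:
            alerts.append((port, "violation",
                           f"{r['violations']} security violation(s) recorded, "
                           f"action {r['action']}"))
        if r["current"] >= r["max"]:
            alerts.append((port, "full",
                           f"secure table full ({r['current']}/{r['max']}); "
                           f"next unknown MAC triggers {r['action']}"))
    return alerts


def violation_ports(text: str) -> list:
    """Ports with a non-zero violation count, in output order."""
    return [port for port, r in parse_show_port_security(text).items()
            if r["violations"] > 0]


if __name__ == "__main__":
    for alert in check_ports(parse_show_port_security(SHOW_AFTER_VIOLATION)):
        print(*alert)
```

Feeding the script the output captured on a schedule (for example from a monitoring job that runs the command over SSH) turns a manual check into a repeatable one.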

Task 5:
Let’s demonstrate some abnormal behavior!

1- Change the sticky MAC address on SW1 interface Gi0/0


SW1(config-if)#shut
SW1(config-if)#switchport port-security mac-address 5000.0008.1010
SW1(config-if)#no shut
SW1(config-if)#
Now issue a ping from SRV1 to SRV2; you should receive these error messages:
SW1#
*Sep 25 18:05:49.073: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*Sep 25 18:05:49.077: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6801 on port GigabitEthernet0/0.
*Sep 25 18:05:50.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Sep 25 18:05:51.077: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down

SW1#show port-security interface gi 0/0
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0050.7966.6801:1
Security Violation Count : 1

SW1#show interface status

Port Name Status Vlan Duplex Speed Type


Gi0/0 err-disabled 1 auto auto RJ45
Gi0/1 connected 1 a-full auto RJ45
Gi0/2 connected 1 a-full auto RJ45
Gi0/3 connected trunk a-full auto RJ45
Gi1/0 connected 1 a-full auto RJ45
Gi1/1 connected 1 a-full auto RJ45
Gi1/2 connected 1 a-full auto RJ45
Gi1/3 connected 1 a-full auto RJ45
SW1#

2- Turn on PC7, assign it an IP address, and try to ping from PC7 to SRV1.
We set the maximum number of MAC addresses on SW1 interface Gi0/3 to 4 (3 PCs
+ SW2), so now you should receive this error message:

*Sep 25 18:13:21.087: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/3, putting Gi0/3 in err-disable state
*Sep 25 18:13:21.104: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6809 on port GigabitEthernet0/3.
*Sep 25 18:13:21.105: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port GigabitEthernet0/3 due to MAC address 0050.7966.6809 on VLAN 1
*Sep 25 18:13:22.089: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
*Sep 25 18:13:23.101: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down

SW1#show interface status

Port Name Status Vlan Duplex Speed Type


Gi0/0 err-disabled 1 auto auto RJ45
Gi0/1 connected 1 a-full auto RJ45
Gi0/2 connected 1 a-full auto RJ45
Gi0/3 err-disabled 1 auto auto RJ45
Gi1/0 connected 1 a-full auto RJ45
Gi1/1 connected 1 a-full auto RJ45
Gi1/2 connected 1 a-full auto RJ45

Gi1/3 connected 1 a-full auto RJ45
SW1#show port-security interface gi 0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 4
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0050.7966.6809:1
Security Violation Count : 1

SW1#
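Task 5 shows what the switch logs when the violation mode is shutdown. As an added example that is not from the workbook, the Python script below reads those syslog messages (constructed here from the lines shown in Task 5) and builds a per-port summary: which ports went err-disabled and which MAC address caused each violation. It also takes an allowlist of the MAC addresses expected on each port so that a violation caused by a known host (the Gi0/0 case, where the administrator replaced the secure address) can be told apart from an unknown MAC (the PC7 case on Gi0/3). The allowlist is an assumption drawn from the Task 2 table, not something the switch provides.

```python
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the messages shown in Task 5.
SAMPLE_LOG = """\
*Sep 25 18:05:49.073: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*Sep 25 18:05:49.077: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6801 on port GigabitEthernet0/0.
*Sep 25 18:05:50.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Sep 25 18:13:21.087: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/3, putting Gi0/3 in err-disable state
*Sep 25 18:13:21.104: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6809 on port GigabitEthernet0/3.
*Sep 25 18:13:21.105: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port GigabitEthernet0/3 due to MAC address 0050.7966.6809 on VLAN 1
"""

# Assumed allowlist: the MACs the Task 2 table showed on each SW1 port.
EXPECTED_MACS = {
    "Gi0/0": {"0050.7966.6801"},
    "Gi0/1": {"0050.7966.6802"},
    "Gi0/2": {"0050.7966.6803"},
    "Gi0/3": {"0050.7966.6804", "0050.7966.6805", "0050.7966.6806", "5000.0008.0000"},
}

TIMESTAMP = r"^\*?(?P<ts>\w{3} +\d+ [\d:.]+): "
# The _VLAN variant carries the same MAC, so only the base message is counted.
VIOLATION = re.compile(
    TIMESTAMP + r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$")
ERRDISABLE = re.compile(
    TIMESTAMP + r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")


def short_name(port: str) -> str:
    """Normalise GigabitEthernet0/0 -> Gi0/0 so both message formats key the same port."""
    return re.sub(r"^GigabitEthernet", "Gi", port)


def summarize_violations(log_text: str, expected: dict = None) -> dict:
    """Per-port summary of port-security violations and resulting err-disable events."""
    expected = expected or {}
    events = defaultdict(lambda: {"violations": [], "err_disabled": False})
    for line in log_text.splitlines():
        m = VIOLATION.match(line)
        if m:
            port = short_name(m.group("port"))
            mac = m.group("mac")
            events[port]["violations"].append({
                "time": m.group("ts"),
                "mac": mac,
                "known": mac in expected.get(port, set()),   # known host => likely misconfig
            })
            continue
        m = ERRDISABLE.match(line)
        if m:
            events[short_name(m.group("port"))]["err_disabled"] = True
    return dict(events)


def unknown_mac_ports(summary: dict) -> list:
    """Ports where at least one violation came from a MAC not on the allowlist."""
    return [port for port, e in summary.items()
            if any(not v["known"] for v in e["violations"])]


if __name__ == "__main__":
    summary = summarize_violations(SAMPLE_LOG, EXPECTED_MACS)
    for port, e in summary.items():
        for v in e["violations"]:
            print(f"{port}: violation by {v['mac']} at {v['time']} "
                  f"(known host: {v['known']}, err-disabled: {e['err_disabled']})")
    print("ports with unknown MACs:", unknown_mac_ports(summary))
```

A port left in err-disabled state stays down until an administrator issues shutdown followed by no shutdown on it, or until errdisable recovery cause psecure-violation is configured; the summary above tells the responder which of those ports also needs its configuration checked before it is brought back up.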
