In this article we will learn how to provide port security on Cisco switches. As we all know, switch ports are enabled by default, so there is always a risk that an intruder, or someone in your department with physical access to the switches, can plug in a device and cause harm. By using port security a network admin can bind a port to a device's MAC address so that no other device can connect through that port. In this way we can ensure that only an authorised device can use the port.
In this article I will describe, step by step, how to configure port security on Cisco switches.
In the diagram you can clearly see two PCs connected to a Cisco switch. In this lab I am going to bind PC0 to switch port fa0/1 so that no PC or device other than PC0 can connect to that port.
Now see the step-by-step configuration of port security on a Cisco switch below:
Go to the switch and enter the commands as shown below.
Switch>enable
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#exit
Switch(config)#exit
Now that port security is configured on the switch, it's time to verify whether the switch has been configured properly.
Switch#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
As you can see, the table above is blank: the switch has not learned any address yet.
Switch#show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Note the values of Total MAC Addresses, Sticky MAC Addresses and Security Violation Count: all of them are still 0, because no device has sent a frame on the port yet.
Now go to PC0 and ping PC1.
PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::205:5EFF:FEB3:6361
IP Address......................: 1.0.0.1
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 0.0.0.0
PC>ping 1.0.0.2
Pinging 1.0.0.2 with 32 bytes of data:
Reply from 1.0.0.2: bytes=32 time=1ms TTL=128
Reply from 1.0.0.2: bytes=32 time=0ms TTL=128
Reply from 1.0.0.2: bytes=32 time=0ms TTL=128
Ping statistics for 1.0.0.2:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Now go back to the switch and look at the MAC address table again:
Switch#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0005.5eb3.6361 STATIC Fa0/1
1 00d0.58bc.ada2 DYNAMIC Fa0/2
Now check whether port security is enabled using the command below:
Switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/1 1 1 0 Shutdown
----------------------------------------------------------------------
Switch#show port-security address
Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0005.5EB3.6361 SecureSticky FastEthernet0/1 -
------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Now look at the port security settings on the port that we have secured.
Switch#show port-security int fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0005.5EB3.6361:1
Security Violation Count : 0
Now I am going to disconnect PC0 from the switch and connect PC2 to the same interface PC0 was connected to, then try to ping the other device to see what happens.
Packet Tracer PC Command Line 1.0
PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::206:2AFF:FEA7:1248
IP Address......................: 1.0.0.100
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 0.0.0.0
PC>ping 1.0.0.2
Pinging 1.0.0.2 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 1.0.0.2:
Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C
From the output above you can clearly see that PC2's packets have been dropped, and hence our port is secure. Because the violation mode is shutdown, the interface is now in the err-disabled state; once the unauthorised device has been removed, an admin has to bring the port back with shutdown followed by no shutdown on that interface.
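As an added example (not part of the original article), here is a small Python audit helper that parses the output of show port-security interface as shown above and reports the conditions a defender wants to check on every secured port: whether port security is really enabled, whether a violation has already err-disabled the port, whether the violation mode will even tell you about an offender, and whether the sticky address the port learned belongs to the device you expect there. The healthy sample is the article's own output for fa0/1; the not-yet-learned and violation samples are constructed from it, and the MAC 0006.2AA7.1248 is a constructed value standing in for PC2.

```python
"""Audit helper for Cisco IOS 'show port-security interface <if>' output.

Added example, not part of the article or of Cisco IOS. It parses the
'Key : Value' lines the command prints and returns findings a defender
cares about. Sample outputs are constructed for offline use.
"""
import re

# Healthy output copied from the article (fa0/1 after PC0 sent traffic).
SAMPLE_HEALTHY = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0005.5EB3.6361:1
Security Violation Count : 0
"""

# Constructed: the same port before any frame was received (article's first check).
SAMPLE_BEFORE_TRAFFIC = (SAMPLE_HEALTHY
    .replace("Total MAC Addresses : 1", "Total MAC Addresses : 0")
    .replace("Sticky MAC Addresses : 1", "Sticky MAC Addresses : 0")
    .replace("0005.5EB3.6361:1", "0000.0000.0000:0"))

# Constructed: the port after PC2 (assumed MAC 0006.2AA7.1248) was plugged in.
SAMPLE_VIOLATION = (SAMPLE_HEALTHY
    .replace("Secure-up", "Secure-shutdown")
    .replace("0005.5EB3.6361:1", "0006.2AA7.1248:1")
    .replace("Security Violation Count : 0", "Security Violation Count : 1"))

# Keys may be padded with spaces on real IOS; the key itself may contain ':'
# ("Last Source Address:Vlan"), so split on the first whitespace-surrounded colon.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")


def parse_port_security(text):
    """Turn the 'Key : Value' lines into a dict of stripped strings."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def normalize_mac(mac):
    """Reduce 0005.5EB3.6361, 00:05:5e:b3:63:61 or 00-05-5E-B3-63-61 to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def assess_port(fields, expected_mac=None):
    """Return a list of findings; an empty list means the port looks healthy."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled on this interface")
        return findings

    if "shutdown" in fields.get("Port Status", "").lower():
        findings.append("port is err-disabled after a violation; after removing the "
                        "offending device re-enable it with 'shutdown' / 'no shutdown'")

    if fields.get("Violation Mode", "").lower() == "protect":
        findings.append("violation mode 'protect' drops offending frames silently with "
                        "no log message or counter; prefer 'restrict' or 'shutdown'")

    # Last Source Address:Vlan is '<mac>:<vlan>'; keep only the MAC part.
    last = fields.get("Last Source Address:Vlan", "")
    last_mac = normalize_mac(last.split(":")[0]) if last else ""
    violations = int(fields.get("Security Violation Count", "0"))
    if violations > 0:
        findings.append(f"{violations} violation(s) recorded; last source MAC {last_mac}")

    learned = int(fields.get("Total MAC Addresses", "0"))
    if learned == 0:
        findings.append("no address learned yet: a sticky port binds to the first device "
                        "that sends a frame, so confirm the right host is cabled to it")
    elif expected_mac and last_mac != normalize_mac(expected_mac):
        findings.append(f"last frame came from {last_mac}, not the expected "
                        f"{normalize_mac(expected_mac)}")
    return findings


def audit(text, expected_mac=None):
    """Parse one interface's output and assess it in a single call."""
    return assess_port(parse_port_security(text), expected_mac)


if __name__ == "__main__":
    for name, sample in [("healthy", SAMPLE_HEALTHY),
                         ("before traffic", SAMPLE_BEFORE_TRAFFIC),
                         ("violation", SAMPLE_VIOLATION)]:
        print(name, "->", audit(sample, expected_mac="0005.5EB3.6361") or ["OK"])
```

In practice you would feed the helper the text captured from each secured interface (for example via a scheduled SSH collection) and keep the expected MAC per port in your inventory; a mismatch or a non-empty finding list is what should raise a ticket, since with sticky learning the switch trusts whichever device spoke first.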