Port security: learn how to secure Cisco switch ports using switchport commands

In this article we will learn how to configure port security on Cisco switches. As we all know, switch ports are enabled by default, so there is always a risk that an intruder, or someone ill-intentioned in your own department who has physical access to your switches, can do something harmful. With port security a network admin can bind a port to a device's MAC address, so that no other device can be connected on that port. In this way we limit a port so that only an authorised device can use it.

In this article I will show, step by step, how to configure port security on Cisco switches.

[Diagram: switch security tutorial]

In the diagram you can see two PCs connected to a Cisco switch. In this lab I am going to bind PC0 to switch port fa0/1, so that no PC or device other than PC0 can be connected to that port.

Now see the step-by-step configuration of port security on a Cisco switch below.

Go to the switch and enter the commands as shown below.

 

Switch>enable
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#exit
Switch(config)#exit

 

Now that port security is configured on the Cisco switch, it is time to verify and troubleshoot whether the switch has been configured properly.

Switch#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports

As you can see, the table above is empty: no device has sent any traffic yet, so the switch has not learned any MAC address.

 

Switch#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

 

Keep an eye on the counters in this output (Total MAC Addresses, Sticky MAC Addresses, Last Source Address:Vlan and Security Violation Count) and compare them with the same command's output after the next steps.

Now go to PC0 and ping PC1:

PC>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::205:5EFF:FEB3:6361
   IP Address......................: 1.0.0.1
   Subnet Mask.....................: 255.0.0.0
   Default Gateway.................: 0.0.0.0

PC>ping 1.0.0.2

Pinging 1.0.0.2 with 32 bytes of data:

Reply from 1.0.0.2: bytes=32 time=1ms TTL=128
Reply from 1.0.0.2: bytes=32 time=0ms TTL=128
Reply from 1.0.0.2: bytes=32 time=0ms TTL=128

Ping statistics for 1.0.0.2:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

 

Now go back to the switch and look at the MAC address table again:

Switch#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0005.5eb3.6361    STATIC      Fa0/1
   1    00d0.58bc.ada2    DYNAMIC     Fa0/2

 

Now check whether port security is enabled, using the command below:

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
--------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
----------------------------------------------------------------------

Switch#show port-security address
               Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type            Ports              Remaining Age
                                                                (mins)
----    -----------       ----            -----              -------------
   1    0005.5EB3.6361    SecureSticky    FastEthernet0/1    -
------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

 

Now look at the port-security settings of the port we have secured.

Switch#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0005.5EB3.6361:1
Security Violation Count   : 0
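Once several ports are configured this way, reading the verification output by hand does not scale. The following Python script is an added example, not code from this article or from Cisco: it parses the two output formats shown above (the per-port "show port-security interface" listing and the "show port-security" summary table) and flags the conditions a defender cares about: port security not enabled, a port left err-disabled after a violation, a non-zero violation count, protect mode (which drops offending frames without counting them), or a port that has not learned any address yet. The sample outputs inside the script are constructed to match the article's format; the second port sample, its MAC address and the Fa0/2 row are made up for illustration, and the policy limit of two MACs per port is an assumption.

```python
import re

# Constructed samples modelled on the article's output format (not captured from a real switch).
HEALTHY_PORT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0005.5EB3.6361:1
Security Violation Count   : 0
"""

# Constructed: what the same port looks like after an unknown device triggered a violation.
VIOLATED_PORT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0000.0C00.0002:1
Security Violation Count   : 1
"""

# Constructed summary table; the Fa0/2 row is invented to show a second port and mode.
SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
      Fa0/2              8            3                  0          Protect
---------------------------------------------------------------------------
"""

COUNTER_FIELDS = {"Maximum MAC Addresses", "Total MAC Addresses",
                  "Configured MAC Addresses", "Sticky MAC Addresses",
                  "Security Violation Count"}

def parse_interface(text):
    """Turn 'show port-security interface <if>' output into a dict; counters become ints."""
    info = {}
    for line in text.splitlines():
        # Non-greedy key then ' : ' keeps 'Last Source Address:Vlan' as one key.
        m = re.match(r"^\s*(.+?)\s*:\s+(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key in COUNTER_FIELDS:
            value = int(value)
        elif key == "Aging Time":
            value = int(value.split()[0])   # "0 mins" -> 0
        info[key] = value
    return info

def parse_summary(text):
    """Turn the 'show port-security' table into {port: {...}}; header and rule lines are skipped."""
    rows = {}
    row = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            port, maximum, current, violations, action = m.groups()
            rows[port] = {"max": int(maximum), "current": int(current),
                          "violations": int(violations), "action": action}
    return rows

def audit_interface(info, max_allowed=2):
    """Return the findings a defender would act on for one port (empty list = healthy)."""
    findings = []
    if info.get("Port Security") != "Enabled":
        return ["port security is not enabled"]
    if info.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled after a violation; needs shutdown / no shutdown")
    if info.get("Security Violation Count", 0) > 0:
        findings.append(f"{info['Security Violation Count']} violation(s) recorded, "
                        f"last source {info.get('Last Source Address:Vlan')}")
    if info.get("Violation Mode") == "Protect":
        findings.append("protect mode drops offending frames silently (no counter, no log)")
    if info.get("Maximum MAC Addresses", 0) > max_allowed:
        findings.append(f"maximum of {info['Maximum MAC Addresses']} MACs exceeds policy of {max_allowed}")
    if info.get("Total MAC Addresses", 0) == 0:
        findings.append("no secure address learned yet; port stays unbound until the first frame arrives")
    return findings

def ports_needing_attention(summary_rows):
    """From the summary table, list the ports with any recorded violation."""
    return sorted(p for p, r in summary_rows.items() if r["violations"] > 0)

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_PORT), ("violated", VIOLATED_PORT)):
        print(name, audit_interface(parse_interface(sample)))
    print("summary:", ports_needing_attention(parse_summary(SUMMARY)))
```

In practice the text would be collected from the switch (for example over SSH) and the findings fed to monitoring; the parser deliberately keys on the field names, so column spacing differences between IOS versions do not break it.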

 

Now I am going to disconnect PC0 from the switch and connect PC2 to the same interface that PC0 was connected to, then try to ping another device and see what happens.

 

Packet Tracer PC Command Line 1.0
PC>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::206:2AFF:FEA7:1248
   IP Address......................: 1.0.0.100
   Subnet Mask.....................: 255.0.0.0
   Default Gateway.................: 0.0.0.0

PC>ping 1.0.0.2

Pinging 1.0.0.2 with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 1.0.0.2:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C

From the output above you can clearly see that PC2's packets have been dropped, and so our port is secure. Because the violation mode is shutdown, the switch has also put fa0/1 into the err-disabled state, so an administrator has to bring it back with shutdown followed by no shutdown on the interface before PC0 can use the port again.
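To make the learning and violation behaviour of this walk-through explicit, here is a small Python model of one secured port. It is an added example, not Cisco code and not part of the original article. It replays frames from PC0's MAC address (0005.5eb3.6361, taken from the article) and from a second, constructed MAC address through a port configured like fa0/1 above (maximum 1, sticky, violation shutdown): the first address is learned and forwarded, the second triggers a violation and err-disables the port, and even PC0 is blocked until an administrator recovers the port. The model also covers the protect and restrict violation modes, which the article does not use, so the three behaviours can be compared side by side.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Toy model of an access port with switchport port-security (illustrative, not IOS code)."""
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # "protect" | "restrict" | "shutdown"
    sticky: bool = True              # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)
    err_disabled: bool = False
    violation_count: int = 0
    running_config: list = field(default_factory=list)   # sticky addresses are written here

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame and report what the port did with it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Room left under the maximum: learn the address as a secure address.
            self.secure_macs.append(src_mac)
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forwarded (learned)"
        # Limit reached and the source is unknown: this is a security violation.
        if self.violation == "protect":
            return "dropped"                       # silent: no counter, no notification
        self.violation_count += 1
        if self.violation == "restrict":
            return "dropped (violation counted, syslog/SNMP trap)"
        self.err_disabled = True                   # shutdown mode: whole port goes down
        return "dropped (port err-disabled)"

    def recover(self) -> None:
        """Administrator's 'shutdown' then 'no shutdown'; sticky addresses survive."""
        self.err_disabled = False

def replay(port: SecurePort, frames: list) -> list:
    """Feed a sequence of source MACs through the port and collect the outcomes."""
    return [port.receive(mac) for mac in frames]

PC0 = "0005.5eb3.6361"      # PC0's address from the article's mac-address table
INTRUDER = "0000.0c00.0002" # constructed address for the unauthorised device

if __name__ == "__main__":
    fa01 = SecurePort("Fa0/1")
    for mac, result in zip([PC0, PC0, INTRUDER, PC0], replay(fa01, [PC0, PC0, INTRUDER, PC0])):
        print(f"{fa01.name} {mac}: {result}")
    print("violations:", fa01.violation_count, "config:", fa01.running_config)
```

The last replayed frame shows the cost of shutdown mode: after the violation the legitimate PC0 is cut off too, which is why the page's advice to check the violation count and port status matters operationally.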
