Port security: learn how to secure Cisco switch ports with the switchport commands

Posted: April 4, 2015 in Network Security

In this article we will learn how to configure port security on Cisco switches. By default, switch ports are enabled, so there is always a risk that an intruder, or a malicious insider in your department with physical access to the switch, plugs in a device and does damage. With port security a network administrator binds a port to the MAC address of the device that belongs on it, so no other device can use that port. In this way only an authorised device can access the port. Keep in mind that port security checks source MAC addresses, and a MAC address can be spoofed by a determined attacker; it stops casual or accidental connections, while per-user authentication such as 802.1X is the stronger control.

Here I will show, step by step, how to configure port security on a Cisco switch.

[Diagram: switch security tutorial - two PCs connected to one Cisco switch]

In this diagram you can see two PCs connected to a Cisco switch. In this lab I am going to bind PC0 to switch port fa0/1 so that no PC or other device except PC0 can connect through that port.

Now see the step-by-step configuration of port security on the Cisco switch below:

Go to the switch and enter the commands shown below. Port security can only be enabled on a port that is statically set to access (or trunk) mode, which is why switchport mode access comes first; with maximum 1, violation shutdown and mac-address sticky the port learns the first MAC address it sees, keeps it in the running configuration, and goes err-disabled if any other source address appears.

 

Switch>enable
Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#exit
Switch(config)#exit
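To make the effect of those four port-security commands concrete, here is a small model of the decision a Cisco switch makes for every frame arriving on a secured port. This is an added example, not code from the original post and not IOS code: it reproduces the behaviour configured on fa0/1 above (maximum 1, sticky learning, violation shutdown) and, going beyond the post, the other two violation modes, protect and restrict. The class, function and field names are the author's own, and the replay uses PC0's MAC address from the post's MAC table plus PC2's MAC address derived from the EUI-64 link-local address the post prints for PC2.

```python
"""A model of the port-security decision on one access port.

Added example, not code from the original post: it mirrors what the
commands above configure on fa0/1 (maximum 1, sticky learning,
violation shutdown) and, going beyond the post, the two other
violation modes, 'protect' and 'restrict'. Class, function and field
names are the author's own, not IOS identifiers.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # shutdown | restrict | protect
    secure_macs: set = field(default_factory=set)   # secure (sticky) entries
    err_disabled: bool = False
    violation_count: int = 0

    def receive(self, src_mac: str) -> str:
        """Decide the fate of a frame from src_mac.

        Returns 'forward', 'drop' or 'err-disable'.
        """
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"            # a shut-down port forwards nothing
        if mac in self.secure_macs:
            return "forward"         # known secure address
        if len(self.secure_macs) < self.maximum:
            # Room left under the limit: learn the source as a secure
            # address. With 'sticky' this is what binds the first host
            # that talks to the port, so make sure it is the right host.
            self.secure_macs.add(mac)
            return "forward"
        # Limit reached and the source is unknown: a violation.
        if self.violation == "protect":
            return "drop"            # silently dropped, nothing counted
        self.violation_count += 1    # restrict and shutdown both count it
        if self.violation == "restrict":
            return "drop"            # dropped, counted, logged
        self.err_disabled = True     # shutdown: port goes err-disabled
        return "err-disable"

    def status(self) -> str:
        return "Secure-shutdown" if self.err_disabled else "Secure-up"


def replay_lab() -> dict:
    """Replay the post's lab: PC0 uses fa0/1 first, then PC2 is plugged in.

    PC0's MAC is the one the post's MAC table shows; PC2's is derived
    from the EUI-64 link-local address the post prints for PC2.
    """
    pc0, pc2 = "0005.5eb3.6361", "0006.2aa7.1248"
    port = SecurePort("Fa0/1")
    result = {
        "pc0_first": port.receive(pc0),   # learned as the sticky address
        "pc0_again": port.receive(pc0),   # still forwarded
        "pc2": port.receive(pc2),         # second MAC: violation
        "pc0_after": port.receive(pc0),   # even PC0 is cut off now
    }
    result["status"] = port.status()
    result["violations"] = port.violation_count
    result["secure_macs"] = sorted(port.secure_macs)
    return result


if __name__ == "__main__":
    for key, value in replay_lab().items():
        print(f"{key:12} {value}")
```

The last entry of the replay is the caveat worth remembering: once the violation has shut the port down, the legitimate host is locked out as well until an administrator re-enables the port. With restrict the offender is dropped and counted but the port stays up; with protect it is dropped silently, which is why protect is the weakest choice for a monitored network.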

 

After configuring port security on the switch it is time to verify that it has been applied correctly.

Switch#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports

As you can see, the table above is blank: no frames have arrived on the ports yet, so nothing has been learned.

 

Switch#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

 

Note the Total MAC Addresses and Sticky MAC Addresses counters: port security is enabled with a limit of 1, but no address has been learned yet.

Now go to PC0 and ping PC1:

PC>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::205:5EFF:FEB3:6361
   IP Address......................: 1.0.0.1
   Subnet Mask.....................: 255.0.0.0
   Default Gateway.................: 0.0.0.0

PC>ping 1.0.0.2

Pinging 1.0.0.2 with 32 bytes of data:

Reply from 1.0.0.2: bytes=32 time=1ms TTL=128
Reply from 1.0.0.2: bytes=32 time=0ms TTL=128
Reply from 1.0.0.2: bytes=32 time=0ms TTL=128

Ping statistics for 1.0.0.2:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

 

Now go back to the switch and look at the MAC address table again:

Switch#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0005.5eb3.6361    STATIC      Fa0/1
   1    00d0.58bc.ada2    DYNAMIC     Fa0/2

PC0's address on Fa0/1 is listed as STATIC rather than DYNAMIC because a sticky-learned address is stored as a secure static entry (it is also written into the running configuration), while PC1's address on the unsecured Fa0/2 is an ordinary dynamic entry that will age out.

 

To see which ports have port security enabled, and their limits and violation counters, use the command below:

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
---------------------------------------------------------------------------

 

Switch#show port-security address
               Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type              Ports             Remaining Age
                                                                 (mins)
----    -----------       ----              -----             -------------
   1    0005.5EB3.6361    SecureSticky      FastEthernet0/1        -
-------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

 

Now look at the port-security details of the port we secured:

Switch#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0005.5EB3.6361:1
Security Violation Count   : 0

 

Now I am going to disconnect PC0 from the switch, connect PC2 to the same interface that PC0 was on, and ping another device to see what happens.

 

Packet Tracer PC Command Line 1.0
PC>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::206:2AFF:FEA7:1248
   IP Address......................: 1.0.0.100
   Subnet Mask.....................: 255.0.0.0
   Default Gateway.................: 0.0.0.0

PC>ping 1.0.0.2

Pinging 1.0.0.2 with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 1.0.0.2:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C

From the output above you can see that PC2's packets were dropped, so the port is secure. Because the violation mode is shutdown, the switch did more than drop the frames: as soon as it saw a second source MAC address on fa0/1 it put the port into the err-disabled state, so show port-security interface fa0/1 is now expected to report Port Status : Secure-shutdown with a Security Violation Count of 1. This also means PC0 will not get traffic through if it is plugged back in: the port stays down until an administrator re-enables it with shutdown followed by no shutdown, or errdisable recovery has been configured for the psecure-violation cause.
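Checking every secured port by eye does not scale, so here is an added example, not part of the original post, that parses the text show port-security interface prints (in the layout shown on this page) and reports the conditions a reviewer cares about: a port sitting in Secure-shutdown, a non-zero violation counter, the silent protect mode, and a port whose secure address has not been learned yet. Both sample outputs are constructed for the example: the first copies the post's fa0/1 output after PC0 was learned, the second is the hypothetical state of the same port after PC2 triggered the violation, with PC2's MAC address derived from the link-local address in its ipconfig output.

```python
"""Audit 'show port-security interface' output for the conditions that
matter after the test above.

Added example, not part of the original post: it parses the 'Key : Value'
text the command prints (as shown on this page) and flags what a reviewer
would want to know. Both sample outputs are constructed: the first copies
the post's fa0/1 output after PC0 was learned, the second is the
hypothetical state of the same port after PC2 triggered the violation.
"""

SAMPLE_SECURE_UP = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0005.5EB3.6361:1
Security Violation Count   : 0
"""

SAMPLE_AFTER_VIOLATION = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0006.2AA7.1248:1
Security Violation Count   : 1
"""


def parse_psec_interface(text: str) -> dict:
    """Turn each 'Key : Value' line into a dict entry.

    The separator is ' : ' (space, colon, space) because one key,
    'Last Source Address:Vlan', itself contains a colon. Values that are
    pure digits become ints so the audit can compare counters.
    """
    parsed = {}
    for line in text.splitlines():
        key, sep, val = line.partition(" : ")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        parsed[key] = int(val) if val.isdigit() else val
    return parsed


def audit(p: dict) -> list:
    """Return human-readable findings for one parsed interface."""
    findings = []
    if p.get("Port Security") != "Enabled":
        return ["port security is not enabled on this interface"]
    if p.get("Port Status") == "Secure-shutdown":
        findings.append(
            "port is Secure-shutdown (err-disabled); last source "
            f"{p.get('Last Source Address:Vlan')} caused the violation, "
            "re-enable it with shutdown / no shutdown once investigated")
    if p.get("Security Violation Count", 0) > 0:
        findings.append(
            f"{p['Security Violation Count']} security violation(s) recorded")
    if p.get("Violation Mode") == "Protect":
        findings.append(
            "violation mode Protect drops offenders silently: no counter, "
            "no syslog, no trap, so violations go unnoticed")
    if p.get("Total MAC Addresses", 0) == 0:
        findings.append(
            "no secure address learned yet: the first device that sends a "
            "frame will be bound to this port, so connect the right host first")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_SECURE_UP),
                          ("after", SAMPLE_AFTER_VIOLATION)):
        print(label, audit(parse_psec_interface(sample)) or ["clean"])
```

The parser deliberately splits on the three-character " : " separator rather than the first colon, because the Last Source Address:Vlan key would otherwise be cut in half; the same function works on the compact layout printed on this page and on the column-aligned layout a real switch prints. The "no secure address learned yet" finding is the one to act on before the port goes into service: with sticky learning the first device that talks is the one that gets bound.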
