Configuring switch port security

It is important that your network infrastructure devices, such as switches and routers, are also configured with security features. In this lab, you will follow some best practices for configuring security features on LAN switches. You will also configure and verify port security to lock out any device with a MAC address not recognized by the switch. Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is.

Refer to the Router Interface Summary Table at the end of this lab for the correct interface identifiers. Note: Make sure that the router and switch have been erased and have no startup configurations. If you are unsure, contact your instructor or refer to the previous lab for the procedures to initialize and reload devices.

Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices. In Part 1, you will set up the network topology and clear any configurations if necessary. Step 1: Cable the network as shown in the topology.

Step 2: Initialize and reload the router and switch. If configuration files were previously saved on the router or switch, initialize and reload these devices back to their default configurations. In Part 2, you will configure basic settings on the router, switch, and PC. Refer to the Topology and Addressing Table at the beginning of this lab for device names and address information. Step 2: Configure basic settings on R1.

Console into R1 and enter global configuration mode. Copy the following basic configuration and paste it to running-configuration on R1. Step 3: Configure basic settings on S1.

Console into S1 and enter global configuration mode. Copy the following basic configuration and paste it to running-configuration on S1. What is the status and protocol for management interface VLAN 99? Status is up, and protocol is down.

Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99? No physical ports on the switch have been assigned to VLAN. Issue the show ip interface brief command on S1. What is the status and protocol showing for the interface? Step 4: Verify connectivity between devices.

From PC-A, ping the default gateway address on R1. Were your pings successful? From PC-A, ping the management address of S1. From S1, ping the default gateway address on R1. If you are prompted for a username and password, leave the username blank and use class for the password.

By default there is no limit to the number of MAC addresses a switch can learn on an interface, and all MAC addresses are allowed. If we want, we can change this behavior with port security.

Sometimes people like to bring an extra switch from home to the office. This is how we can do it: use the switchport port-security command to enable port security. I have configured port security so that only one MAC address is allowed. Once the switch sees another MAC address on the interface, the port will be in violation and something will happen.

You can use this to allow only certain MAC addresses. In the example above I configured port security so it only allows MAC address aaaa. Use the switchport port-security mac-address command to define the MAC address that you want to allow. We have a security violation, and as a result the port goes into err-disable state. As you can see, it is now down. Here is a useful command to check your port security configuration.

Use show port-security interface to see the port security details per interface. You can see that the violation mode is shutdown and that the last violation was caused by MAC address. Shutting the interface after a security violation is a good idea security-wise, but the problem is that the interface will stay in err-disable state. This probably means another call to the helpdesk and you bringing the interface back to the land of the living!
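Reading that output by hand is fine for one port, but when you are chasing helpdesk tickets it helps to parse it. The following is an added example (not from this tutorial or from Cisco) that parses a constructed, representative `show port-security interface` output and reports whether the port is err-disabled, which MAC tripped it, and what to do next; the MAC address and VLAN in the sample are made up.

```python
import re

# Constructed sample of "show port-security interface" output on a Cisco IOS
# switch after a violation in the default (shutdown) mode; the MAC is made up.
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 1
"""

# "Key : Value" lines; the key itself may contain a colon (Last Source Address:Vlan),
# so the separator is the first colon that is preceded by whitespace.
_LINE = re.compile(r"^(?P<key>.+?)\s+:\s*(?P<val>.*)$")


def parse_port_security(text):
    """Return the Key/Value fields of one interface's output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("val").strip()
    return fields


def assess(fields):
    """Say whether the port is err-disabled, which MAC tripped it, and what to do next."""
    status = fields.get("Port Status", "")
    mode = fields.get("Violation Mode", "").lower()
    count = int(fields.get("Security Violation Count", "0"))
    mac, _, vlan = fields.get("Last Source Address:Vlan", ":").rpartition(":")
    err_disabled = status.lower() == "secure-shutdown"
    if err_disabled:
        action = "err-disabled: fix the offending device, then shut/no shut or wait for errdisable recovery"
    elif count:
        action = f"{count} violation(s) dropped in {mode} mode; port still forwards authorized MACs"
    else:
        action = "no violations recorded"
    return {"err_disabled": err_disabled, "violation_mode": mode, "violation_count": count,
            "last_source_mac": mac, "last_source_vlan": vlan, "action": action}
```

Feed it the real output of `show port-security interface` for each port to turn a page of CLI text into a short list of ports that need attention.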

It might be easier if the interface could recover itself after a certain time.

Hi Rene, I have a strange problem related to your post. We have an unmanaged switch connected to a managed switch port. That port is configured as follows:

This sounds silly, but I want to know how you can ping from the IOS command line in Packet Tracer instead of from the command prompt?

Thanks, Peter.

In order to clearly answer this question, we have to define two different functionalities of the switch: port security and the MAC address table. The MAC address table is a table that records MAC addresses and the corresponding interface on which they can be found.


These are the secure addresses. Now there are several ways a switch can learn these addresses: statically or dynamically. They are permanent. These are the addresses that are configured using the command:

Basic Switch Security Concepts and Configuration


By default, all interfaces on a Cisco switch are turned on. That means that an attacker could connect to your network through a wall socket and potentially threaten your network.

If you know which devices will be connected to which ports, you can use the Cisco security feature called port security.

Port security

By using port security, a network administrator can associate specific MAC addresses with an interface, which prevents an attacker from connecting their device. This way you can restrict access to an interface so that only the authorized devices can use it. If an unauthorized device is connected, you can decide what action the switch will take, for example discarding the traffic or shutting down the port. All three violation options (protect, restrict, and shutdown) discard the traffic from the unauthorized device.

The restrict and shutdown options send a log message when a violation occurs. Shutdown mode also shuts down the port. First, we need to enable port security and define which MAC addresses are allowed to send frames:

By default, the maximum number of allowed MAC addresses is one, so if we connect another host to the same port, a security violation will occur:

The status code err-disabled means that a security violation occurred on the port.

One of the best practices in network security is to try and stop security threats at the entry point of a LAN network.

For example, port security on Cisco switches can be used to stop MAC-flooding attacks or to prevent non-authorized hosts from connecting to the switch. In MAC flooding, an attacker connects a laptop to an empty switch port or empty RJ45 wall socket and uses hacking tools to generate millions of Ethernet frames with fake source MAC addresses, sending them to the switch interface.

The switch will learn these MAC addresses, and once the switch reaches its MAC address learning limit it will start flooding all the traffic out of all of its ports. The solution to this kind of attack, and also to other Layer 2 attacks, is easy and simple. If this interface receives any more MAC addresses, it will go to err-disabled state.

Besides setting a maximum limit on the number of MAC addresses, you can also use port security to filter MAC addresses. In the following example I configured port security so it only allows MAC address f1d3.

Any device with a MAC address different from this one will violate the rule, and the interface will go to err-disabled state. As you can see from the log message above, a device with MAC address f02d.


There is another very useful way to filter MAC addresses. With this command, the switch will learn the first MAC address connected to the interface and save it for port security. TestSwitch(config-if)# no switchport port-security mac-address f1d3. As you can see from above, the switch has learned MAC address f02d. You can see the switch ports which have entered the error-disabled state because of a security violation with the following command:

Make sure you solve the problem within these 15 minutes, because otherwise there will be another violation and the interface will end up in err-disable state again. There are three actions a port can take when a violation occurs on the interface.

Shutdown: This is the default action of the interface. If an interface receives frames from a restricted MAC address, the interface will go to err-disable state and will effectively be shut down. There will be logging, and an SNMP trap will be sent.

Static port security is a common configuration for printers, copiers and other devices on the network that never change.

Dynamic port security is great, but what about when you connect switches to routers or other devices that need to be secured in a way that prevents unauthorized device swapping in the network? For example, you have a small site location with a router and a pc switch, and an end user gets the bright idea to swap the with a WRT54G because he wants wireless and wired network connectivity. In this case you can sticky the port that the WAN router is connected to, preventing unauthorized device swaps like this.

There are two ways to configure a sticky port. The first is to configure a static MAC address when configuring port security on a specific interface. When port security is configured this way, the first MAC address learned on the switch port will automatically be configured statically into the running configuration, as if you had manually specified the MAC address.

Step 1. Upon a port security violation, protect the port. Verify your configuration. To configure the interface to sticky the dynamically learned MAC address, use the switchport port-security mac sticky command in interface configuration mode, as discussed at the beginning of this lab. Step 2. Afterward, configure the new static MAC address using the switchport port-security mac aaaa.
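The three violation actions (protect, restrict, shutdown) and sticky learning described above, as an added simulation for this page (not code from the lab, the tutorial, or Cisco): a `SecurePort` models one interface, learns MACs up to the configured maximum, applies the violation mode to any further MAC, and emits the interface config lines so you can see why sticky addresses survive a reload while dynamic ones do not. As on Cisco IOS, protect mode drops silently and does not count violations, while restrict and shutdown count and log them.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One Cisco IOS port-security interface, modelled for this example (not vendor code)."""
    maximum: int = 1                 # switchport port-security maximum N (default 1)
    violation: str = "shutdown"      # protect | restrict | shutdown (the default)
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: dict = field(default_factory=dict)   # mac -> static | dynamic | sticky
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)           # stand-in for syslog / SNMP trap

    def add_static(self, mac):
        """switchport port-security mac-address <mac>: pre-authorize a MAC."""
        self.secure_macs[mac.lower()] = "static"

    def receive(self, mac):
        """Return 'forward' or 'drop' for a frame whose source MAC is `mac`."""
        mac = mac.lower()
        if self.err_disabled:             # shutdown mode took the whole port down
            return "drop"
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:   # room left: learn it
            self.secure_macs[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Table full and this MAC is not in it: a security violation.
        if self.violation == "protect":   # silent drop: no counter, no log
            return "drop"
        self.violation_count += 1
        self.log.append(f"PORT_SECURITY violation by {mac} ({self.violation} mode)")
        if self.violation == "shutdown":  # err-disable: nothing forwards until recovery
            self.err_disabled = True
        return "drop"

    def recover(self):
        """shutdown / no shutdown on the interface, or errdisable recovery firing."""
        self.err_disabled = False

    def running_config(self):
        """Interface config lines: sticky-learned MACs are written, dynamic ones are not."""
        lines = ["switchport port-security", f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        lines += ["switchport port-security mac-address sticky"] if self.sticky else []
        for mac, kind in self.secure_macs.items():
            if kind != "dynamic":
                lines.append(f"switchport port-security mac-address {'sticky ' if kind == 'sticky' else ''}{mac}")
        return lines
```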

Configuring Sticky Switchport Security. Establish a console session with device R1, then configure the device's respective hostname.

Cisco Networking Academy's Introduction to Basic Switching Concepts and Configuration

Assign the IP address. Upon a port security violation, restrict the port. However, this lab can be completed using the Stub Lab. This command is executed in interface configuration mode and statically sets a MAC address that allows traffic with that source MAC to traverse the switch.

Basic Switch Configuration

This command is executed in interface configuration mode and configures the port to dynamically learn the MAC address and automatically configure the MAC address as a static MAC address associated with the port.

This command is executed in privileged mode to erase the current secure MAC address table for a specified switch port.

Hello and welcome! Switch port security is a network security feature that associates specific MAC addresses of devices such as PCs with specific interfaces on a switch. This will enable you to restrict access to a given switch interface so that only the authorized devices can use it. If an unauthorized device is connected to the same port, you can define the action that the switch will take, such as discarding the traffic, sending an alert, or shutting down the port.

Ping should be successful here since switch port security is not violated. See the effect of doing this:

Verify from above that the port status is now Secure-shutdown upon violation of port security. How to reset an interface that has been shut down due to a violation of port security:

Then run the following commands on the switch and test connectivity from the authorized PC (PC1):


On switches covered in this guide, automatically invokes eavesdrop protection; see Eavesdrop prevention.

Default: Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from the devices to which it is connected. In this state, the port accepts traffic from any devices to which it is connected.

Addresses learned in the learn continuous mode "age out" and are automatically deleted if they are not used regularly. The default age time is five minutes. Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing.

For more information on the mac-age-time command see "Interface Access and System Information" in the management and configuration guide for your switch.

Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter explained below to specify the number of MAC addresses authorized for the port.

You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached.

That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them. For example, if you use address-limit to specify three authorized devices, but use mac-address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects.

You use address-limit to allow three devices on port A4 and the port detects these MAC addresses: the remaining MAC address detected by the port, c45a1, is not allowed and is handled as an intruder. Learned addresses that become authorized do not age out. See also Retention of static addresses.


Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become "authorized". This is because the port, to fulfill the number of devices allowed by the address-limit parameter (see below), automatically adds devices it detects until it reaches the specified limit. Specifies which MAC addresses are allowed for this port.

Range is 1 (the default) to 64, and addresses do not age. Addresses are saved across reboots. Also known as MAC Secure, or "limited" mode.

The limited parameter sets a finite limit to the number of learned addresses allowed per port.


You can set the range from 1, the default, to a maximum of 32 MAC addresses which may be learned by each port. All addresses age, meaning they are automatically removed from the authorized address list for that port after a certain amount of time. Limited mode and the address limit are saved across reboots, but addresses which had been learned are lost during the reboot process.

Addresses learned in the limited mode are normal addresses learned from the network until the limit is reached, but they are not configurable.

