Lab 10
Catalyst Switch Port Security
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to enable and verify the Port Security feature on Cisco IOS Catalyst switches.
Lab Purpose:
Port Security is a fundamental component of Catalyst switch security. It limits the number and identity of MAC addresses a switch port may learn, which protects the switched network against CAM table overflow (MAC flooding) attacks: an attacker sends frames from thousands of bogus source MAC addresses until the CAM table fills, at which point the switch starts flooding unicast traffic out of every port in the VLAN and the attacker can sniff it.
Lab Difficulty:
This lab has a difficulty rating of 7/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use the following topology to complete this lab:
NOTE:
This lab is based on a Cisco Catalyst switch with 24 10/100 FastEthernet ports and 2 1000 Mbps GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges used in this lab with those available on your switch. For example, if you only have 12 10/100 FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the GigabitEthernet ports, and you only have a 12-port 10/100 FastEthernet switch, simply substitute GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example.
Lab 10 Configuration Tasks
Task 1:
Configure the hostname on Sw1 as illustrated in the diagram. In addition to this, configure the following VLANs on Sw1:
VLAN Number   VLAN Name           VLAN Ports
10            VLAN_10_SECURITY    FastEthernet0/1 - FastEthernet0/12
20            VLAN_20_SECURITY    FastEthernet0/13 - FastEthernet0/24
Task 2:
Configure Port Security for VLAN 10 so that all learned MAC addresses are saved to the NVRAM of Sw1. In addition to this, ensure that only one MAC address per port is learned and, if more than one is detected, the switch port(s) should be shut down. Verify your configuration.
Task 3:
Configure Port Security for VLAN 20 so that a maximum of 5 MAC addresses can be learned dynamically. In the event that more than 5 MAC addresses are detected, the switch should apply the restrict violation action to the port(s). These dynamically learned entries should be flushed every 24 hours. Verify your configuration using the appropriate Catalyst switch show commands.
Lab 10 Configuration and Verification
Task 1:
Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname Sw1
Sw1(config)#vlan 10
Sw1(config-vlan)#name VLAN_10_SECURITY
Sw1(config-vlan)#exit
Sw1(config)#vlan 20
Sw1(config-vlan)#name VLAN_20_SECURITY
Sw1(config-vlan)#exit
Sw1(config)#interface range fastethernet0/1 - 12
Sw1(config-if-range)#switchport mode access
Sw1(config-if-range)#switchport access vlan 10
Sw1(config-if-range)#no shutdown
Sw1(config-if-range)#exit
Sw1(config)#interface range fastethernet0/13 - 24
Sw1(config-if-range)#switchport mode access
Sw1(config-if-range)#switchport access vlan 20
Sw1(config-if-range)#no shutdown
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
10   VLAN_10_SECURITY                 active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
20   VLAN_20_SECURITY                 active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     active
1003 trcrf-default                    active
1004 fddinet-default                  active
1005 trbrf-default                    active
Task 2:
This Task requires the use of Host 1 for accurate validation. With sticky learning enabled, the switch converts the dynamically learned MAC address of Host 1 into a sticky secure address and writes it into the running configuration as a switchport port-security mac-address sticky entry. Only after the running configuration is saved to NVRAM (copy running-config startup-config) does the entry survive a reboot; without that save, a reboot loses it and the port re-learns whatever connects next.

Note that port security must be enabled on the interface with switchport port-security before any of the other port-security settings take effect. Also, a maximum of 1 and a violation mode of shutdown are the IOS defaults, so although they are entered here they will not appear in the running configuration. When a port in shutdown mode sees a violation it is placed in the err-disabled state and must be recovered by an operator (shutdown followed by no shutdown) or by errdisable recovery cause psecure-violation.

Sw1(config)#interface range fastethernet0/1 - 12
Sw1(config-if-range)#switchport port-security
Sw1(config-if-range)#switchport port-security maximum 1
Sw1(config-if-range)#switchport port-security mac-address sticky
Sw1(config-if-range)#switchport port-security violation shutdown
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Sw1#
Sw1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            0                  0         Shutdown
      Fa0/3              1            0                  0         Shutdown
      Fa0/4              1            0                  0         Shutdown
      Fa0/5              1            0                  0         Shutdown
      Fa0/6              1            0                  0         Shutdown
      Fa0/7              1            0                  0         Shutdown
      Fa0/8              1            0                  0         Shutdown
      Fa0/9              1            0                  0         Shutdown
     Fa0/10              1            0                  0         Shutdown
     Fa0/11              1            0                  0         Shutdown
     Fa0/12              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024
Sw1#
Sw1#show port-security interface fastethernet 0/1 address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  10    001d.09d4.0238    SecureSticky        Fa0/1        -
-------------------------------------------------------------------
Total Addresses: 1

Sw1#
Sw1#show running-config interface fastethernet 0/1
Building configuration...

Current configuration : 230 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001d.09d4.0238
 no ip address
end
Task 3:
The VLAN 20 ports are FastEthernet0/13 through FastEthernet0/24; take care not to include FastEthernet0/12 in the range, as it belongs to VLAN 10 and would otherwise pick up the VLAN 20 settings. In restrict mode the port stays up and keeps forwarding for the secure addresses, while frames from any additional source MAC are dropped, the violation counter is incremented and a syslog message/SNMP trap is generated (protect mode does the same silently). The aging time is specified in minutes, so 1440 gives the required 24 hours; with the default absolute aging type a dynamically learned entry is removed 24 hours after it was learned regardless of activity. Sticky and static secure addresses are not aged unless switchport port-security aging static is also configured.

Sw1(config)#interface range fastethernet0/13 - 24
Sw1(config-if-range)#switchport port-security
Sw1(config-if-range)#switchport port-security maximum 5
Sw1(config-if-range)#switchport port-security violation restrict
Sw1(config-if-range)#switchport port-security aging time 1440
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show port-security | begin Fa0/13
     Fa0/13              5            0                  0         Restrict
     Fa0/14              5            0                  0         Restrict
     Fa0/15              5            0                  0         Restrict
     Fa0/16              5            0                  0         Restrict
     Fa0/17              5            0                  0         Restrict
     Fa0/18              5            0                  0         Restrict
     Fa0/19              5            0                  0         Restrict
     Fa0/20              5            0                  0         Restrict
     Fa0/21              5            0                  0         Restrict
     Fa0/22              5            0                  0         Restrict
     Fa0/23              5            0                  0         Restrict
     Fa0/24              5            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024
Sw1#
Sw1#show port-security interface fastethernet 0/13
Port Security              : Enabled
Port status                : SecureUp
Violation mode             : Restrict
Maximum MAC Addresses      : 5
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Aging time                 : 1440 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation count   : 0
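Once port security is in place, the show port-security summary is the quickest place to see which ports have actually tripped and which are one address away from doing so. The following is an added example, not part of this lab or of any Cisco tooling: it parses summary output in the layout the switch printed above and reports ports with a non-zero violation count, ports that have learned their maximum, and ports that were expected to be secured but do not appear in the table at all. The sample output is constructed for the example, with Fa0/3 given a violation count of 2 so the checks have something to find; the port names follow the lab.

```python
"""Flag ports needing attention from 'show port-security' summary output.

Added example for this lab (not from the lab or from Cisco). The sample
output is constructed in the format the switch printed above; Fa0/3 has
been given a non-zero violation count so the checks have something to find.
"""
import re

# Constructed sample in the 'show port-security' layout used in this lab.
SAMPLE_SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            0                  0         Shutdown
      Fa0/3              1            1                  2         Shutdown
     Fa0/13              5            5                  0         Restrict
     Fa0/14              5            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System : 9
Max Addresses limit in System : 1024
"""

# One data row: port, max, current, violations, action.
ROW_RE = re.compile(
    r"^\s*(?P<port>(?:Fa|Gi|Te)\d+/\d+(?:/\d+)?)\s+"
    r"(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+"
    r"(?P<action>Shutdown|Restrict|Protect)\s*$"
)


def parse_port_security(text):
    """Return one dict per secure port listed in the summary table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"port": m["port"], "max": int(m["max"]),
                         "current": int(m["cur"]),
                         "violations": int(m["viol"]), "action": m["action"]})
    return rows


def ports_with_violations(rows):
    """Ports whose violation counter is non-zero. In Shutdown mode such a port
    is err-disabled until an operator clears it; in Restrict mode it still
    forwards for the allowed MACs but has been dropping frames from others."""
    return [r["port"] for r in rows if r["violations"] > 0]


def saturated_ports(rows):
    """Ports that have learned their maximum: the next unknown source MAC will
    trigger the violation action. Normal for a sticky max-1 port, worth a
    look on a max-5 port."""
    return [r["port"] for r in rows if r["current"] >= r["max"]]


def ports_missing(rows, expected_ports):
    """Ports that should be secured but are absent from the table, i.e.
    'switchport port-security' was never applied to them."""
    listed = {r["port"] for r in rows}
    return [p for p in expected_ports if p not in listed]


if __name__ == "__main__":
    rows = parse_port_security(SAMPLE_SHOW_PORT_SECURITY)
    lab_ports = [f"Fa0/{n}" for n in range(1, 25)]   # the lab's 24 access ports
    print("violations :", ports_with_violations(rows))
    print("saturated  :", saturated_ports(rows))
    print("not secured:", ports_missing(rows, lab_ports))
```

Feed it the real output captured from the switch (for example over SSH with a library of your choice) instead of the constructed sample; a port listed under violations with the Shutdown action is err-disabled and needs operator attention, while a port absent from the table has no port security at all, which is the failure mode that a mistyped interface range produces.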
Lab 10 Configurations
Sw1 Configuration
Sw1#show running-config
Building configuration…
Current configuration : 5684 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Sw1
!
no logging console
!
ip subnet-zero
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
vlan 10
 name VLAN_10_SECURITY
!
vlan 20
 name VLAN_20_SECURITY
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001d.09d4.0238
 no ip address
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/9
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/11
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/12
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
!
interface FastEthernet0/13
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/14
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/15
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/16
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/17
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/18
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/19
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/20
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/21
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/22
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/23
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface FastEthernet0/24
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
!
line con 0
line vty 5 15
!
end