Configuring Switch Access Port Security on Cisco Catalyst Switches
Objective
The objective of this lab exercise is to configure basic switch security to prevent MAC address flooding on switch ports. This is accomplished by limiting the number of MAC entries that are allowed to be learned on a port. By default, there is no limit on MAC addresses that can be learned on a port.
Purpose
Port security is a fundamental skill. A common Denial of Service technique used to cripple switched networks is MAC flooding. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to configure port security to mitigate MAC flooding attacks.
Lab Topology
Use the following topology to complete this lab exercise:
Task 1: Configure Hostname
Objective: In preparation for port security configuration, configure a hostname on SW1 and R1 as illustrated in the topology.
Configuration Steps:
SW1#config t Enter configuration commands, one per line. End with CTRL/Z. SW1(config)#hostname SW1 SW1(config)# R1#config t Enter configuration commands, one per line. End with CTRL/Z. R1(config)#hostname R1 R1(config)#
Task 2: Create VLAN10 on SW1
Objective: Create VLAN10 on SW1 and assign port FastEthernet0/1 to this VLAN as an access port.
Configuration Steps:
SW1#config t Enter configuration commands, one per line. End with CTRL/Z. SW1(config)#vlan 10 SW1(config-vlan)#name SALES SW1(config-vlan)#exit SW1(config)#interface fastethernet0/1 SW1(config-if)#switchport mode access SW1(config-if)#switchport access vlan 10 SW1(config-if)#end SW1#
Task 3: Configure IP Addresses and Verify Connectivity
Objective: Configure IP address 10.0.0.1/30 on R1’s FastEthernet0/0 interface and IP address 10.0.0.2/30 on SW1’s VLAN10 interface. Verify that R1 can ping SW1, and vice versa.
Verification Commands:
R1#config t Enter configuration commands, one per line. End with CTRL/Z. R1(config)#interface fastethernet0/0 R1(config-if)#ip address 10.0.0.1 255.255.255.252 R1(config-if)#no shut R1(config-if)#end R1# SW1#config t Enter configuration commands, one per line. End with CTRL/Z. SW1(config)#interface vlan10 %LINK-5-CHANGED: Interface Vlan10, changed state to up SW1(config-if)#ip address 10.0.0.2 255.255.255.252 SW1(config-if)#no shut SW1(config-if)#end SW1#ping 10.0.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 0/2/9 ms
Task 4: Configure Port Security on SW1
Objective: Configure port security on port FastEthernet0/1 on SW1 so that only one MAC address is allowed to be learned on that interface. In the event of port security configuration violations, where more than one MAC address is observed on that interface, the switch should shut the interface down. Verify your configuration with port-security commands in Cisco IOS.
Verification Commands:
SW1#config t
Enter configuration commands, one per line. End with CTRL/Z.
SW1(config)#interface FastEthernet0/1
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 1
SW1(config-if)#switchport port-security violation shutdown
SW1(config-if)#end
SW1#show port-security
SW1#copy running-config startup-config
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/1 1 0 0 Shutdown
----------------------------------------------------------------------
Testing Port Security Violation:
changing the MAC address to 000a.bc01.2300 would result in a violation because this new MAC address is not permitted by the port security configuration.
R1#config t
Enter configuration commands, one per line. End with CTRL/Z.
R1(config)#interface fastethernet0/0
R1(config-if)#mac-address 000a.bc01.2300
R1(config)#end
R1#copy running-config startup-config
SW1#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/1 1 0 1 Shutdown
----------------------------------------------------------------------
SW1#show interfaces FastEthernet0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
Hardware is Lance, address is 0060.476e.1701 (bia 0060.476e.1701)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
[Output Truncated]
As can be seen in the output above, the violation counter has incremented and the interface is now in an errdisabled mode, which basically means it has been shut down due to a port security violation. To bring this interface back up, you need to issue a shutdown command and then a no shutdown command under the interface.
Cisco Packet Tracer file:
Load and open the .pkt Lab file in Cisco Packet Tracer from here: Configuring_Switch_Access_Port_Security.pkt