Basic Port Security 1

certskills
By certskills January 21, 2012 07:35

The Cisco switch Port Security feature lets the switch monitor incoming frames, look at the source MAC address, and determine whether frames with that source address should or should not be allowed into the switch. As usual for these config labs, this one plays it straight, with straightforward requirements to configure. Details below the fold.

The Network, Initial State, and Rules

This lab uses the simple LAN shown in Figure 1: two switches connected by a single link, with a router off to the side.

Figure 1 – Lab Topology

The lab begins with the router already configured and working, but the router configuration is not part of the exercise; the focus is on the links between the PCs and the switches. The switches' initial configurations (Examples 1 and 2) have no real impact on how you configure port security for the new requirements.

Example 1: SW1 Initial Config

Example 2: SW2 Initial Config

And the general rules:

  • The router has been configured already, and is working.
  • The router is connected to other links, not shown; those links are completely unimportant to the lab.
  • This lab uses only ICND1/CCENT concepts, so the link between the two switches is not a VLAN trunk, and only the default VLAN (VLAN 1) is in use.

Now that you have the background, the rest of this post spells out your tasks.

Problem: Configure to Match the Requirements Table

This exercise does not match what you would do in real life, because it asks you to use many different options in one small LAN. It does, however, let you exercise the different command options. For this lab, configure the switch ports so that port security uses the combination of features listed for each of the six PCs in the figure. That’s it! The types of configuration settings include:

  1. The action (violation mode) the switch takes when a violation occurs: shutdown, protect, and restrict
  2. Whether the one PC’s MAC should be learned dynamically or statically configured
  3. Whether the switch should make a dynamically-learned MAC be “sticky” and remember it for later
  4. The maximum number of MACs that may be associated with the port.

The MAC addresses of the six PCs should be considered to be eight hex zeros followed by four copies of the PC’s number. E.g., PC1’s MAC is 0000.0000.1111, PC2’s is 0000.0000.2222, and so on.

Table 1: Configuration Combinations

                          PC1    PC2    PC3    PC4    PC5    PC6
Number of MACs            1      1      2      2      3      3
Dynamically learn MAC?    Y      N      Y      Y      N      Y
Sticky?                   N      N      Y      N      N      Y
Violation mode            Shut.  Prot.  Rest.  Shut.  Prot.  Rest.

As a final requirement, you should configure only the required parameters. Do not configure any commands that could be picked up by default. That’s it! Jump in, and try a few.
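One configuration that satisfies Table 1 under the "no default commands" rule, added here as a worked example rather than the author's own answer key. Because the figure's interface IDs are not reproduced on this page, the example assumes PC1 through PC3 connect to SW1 FastEthernet0/1 through 0/3 and PC4 through PC6 connect to SW2 FastEthernet0/1 through 0/3, and that Examples 1 and 2 did not already set those ports to access mode; adjust the interface numbers to match your figure.

```cisco
! ===== SW1 (assumed: PC1, PC2, PC3 on Fa0/1-Fa0/3) =====
! PC1: 1 MAC (default maximum), learned dynamically, not sticky,
!      violation shutdown (default). Only the two mandatory commands.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
! PC2: 1 MAC (default maximum), statically configured, violation protect.
!      The static entry counts toward the maximum, so any other source
!      MAC on this port is a violation and is silently dropped.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.0000.2222
 switchport port-security violation protect
!
! PC3: up to 2 MACs, learned dynamically and made sticky, violation restrict.
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! ===== SW2 (assumed: PC4, PC5, PC6 on Fa0/1-Fa0/3) =====
! PC4: up to 2 MACs, learned dynamically, not sticky, violation shutdown (default).
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
! PC5: up to 3 MACs, PC5's address statically configured, violation protect.
!      The remaining two of the three allowed addresses are learned dynamically.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address 0000.0000.5555
 switchport port-security violation protect
!
! PC6: up to 3 MACs, learned dynamically and made sticky, violation restrict.
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation restrict
```

A few checks worth making on a real switch. `switchport mode access` is required on any port whose mode is still the default dynamic auto; without it, `switchport port-security` is rejected. `switchport port-security maximum 1` and `switchport port-security violation shutdown` are the defaults, which is why PC1 and PC4 omit the violation command and PC1 omits the maximum. Verify each port with `show port-security interface FastEthernet0/1` (maximum, current count, violation mode, and the violation counter) and the whole switch with `show port-security`. Sticky addresses show up in the running configuration as `switchport port-security mac-address sticky <mac>` lines, and survive a reload only after `copy running-config startup-config`. A port that shutdown mode has err-disabled is brought back with `shutdown` followed by `no shutdown` on the interface (or via `errdisable recovery cause psecure-violation`).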


7 Comments

  1. EricLenz January 23, 14:51

    The ICND1 book is a great help but I have a couple of questions about possible errors in the 3rd edition. I’m unable to find an e-mail address for either the author or publisher. If there is a best method for reporting such things please let me know. Thanks much

    Reply to this comment
  2. JDBoelter May 12, 15:51

    Wendell, many thanks for adding to the value of your ICND1 book with these additional config labs. Reading the chapter, answering the DIKTA questions and going through the “lite” simulator sometimes engender a false sense of confidence. I really like the additional drill and practice these labs give.

    Reply to this comment
  3. David Alon May 3, 17:15

    Hi Wendell, I have to add my share of congrats. Your blog complements the book well, offering different perspectives and thus allowing one to go deeper and understand better. Thx!

    Reply to this comment
  4. David Alon May 4, 10:02

    Hi Wendell, quick high-level question: if I understand correctly, statically configured MAC addresses will never trigger a violation even if that static address would exceed the max value. Is that correct?

    Following tests on Packet-Tracer confirm it:

    SW1(config)#interface fastEthernet 0/1
    SW1(config-if)#switchport port-security max 3
    SW1(config-if)#switchport port-security mac-address 00D0.FED9.A308

    SW1#show port-security interface fastEthernet 0/1
    Maximum MAC Addresses : 3
    Total MAC Addresses : 1
    Configured MAC Addresses : 1
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 00D0.FED9.A309:1
    Security Violation Count : 0

    SW1#show port-security interface fastEthernet 0/1
    Maximum MAC Addresses : 3
    Total MAC Addresses : 2
    Configured MAC Addresses : 1
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 00D0.FED9.A305:1
    Security Violation Count : 0

    SW1#show port-security interface fastEthernet 0/1
    Maximum MAC Addresses : 3
    Total MAC Addresses : 3
    Configured MAC Addresses : 1
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 00D0.FED9.A307:1
    Security Violation Count : 0

    SW1#show port-security interface fastEthernet 0/1
    Maximum MAC Addresses : 3
    Total MAC Addresses : 3
    Configured MAC Addresses : 1
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 00D0.FED9.A308:1 ----> THAT'S THE 4th MAC TO ENTER THE INTERFACE
    Security Violation Count : 0 ----> NO VIOLATION

    Reply to this comment
