Config Lab: Basic Port Security 1

Wendell Odom
By Wendell Odom October 5, 2021 09:05

Cisco’s Port Security feature just happens to be one of those switch features that can confuse people until they’ve configured and tested it a few times. One challenge comes from the fact that you can enable port security with one command on an interface (switchport port-security), with many default settings, but then you can also re-configure a variety of other settings. Understanding each setting, and remembering them all (and when to use each) poses a challenge.

In this post, you’ll get to enable port security with some basic features, just to get more exercise with choosing which options to leave as defaults, and which to configure.

Config-Lab-V2-w300
More about Config Labs

All about Config Labs

The blog has a series of lab exercises called “Config Labs.” Each lab presents a topology with the relevant initial configuration for each device. The lab also lists new requirements, after which you should create the additional configuration to meet those requirements. You can do the lab on paper, in a text editor, or use software tools like Cisco Packet Tracer or Cisco Modeling Labs.

Once you have created your answer, you can click various tabs at the bottom of this post to see the lab answers, comments about the lab, and other helpful information.

The Lab Exercise

Requirements

Your job: configure port security on SW3 so that both devices off port F0/3 can send data through the switch, but that no other devices can send data through SW3’s F0/1 port. To begin the lab, all switches work, all interfaces shown are up and working, and none of the switches have been configured with port security.

The specific rules for this lab are as follows:

  1. Allow traffic from PC3 and PC4 into SW3’s F0/1 port, but disallow traffic from other sources
  2. Pre-define all MAC addresses for port security
  3. All other port security settings unnecessary to the above should be left as defaults
  4. If choosing a numeric parameter, and many values would work, choose the smallest number that would work.

On that last point about choosing numbers, in case it is unclear, consider this example. If a number could be set to a value between 1 and 1000, pick 1. That way, your answer will likely look more like my answer.

Figure 1: Switch Triangle

 

Initial Configuration

While you might be able to configure port security based on the information supplied so far, the initial configurations of the three switches can also be helpful. Examples 1, 2, and 3 show the beginning configuration state of SW1, SW2, and SW3.

 

hostname SW1
!
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
interface FastEthernet0/1
 no shutdown
 switchport mode access

Example 1: SW1 Config

hostname SW2
!
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
interface FastEthernet0/1
 no shutdown
 switchport mode access

Example 2: SW2 Config

 

hostname SW3
!
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
interface FastEthernet0/1
 no shutdown
 switchport mode access

Example 3: SW3 Config

Answer Options - Click Tabs to Reveal

Option 1: Paper/Editor

You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!

To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.

Option 2: Cisco Packet Tracer

You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.

(Use this link for more information about Cisco Packet Tracer.)

Use this workflow to do the labs in Cisco Packet Tracer:

  1. Download the .pkt file linked below.
  2. Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
  3. Add your planned configuration to the lab.
  4. Test the configuration using some of the suggestions below.

Download this lab’s Packet Tracer File

Option 3: Cisco Modeling Labs

You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.

If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:

  1. Download the CML file (filetype .yaml) linked below.
  2. Import the lab’s CML file into CML and then start the lab.
  3. Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
  4. Add your planned configuration to the lab.
  5. Test the configuration using some of the suggestions below.

Download this lab’s CML file!

 

Network Device Info:

This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.

Device Lab Port  CML Port
SW1 F0/1 G0/3
SW2 F0/1 G0/3
SW3 F0/1 G0/3

Lab Answers Below: Spoiler Alert

Lab Answers: Configuration (Click Tab to Reveal)

Lab Configuration

Answers

interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0200.0000.3333
 switchport port-security mac-address 0200.0000.4444

Example 4: SW3 Config

Commentary, Issues, and Verification Tips (Click Tabs to Reveal)

Lab Commentary

Commentary

First, port security feature only works on static ports. That is, the switch port must be statically configured as an access port or a trunk port. The initial configuration showed SW3’s F0/1 as a static access port, so the only command needed to enable port security on the port was the switchport port-security command.

With that one subcommand configured, SW3 would implement port security on that port. However, with all default settings, the switch would also be operating the wrong way in comparison with the requirements. In particular:

  • By default, only one MAC address is allowed
  • By default, the allowed MAC address is not predefined. Rather, it’s the MAC address of the first frame received once the port comes up.

As a result, the last three commands in the answer are required: one to bump the number of allowed MAC addresses from 1 to 2, and the other two commands to pre-define the MAC addresses that can be used as source MACs in frames that enter SW3’s port F0/1.

Known Packet Tracer Issues

Known Issues in this Lab

This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:

# Summary Detail
1 None No known issues related to this lab.

 

Why Would Cisco Packet Tracer Have Issues?

(Note: The below text is the same in every Config Lab.)

Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.

CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.

Verification Tips for CPT/CML

Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps. 

  1. If you do attempt this lab on a real OS, you can test by setting your hosts to use the same MAC addresses shown in the figure, seeing them work, and then setting the MAC addresses to different values, and hopefully seeing port-security filtering the traffic.

More Labs with Related Content!

Explore Same Topic w/ Book Examples

More Config Labs from Same Book Part

Config Lab: Extended Named ACLs 1
Config Lab: Basic Port Security 2
Wendell Odom
By Wendell Odom October 5, 2021 09:05
TAGS: Config Labconfig museumport security
Subscribe
Notify of

Your e-mail address will not be published.
Required fields are marked*

guest

11 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
almeidajoaodealmeida
almeidajoaodealmeida
November 13, 2021 9:05 am

Hello Mr, Wendell, the requirements text state that the interfaces to be configured are F0/3 & F0/0, but the diagram shows otherwise.

0
Reply
certskills
certskills
Admin
Reply to  almeidajoaodealmeida
November 17, 2021 1:44 pm

Hi,
Yep, all true. Several mistakes in the lab. I’ve reviewed it, and I think I caught them all. All text, examples, etc should refer to the various switches’ F0/1 ports. Thanks for letting me know.
Wendell

0
Reply
Davood
Davood
November 29, 2021 9:35 pm

Hi sir,

I downloaded CPT version but, it was incompatible with the ver I’m using(7.2.0.0226). Paper/editor & Cisco modeling labs versions don’t work as well. I recommend to type commands in .txt file and upload for us.

Thanks

0
Reply
certskills
certskills
Admin
Reply to  Davood
November 30, 2021 2:01 pm

Hi Davood,
Thanks for the input and suggestion. Two responses:
1) What would you like to see in the text file you suggested that’s not already available on the page? This page includes all the initial config for each device as well as the configuration needed to answer the lab. I’m not sure what else I could supply for you to do the lab – please clarify.
2) If you update to a more recent version of Packet Tracer, you can do the labs in packet tracer. I believe you’d have a much more useful experience doing that rather than making these a paper exercise. Here’s a page that details how to get the latest Packet Tracer for free. https://blog.certskills.com/ptinstall/

Hope this helps,
Wendell

0
Reply
Rob
Rob
January 18, 2022 7:13 pm

When I try to add the mac-addresses as a maxium of 2 it does not let me enter two mac addresses. I have to raise the max to 3 to enter the mac address. Why does this happen?

0
Reply
certskills
certskills
Admin
Reply to  Rob
January 18, 2022 7:16 pm

Hi Rob,
I am wondering if you bumped into a Packet Tracer bug/feature. I’ll take a look in a few days – teaching for the next few. In the mean time, on a hunch:
First shutdown the port (that is, get into config mode, then interface mode, and issue the “shutdown” command.
Then configure port security.
Then issue a “no shutdown” command.

I’m wondering if the switch is learning the attached PC’s MAC, and then PT is not letting you configure the 3rd MAC address.
More in a few days.

0
Reply
Carlos Mauricio Borgonovi Garcia Tejeda
Carlos Mauricio Borgonovi Garcia Tejeda
August 1, 2022 3:48 pm

Hi Mr Wendell,

I think using protect (or restrict, despite nothing was told about syslog and SNMP messages) violation police would better achieve the requirements of the stem of allowing PC2 and PC3 traffic while disallowing traffic from other sources. Cause with the default port-security violation mode (shutdown), in case of other traffic, a security violation wil occur and Fa0/1 port will be put in err-disable state and will not allow traffic from PC2 and PC3 as the requirement. Thats why I’ve included the sucommand

swicthpor pot-security violation protect

to your answer. Do I thinking right or I missing the point?

Thank you for your time,
Mauricio.

0
Reply
certskills
certskills
Admin
Reply to  Carlos Mauricio Borgonovi Garcia Tejeda
August 5, 2022 5:00 pm

Hi Mauricio,
Thanks for the note.
I agree with your logic and configuration.
The lab, as worded, is at best silent in guiding us to a decision about the port security violation mode. Without any specific direction, your logic makes sense.
My goal with the labs, given that we can discuss such things here, is to give you all a chance to explore and think. As long as you understand the options for violation mode, and know them better now as a result, then the lab did its job. (Clearly, you understand the topic well from your question.)
I’ll give some thought to whether I want to be more specific in lab or leave the lab without those directions, so that others can learn from the same sort of analysis you went through. Thoughts?
Wendell

0
Reply
Mauricio
Mauricio
Reply to  certskills
August 10, 2022 5:03 pm

Hi Mr. Wendell,

Your labs are very interesting and I learn a lot with them. Sometimes I have a different interpretation of the question, that causes me diverting from the final answer. In those cases is very important to have your comments. It helps me be confident about may understanding or correct my interpretation.Thank you for your explanations, I appreciate a lot.

Regards,
Mauricio

0
Reply
Jared
Jared
February 14, 2023 2:53 pm

Hello,

I hope all is well.

Thank you for your efforts, one sort of issue I wanted to ask the lab require to only allow the PCs hence the command switchport port-security maximum 2 however, should it not be 3 since we need to allow for the mac address of sw4 fa0/1? Or when we enabled switport port-security it already added it in?

0
Reply
Wendell Odom
Wendell Odom
Author
Reply to  Jared
March 2, 2023 8:25 am

Hi Jared,
Yeah, I think I’d agree, if I’m understanding your question. As drawn, the LAN to the right of SW3 leaves some ambiguity. If there is a switch SW4 there, it will likely send some overhead frames, like STP/RSTP, CDP, and LLDP, so SW3’s F0/1 port will learn SW4’s interface MAC address. So yes, 3 would be more appropriate in that case.
Wendell

0
Reply

Search

Categories

Tag Cloud

100-105 200-105 200-125 Acing2018-01 ACL ARP Career CCENT CCNA CCNP certification Config Lab DevNet DHCP EIGRP Encapsulation Frame relay ICND1 ICND2 IP Address IPsec IPv6 IPv6 address Lab Gear MAC Table OSPF OSPFv3 Packet Tracer port security PPP RIPv2 Root Switch RSTP SNMP SSH static route STP Study Tips subnet summary route switching Telnet VLAN VLSM VPN