2.6: Configuring Port Security
By default, any device connected to a Switch interface has its MAC address learned automatically, so a network engineer can freely move devices between interfaces as the need arises. This is, however, a security risk: an intruder could in theory connect a laptop to an interface and gain access to the network.
To help secure the network, port security can be enabled. An interface on a Switch is then configured to restrict which devices may connect, identified by their MAC address. Any unknown device connecting with a MAC address that is not permitted will be detected and the port shut down, preventing network communication and access.
With a 2950 Switch, up to 132 MAC addresses can be assigned to each interface with Port Security. By default a single MAC address is allowed.
NOTE: Port security on a 2950 Switch CANNOT be applied to ports that connect to other Switches; the interface must be an access port.
To understand this further we will look at an example:
We want to ensure that the only device connected to interface fa 0/1 on our Switch is a company Server with the MAC address 000d.6077.7fd9. Any other device connected to this interface will be disallowed and the port will be shut down automatically.
From Global Configuration mode (Switch(config)#) we must enter the relevant interface, in this case fa 0/1:
INTERFACE FASTETHERNET 0/1
This enters Fast Ethernet interface 0/1. The prompt changes to reflect that you are now in interface configuration mode: Switch(config-if)#
SWITCHPORT MODE ACCESS
This designates the interface as an access port, i.e. one that does not connect to another Switch. Port security can only be enabled on an access port.
SWITCHPORT PORT-SECURITY
Enables port security on the interface
SWITCHPORT PORT-SECURITY MAC-ADDRESS 000d.6077.7fd9
This configures the MAC address 000d.6077.7fd9 as the secure MAC address for this interface. A frame from any other MAC address will trigger a violation and shut down the interface.
As an alternative, the following command can be used:
SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY
The Switch will learn the MAC address of the connected device and make this the secure MAC address. The learned address is added to the running configuration, so it must be saved to survive a reload.
SWITCHPORT PORT-SECURITY VIOLATION SHUTDOWN
This command sets the violation mode for the interface when port security is configured. In this example it is set to SHUTDOWN, so that when a violation arises the port is automatically shut down. Alternatives include the PROTECT and RESTRICT modes: PROTECT silently drops frames from unknown MAC addresses, RESTRICT drops them and also logs the violation and increments the violation counter, while SHUTDOWN additionally places the port in the err-disabled state.
SWITCHPORT PORT-SECURITY MAXIMUM 132
This increases the number of secure MAC addresses that can be used with Port Security on this interface, here to the maximum of 132. The command takes the allowed number of addresses as its argument; without it, the default of a single address remains in effect.
END
Returns to Privileged EXEC mode (Switch#).
From Privileged EXEC mode (Switch#) the port security information can be reviewed:
SHOW PORT-SECURITY INTERFACE FASTETHERNET 0/1
This command shows the port security status of the interface. The screenshot below shows the result when the Server with the correct MAC address is connected:
This shows that the port status is SECUREUP with one MAC address configured, the violation mode is set to shutdown, and no violations have occurred.
The Server is then removed and a different computer (with a different MAC address) is connected to the same interface. The following command is then repeated:
SHOW PORT-SECURITY INTERFACE FASTETHERNET 0/1
The link light above the port goes out as the port is shut down. The following screenshot shows the result:
The port status has changed to ERR-DISABLED with a security violation count of 1, and no communication will occur through this interface until an administrator re-enables it.
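The whole procedure above (configuration, verification and recovery of an err-disabled port), consolidated as an added example that is not taken from the original lesson, written in the lowercase form IOS accepts, with the interface fa 0/1 and the Server MAC address 000d.6077.7fd9 from the text. The second interface fa 0/2 with sticky learning and restrict mode, the errdisable recovery timer and its 300-second interval are assumptions for illustration and are not in the original.

```cisco
! Added example, not from the original lesson: lock fa0/1 to the Server
! MAC address 000d.6077.7fd9 and shut the port on any other device.
Switch> enable
Switch# configure terminal
Switch(config)# interface fastethernet 0/1
! Must be an access port first; port security is rejected on a dynamic or trunk port.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Default is 1; shown explicitly so the limit is visible in the configuration.
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 000d.6077.7fd9
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end
!
! Alternative (assumed second port fa0/2, not in the original): learn the first
! MAC seen and keep it as the secure address; restrict drops offending frames
! and counts them but leaves the port up.
Switch# configure terminal
Switch(config)# interface fastethernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# end
!
! Verification: per-interface status, the secure address table, and a summary.
Switch# show port-security interface fastethernet 0/1
Switch# show port-security address
Switch# show port-security
!
! Recovery after a violation has placed fa0/1 in err-disabled:
! bounce the interface manually once the offending device has been removed.
Switch# configure terminal
Switch(config)# interface fastethernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit
! Optional (assumed available on this platform): let the switch re-enable
! err-disabled ports automatically after the interval, here 300 seconds.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Save so the sticky address on fa0/2 and the rest of the settings survive a reload.
Switch# copy running-config startup-config
```

Run the three show commands before and after moving a device so the difference between Secure-up and Err-disabled, and the growing violation count, can be observed; automatic recovery should only be enabled where an operator will still see the logged violation, since the port otherwise comes back up without anyone reviewing why it was disabled.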

