Join Lazaro Diaz for an in-depth discussion in this video, Configuring port security, part of Cisco Certified Entry Networking Technician Essential Training.
- Alright, everybody. Let's take a look at this particular, very small, little network here. We have John and Susan that are attached to one switch. So, John and Susan wanna communicate with each other and we need to put IP addresses on their computers we haven't done just yet. You can see there behind John and Susan, we have an intruder that is just waiting to see, the chance to get inside and get onto that switch. Well, there's something that we can do manually that's called switch port security.
Alright, switch port security, and let me show you what that's all about. Lemme go inside the switch and lemme go to global configuration, config t. And when we do this, when we're configuring this port security, what it does is that you're going to limit the number of MAC addresses that are permissible on the switch. So, you determine how many end devices or computers can be attached to this particular switch. And also, you can decide what type of violation. So, if they did something or they connected, they're not supposed to be there, you can just shut down that port altogether, which is really called putting the port in an err-disabled state.
So, when we are configuring it, we're gonna do it based on a range command so we don't have to do it port, by port, by port. So, we're gonna go interface, range, f0/1- let's say the first 15 ports, alright? And now you see we're in config-if-range. Now, wherever I type in this prompt is gonna affect all those ports. So, one of the first things in order to enable port security, you must turn these ports into what's called access ports.
The ports, by default, in a switch are set to dynamic auto, that's automatically gonna learn what the other port's state is and then assesses all the information. Well here, we're deliberately turning this into an access port that is mainly used for end devices, printers, computers, phones, and the such. So, let's go ahead and do that first. Switchport, TCH, port. Mode access. Once we do that, now we can enable switch port security.
So, switch... Port, port-security. And that command, all it does is turns on a switch so you can now start doing your commands for port security. So, I'm gonna up arrow switch port security and I wanna question mark it. Well, what do you wanna do? Well, the first thing is how are we gonna learn these MAC addresses? Okay, well MAC-address, and then what we're gonna do, we can do it manually, which is not very feasible, we're gonna do something called sticky, and what that does is it learns the MAC addresses dynamically, like it normally would, but once it puts it into the MAC address table, it's there to stay.
It looks like if it's static because it even tells you, hey, this is a statically assigned MAC address to this port. So, it's like permanent. That's what the sticky command does, you learn dynamically, but it puts it in like if it was a static and we'll look at that. Then next, I'm gonna up arrow to save on typing. Instead of MAC address now, now we wanna put in the maximum. Right, so you just put max. What's the maximum number of MAC addresses you wanna allow? Well, I'm just gonna allow one. I'm a rough and tough administrator, so I'll only allow one MAC address, no one needs to be bringing in any other equipment.
So, that's it. And then the next one, I'm gonna up arrow, and we're gonna do a violation. So, if somebody violates that rule of one MAC address, what's gonna happen is I'm gonna shut down their port. Oops. Violation, and I'm gonna put shut. And we're gonna see that now, so if they do unplug my machine after the MAC address has been learned and placed on the MAC address table, if they unplug it and plug theirs in, that port should shut down.
So, let's see if this is going to work. Now, the way you look, before we do that, I'm gonna exit out, exit out, I'm gonna do a copy run start. And the way you can look at that, you can do show switch port, switch, TCH, port, port. Or you can use the rule, you do switch port security. You can just do that, show port security. I believe, yeah. Show port security, that will be the best way. And you can see here that on all 15 ports, your maximum addresses is only one, currently there is none.
There is no violation and this is what's going to happen if it's violated, so, let's go ahead and go to John, let's put some IP addresses in there. Basic, 192.168.1.1. We don't need a gateway because we're not going outside our own segment. 192.168.1.2. Alright. So now, we're going to ping Susan. So, let's ping 192.168.1.2.
And we got connectivity Susan, great. So, Susan can see us. Let's go back to the switch and let's see what happened. Let's do the same command again, let's do an up arrow. And what do we see? Oh, look, now port one and port two, there's two MAC addresses that have been learned. So, let's take a look at the MAC address table. Show MAC-address-table, and yes, I did tab that. Okay, which you cannot do on the test. And you see that the type is static.
Not dynamic. Normally, the switch learns everything dynamic, which it did, but since we used the sticky command, it comes off like it's static. So, let's put this to the test. Here comes our intruder. He disconnects Susan from the network, puts himself in the network, and he has already spoofed what IP address she had. So, let's even give him the same IP address that Susan had so they think it's Susan.
Let's see what's going to happen, let's bring him out here, here's the intruder, Susan got cut off, she doesn't know what's going on, she can't get access to the network. Or maybe she's out to lunch, he waited 'til she went out to lunch. Let's see, we gotta wait for that amber light to turn green before we see what's going on. Okay, so apparently, he's in the network. So, let's see what happens if he pings somebody. Lemme see if I can ping John. 192.168.1.1. Oh, look at that.
It turned red. What does that mean? Let's take a look, you see that? Changed state to down. All sorts of things are happening here. Let's up arrow. Let's take a look at our show port-security. Now we see a violation on port two that happened. And that's our intruder, he's on port two. So, we go to F0/2, show int f0/2, and what we see is that the port is in err-disabled.
That throws up a flag that says, hey, there's an actual person that does not need to be there. So, we need to find out what's going on. So, we find the intruder, we saw it, we get him outta there or her outta there. We put Susan back in, into her port. And let's cheat a little bit using the lightning bolt. But, her port is still down, so what we need to do to bring that back up, we go inside the port. Interface, f0/2, and we do a shut, and then a no shut.
And that'll bring back, it's like cycling her port, and that'll bring her right back up into a working environment. But that is switch port security and you wanna do this to make sure that nobody, especially internal employees, can go in and just start putting in whatever device onto your network that could cause an issue. There's your switch port security.
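The command sequence the video walks through, written out in one place as an added example (this is not a configuration captured from the video or from Cisco documentation). It assumes the same 15-port FastEthernet range and the same ports for John (f0/1) and Susan (f0/2) as the video; the hostname prompt and the IOS release are assumptions, and the `show mac-address-table` spelling follows the video (newer releases accept `show mac address-table`).

```cisco
! Added example: the port-security steps from the video as one configuration.
! Interface names follow the video (FastEthernet 0/1 through 0/15); the
! "Switch" hostname and exact prompt text are assumptions.
Switch# configure terminal
Switch(config)# interface range fastEthernet 0/1 - 15
! Port security needs an access port; the default mode is dynamic auto.
Switch(config-if-range)# switchport mode access
! Turn port security on for the whole range.
Switch(config-if-range)# switchport port-security
! Learn the first MAC address seen and keep it as if it were statically set.
Switch(config-if-range)# switchport port-security mac-address sticky
! Allow exactly one MAC address per port.
Switch(config-if-range)# switchport port-security maximum 1
! A second MAC address on the port puts the port into err-disabled.
Switch(config-if-range)# switchport port-security violation shutdown
Switch(config-if-range)# end
! Save so the sticky-learned addresses survive a reload.
Switch# copy running-config startup-config
!
! Verification: MaxSecureAddr should read 1 and Security Action should read
! Shutdown on every port; SecurityViolation counts up when the rule is broken.
Switch# show port-security
Switch# show port-security interface fastEthernet 0/2
! Sticky-learned entries show up as STATIC rather than DYNAMIC.
Switch# show mac-address-table
!
! Recovery after the intruder is removed and the legitimate host is
! reconnected: bounce the err-disabled port by hand.
Switch# configure terminal
Switch(config)# interface fastEthernet 0/2
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
```

One caveat the video does not spell out: sticky learning records whichever MAC address shows up first, so confirm with `show port-security` and `show mac-address-table` that the learned addresses belong to the intended hosts before you save to startup-config. If a wrong address was learned, `clear port-security sticky interface fastEthernet 0/2` (a standard IOS command, not shown in the video) discards it so the port can relearn.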