Lab 4-19 - Configuring Dynamic Switchport Security

NOTICE
Due to the limited feature support of the NM-16ESW, this lab CANNOT be completed using the Free CCNA Workbook GNS3 topology. However, this lab can be completed using the Stub Lab.

Real World Application & Core Knowledge

It's common knowledge that when a switch reaches the maximum size of its MAC address table it starts flooding traffic out all ports like a hub. Attackers know this and will use it to gain access into a network: if they can flood the switch with thousands of fake MAC addresses, the switch effectively becomes a hub and all traffic is forwarded to their machine as well, where they can sniff Telnet or any other insecure protocol used in the environment to gain further access into the network.

A way to prevent this "mac address table poisoning" vulnerability (more commonly called MAC flooding or CAM table overflow) is to use a feature called "Port Security".

Port Security is essentially a layer 2 security mechanism that limits the number of MAC addresses that can be learned on a single switch port. It can also be used as a security barrier to prevent anyone from unplugging a network device and plugging in a new device without authorization.

Ideally, no more than three MAC addresses should be learned at any given time on a port in a Cisco network. Why 3? Most networks envision a future where VoIP will be used, and when using a Cisco VoIP solution the Cisco VoIP phone has a built-in mini switch. When you connect a phone to the network it advertises three MAC addresses to the switch: one MAC for the built-in phone switch, another MAC for the phone itself, and the last MAC for the directly connected PC.

There are several configuration options involved in enabling port security correctly: port security MAC address aging, which sets a timeout that determines how long a MAC address stays associated with a particular port; the port security MAC address type, which can be dynamic or sticky (discussed in the next lab); the maximum number of MAC addresses that can be associated with a particular port; and the violation action, whether the port protects, restricts or shuts down once the maximum MAC address limit has been exceeded or a device does not match the MAC address configured on the port.

There are three violation modes you can use with Port Security. The first is protect: a port in protect mode still allows traffic from permitted MAC addresses but silently drops all traffic from unknown MAC addresses. The second is restrict: it likewise drops traffic from unknown MAC addresses but additionally increments the port's violation counter and generates an SNMP trap to the SNMP server for administrative reference. The last mode is shutdown, which places the port into err-disabled mode once a port security violation has occurred; an err-disabled port stays down until an administrator issues shutdown followed by no shutdown on the interface, or until errdisable recovery is configured for the psecure-violation cause.

In this lab you will familiarize yourself with the following commands;

  • switchport port-security
    Executed in interface configuration mode; enables port security on the configured port.
  • switchport port-security aging
    Executed in interface configuration mode; sets the MAC address aging timer, which determines how long a MAC address stays associated with a particular port that has port security enabled.
  • switchport port-security mac-address {hhhh.hhhh.hhhh | sticky}
    Executed in interface configuration mode; specifies a static secure MAC address, or (with the sticky keyword) converts dynamically learned MAC addresses into statically configured ones.
  • switchport port-security maximum #
    Executed in interface configuration mode; specifies the maximum number of MAC addresses that can be learned on that switchport before a violation is triggered.
  • switchport port-security violation {protect | restrict | shutdown}
    Executed in interface configuration mode; specifies the action taken upon a port security violation.
  • show port-security
    Executed in privileged mode; shows the current port security status of every port on the switch that is participating in port security.
  • show port-security interface interfacename#/#
    Executed in privileged mode; shows the port security details of a particular port, including status, aging timer, violation mode, maximum MAC addresses and other configurable options.
  • show port-security interface interfacename#/# address
    Executed in privileged mode; shows the secure MAC addresses currently associated with the port.

Lab Prerequisites

  • If you are using GNS3 then load the Free CCNA Workbook GNS3 topology and start devices R1 and SW1.
  • Establish a console session with devices R1 and SW1 then configure each device's respective hostname.
  • Assign the IP address 10.1.1.1/24 to R1 Fa0/0 and the IP address 10.1.1.10/24 to SW1's Vlan1 interface then verify IP connectivity between R1 and SW1.

Lab Objectives

  • Enable port-security on SW1 interface Fa0/1 and allow a maximum of 3 MAC addresses.
  • Configure interface Fa0/1 on SW1 to shutdown the port if there is a port-security violation.
  • Verify your port-security configuration on SW1 by changing the MAC address on R1's FastEthernet0/0 interface to aaaa.aaaa.aaaa, then aaaa.aaaa.aaab and finally aaaa.aaaa.aaac to trigger a violation.

Lab Instruction

Step 1. – Enable port-security on SW1 interface Fa0/1 and allow a maximum of 3 MAC addresses

To enable port security on a specific port you use the switchport port-security command in interface configuration mode as shown below;

SW1 con0 is now available



Press RETURN to get started.



SW1>enable
SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fa0/1
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#

Step 2. – Configure interface Fa0/1 on SW1 to shutdown the port if there is a port-security violation.

To shut down a port once a violation is triggered you’ll use the switchport port-security violation shutdown command in interface configuration mode as shown below;

SW1(config-if)#switchport port-security violation shutdown

Step 3. – Verify your port-security configuration on SW1 by changing the MAC address on R1's FastEthernet0/0 interface to aaaa.aaaa.aaaa, then aaaa.aaaa.aaab and finally aaaa.aaaa.aaac to trigger a violation.

You can first verify your configuration by using the show port-security interface fa0/1 command in privileged mode to view current port-security configuration on a per-port basis as shown below;

SW1(config-if)#end
SW1#
%SYS-5-CONFIG_I: Configured from console by console
SW1#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000f.242e.bf80:1
Security Violation Count   : 0

SW1#

As you can see from above, the port status is currently "Secure-up", meaning port security is enabled, and the maximum address count is 3. Note that the port has already learned one address (R1's original MAC, 000f.242e.bf80). You can test this port-security configuration by changing the MAC address on R1 three times; the 3rd change brings the number of MAC addresses seen on the switch port to four, exceeding the limit of 3, so a violation will occur.

You can change the MAC address of a router's interface by using the mac-address xxxx.xxxx.xxxx command in interface configuration mode as shown below;

R1 con0 is now available



Press RETURN to get started.



R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fa0/0
R1(config-if)#mac-address aaaa.aaaa.aaaa
R1(config-if)#mac-address aaaa.aaaa.aaab
R1(config-if)#mac-address aaaa.aaaa.aaac
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R1(config-if)#

If you were keeping track on SW1 after each MAC address change on R1, you'd see the following changes to the secure address table until the port was automatically placed into err-disabled mode, as shown below;

SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)    
----    -----------       ----                     -----   -------------
   1    000f.242e.bf80    SecureDynamic            Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 1

SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)    
----    -----------       ----                     -----   -------------
   1    000f.242e.bf80    SecureDynamic            Fa0/1        -
   1    aaaa.aaaa.aaaa    SecureDynamic            Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 2

SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)    
----    -----------       ----                     -----   -------------
   1    000f.242e.bf80    SecureDynamic            Fa0/1        -
   1    aaaa.aaaa.aaaa    SecureDynamic            Fa0/1        -
   1    aaaa.aaaa.aaab    SecureDynamic            Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 3

SW1#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
SW1#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.aaaa.aaac on port FastEthernet0/1.
SW1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
SW1#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
SW1#
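As an added example (not part of the original lab or its IOS output), the following Python script parses the show port-security interface output and the PSECURE_VIOLATION syslog messages shown above and checks a port against this lab's policy: port security enabled, violation mode shutdown, no more than 3 MAC addresses. The sample text is a constructed copy of SW1's output; the "Secure-shutdown" status string is the value IOS reports in Port Status once the port has been err-disabled.

```python
import re
# Constructed sample: the 'show port-security interface fa0/1' output SW1 printed above
SHOW_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Maximum MAC Addresses      : 3
Last Source Address:Vlan   : 000f.242e.bf80:1
Security Violation Count   : 0
"""
# Constructed sample console log: what SW1 printed when the fourth MAC appeared
SYSLOG = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.aaaa.aaac on port FastEthernet0/1.
"""

FIELD_RE = re.compile(r"^(.+?)\s+:\s*(.*?)\s*$")  # 'Key   : Value' (the key may itself contain ':')
VIOLATION_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
                          r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+)\.")

def parse_show(text):
    """Map each 'Key : Value' line to a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2)) if m.group(2).isdigit() else m.group(2)
    return fields

def audit(fields, max_allowed=3, required_mode="Shutdown"):
    """Return policy findings; an empty list means the port matches the lab's policy."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security not enabled")
    if fields.get("Violation Mode") != required_mode:
        findings.append("violation mode is not %s" % required_mode)
    maximum = fields.get("Maximum MAC Addresses", 0)
    if maximum > max_allowed:
        findings.append("maximum %d exceeds policy limit %d" % (maximum, max_allowed))
    if fields.get("Security Violation Count", 0) > 0:
        findings.append("%d violation(s) recorded" % fields["Security Violation Count"])
    if fields.get("Port Status") == "Secure-shutdown":  # status IOS shows once err-disabled
        findings.append("port is err-disabled after a violation")
    return findings

def violations(log):
    """Extract (offending MAC, port) pairs from PSECURE_VIOLATION syslog lines."""
    return [(m.group(1), m.group(2)) for m in VIOLATION_RE.finditer(log)]
```

Feeding it the same show output captured after the violation (Port Status Secure-shutdown, violation count 1) reports the err-disabled port, which is the condition an operator would want flagged in monitoring.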