Lab 4-20 - Configuring Sticky Switchport Security

NOTICE
Due to the limited feature support of the NM-16ESW, this lab CANNOT be completed using the Free CCNA Workbook GNS3 topology. However, this lab can be completed using the Stub Lab.

Real World Application & Core Knowledge

If you completed the previous lab, Lab 4-19 – Configuring Dynamic Switchport Security, then you are already most of the way up to speed for this lab.

Dynamic port security is great, but what about ports that connect switches to routers or other devices that need to be secured against unauthorized device swapping? For example, you have a small site with an 1841 router and a 3560-8PC switch, and an end user gets the bright idea to swap the 1841 for a WRT54G because he wants both wireless and wired network connectivity.

In this case you can make the port that the WAN router is connected to sticky, which prevents an unauthorized device swap like that one from passing traffic.

There are two ways to configure a sticky port. The first is to configure a static MAC address when configuring port-security on a specific interface. The second, more convenient way is to configure "sticky" MAC address learning and leave the maximum number of MAC addresses at its default value of one. When port-security is configured this way, the first MAC address learned on the switch port is automatically written into the running-configuration as a static entry, exactly as if you had specified the MAC address manually.

In this lab you will familiarize yourself with the following new commands:

Command: switchport port-security mac-address h.h.h
Description: Executed in interface configuration mode. Statically sets a secure MAC address so that traffic with that source MAC is allowed to traverse the switch port.

Command: switchport port-security mac-address sticky
Description: Executed in interface configuration mode. Configures the port to dynamically learn the MAC address and automatically configure the learned MAC address as a static MAC address associated with the port.

Command: clear port-security all interface interfacename#/#
Description: Executed in privileged mode. Erases the current secure mac-address table for the specified switch port.

Lab Prerequisites

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology, then start devices R1 and SW1.
  • Establish a console session with R1 and SW1, then configure each device's respective hostname.
  • Assign the IP address 10.1.1.1/24 to R1's Fa0/0 and the IP address 10.1.1.10/24 to SW1's Vlan1 interface, then verify that you have IP connectivity between R1 and SW1.

Lab Objectives

  • Enable port-security on SW1's Fa0/1 interface and configure the interface to sticky the MAC address learned. Upon a port security violation, restrict the port. Verify your configuration.
  • Change the MAC address on R1's Fa0/0 to aaaa.aaaa.aaab, then configure the same MAC address as a static MAC in port-security on SW1's Fa0/1 interface. Verify your configuration.

Lab Instruction

Step 1. – Enable port-security on SW1's Fa0/1 interface and configure the interface to sticky the MAC address learned. Upon a port security violation, restrict the port. Verify your configuration.

To enable port-security you execute the switchport port-security command, as learned in Lab 4-19. To configure the interface to sticky the dynamically learned MAC address, use the switchport port-security mac-address sticky command in interface configuration mode (IOS accepts the abbreviated form switchport port-security mac sticky, as shown below), as discussed at the beginning of this lab.

SW1 con0 is now available



Press RETURN to get started.



SW1>enable
SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fa0/1
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac sticky
SW1(config-if)#switchport port-security violation restrict
SW1(config-if)#end
SW1#
%SYS-5-CONFIG_I: Configured from console by console
SW1#

To verify your configuration, use the commands shown below:

SW1#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 000f.242e.bf80:1
Security Violation Count   : 0

SW1#show port-security interface fa0/1 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)    
----    -----------       ----                     -----   -------------
   1    000f.242e.bf80    SecureSticky             Fa0/1        -
------------------------------------------------------------------------
Total Addresses: 1

SW1#show run int fa0/1
Building configuration...

Current configuration : 245 bytes
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000f.242e.bf80 vlan access
end

SW1#

Step 2. – Change the MAC address on R1's Fa0/0 to aaaa.aaaa.aaab, then configure the same MAC address as a static MAC in port-security on SW1's Fa0/1 interface. Verify your configuration.

Keep in mind that as soon as you change the MAC address on R1's Fa0/0 interface, R1 will no longer be able to communicate with any resources on the network: the new MAC address is not in the secure mac-address table on SW1's Fa0/1, the port has already learned its single allowed (sticky) address, so every frame received from the new source MAC counts as a violation and is dropped.
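The following Python model, added here as an example and not taken from the workbook, replays the behaviour this lab describes: sticky learning of the first source MAC on a port with a maximum of one secure address, the protect/restrict/shutdown violation modes, the drop that occurs when R1 changes its MAC, and recovery by clearing the secure table and adding a static entry. The SecurePort class and its method names are constructed for this illustration; the MAC addresses reuse the ones shown in this lab's transcript.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Constructed model of one access port with switchport port-security enabled."""
    name: str
    violation: str = "restrict"    # protect | restrict | shutdown (IOS violation modes)
    maximum: int = 1               # default maximum secure MAC addresses
    sticky: bool = False           # switchport port-security mac-address sticky
    table: dict = field(default_factory=dict)   # mac -> SecureStatic/SecureSticky/SecureDynamic
    violations: int = 0            # "Security Violation Count" in show port-security
    err_disabled: bool = False     # shutdown mode puts the port in err-disabled state

    def add_static(self, mac):
        """switchport port-security mac-address h.h.h"""
        self.table[mac] = "SecureStatic"

    def clear(self):
        """clear port-security all interface <port>: remove all secure addresses."""
        self.table.clear()

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame received with this source MAC."""
        if self.err_disabled:
            return "drop"
        if src_mac in self.table:
            return "forward"
        if len(self.table) < self.maximum:
            # Room left: learn it. With sticky, the entry is written as a static one.
            self.table[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forward"
        # Maximum reached and the source is unknown: a port-security violation.
        if self.violation == "protect":
            return "drop"          # protect drops silently, no counter, no syslog
        self.violations += 1       # restrict and shutdown count the violation
        if self.violation == "shutdown":
            self.err_disabled = True
        return "drop"

def lab_walkthrough():
    """Replay Step 1 and Step 2 of this lab against the model."""
    port = SecurePort("Fa0/1", violation="restrict", sticky=True)
    old_mac, new_mac = "000f.242e.bf80", "aaaa.aaaa.aaab"
    log = [port.ingress(old_mac), port.ingress(old_mac)]   # learned sticky, then allowed
    log.append(port.ingress(new_mac))   # R1 changed its MAC: violation, frame dropped
    port.clear()                        # do clear port-security all interface fa0/1
    port.add_static(new_mac)            # switchport port-security mac-address aaaa.aaaa.aaab
    log.append(port.ingress(new_mac))   # connectivity restored
    return log, dict(port.table), port.violations
```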

R1 con0 is now available



Press RETURN to get started.



R1#enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fa0/0
R1(config-if)#mac-address aaaa.aaaa.aaab
R1(config-if)#end
R1#

To resolve the communication issue between R1 and SW1 caused by the port-security violation after R1's MAC address changed, shut down Fa0/1 and clear the secure mac-address table on that interface with the clear port-security all interface Fa0/1 command, either in privileged mode or from configuration mode using the do prefix. Afterward, configure the new static MAC address with the switchport port-security mac-address aaaa.aaaa.aaab command and bring the interface back up.

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fa0/1
SW1(config-if)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state
to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed
state to down
SW1(config-if)#do clear port-security all interface fa0/1
SW1(config-if)#switchport port-security mac-address aaaa.aaaa.aaab
SW1(config-if)#no shut
SW1(config-if)#end
SW1#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed
state to up
SW1#
%SYS-5-CONFIG_I: Configured from console by console
SW1#

To verify that connectivity has been restored between R1 and SW1, ping SW1's Vlan1 interface from R1:

R1#ping 10.1.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R1#