Lab 16 (Port Security) Tesah Capers

School: Arizona State University
Course: 266
Subject: Computer Science
Date: Dec 6, 2023
Type: doc
Pages: 9

Tesah Capers
IFT 266 Introduction to Network Information Communication Technology
Lab 16 Port Security Configuration

After you complete each step, put a ‘√’ or ‘x’ in the completed box.

1. Set up the following topology in Packet Tracer.
   - It is recommended that you use a 2960 switch for this lab.
   - You can change the MAC address of the server and PCs by going to the particular Fast Ethernet interface on each device (Config tab) and overwriting what is currently listed.
   - To check your PC settings, run the ipconfig command to verify your connection details.
2. When we communicate through the switch, the switch dynamically collects the MAC address information and stores it in a MAC address table.
3. Let us look at the MAC address table on the server before you do any ping communication between the PCs and the server.
4. Click on the switch, go to the CLI tab and run the command show mac-address-table from enable mode. The MAC address table should be empty.
5. Now we will perform a ping from PC0 to the Server.
6. Now go back to the switch and re-run the show mac-address-table command. There are now some entries in the MAC address table. My switch learned dynamically that Fa0/1 is connected to the MAC address 0000.0111.1111 on the server and 0000.AAAA.AAAA on the PC's Fa0/2 port.

When that inappropriate device attempts to send frames to the switch interface, the switch can take different actions, ranging from simply issuing informational messages to effectively shutting down the interface.

Port security is used to cause the switch to discard some frames sent into and out of an interface. Port security has three basic features with which it determines which frames to filter:

1. Limit which specific MAC addresses can send and receive frames on a switch interface, discarding frames to/from other MAC addresses
2. Limit the number of MAC addresses using the interface, discarding frames to/from MAC addresses learned after the maximum limit is reached
3. A combination of the previous two points

Switches enable port security per port, with different settings available per port. Each port has a maximum number of allowed MAC addresses. For all frames entering that port, only that number of different source MAC addresses can be used in different incoming frames before port security thinks a violation has occurred. When a frame with a new source MAC address arrives, pushing the number of MAC addresses past the allowed maximum, a port security violation occurs. At that point, the switch takes action—by default, discarding all future incoming traffic on that port.

7. Sometimes you just want this specific PC0 to communicate through this port (Fa0/2) on the switch. You do not want an employee to connect their own laptop to the network. One way to protect the network against this type of problem is to tie a switch port to a particular MAC address, i.e. apply port security. You specify the port (fa0/2) to which we want to apply port security, then specify that the connection is mode access (switch to host connection), and then enable switchport port-security on the interface.
8. Now we will set the port security on the interface. I can set the maximum number of MAC addresses accepted by the port. We will set the maximum to 1 (only allow one MAC address through this interface).
9. Now I can either statically assign a MAC address or use the keyword ‘sticky’, which dynamically assigns the MAC address of the currently connected PC to the MAC address table for port security. Use sticky when the network is in a stable mode, because assigning a static MAC address for each device in a network is time consuming.
10. Nearly done with the configuration for port security. Let’s look at the violation mode. You have different violation modes, i.e. protect, restrict and shutdown. Shutdown is the default on Cisco devices. It puts the interface into error-disable mode (shutdown) when the number of secure MAC addresses exceeds its maximum. Restrict and protect (drop the packets when the number of secure MAC addresses exceeds the limit) are less used.
11. Do you understand the difference between the different violation modes, i.e. protect, restrict and shutdown? You may need to do some extra research on this point.
12. We will now show the port security status. The maximum secure MAC address count is 1 on Fa0/2; the current address count is zero, as is the security violation count.
13. Now use the show run command and see how it works. Look down and see that switchport mode is access, port security is turned on, and sticky is used as the port-security MAC address.
14. Do the same ping again, PC0 → Server, and see how port security works. After the ping, re-run the show run command; this time the switch has learned the sticky MAC address and assigned the PC's MAC address to our port.
15. Use the show port-security command; you can see the Current Address count has now increased to 1. The security action is shutdown by default.
16. Now we will disconnect the cable from PC0 and connect it to PC1, which has a different MAC address, i.e. 0000.BBBB.BBBB.
17. When I now ping from PC1, the switch will detect the new MAC address that is not set up on the interface and will shut down the port immediately, as shown.
18. Run the show ip int brief command, which will show the interface as ‘down’.
19. Run the show interfaces fa 0/2 command; you can see that the first line says ‘err-disabled’.
20. Run the show port-security command; the Security Violation count is now 1, i.e. a violation occurred and the interface is shut down.
21. Now bring back the interface: connect back to the original PC. The port does not come up automatically.
22. Go to the switch, go into CLI mode and then back into the interface fa 0/2. Issue the command ‘shutdown’ and then the command ‘no shut’, which together clear the err-disabled state and turn the interface back on.
23. Now run the command show ip int brief and see that the link has come back up.
24. Port security is basic and helpful, but a user can use MAC spoofing, i.e. change the other PC's MAC address.
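
The sequence from steps 7 to 23 written out as Cisco IOS commands, added here as an example rather than copied from the lab's screenshots. It assumes the lab's topology (PC0 on Fa0/2, a 2960 switch with the default Switch prompt); the errdisable recovery lines at the end go beyond the lab and are an option on physical Catalyst switches that Packet Tracer may not accept.

```cisco
! --- Steps 7-10: restrict Fa0/2 to a single learned MAC address ---
Switch> enable
Switch# configure terminal
Switch(config)# interface fastEthernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
! sticky: learn the MAC of the currently attached host and write it
! into the running config. Static alternative for PC0:
!   switchport port-security mac-address 0000.AAAA.AAAA
Switch(config-if)# switchport port-security mac-address sticky
! Violation modes:
!   protect  - drop offending frames, no log, counter not incremented
!   restrict - drop offending frames, log the event, increment counter
!   shutdown - err-disable the port, log, increment counter (default)
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end

! --- Steps 12-15: verify ---
Switch# show port-security interface fastEthernet 0/2
Switch# show port-security
Switch# show running-config

! --- Steps 18-20: after PC1 (0000.BBBB.BBBB) is plugged into Fa0/2 ---
Switch# show ip interface brief
Switch# show interfaces fastEthernet 0/2
Switch# show port-security interface fastEthernet 0/2

! --- Steps 21-23: reconnect PC0, then bounce the port ---
Switch# configure terminal
Switch(config)# interface fastEthernet 0/2
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# show ip interface brief

! --- Beyond the lab (assumption: physical Catalyst IOS) ---
! Re-enable ports err-disabled by port security after 300 seconds.
Switch# configure terminal
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
```

With restrict instead of shutdown, the port stays up and the violation shows only in the log and in the Security Violation counter, so that counter is the value to monitor.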