Network diagram

 

Lab instructions

This lab will test your ability to configure port security on CiscoTM 2960 switch interfaces.

1. Configure port security on interface Fa 0/1 of the switch with the following settings :

- Port security enabled

- Mode : restrict

- Allowed mac addresses : 3

- Dynamic mac address learning.

 

2. Configure port security on interface Fa 0/2 of the switch with the following settings :

- Port security enabled

- Mode : shutdown

- Allowed mac addresses : 3

- Dynamic mac address learning.

 

3. Configure port security on interface Fa 0/3 of the switch with the following settings :

- Port security enabled

- Mode : protect

- Static mac address entry : 00E0.A3CE.3236

 

4. From LAPTOP 1 :

Try to ping 192.168.1.2 and 192.168.1.3. It should work.

Try to ping 192.168.1.4 and 192.168.1.5. It should work.

 

5. Connect ROGUE laptop to the hub.

Try to ping 192.168.1.1. It should work.

Try to ping 192.168.1.4. It should fail.

  

Solution

Interface FastEthernet 0/1 configuration - Restrict mode

The port-security restrict mode drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.

Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.

interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky 
 switchport port-security violation restrict

When the rogue laptop is connected to the hub and tries to communicate with 192.168.1.4, the number of mac-addresses learned ont the fastethernet 0/1 interface exceeds 3. The interface drops traffic with the new mac-address (not learned by the switch because 3 mac addresses have already been registered on the fa0/1 interface) and increases the security viloation counter based on the 'restrict' port-security configuration of the interface.

Switch#show port-security 
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
               (Count)       (Count)        (Count)
--------------------------------------------------------------------
        Fa0/1        3          3                 5         Restrict
        Fa0/2        3          1                 0         Shutdown
        Fa0/3        1          1                 0          Protect
----------------------------------------------------------------------

Interface FastEthernet 0/2 configuration - Shutdown mode (default)

The port-security shutdown mode puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky 


Interface FastEthernet 0/3 configuration - Protect mode

The port-security protect mode silently drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses todrop below the maximum value. No counter is incremented

interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security violation protect