Cisco CCNA Port Security

Cisco CCNA Port Security. To watch our Cisco CCNA video trainings, please check out the link below: WWW.ASMED.COM/C1
ASM Educational Center Inc. (ASM), where training, technology & service converge. Phone: (301) 984-7400, Rockville, MD

Uploaded by: hamed-moghaddam

Posted on 07-Jan-2017


TRANSCRIPT



Page 3: Cisco CCNA Port Security


Here is what I have:

PC1 = 10.10.10.1
PC2 = 10.10.10.2
PC3 = 10.10.10.3, connected to port F0/3, which is located in the lobby
Hacker = 10.10.10.4

The goal: I want to protect port F0/3 in the lobby and make sure only PC3 (SALES3) is able to connect and do its work.

Hint: you will go to int f0/3 and start with switchport ?

Page 4: Cisco CCNA Port Security


Step 1) Make sure you enable port-security.

SW1(config)#
SW1(config)#int f0/3
SW1(config-if)#switchport ?
  access         Set access mode characteristics of the interface
  mode           Set trunking mode of the interface
  native         Set trunking native characteristics when interface is in trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority

Page 5: Cisco CCNA Port Security


  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes
SW1(config-if)#switchport port
SW1(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
SW1(config-if)#switchport port-security
Command rejected: FastEthernet0/3 is a dynamic port.
SW1(config-if)#sw

Page 6: Cisco CCNA Port Security

SW1(config-if)#switchport mo
SW1(config-if)#switchport mode acc
SW1(config-if)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
SW1(config-if)#switchport mode dy
SW1(config-if)#switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE
SW1(config-if)#switchport mode acc
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security

Page 7: Cisco CCNA Port Security

Hint: make sure that when you do the above, you have set the port mode to access.

Step 2) Define how many MAC addresses can be connected. The default = 1; if I write show run, it will not be seen, because it is the default value.

SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int f0/3
SW1(config-if)#sw
SW1(config-if)#switchport po
SW1(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
SW1(config-if)#switchport port-security max
SW1(config-if)#switchport port-security maximum ?
  <1-132>  Maximum addresses
SW1(config-if)#switchport port-security maximum 2

Page 8: Cisco CCNA Port Security


Step 3) Tell the switch the MAC address of the PC that is connected.

Hint: I can do it in two ways:

• Statically

• Dynamically, using the keyword sticky

Page 9: Cisco CCNA Port Security

SW1(config-if)#sw
SW1(config-if)#switchport po
SW1(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
SW1(config-if)#switchport port-security mac
SW1(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
SW1(config-if)#switchport port-security mac-address st
SW1(config-if)#switchport port-security mac-address sticky ?
  H.H.H  48 bit mac address
  <cr>
SW1(config-if)#switchport port-security mac-address sticky
SW1(config-if)#
SW1(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
SW1(config-if)#switchport port-security mac-address 2222.2222.2222

Page 10: Cisco CCNA Port Security

Step 4) Tell the switch what kind of action to take.

SW1(config-if)#
SW1(config-if)#sw
SW1(config-if)#switchport po
SW1(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
SW1(config-if)#switchport port-security viol
SW1(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
SW1(config-if)#switchport port-security violation shur
SW1(config-if)#switchport port-security violation shut
SW1(config-if)#switchport port-security violation shutdown

Page 11: Cisco CCNA Port Security


Hint: the default is shutdown; as we see in the show run, it will not show up.

interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address 2222.2222.2222
!

Page 12: Cisco CCNA Port Security

As we see, the default shutdown is not shown above. I go and I ping PC3:

PC>ping 10.10.10.3

Pinging 10.10.10.3 with 32 bytes of data:

Reply from 10.10.10.3: bytes=32 time=109ms TTL=128
Reply from 10.10.10.3: bytes=32 time=62ms TTL=128
Reply from 10.10.10.3: bytes=32 time=63ms TTL=128
Reply from 10.10.10.3: bytes=32 time=62ms TTL=128

Ping statistics for 10.10.10.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 62ms, Maximum = 109ms, Average = 74ms

PC>

Page 13: Cisco CCNA Port Security


Now let's look at show run:

interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address 2222.2222.2222
 switchport port-security mac-address sticky 00D0.D320.E74C

The last line was learned dynamically from PC3's frames during the ping and, because of the sticky keyword, written into the running configuration as a secure address.

Page 14: Cisco CCNA Port Security

Here is before any violations:

SW1#show port
SW1#show port-security int f0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00D0.D320.E74C:1
Security Violation Count   : 0

Page 15: Cisco CCNA Port Security

Now I will remove the cable from PC3, and the hacker will come and connect to port F0/3. The two secure slots (maximum 2) are already taken by the static 2222.2222.2222 and PC3's sticky MAC, so the hacker's MAC is a violation and the port goes to secure-shutdown:

SW1#show port-security int f0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00E0.A38B.4828:1
Security Violation Count   : 1

Page 16: Cisco CCNA Port Security


As we see, I have the port in secure-shutdown mode. Here is another show command:

SW1#show int f0/3
FastEthernet0/3 is down, line protocol is down (err-disabled)

Page 17: Cisco CCNA Port Security

Let's look at port 1, where I did not configure port security:

SW1#
SW1#show port-security int f0/1
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

As we see, in this case I did not enable port security, so the first line says Disabled.

How do you fix the err-disabled port F0/3? You, as administrator, must go to that port and give shut and no shut.
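A defender-side check over this output, added here as an example that is not part of the slides: it parses the show port-security interface fields from pages 14, 15 and 17 (the sample text is constructed from those slides) and flags err-disabled ports, nonzero violation counts and access ports with port security left disabled.

```python
import re

# Added example (not from the slides). SAMPLE is constructed from page 15
# (F0/3 after the violation) and page 17 (F0/1 with port security disabled).
SAMPLE = {
    "FastEthernet0/3": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Last Source Address:Vlan   : 00E0.A38B.4828:1
Security Violation Count   : 1
""",
    "FastEthernet0/1": """\
Port Security              : Disabled
Port Status                : Secure-down
Security Violation Count   : 0
""",
}

# Key and value are separated by spaces + ':'; the key itself may contain ':'
# ("Last Source Address:Vlan"), so whitespace is required before the separator.
LINE_RE = re.compile(r"^(.*?)\s+:\s+(.*?)\s*$")

def parse_port_security(text):
    """Map each 'Key : Value' line of one interface's output to a dict."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def assess(interface, fields):
    """Return (severity, message) findings for one interface."""
    if fields.get("Port Security") != "Enabled":
        # Like F0/1 on page 17: any MAC plugged into this port is accepted.
        return [("warn", f"{interface}: port security disabled")]
    findings = []
    last = fields.get("Last Source Address:Vlan", "unknown")
    if fields.get("Port Status", "").lower() == "secure-shutdown":
        findings.append(("alert", f"{interface}: err-disabled after violation by {last}"))
    if int(fields.get("Security Violation Count", "0")) > 0:
        findings.append(("alert", f"{interface}: violation count is {fields['Security Violation Count']}"))
    if fields.get("Violation Mode", "").lower() == "protect":
        # protect drops offending frames silently: no counter, no syslog or SNMP trap
        findings.append(("info", f"{interface}: protect mode produces no violation telemetry"))
    return findings

def audit(outputs):
    # Run parse + assess over a dict of interface name -> raw show output.
    return [f for name, text in outputs.items() for f in assess(name, parse_port_security(text))]
```

Feed it the output of show port-security interface for every access port and the alert entries tell you which ports need an administrator's shut / no shut and which MAC caused it.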
