{"id":129,"date":"2015-08-31T04:07:06","date_gmt":"2015-08-31T04:07:06","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=129"},"modified":"2015-09-06T20:15:50","modified_gmt":"2015-09-06T20:15:50","slug":"ccent-3-s01-e14-lans-configuring-switch-security-2","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=129","title":{"rendered":"CCENT 3 S01 E14 \u2013 LANS: Configuring Switch Security 2 (Port Security)"},"content":{"rendered":"<h3>Setting up Port Security<\/h3>\n<ul>\n<li>Port security is a way to lock down what devices can plug into your switch, or how many devices can plug in.<\/li>\n<li>This prevents users from putting switches on their own lines.<\/li>\n<li>It is possible to use a specific MAC address and if a new device is plugged in, it will shut down the switch port.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<div class=\"notice\">While it is generally not recommended to lock down ALL ports (since this can cause a lot of headaches), it is strongly recommended for &#8220;Public Ports&#8221;, such as publicly accessible wall jacks, because these do allow access into your network!<\/div>\n<p>&nbsp;<\/p>\n<pre>Sw1#<span style=\"color: #00ffff;\">show ip interface brief<\/span>\r\nInterface              IP-Address      OK? 
Method Status                Protocol\r\n \r\nFastEthernet0\/1        unassigned      YES manual up                    up\r\nFastEthernet0\/2        unassigned      YES manual down                  down\r\nFastEthernet0\/3        unassigned      YES manual down                  down\r\nFastEthernet0\/4        unassigned      YES manual down                  down\r\nFastEthernet0\/5        unassigned      YES manual down                  down\r\nFastEthernet0\/6        unassigned      YES manual down                  down\r\nFastEthernet0\/7        unassigned      YES manual down                  down\r\nFastEthernet0\/8        unassigned      YES manual down                  down\r\nFastEthernet0\/9        unassigned      YES manual down                  down\r\nFastEthernet0\/10       unassigned      YES manual down                  down\r\nFastEthernet0\/11       unassigned      YES manual down                  down\r\nFastEthernet0\/12       unassigned      YES manual down                  down\r\nFastEthernet0\/13       unassigned      YES manual down                  down\r\nFastEthernet0\/14       unassigned      YES manual down                  down\r\nFastEthernet0\/15       unassigned      YES manual down                  down\r\nFastEthernet0\/16       unassigned      YES manual down                  down\r\nFastEthernet0\/17       unassigned      YES manual down                  down\r\nFastEthernet0\/18       unassigned      YES manual down                  down\r\nFastEthernet0\/19       unassigned      YES manual down                  down\r\nFastEthernet0\/20       unassigned      YES manual down                  down\r\nFastEthernet0\/21       unassigned      YES manual down                  down\r\nFastEthernet0\/22       unassigned      YES manual down                  down\r\nFastEthernet0\/23       unassigned      YES manual down                  down\r\nFastEthernet0\/24       unassigned      YES manual down                  down\r\nVlan1       
           172.2.30.180    YES manual up                    up\r\n<\/pre>\n<h4>Terminal Monitor<\/h4>\n<p>Allows you to see all messages that come from the switch from a Telnet\/SSH session.<br \/>\n** You can see if a new device is connected in real time.<\/p>\n<pre>Sw1#terminal monitor<\/pre>\n<h4>Statically Set a MAC Address on a Switchport<\/h4>\n<h4>Configure Interface Mode for a Specific Switchport<\/h4>\n<pre>Sw1(config)#<span style=\"color: #00ffff;\">interface fastethernet 0\/1<\/span>\r\nSw1(config-if)#<span style=\"color: #00ffff;\">_<\/span><\/pre>\n<h4>Configure Interface Mode for a RANGE of Switchports<\/h4>\n<pre>Sw1(config)#<span style=\"color: #00ffff;\">interface range fastethernet 0\/1 - 24<\/span>\r\nSw1(config-if-range)#<span style=\"color: #00ffff;\">_<\/span><\/pre>\n<p>Set the Port as an Access Port and not a Trunk (Required before you can enable port security!!)<\/p>\n<pre>Sw1(config-if)#<span style=\"color: #00ffff;\">switchport mode access<\/span>\r\n<\/pre>\n<h4>Enable Port Security<\/h4>\n<pre>Sw1(config-if)#<span style=\"color: #00ffff;\">switchport port-security<\/span><\/pre>\n<h4>Set Maximum Allowed MAC Addresses to 1 (Default)<\/h4>\n<pre>Sw1(config-if)#<span style=\"color: #00ffff;\">switchport port-security maximum 1<\/span><\/pre>\n<h4>Violation Handling<\/h4>\n<ul>\n<li>Protect &#8211; Will ignore any secondary MAC addresses<\/li>\n<li>Restrict &#8211; (Recommended) Will ignore any secondary MAC addresses AND will log it<\/li>\n<li>Shutdown &#8211; Will shut down the port if a violation is detected. Will require a manual &#8220;no shutdown&#8221;<\/li>\n<\/ul>\n<pre>Sw1(config-if)#<span style=\"color: #00ffff;\">switchport port-security violation shutdown<\/span><\/pre>\n<h4>Define Which MAC Address Is Allowed<\/h4>\n<ul>\n<li>H.H.H: a 48-bit MAC address (type it in manually)<\/li>\n<li>sticky: Will automatically hardcode all MAC addresses currently plugged into the port.<\/li>\n<\/ul>\n<pre>Sw1(config-if)#<span 
style=\"color: #00ffff;\">switchport port-security mac-address sticky<\/span><\/pre>\n<h4>Check Your Results<\/h4>\n<pre>Sw1(config-if)#<span class=\"kbbtn\">Ctrl<\/span>+<span class=\"kbbtn\">Z<\/span>\r\nSw1#<span style=\"color: #00ffff;\">show port-security interface fastethernet 0\/1<\/span>\r\nPort Security              : Enabled\r\nPort Status                : Secure-up\r\nViolation Mode             : Shutdown\r\nAging Time                 : 0 mins\r\nAging Type                 : Absolute\r\nSecureStatic Address Aging : Disabled\r\nMaximum MAC Addresses      : 1\r\nTotal MAC Addresses        : 0\r\nConfigured MAC Addresses   : 0\r\nSticky MAC Addresses       : 0\r\nLast Source Address:Vlan   : 0000.0000.0000:0\r\nSecurity Violation Count   : 0\r\n<\/pre>\n<h3>How to know if there is a security violation<\/h3>\n<pre>Sw1#<span style=\"color: #00ffff;\">show port-security interface fastethernet 0\/1<\/span>\r\nPort Security              : Enabled\r\nPort Status                : <i><b>Secure shutdown<\/b><\/i>\r\nViolation Mode             : Shutdown\r\n...\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Setting up Port Security Port security is a way to lock down what devices can plug into your switch, or how many devices can plug in. This prevents users from putting switches on their own lines. 
It is possible to use a specific MAC address and if a new device is plugged in, it will ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=129\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,2,6,5],"tags":[],"class_list":["post-129","post","type-post","status-publish","format-standard","hentry","category-ccent","category-networking","category-security","category-switches"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=129"}],"version-history":[{"count":16,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/129\/revisions"}],"predecessor-version":[{"id":188,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/129\/revisions\/188"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}