{"id":2369,"date":"2019-08-14T23:04:25","date_gmt":"2019-08-14T23:04:25","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=2369"},"modified":"2020-07-30T01:08:01","modified_gmt":"2020-07-30T01:08:01","slug":"section-23-switch-security","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=2369","title":{"rendered":"Section 23: Switch Security"},"content":{"rendered":"<p><a href=\"http:\/\/wiki.thomasandsofia.com\/?p=2333\">&lt; Section 22<\/a> | <a href=\"\/course-introduction\/\">Home<\/a> | <a href=\"\/section-24-acls-access-control-lists\/\">Section 24 &gt;<\/a><\/p>\n<h1><span style=\"color: #ff0000;\">ICND1 Exam Topic!<\/span><\/h1>\n<p>Know this section for the exam!<\/p>\n<p>&nbsp;<\/p>\n<h1>Resources:<\/h1>\n<p><a href=\"http:\/\/www.firewall.cx\/cisco-technical-knowledgebase\/cisco-switches\/1215-understanding-dhcp-snooping-concepts-and-how-it-works.html\" target=\"_blank\" rel=\"noopener\">http:\/\/www.firewall.cx\/cisco-technical-knowledgebase\/cisco-switches\/1215-understanding-dhcp-snooping-concepts-and-how-it-works.html<\/a><\/p>\n<h1>144. Introduction<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/cisco-icnd1\/learn\/lecture\/8676906#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/cisco-icnd1\/learn\/lecture\/8676906#content<\/a><\/p>\n<p>Access Layer Switch Security Mechanisms<\/p>\n<h1>145. 
DHCP Snooping<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8676916#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8676916#content<\/a><\/p>\n<h2>Access Layer Switch Security Mechanisms<\/h2>\n<ul>\n<li>DHCP Snooping<\/li>\n<li>DAI Dynamic ARP Inspection<\/li>\n<li>802.1X Identity Based Networking<\/li>\n<li>Port Security &#8211; MOST IMPORTANT<\/li>\n<\/ul>\n<h2>Rogue DHCP Server<\/h2>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-26.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2374\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-26.png\" alt=\"\" width=\"806\" height=\"323\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-26.png 806w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-26-300x120.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-26-768x308.png 768w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-26-150x60.png 150w\" sizes=\"auto, (max-width: 806px) 100vw, 806px\" \/><\/a><\/p>\n<ul>\n<li>The rogue server would catch the DHCP request before it reaches the external one and will assign itself as the router to receive all traffic from the hijacked PCs.\n<ul>\n<li>This would knock the PCs off the primary network.<\/li>\n<\/ul>\n<\/li>\n<li>Odds are this was not a malicious attack, but someone connecting a server that had a DHCP server running on it.<\/li>\n<\/ul>\n<h2>DHCP Snooping<\/h2>\n<ul>\n<li>When DHCP Snooping is enabled, DHCP server responses are dropped if they don&#8217;t arrive on a trusted port<\/li>\n<li><span style=\"color: #ff0000;\">I had difficulty configuring this on my lab. 
It appears trust only works on trunk interfaces and not on access.\u00a0 Additionally, once DHCP was blocked by disabling the trust on the trunk, re-enabling it would sometimes still not allow that traffic through.<\/span><\/li>\n<li><span style=\"color: #ff0000;\"><strong>I FINALLY GOT THIS TO WORK!!!<\/strong>\u00a0 For my switches, I had to use one final global command: no ip dhcp snooping information option<\/span><\/li>\n<\/ul>\n<pre>SW1(config)#ip dhcp snooping\r\nSW1(config)#ip dhcp snooping vlan 10\r\n! Add the following command to disable Option 82 insertion, which prevents this from working!\r\nSW1(config)#no ip dhcp snooping information option\r\nSW1(config)#int f0\/1\r\nSW1(config-if)#ip dhcp snooping trust<\/pre>\n<h1>146. DAI Dynamic ARP Inspection<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8676920#questions\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8676920#questions<\/a><\/p>\n<h2>ARP Address Resolution Protocol<\/h2>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-27.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2388\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-27.png\" alt=\"\" width=\"542\" height=\"261\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-27.png 542w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-27-300x144.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-27-150x72.png 150w\" sizes=\"auto, (max-width: 542px) 100vw, 542px\" \/><\/a><\/p>\n<ul>\n<li>PC1 wants to send a request to its Default Gateway at 10.10.10.1<\/li>\n<li>PC1 sends a broadcast ARP request.\n<ul>\n<li>This is seen by PC2 and R1<\/li>\n<\/ul>\n<\/li>\n<li>R1 sees the request is for its IP:\n<ul>\n<li>R1 caches PC1&#8217;s MAC<\/li>\n<li>R1 replies with its MAC 
address<\/li>\n<\/ul>\n<\/li>\n<li>PC1 receives the reply\n<ul>\n<li>PC1 caches R1&#8217;s MAC<\/li>\n<li>PC1 sends its packet.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Man in the Middle ARP Spoofing<\/h2>\n<ul>\n<li>This is almost always malicious!<\/li>\n<li>Can be used for packet sniffing\/manipulation<\/li>\n<li>Can be used for denial of service: Drops the packet after it is received.<\/li>\n<\/ul>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-28.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2389\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-28.png\" alt=\"\" width=\"594\" height=\"310\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-28.png 594w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-28-300x157.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-28-150x78.png 150w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/a><\/p>\n<ul>\n<li>Attacker sends unrequested ARP reply with R1&#8217;s IP and Attacker&#8217;s MAC\n<ul>\n<li>All traffic from PC1 to R1 will flow through the Attacker.<\/li>\n<\/ul>\n<\/li>\n<li>Attacker sends unrequested ARP reply with PC1&#8217;s IP and Attacker&#8217;s MAC\n<ul>\n<li>All traffic from R1 to PC1 will flow through the Attacker.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Dynamic ARP Inspection DAI<\/h2>\n<ul>\n<li>When you enable DHCP snooping, the switch inspects the DHCP traffic and keeps track of which IP addresses were assigned to which MAC addresses\n<ul>\n<li>Example: PC1 with MAC 1.1.1 was assigned 10.10.10.10<\/li>\n<li>If invalid ARP traffic tries to pass through the switch, for example, 3.3.3 says it is 10.10.10.10, the switch will drop the traffic.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>DAI Configuration<\/h2>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-29.png\"><img loading=\"lazy\" decoding=\"async\" 
class=\"alignnone size-full wp-image-2390\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-29.png\" alt=\"\" width=\"1007\" height=\"303\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-29.png 1007w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-29-300x90.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-29-768x231.png 768w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-29-150x45.png 150w\" sizes=\"auto, (max-width: 1007px) 100vw, 1007px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>Enable IP DHCP Snooping Trust on all non-DHCP clients\n<ul>\n<li>Servers, switches, routers, anything with a static IP.<\/li>\n<\/ul>\n<\/li>\n<li>Do not set any ports that require DHCP as trusted<\/li>\n<\/ul>\n<pre>SW1(config)#interface FastEthernet 0\/1\r\nSW1(config-if)#ip arp inspection trust\r\nSW1(config-if)#exit\r\nSW1(config)#ip arp inspection vlan 10<\/pre>\n<h1><\/h1>\n<h1>147. 
802.1X Identity Based Networking<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8676940#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8676940#content<\/a><\/p>\n<ul>\n<li>When 802.1X is enabled, only authentication traffic is allowed on the switch ports until the host and user are authenticated.<\/li>\n<li>When the user has entered a valid username and password, the switch port transitions to a normal access port in the relevant VLAN<\/li>\n<\/ul>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-30.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2391\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-30.png\" alt=\"\" width=\"574\" height=\"372\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-30.png 574w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-30-300x194.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-30-150x97.png 150w\" sizes=\"auto, (max-width: 574px) 100vw, 574px\" \/><\/a><\/p>\n<ul>\n<li>The PC (Supplicant) must have 802.1X authentication enabled in its Operating System.<\/li>\n<li>The PC will only have access to the Authentication Server until it has been authenticated.\n<ul>\n<li>The authentication server is connected to (or might be?) an Active Directory server.<\/li>\n<\/ul>\n<\/li>\n<li>Once authenticated, the switch will grant access to the other ports on its relevant VLAN.<\/li>\n<\/ul>\n<h1><\/h1>\n<h1>148. 
Preventing Unauthorized Devices with Port Security<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/cisco-icnd1\/learn\/lecture\/8676960#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/cisco-icnd1\/learn\/lecture\/8676960#content<\/a><\/p>\n<h2>Shut Down Unused Interfaces<\/h2>\n<ul>\n<li>Best practice is to administratively shut down unused switch ports<\/li>\n<li>This stops somebody from getting access to the network if they physically connect to the port.<\/li>\n<\/ul>\n<pre>SW1(config)#int f0\/1\r\nSW1(config-if)#shutdown<\/pre>\n<h2>Port Security<\/h2>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-31.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2392\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-31.png\" alt=\"\" width=\"398\" height=\"164\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-31.png 398w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-31-300x124.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-31-150x62.png 150w\" sizes=\"auto, (max-width: 398px) 100vw, 398px\" \/><\/a><\/p>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-32.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2393\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-32.png\" alt=\"\" width=\"386\" height=\"186\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-32.png 386w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-32-300x145.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-32-150x72.png 150w\" sizes=\"auto, (max-width: 386px) 100vw, 386px\" \/><\/a><\/p>\n<ul>\n<li>Port Security enables an administrator to specify which MAC address or addresses can send traffic in to an individual switch port.<\/li>\n<li>This 
can be used to lock a port down to a particular host or hosts.<\/li>\n<li>Unfortunately, it is easy to spoof a MAC address, so locking ports down to a specific host is not usually Port Security&#8217;s main role in production networks.<\/li>\n<li>Port Security can also configure individual switch ports to allow only a specific number of source MAC addresses to send traffic in to the port\n<ul>\n<li>This prevents users from adding Wireless Access Points or other shared devices.<\/li>\n<li>If you allow only a single MAC, you would not be able to connect a switch to that port.<\/li>\n<\/ul>\n<\/li>\n<li>It can learn connected MAC addresses.<\/li>\n<\/ul>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-33.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2394\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-33.png\" alt=\"\" width=\"402\" height=\"161\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-33.png 402w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-33-300x120.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-33-150x60.png 150w\" sizes=\"auto, (max-width: 402px) 100vw, 402px\" \/><\/a><\/p>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-35.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2396\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-35.png\" alt=\"\" width=\"515\" height=\"314\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-35.png 515w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-35-300x183.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/a1-35-150x91.png 150w\" sizes=\"auto, (max-width: 515px) 100vw, 515px\" \/><\/a><\/p>\n<h2>Port Security Configuration<\/h2>\n<ul>\n<li>Configured at the Interface 
level<\/li>\n<\/ul>\n<pre>SW1(config)#int f0\/2\r\nSW1(config-if)#switchport port-security<\/pre>\n<h2>Port Security Default Behavior<\/h2>\n<ul>\n<li>If you configure Port Security with no additional parameters then only one MAC address is allowed to transmit on the port.<\/li>\n<li>The current MAC address can be disconnected and replaced.\u00a0 The port is NOT locked down to a particular MAC address.<\/li>\n<li>If a shared device is connected and multiple hosts try to transmit, the port will be shut down.<\/li>\n<\/ul>\n<h2>Port Security Verification &#8211; Defaults<\/h2>\n<pre>SW1#show port-security interface f0\/2\r\nPort Security              : Enabled                                            \r\nPort Status                : Secure-up                                          \r\nViolation Mode             : Shutdown                                           \r\nAging Time                 : 0 mins                                             \r\nAging Type                 : Absolute                                           \r\nSecureStatic Address Aging : Disabled                                           \r\nMaximum MAC Addresses      : 1                                                  \r\nTotal MAC Addresses        : 1                                                  \r\nConfigured MAC Addresses   : 0                                                  \r\nSticky MAC Addresses       : 0                                                  \r\nLast Source Address        : b827.eb62.35b2                                     \r\nSecurity Violation Count   : 0<\/pre>\n<h2>Security Violation Actions<\/h2>\n<ul>\n<li>There are 3 options when an unauthorized MAC address tries to send traffic in to a protected port:<\/li>\n<li>Shutdown (Default): The interface is placed into the error-disabled state, blocking all traffic.<\/li>\n<li>Protect: Traffic from unauthorized addresses is dropped.\u00a0 Traffic from allowed addresses is forwarded.<\/li>\n<li>Restrict: Traffic 
from unauthorized addresses is dropped, logged and the violation counter incremented.\u00a0 Traffic from allowed addresses is forwarded.<\/li>\n<\/ul>\n<p>Violation Action Configuration<\/p>\n<pre>SW1(config)#int f0\/1\r\nSW1(config-if)#switchport port-security violation protect\r\nSW1(config-if)#switchport port-security violation ?\r\n  protect   Security violation protect mode\r\n  restrict  Security violation restrict mode\r\n  shutdown  Security violation shutdown mode\r\nSW1(config-if)#switchport port-security violation shutdown<\/pre>\n<h2>Error-Disabled Interfaces<\/h2>\n<ul>\n<li>If the Violation Action is set to Shutdown and a violation occurs, the port will move to an error-disabled state.<\/li>\n<li>To bring an error-disabled interface back into service:\n<ul>\n<li>Remove the host with the offending MAC address<\/li>\n<li>Manually &#8216;shutdown&#8217;, then &#8216;no shutdown&#8217; the interface.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Error-Disabled Auto Recovery<\/h3>\n<p>Notice these are executed at the Global Configuration level and NOT on the interface!<\/p>\n<pre>SW1(config)#errdisable recovery cause psecure-violation\r\nSW1(config)#errdisable recovery interval 600<\/pre>\n<h1>149. 
Preventing Unauthorized Devices with Port Security Lab Demo<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/cisco-icnd1\/learn\/lecture\/8676970#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/cisco-icnd1\/learn\/lecture\/8676970#content<\/a><\/p>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/Port-Security-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2413\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/Port-Security-2.png\" alt=\"\" width=\"463\" height=\"466\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/Port-Security-2.png 463w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/Port-Security-2-150x150.png 150w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/Port-Security-2-298x300.png 298w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/Port-Security-2-300x302.png 300w\" sizes=\"auto, (max-width: 463px) 100vw, 463px\" \/><\/a><\/p>\n<h2>A: Port Security Enabled<\/h2>\n<pre>SW1(config)#int range f0\/1 - 3\r\nSW1(config-if-range)#switchport mode access\r\nSW1(config-if-range)#switchport port-security<\/pre>\n<p>Verify PCs can talk<\/p>\n<pre>Pi2b $ ping 10.10.10.10\r\nPING! PING! PING!<\/pre>\n<pre>Pi3b $ ping 10.10.10.20\r\nPING! PING! PING!<\/pre>\n<p>Verify SW1 Ports up<\/p>\n<pre>SW1#show ip int brief\r\nFastEthernet0\/1            unassigned      YES unset  up                    up      \r\nFastEthernet0\/2            unassigned      YES unset  down                  down    \r\nFastEthernet0\/3            unassigned      YES unset  up                    up<\/pre>\n<h2>B: FastEthernet 0\/3 replaced with switch connecting to both Pi2B and PC3<\/h2>\n<p>Verify PCs can no longer talk<\/p>\n<pre>Pi3b $ ping 10.10.10.20\r\nDestination host unreachable<\/pre>\n<p>Verify Pi2B can reach PC3<\/p>\n<pre>Pi2b $ ping 10.10.10.30\r\nPING! PING! 
PING!<\/pre>\n<p>Verify Port F0\/3 now shut down<\/p>\n<pre>SW1#show ip int brief\r\nFastEthernet0\/1            unassigned      YES unset  up                    up      \r\nFastEthernet0\/2            unassigned      YES unset  down                  down    \r\nFastEthernet0\/3            unassigned      YES unset  down                  down<\/pre>\n<h2>C: Remove Pi2b and Re-enable SW1-F0\/3 to show new PC3 MAC can replace Pi2B&#8217;s MAC<\/h2>\n<p>Re-enable Sw1 F0\/3<\/p>\n<pre>SW1(config)#int f0\/3\r\nSW1(config-if)#shutdown\r\nSW1(config-if)#no shutdown<\/pre>\n<p>Verify Pi3b can talk to PC3<\/p>\n<pre>Pi3b $ ping 10.10.10.30\r\nPING! PING! PING!<\/pre>\n<h1>150. Locking Ports to Hosts with Port Security<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/cisco-icnd1\/learn\/lecture\/8676988#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/cisco-icnd1\/learn\/lecture\/8676988#content<\/a><\/p>\n<h2>Maximum MAC Addresses<\/h2>\n<ul>\n<li>When Port Security is enabled the maximum number of MAC addresses allowed to send traffic into the interface is 1 by default<\/li>\n<li>This can be increased if multiple hosts share the port, for example, an IP phone with a PC plugged into the back of it.<\/li>\n<\/ul>\n<pre>SW1(config)#int f0\/1\r\nSW1(config-if)#switchport port-security maximum 2<\/pre>\n<h2>Manually adding MAC Addresses<\/h2>\n<ul>\n<li>You can statically configure allowed MAC addresses if you want to lock the port down to a particular host<\/li>\n<\/ul>\n<pre>SW1(config)#int f0\/1\r\nSW1(config-if)#switchport port-security\r\nSW1(config-if)#switchport port-security mac-address 1111.2222.3333\r\nSW1(config-if)#switchport port-security maximum 1<\/pre>\n<h2>MAC Address Learning<\/h2>\n<ul>\n<li>Scenario: You have 1000 authorized hosts connected to the network. 
You want to lock the ports down to these particular hosts.<\/li>\n<li>Manually adding hosts is not a scalable solution<\/li>\n<li>Sticky MAC addresses add the learned MAC address to the running configuration.\u00a0 Save to the startup config to make them permanent.<\/li>\n<\/ul>\n<pre>SW1(config)#int f0\/1\r\nSW1(config-if)#switchport port-security\r\nSW1(config-if)#switchport port-security mac-address sticky<\/pre>\n<p>&nbsp;<\/p>\n<h1>151. Locking Ports to Hosts with Port Security Lab Demo<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8676990#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8676990#content<\/a><\/p>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/port-security-lab.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3095\" src=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/port-security-lab.png\" alt=\"\" width=\"597\" height=\"441\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/port-security-lab.png 597w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/port-security-lab-300x222.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/port-security-lab-150x111.png 150w\" sizes=\"auto, (max-width: 597px) 100vw, 597px\" \/><\/a><\/p>\n<h2>1. Lock down f0\/1<\/h2>\n<p>Will use a statically configured MAC address<\/p>\n<p><strong>SW1<\/strong><\/p>\n<pre>configure terminal\r\nint f0\/1\r\nswitchport mode access\r\nswitchport port-security\r\nswitchport port-security mac-address 0000.1111.1111\r\n! Following command is optional. 1 is the default\r\nswitchport port-security maximum 1<\/pre>\n<p>&nbsp;<\/p>\n<h2>2. Lock down f0\/2<\/h2>\n<p>Use sticky<\/p>\n<p><strong>SW1<\/strong><\/p>\n<pre>int f0\/2\r\nswitchport mode access\r\nswitchport port-security\r\nswitchport port-security mac-address sticky\r\n! 
Put some traffic on the port to add the address\r\nend<\/pre>\n<p><strong>PC2<\/strong><\/p>\n<pre>ping 10.10.10.10\r\nping! ping! ping!<\/pre>\n<p>&nbsp;<\/p>\n<h1>152. Port Security Configuration &#8211; Lab Exercises<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8677000#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8677000#content<\/a><\/p>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/28-1-Port-Security-Configuration.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3098\" src=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/28-1-Port-Security-Configuration.png\" alt=\"\" width=\"556\" height=\"299\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/28-1-Port-Security-Configuration.png 556w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/28-1-Port-Security-Configuration-300x161.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2019\/08\/28-1-Port-Security-Configuration-150x81.png 150w\" sizes=\"auto, (max-width: 556px) 100vw, 556px\" \/><\/a><\/p>\n<p><strong>1) Disable all unused ports on SW1. This prevents unauthorized hosts plugging in to them to gain access to the network.<\/strong><\/p>\n<pre>conf t\r\nint range f0\/3 - 24\r\nshut\r\nint range g0\/1 - 2\r\nshut<\/pre>\n<p>&nbsp;<\/p>\n<p>2) Configure port security on interface FastEthernet 0\/1. 
Allow a maximum of two MAC addresses and manually add PC1\u2019s MAC address to the configuration.<\/p>\n<pre>int f0\/1\r\nswitchport mode access\r\nswitchport port-security\r\nswitchport port-security maximum 2\r\nswitchport port-security mac-address 0000.1111.1111<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>3) Enable Port Security on interface FastEthernet 0\/2 with the default <\/strong><strong>settings.<\/strong><\/p>\n<pre>int f0\/2\r\nswitchport mode access\r\nswitchport port-security<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>4) Use a \u2018show port-security\u2019 command to verify the MAC address on PC2.<\/strong><\/p>\n<pre>end\r\nshow port-security int f0\/2\r\n...\r\nLast Source Address: Vlan : 0000.0000.0000:0\r\n! Did not.  Need to see some traffic.\r\nPC2&gt; ping 10.10.10.10\r\nping! ping! ping!\r\n! Try again\r\nshow port-security int f0\/2\r\n...\r\nLast Source Address: Vlan : 0000.2222.2222:1<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>5) Verify the full Port Security configuration on both interfaces.<\/strong><\/p>\n<pre>SW1#show port-security interface f0\/1\r\nPort Security              : Enabled\r\nPort Status                : Secure-up\r\nViolation Mode             : Shutdown\r\nAging Time                 : 0 mins\r\nAging Type                 : Absolute\r\nSecureStatic Address Aging : Disabled\r\nMaximum MAC Addresses      : 2\r\nTotal MAC Addresses        : 1\r\nConfigured MAC Addresses   : 0\r\nSticky MAC Addresses       : 0\r\nLast Source Address:Vlan   : 0000.1111.1111:1\r\nSecurity Violation Count   : 0\r\n\r\nSW1#show port-security interface f0\/2\r\nPort Security              : Enabled\r\nPort Status                : Secure-up\r\nViolation Mode             : Shutdown\r\nAging Time                 : 0 mins\r\nAging Type                 : Absolute\r\nSecureStatic Address Aging : Disabled\r\nMaximum MAC Addresses      : 1\r\nTotal MAC Addresses        : 1\r\nConfigured MAC Addresses   : 0\r\nSticky MAC Addresses       : 0\r\nLast Source Address:Vlan   : 
0000.2222.2222:1\r\nSecurity Violation Count   : 0<\/pre>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&lt; Section 22 | Home | Section 24 &gt; 71% Complete ICND1 Exam Topic! Know this section for the exam! &nbsp; Resources: http:\/\/www.firewall.cx\/cisco-technical-knowledgebase\/cisco-switches\/1215-understanding-dhcp-snooping-concepts-and-how-it-works.html 144. Introduction https:\/\/www.udemy.com\/cisco-icnd1\/learn\/lecture\/8676906#content Access Layer Switch Security Mechanisms 145. DHCP Snooping https:\/\/www.udemy.com\/course\/cisco-icnd1\/learn\/lecture\/8676916#content Access Layer Switch Security Mechanisms DHCP Snooping DAI Dynamic ARP Inspection 802.1X Identity Based Networking Port Security &#8211; MOST IMPORTANT ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=2369\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45],"tags":[],"class_list":["post-2369","post","type-post","status-publish","format-standard","hentry","category-icnd1-ccent"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2369"}],"version-history":[{"count":20,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2369\/revisions"}],"predecessor-version":[{"id":3102,"href":"ht
tps:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2369\/revisions\/3102"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}