Chapter 1: Lab 1.4.6B Implementing Port Security

Task 1: Configure and Test the Switch Connectivity

Step 1: Prepare the switch for configuration

NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so these can be restored at the conclusion of the lab.

  1. Referring to the topology diagram, connect the console (or rollover) cable to the console port on the switch and the other end, through a DB-9 or DB-25 adapter, to the COM 1 port of the host computer. Ensure that power has been applied to both the host computer and the switch.
  2. Establish a console terminal session from PC1 to switch S1.
  3. Prepare the switch for lab configuration by ensuring that all existing VLAN and general configurations are removed.
  4. Power cycle the switch and exit the initial configuration setup when the switch restarts.

Step 2: Configure the switch

Configure the hostname and VLAN 1 interface IP address as shown in the table.

Step 3: Configure the hosts attached to the switch

  1. Configure the two PCs to use the same IP subnet for the address and mask as shown in the table.
  2. Connect PC1 to switch port Fa0/1 and PC2 to switch port Fa0/4. The Linksys device is not connected at this stage of the lab.

Step 4: Verify host connectivity

Ping between all PCs and the switch to verify correct configuration. If any ping was not successful, troubleshoot the hosts and switch configurations.

Step 5: Record the host MAC addresses

Determine and record the Layer 2 addresses of the PC network interface cards.

(For Windows 2000, XP, or Vista, check by using Start > Run > cmd > ipconfig /all.)

PC1 MAC Address: _______________________________ e.g., 00-07-EC-93-3C-D1

PC2 MAC Address: _______________________________ e.g., 00-01-C7-E4-ED-E6

Step 6: Determine what MAC addresses the switch has learned

  1. At the privileged EXEC mode prompt, issue the show mac-address-table command to display the PC MAC addresses that the switch has learned. (Newer IOS releases accept the same command spelled show mac address-table.)

FC-ASW-1#show mac-address-table

Record the details displayed in the table.

____________________________________________________________________________

____________________________________________________________________________

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0007.ec93.3cd1    DYNAMIC     Fa0/1
   1    0001.c7e4.ede6    DYNAMIC     Fa0/4

NOTE: The MAC addresses above are examples only. With the example addresses from Step 5, PC1 (0007.ec93.3cd1) is learned on Fa0/1 and PC2 (0001.c7e4.ede6) on Fa0/4, matching the cabling in Step 3.

  2. Note the MAC addresses shown and the associated switch ports. Confirm that these addresses

 

Task 2: Configure and Test the Switch for Dynamic Port Security

Step 1: Set port security options

  1. Disconnect all PC Ethernet cables from the switch ports.
  2. Ensure that the MAC address table is clear of entries. To confirm this, issue the clear mac-address-table dynamic and show mac-address-table commands.

a. Clear the MAC address table entries.

FC-ASW-1#clear mac-address-table dynamic

b. Issue the show mac-address-table command.

Record the table entries. With no hosts connected, only the table header is displayed:

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

  3. Determine the options for setting port security on interface FastEthernet 0/4. From the global configuration mode, enter interface fastethernet 0/4.

FC-ASW-1(config)#interface fa 0/4

Enabling switch port security provides options, such as specifying what happens when a security setting is violated.

  4. To configure switch port FastEthernet 0/4 to accept only the first device connected to the port, issue the following commands from interface configuration mode. Port security can only be enabled on a port that is statically set to access mode, and the default maximum of one secure address is what limits the port to a single device:

FC-ASW-1(config-if)#switchport mode access

FC-ASW-1(config-if)#switchport port-security

  5. In the event of a security violation, the interface should be shut down. Set the port security violation action to shutdown, and enable sticky learning so that the first MAC address learned on the port is recorded in the running configuration as a secure address:

FC-ASW-1(config-if)#switchport port-security violation shutdown

FC-ASW-1(config-if)#switchport port-security mac-address sticky

What other action options are available with port security? Answer: protect and restrict. With protect, frames from an unknown source address are silently dropped once the maximum number of secure addresses has been reached. With restrict, such frames are dropped and, in addition, the security violation counter is incremented and a syslog message and SNMP trap are generated. With shutdown (the default), the port is placed in the error-disabled state and must be re-enabled by an administrator.

  6. Exit the configuration mode. Note that sticky-learned addresses are written only to the running configuration; they survive a reload only if the configuration is saved with copy running-config startup-config.

Step 2: Verify the configuration

  1. Display the running configuration.

What statements in the configuration directly reflect the security implementation? Answer: under interface FastEthernet0/4, the lines switchport mode access, switchport port-security and switchport port-security mac-address sticky. The line switchport port-security violation shutdown does not appear, because shutdown is the default violation mode and IOS omits default values from the running configuration.

  2. Show the port security settings.

FC-ASW-1#show port-security interface fastethernet 0/4

Record the details displayed in the table.

 

Port Security : Enabled

Port Status : Secure-down

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 0

Configured MAC Addresses : 0

Sticky MAC Addresses : 0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0
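The table above is what an administrator reads by hand for one port. As an added example (not part of the lab and not Cisco code), the following Python parses the show port-security interface output into a dictionary and runs the checks a practitioner would want across many ports: port security enabled, the expected violation mode and maximum, and whether the port has already tripped. The first sample is constructed to match the output recorded above; the second sample, showing a port after a violation, and the offending MAC address 0013.1050.c5e8 in it are assumed values.

```python
# Constructed sample: the display recorded in Task 2 Step 2 (no host connected yet).
SAMPLE_BEFORE_TEST = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Constructed sample: the same port after an unknown device has tripped it
# (the offending MAC 0013.1050.c5e8 is an assumed value, not from the lab).
SAMPLE_AFTER_VIOLATION = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0013.1050.c5e8:1
Security Violation Count   : 1
"""


def parse_port_security(text):
    """Turn 'show port-security interface' output into a dict.

    Lines are split on the first ' : ' so that the key 'Last Source
    Address:Vlan' (which itself contains a colon) survives intact. Counters
    become ints; the last source address becomes a (mac, vlan) tuple."""
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(" : ")
        if not sep:
            continue                          # blank or unexpected line
        key, value = key.strip(), value.strip()
        if key == "Aging Time":
            value = int(value.split()[0])     # "0 mins" -> 0
        elif key == "Last Source Address:Vlan":
            mac, _, vlan = value.rpartition(":")
            value = (mac, int(vlan))
        elif value.isdigit():
            value = int(value)
        fields[key] = value
    return fields


def audit_port(fields, expected_max=1, expected_mode="Shutdown"):
    """Return a list of findings for one port; an empty list means the port
    matches the lab's intended state and has not seen a violation."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    mode = fields.get("Violation Mode")
    if mode != expected_mode:
        findings.append(f"violation mode is {mode}, expected {expected_mode}")
    if fields.get("Maximum MAC Addresses", 0) > expected_max:
        findings.append(f"maximum {fields['Maximum MAC Addresses']} exceeds {expected_max}")
    count = fields.get("Security Violation Count", 0)
    if count > 0:
        mac, vlan = fields["Last Source Address:Vlan"]
        findings.append(f"{count} violation(s); last offending source {mac} on VLAN {vlan}")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled; remove the offending device, then shutdown / no shutdown")
    return findings


if __name__ == "__main__":
    for label, text in (("Fa0/4 before test", SAMPLE_BEFORE_TEST),
                        ("Fa0/4 after violation", SAMPLE_AFTER_VIOLATION)):
        print(label, "->", audit_port(parse_port_security(text)) or ["OK"])
```

Running it prints OK for the first sample and two findings for the second (the violation with the offending address, and the err-disabled state). Splitting on the first " : " rather than on every colon is the one detail worth remembering when scripting against this output.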

Step 3: Verify the port security

  1. Connect PC1 to switch port Fa0/1 and PC2 to switch port Fa0/4.
  2. From the command prompt ping from PC1 to PC2.
  3. From the command prompt ping from PC2 to PC1.
  4. From the console terminal session, issue the show mac-address-table command.
  5. Show the port security settings.

FC-ASW-1#show port-security interface fastethernet 0/4

Record the details displayed in the table.

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 1

Last Source Address:Vlan : 0001.c7e4.ede6:1

Security Violation Count : 0

NOTE: Once PC2 has sent traffic on Fa0/4, the port status changes from Secure-down to Secure-up, the total and sticky address counts become 1, and the last source address is PC2's MAC address (example value shown). The violation count remains 0 because PC2 is the first and only device seen on the port.

Step 4: Test the port security

  1. Disconnect PC2 from Fa0/4.
  2. Connect PC2 to one of the LAN switch ports on the Linksys device.
  3. Use the Basic Setup tab to configure the Internet IP address on the Linksys device to the address and mask shown in the table.
  4. Connect the Linksys Internet port to switch port Fa0/4 and generate traffic from PC2 (for example, ping PC1). Frames arriving on Fa0/4 now carry the MAC address of the Linksys Internet port rather than PC2's sticky-learned address, so the switch records a security violation and, because the violation mode is shutdown, places the port in the error-disabled state. Confirm this with show port-security interface fastethernet 0/4: Port Status shows Secure-shutdown and Security Violation Count shows 1.
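To make the behaviour just tested concrete, and to show what would have happened had the violation mode in Task 2 Step 1 been set to protect or restrict instead, here is an added Python model of one port-security-enabled access port. It is not IOS code; it reproduces the rules the lab configures (one secure address, sticky learning, the three violation modes) and replays the scenario above: PC2 attaches first, then a device with a different MAC address appears on the same port. PC2's address is the lab's example value; the Linksys Internet port address 0013.1050.c5e8 is assumed.

```python
from dataclasses import dataclass, field

# Violation modes as named in IOS. Model only; this is not Cisco code.
PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # IOS default: one secure address per port
    violation: str = SHUTDOWN        # IOS default violation mode
    sticky: bool = False
    secure_macs: list = field(default_factory=list)      # learned secure addresses
    running_config: list = field(default_factory=list)   # sticky lines as 'show run' shows them
    violation_count: int = 0
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Handle one frame with source address src_mac.
        Returns 'forward', 'drop' or 'err-disable' (what the switch did)."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                        # port stays down until an operator re-enables it
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)     # dynamically learned secure address
            if self.sticky:                      # sticky: also written to the running config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Secure address table is full and this source is not in it: a violation.
        if self.violation == PROTECT:
            return "drop"                        # silent drop: no counter, no log
        self.violation_count += 1                # restrict and shutdown both count and log it
        if self.violation == RESTRICT:
            return "drop"                        # frame dropped, port stays up
        self.err_disabled = True                 # shutdown: port goes error-disabled
        return "err-disable"

    def recover(self) -> None:
        """Operator recovery: remove the offending device, then shutdown / no shutdown.
        Sticky addresses and the violation counter are retained."""
        self.err_disabled = False


def run_lab_scenario(mode: str = SHUTDOWN):
    """Replay Task 2 Steps 3-4: PC2 sends two frames on Fa0/4, then the Linksys
    Internet port (a different MAC, assumed value) sends two frames on the same port."""
    pc2 = "0001.c7e4.ede6"           # example PC2 address from the lab
    linksys_wan = "0013.1050.c5e8"   # constructed address for the Linksys Internet port
    port = SecurePort("Fa0/4", violation=mode, sticky=True)
    results = [port.receive(pc2), port.receive(pc2),
               port.receive(linksys_wan), port.receive(linksys_wan)]
    return port, results


if __name__ == "__main__":
    for mode in (SHUTDOWN, RESTRICT, PROTECT):
        port, results = run_lab_scenario(mode)
        print(f"{mode:9s} {results}  violations={port.violation_count} "
              f"err-disabled={port.err_disabled}")
    port, _ = run_lab_scenario(SHUTDOWN)
    port.recover()                   # Step 5: shutdown / no shutdown after removing the Linksys
    print("after recovery, PC2 frame:", port.receive("0001.c7e4.ede6"))
```

With shutdown the third frame err-disables the port and the fourth is dropped; with restrict both offending frames are dropped and the counter reaches 2 while the port stays up; with protect they are dropped with no counter at all, which is why protect leaves no trace for an operator to notice. After recovery PC2 forwards again because its sticky address was kept, and the same offender would trip the port a second time.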

Step 5: Reactivate the port

  1. If a security violation occurs and the port is shut down, first disconnect the offending device, then enter interface Fa0/4 configuration mode and use the shutdown command to administratively disable the port. An error-disabled port is not recovered by no shutdown alone; it must be taken through shutdown followed by no shutdown.
  2. Disconnect the Linksys and reconnect PC2 to port Fa0/4. Issue the no shutdown command on the

Step 6: Discuss switch port security using dynamic MAC address assignment

Step 7: Clean up

Erase the configurations and reload the switches. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

Task 3: Reflection

When considering designing a typical enterprise network, it is necessary to think about points of security vulnerability at the Access Layer. Discuss which Access Layer switches should have port security and those for which it may not be appropriate. Include possible future issues in regard to wireless and guest access to the network.

Answer: points to weigh when deciding where port security belongs include:

  • What types of hosts are connected to the switch, e.g., general PCs, IP phones, printers, servers.
  • The type of users: employees or guests.
  • Where access is made: in a secure office or in a public area.
  • The type of access: wired or wireless.
  • The security features available on the different switch platforms in use.
  • How port security policies can be implemented and managed.
  • Static versus dynamic (sticky) port security.

 


