cisco ccna port security
TRANSCRIPT
CISCO CCNA PORT SECURITY
To watch our Cisco CCNA video trainings please check out the link below:
WWW.ASMED.COM/C1
ASM Educational Center Inc. (ASM), where training, technology & service converge
Phone: (301) 984-7400, Rockville, MD
Here is what I have:
PC1 = 10.10.10.1
PC2 = 10.10.10.2
PC3 = 10.10.10.3, connected to port F0/3, which is located in the lobby
Hacker = 10.10.10.4

The goal: I want to protect port F0/3 in the lobby and make sure only PC3 (Sales3) is able to connect and do its work.
Hint: you will go into int f0/3 and start with switchport ?
Step 1) Make sure you enable port security.

SW1(config)#int f0/3
SW1(config-if)#switchport ?
  access         Set access mode characteristics of the interface
  mode           Set trunking mode of the interface
  native         Set trunking native characteristics when interface is in trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes
SW1(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
SW1(config-if)#switchport port-security
Command rejected: FastEthernet0/3 is a dynamic port.

The command is rejected because the port is still in DTP dynamic mode; port security can only be enabled on a port whose mode has been set statically (access, or trunk). So first hard-code the port mode:

SW1(config-if)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
SW1(config-if)#switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security

Setting the mode to access is itself a hardening step: a lobby port left in dynamic mode could otherwise negotiate a trunk with whatever device is plugged into it.
Hint: make sure, when you do the above, that you have put the port in access mode.

Step 2) Define how many MAC addresses can be connected. The default is 1; because it is the default value, it will not be seen if I write show run.

SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int f0/3
SW1(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
SW1(config-if)#switchport port-security maximum ?
  <1-132>  Maximum addresses
SW1(config-if)#switchport port-security maximum 2
Step 3) Tell the switch the MAC address of the PC that is connected.
Hint: I can do this in two ways:
• statically
• dynamically, using the keyword sticky

SW1(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
SW1(config-if)#switchport port-security mac-address sticky ?
  H.H.H  48 bit mac address
  <cr>
SW1(config-if)#switchport port-security mac-address sticky
SW1(config-if)#switchport port-security mac-address 2222.2222.2222

Note that 2222.2222.2222 is a placeholder static entry used for this demo. It counts as one of the two allowed addresses, so with maximum 2 the port has room to learn exactly one more address (PC3's) via sticky; any third address is a violation.
Step 4) Tell the switch what kind of action to take on a violation.

SW1(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
SW1(config-if)#switchport port-security violation shutdown

The three modes differ in how loud they are: protect silently drops frames from unknown source MACs, restrict drops them and increments the violation counter (with a log message), and shutdown err-disables the whole port until an administrator brings it back.

Hint: the default is shutdown, so, as we see in show run, it will not show up:

interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address 2222.2222.2222
!
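To see the four steps above working as one procedure, and to compare the two violation modes the slides list but never trigger, here is a toy model of a single port's port-security behaviour. It is an added example, not code from the page or from Cisco, and it simplifies IOS: the port name, the placeholder MAC and the "hacker" MAC are the ones on the slides, the frame sequence and the class design are assumptions of this example.

```python
"""Toy model of Cisco IOS port security on a single switch port.

Added example, not code from the page or from Cisco.  It mimics what the
slides show (command rejected on a dynamic port, static plus sticky secure
addresses, defaults hidden from 'show run') and exercises the protect and
restrict modes the slides only list.  Everything is a simplification of IOS.
"""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


class CommandRejected(Exception):
    """Raised where IOS would print 'Command rejected: ...'."""


@dataclass
class SecurePort:
    name: str
    mode: str = "dynamic"          # DTP dynamic until we hard-code it
    enabled: bool = False          # 'switchport port-security'
    maximum: int = 1               # IOS default maximum secure addresses
    violation: str = SHUTDOWN      # IOS default violation mode
    sticky: bool = False           # 'mac-address sticky' configured
    static: list = field(default_factory=list)    # configured H.H.H entries
    learned: dict = field(default_factory=dict)   # mac -> 'sticky' | 'dynamic'
    violations: int = 0
    err_disabled: bool = False
    last_source: str = ""

    # --- configuration commands, in the order the slides use them ---
    def switchport_mode(self, mode: str) -> None:
        self.mode = mode

    def port_security(self) -> None:
        # Port security needs a statically configured port mode;
        # on a DTP dynamic port IOS rejects the command.
        if self.mode == "dynamic":
            raise CommandRejected(f"Command rejected: {self.name} is a dynamic port.")
        self.enabled = True

    def set_maximum(self, n: int) -> None:
        self.maximum = n

    def set_violation(self, mode: str) -> None:
        self.violation = mode

    def mac_address_sticky(self) -> None:
        self.sticky = True
        for mac in self.learned:            # IOS converts existing dynamic
            self.learned[mac] = "sticky"    # secure addresses to sticky

    def mac_address(self, mac: str) -> None:
        self.static.append(mac)

    # --- data plane ---
    def total(self) -> int:
        return len(self.static) + len(self.learned)

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame; returns 'forward' or 'drop'."""
        self.last_source = src_mac
        if not self.enabled:
            return "forward"
        if self.err_disabled:
            return "drop"                    # err-disabled: nothing passes
        if src_mac in self.static or src_mac in self.learned:
            return "forward"
        if self.total() < self.maximum:      # room left: learn the address
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Table full and source unknown: security violation.
        if self.violation == PROTECT:
            return "drop"                    # silent: no counter, no log
        self.violations += 1                 # restrict and shutdown count it
        if self.violation == SHUTDOWN:
            self.err_disabled = True
            # non-sticky dynamic addresses do not survive the port going down
            self.learned = {m: k for m, k in self.learned.items() if k == "sticky"}
        return "drop"

    def shut_no_shut(self) -> None:
        """Administrator recovery: 'shutdown' then 'no shutdown'."""
        self.err_disabled = False

    def running_config(self) -> list:
        """Interface stanza as 'show run' prints it: default values are omitted."""
        lines = [f"interface {self.name}"]
        if self.mode != "dynamic":
            lines.append(f" switchport mode {self.mode}")
        if self.enabled:
            lines.append(" switchport port-security")
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != SHUTDOWN:
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        lines += [f" switchport port-security mac-address {m}" for m in self.static]
        lines += [f" switchport port-security mac-address sticky {m}"
                  for m, kind in self.learned.items() if kind == "sticky"]
        return lines


PC3 = "00d0.d320.e74c"       # PC3's MAC from the slides
HACKER = "00e0.a38b.4828"    # the laptop plugged in later


def lobby_scenario(violation: str = SHUTDOWN) -> SecurePort:
    """Replay the slides' configuration of F0/3 with the chosen violation mode,
    then deliver one frame from PC3 followed by two from the hacker."""
    port = SecurePort("FastEthernet0/3")
    port.switchport_mode("access")           # step 1 (without it: CommandRejected)
    port.port_security()
    port.set_maximum(2)                      # step 2
    port.mac_address_sticky()                # step 3
    port.mac_address("2222.2222.2222")       #   placeholder static entry
    port.set_violation(violation)            # step 4
    port.receive(PC3)                        # PC3 works and is learned as sticky
    port.receive(HACKER)                     # table full -> violation
    port.receive(HACKER)
    return port


if __name__ == "__main__":
    for mode in (SHUTDOWN, RESTRICT, PROTECT):
        p = lobby_scenario(mode)
        print(f"{mode:9} err-disabled={p.err_disabled} violations={p.violations}")
    print("\n".join(lobby_scenario().running_config()))
```

Running it shows the operational trade-off: shutdown stops the hacker but also takes PC3 off the network until someone does shut/no shut, restrict keeps PC3 working while counting every offending frame, and protect keeps PC3 working but leaves no counter to alert on.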
As we see, the default shutdown is not shown above. I go and ping PC3:

PC>ping 10.10.10.3
Pinging 10.10.10.3 with 32 bytes of data:
Reply from 10.10.10.3: bytes=32 time=109ms TTL=128
Reply from 10.10.10.3: bytes=32 time=62ms TTL=128
Reply from 10.10.10.3: bytes=32 time=63ms TTL=128
Reply from 10.10.10.3: bytes=32 time=62ms TTL=128
Ping statistics for 10.10.10.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 62ms, Maximum = 109ms, Average = 74ms
PC>
Now let's look at show run:

interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address 2222.2222.2222
 switchport port-security mac-address sticky 00D0.D320.E74C

The sticky keyword has written PC3's learned MAC address (00D0.D320.E74C) into the running configuration as if it had been typed. It lives only in running-config until you save it (copy running-config startup-config), so save it if PC3 must still be the only allowed host after a reload.
Here is the port before any violations:

SW1#show port-security int f0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00D0.D320.E74C:1
Security Violation Count   : 0

Now I will remove the cable from PC3, and the hacker will come and connect to port F0/3:

SW1#show port-security int f0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00E0.A38B.4828:1
Security Violation Count   : 1
As we see, I have the port in secure-shutdown mode. Here is another show command:

SW1#show int f0/3
FastEthernet0/3 is down, line protocol is down (err-disabled)
Let's look at port 1, where I did not configure port security:

SW1#show port-security int f0/1
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

As we see, in this case I did not enable port security, so the first line says Disabled.

How do you fix the err-disabled port F0/3? You as administrator must go to that port (after the offending device has been unplugged) and issue shut, then no shut. If you would rather have the switch recover such ports on its own after a timer, the global command errdisable recovery cause psecure-violation does that.

Keep in mind what port security checks: only the source MAC address of incoming frames. An attacker who clones PC3's MAC address is let through, so this is a control against casual plug-in access in places like the lobby, not an authentication of the device; that is the job of 802.1X.
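The show port-security output above is the artefact an operator actually reads, so the following added example (not from the page or from Cisco) parses it and turns a secure-shutdown port into an alert with the offending MAC, VLAN and the recovery commands. The two sample outputs are reconstructed from the values on the slides, in normal IOS case; the field regex, the alert rule and the assess function are this example's own assumptions.

```python
"""Parse 'show port-security interface' output and flag violated ports.

Added example, not from the page or from Cisco.  BEFORE and AFTER are
reconstructed from the slides' values (F0/3 before and after the hacker
plugs in); the parsing and the alert rule are this example's own.
"""
import re

BEFORE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00D0.D320.E74C:1
Security Violation Count   : 0
"""

# Same port after the hacker's laptop replaced PC3 (constructed from the slides).
AFTER = (BEFORE.replace("Secure-up", "Secure-shutdown")
               .replace("00D0.D320.E74C:1", "00E0.A38B.4828:1")
               .replace("Count   : 0", "Count   : 1"))

# 'key : value' with whitespace on both sides of the colon, so the colon inside
# 'Last Source Address:Vlan' and inside 'H.H.H:vlan' is not taken as the separator.
_FIELD = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<val>.+?)\s*$")


def parse_port_security(text: str) -> dict:
    """Turn the key/value listing into a dict with typed fields."""
    raw = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            raw[m["key"]] = m["val"]
    mac, _, vlan = raw.get("Last Source Address:Vlan", "0000.0000.0000:0").partition(":")
    return {
        "enabled": raw.get("Port Security") == "Enabled",
        "status": raw.get("Port Status", ""),
        "violation_mode": raw.get("Violation Mode", "").lower(),
        "maximum": int(raw.get("Maximum MAC Addresses", 0)),
        "total": int(raw.get("Total MAC Addresses", 0)),
        "sticky": int(raw.get("Sticky MAC Addresses", 0)),
        "last_mac": mac.lower(),
        "last_vlan": int(vlan) if vlan.isdigit() else None,
        "violations": int(raw.get("Security Violation Count", 0)),
    }


def assess(interface: str, text: str) -> dict:
    """Decide whether the port needs attention and list what to do about it."""
    p = parse_port_security(text)
    shut = p["status"].lower() == "secure-shutdown"
    alert = shut or p["violations"] > 0      # restrict mode counts without shutting
    steps = []
    if alert:
        steps.append(f"investigate host {p['last_mac']} on vlan {p['last_vlan']} ({interface})")
    if shut:
        # recovery the slides describe: shut / no shut once the device is gone
        steps += [f"interface {interface}", " shutdown", " no shutdown"]
    if p["enabled"] and p["sticky"] > 0:
        steps.append("copy running-config startup-config  # keep sticky MACs across reload")
    return {"interface": interface, "alert": alert, "steps": steps, **p}


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        result = assess("FastEthernet0/3", text)
        print(label, "alert" if result["alert"] else "ok", result["last_mac"])
        for step in result["steps"]:
            print("   ", step)
```

In practice the text would come from an SSH session or a syslog-triggered job rather than a string literal; the point is that the err-disabled port already carries the evidence (last source MAC and VLAN) you need before you bring it back up.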