Cisco CCNA 200-301 – Switch Security Part 3

  1. Preventing Unauthorised Devices with Port Security Lab Demo

In this lecture you’ll learn how to configure port security to prevent unauthorized devices like switches and wireless access points on your network, and we’ll use our lab demo to show this. So I’ve got Packet Tracer open here. I’ve got Switch1 with a couple of PCs plugged in, PC1 and PC2. They’ve got IP addresses 10.10.10.10 and 10.10.10.11, and they’re on ports FastEthernet0/1 and 0/2. Ignore PC3 for now. That’s the villain. That’s going to show up in a minute.

Okay, so if I have a look at my config on Switch1, I don’t have any configuration on here yet. I’ve just added a hostname, and I’ve also configured spanning-tree portfast on all the ports, just so they’ll come up quicker so you can see what’s going on more quickly. What I’m going to do here is go to global config and then select all of the interfaces that end hosts are going to be plugged into.

So that would be interface range FastEthernet0/1 - 24. I’m going to say switchport port-security, and that is going to give me an error message because I can’t put it on a port which is a dynamic port. I need to configure them as access ports first, so with the range still selected I can say switchport mode access to make them access ports, and then I can try the command again: switchport port-security.

It takes the command now. I haven’t added any parameters, so it’s just going to have all of the default settings. Let’s have a look and see what that does. I’ll do a show port-security interface FastEthernet0/1, but they’re all going to have the same config, and you can see that the maximum MAC addresses allowed is one, and if there’s a violation the port is going to be shut down. Right now I’ve only got one host plugged into any port.

So the port shouldn’t get shut down; they should have connectivity to each other. Let’s check that. I’ll go on to PC2 and ping PC1 at 10.10.10.10, and the ping works just fine. Okay, so when you’ve got the network set up as normal, with just one end host plugged into your ports, then everything is going to work. If I go back to the Packet Tracer front end again, let’s say that in the part of the building where PC2 is, they’ve hired some additional staff and there aren’t enough wall ports. What they should do is get in touch with the IT department and say, can you put some more wall ports in please? But you know that sometimes users do things that they shouldn’t do and take things into their own hands.

So let’s say that what the users down here do is remove the cable connected to PC2. Let’s take that out, and then, so that they can get additional hosts plugged in, they add an additional switch in that part of the network. They put a switch in here, and the host that was there already, they cable that into the switch, and the new host, they cable that into the switch as well. They’ve still got the network cable that was plugged into PC2 before, which they know was live on the network, so they plug that into the switch. That was on FastEthernet0/2 on our Switch1, and they plug that into their new switch and think, great, all of our new hosts are on the network now. But if we go on to PC3 and from PC3 ping 10.10.10.10, the ping is going to fail, because port security on Switch1 sees that there’s an additional MAC address: there are now two MAC addresses trying to send traffic in FastEthernet0/2.

It’s going to shut the port down. Let’s verify that by going on to Switch1 again, and I’ll do the same command again: show port-security interface FastEthernet0/1. Notice before, the status was Secure-up and there were no violations. Now I can see that I’m looking at the wrong port. I’m looking at Fast0/1; 0/2 would have been exactly the same as that. So let’s go into the correct one, which is 0/2. Before, it was Secure-up.

Now I can see that it is Secure-shutdown because there has been a security violation. And if I do a show ip interface brief, I can see that it is showing as down on here now. Okay? So to get the interface back up again I need to remove the offending host. The reason we’ve done this is that the port is going to be down, so the users are going to get in touch with IT and say hey, something’s broken. They won’t tell you what they did, but you’re going to hear about it anyway because we’ve lost connectivity in that part of the network. So you will discover this.

You’ll go down there, and if a rogue switch is still plugged in you will cable everything back as it was. Possibly the users will have set things back anyway. So let’s have a look. Back on here, let’s say you go down there and the users haven’t fixed anything; they’ve left it as it is. So we need to set things back as they were. We’re going to remove that rogue switch and then cable FastEthernet0/2 back into PC2 as it was originally.

We’ll also get a new wall port put in that part of the building so that we can cable Switch1 into PC3 as well. At this point PC3 is plugged into interface FastEthernet0/3, which is not shut down. So if I go onto PC3 now and ping 10.10.10.10, this ping is going to work. Okay? But if I go back onto PC2, which was able to ping 10.10.10.10 before the users started messing with the network, and try pinging now, it still won’t work, because the interface is still error-disabled.

To bring the interface back up again, an administrator has to go onto the switch and onto that interface. So I go config t, interface FastEthernet0/2, do a shutdown and then a no shutdown, and that will bring the interface back into service. If I now do a show port-security interface FastEthernet0/2, I can see that it is back to Secure-up again, and with show ip interface brief I can see that it is back to up/up. So now if I go back onto my host, which was PC2, and try pinging again, the ping works. Okay? So that was port security and how we can use it to stop users putting unauthorized wireless access points and switches onto the network.
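The whole procedure from this demo, consolidated as an added example (it is not the lecture’s own configuration, which is only shown piecemeal in the Packet Tracer session): default port security on every host-facing port of Switch1, the verification commands, and the manual recovery of an err-disabled port. It assumes a Catalyst-style IOS switch whose host ports are FastEthernet0/1 through 0/24.

```cisco
! Added example, not the lecture's own configuration.
! Assumes host-facing ports FastEthernet0/1 - 24 on Switch1.
Switch1# configure terminal
Switch1(config)# interface range FastEthernet0/1 - 24
Switch1(config-if-range)# spanning-tree portfast
! Port security is rejected on a port in dynamic (trunk-negotiating) mode,
! so force access mode first.
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport port-security
! No parameters given, so the defaults apply:
!   maximum 1 secure MAC address, violation mode shutdown.
Switch1(config-if-range)# end

! Verify one port: look for "Port Status : Secure-up",
! "Violation Mode : Shutdown" and "Maximum MAC Addresses : 1".
Switch1# show port-security interface FastEthernet0/2

! After a second MAC shows up behind Fa0/2 (rogue switch or AP) the port
! goes to "Secure-shutdown" and down/down, and stays err-disabled after the
! rogue device is unplugged until an administrator bounces it.
Switch1# show port-security interface FastEthernet0/2
Switch1# show ip interface brief | include FastEthernet0/2
Switch1# configure terminal
Switch1(config)# interface FastEthernet0/2
Switch1(config-if)# shutdown
Switch1(config-if)# no shutdown
Switch1(config-if)# end
Switch1# show port-security interface FastEthernet0/2
```

Bouncing the port before the extra device is removed just re-triggers the violation. IOS can also clear this state on a timer with `errdisable recovery cause psecure-violation` and `errdisable recovery interval <seconds>`; the lecture does not cover that, and it is mentioned here only as an option, with the same caveat that the port will keep flapping while the rogue device stays connected.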

  1. Locking Ports to Hosts with Port Security

In the last lecture you learned how you can use port security to prevent unauthorized devices like wireless access points and switches on your network. In this lecture, you’ll learn how you can use port security to lock interfaces down to a particular host based on its MAC address. Before we get to that, this works in conjunction with the maximum MAC addresses setting of port security. When you enable port security on an interface, this defaults to one, so a maximum of one MAC address is allowed to send traffic into the port. You can increase that if you need to, if multiple hosts share that one physical port. For example, if you’ve got an IP phone plugged in there with a PC plugged into the back of the IP phone, both the phone and the PC need to use that one physical port on the switch. To do that, go to the interface, so in that example interface FastEthernet0/2, and enter switchport port-security maximum 2. It will now allow two MAC addresses to send traffic into that port.

To verify this, the same command as usual: show port-security interface, and it was FastEthernet0/2. This shows you the difference between the Maximum MAC Addresses and the Total MAC Addresses output that you see here. Maximum MAC addresses is the total that is allowed to send traffic into the port. Total MAC addresses is how many are currently detected on the port. So here we’ve allowed two, but it’s only discovered one MAC address so far. Okay, so let’s talk about how to lock the port down to particular hosts based on their MAC address. We can manually add the MAC address that is allowed on a particular port. To do that, the configuration here is: interface FastEthernet0/10, switchport port-security to enable port security, switchport port-security mac-address 1111.2222.3333 for example, and then switchport port-security maximum 1.

Once we’ve done this, it’s only that one MAC address that is allowed to send traffic into this port. If any other MAC address tries to send traffic in, it’s going to get blocked and the port will take the violation action, which by default is to shut down the port. But let’s look at another scenario. The reason you would do this would be a highly secure environment. Let’s say it’s a bank, and let’s say for this example that it’s the headquarters and there are 1000 PCs there. So we’ve currently got those 1000 PCs, which are authorized hosts, already connected to the network, and we want to lock it down so that only those PCs are allowed on the network, and only on the ports that they’re already connected to.

Obviously it wouldn’t be scalable for us to find out those 1000 MAC addresses and then go and configure all the switches, locking each MAC address down to its particular port. That just isn’t feasible from an administrative point of view. But thankfully there’s an easy way that we can get the same effect, and that’s by using sticky MAC addresses. Sticky MAC addresses add the learned MAC address to the running configuration. You saw already from the earlier lessons that when a host starts transmitting on the port, the switch will learn its MAC address. With sticky MAC addresses, it learns the MAC address of the host that is already connected to the port, and when it does this it adds that MAC address to the running configuration, associating it with the port for port security. You can then save that to the startup config, and that will make it permanent. So that locks the port down to the PC that is currently plugged into it without you having to manually specify what the MAC address is. The configuration to do this is: interface FastEthernet0/2, switchport port-security, and then switchport port-security mac-address sticky.

Now, there is a lot of confusion with this, and people get confused about the difference between when I say mac-address sticky and when I just don’t mention the MAC address at all. I’ll show you that when we do the lab demo, and it’s going to make it clear. Okay, once we’ve configured this, to verify the MAC addresses that are associated with the different interfaces you can do a show port-security address. Here I can see on FastEthernet0/2 there’s a MAC address that was dynamically configured, so this was automatically learned; the same with the MAC address on FastEthernet0/3. The MAC address on 0/10 I can see is secure configured: it was manually added, the MAC address 1111.2222.3333.

That’s how you can check the MAC addresses associated with your different interfaces for port security. And finally, we can also put in a command to view a summary of all the ports on the switch. This is useful if you want to see if any ports have been shut down because of a violation, all in one output with a single command. To do that, it is show port-security. Okay, so that was the theory and also the command examples of how to configure port security to lock your ports down to particular hosts. In the next lecture, I’ll show you how to configure this as well. And like I said, it’s going to clear up any confusion you had about having no MAC address specified, having a manually set MAC address, or using sticky MAC addresses. See you in the next lecture.

  1. Locking Ports to Hosts with Port Security Lab Demo

In this lecture, you’ll learn how to lock ports down to particular MAC addresses with port security. Looking at our topology here, I’ve got Switch1, and right now PC1 and PC2 are plugged into ports 0/1 and 0/2. I’ve set the MAC addresses manually for this lab so that we can keep track of things a bit more easily. PC1 has got the MAC address ending in 01, PC2 is 02, and PC3, the villain, is 03. So let’s say that this is a bank and we want to lock our ports down to particular hosts. First up, I’ll lock port FastEthernet0/1 down to MAC 01. I’ll go onto the switch and go to global config, and then it’s interface FastEthernet0/1. I need to set switchport mode access first and then switchport port-security. That just enables generic default port security on there. Next up, I want to lock it down to this particular MAC address.

So the command is switchport port-security mac-address and then the MAC address of PC1. Okay, done. I’m also going to manually set it to one MAC address as well: switchport port-security, let’s check the command, maximum 1. That was the default anyway. If I now do a show port-security interface FastEthernet0/1, I can see that port security is enabled and it does have a configured MAC address, and that the MAC address has not been learned yet. If I want to check what the MAC address is, I can do a show port-security address, and I can see there’s the MAC address that is locked to interface FastEthernet0/1. It hasn’t seen the MAC address yet because there hasn’t been any traffic coming in yet.

So let’s go on to PC1 and I’ll ping over to PC2: ping 10.10.10.11 to generate some traffic. If I now do my show port-security interface again, I can see that yes, there is the MAC address and the traffic went through. Okay, so it’s all good. Now let’s say that the next thing that happens is we have an attacker that’s trying to get onto the network. What they do is disconnect the cable that’s connected to PC1 and hook that up to their PC instead. So that was interface FastEthernet0/1. They connect their PC in, which has got a different MAC address, 03. In this example, the IP address is already configured on here, 10.10.10.12.

So let’s see if port security is going to work or not. I’ll try pinging PC2 from PC3, so I will ping 10.10.10.11 from here, and the ping fails because port security locks down the port, because it was not the correct MAC address. If I look back on the switch again and do my show port-security interface command, I can see that I’ve had a violation and that it didn’t actually change the configured MAC address. The last source address it saw is PC3’s, which is the one that’s violating; it’s not 01, so port security has shut down the interface. To fix this I need to walk down there and take that PC off the network. I didn’t mean to delete the whole thing.

Let’s try to delete just the link, so I’ll remove it and then cable FastEthernet0/1 back up to PC1. PC1 is not back on the network yet; I need to do a shut and a no shut to take it out of error-disabled. So I go config t, interface FastEthernet0/1, shutdown, no shutdown. Then I’ll check the state of the interface with show port-security interface, and I can see that it is back up with the correct address ending in 01. Let’s just check connectivity as well. From PC1, I’ll ping PC2 again. We’re all good, we’re back where we started. So that’s how you can manually configure the MAC address on the interface to lock it down to that one MAC address. The next thing to look at is using a sticky address. But before I show you how a sticky address works, I want to demonstrate how this is different from not putting a MAC address on the interface at all.

So let’s go on to Switch1, and I’m just going to enable default port security on here. I’ll go to global config, interface FastEthernet0/2, and then switchport port-security. As usual I forgot to say switchport mode access first, so I’ll do that and then try the command again, and it’ll work. Okay, we now do our show port-security interface FastEthernet0/2. It’s going to have the default settings because I didn’t configure any other parameters, and by default it only allows one MAC address. But it doesn’t care what that MAC address is, because I didn’t manually set the MAC address and I haven’t said mac-address sticky. So you saw in the last couple of lectures that if I plug a hub, a switch or a wireless access point in here, then there are going to be more hosts trying to transmit and it’s going to lock the port down then.

So what this does is stop unauthorized devices from getting put on your network, but it doesn’t lock it down to a particular host. To demonstrate that, let’s delete the link going to PC2 and then hook it up to PC3 instead. So FastEthernet0/2, connect it to PC3 instead. If I now go on to PC3 and ping 10.10.10.10, which is PC1, the ping succeeds. So it would work from PC2, it’ll work from PC3, it’ll work from any PC. The switch doesn’t care which host is plugged in as long as it’s only one host at a time. So let’s say that now I do actually want to lock it down to this particular PC, which is PC2. Let’s move the cable back over again, without deleting that whole host accidentally.

So I’ll take my cable from FastEthernet0/2 on the switch and plug it back into PC2. I’ve already got port security configured on the interface, but now I’m going to set mac-address sticky. I’ll go to global config, interface FastEthernet0/2, switchport port-security mac-address sticky. What will happen now is it will learn the MAC address that is plugged in there. So let’s generate some traffic first. I’ll go into PC2 and ping over to PC1. The ping works just fine. Now if I go back onto the switch and do a show port-security interface FastEthernet0/2, I’ll see that I’ve allowed my one MAC address and I can see that it is a sticky MAC address now.

And here is the MAC address; it was learned, ending in 02. So by using sticky, it saves me having to manually figure out what the MAC address is and manually type it in on all my interfaces, which would be a heap of work. It automatically learns it, but it does lock it down to this one port now. So you saw that PC2 is able to communicate. But if we go back and do the same thing that we did earlier, which was unplug PC2 and then move the network cable over to PC3, well, because I said sticky, it’s saying that it’s only the 02 MAC address that is allowed to talk on this port.

So if I go on to PC3 and try to ping PC1 now, ping 10.10.10.10, the ping is going to fail. And then if I go on to Switch1 and do a show port-security interface FastEthernet0/2, I see that there was a violation. It’s not the sticky MAC address that was learned, so the port has been shut down. Okay, so that’s it. That’s everything about port security. You’ve seen how we can use it to prevent unauthorized devices on the network, also how we can use it to lock the port down to a particular MAC address, how we can do that by manually adding MAC addresses, how we can do it more conveniently by using sticky, and also the difference between using a sticky MAC address and not configuring a MAC address at all. So that’s everything. See you in the next section.
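The three styles that the last two lectures contrast, side by side as an added example (not the lecture’s own Packet Tracer configuration): a statically configured MAC on Fa0/1, sticky learning on Fa0/2, default port security with no MAC specified on Fa0/3, and the phone-plus-PC case with a maximum of two from the theory lecture. The MAC addresses are assumed to be 0000.0000.0001, 0000.0000.0002 and 0000.0000.0003 for PC1, PC2 and PC3, matching the 01, 02 and 03 endings the lecture set manually; the interface numbers are the lab’s.

```cisco
! Added example, not the lecture's own configuration.
! Assumed lab MACs: PC1 0000.0000.0001, PC2 0000.0000.0002, PC3 0000.0000.0003
Switch1# configure terminal

! Fa0/1 - static: only PC1's MAC may ever send into this port.
Switch1(config)# interface FastEthernet0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport port-security
Switch1(config-if)# switchport port-security maximum 1
Switch1(config-if)# switchport port-security mac-address 0000.0000.0001

! Fa0/2 - sticky: the first MAC seen is written into the running config as
!   "switchport port-security mac-address sticky 0000.0000.0002"
Switch1(config-if)# interface FastEthernet0/2
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport port-security
Switch1(config-if)# switchport port-security mac-address sticky

! Fa0/3 - no MAC specified: any single host works, but a second MAC
!   (hub, rogue switch, wireless AP) err-disables the port.
Switch1(config-if)# interface FastEthernet0/3
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport port-security

! Fa0/10 - IP phone with a PC behind it: two MACs share one physical port.
Switch1(config-if)# interface FastEthernet0/10
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport port-security
Switch1(config-if)# switchport port-security maximum 2
Switch1(config-if)# end

! Which MAC is bound to which port, and how it got there
! (Type column: SecureConfigured = static entry, SecureSticky = learned and
!  written to the config, SecureDynamic = learned only, cleared on link down
!  or reload).
Switch1# show port-security address
! One line per port: spot Secure-shutdown ports and violation counts quickly.
Switch1# show port-security
! Sticky entries are in the running config only; save them or a reload
! forgets them and the port re-learns whatever is plugged in next.
Switch1# copy running-config startup-config
```

The sticky line in the running config is the lock: once it exists, moving the cable from PC2 to PC3 trips a violation on Fa0/2 exactly as the static entry does on Fa0/1, while Fa0/3 lets either PC through as long as only one of them is connected at a time. In all three cases the violating port goes to Secure-shutdown and needs the shutdown / no shutdown bounce shown in the earlier demo.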