The lab teaches how to restrict network access using port security on a switch. It includes steps to allow only authorized MAC addresses on a port and to shut the port down when an unauthorized one appears.

Solutions:

To limit the number of MAC addresses allowed on a Cisco switchport, we can apply port security, which prevents an unauthorized host from using the port. This task asks for two kinds of port security configuration. The first is a static secure MAC entry, typed into the configuration by hand. The second is sticky learning, where the switch takes the MAC address it learns dynamically on the port and writes it into the running configuration as a sticky secure address. From then on a sticky address behaves like a static one, but it only survives a reload if the running configuration is saved after the address has been learned.

First we need to discover the MAC address of interface Gig0/1 on router R2. This can be done in several ways; what we'll do is log into the router and issue "show interface gig0/1", which prints the address the interface is using and, in parentheses, its burned-in address (bia). Below is an example of this:


    Router#show interface gig0/1        
    GigabitEthernet0/1 is administratively down, line protocol is down
      Hardware is iGbE, address is 0c1e.d91b.0001 (bia 0c1e.d91b.0001)

Now we'll configure Switch-2 for port security. On a physical switch the port has to be a static access or trunk port first ("switchport mode access"); IOS rejects port security on a port that is still in dynamic (DTP) mode:


    Sw2:
    interface Gig0/1
     switchport port-security
     switchport port-security maximum 1 --> This is the default value so technically you don't have to configure it.
     switchport port-security violation shutdown
     switchport port-security mac-address 0c1e.d91b.0001
    !
    interface Gig0/0
     switchport port-security
     switchport port-security maximum 1
     switchport port-security violation shutdown
     switchport port-security mac-address sticky
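The same two stanzas, generated from an allow-list by a small script. This is an added example and not part of the lab: the port-to-MAC mapping below is constructed for it (Gig0/1 reuses R2's address from the lab, Gig0/0 is marked sticky), the function names are mine, and each stanza gets "switchport mode access", which the lab's configuration does not show. What it adds to the lab is input validation: MAC addresses arrive from inventory systems in several notations, IOS only accepts the aabb.ccdd.eeff form, and a multicast address or more static addresses than the configured maximum should be caught before the config is pasted into a switch.

```python
import re

# Constructed allow-list for this example: port -> authorized MAC(s).
# A value of None means "learn the first MAC seen and make it sticky", as on Sw2 Gig0/0.
AUTHORIZED_PORTS = {
    "GigabitEthernet0/1": "0c:1e:d9:1b:00:01",   # R2 Gig0/1, as read from 'show interface'
    "GigabitEthernet0/0": None,                  # sticky: learn whatever is plugged in first
}

VALID_MODES = ("shutdown", "restrict", "protect")


def to_cisco_mac(mac: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex to the
    aabb.ccdd.eeff form IOS expects. Rejects anything that is not 12 hex digits and rejects
    multicast/broadcast addresses (I/G bit set), which can never be a real source address."""
    digits = re.sub(r"[:.\-\s]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"multicast/broadcast MAC cannot be a secure address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def port_security_config(ports: dict, violation: str = "shutdown", maximum: int = 1) -> str:
    """Render the interface stanzas for a {port: None | mac | [mac, ...]} allow-list.
    Raises ValueError for an unknown violation mode or more static MACs than 'maximum'."""
    if violation not in VALID_MODES:
        raise ValueError(f"violation mode must be one of {VALID_MODES}, got {violation!r}")
    if maximum < 1:
        raise ValueError("maximum must be at least 1")
    lines = []
    for port, macs in ports.items():
        static = [] if macs is None else ([macs] if isinstance(macs, str) else list(macs))
        if len(static) > maximum:
            raise ValueError(f"{port}: {len(static)} static MACs exceed maximum {maximum}")
        lines += [
            f"interface {port}",
            " switchport mode access",           # port security is rejected on a dynamic (DTP) port
            " switchport port-security",
            f" switchport port-security maximum {maximum}",
            f" switchport port-security violation {violation}",
        ]
        if macs is None:
            lines.append(" switchport port-security mac-address sticky")
        for mac in static:
            lines.append(f" switchport port-security mac-address {to_cisco_mac(mac)}")
        lines.append("!")
    return "\n".join(lines)


if __name__ == "__main__":
    print(port_security_config(AUTHORIZED_PORTS))
```

Running the script prints the two stanzas from the lab (plus the access-mode line); passing violation="restrict" or a larger maximum renders the variants discussed later without retyping anything.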

Verification

First, verify port security on each interface.


    Sw2#show port-security interface gig0/1
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 1
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 0c1e.d91b.0001:100
    Security Violation Count   : 0

    Sw2#
    Sw2#show port-security interface gig0/0
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 1
    Last Source Address:Vlan   : 0cfd.7d9b.0001:300
    Security Violation Count   : 0

    !
    Sw2#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
          Gig0/1              1            1                  0         Shutdown
          Gig0/0              1            1                  0         Shutdown
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 5120

In the above output we can see the configured parameters of port security. The violation mode is "shutdown" and the maximum is 1 MAC address, which is the default. The two methods show up differently: Gig0/1 counts its address under "Configured MAC Addresses", while Gig0/0 counts the address it learned under "Sticky MAC Addresses", and "Last Source Address:Vlan" confirms which host was seen on each port. To list the secure addresses themselves, with their type (SecureConfigured or SecureSticky), use "show port-security address".

Now change the Gig0/1 interfaces of R2 and R4 to a MAC address that differs from the one port security has on record for each port. Both routers get the same new address here; what matters is that it is not the secure address.


    R2:
    interface Gig0/1
     mac-address 1234.1234.1234
    !
    R4
    interface Gig0/1
     mac-address 1234.1234.1234

Both Gig0/1 and Gig0/0 on Sw2 have gone into the err-disabled state because of the port security violation. Note that the %PORT_SECURITY-2-PSECURE_VIOLATION message names the offending MAC address and the port, which is exactly what you want forwarded to a syslog collector. Take a look at the log messages:


    Sw2#
    *Mar  8 15:16:55.346: %PM-4-ERR_DISABLE: psecure-violation error detected on Gig0/1,     putting Gig0/1 in err-disable state
    *Mar  8 15:16:55.354: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,     caused by MAC address 1234.1234.1234 on port GigabitEthernet0/1.
    *Mar  8 15:16:56.346: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1,     changed state to down
    *Mar  8 15:16:57.354: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
    !
    *Mar  8 15:19:01.894: %PM-4-ERR_DISABLE: psecure-violation error detected on Gig0/0,     putting Gig0/0 in err-disable state
    *Mar  8 15:19:01.898: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,     caused by MAC address 1234.1234.1234 on port GigabitEthernet0/0.
    *Mar  8 15:19:02.894: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0,     changed state to down
    *Mar  8 15:19:03.898: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down

    Sw2#show port-security interface Gig0/1
    Port Security              : Enabled
    Port Status                : Secure-shutdown
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 1
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 1234.1234.1234:100
    Security Violation Count   : 1
    !
    Sw2#show port-security interface Gig0/0
    Port Security              : Enabled
    Port Status                : Secure-shutdown
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 1
    Last Source Address:Vlan   : 1234.1234.1234:300
    Security Violation Count   : 1
    !
    Sw2#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
          Gig0/1              1            1                 1         Shutdown
          Gig0/0              1            1                  1         Shutdown
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 5120
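The violation messages and the counters above are what an operator would actually monitor. As an added example (not part of the lab), the Python script below joins the two: it parses %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE syslog lines for the offending MAC, the port and the err-disabled state, parses the "show port-security" table for the per-port counters and action, and reports one finding per port that needs attention. The sample syslog and table text are constructed for the example, modelled on the lab's own output; Gig0/2 in restrict mode, Gig0/3 in protect mode and the MAC 0cfd.7d9b.ffff are invented to exercise the other two violation modes. The note attached to protect-mode ports reflects Cisco's documented behaviour for that mode (no syslog, no trap, no counter increment).

```python
import re
from dataclasses import dataclass, field

# Constructed sample input modelled on the lab's syslog and 'show port-security' output;
# Gig0/2 (restrict) and Gig0/3 (protect) are invented here to exercise the other modes.
SAMPLE_SYSLOG = """\
*Mar  8 15:16:55.346: %PM-4-ERR_DISABLE: psecure-violation error detected on Gig0/1, putting Gig0/1 in err-disable state
*Mar  8 15:16:55.354: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1234.1234.1234 on port GigabitEthernet0/1.
*Mar  8 15:16:56.346: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar  8 15:19:01.894: %PM-4-ERR_DISABLE: psecure-violation error detected on Gig0/0, putting Gig0/0 in err-disable state
*Mar  8 15:19:01.898: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1234.1234.1234 on port GigabitEthernet0/0.
*Mar  8 15:22:40.011: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1234.1234.1234 on port GigabitEthernet0/2.
*Mar  8 15:22:41.500: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0cfd.7d9b.ffff on port GigabitEthernet0/2.
"""
SAMPLE_SHOW = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gig0/1              1            1                  1         Shutdown
      Gig0/0              1            1                  1         Shutdown
      Gig0/2              2            2                  3         Restrict
      Gig0/3              1            1                  0         Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 5120
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?")
TABLE_ROW_RE = re.compile(r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)"
                          r"\s+(?P<action>Shutdown|Restrict|Protect)\s*$")


def canonical_port(name):
    """Collapse GigabitEthernet0/1, Gig0/1 and Gi0/1 to 'Gi0/1' so syslog and show output join on port."""
    m = re.fullmatch(r"([A-Za-z-]+)(\d\S*)", name)
    if not m:
        raise ValueError(f"unrecognised interface name: {name!r}")
    return m.group(1)[:2].capitalize() + m.group(2)


def parse_violations(syslog_text):
    """(timestamp, port, mac) for every PSECURE_VIOLATION message; other syslog lines are ignored."""
    found = []
    for line in syslog_text.splitlines():
        m = VIOLATION_RE.search(line.strip())
        if m:
            ts = TIMESTAMP_RE.search(line)
            found.append((ts.group(0) if ts else "", canonical_port(m["port"]), m["mac"].lower()))
    return found


def errdisabled_ports(syslog_text):
    """Ports that %PM-4-ERR_DISABLE reports as err-disabled for a psecure-violation."""
    return {canonical_port(m["port"]) for m in ERRDISABLE_RE.finditer(syslog_text)}


def parse_show_table(show_text):
    """Per-port rows of 'show port-security'; header, rule and 'Total' lines never match the row pattern."""
    rows = {}
    for line in show_text.splitlines():
        m = TABLE_ROW_RE.match(line)
        if m:
            rows[canonical_port(m["port"])] = {"max": int(m["max"]), "current": int(m["cur"]),
                                               "violations": int(m["viol"]), "action": m["action"]}
    return rows


@dataclass
class Finding:
    port: str
    action: str
    violations: int
    err_disabled: bool
    offending_macs: list = field(default_factory=list)
    note: str = ""


def audit(syslog_text, show_text):
    """One Finding per port with a non-zero violation counter (with the offending MACs seen in
    syslog and whether the port is err-disabled), plus every port in protect mode, which drops
    offenders silently: no syslog, no SNMP trap and no counter increment, so nothing else flags it."""
    table = parse_show_table(show_text)
    disabled = errdisabled_ports(syslog_text)
    macs_by_port = {}
    for _ts, port, mac in parse_violations(syslog_text):
        seen = macs_by_port.setdefault(port, [])
        if mac not in seen:
            seen.append(mac)
    findings = []
    for port, row in table.items():
        note = "protect mode: silent drop, violations are invisible to this audit" if row["action"] == "Protect" else ""
        if row["violations"] == 0 and not note:
            continue
        findings.append(Finding(port, row["action"], row["violations"], port in disabled,
                                macs_by_port.get(port, []), note))
    return findings
```

On the sample input the audit returns four findings: Gig0/1 and Gig0/0 err-disabled with the MAC 1234.1234.1234, Gig0/2 up in restrict mode with two distinct offending MACs against a counter of 3, and Gig0/3 flagged only because protect mode would never tell you about a violation. Feeding it real output means collecting "show port-security" (over SSH or from a config backup) and the switch's syslog stream; the regexes key on the message mnemonics, so the syslog host's own prefix in front of the timestamp does not matter.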

Optionally, instead of shutting the port down, we can set the violation mode to restrict or protect. Both keep the port up and drop frames from any MAC address beyond the secure ones. Restrict also increments the violation counter, logs a syslog message and sends an SNMP trap (if port-security traps are enabled) each time an unauthorized MAC address is seen, so it is the mode to pick when the port must stay up but you still want to know. Protect drops silently, with no counter, no log and no trap, so a violation can go unnoticed; it is rarely the right choice on a user-facing port. With the default shutdown mode, an err-disabled port stays down until an administrator issues "shutdown" followed by "no shutdown" on it, or until automatic recovery is enabled with "errdisable recovery cause psecure-violation" and an interval is set with "errdisable recovery interval" (in seconds). Automatic recovery is convenient in a lab, but on a production switch it lets an unauthorized device keep retrying, so pair it with alerting on the violation messages.