How to Configure Port Security on a Cisco Switch?
In this article we will perform the following tasks:
Configure the IP address and subnet mask
Set the IP default gateway
Enable Telnet sessions for the switch
Enable EtherChannel
Enable port security
To perform this activity, download the lab topology and load it in Packet Tracer, or
create your own topology as shown in the figure.
Configure IP address, subnet mask and default gateway
An IP address and default gateway are needed to configure the switch remotely via Telnet or SSH.
Without these essential configurations you have to connect to the switch via a console cable
each time, which is tedious because you must be physically next to the switch every time.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#interface vlan 1
S1(config-if)#ip address 10.0.0.10 255.0.0.0
S1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
S1(config-if)#exit
S1(config)#ip default-gateway 10.0.0.1
Enable Telnet and password-protect the lines
You can secure a switch by using passwords to restrict various levels of access. Using
passwords and assigning privilege levels are simple ways of providing both local and
remote terminal access control in a network. Passwords can be set on
individual lines, such as the console, and on the privileged EXEC (enable) mode.
Passwords are case sensitive. By default there are five VTY ports on the switch,
allowing five simultaneous Telnet sessions; other Cisco devices might
have more than five logical VTY ports. The five VTY ports are numbered 0
through 4 and are referred to all at once as line vty 0 4.
S1(config)#line console 0
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#line vty 0 4
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#
Enable switch port security
This feature set allows you (among several other options) to disable a port if more
than one MAC address is detected on it. The feature is
commonly applied to ports that connect security-sensitive devices such as servers.
You can use port security to restrict input to an interface by limiting and
identifying the MAC addresses of the stations allowed to access the port. When you
assign secure MAC addresses to a secure port, the port does not forward packets
whose source addresses are outside the group of defined addresses.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security violation shutdown
S2(config-if)#exit
S2(config)#
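The commands above secure a single port by hand. On a switch with dozens of access ports, a defender wants to know which ports were missed. The following script is an added example, not code from the original article: it parses a saved running-config and reports every access port that has no port-security enabled, together with the effective maximum, sticky and violation settings of the ports that do. The sample configuration is constructed for the demo; Fa0/1 mirrors the S2 configuration from the article, while the Fa0/2 and Fa0/3 stanzas are assumed and not part of the page's topology. The IOS defaults filled in for unset values (maximum 1, violation shutdown) are the documented defaults.

```python
"""Audit a Cisco IOS running-config for switchport port-security coverage.

Added example (not from the original article). The sample config below is
constructed for the demo; Fa0/2 and Fa0/3 are assumed ports, not from the page.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: Fa0/1 is secured exactly as the article configures S2,
# Fa0/2 is an access port with no port-security, Fa0/3 is a trunk.
SAMPLE_CONFIG = """\
hostname S2
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode trunk
!
interface Vlan1
 ip address 10.0.0.10 255.0.0.0
!
"""


@dataclass
class PortAudit:
    name: str
    mode: str = "dynamic"          # IOS default when no 'switchport mode' is set
    port_security: bool = False
    maximum: int = 1               # IOS default: one secure MAC address
    sticky: bool = False
    violation: str = "shutdown"    # IOS default violation mode
    raw: list = field(default_factory=list)


def parse_interfaces(config: str) -> dict:
    """Split a running-config into per-interface stanzas and extract port-security settings."""
    ports = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = PortAudit(name=line.split(None, 1)[1].strip())
            ports[current.name] = current
            continue
        if current is None or not line.startswith(" "):
            current = None   # '!' or a global command ends the stanza
            continue
        cmd = line.strip()
        current.raw.append(cmd)
        if cmd.startswith("switchport mode "):
            current.mode = cmd.split()[-1]
        elif cmd == "switchport port-security":
            current.port_security = True
        elif (m := re.match(r"switchport port-security maximum (\d+)", cmd)):
            current.maximum = int(m.group(1))
        elif cmd == "switchport port-security mac-address sticky":
            current.sticky = True
        elif (m := re.match(r"switchport port-security violation (\w+)", cmd)):
            current.violation = m.group(1)
    return ports


def find_unprotected_access_ports(config: str) -> list:
    """Return the names of access ports that have no port-security enabled."""
    return [
        p.name for p in parse_interfaces(config).values()
        if p.mode == "access" and not p.port_security
    ]


if __name__ == "__main__":
    for port in parse_interfaces(SAMPLE_CONFIG).values():
        print(f"{port.name:18} mode={port.mode:8} port-security={port.port_security} "
              f"max={port.maximum} sticky={port.sticky} violation={port.violation}")
    print("unprotected access ports:", find_unprotected_access_ports(SAMPLE_CONFIG))
```

Feed it the output of show running-config saved to a file; the SVI (Vlan1) is not flagged because it is not an access port, and trunks are listed but not flagged, since port security in this article is meant for access ports facing end stations.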
You can verify port security as follows.
Click the red X button on the right-hand side of the Packet Tracer window. This
allows you to delete a connection in the topology. Place the X over the
connection between Server and S2 and click. The connection should
disappear.
Select the lightning-bolt button in the bottom left-hand corner of the Packet Tracer
window to bring up the connection types. Click the "copper
straight-through" connection. Click the TestPC device and select the
FastEthernet port. Next, click on S2 and select port Fa0/1.
From the command prompt of TestPC, type the command ping 10.0.0.4. The
ping should fail.
On S2, enter the command show port-security interface fa0/1.
Port security is enabled, the port status is secure-shutdown, and the security violation count is
1.
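Reading that status by eye works for one lab port; in operations you want the same check done by a script so that a violation raises an alert. The following is an added example, not part of the original article: it parses the key/value output of show port-security interface and decides whether the port needs attention, treating a disabled port-security feature as its own finding rather than as a clean result. The sample output is constructed to match the state the article describes after the TestPC ping (secure-shutdown, violation count 1); the MAC address in it is made up.

```python
"""Turn 'show port-security interface' output into an alert decision.

Added example (not from the original article). SAMPLE_OUTPUT is constructed
to match the secure-shutdown state the article describes; the MAC is made up.
"""
import re

SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.4322.A1B2:1
Security Violation Count   : 1
"""

# Constructed: the same port before any violation, still forwarding.
SAMPLE_OUTPUT_CLEAN = SAMPLE_OUTPUT.replace("Secure-shutdown", "Secure-up") \
                                   .replace("Security Violation Count   : 1",
                                            "Security Violation Count   : 0")

# Constructed: port-security never enabled on the port.
SAMPLE_OUTPUT_DISABLED = SAMPLE_OUTPUT.replace("Port Security              : Enabled",
                                               "Port Security              : Disabled")


def parse_show_port_security(text: str) -> dict:
    """Parse 'Key : Value' lines into a dict; keys keep their IOS wording."""
    fields = {}
    for line in text.splitlines():
        # Split only on the first ' : ' so 'Last Source Address:Vlan' keeps its colon.
        m = re.match(r"^(.*?)\s*:\s(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def assess_port(text: str) -> dict:
    """Return a finding summary for one port.

    severity: 'critical' when the port is in secure-shutdown or has violations,
              'warning' when port-security is not enabled at all,
              'ok' otherwise.
    """
    f = parse_show_port_security(text)
    enabled = f.get("Port Security", "").lower() == "enabled"
    status = f.get("Port Status", "").lower()
    violations = int(f.get("Security Violation Count", "0") or 0)
    last_source = f.get("Last Source Address:Vlan", "")

    if not enabled:
        severity = "warning"
    elif status == "secure-shutdown" or violations > 0:
        severity = "critical"
    else:
        severity = "ok"

    return {
        "enabled": enabled,
        "status": status,
        "violations": violations,
        "last_source": last_source,
        "severity": severity,
    }


if __name__ == "__main__":
    for label, sample in [("after violation", SAMPLE_OUTPUT),
                          ("clean", SAMPLE_OUTPUT_CLEAN),
                          ("disabled", SAMPLE_OUTPUT_DISABLED)]:
        print(label, assess_port(sample))
```

The last-source field is kept in the result because it is what an operator looks at first after an alert: it shows which station tripped the sticky limit, so the shutdown can be traced before the port is re-enabled.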
Configure EtherChannel
EtherChannel allows you to bundle several switch ports into one logical link for more bandwidth. If
you connect the switch ports without an EtherChannel configuration, the switch's built-in
STP will block one of these ports to avoid a loop. You can download this
example topology to practise EtherChannel.
a. To enable EtherChannel on DLS1, enter interface range mode for ports
F0/11 and F0/12 with the command interface range f0/11 - 12.
b. Enter the command switchport mode trunk.
c. Enter the command channel-group 1 mode desirable.
d. Repeat steps a through c on DLS2.
DLS1>enable
DLS1#configure terminal
DLS1(config)#interface range fastEthernet 0/11 - 12
DLS1(config-if-range)#switchport mode trunk
DLS1(config-if-range)#channel-group 1 mode desirable
DLS1(config-if-range)#exit
DLS1(config)#exit
DLS1#