Thursday, October 24, 2013

How to Implement Basic Cisco Switch Port Security: Part 1

Basic Cisco Switch Port Security: Part 1

In a world where hackers and crackers are more aggressive than ever before, securing your network infrastructure is a necessity. Security measures such as restricting physical access to your network are very valuable.

Port-security is one of the basic security measures implemented on a switch, particularly a Cisco switch. Though basic, it is far better than having no security at all. It is especially necessary in places where interface ports are exposed and people can simply plug in their own devices and go about their business.

There are also instances where employees bring their own hubs, replace their host with a hub, connect even more hosts, and unwittingly damage the network and stop their whole production. Port-security is a front-line measure for preventing unknown hosts from connecting to your network, so knowing how to apply it is very useful.

In this tutorial, I will demonstrate how port-security is implemented in the simplest way possible, again using Cisco Packet Tracer. If you still don't know how to set up a basic network, please see my previous tutorial, "Basic Switched Network using Cisco Packet Tracer".

Here is the step-by-step tutorial on how it is implemented:



First, set up the network as seen in the illustration above: four hosts and a switch at the center. Also, assign the indicated IP addresses and subnet masks to the respective hosts. If you still don't know how to set up this network, see my previous tutorial entitled "Basic Switched Network using Cisco Packet Tracer". Click on the switch; a window pops up, and choosing the "CLI" tab shows the interface seen above.



Next, get into the CLI of the switch and you will see the "Switch>" prompt. This prompt is called user exec mode. In this mode only limited commands and processes are available, so we need to move to another mode, privileged exec mode. How do we do this?

1. To enter privileged exec mode on the switch, simply type the command "enable" at the user exec prompt, then hit enter.

2. As the figure shows, after the "enable" command you will notice the "Switch#" prompt. This means you are in privileged exec mode. To enter commands that configure and affect the whole switch, you need to go to global configuration mode. To get there, type the "configure terminal" command at the privileged exec prompt, then hit enter.

3. Next, we need to go to the interface(s) of the switch. There are two ways to do this: one interface at a time, or several at once. To configure interfaces one by one, for example fastethernet 0/1, type the command "interface fastethernet 0/1" in global configuration mode. To move to the next interface, use the same command but with 0/2, 0/3, 0/4 and so on instead of 0/1. To enter all of these interfaces at once, use the command: "interface range fastethernet 0/1 - 4".

4. Notice that your prompt changed to "Switch(config-if-range)#"; this means you are now configuring the fastethernet 0/1 - 0/4 interfaces together. Next, use the command "switchport mode access", which makes all the affected interfaces access ports. An access port is a port that connects to a host, not to another switch or router.

5. Next we turn on port-security. How do we do that? Simply type the command "switchport port-security". This tells the switch to enable its security measures on these ports.

6. After turning on port-security, you can tell the switch that each port may have only one host by issuing the command "switchport port-security maximum 1". Therefore, if two hosts are connected to one port, say through a hub, the switch will detect it and take the configured action.
</gml_replace>
<gr_replace lines="37" cat="clarify" orig="7. You can also">
7. You can also tell the switch that if someone violates the restriction of a maximum of one host per port, it should shut that port or interface down. You do this by issuing the command: "switchport port-security violation shutdown". This automatically shuts the port down, and it stays unusable until you, as the network administrator, bring it back up.

7. You can also tell the switch that if someone violated the restriction of a maximum of one host per port is allowed, shutdown that port or interface. You can do this by issuing the command: switchport port-security violation shutdown. This will automatically shut the port down and they can never use that port again, unless you as a network administrator will put it up again.
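Steps 3 to 7 above are applied by hand to four ports, but on a real switch you also want to check later that every access port still carries those settings. The following Python script is an added example (not part of the original tutorial) that audits a constructed "show running-config" excerpt against the policy from these steps: port-security enabled, maximum 1, violation shutdown. The sample config, the policy values and the function names are assumptions made for this example. One caveat the script handles: on IOS the values "maximum 1" and "violation shutdown" are the defaults and are not printed in the running-config, so their absence on a port that has port-security enabled is treated as compliant.

```python
"""Audit a Cisco IOS running-config for the port-security settings applied in
steps 3-7: access ports must have port-security enabled, maximum 1 host,
violation mode shutdown. The sample config below is constructed for this
example and is not output from a real switch."""
import re

# Constructed sample of `show running-config` output (example data only).
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
!
interface FastEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [indented config lines]} for every interface stanza."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any non-indented line closes the stanza
    return interfaces


def port_security_settings(lines):
    """Derive the effective port-security state of one interface.
    IOS does not print default values, so 'maximum 1' and
    'violation shutdown' are assumed whenever port-security is enabled."""
    enabled = "switchport port-security" in lines
    maximum = 1
    violation = "shutdown"
    for line in lines:
        m = re.fullmatch(r"switchport port-security maximum (\d+)", line)
        if m:
            maximum = int(m.group(1))
        m = re.fullmatch(r"switchport port-security violation (\w+)", line)
        if m:
            violation = m.group(1)
    return enabled, maximum, violation


def audit_port_security(config_text, max_hosts=1):
    """Return {interface: [findings]} for access ports that deviate from the policy."""
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        if "switchport mode access" not in lines:
            continue  # trunks, routed ports and SVIs are out of scope here
        enabled, maximum, violation = port_security_settings(lines)
        problems = []
        if not enabled:
            problems.append("port-security not enabled")
        else:
            if maximum > max_hosts:
                problems.append(f"maximum {maximum} exceeds policy of {max_hosts}")
            if violation != "shutdown":
                problems.append(f"violation mode is {violation}, expected shutdown")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit_port_security(SAMPLE_RUNNING_CONFIG).items():
        print(port)
        for problem in problems:
            print("  -", problem)
```

Run against the sample, the audit flags FastEthernet0/3 (maximum 3, violation protect) and FastEthernet0/4 (no port-security at all), while FastEthernet0/2 passes because it relies on the IOS defaults. On a real switch you would feed it the text captured from "show running-config" instead of the constructed sample.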



From PC0, you can test whether your network is working. Click on PC0, go to Desktop and choose Command Prompt; you will see the window shown above. By pinging the other hosts from PC0 you will see that your network is working properly.

8. Using the Command Prompt, ping the other hosts by issuing the command "PC>ping 192.168.1.2", and likewise for 192.168.1.3 and 192.168.1.1. You will see that the network really is working.

9. To confirm that the network is really working, you will see the replies from these hosts as seen in the figure.



Our configuration job is done here, because port-security is now configured. Now it is time to experiment a little on this network to see whether our security measure works. How do we do that?

10. First, disconnect PC0 from the switch and connect the hub to interface Fa0/4 (Fastethernet 0/4) as shown in the figure.

11. To the hub, connect PC0 and another host named PC4 (in the figure it is named PC5, which is a typo). This is now a clear violation of our security measure that only 1 host may be connected to a single port. It is time to test our security.

12. You may also see, from the switch's point of view, that the port is up and running and ready to use; it may not have seen the violation yet.



It is very obvious that we have a security violation, as shown in the figure. From PC4 we will ping another host, in this example 192.168.1.2.

13. Issue a ping command from PC4: "ping 192.168.1.2".

14. A reply from 192.168.1.2 is seen in the figure, meaning the switch has recognized this host as the one host allowed on its port.



15. Now, let's use PC0 and ping any host other than PC4, for example with "ping 192.168.1.2".

16. And, as expected, "Request Time Out" is seen. This clearly shows that the switch has recognized that on interface fa0/4 there are two hosts present through a hub, which is a clear violation of the restriction. So we have succeeded in configuring the port-security of the switch.

17. The figure clearly shows that the port is already down, as indicated by the red lights on the ports of the switch and the hub.



18. From the switch's perspective, you can also verify that this interface is down. In privileged exec mode, type the command "show ip interface brief", then press enter.

19. You will see the output for the different interfaces, actually all 24 of them. Our concern is Fastethernet 0/4, where the shutdown occurred. If you look at its status, it says "down". That is because of the violation made on the port.

Is there a way to put the down interface back up?

Yes, there is! And as the network administrator you have an advantage: personnel will come up to you apologizing that they did not know there was security on that port and that they were the ones who brought it down, so you don't have to find it yourself, because they are already telling you.

The question is, how do you bring it back up?



20. From privileged exec mode, go to global configuration mode by issuing the command: "configure terminal".

21. From global configuration mode, go to the interface that was shut down, in this case fastethernet 0/4, with the command: "interface fastethernet 0/4".

22. Because of the violation on fastethernet 0/4, this interface was shut down. What we are going to do is manually shut it down before bringing it back up. We do that by issuing the command: "shutdown".

23. Then, on the same interface, bring the interface back to its up state by issuing the command: "no shutdown".

24. You will notice that interface fastethernet 0/4 is up again and ready to be used, as can be seen from the notification given by the switch.

25. And port fa0/4 in the topology changes its color from red to green, indicating that the port or interface is up again.

But if the topology is not changed and the hub is still connected with two or more hosts, the switch will recognize the violation again, and the port will be shut down again and again until you change the topology.
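Steps 18 and 19 verify a violation with "show ip interface brief", and steps 20 to 23 recover the port by hand. On a switch with 24 or more ports a "down" status alone does not tell you why a port is down (an unused port is also down), so the practical check is to cross-reference the violation counters from "show port-security" with the interface status. The following Python script is an added example, not part of the original tutorial: it parses constructed samples of both outputs, lists the ports that have a violation count and are down, and builds the manual recovery sequence from steps 20 to 23 for each of them. The sample outputs, the port names and the function names are assumptions made for this example; the layout of the two show commands follows the real IOS formats.

```python
"""Find switch ports shut down by a port-security violation and build the
manual recovery sequence (shutdown / no shutdown) from the tutorial.
Both sample outputs below are constructed for this example."""
import re

# Constructed sample of `show port-security` (summary) output.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            1                  0         Shutdown
      Fa0/3              1            1                  0         Shutdown
      Fa0/4              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# Constructed sample of `show ip interface brief` output. Fa0/5 is down only
# because nothing is plugged into it, so it must not be "recovered".
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  up                    up
FastEthernet0/3        unassigned      YES unset  up                    up
FastEthernet0/4        unassigned      YES unset  down                  down
FastEthernet0/5        unassigned      YES unset  down                  down
Vlan1                  192.168.1.254   YES manual up                    up
"""

SHORT_TO_LONG = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}


def long_name(short):
    """Expand the abbreviated port name used by `show port-security`
    (Fa0/4) to the full name used by `show ip interface brief`."""
    m = re.fullmatch(r"([A-Za-z]+)(\d.*)", short)
    if not m:
        return short
    return SHORT_TO_LONG.get(m.group(1), m.group(1)) + m.group(2)


def violated_ports(text):
    """Return {full port name: (violation count, action)} for every
    port whose SecurityViolation counter is above zero."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s*$", line)
        if m and int(m.group(4)) > 0:
            result[long_name(m.group(1))] = (int(m.group(4)), m.group(5))
    return result


def down_interfaces(text):
    """Return the set of interface names whose Protocol column is 'down'."""
    down = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[-1] == "down":
            down.add(fields[0])
    return down


def recovery_commands(interface):
    """The manual recovery sequence from steps 20-23: bounce the interface."""
    return ["configure terminal", f"interface {interface}",
            "shutdown", "no shutdown", "end"]


def plan_recovery(port_security_text, ip_int_brief_text):
    """Map each interface that is both violated and down to its recovery commands."""
    down = down_interfaces(ip_int_brief_text)
    plan = {}
    for name, (count, action) in violated_ports(port_security_text).items():
        if name in down:
            plan[name] = recovery_commands(name)
    return plan


if __name__ == "__main__":
    for port, commands in plan_recovery(SHOW_PORT_SECURITY, SHOW_IP_INT_BRIEF).items():
        print(f"{port}: violation detected, recovery sequence:")
        for command in commands:
            print("  " + command)
```

Against the samples only FastEthernet0/4 is selected; FastEthernet0/5 is down but has no violation, and the planned commands are exactly the ones from steps 20 to 23. As the paragraph above notes, bouncing the port is pointless while the hub is still attached, so the plan should be run only after the topology has been corrected.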

I hope that this has been helpful for you, and I will see you next time!

Created by: Engr. Melvin Arceo, ECE, CCNA
