In this article we will perform the following tasks:
- Configuring the IP address and subnet mask
- Setting the IP default gateway
- Enable telnet session for switch
- Enable EtherChannel
- Enable port security
To perform this activity, download this lab topology and load it in Packet Tracer, or create your own topology as shown in the figure.
Configure IP address, subnet mask and default gateway
An IP address and default gateway are used to configure the switch remotely via Telnet or SSH. Without this essential configuration you have to connect to the switch via console cable each time. That is very tedious, as you have to go to the switch each time.
    Switch>enable
    Switch#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)#hostname S1
    S1(config)#interface vlan 1
    S1(config-if)#ip address 10.0.0.10 255.0.0.0
    S1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Vlan1, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
    S1(config-if)#exit
    S1(config)#ip default-gateway 10.0.0.1
Enable Telnet and password protect the line
You can secure a switch by using passwords to restrict various levels of access. Using passwords and assigning privilege levels are simple ways of providing both local and remote terminal access control in a network. Passwords can be established on individual lines, such as the console, and on the privileged EXEC (enable) mode. Passwords are case sensitive. By default there are five VTY ports on the switch, allowing five simultaneous Telnet sessions; note that other Cisco devices might have more than five logical VTY ports. The five VTY ports are numbered 0 through 4 and are referred to all at once as line vty 0 4.
    S1(config)#line console 0
    S1(config-line)#password vinita
    S1(config-line)#login
    S1(config-line)#exit
    S1(config)#line vty 0 4
    S1(config-line)#password vinita
    S1(config-line)#login
    S1(config-line)#exit
    S1(config)#
Enable Switch port security
This feature set allows you (among several other options) to disable a port if more than one MAC address is detected as being connected to the port. This feature is commonly applied to ports that connect security-sensitive devices such as servers. You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
    Switch>enable
    Switch#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)#hostname S2
    S2(config)#interface fastEthernet 0/1
    S2(config-if)#switchport mode access
    S2(config-if)#switchport port-security
    S2(config-if)#switchport port-security maximum 1
    S2(config-if)#switchport port-security mac-address sticky
    S2(config-if)#switchport port-security violation shutdown
    S2(config-if)#exit
    S2(config)#
You can verify port security.
- Click on the red x button on the right-hand portion of the PT window. This will allow you to delete a connection in the topology. Place the x over the connection between Server and S2 and click. The connection should disappear.
- Select the lightning bolt button in the bottom left-hand corner of the PT window to pull up connection types. Click the “copper straight-through” connection. Click the TestPC device and select the FastEthernet port. Next, click on S2 and select port Fa0/1.
- From the command prompt of TestPC type the command ping 10.0.0.4. The ping should fail.
- On S3, enter the command show port-security interface fa0/1.
Port security is enabled, port-status is secure-shutdown, security violation count is 1.
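As an added example (not part of the original article), the Python sketch below audits a saved copy of the switch commands for the two controls covered above: the line passwords and port security. The sample text, the function names and the extra Fa0/2 port are constructed for illustration; `transport input ssh` is a standard IOS line command that does not appear on this page.

```python
# Constructed sample: this page's S2 and line commands, plus an unprotected Fa0/2 for contrast.
SAMPLE = """\
interface fastEthernet 0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
interface fastEthernet 0/2
 switchport mode access
line console 0
 password vinita
 login
line vty 0 4
 password vinita
 login
"""

def sections(config):
    """Map each top-level command to the indented sub-commands under it."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and current:
            out[current].append(line.strip())
        else:
            current = line.strip()
            out[current] = []
    return out

def audit(config):
    """Return (section, finding) pairs for the two controls discussed above."""
    findings = []
    for head, cmds in sections(config).items():
        if head.startswith("interface ") and "switchport mode access" in cmds:
            if "switchport port-security" not in cmds:
                findings.append((head, "access port without port-security"))
        if head.startswith("line "):
            # 'password <word>' with no type digit is stored unencrypted
            if any(c.startswith("password ") and len(c.split()) == 2 for c in cmds):
                findings.append((head, "line password stored in clear text"))
            if head.startswith("line vty") and "transport input ssh" not in cmds:
                findings.append((head, "Telnet not excluded (no 'transport input ssh')"))
    return findings

if __name__ == "__main__":
    for head, finding in audit(SAMPLE):
        print(f"{head}: {finding}")
```

Run against the sample, it reports the unprotected Fa0/2 port, the clear-text password on both lines, and the VTY lines that still accept Telnet, where the password crosses the network unencrypted.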
Configure EtherChannel
EtherChannel allows you to combine switch ports to increase bandwidth. If you connect switch ports without EtherChannel configuration, STP, the switch's built-in function, will shut down one of these ports to avoid a loop. You can download this example topology to practice EtherChannel.
- To enable EtherChannel on DLS1, enter interface range mode for ports F0/11 and F0/12 with the command interface range f0/11 - 12.
- Enter the command switchport mode trunk.
- Enter the command channel-group 1 mode desirable.
- Repeat steps a through c on DLS2.
    DLS1>enable
    DLS1#configure terminal
    DLS1(config)#interface range fastEthernet 0/11 - 12
    DLS1(config-if-range)#switchport mode trunk
    DLS1(config-if-range)#channel-group 1 mode desirable
    DLS1(config-if-range)#exit
    DLS1(config)#exit
    DLS1#