Packet Tracer - Configure Switch Port Security
Addressing Table

| Device       | Interface | IP Address  | Subnet Mask   |
|--------------|-----------|-------------|---------------|
| S1           | VLAN 1    | 10.10.10.2  | 255.255.255.0 |
| PC1          | NIC       | 10.10.10.10 | 255.255.255.0 |
| PC2          | NIC       | 10.10.10.11 | 255.255.255.0 |
| Rogue Laptop | NIC       | 10.10.10.12 | 255.255.255.0 |
Objectives
Part 1: Configure Port Security
Part 2: Verify port security
Topology
Background Information
In this exercise, you will configure and verify port security on the switch. Port security limits ingress traffic on a port by restricting which source MAC addresses are allowed to send frames into that port.
Part 1: Configure Port Security
- Access the command line of S1 and enable port security on Fast Ethernet ports 0/1 and 0/2.
S1(config)#interface range f0/1-2
S1(config-if-range)#switchport port-security
- Set the maximum value so that only one device can access Fast Ethernet ports 0/1 and 0/2.
S1(config-if-range)#switchport port-security maximum 1
- Secure the ports so that the MAC address of the connected device is learned dynamically and added to the running configuration (sticky learning).
S1(config-if-range)#switchport port-security mac-address sticky
- Set up violations so that Fast Ethernet ports 0/1 and 0/2 are not disabled when a violation occurs, but packets from unknown sources are dropped.
S1(config-if-range)#switchport port-security violation restrict
- Disable all remaining unused ports. Tip: Use the range keyword to apply this configuration to all ports simultaneously.
S1(config-if-range)#interface range fa0/3-24, g0/1-2
S1(config-if-range)#shutdown
Part 2: Verify port security
a. Ping PC2 from PC1.
b. Verify that port security is enabled and that the MAC addresses of PC1 and PC2 have been added to the running configuration.
c. Connect the rogue laptop to any unused switch port and notice that the link lights are red.
d. Enable that port and verify that the rogue laptop can ping PC1 and PC2. After verifying this, shut down the port connected to the rogue laptop again.
e. Disconnect PC2 and connect the rogue laptop to PC2's port. Verify that the rogue laptop cannot ping PC1.
f. Display the port security violations for the port the rogue laptop is connected to.
S1#show port-security interface f0/2
g. Disconnect the rogue laptop and reconnect PC2. Verify that PC2 can ping PC1.
h. Why can PC2 ping PC1, but the rogue laptop cannot? With port security enabled on the port, only the device whose MAC address was learned first (PC2) is allowed to send traffic through it; frames from any other source MAC address are dropped.
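Step f is where the lab's evidence lives, so here is an added verification helper (example code, not part of the original lab) that parses the key : value output of `show port-security interface` and checks it against the Part 1 requirements: port security enabled, maximum 1, violation mode restrict. The sample output, the rogue MAC AAAA.BBBB.CCCC and the violation counter are constructed for this example.

```python
# Constructed sample of "show port-security interface f0/2" output in the usual
# IOS key : value layout, taken after a rogue host was plugged into PC2's port.
# The rogue MAC (AAAA.BBBB.CCCC) and the counter value are made up for this example.
SAMPLE_F0_2 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : AAAA.BBBB.CCCC:1
Security Violation Count   : 3
"""

# What Part 1 of the lab requires on f0/1 and f0/2.
LAB_EXPECTED = {
    "Port Security": "Enabled",
    "Violation Mode": "Restrict",
    "Maximum MAC Addresses": "1",
}

def parse_port_security(text):
    """Split 'key : value' lines into a dict; partition on ' : ' rather than ':'
    because one key ('Last Source Address:Vlan') itself contains a colon."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit_port(text):
    """Return findings: drift from LAB_EXPECTED, violations recorded (restrict
    mode keeps counting and stays up), and an err-disabled port status."""
    f = parse_port_security(text)
    findings = [f"{k}: expected {v}, got {f.get(k)}"
                for k, v in LAB_EXPECTED.items() if f.get(k) != v]
    count = int(f.get("Security Violation Count", "0"))
    if count:
        findings.append(f"{count} violation(s); last offending source "
                        f"{f.get('Last Source Address:Vlan', '?')}")
    if f.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled; needs shutdown/no shutdown once cleared")
    return findings

if __name__ == "__main__":
    for finding in audit_port(SAMPLE_F0_2) or ["compliant, no violations"]:
        print(finding)
```

Paste the real `show port-security interface` output in place of the sample to audit a port; an empty result means the port matches the lab configuration and has seen no violations.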
Lab steps:
S1:
S1(config)#interface range f0/1-2
S1(config-if-range)#switchport port-security
S1(config-if-range)#switchport port-security maximum 1
S1(config-if-range)#switchport port-security mac-address sticky
S1(config-if-range)#switchport port-security violation restrict
S1(config-if-range)#interface range fa0/3-24, g0/1-2
S1(config-if-range)#shutdown
S1(config)#interface f0/1
S1(config-if)#switchport port-security mac-address sticky 00E0.B027.2245
S1(config)#interface f0/2
S1(config-if)#switchport port-security mac-address sticky 0001.647C.697E
S1(config-if)#
S1(config-if)#end
S1#
%SYS-5-CONFIG_I: Configured from console by console
S1#wr
Building configuration...
[OK]
PC1:
PC2:
Lab file link: https://pan.baidu.com/s/1pd6R_p_wSuBKI_-UvNx7mQ?pwd=5227
Extraction code: 5227