In this activity, you will configure and verify port security on a switch. Port security allows you to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. Part 1 (Configure Port Security): access the command line for S1 and enable port security on FastEthernet ports 0/1 and 0/2.
5.2.2.8 Packet Tracer – Troubleshooting Switch Port Security
Cisco Switch Port Security Commands
![Packet Tracer Troubleshooting Switch Port Security](/uploads/1/1/7/9/117936266/551566144.png)
Packet Tracer – Troubleshooting Switch Port Security (Answer Version)
Answer Note: Red font color or Gray highlights indicate text that appears in the Answer copy only.
Topology
Scenario
The employee who normally uses PC1 brought his laptop from home, disconnected PC1 and connected the laptop to the telecommunication outlet. After reminding him of the security policy that does not allow personal devices on the network, you now must reconnect PC1 and re-enable the port.
Requirements
- Disconnect Home Laptop and reconnect PC1 to the appropriate port.
- When PC1 was reconnected to the switch port, did the port status change? No
- Enter the command to view the port status. What is the state of the port?
  - S1# show interfaces fa0/1
  - FastEthernet0/1 is down, line protocol is down (err-disabled)
- Which port security command enabled this feature? switchport port-security violation shutdown (this is the default violation mode, so it applies even if it was never typed explicitly)
- Enable the port using the necessary command. An err-disabled port is not administratively down, so it must be shut down and then re-enabled:
  - S1(config)# interface fa0/1
  - S1(config-if)# shutdown
  - S1(config-if)# no shutdown
- Verify connectivity. PC1 should now be able to ping PC2.
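The troubleshooting sequence above, written out as one worked session. This is an added example and not part of the lab's answer key; it assumes the lab topology (PC1 on S1 Fa0/1, the laptop having caused the violation), the MAC addresses in the show output are constructed, and `show interfaces status err-disabled` is a real IOS command that Packet Tracer may not implement.

```cisco
! Added example: diagnosing and clearing the port-security violation on S1 Fa0/1.
! Lines starting with "!" are comments or abbreviated, illustrative output.

! 1. Find err-disabled ports and the reason (real IOS; may be unsupported in Packet Tracer)
S1# show interfaces status err-disabled
! Port      Name    Status        Reason
! Fa0/1             err-disabled  psecure-violation

! 2. Confirm it was port security and identify the offending host.
!    "Last Source Address" is the laptop's MAC, not PC1's (constructed values).
S1# show port-security interface fastEthernet 0/1
! Port Security              : Enabled
! Port Status                : Secure-shutdown
! Violation Mode             : Shutdown
! Maximum MAC Addresses      : 1
! Total MAC Addresses        : 1
! Configured MAC Addresses   : 1
! Last Source Address:Vlan   : 0011.2233.4455:1
! Security Violation Count   : 1

! 3. Check which secure address is still bound to the port (should be PC1's)
S1# show port-security address

! 4. Recover the port. "no shutdown" alone does not clear err-disabled,
!    because the port is not administratively down.
S1# configure terminal
S1(config)# interface fastEthernet 0/1
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end

! 5. Verify: Port Status should now read Secure-up, then ping PC2 from PC1
S1# show port-security interface fastEthernet 0/1
S1# show interfaces fastEthernet 0/1
```

If PC1 is not the address bound to the port (for example, the laptop's MAC was learned as a sticky entry before the violation), the bound address must be removed with `no switchport port-security mac-address <mac>` or `clear port-security dynamic interface fastEthernet 0/1` before the port will stay up; otherwise PC1 itself triggers a new violation.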
Suggested Scoring Rubric
Packet Tracer scores 90 points. Answers to the questions are worth 10 points.
Overview:
Port security can be used on an access interface to identify and limit the MAC addresses of clients that are allowed to send traffic into that port.
Study Notes:
- Port security identifies the MAC addresses of clients allowed to forward traffic through an interface
- Port security is applied to access ports; the port must be statically configured as an access port, since port security is rejected on a port whose switchport mode is dynamic
- Port security cannot be applied to a trunk port
- Port security cannot be applied to the destination port of a SPAN session
- Port security cannot be applied to an EtherChannel/Port-Channel interface
- Port security and static MAC configuration are mutually exclusive
- By default:
  - Port security is turned off
  - The maximum number of secure MAC addresses is 1
  - When a violation occurs the port is shut down (placed in the err-disabled state)
  - Aging is disabled
  - Aging type is absolute
  - Static aging is disabled
  - Sticky learning is disabled
- If the number of MAC addresses statically configured on a port is less than the maximum, the remaining addresses are learned dynamically
- If a port shuts down, all dynamically learned secure MAC addresses are removed
- Sticky learning lets an interface retain dynamically learned MAC addresses when the interface goes down and is brought back online; sticky addresses are written into the running configuration, so they survive a switch restart only if the configuration is saved
- To recover a port from err-disabled, you must shut and no shut it (or enable automatic err-disable recovery for the psecure-violation cause)
- Port-security violation modes:

| Mode | Behavior |
| --- | --- |
| protect | Drops all the packets from insecure hosts at the port-security process level; does not increment the security-violation count and sends no notification |
| restrict | Drops all the packets from insecure hosts at the port-security process level, increments the security-violation count, and sends a syslog message and SNMP trap |
| shutdown | Shuts down the port (err-disabled) if there is a security violation; this is the default |
CCNA exam topic 6.1 (configure, verify and troubleshoot port security):

| Topic | Description |
| --- | --- |
| 6.1.a Static / 6.1.b Dynamic | Set the MAC addresses that are allowed to use the port. If fewer than the maximum are set statically, the remaining addresses are learned dynamically. |
| 6.1.c Sticky | Enable sticky learning on the interface, so dynamically learned addresses are written to the running configuration. |
| 6.1.d Maximum MAC Addresses | Set the number of MAC addresses allowed to use this port. |
| 6.1.e Violation Actions | Set the action to be taken when port security is violated (protect, restrict or shutdown). |
| 6.1.f Err-disabled recovery | Once port security is violated on an interface in shutdown mode, the interface goes to err-disabled and must be returned to normal before it forwards traffic again. |
Verification commands
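The study notes and the 6.1.a to 6.1.f table above list what port security does but not the commands; the following is an added example (not from the lab or from Cisco's documentation) that configures every one of those items on a second port and then runs the verification commands. Assumptions: switch S1, a host on Fa0/2, the static MAC address 0001.0203.0405 is constructed, and the `errdisable recovery` commands are real IOS commands that Packet Tracer may not accept.

```cisco
! Added example: configuring 6.1.a-6.1.f on S1 Fa0/2 and verifying the result.
! Lines starting with "!" are comments.

S1# configure terminal
S1(config)# interface fastEthernet 0/2
! Port security is rejected on a dynamic port, so pin the mode first
S1(config-if)# switchport mode access
! Enable port security; defaults are maximum 1 and violation shutdown
S1(config-if)# switchport port-security
! 6.1.d maximum: allow two devices (e.g. an IP phone plus the PC behind it)
S1(config-if)# switchport port-security maximum 2
! 6.1.a static: bind one address explicitly (constructed value)
S1(config-if)# switchport port-security mac-address 0001.0203.0405
! 6.1.c sticky: the second address is learned dynamically (6.1.b) and
! converted to a sticky entry in the running configuration
S1(config-if)# switchport port-security mac-address sticky
! 6.1.e violation action: restrict drops, counts and logs without err-disabling
S1(config-if)# switchport port-security violation restrict
! Optional aging so a replaced device does not leave a stale dynamic entry
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# exit
! 6.1.f err-disabled recovery: for ports left in shutdown mode (such as Fa0/1),
! let the switch re-enable them automatically after the recovery interval
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! Sticky addresses survive a reload only if the configuration is saved
S1# copy running-config startup-config

! Verification commands
! Per-switch summary: max/current/violation counts and mode for every secure port
S1# show port-security
! Per-port detail: Port Status (Secure-up / Secure-shutdown), last source address
S1# show port-security interface fastEthernet 0/2
! Secure address table, showing Static, Dynamic and Sticky entries
S1# show port-security address
! The sticky address appears here as switchport port-security mac-address sticky <mac>
S1# show running-config interface fastEthernet 0/2
! Recovery settings and any ports currently waiting to be re-enabled
S1# show errdisable recovery
S1# show interfaces status err-disabled
```

The violation mode is the setting to choose deliberately: `shutdown` (the lab's mode) takes the port offline and needs a manual or timed recovery, while `restrict` keeps legitimate hosts working and still raises a syslog message and SNMP trap that a monitoring system can alert on.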
Packet Tracer lab file: CCNA-6.1-Configure-verify-and-troubleshoot-port-security.pkt