CISCO Port Security at work | Commands and tutorial for beginners (Packet Tracer)

Captions
Hello guys, welcome back to the channel. For today's video we are going to be talking about switch port security: how port security is applied in the workplace and what the best practices are when using port security at work. I'm also going to show you the port security Cisco commands and a home lab example so you can try it out in Packet Tracer at home, and also the verification commands that we can use to test that port security works. So if you're interested in today's video, please keep on watching, and without further ado, let's get started.

Of course, implementing network port security is essential in the workplace. It's not enough to just set up our switches at work with configurations; we also have to secure our network. First of all, we would like to protect our network from unauthorized access. We don't want users bringing in rogue devices that they can just plug into the network and risk the security of our network. Also, in my workplace we apply port security because we don't want the users moving the computers around anywhere they like, because it's really hard to keep track of the assets: where I work, the host name of the computer is usually the room number, so if users swap the computers because something is not working, which happens a lot of times, it'll be really hard to track those devices. So we would like to lock our port to just the one machine that is assigned to the room.

There are a lot of ways we can secure our network. We can implement VLANs, which segment network access and resources based on user control and permissions. We can also encrypt network traffic and enforce strong authentication. But in this case we are going to be talking about enabling port security on our switch ports and disabling unused ports.

Okay, so for best practices for port security at work, let's start with the simplest one to implement, which is to disable unused ports. For example, there may be empty offices or cubicles in the workplace that are not being occupied for a long time. Another example at work is when we set up an access point for guests or visitors: when we're not using the access point we usually just shut down the port, and then when we set up the access point we just re-enable the port and disable it again after we use it, to prevent unauthorized access. That's the easiest and simplest way you can implement port security. The way to do it is just to go onto the port interface, get the interface number, and do a shutdown command on the switch port. That way, even if they plug in any rogue devices or any company assets, they still won't have access because the port is down.

The next best practice is to enable port security, where we can use features like MAC filtering and port lockdown. This is a more complicated process because you have to configure more commands compared to just disabling the unused ports, so let's get started talking about enabling port security.

Okay, so moving on, if you're going to enable port security on your switch ports, you should know which security mode you're going to use. There are three security modes, or port security violation modes: shutdown, protect, and restrict. The shutdown mode is the default mode. In this mode, if an unauthorized device is plugged into the switch port, the port will immediately be disabled, or shut down, and it won't be re-enabled unless you manually re-enable it. Next is the protect mode. In this mode the switch port will permit the traffic from the known MAC addresses, the MAC addresses from your network, and it will drop the traffic from an unknown MAC address, and in this mode no notification messages will be sent if a violation happens. The restrict mode is the same as protect mode, where it will permit the known MAC addresses and drop the unknown MAC addresses, but the difference is that it will send a notification if a violation happens.

Port security also has a MAC filtering feature that allows you to specify how many devices you can allow on the switch port, and also to specify and assign the specific MAC address for the device that you're going to allow on the port. You can set the maximum number that you can allow up to 132. In setting up MAC addresses on your port for port security, there are also different ways to do it, and the three ways are doing it statically, dynamically, and using MAC address sticky.

For static, you can type in the actual MAC address of the machine that you want to be allowed on the switch port, and that static MAC address will be stored in the running configuration; you can save it to the startup configuration if you want to save it permanently. For dynamic, this is learned by connecting the device to the switch port, so the first one that you plug into the switch port is the one that will be dynamically learned by the switch. You won't have to type in the exact MAC address for the machine; the switch will just learn it dynamically. These MAC addresses will only be saved to the MAC address table, and when the switch reboots you will lose everything that's stored in that address table. For the third one, MAC address sticky, this is a hybrid, like a combination of dynamic and static. The difference is that you don't have to type in the MAC address statically or manually; the MAC address will be learned dynamically and then the address will be saved onto the address table and the running config, which you can save later on permanently, if you want, in the startup configuration. Most companies, and especially my company, use MAC address sticky because it is more tedious to do it the static way, where you have to type in everything manually. At least this way it is dynamically learned, and then we can just save the configuration to the startup config if you want to store it there permanently.

Okay, so this is an example of a home lab that you can do in Packet Tracer to practice port security. It's very simple: we just need a switch and a few computers to connect and enable port security on, and we also need some extra computers, like a laptop for example, or a PC, that can act as a rogue device. Before we enable port security and configure the switch with the commands, I just want to show you what the default port security looks like. I'm just going to go on the switch, get into privileged exec mode, and type in a command to verify port security, which is show port-security. If you press enter, nothing will show, because we haven't enabled port security on any ports here yet. Another way to see what the defaults are like is to add an interface to that command, show port-security interface and then the interface number, for example fa0/1, which is our first port. As you can see here, the violation mode is shutdown, because the port security violation mode default is shutdown, so you really don't have to set that up or enable it.

For this lab we are going to have a few different scenarios or situations where we can use the port security features, and when we are configuring this we are going to use different parameters: the maximum value that you can allow on a switch port, the switch port security violation mode (shutdown, protect, and restrict), and of course how we will set up the MAC address in the different ways, statically, dynamically, or using MAC address sticky. For the first scenario we are going to set up the device MAC address as static, and the violation mode will be protect. Just take note before we start configuring the switch with port security that port security is disabled by default, so you have to manually enable it using commands, and also you can only configure port security on access ports; you can't do this on trunk ports or EtherChannel ports.

Okay, so for the first scenario we need to set up the MAC address statically, and we can do it on this first PC and on this first interface, fa0/1. The first step is for us to find out what the MAC address of this computer is. We can click on the computer and go to the Config tab, and on the left side there's FastEthernet; when you click on that, that's where you can see the MAC address. That's how you can find the MAC address for the PC.

Okay, so let's do the commands now. Let's go to the switch, type in enable, get into configure terminal, and then type in the interface number, which would be interface fa0/1. Now that we're here, just make sure to type in switchport mode access first, setting up our interface as an access port. The next command is to enable port security, so you should type in switchport port-security and press enter. There, we have enabled port security. The next parameter we are going to set is the maximum number of machines we're going to allow on the switch port. The command will be switchport port-security maximum, and you can type in a number from 1 to 132, which is the maximum. For here let's just say 2, we are allowing two, and press enter. For the next parameter we can specify what kind of violation mode we want. Since shutdown is the default, we really don't have to type in shutdown if that's what we're going to use, but since we're using protect we have to explicitly type it in: switchport port-security violation protect, because we want to specify that we want protect, and press enter. That's it for the security mode. Next, since we're going to do the static method here for the MAC address, let's type in the command switchport port-security mac-address followed by the MAC address of the machine. Earlier we looked it up; let's open it up again, it should be in Config, FastEthernet, and let's just look at it side by side. What you can do is copy and paste it here just to make it easier. All right, and press enter. I think I've already tried setting it up earlier, I just wanted to show you how, but yeah, if there is a duplicate it will tell you. That should work now for this port.

What we can do next is to verify that our command works, so we have port security verification commands as well. We can exit out of these modes, and when we're back in privileged exec mode we can type in show port-security interface and the interface number, fa0/1. It should show us that port security is now enabled, the port status is Secure-up, we have set up protect for the violation mode, and also the maximum MAC addresses is now 2. Earlier the default violation mode was shutdown and the maximum MAC addresses was 1, so now it has changed because we have enabled port security. I also assigned IP addresses on these machines because we're going to be pinging them just to see if they can communicate with each other. There's no reason why they can't, so they should be able to talk to each other for now, because they're not violating any security mode here.

Okay, so another verification command aside from the one that I showed you earlier is show port-security. Just type show port-security and press enter, and it will show you how many ports have port security set up; for now we only have one, for the first port. It will show you the details, like how many MAC addresses are allowed, how many violations happened, and what security action or security mode it's using. For now, for this port, it's the protect mode, so that will show in there. Another verification command that we can use here is show port-security address, and it will show you the MAC addresses that were saved in the MAC address table, so you can see here the MAC address and which port it's configured on. Those are the three verification commands we can use to check if port security is working.

Okay, so let's now move on to the next scenario. For example, we want to use MAC address sticky instead of typing in the MAC address manually, and we also want to use the shutdown violation mode here. We're going to do it on this next PC and on this interface, which should be the second interface. The first step is to enable port security, so let's go, oops, to config, and type in the interface number, which is fa0/2. Then just make sure that this is an access port, so I'm going to type in switchport mode access, and then type in switchport port-security and press enter to enable port security. Then we want to do MAC address sticky, so type switchport port-security mac-address and then just the word sticky; this is what we are going to type instead of the actual MAC address of the machine, and press enter. Since shutdown is the default for port security, we don't really have to type in the violation mode.

Okay, so what we can do now is the verification commands. If we type in show port-security interface and the port number, fa0/2, we can see that port security is now enabled and the violation mode is shutdown. Even if we didn't explicitly type it in, it should be the default, so we don't really have to do that command, and the maximum MAC addresses is 1, so that's accurate. Then we can also use the other verification commands. Next is show port-security, and as you can see now we have two ports here that are enabled with port security. Earlier it was just one; now we have one for the first and one for the second interface, and as you can see there's a difference in the security action, or security mode, and in the maximum addresses. That's how you can check that you have enabled port security and that it works. We're just going to ping the other machine so that the switch can learn what the MAC address of that machine is. After pinging, let's go back to the switch and type in the next verification command, which is show port-security address, and as you can see there are now two MAC addresses here, and you can see the type, which is how we entered the MAC address. Here, if it's SecureConfigured, it means that it's static, and you can see that this one is sticky because it was dynamically learned. So those are the three verification commands that you can use to check port security.

All right, so let's test it out now, whether our port security here works, after verifying it. We do have different machines here that can act as rogue machines, for example. What I'm going to do is connect this PC into the second port and see what's going to happen, because on this port we only allowed one device to send traffic on the switch port. Okay, so let's see what's going to happen if I connect a different machine to the second interface here. I removed it from this computer; now let's plug it in and connect it to interface two. As you can see, the indicator light becomes red immediately, because our violation mode here is shutdown, so it won't be able to talk to any computers; the port is automatically shut down because that is the violation mode. Let's go and check on the switch. We can use the verification command show port-security interface and then the interface number fa0/2, and as you can see here we have a security violation count of 1, because this is the first time that it was violated, and it has a record here now that a violation happened. That's how you can check on it, and I think that's how you can really test that port security works.

Okay, so what if we plug in the actual machine that we allowed here and see what's going to happen to the second port? As you can see, it is still showing the red indicator light, which means that, like what we talked about earlier, if the port was shut down because of the violation mode, we have to re-enable the switch port manually. So we have to manually re-enable it: let's do a shutdown here and then a no shutdown. So if it happens that someone has plugged into a port that has port security set to shutdown, that's what you're going to do: set it manually to shutdown first and then change it back with no shutdown after. As you can see, the light is changing to green here, which means that it has been re-enabled.

Okay, so what you can also do, if you are trying to enable port security on multiple ports in the switch, is to use a range. If you go to configure terminal and type in interface range and the port where you will start enabling port security, for example fa0/3, until the last port that you want to enable port security on, for example 10, that's it: you can enable it on multiple ports with just one single command, so you don't have to do it on all of the ports one by one, especially if you have a lot of ports, like 72 ports in the building or more. At least here you can do it all at once: just type in the same commands, switchport port-security violation protect, for example, and then switchport port-security mac-address sticky, because you want it the same for all of the ports. So that's an easy way to enable port security.

Okay, so that would be it for today's video. I hope you learned something: the different commands that you can use in enabling port security, the different methods of setting up the MAC address, the different security modes and the different parameters that you can use in port security, and also the verification commands. If you have any questions, please don't hesitate to leave them in the comments section below, and I hope to see you guys in my next video. Thank you so much for watching.
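As an added example (this is not code from the video or from Cisco), here is a small Python script that ties the two halves of the lab together: a generator for the interface commands typed in the video, with validation of the maximum (1 to 132) and of the violation mode, and a parser for the show port-security summary table so violation counts can be audited across a whole switch instead of one interface at a time. The function names, the sample show port-security output and the MAC address in the test are my own constructed illustrations; the table layout is modelled on the IOS summary and is assumed, not captured from a real switch.

```python
"""Port-security lab helpers (added example, not from the video).

Piece 1 builds the IOS interface commands the video enters by hand,
refusing values the switch would reject. Piece 2 parses the per-port
rows of 'show port-security' and flags ports that recorded a violation,
with the operator action the video describes for each mode.
"""
import re

VIOLATION_MODES = ("shutdown", "protect", "restrict")
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def port_security_config(interface, maximum=1, violation="shutdown",
                         static_mac=None, sticky=False):
    """Return the IOS lines for one interface or an 'interface range'.

    Order mirrors the video: access mode, enable port-security, maximum,
    violation (omitted when it is the shutdown default), then the static
    or sticky MAC learning method.
    """
    if not 1 <= maximum <= 132:          # range the video quotes for the lab switch
        raise ValueError("maximum must be between 1 and 132")
    if violation not in VIOLATION_MODES:
        raise ValueError(f"violation must be one of {VIOLATION_MODES}")
    if static_mac and sticky:
        raise ValueError("choose a static MAC or sticky learning, not both")
    if static_mac and not MAC_RE.match(static_mac):
        raise ValueError("MAC must be dotted hex, e.g. 0001.9633.1e0a")
    lines = [
        f"interface {interface}",
        " switchport mode access",        # port-security only applies to access ports
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
    ]
    if violation != "shutdown":          # shutdown is the default, so it is left out
        lines.append(f" switchport port-security violation {violation}")
    if static_mac:
        lines.append(f" switchport port-security mac-address {static_mac.lower()}")
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    return lines


# Constructed sample of the 'show port-security' summary for the lab switch.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Protect
      Fa0/2              1            1                  1        Shutdown
      Fa0/3              1            1                  3         Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# One data row: port, three integer counters, then the action word.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_show_port_security(text):
    """Parse the per-port rows into dicts; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            port, mx, cur, viol, action = m.groups()
            rows.append({"port": port, "max": int(mx), "current": int(cur),
                         "violations": int(viol), "action": action.lower()})
    return rows


def audit_port_security(rows):
    """Return (port, violation count, operator note) for every port that tripped.

    Protect drops offending traffic without any notification, so this counter
    is the only trace; shutdown leaves the port down until it is re-enabled
    by hand with 'shutdown' followed by 'no shutdown'.
    """
    findings = []
    for r in rows:
        if r["violations"] == 0:
            continue
        if r["action"] == "shutdown":
            note = "port is down; recover with 'shutdown' then 'no shutdown'"
        elif r["action"] == "protect":
            note = "traffic dropped silently; check which device was plugged in"
        else:
            note = "traffic dropped and a notification was sent"
        findings.append((r["port"], r["violations"], note))
    return findings


if __name__ == "__main__":
    # Scenario 1 from the video: static MAC, protect mode, two addresses allowed.
    print("\n".join(port_security_config("fa0/1", maximum=2, violation="protect",
                                         static_mac="0001.9633.1e0a")))
    # Bulk version for the range shown at the end of the video.
    print("\n".join(port_security_config("range fa0/3 - 10", violation="protect",
                                         sticky=True)))
    for port, count, note in audit_port_security(
            parse_show_port_security(SHOW_PORT_SECURITY)):
        print(f"{port}: {count} violation(s): {note}")
```

Running the script prints the two configuration blocks and then two findings, for Fa0/2 (shutdown, needs the manual shutdown / no shutdown) and Fa0/3 (protect, three silent drops). The audit is the part worth keeping: on a switch with many ports in protect mode, the violation counter in this table is the only place the event shows up.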
Info
Channel: East Charmer
Views: 20,161
Id: xEDXzhRuq5k
Length: 21min 39sec (1299 seconds)
Published: Sun Feb 11 2024