Port security adds an additional layer of security to a LAN. It is used to secure individual switch ports. In this
article we explain port security with examples and illustrate how a switch locks down a port based on MAC
address to prevent unauthorized access. For demonstration purposes we use the Packet Tracer network
simulator.
Port Security
Anyone can access an unsecured network by simply plugging a host into one of the available switch ports. A
user can also change physical location within the LAN without telling the admin. With port security you can
secure layer-two access and keep users on their assigned ports. Thus the port security feature enhances LAN
security.
Create a simple topology as illustrated in the following figure.
Click PC0, click Desktop, click IP Configuration, select Static from the radio options and assign the IP
address (10.0.0.10) and subnet mask (255.0.0.0).
Follow the same process to assign IP address (10.0.0.20) and subnet mask (255.0.0.0) to PC1.
Click Server0, click Desktop, click IP Configuration, select Static from the radio options and assign IP
address (10.0.0.100) and subnet mask (255.0.0.0).
A port is secured from interface configuration mode. Use the enable command to move into Privileged Exec mode.
From Privileged Exec mode use the configure terminal command to enter Global Configuration mode. From global
configuration mode enter the specific interface.
Port security will not work on three types of ports.
1. Trunk ports
2.
Switch>enable
Switch#configure terminal
Switch(config)#interface fastethernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
We have successfully secured port F0/1 of the switch. We used the dynamic address learning feature of the
interface: the switch will associate the first MAC address learned on F0/1 with this port. You can check the MAC
address table for the currently associated address.
So far no MAC address is associated with port F0/1. The switch learns MAC addresses from incoming frames.
See our following article to learn how a switch learns MAC addresses and builds its MAC address table.
One interesting thing you may notice here is the type. The switch learned this address dynamically, but it is shown
as STATIC. This is the effect of the sticky option we used with the port-security command: the sticky option
automatically converts a dynamically learned address into a static address.
Click the red X button in the right-hand partition of the Packet Tracer window and place the X over the connection
between the switch and PC0. This removes the connection.
Click the lightning bolt button in the bottom left-hand corner and click Copper Straight-Through connection.
Click PC1 and select its FastEthernet port. Next click the switch and select the same F0/1 port.
From the command prompt of PC1, try to ping the server IP.
What happened this time? Why did the ping command get no response from the server? Because the switch
detected the MAC address change and shut down the port.
show port-security
This command displays port security information for all interfaces on the switch.
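The following is an added illustration (not code from the article or from Cisco) that models what the switch is doing in the configuration, sticky-learning and violation steps above: the first source MAC seen on the port is locked in, a sticky address is reported as STATIC, and a frame from a different MAC on a port whose maximum is already reached triggers the configured violation action. It goes slightly beyond the article by covering all three IOS violation modes (protect, restrict, shutdown), following Cisco's documented semantics; running_config() emits real IOS command text, the MAC addresses in article_scenario() are constructed samples, and the field names in show_port_security() are an assumption modelled on the show port-security output.

```python
"""Behavioural model of Cisco IOS switch-port security.

Added illustration, not Cisco's code or the article's own. The IOS command
text returned by running_config() uses real IOS syntax; the learning,
sticky and violation-mode behaviour follows Cisco's documented semantics
(protect: silently drop; restrict: drop and count; shutdown: err-disable
the port). MAC addresses used in the scenario are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str = "FastEthernet0/1"
    maximum: int = 1                  # IOS default: one secure MAC per port
    sticky: bool = False              # 'switchport port-security mac-address sticky'
    violation: str = "shutdown"       # IOS default violation mode
    secured: list = field(default_factory=list)
    status: str = "Secure-up"
    violation_count: int = 0

    def running_config(self):
        """IOS interface configuration equivalent to this object's settings
        (defaults are omitted, as IOS omits them from the running-config)."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        return lines

    def mac_table_type(self, mac):
        """Type shown for this MAC in 'show mac address-table': sticky
        addresses appear as STATIC even though they were learned."""
        if mac not in self.secured:
            return None
        return "STATIC" if self.sticky else "DYNAMIC"

    def receive(self, src_mac):
        """Process one ingress frame; return what the switch did with it."""
        if self.status == "Secure-shutdown":
            return "dropped"              # err-disabled port forwards nothing
        if src_mac in self.secured:
            return "forwarded"
        if len(self.secured) < self.maximum:
            self.secured.append(src_mac)  # first learned address is locked in
            return "learned"
        # An unknown source MAC beyond the maximum is a security violation.
        if self.violation == "protect":
            return "dropped"              # silent: no counter, no log
        self.violation_count += 1         # restrict and shutdown both count
        if self.violation == "restrict":
            return "dropped"
        self.status = "Secure-shutdown"   # port goes err-disabled
        return "err-disabled"

    def show_port_security(self):
        """Summary fields in the spirit of 'show port-security interface'
        (assumed field names, not a verbatim copy of IOS output)."""
        return {
            "Port Status": self.status,
            "Violation Mode": self.violation,
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secured),
            "Security Violation Count": self.violation_count,
        }


def article_scenario():
    """Replay the article's walkthrough: PC0 on F0/1 with sticky learning,
    then the cable moved to PC1 on the same port."""
    port = SecurePort(sticky=True)
    pc0_mac = "0001.4200.0a10"       # constructed sample MAC for PC0
    pc1_mac = "0001.4200.0a20"       # constructed sample MAC for PC1
    port.receive(pc0_mac)            # PC0 pings the server: address learned
    port.receive(pc0_mac)            # subsequent frames are forwarded
    outcome = port.receive(pc1_mac)  # PC1 plugged into F0/1: violation
    return port, outcome


if __name__ == "__main__":
    port, outcome = article_scenario()
    print("\n".join(port.running_config()))
    print(outcome, port.show_port_security())
```

Running the module replays the article's steps and prints the equivalent interface configuration followed by the outcome for PC1's first frame ("err-disabled") and the summary counters; changing the violation argument to "restrict" or "protect" shows why those modes keep the port up while still refusing the second host.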