Cisco CCNA Training/Exam Tips that are helpful for your Certification Exam!
To be Cisco Certified please Check out:
http://asmed.com/information-technology-it/
Cisco CCNA Port Security
1. CISCO CCNA PORT SECURITY
TO WATCH OUR CISCO CCNA VIDEO TRAININGS PLEASE CHECK OUT THE LINK BELOW:
WWW.ASMED.COM/C1
ASM EDUCATIONAL CENTER INC. (ASM)
WHERE TRAINING, TECHNOLOGY & SERVICE CONVERGE
PHONE: (301) 984-7400
ROCKVILLE,MD
3. CISCO CCNA PORT SECURITY
HERE IS WHAT I HAVE:
PC1=10.10.10.1
PC2=10.10.10.2
PC3=10.10.10.3 CONNECTED TO PORT F0/3 WHICH IS LOCATED IN LOBBY
HACKER=10.10.10.4
THE GOAL IS TO PROTECT PORT F0/3, LOCATED IN THE LOBBY, AND
MAKE SURE ONLY PC3 (SALES3) IS ABLE TO CONNECT AND DO ITS WORK.
HINT: GO TO INT F0/3 AND START WITH SWITCHPORT ?
4. CISCO CCNA PORT SECURITY
STEP 1) MAKE SURE YOU ENABLE PORT-SECURITY
SW1(CONFIG)#
SW1(CONFIG)#INT F0/3
SW1(CONFIG-IF)#SWITCHPORT ?
ACCESS SET ACCESS MODE CHARACTERISTICS OF THE INTERFACE
MODE SET TRUNKING MODE OF THE INTERFACE
NATIVE SET TRUNKING NATIVE CHARACTERISTICS WHEN INTERFACE IS IN TRUNKING MODE
NONEGOTIATE DEVICE WILL NOT ENGAGE IN NEGOTIATION PROTOCOL ON THIS INTERFACE
PORT-SECURITY SECURITY RELATED COMMAND
PRIORITY SET APPLIANCE 802.1P PRIORITY
TRUNK SET TRUNKING CHARACTERISTICS OF THE INTERFACE
VOICE VOICE APPLIANCE ATTRIBUTES
SW1(CONFIG-IF)#SWITCHPORT PORT
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY ?
MAC-ADDRESS SECURE MAC ADDRESS
MAXIMUM MAX SECURE ADDRESSES
VIOLATION SECURITY VIOLATION MODE
<CR>
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY
COMMAND REJECTED: FASTETHERNET0/3 IS A DYNAMIC PORT.
SW1(CONFIG-IF)#SW
6. CISCO CCNA PORT SECURITY
SW1(CONFIG-IF)#SWITCHPORT MO
SW1(CONFIG-IF)#SWITCHPORT MODE ACC
SW1(CONFIG-IF)#SWITCHPORT MODE ?
ACCESS SET TRUNKING MODE TO ACCESS UNCONDITIONALLY
DYNAMIC SET TRUNKING MODE TO DYNAMICALLY NEGOTIATE ACCESS OR TRUNK MODE
TRUNK SET TRUNKING MODE TO TRUNK UNCONDITIONALLY
SW1(CONFIG-IF)#SWITCHPORT MODE DY
SW1(CONFIG-IF)#SWITCHPORT MODE DYNAMIC ?
AUTO SET TRUNKING MODE DYNAMIC NEGOTIATION PARAMETER TO AUTO
DESIRABLE SET TRUNKING MODE DYNAMIC NEGOTIATION PARAMETER TO DESIRABLE
SW1(CONFIG-IF)#SWITCHPORT MODE ACC
SW1(CONFIG-IF)#SWITCHPORT MODE ACCESS
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY
7. CISCO CCNA PORT SECURITY
HINT: BEFORE YOU DO THE ABOVE, MAKE SURE YOU HAVE SET THE PORT MODE TO ACCESS; ON A DYNAMIC PORT THE COMMAND IS REJECTED.
STEP 2) DEFINE HOW MANY MAC ADDRESSES CAN BE CONNECTED.
THE DEFAULT IS 1; BECAUSE IT IS THE DEFAULT VALUE, IT DOES NOT APPEAR IN SHOW RUN.
SW1#CONFIG T
ENTER CONFIGURATION COMMANDS, ONE PER LINE. END WITH CNTL/Z.
SW1(CONFIG)#INT F0/3
SW1(CONFIG-IF)#SW
SW1(CONFIG-IF)#SWITCHPORT PO
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY ?
MAC-ADDRESS SECURE MAC ADDRESS
MAXIMUM MAX SECURE ADDRESSES
VIOLATION SECURITY VIOLATION MODE
<CR>
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY MAX
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY MAXIMUM ?
<1-132> MAXIMUM ADDRESSES
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY MAXIMUM 2
8. CISCO CCNA PORT SECURITY
STEP 3) TELL THE SWITCH THE MAC ADDRESS OF THE CONNECTED PC.
HINT: I CAN DO THIS IN TWO WAYS:
• STATICALLY
• DYNAMICALLY, USING THE KEYWORD STICKY
9. CISCO CCNA PORT SECURITY
SW1(CONFIG-IF)#SW
SW1(CONFIG-IF)#SWITCHPORT PO
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY ?
MAC-ADDRESS SECURE MAC ADDRESS
MAXIMUM MAX SECURE ADDRESSES
VIOLATION SECURITY VIOLATION MODE
<CR>
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY MAC
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY MAC-ADDRESS ?
H.H.H 48 BIT MAC ADDRESS
STICKY CONFIGURE DYNAMIC SECURE ADDRESSES AS STICKY
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY MAC-ADDRESS ST
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY ?
H.H.H 48 BIT MAC ADDRESS
<CR>
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY
SW1(CONFIG-IF)#
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY MAC-ADDRESS ?
H.H.H 48 BIT MAC ADDRESS
STICKY CONFIGURE DYNAMIC SECURE ADDRESSES AS STICKY
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY MAC-ADDRESS 2222.2222.2222
10. CISCO CCNA PORT SECURITY
STEP 4) TELL THE SWITCH WHAT KIND OF ACTION TO TAKE ON A VIOLATION
SW1(CONFIG-IF)#
SW1(CONFIG-IF)#SW
SW1(CONFIG-IF)#SWITCHPORT PO
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY ?
MAC-ADDRESS SECURE MAC ADDRESS
MAXIMUM MAX SECURE ADDRESSES
VIOLATION SECURITY VIOLATION MODE
<CR>
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY VIOL
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY VIOLATION ?
PROTECT SECURITY VIOLATION PROTECT MODE
RESTRICT SECURITY VIOLATION RESTRICT MODE
SHUTDOWN SECURITY VIOLATION SHUTDOWN MODE
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY VIOLATION SHUR
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY VIOLATION SHUT
SW1(CONFIG-IF)#SWITCHPORT PORT-SECURITY VIOLATION SHUTDOWN
11. CISCO CCNA PORT SECURITY
HINT: THE DEFAULT IS SHUTDOWN, SO AS WE SEE IN THE SHOW RUN, IT DOES NOT
SHOW UP.
INTERFACE FASTETHERNET0/3
SWITCHPORT MODE ACCESS
SWITCHPORT PORT-SECURITY
SWITCHPORT PORT-SECURITY MAXIMUM 2
SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY
SWITCHPORT PORT-SECURITY MAC-ADDRESS 2222.2222.2222
!
12. CISCO CCNA PORT SECURITY
AS WE SEE, THE DEFAULT VIOLATION MODE (SHUTDOWN) IS NOT LISTED ABOVE.
NOW I GO AND PING PC3:
PC>PING 10.10.10.3
PINGING 10.10.10.3 WITH 32 BYTES OF DATA:
REPLY FROM 10.10.10.3: BYTES=32 TIME=109MS TTL=128
REPLY FROM 10.10.10.3: BYTES=32 TIME=62MS TTL=128
REPLY FROM 10.10.10.3: BYTES=32 TIME=63MS TTL=128
REPLY FROM 10.10.10.3: BYTES=32 TIME=62MS TTL=128
PING STATISTICS FOR 10.10.10.3:
PACKETS: SENT = 4, RECEIVED = 4, LOST = 0 (0% LOSS),
APPROXIMATE ROUND TRIP TIMES IN MILLI-SECONDS:
MINIMUM = 62MS, MAXIMUM = 109MS, AVERAGE = 74MS
PC>
13. CISCO CCNA PORT SECURITY
NOW LET’S LOOK AT SHOW RUN:
INTERFACE FASTETHERNET0/3
SWITCHPORT MODE ACCESS
SWITCHPORT PORT-SECURITY
SWITCHPORT PORT-SECURITY MAXIMUM 2
SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY
SWITCHPORT PORT-SECURITY MAC-ADDRESS 2222.2222.2222
SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY 00D0.D320.E74C
14. CISCO CCNA PORT SECURITY
HERE IS THE PORT BEFORE ANY VIOLATIONS:
SW1#SHOW PORT
SW1#SHOW PORT-SECURITY INT F0/3
PORT SECURITY : ENABLED
PORT STATUS : SECURE-UP
VIOLATION MODE : SHUTDOWN
AGING TIME : 0 MINS
AGING TYPE : ABSOLUTE
SECURESTATIC ADDRESS AGING : DISABLED
MAXIMUM MAC ADDRESSES : 2
TOTAL MAC ADDRESSES : 2
CONFIGURED MAC ADDRESSES : 1
STICKY MAC ADDRESSES : 1
LAST SOURCE ADDRESS:VLAN : 00D0.D320.E74C:1
SECURITY VIOLATION COUNT : 0
15. CISCO CCNA PORT SECURITY
NOW I WILL REMOVE THE CABLE FROM PC3, AND THE HACKER WILL COME AND CONNECT TO PORT
F0/3:
SW1#SHOW PORT-SECURITY INT F0/3
PORT SECURITY : ENABLED
PORT STATUS : SECURE-SHUTDOWN
VIOLATION MODE : SHUTDOWN
AGING TIME : 0 MINS
AGING TYPE : ABSOLUTE
SECURESTATIC ADDRESS AGING : DISABLED
MAXIMUM MAC ADDRESSES : 2
TOTAL MAC ADDRESSES : 2
CONFIGURED MAC ADDRESSES : 1
STICKY MAC ADDRESSES : 1
LAST SOURCE ADDRESS:VLAN : 00E0.A38B.4828:1
SECURITY VIOLATION COUNT : 1
16. CISCO CCNA PORT SECURITY
AS WE SEE, THE PORT IS NOW IN SECURE-SHUTDOWN STATE.
HERE IS ANOTHER SHOW COMMAND:
SW1#SHOW INT F0/3
FASTETHERNET0/3 IS DOWN, LINE PROTOCOL IS DOWN (ERR-DISABLED)
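THE STEPS ABOVE AS A SMALL PYTHON MODEL, ADDED HERE AS AN EXAMPLE (IT IS NOT PART OF THE ORIGINAL SLIDES AND IS NOT CISCO CODE): IT REPLAYS THE F0/3 TEST UNDER EACH VIOLATION MODE AND SHOWS WHY STEP 3 USES STICKY FOR THE LOBBY PORT. THE CLASS AND FUNCTION NAMES ARE ILLUSTRATIVE, AND THE MODEL ASSUMES THAT NON-STICKY LEARNED ADDRESSES ARE CLEARED WHEN THE LINK GOES DOWN.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """One access port with port security (simplified model, added example)."""
    maximum: int = 1               # default maximum, as stated on the page
    violation: str = "shutdown"    # default mode; or "restrict" / "protect"
    sticky: bool = False
    static: set = field(default_factory=set)   # configured secure MACs
    learned: set = field(default_factory=set)  # sticky or dynamic secure MACs
    err_disabled: bool = False
    violations: int = 0

    def link_down(self):
        # Model assumption: only sticky entries survive a link-down event.
        if not self.sticky:
            self.learned.clear()

    def receive(self, src_mac):
        """Apply port security to one frame's source MAC; return the outcome."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port err-disabled"
        if mac in self.static or mac in self.learned:
            return "forwarded"
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned.add(mac)         # a free slot is left: learn it
            return "learned"
        if self.violation == "protect":
            return "dropped"              # silent, counter unchanged
        self.violations += 1
        if self.violation == "restrict":
            return "dropped: violation counted"
        self.err_disabled = True          # shutdown mode
        return "violation: port err-disabled"

def lobby_scenario(sticky, violation="shutdown"):
    """Replay the page's F0/3 test: PC3 connects, is unplugged, another host connects."""
    port = SecurePort(maximum=2, violation=violation, sticky=sticky,
                      static={"2222.2222.2222"})
    first = port.receive("00D0.D320.E74C")    # PC3, MAC from the page
    port.link_down()                          # cable pulled from PC3
    second = port.receive("00E0.A38B.4828")   # new host, MAC from the page
    return first, second, port.violations, port.err_disabled

if __name__ == "__main__":
    for sticky in (True, False):
        print("sticky" if sticky else "dynamic", lobby_scenario(sticky))
```

WITH STICKY THE SECOND HOST TRIGGERS THE VIOLATION SEEN ABOVE; WITHOUT STICKY, IN THIS MODEL, THE FREED SLOT IS SIMPLY RE-LEARNED AND NO VIOLATION IS COUNTED.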
17. CISCO CCNA PORT SECURITY
LET’S LOOK AT PORT F0/1, WHERE I DID NOT CONFIGURE PORT SECURITY:
SW1#
SW1#SHOW PORT-SECURITY INT F0/1
PORT SECURITY : DISABLED
PORT STATUS : SECURE-DOWN
VIOLATION MODE : SHUTDOWN
AGING TIME : 0 MINS
AGING TYPE : ABSOLUTE
SECURESTATIC ADDRESS AGING : DISABLED
MAXIMUM MAC ADDRESSES : 1
TOTAL MAC ADDRESSES : 0
CONFIGURED MAC ADDRESSES : 0
STICKY MAC ADDRESSES : 0
LAST SOURCE ADDRESS:VLAN : 0000.0000.0000:0
SECURITY VIOLATION COUNT : 0
AS WE SEE, IN THIS CASE I DID NOT ENABLE PORT SECURITY, SO THE FIRST LINE SAYS DISABLED.
HOW DO YOU FIX A PORT THAT WAS SHUT DOWN BY A VIOLATION?
YOU AS ADMINISTRATOR MUST GO TO THAT PORT AND GIVE SHUT AND THEN NO SHUT.
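A SHORT PYTHON CHECK FOR THE SHOW PORT-SECURITY OUTPUTS ABOVE, ADDED AS AN EXAMPLE AND NOT PART OF THE ORIGINAL SLIDES: IT PARSES THE OUTPUT AND REPORTS PORTS WITHOUT PORT SECURITY, VIOLATION COUNTS AND ERR-DISABLED PORTS. THE FUNCTION NAMES ARE ILLUSTRATIVE, AND THE SAMPLE TEXT IS CONSTRUCTED FROM THE F0/3 AND F0/1 OUTPUTS ON THIS PAGE.

```python
import re

# "KEY : VALUE" rows. The key itself may contain a colon
# (LAST SOURCE ADDRESS:VLAN), so split only on a colon that has
# whitespace on both sides.
ROW = re.compile(r"^\s*(.+?)\s+:\s+(.*\S)\s*$")

def parse_port_security(text):
    """Parse 'show port-security interface' output into a lowercase dict."""
    fields = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2).lower()
    return fields

def audit(interface, text):
    """Return a list of findings for one interface."""
    f = parse_port_security(text)
    if f.get("port security") != "enabled":
        return [f"{interface}: port security not enabled"]
    findings = []
    count = int(f.get("security violation count", "0"))
    if count:
        mac, _, vlan = f.get("last source address:vlan", "").rpartition(":")
        findings.append(
            f"{interface}: {count} violation(s), last source {mac} vlan {vlan}")
    if f.get("port status") == "secure-shutdown":
        findings.append(f"{interface}: err-disabled, recover with shut / no shut")
    return findings

# Constructed sample input: the F0/3 and F0/1 outputs from the page, abbreviated.
F0_3 = """PORT SECURITY : ENABLED
PORT STATUS : SECURE-SHUTDOWN
VIOLATION MODE : SHUTDOWN
MAXIMUM MAC ADDRESSES : 2
LAST SOURCE ADDRESS:VLAN : 00E0.A38B.4828:1
SECURITY VIOLATION COUNT : 1"""
F0_1 = """PORT SECURITY : DISABLED
PORT STATUS : SECURE-DOWN
SECURITY VIOLATION COUNT : 0"""

if __name__ == "__main__":
    for name, out in (("F0/3", F0_3), ("F0/1", F0_1)):
        print(audit(name, out) or [f"{name}: ok"])
```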