Port Security Configuration - Lab Exercise


In this lab you will configure Port Security on a small campus network.


Lab Topology


Disable Unused Ports

1) Disable all unused ports on SW1. This prevents unauthorised hosts plugging in to them to gain access to the network.

To see which ports are not in use, enter the command show ip interface brief.


SW1#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up
FastEthernet0/2        unassigned      YES manual up                    up
FastEthernet0/3        unassigned      YES manual down                  down
FastEthernet0/4        unassigned      YES manual down                  down
FastEthernet0/5        unassigned      YES manual down                  down
FastEthernet0/6        unassigned      YES manual down                  down
FastEthernet0/7        unassigned      YES manual down                  down
FastEthernet0/8        unassigned      YES manual down                  down
FastEthernet0/9        unassigned      YES manual down                  down
FastEthernet0/10       unassigned      YES manual down                  down
FastEthernet0/11       unassigned      YES manual down                  down
FastEthernet0/12       unassigned      YES manual down                  down
FastEthernet0/13       unassigned      YES manual down                  down
FastEthernet0/14       unassigned      YES manual down                  down
FastEthernet0/15       unassigned      YES manual down                  down
FastEthernet0/16       unassigned      YES manual down                  down
FastEthernet0/17       unassigned      YES manual down                  down
FastEthernet0/18       unassigned      YES manual down                  down
FastEthernet0/19       unassigned      YES manual down                  down
FastEthernet0/20       unassigned      YES manual down                  down
FastEthernet0/21       unassigned      YES manual down                  down
FastEthernet0/22       unassigned      YES manual down                  down
FastEthernet0/23       unassigned      YES manual down                  down
FastEthernet0/24       unassigned      YES manual down                  down
GigabitEthernet0/1     unassigned      YES manual down                  down
GigabitEthernet0/2     unassigned      YES manual down                  down
Vlan1                  unassigned      YES manual administratively down down

The unused ports are FastEthernet 0/3-0/24 and GigabitEthernet 0/1-0/2, so we shut them down.


SW1#conf
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int range f0/3-24
SW1(config-if-range)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/11, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/12, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/15, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/16, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/17, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/19, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/20, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/21, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/22, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/23, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
SW1(config-if-range)#exit
SW1(config)#int range g0/1-2
SW1(config-if-range)#shutdown
%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
%LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
SW1(config-if-range)#exit
SW1(config)#exit
SW1#
%SYS-5-CONFIG_I: Configured from console by console


To confirm that those ports are now shut down, run show ip interface brief again.


SW1#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up
FastEthernet0/2        unassigned      YES manual up                    up
FastEthernet0/3        unassigned      YES manual administratively down down
FastEthernet0/4        unassigned      YES manual administratively down down
FastEthernet0/5        unassigned      YES manual administratively down down
FastEthernet0/6        unassigned      YES manual administratively down down
FastEthernet0/7        unassigned      YES manual administratively down down
FastEthernet0/8        unassigned      YES manual administratively down down
FastEthernet0/9        unassigned      YES manual administratively down down
FastEthernet0/10       unassigned      YES manual administratively down down
FastEthernet0/11       unassigned      YES manual administratively down down
FastEthernet0/12       unassigned      YES manual administratively down down
FastEthernet0/13       unassigned      YES manual administratively down down
FastEthernet0/14       unassigned      YES manual administratively down down
FastEthernet0/15       unassigned      YES manual administratively down down
FastEthernet0/16       unassigned      YES manual administratively down down
FastEthernet0/17       unassigned      YES manual administratively down down
FastEthernet0/18       unassigned      YES manual administratively down down
FastEthernet0/19       unassigned      YES manual administratively down down
FastEthernet0/20       unassigned      YES manual administratively down down
FastEthernet0/21       unassigned      YES manual administratively down down
FastEthernet0/22       unassigned      YES manual administratively down down
FastEthernet0/23       unassigned      YES manual administratively down down
FastEthernet0/24       unassigned      YES manual administratively down down
GigabitEthernet0/1     unassigned      YES manual administratively down down
GigabitEthernet0/2     unassigned      YES manual administratively down down
Vlan1                  unassigned      YES manual administratively down down
SW1#
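As an added example (not part of the original lab), the following Python script automates step 1 for a switch with many ports: it parses a constructed, shortened copy of SW1's show ip interface brief table, picks out the physical ports that are down/down but not yet administratively shut, and emits the interface range ... shutdown commands. The f/g interface abbreviations follow the transcript; the sample table and the helper names are assumptions made for this example.

```python
"""Find unused ports in 'show ip interface brief' output and build the IOS
commands that shut them down (lab step 1).

Added example, not part of the original lab. The sample output is a trimmed,
constructed copy of SW1's table; the f/g abbreviations follow the transcript.
"""
import re
from collections import defaultdict

# Constructed sample: a shortened 'show ip interface brief' from SW1.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up
FastEthernet0/2        unassigned      YES manual up                    up
FastEthernet0/3        unassigned      YES manual down                  down
FastEthernet0/4        unassigned      YES manual down                  down
FastEthernet0/5        unassigned      YES manual administratively down down
GigabitEthernet0/1     unassigned      YES manual down                  down
GigabitEthernet0/2     unassigned      YES manual down                  down
Vlan1                  unassigned      YES manual administratively down down
"""

LINE_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>up|down|administratively down)\s+(?P<proto>up|down)\s*$"
)
PORT_RE = re.compile(r"^(?P<kind>[A-Za-z]+)(?P<slot>\d+/)(?P<num>\d+)$")
ABBREV = {"FastEthernet": "f", "GigabitEthernet": "g"}  # as typed in the lab


def parse_int_brief(text):
    """One dict per interface row; the header line does not match and is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def unused_ports(rows):
    """Physical ports with no link (down/down) that are not yet administratively shut."""
    out = []
    for r in rows:
        m = PORT_RE.match(r["intf"])  # Vlan1 and other SVIs do not match
        if m and m.group("kind") in ABBREV and r["status"] == "down" and r["proto"] == "down":
            out.append(r["intf"])
    return out


def contiguous_spans(nums):
    """[3, 4, 5, 7] -> [(3, 5), (7, 7)]: collapse consecutive port numbers into runs."""
    spans = []
    for n in sorted(nums):
        if spans and n == spans[-1][1] + 1:
            spans[-1] = (spans[-1][0], n)
        else:
            spans.append((n, n))
    return spans


def shutdown_commands(ports):
    """Group ports by type and slot, collapse runs, and emit one config block per run."""
    groups = defaultdict(list)
    for p in ports:
        m = PORT_RE.match(p)
        groups[(ABBREV[m.group("kind")], m.group("slot"))].append(int(m.group("num")))
    cmds = []
    for (abbr, slot), nums in groups.items():
        for a, b in contiguous_spans(nums):
            if a == b:
                cmds.append(f"interface {abbr}{slot}{a}")
            else:
                cmds.append(f"interface range {abbr}{slot}{a}-{b}")
            cmds.append(" shutdown")
    return cmds


if __name__ == "__main__":
    print("\n".join(shutdown_commands(unused_ports(parse_int_brief(SHOW_IP_INT_BRIEF)))))
```

Ports that are already administratively down (Fa0/5 in the sample) are left alone, and only down/down ports are selected so that a live host port is never shut by mistake. Paste the generated lines into configuration mode, then re-run show ip interface brief to verify, exactly as the lab does.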




Port Security Configuration

2) Configure port security on interface FastEthernet 0/1. Allow a maximum of two MAC addresses and manually add PC1’s MAC address to the configuration.

SW1#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

One way to learn PC1's MAC address is to have PC1 ping PC2. When PC1 sends the ping, the switch reads PC1's MAC address from the source of the frame and broadcasts the frame to every device connected to the switch.

SW1#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0000.1111.1111    DYNAMIC     Fa0/1
   1    0000.2222.2222    DYNAMIC     Fa0/2


The switch has now learned the MAC addresses of PC1 and PC2. The next step is to configure port security on interface f0/1. First, make sure the port is in access mode with the command switchport mode access. Then enter switchport port-security to enable port security, followed by switchport port-security maximum 2, and switchport port-security mac-address 0000.1111.1111 for PC1's MAC address.

SW1#conf
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int f0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 2
SW1(config-if)#switchport port-security mac-address 0000.1111.1111



3) Enable Port Security on interface FastEthernet 0/2 with the default settings.

SW1(config)#int f0/2
SW1(config-if)#switch mode access
SW1(config-if)#switchport port-security


4) Use a ‘show port-security address’ command to verify the MAC address on PC2.

First ping PC1 from PC2 to generate traffic.


SW1#show port-security address
               Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                    Ports              Remaining Age
                                                                        (mins)
----    -----------       ----                    -----              -------------
   1    0000.1111.1111    SecureConfigured        FastEthernet0/1         -
   1    0000.2222.2222    DynamicConfigured       FastEthernet0/2         -
------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024



5) Verify the full Port Security configuration on both interfaces.

SW1#show port-security int f0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

SW1#show port-security int f0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
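The verification in steps 4 and 5 is done by eye in the lab. As an added example (not part of the original lab), the following Python script does the same check programmatically: it parses constructed copies of SW1's show port-security interface and show port-security address output and compares them with the state steps 2 and 3 call for (maximum 2 with PC1's static MAC on f0/1, defaults on f0/2, violation mode shutdown, no violations). The POLICY table, the sample texts and the function names are assumptions made for this example.

```python
"""Audit 'show port-security interface' and 'show port-security address'
output against the state the lab expects (steps 2 to 5).

Added example, not part of the original lab. The sample outputs below are
constructed from the SW1 transcript; the POLICY values come from the tasks.
"""
import re

# Constructed: SW1's 'show port-security interface f0/1' after step 2.
SHOW_PS_F01 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Constructed: f0/2 with the defaults from step 3 (maximum 1, no static MAC).
SHOW_PS_F02 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Security Violation Count   : 0
"""

# Constructed: the data rows of 'show port-security address' from step 4.
SHOW_PS_ADDRESS = """\
   1    0000.1111.1111    SecureConfigured     FastEthernet0/1    -
   1    0000.2222.2222    DynamicConfigured    FastEthernet0/2    -
"""

# Expected state per port, taken from lab steps 2 and 3 (assumed policy table).
POLICY = {
    "FastEthernet0/1": {"max": 2, "violation": "Shutdown", "static": {"0000.1111.1111"}},
    "FastEthernet0/2": {"max": 1, "violation": "Shutdown", "static": set()},
}

# Key ends at the first ' :' so 'Last Source Address:Vlan' stays one key.
KV_RE = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<val>.*?)\s*$")
ADDR_RE = re.compile(r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
                     r"\s+(?P<type>\S+)\s+(?P<port>\S+)")


def parse_ps_interface(text):
    """'Key : Value' lines -> dict; purely numeric values become ints."""
    state = {}
    for m in map(KV_RE.match, text.splitlines()):
        if m:
            val = m.group("val")
            state[m.group("key")] = int(val) if val.isdigit() else val
    return state


def parse_ps_address(text):
    """Secure MAC table rows -> list of dicts (vlan, mac, type, port)."""
    return [m.groupdict() for m in map(ADDR_RE.match, text.splitlines()) if m]


def audit_port(port, iface_text, addr_rows, policy=POLICY):
    """Return a list of findings; an empty list means the port matches policy."""
    st, want, findings = parse_ps_interface(iface_text), policy[port], []
    if st.get("Port Security") != "Enabled":
        findings.append(f"{port}: port security is not enabled")
    if st.get("Violation Mode") != want["violation"]:
        findings.append(f"{port}: violation mode is {st.get('Violation Mode')}, expected {want['violation']}")
    if st.get("Maximum MAC Addresses") != want["max"]:
        findings.append(f"{port}: maximum is {st.get('Maximum MAC Addresses')}, expected {want['max']}")
    if st.get("Port Status") != "Secure-up":
        # After a violation in shutdown mode the port is err-disabled and shows Secure-shutdown.
        findings.append(f"{port}: port status is {st.get('Port Status')}")
    if st.get("Security Violation Count", 0) > 0:
        findings.append(f"{port}: {st['Security Violation Count']} violation(s) recorded")
    if st.get("Configured MAC Addresses") != len(want["static"]):
        findings.append(f"{port}: {st.get('Configured MAC Addresses')} configured MAC(s), expected {len(want['static'])}")
    present = {r["mac"] for r in addr_rows if r["port"] == port and r["type"] == "SecureConfigured"}
    for mac in sorted(want["static"] - present):
        findings.append(f"{port}: static MAC {mac} missing from the secure address table")
    return findings


def audit_all(outputs, addr_text, policy=POLICY):
    """outputs maps port name -> its 'show port-security interface' text."""
    rows = parse_ps_address(addr_text)
    return {port: audit_port(port, text, rows, policy) for port, text in outputs.items()}


if __name__ == "__main__":
    result = audit_all({"FastEthernet0/1": SHOW_PS_F01, "FastEthernet0/2": SHOW_PS_F02}, SHOW_PS_ADDRESS)
    for port, findings in result.items():
        print(port, "OK" if not findings else "\n  ".join([""] + findings))
```

With the transcript values both ports come back clean. The same audit flags a port whose violation mode has drifted from shutdown, whose counter shows recorded violations, or whose status reads Secure-shutdown (the err-disabled state after a violation), which are the three things worth checking on a live switch after the lab configuration has been in place for a while.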

