Port Security Configuration - Lab Exercise

Port Security Configuration - Lab Exercise


Pada lab ini anda akan mengkonfigurasi Port Security di jaringan kampus kecil.


Lab Topology


Disable Unused Ports

1) Disable all unused ports on SW1. This prevents unauthorised hosts plugging in to them to gain access to the network.

Untuk melihat port-port mana saja yang tidak digunakan kita masukan command show ip interface brief.


SW1#sh ip int brief

Interface              IP-Address      OK? Method Status                Protocol 

FastEthernet0/1        unassigned      YES manual up                    up 

FastEthernet0/2        unassigned      YES manual up                    up 

FastEthernet0/3        unassigned      YES manual down                  down 

FastEthernet0/4        unassigned      YES manual down                  down 

FastEthernet0/5        unassigned      YES manual down                  down 

FastEthernet0/6        unassigned      YES manual down                  down 

FastEthernet0/7        unassigned      YES manual down                  down 

FastEthernet0/8        unassigned      YES manual down                  down 

FastEthernet0/9        unassigned      YES manual down                  down 

FastEthernet0/10       unassigned      YES manual down                  down 

FastEthernet0/11       unassigned      YES manual down                  down 

FastEthernet0/12       unassigned      YES manual down                  down 

FastEthernet0/13       unassigned      YES manual down                  down 

FastEthernet0/14       unassigned      YES manual down                  down 

FastEthernet0/15       unassigned      YES manual down                  down 

FastEthernet0/16       unassigned      YES manual down                  down 

FastEthernet0/17       unassigned      YES manual down                  down 

FastEthernet0/18       unassigned      YES manual down                  down 

FastEthernet0/19       unassigned      YES manual down                  down 

FastEthernet0/20       unassigned      YES manual down                  down 

FastEthernet0/21       unassigned      YES manual down                  down 

FastEthernet0/22       unassigned      YES manual down                  down 

FastEthernet0/23       unassigned      YES manual down                  down 

FastEthernet0/24       unassigned      YES manual down                  down 

GigabitEthernet0/1     unassigned      YES manual down                  down 

GigabitEthernet0/2     unassigned      YES manual down                  down 

Vlan1                  unassigned      YES manual administratively down down

Port yang tidak digunakan adalah FastEthernet 0/3-0/24 dan GigabitEthernet 0/1-0/2.

Maka kita shutdown port tersebut.


SW1#conf

Configuring from terminal, memory, or network [terminal]? t

Enter configuration commands, one per line.  End with CNTL/Z.

SW1(config)#int range f0/3-24

SW1(config-if-range)#shutdown


%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/11, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/12, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/15, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/16, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/17, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/19, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/20, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/21, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/22, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/23, changed state to administratively down


%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down

SW1(config-if-range)#exit

SW1(config)#int range g0/1-2

SW1(config-if-range)#shutdown


%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down


%LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down

SW1(config-if-range)#exit

SW1(config)#exit

SW1#

%SYS-5-CONFIG_I: Configured from console by console


Untuk memastikan port tersebut apakah sudah di-shutdown atau belum kita gunakan lagi command show ip interface brief.


SW1#show ip int brief

Interface              IP-Address      OK? Method Status                Protocol 

FastEthernet0/1        unassigned      YES manual up                    up 

FastEthernet0/2        unassigned      YES manual up                    up 

FastEthernet0/3        unassigned      YES manual administratively down down 

FastEthernet0/4        unassigned      YES manual administratively down down 

FastEthernet0/5        unassigned      YES manual administratively down down 

FastEthernet0/6        unassigned      YES manual administratively down down 

FastEthernet0/7        unassigned      YES manual administratively down down 

FastEthernet0/8        unassigned      YES manual administratively down down 

FastEthernet0/9        unassigned      YES manual administratively down down 

FastEthernet0/10       unassigned      YES manual administratively down down 

FastEthernet0/11       unassigned      YES manual administratively down down 

FastEthernet0/12       unassigned      YES manual administratively down down 

FastEthernet0/13       unassigned      YES manual administratively down down 

FastEthernet0/14       unassigned      YES manual administratively down down 

FastEthernet0/15       unassigned      YES manual administratively down down 

FastEthernet0/16       unassigned      YES manual administratively down down 

FastEthernet0/17       unassigned      YES manual administratively down down 

FastEthernet0/18       unassigned      YES manual administratively down down 

FastEthernet0/19       unassigned      YES manual administratively down down 

FastEthernet0/20       unassigned      YES manual administratively down down 

FastEthernet0/21       unassigned      YES manual administratively down down 

FastEthernet0/22       unassigned      YES manual administratively down down 

FastEthernet0/23       unassigned      YES manual administratively down down 

FastEthernet0/24       unassigned      YES manual administratively down down 

GigabitEthernet0/1     unassigned      YES manual administratively down down 

GigabitEthernet0/2     unassigned      YES manual administratively down down 

Vlan1                  unassigned      YES manual administratively down down

SW1#




Port Security Configuration

2) Configure port security on interface FastEthernet 0/1. Allow a maximum of two MAC addresses and manually add PC1’s MAC address to the configuration.

SW1#show mac-address-table 

          Mac Address Table

-------------------------------------------


Vlan    Mac Address       Type        Ports

----    -----------       --------    -----

Salah satu cara untuk mengetahui MAC address dari PC1, caranya adalah dengan PC1 ping ke PC2. Saat PC1 melakukan test ping, switch membaca MAC address dari PC1, lalu melakukan broadcast ke seluruh device yang terhubung pada switch. 

SW1#show mac-address-table 

          Mac Address Table

-------------------------------------------


Vlan    Mac Address       Type        Ports

----    -----------       --------    -----


   1    0000.1111.1111    DYNAMIC     Fa0/1

   1    0000.2222.2222    DYNAMIC     Fa0/2


Switch sudah dapat membaca MAC address dari PC1 dan PC2. Selanjutnya adalah mengkonfigurasikan interface f0/1 dengan port security. Namun sebelumnya pastikan dahulu untuk mengubah port tersebut ke mode access dengan command switchport mode access. Lalu masukkan command switchport port-security untuk meng-enable mode port security. Dilanjutkan dengan switchport port-security maximum 2. Dan switchport port-security mac address 0000.1111.1111 untuk MAC address dari PC1.

SW1#conf

Configuring from terminal, memory, or network [terminal]? t

Enter configuration commands, one per line.  End with CNTL/Z.

SW1(config)#int f0/1

SW1(config-if)#switchport mode access

SW1(config-if)#switchport port-security

SW1(config-if)#switchport port-security maximum 2

SW1(config-if)#switchport port-security mac-address 0000.1111.1111



3) Enable Port Security on interface FastEthernet 0/2 with the default settings.

SW1(config)#int f0/2

SW1(config-if)#switch mode access

SW1(config-if)#switchport port-security


4) Use a ‘show port-security address’ command to verify the MAC address on PC2.

Ping PC1 dari PC2 terlebih dahulu untuk men-generate traffic.


SW1#show port-security address

Secure Mac Address Table

-------------------------------------------------------------------------------

Vlan Mac Address Type Ports Remaining Age

(mins)

---- ----------- ---- ----- -------------

1 0000.1111.1111 SecureConfigured FastEthernet0/1 -

1 0000.2222.2222 DynamicConfigured FastEthernet0/2 -

------------------------------------------------------------------------------

Total Addresses in System (excluding one mac per port)     : 0

Max Addresses limit in System (excluding one mac per port) : 1024



5) Verify the full Port Security configuration on both interfaces.

SW1#show port-security int f0/1

Port Security              : Enabled

Port Status                : Secure-up

Violation Mode             : Shutdown

Aging Time                 : 0 mins

Aging Type                 : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses      : 2

Total MAC Addresses        : 1

Configured MAC Addresses   : 1

Sticky MAC Addresses       : 0

Last Source Address:Vlan   : 0000.0000.0000:0

Security Violation Count   : 0


SW1#show port-security int f0/2

Port Security              : Enabled

Port Status                : Secure-up

Violation Mode             : Shutdown

Aging Time                 : 0 mins

Aging Type                 : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses      : 1

Total MAC Addresses        : 0

Configured MAC Addresses   : 0

Sticky MAC Addresses       : 0

Last Source Address:Vlan   : 0000.0000.0000:0

Security Violation Count   : 0

Comments

Post a Comment

Popular posts from this blog

Cisco Device Management - Lab Exercise

Image
  Cisco Device Management - Lab Exercise Pada lab ini anda akan mengerjakan factory reset, password recovery, configuration backup, dan system image backup and recovery pada router Cisco. Anda juga akan mengerjakan upgrade IOS pada switch Cisco. Gunakan Packet Tracer Cisco untuk latihan ini. Server generic pada Packet Tracer sudah built-in dengan TFTP server software. Lab Topology Factory Reset 1) View the running configuration on R1. Note that the hostname and interface have been configured R1#conf t Enter configuration commands, one per line.  End with CNTL/Z. R1(config)#exit R1# %SYS-5-CONFIG_I: Configured from console by console R1#show run Building configuration... Current configuration : 698 bytes ! version 15.1 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname R1 ! ! ! ! ! ! ! ! ip cef no ipv6 cef ! ! ! ! license udi pid CISCO2911/K9 sn FTX152447Z1 ! ! ! ! ! ! ! ! ! ! ! spanning-tree mode pvst !...
Read more

Configuring DHCP

Image
  23-1 DHCP Configuration – Lab Exercise Pada LAB Exercise ini, saya masih mengutip dari buku Flackbox oleh Niel Andersen. Buku ini dapat diakses secara gratis melalui www.Flackbox.com . In this lab you will perform a DHCP configuration for a small campus network. You will configure a router’s outside interface as a DHCP client. You will then set up DCHP services, using a Cisco router first and then an external DHCP server. The external DHCP server is inside the campus LAN but outside the router. Note that the external DHCP server at 10.10.20.10 will not be used until the last part of the lab. Lab Topology Load the Startup Configurations Download the ‘23-1 DHCP Configuration.zip’ file here. Extract the project .pkt file then open it in Packet Tracer. Do not try to open the project from directly inside the zip file. Cisco DHCP Client You have not acquired a static public IP address from the Internet service provider. Configure the outside interface FastEthernet 0/0 on R1 to receive...
Read more