Thursday, April 22, 2010

Port-security on shared hub and err-disable auto recovery

 ----------            ----------
| switch 1 |----------| switch 2 |
 ----------   Fa0/16   ----------
PC1 = 00-0C-F1-xx-xx-xx
PC2 = 00-1D-09-yy-yy-yy

Step 1: (Base configuration)

Switch 2(Edge switch):

Uplink interface: Fa0/16

Fa0/16 config:
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast disable

Switch 1(Mobile switch):

Uplink interface: Fa0/16
Fa0/16 config:
switchport access vlan 10
switchport mode access
speed 100
duplex full

User interface for PC: Fa0/1, Fa0/2, Fa0/3
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable

Step 2: (Added port-security on uplink interface of Switch 2)

Added the commands below on Fa0/16:
(config-if)#sw port-security
(config-if)#sw port-security violation shut
(config-if)#sw port-security mac-address sticky
(config-if)#sw port-security maximum 2

Switch 2(Edge switch):

Fa0/16 config:
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
speed 100
duplex full
spanning-tree portfast disable

Step 3: (Connect PC1 to Fa0/1 of Switch1)

PC1----------Fa0/1 Switch1

1. Log shows that int Fa0/1 of Switch1 changes status to up
2. sh int status fa0/1 shows that the PC is connected
3. sh run int fa0/16 - added --> switchport port-security mac-address sticky 000c.f1xx.xxxx
4. sh port-security address
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
10    000c.f1xx.xxxx    SecureSticky        Fa0/16       -

5. sh port-security int fa0/16
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 000c.f1xx.xxxx
Security Violation Count   : 0

Step 4: (Connect PC1 and PC2 on Fa0/1 and Fa0/2 respectively)

PC1----------Fa0/1 Switch1
PC2----------Fa0/2 Switch1

1. Log shows that int Fa0/2 of Switch1 changes status to up
2. sh int status fa0/2 - shows that the PC is connected
3. sh run int fa0/16 - added --> switchport port-security mac-address sticky 001d.09yy.yyyy
4. sh port-security address
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
10    000c.f1xx.xxxx    SecureSticky        Fa0/16       -
10    001d.09yy.yyyy    SecureSticky        Fa0/16       -
5. sh port-security int fa0/16
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address        : 001d.09yy.yyyy
Security Violation Count   : 0

Step 5: (Connect rogue PC with MAC = 00-1D-09-zz-zz-zz on Fa0/3 of Switch1)

PC1----------Fa0/1 Switch1
PC2----------Fa0/2 Switch1
PC3----------Fa0/3 Switch1

1. Log shows that int Fa0/3 of Switch1 changes status to up
2. Log shows that int Fa0/16 of Switch1 changes status to down
3. sh int status fa0/3 - shows that the PC is connected
4. Log shows:
02:19:51: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:19:51: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.09zz.zzzz on  port FastEthernet0/16.
02:19:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to down
02:19:53: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to down

5. sh int fa0/16 status - Uplink interface goes to err-disabled state
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/16                       err-disabled 10           full    100 10/100BaseTX

Step 6: (Add errdisable auto recovery on switch2 then remove PC3)

(config)#errdisable recovery cause psecure-violation
(config)#errdisable recovery interval 30

1. Log shows that int Fa0/3 of Switch1 changes status to down
2. Log shows that int Fa0/16 of Switch1 changes status to up
3. sh int status fa0/16 - shows that the PC is connected
4. Log shows:
02:29:07: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
02:29:10: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
02:29:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up

5. sh int fa0/16 status - Uplink interface goes to connected state
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/16                       connected    10           full    100 10/100BaseTX
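
An added example, not part of the original post: a Python script that correlates the log messages from Steps 5 and 6 into one incident per port, reporting the MAC that caused the violation and how long the uplink stayed err-disabled. The names correlate and short and the incident fields are illustrative choices; the sample log is the output shown above with the wrapped lines rejoined.

```python
import re

# Log lines from Steps 5 and 6 above (wrapped lines rejoined; MAC masked as on the page).
SAMPLE_LOG = """\
02:19:51: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/16, putting Fa0/16 in err-disable state
02:19:51: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.09zz.zzzz on  port FastEthernet0/16.
02:19:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to down
02:19:53: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to down
02:29:07: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/16
02:29:10: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
02:29:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up
"""

LINE = re.compile(r"^(\d+):(\d\d):(\d\d): %([A-Z_]+)-\d-([A-Z_]+): (.*)$")
PATTERNS = {  # (facility, mnemonic) -> regex; each names the port, one also the MAC
    ("PM", "ERR_DISABLE"): re.compile(r"psecure-violation error detected on (?P<port>\S+),"),
    ("PORT_SECURITY", "PSECURE_VIOLATION"): re.compile(r"MAC address (?P<mac>\S+) on\s+port (?P<port>\S+?)\.?$"),
    ("PM", "ERR_RECOVER"): re.compile(r"from psecure-violation err-disable state on (?P<port>\S+)"),
    ("LINK", "UPDOWN"): re.compile(r"^Interface (?P<port>\S+), changed state to up"),
}

def short(port):  # FastEthernet0/16 and Fa0/16 name the same port
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", port)

def correlate(log_text):
    """Group psecure-violation messages into per-port outage incidents."""
    incidents, open_inc = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        pat = PATTERNS.get((m.group(4), m.group(5))) if m else None
        hit = pat.search(m.group(6)) if pat else None
        if not hit:
            continue
        t = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))
        port, kind = short(hit.group("port")), m.group(5)
        if kind in ("ERR_DISABLE", "PSECURE_VIOLATION"):
            if port not in open_inc:  # either message may be logged first
                open_inc[port] = {"port": port, "macs": [], "down_at": t,
                                  "recover_attempts": 0, "outage_s": None}
                incidents.append(open_inc[port])
            if kind == "PSECURE_VIOLATION":
                open_inc[port]["macs"].append(hit.group("mac"))
        elif kind == "ERR_RECOVER" and port in open_inc:
            open_inc[port]["recover_attempts"] += 1
        elif kind == "UPDOWN" and port in open_inc:  # LINK up ends the outage
            inc = open_inc.pop(port)
            inc["outage_s"] = t - inc["down_at"]
    return incidents
```

An incident whose outage_s is still None is a port that remains err-disabled, which is the state shown at the end of Step 5 before auto recovery was configured.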

