Lab 7.1 – VLAN and MAC Table Security
Topology
Addressing Table
Device   Interface / VLAN   IP Address       Subnet Mask
S1       VLAN 10            192.168.10.201   255.255.255.0
S2       VLAN 10            192.168.10.202   255.255.255.0
PC-A     NIC                192.168.10.11    255.255.255.0
PC-B     NIC                192.168.10.12    255.255.255.0
Laptop   NIC                192.168.10.200   255.255.255.0
Objectives
Part 1: Configure the Network Devices.
Part 2: Configure VLANs on Switches.
Part 3: Configure VLAN Security.
Part 4: Configure Port Security Features.
Background / Scenario
It is quite common to lock down access and install strong security features on PCs and servers. It is important
that your network infrastructure devices, such as switches and routers, are also configured with security
features.
In this lab, you will follow some best practices for securing a switch against VLAN hopping attacks. You will
also configure and verify port security to lock out any device with a MAC address not recognized by the
switch.
© 2019 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public www.netacad.com
Required Resources
● 2 Switches
● 2 PCs, 1 laptop
● Cabling as shown in the topology
Instructions
Part 1: Configure the Network Devices.
Step 1: Cable the network.
a. Set up the test topology in Packet Tracer as illustrated in the diagram.
b. Initialize the devices.
Step 2: Configure and verify basic switch settings.
a. Configure the hostname for switches S1 and S2.
Open configuration window
b. Prevent unwanted DNS lookups on both switches.
c. Configure interface descriptions for the ports that are in use in S1 and S2.
d. Set the default-gateway for the Management VLAN to 192.168.10.1 on both switches.
Step 3: Configure end devices.
a. Configure the PC and laptop hosts according to the Addressing Table.
Part 2: Configure VLANs on Switches.
Step 1: Configure VLAN 10.
Add VLAN 10 to S1 and S2 and name the VLAN Management.
Step 2: Configure the SVI for VLAN 10.
Configure the IP address according to the Addressing Table for SVI for VLAN 10 on S1 and S2. Enable the
SVI interfaces and provide a description for the interface.
Step 3: Configure VLAN 333 with the name Native on S1 and S2.
Step 4: Configure VLAN 999 with the name ParkingLot on S1 and S2.
Part 3: Configure Switch VLAN Security.
Step 1: Implement 802.1Q trunking.
a. On both switches, configure trunking on G0/1 and set the port to use VLAN 333 as the native VLAN.
What command/s is needed to do so?
S1(config)# interface g0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 333
(Repeat the same commands on S2.)
b. Verify that trunking is configured on both switches.
S1# show interface trunk
Port Mode Encapsulation Status Native vlan
Gig0/1 on 802.1q trunking 333
Port Vlans allowed on trunk
Gig0/1 1-4094
Port Vlans allowed and active in management domain
Gig0/1 1,10,333,999
Port Vlans in spanning tree forwarding state and not pruned
Gig0/1 1,10,333,999
S2# show interface trunk
Port Mode Encapsulation Status Native vlan
Gig0/1 on 802.1q trunking 333
Port Vlans allowed on trunk
Gig0/1 1-4094
Port Vlans allowed and active in management domain
Gig0/1 1,10,333,999
Port Vlans in spanning tree forwarding state and not pruned
Gig0/1 1,10,333,999
c. Disable DTP negotiation on G0/1 on S1 and S2.
What command is needed to do so?
S1(config)# interface g0/1
S1(config-if)# switchport nonegotiate
(Repeat the same commands on S2.)
d. Verify with the show interfaces command.
S1# show interfaces g0/1 switchport | include Negotiation
Negotiation of Trunking: Off
S2# show interfaces g0/1 switchport | include Negotiation
Negotiation of Trunking: Off
Step 2: Configure access ports.
a. On S1, configure F0/6 as an access port associated with VLAN 10.
b. On S2, configure F0/18 as an access port that is associated with VLAN 10.
c. Verify the status of unused ports by issuing the show command.
S1# show interfaces status
What is the status and VLAN assignment of unused ports as indicated in the show command output?
The status is notconnect and the VLAN assignment is 1, the default VLAN. Until Step 3 is done, anyone who plugs a device into one of these ports gets a live link in VLAN 1.
Step 3: Secure and disable unused switchports.
a. On S1 and S2, move ALL unused ports from VLAN 1 to VLAN 999 and disable the unused ports.
On which ports does this step need to be done for S1 and S2?
S1: all ports except F0/6 (PC-A) and G0/1 (trunk to S2).
S2: all ports except F0/18 (PC-B) and G0/1 (trunk to S1).
b. Verify that unused ports are disabled and associated with VLAN 999 by issuing the show command.
S1# show interfaces status
Port Name Status Vlan Duplex Speed Type
Fa0/1 disabled 999 auto auto 10/100BaseTX
Fa0/2 disabled 999 auto auto 10/100BaseTX
Fa0/3 disabled 999 auto auto 10/100BaseTX
Fa0/4 disabled 999 auto auto 10/100BaseTX
Fa0/5 disabled 999 auto auto 10/100BaseTX
Fa0/6 Link to PC-A connected 10 a-full a-100 10/100BaseTX
Fa0/7 disabled 999 auto auto 10/100BaseTX
Fa0/8 disabled 999 auto auto 10/100BaseTX
Fa0/9 disabled 999 auto auto 10/100BaseTX
Fa0/10 disabled 999 auto auto 10/100BaseTX
<output omitted>
S2# show interfaces status
Port Name Status Vlan Duplex Speed Type
Fa0/1 disabled 999 auto auto 10/100BaseTX
Fa0/2 disabled 999 auto auto 10/100BaseTX
Fa0/3 disabled 999 auto auto 10/100BaseTX
<output omitted>
Fa0/14 disabled 999 auto auto 10/100BaseTX
Fa0/15 disabled 999 auto auto 10/100BaseTX
Fa0/16 disabled 999 auto auto 10/100BaseTX
Fa0/17 disabled 999 auto auto 10/100BaseTX
Fa0/18 Link to PC-B connected 10 a-full a-100 10/100BaseTX
Fa0/19 disabled 999 auto auto 10/100BaseTX
Fa0/20 disabled 999 auto auto 10/100BaseTX
Fa0/21 disabled 999 auto auto 10/100BaseTX
Fa0/22 disabled 999 auto auto 10/100BaseTX
Fa0/23 disabled 999 auto auto 10/100BaseTX
Fa0/24 disabled 999 auto auto 10/100BaseTX
Gi0/1 Link to S1 connected trunk a-full a-1000 10/100/1000BaseTX
Gi0/2 disabled 999 auto auto 10/100/1000BaseTX
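As an added example that is not part of the Cisco lab, the following Python script does Step 3 the way a practitioner would on a whole switch rather than port by port: it parses `show interfaces status` output, flags unused ports that are still enabled or still outside the ParkingLot VLAN, and generates the `interface range` commands that park and shut them. The two sample outputs are constructed to match S1 before and after this step; the five-entries-per-`interface range` limit assumed in the generator is the classic Catalyst IOS limit.

```python
import re

PARKING_LOT_VLAN = "999"  # this lab's ParkingLot VLAN

# Constructed sample: S1 before Step 3 (unused ports still up in VLAN 1).
S1_BEFORE = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        notconnect   1            auto   auto 10/100BaseTX
Fa0/2                        notconnect   1            auto   auto 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6     Link to PC-A       connected    10         a-full  a-100 10/100BaseTX
Fa0/7                        notconnect   1            auto   auto 10/100BaseTX
Gi0/1     Link to S2         connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/2                        notconnect   1            auto   auto 10/100/1000BaseTX
"""

# Constructed sample: the same ports after Step 3, as the lab's verification shows.
S1_AFTER = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        disabled     999          auto   auto 10/100BaseTX
Fa0/2                        disabled     999          auto   auto 10/100BaseTX
Fa0/3                        disabled     999          auto   auto 10/100BaseTX
Fa0/6     Link to PC-A       connected    10         a-full  a-100 10/100BaseTX
Fa0/7                        disabled     999          auto   auto 10/100BaseTX
Gi0/1     Link to S2         connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/2                        disabled     999          auto   auto 10/100/1000BaseTX
"""

# The Name column may be blank or contain spaces, so anchor on the Status keyword.
_ROW = re.compile(r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
                  r"(?P<status>connected|notconnect|disabled|err-disabled)\s+"
                  r"(?P<vlan>\S+)")


def parse_status(text):
    """Return one {'port','name','status','vlan'} dict per interface row."""
    return [m.groupdict() for m in map(_ROW.match, text.splitlines()) if m]


def audit_unused_ports(text):
    """Findings for ports with no link that are still enabled and/or still in a
    VLAN other than the ParkingLot VLAN. 'connected' ports are in use; an
    err-disabled port is an in-use port tripped by port security, not an
    unused one, so it is left alone here."""
    findings = []
    for row in parse_status(text):
        if row["status"] not in ("notconnect", "disabled"):
            continue
        if row["status"] != "disabled":
            findings.append((row["port"], "unused port not shut down"))
        if row["vlan"] != PARKING_LOT_VLAN:
            findings.append((row["port"], f"unused port in VLAN {row['vlan']}"))
    return findings


def _split(port):
    m = re.fullmatch(r"([A-Za-z]+\d+/)(\d+)", port)  # 'Fa0/6' -> ('Fa0/', 6)
    return m.group(1), int(m.group(2))


def compress_ranges(ports):
    """['Fa0/1','Fa0/2','Fa0/3','Fa0/7','Gi0/2'] -> ['Fa0/1 - 3','Fa0/7','Gi0/2']"""
    groups = {}
    for p in ports:
        prefix, n = _split(p)
        groups.setdefault(prefix, set()).add(n)
    out = []
    for prefix, nums in groups.items():
        nums = sorted(nums)
        start = prev = nums[0]
        for n in nums[1:] + [None]:          # None flushes the last run
            if n is not None and n == prev + 1:
                prev = n
                continue
            out.append(f"{prefix}{start}" if start == prev else f"{prefix}{start} - {prev}")
            if n is not None:
                start = prev = n
    return out


def parking_lot_config(findings):
    """IOS commands that park and shut every port named in the findings.
    Assumes the classic Catalyst limit of five comma-separated entries per
    'interface range', so longer lists are split into several blocks."""
    ports = list(dict.fromkeys(p for p, _ in findings))  # unique, keep order
    ranges = compress_ranges(ports)
    lines = []
    for i in range(0, len(ranges), 5):
        lines += [f"interface range {' , '.join(ranges[i:i + 5])}",
                  " switchport mode access",
                  f" switchport access vlan {PARKING_LOT_VLAN}",
                  " shutdown"]
    return lines


if __name__ == "__main__":
    before = audit_unused_ports(S1_BEFORE)
    print(f"{len(before)} findings before Step 3; remediation:")
    print("\n".join(parking_lot_config(before)))
    print(f"{len(audit_unused_ports(S1_AFTER))} findings after Step 3")
```

Run against the "before" sample it reports ten findings (five ports, each both enabled and in VLAN 1) and emits a single `interface range Fa0/1 - 3 , Fa0/7 , Gi0/2` block; against the "after" sample it reports none, which is the state the lab's `show interfaces status` verification shows.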
Part 4: Configure Port Security Features
Step 1: Verify port security features.
The interfaces F0/6 on S1 and F0/18 on S2 are configured as access ports.
On S1, issue the show port-security interface f0/6 command to display the default port security settings for
interface F0/6. Record your answers in the table below.
Default Port Security Configuration
Feature Default Setting
Port Security Disabled
Maximum number of MAC addresses 1
Violation Mode Shutdown
Aging Time 0 mins
Aging Type Absolute
Secure Static Address Aging Disabled
Sticky MAC Addresses 0
Step 2: Configure and verify port security with static secure address.
a. Note the MAC address of PC-A as recorded by S1 by issuing the show mac address-table command
from privileged EXEC mode. Find the dynamic entry for port F0/6 and record it below. If there is no
entry yet, ping from PC-A to PC-B so that S1 learns the address.
PC-A MAC Address: 98ee.cba0.35b5 (ipconfig on PC-A shows it as 98-EE-CB-A0-35-B5; IOS displays the same address in dotted-hex form)
b. Access the command line for S1 and enable port security on Fa0/6.
Open Configuration Window
S1(config)# interface f0/6
S1(config-if)# switchport port-security
c. Set the maximum so that only one device can access the port.
S1(config-if)# switchport port-security maximum 1
d. Secure the ports so that only the MAC address of PC-A is allowed on the port. Use the address recorded
in Step 2a in place of xxxx.xxxx.xxxx in the command sample below.
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
e. Set the violation mode so that F0/6 is disabled when a violation occurs and a notification of the
security violation is generated.
S1(config-if)# switchport port-security violation shutdown
f. Verify port security on S1 F0/6 by issuing a show port-security interface command.
S1# show port-security interface f0/6
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
What is the port status of F0/6? Secure-up
g. Generate some traffic by using PC-A to ping S1 and verify that PC-A is allowed to communicate while
connected to Fa0/6.
h. You will now violate security by attaching a different host to the switchport. Disconnect PC-A from S1
Fa0/6 and connect the Laptop in its place.
From the Laptop, ping S1. You will eventually see messages displayed on the CLI of S1 indicating a security
violation.
Was the ping successful? Why or why not?
No. The Laptop's source MAC address does not match the secure MAC address configured on F0/6, so its first frame is a security violation; in shutdown mode the port is put into err-disabled state and all traffic on it is dropped.
i. On the switch, verify port security with the following commands.
S1# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/6 1 1 1 Shutdown
----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) :0
Max Addresses limit in System (excluding one mac per port) :8192
S1# show port-security interface f0/6
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : aaaa.bbbb.cccc:10
Security Violation Count : 1
S1# show port-security address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
10 30f7.0da3.1821 SecureConfigured Fa0/6 -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) :0
Max Addresses limit in System (excluding one mac per port) :8192
j. Disconnect the Laptop from S1 and reconnect PC-A.
k. From PC-A, ping S1 again
Was the ping successful? No.
l. On the switch, issue the show interface f0/6 command to determine the cause of ping failure.
Record your findings.
The port is down and in err-disabled state (show interface f0/6 reports it as down (err-disabled)). In shutdown mode the violation caused by the Laptop's MAC address disabled the port, and it stays disabled even after PC-A, whose MAC address is the configured secure address, is reconnected; it must be re-enabled manually.
m. Clear the S1 F0/6 error disabled status.
S1# config t
S1(config)# interface f0/6
S1(config-if)# shutdown
S1(config-if)# no shutdown
Note: There may be a delay while the port states converge.
n. Issue the show interface f0/6 command on S1 to verify F0/6 is no longer in error disabled mode.
S1# show interface f0/6
FastEthernet0/6 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0023.5d59.9185 (bia 0023.5d59.9185)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
o. From the PC-A ping S1 again. The ping should be successful.
Step 3: Configure and verify port security with sticky learning.
a. Access the command line for S2, enable port security on Fa0/18 and set the maximum addresses to 1.
What are the commands to do so?
S2(config)# interface f0/18
S2(config-if)# switchport port-security
S2(config-if)# switchport port-security maximum 1
Open Configuration Window
b. Secure the port so that the MAC address of a device is dynamically learned and added to the running
configuration.
S2(config-if)# switchport port-security mac-address sticky
c. Set the violation mode so that F0/18 is not disabled when a violation occurs, but a notification of the
security violation is generated and packets from the unknown source are dropped.
S2(config-if)# switchport port-security violation restrict
d. Generate some traffic by using PC-B to ping S2 then verify that the address of PC-B was learned.
S2# show port-security interface f0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0022.5646.3411:10
Security Violation Count : 0
S2# show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
10 0022.5646.3411 SecureSticky Fa0/18 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
e. Verify that the Sticky Secure MAC address was also recorded in the running configuration of S2.
S2# show running-config
Is the address of PC-B recorded under the configurations of Fa0/18? yes
f. Disconnect PC-B and connect the Laptop to S2 F0/18, which is the port to which PC-B was originally
connected. Using the Laptop’s command line, ping S2.
What is the result of the ping?
Laptop: PING: transmit failed. General Failure.
S2: Security violation occurred caused by MAC address 98ee. 33ba on port FastEthernet0/18.
g. Display the port security violations for the port to which the Laptop is connected.
S2# show port-security interface f0/18
Close Configuration Window
How many violations have occurred? 54
h. Disconnect the Laptop and reconnect PC-B. Verify PC-B can ping S2.
Why is PC-B able to ping S2, but the Laptop is not?
PC-B's MAC address was sticky-learned as the single secure address on S2 F0/18. The Laptop's MAC address is not in the secure address table, so in restrict mode the switch drops its frames and counts each one as a violation while leaving the port up; when PC-B is reconnected its frames match the secure address and are forwarded normally.
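As an added example that is not part of the Cisco lab, this Python script triages port-security state for the two violation modes used in Steps 2 and 3: it parses `show port-security interface` and `show port-security` output, tells shutdown (port err-disabled, permitted host cut off too) from restrict (port stays up, frames from the unknown MAC dropped and counted), and emits the recovery commands from Step 2m, optionally with the global `errdisable recovery` settings so future port-security err-disables clear themselves. The samples are constructed from this lab's S1 and S2 outputs; the Laptop's MAC address on S2 is a placeholder because the lab did not record it.

```python
import re

# Constructed samples shaped like this lab's outputs: S1 F0/6 after the Laptop
# violation in shutdown mode, and S2 F0/18 after the Laptop violations in
# restrict mode (0000.0000.0001 is a placeholder for the Laptop's MAC).
S1_F0_6 = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aaaa.bbbb.cccc:10
Security Violation Count   : 1
"""

S2_F0_18 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0000.0000.0001:10
Security Violation Count   : 54
"""

# Constructed 'show port-security' summary in the lab's layout.
SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/6              1            1                  1         Shutdown
     Fa0/18              1            1                 54         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
"""


def parse_interface(text):
    """'Key : Value' rows -> dict. Splitting on the padded colon keeps the
    'Last Source Address:Vlan' key (and the mac:vlan value) intact."""
    out = {}
    for line in text.splitlines():
        parts = re.split(r"\s+:\s+", line, maxsplit=1)
        if len(parts) == 2:
            out[parts[0].strip()] = parts[1].strip()
    return out


def parse_summary(text):
    """Data rows of 'show port-security' -> [(port, max, current, violations, action)]."""
    row = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
    return [(m[1], int(m[2]), int(m[3]), int(m[4]), m[5])
            for m in map(row.match, text.splitlines()) if m]


def triage(parsed):
    """Decide what the violation mode did to the port and what the operator must do."""
    mac, _, _vlan = parsed["Last Source Address:Vlan"].partition(":")
    count = int(parsed["Security Violation Count"])
    if parsed["Port Status"] == "Secure-shutdown":
        # shutdown mode: port is err-disabled; the permitted host is cut off as well
        return {"state": "err-disabled", "offender": mac, "violations": count,
                "permitted_host_affected": True, "needs_manual_recovery": True}
    # restrict (and protect): port stays up, unknown-source frames are dropped,
    # the permitted host keeps working; restrict also counts and logs each drop
    return {"state": "secure-up", "offender": mac if count else None,
            "violations": count, "permitted_host_affected": False,
            "needs_manual_recovery": False}


def recovery_commands(interface, auto_recover_secs=None):
    """IOS commands to clear an err-disabled port (Step 2m). With
    auto_recover_secs set, the global errdisable recovery for port-security
    violations is added first so later trips re-enable themselves."""
    cmds = []
    if auto_recover_secs:
        cmds += ["errdisable recovery cause psecure-violation",
                 f"errdisable recovery interval {auto_recover_secs}"]
    return cmds + [f"interface {interface}", " shutdown", " no shutdown"]


def report(summary_text, per_port):
    """Join the summary with each port's detail: (port, action, violations, state, needs_recovery)."""
    rows = []
    for port, _max, _cur, viol, action in parse_summary(summary_text):
        t = triage(parse_interface(per_port[port]))
        rows.append((port, action, viol, t["state"], t["needs_manual_recovery"]))
    return rows


if __name__ == "__main__":
    for row in report(SUMMARY, {"Fa0/6": S1_F0_6, "Fa0/18": S2_F0_18}):
        print(row)
    print("\n".join(recovery_commands("f0/6", auto_recover_secs=300)))
```

On the lab's data the report shows Fa0/6 (Shutdown, 1 violation) as err-disabled and needing recovery, and Fa0/18 (Restrict, 54 violations) as still up: the same 54 frames that were silently dropped on S2 would have taken the port down on the first one under S1's configuration.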
Close configuration window
Reflection Questions
1. Why is it important that unused ports be reassigned to an unused VLAN and disabled especially on access
layer switches? Discuss your answer by describing what type of attack/s can be performed and their
consequences on the network if these practices are not implemented.
On access layer switches, unused ports should be shut down and moved to an unused (parking-lot) VLAN because an open port in the default VLAN 1 is an unauthenticated entry point. Anyone with physical access can plug in a rogue device and reach the hosts in VLAN 1, or mount a switch-spoofing attack: a port left in its default dynamic DTP mode will negotiate a trunk with a device that sends DTP frames, giving the attacker access to every VLAN carried on that trunk (VLAN hopping). Double-tagging, which abuses the native VLAN of a trunk, is the other form of VLAN hopping, and is why this lab also moves the native VLAN off VLAN 1 to VLAN 333 and disables DTP. The consequences of leaving ports open are unauthorized access to data in other VLANs, rogue DHCP or spanning-tree devices causing outages, and disruption of normal operations. Disabling the port and parking it in VLAN 999 removes both the link and any useful VLAN membership, so even a port that is later brought up by mistake carries no production traffic.
2. Should port security be enabled on ports connected by trunk links? Why or why not?
Port security is normally not enabled on trunk ports. A trunk carries frames from many hosts in many VLANs, so the switch sees many source MAC addresses on that one port; with a small maximum (the default is 1) the frames of legitimate hosts would trigger violations, and in shutdown mode a single violation would err-disable the uplink and take down every VLAN it carries. Port security is meant for access ports where one, or a known few, end devices connect. Note also that port security cannot be configured on a port in dynamic DTP mode at all; the port must be statically set to access or trunk first, which is another reason to use switchport nonegotiate on trunks.
3. What is the difference between static secure and sticky secure addresses; and if you were to design a
network, why would you choose one method over the other?
Static secure addresses are entered manually with switchport port-security mac-address and stored in the running configuration. Sticky secure addresses are learned dynamically from the first device(s) seen on the port, up to the configured maximum, and converted into static entries in the running configuration, so they survive a reload once the configuration is saved. Sticky learning is usually preferred when designing a network because it removes the administrative burden of collecting and typing MAC addresses and tolerates moves and changes more easily. The trade-off is that whichever device is connected first is the one that gets trusted, so sticky learning should be enabled only after the correct device is attached, and the learned addresses should be saved and monitored. Neither method stops an attacker who spoofs the permitted MAC address, so port security is a control against casual rogue devices and MAC flooding, not a substitute for 802.1X.
4. What is the difference between the reaction of a switch to a port security violation when using shutdown mode
compared to restrict mode; and if you were to design a network, why would you choose one mode over the
other?
Cisco port security has three violation actions (protect, restrict and shutdown); this lab compares shutdown and restrict. In shutdown mode the first violating frame puts the port into err-disabled state: the port goes down, a notification (syslog and SNMP trap) is generated, the violation counter increments, and the port stays down, cutting off the permitted device as well, until an administrator issues shutdown followed by no shutdown or errdisable recovery re-enables it. In restrict mode the port stays up: frames from unknown source MAC addresses are dropped, the violation counter increments and a notification is generated for each, while the permitted device keeps working. Restrict is the less disruptive choice for a network design because a mistake or a one-off rogue device does not cause an outage for the legitimate user, but it may not be enough where the risk warrants isolating the port on the first violation; in that case shutdown is the right choice.
End of Document