
PAF- KARACHI INSTITUTE OF ECONOMICS & TECHNOLOGY

College Of Engineering

(Department of Electrical Engineering)

EE4414 – Computer Communication Network

Semester: ______________________ Date of Experiment: _____________________


Student name: __________________ Faculty Signature: ______________________
Student ID: ____________________ Remarks/Comments: ____________________
Class ID: ____________________

Lab09 Configuring Switch Security

PLOs and Bloom's Taxonomy:
  PLO2 – Problem Analysis: C4 – Analyze
  PLO8 – Ethics: P2 – Set

LAB TASK PERFORMANCE

CLO4 (90%) – Problem Analysis: apply knowledge of various routing protocols and infer a suitable one; understand IP addresses and subnetting. Moreover, be able to apply appropriate engineering techniques to enable switch security and VLANs, and understand the working of a hub.
  Excellent (75-100%): Properly and appropriately infers a suitable routing protocol, implements subnetting and does it correctly. Moreover, VLANs and switch security are implemented according to the requirements given in the task.
  Average (50-75%): Infers the proper routing protocol and implements subnetting and that protocol with minor errors that are easily corrected. Moreover, implements VLANs and switch security slightly differing from the required conditions given in the task.
  Poor (<50%): Not able to infer a suitable or proper protocol, not able to do subnetting or implement it correctly, and has no idea how to implement VLANs and switch security.

CLO6 (10%) – Lab Safety: properly handle lab infrastructure and observe safety precautions.
  Excellent (75-100%): Properly handles lab equipment and obeys safety measures.
  Average (50-75%): Moderate level of lab handling and safety measures.
  Poor (<50%): Minor or no safety measures have been considered.

Total Marks: 10
Objective:
• Become familiar with the implementation of switch security.

Switch Security:

Conventional network security often focuses on routers and on blocking traffic from the outside.
Switches are internal to the organization and designed for ease of connectivity, so often only
limited or no security measures are applied to them.
The following basic security features can be used to secure your switches and network:

▪ Physically secure the device
▪ Use secure passwords
▪ Enable port security
▪ Disable unused ports

The configuration of switch port security is not overly complex; the commands below are the ones
used when initially configuring a switchport with security.

Let’s look at how to implement and configure some of the features of switch security.

1. How to Set the Switch Name

The name is set from global configuration mode. Use the hostname [desired hostname] command to set
the name on the switch.

2. How to Configure the Privileged Exec Password


Use the enable secret command to set the password. For this activity, set the password to orbit.

SW1#configure terminal
SW1(config)#enable secret orbit
SW1(config)#
3. How to Configure Virtual Terminal (Telnet) and Console Passwords and Require Users to Login

Line passwords are used to restrict access to the switch. A Cisco switch supports a console line for
local login and VTY lines for remote login. Every supported line needs to be secured for user EXEC
mode: if, for example, you secure the VTY lines but leave the console line insecure, an intruder can
use the console to connect to the device. Once connected, all further authentication is the same for
every line, so no separate configuration is required for the other modes.
Use the following commands to secure the console and telnet:

SW1(config)#line console 0
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#line vty 0 15
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#exit
SW1(config)#

4. How to Configure Password Encryption

At this stage, the privileged EXEC password is already encrypted. To encrypt the line passwords that
you just configured, enter the service password-encryption command in global configuration mode.

SW1(config)#service password-encryption
SW1(config)#

5. How to Configure and Test the MOTD Banner

Configure the message-of-the-day (MOTD) banner using Authorized Access Only as the text. Follow these
guidelines:
1. The banner text is case sensitive. Make sure you do not add any spaces before or after the banner
text.
2. Use a delimiting character before and after the banner text to indicate where the text begins and
ends. The delimiting character used in the example below is %, but you can use any character that
is not used in the banner text.
3. After you have configured the MOTD, log out of the switch to verify that the banner displays when
you log back in.

SW1(config)#banner motd %Authorized Access Only%
SW1(config)#end
SW1#exit

6. How to Configure Port Security

Enter interface configuration mode for Fast Ethernet 0/11 and enable port security.
Before any other port security commands can be configured on the interface, port security must be
enabled.

SW1(config-if)#interface fa0/11
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security

* Notice that you do not have to exit back to global configuration mode before entering interface
configuration mode for fa0/11.

7. How to Configure the Maximum Number of MAC Addresses

To configure the port to learn only one MAC address, set the maximum to 1:

SW1(config-if)#switchport port-security maximum 1

8. How to Configure the Port to Add the MAC Address to the Running Configuration

The MAC address learned on the port can be added to (“stuck” to) the running configuration for that
port.

SW1(config-if)#switchport port-security mac-address sticky

9. How to Configure the Port to Automatically Shut Down if Port Security is Violated

If you do not configure the following command, SW1 only logs the violation in the port security statistics
but does not shut down the port.

SW1(config-if)#switchport port-security violation shutdown

Use the show mac-address-table command to confirm that SW1 has learned the MAC address for the
intended device, in this case PC1.

SW1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0060.5c4b.cd22    STATIC      Fa0/11

You can also use the show port-security interface fa0/11 command to verify a security violation:

SW1#show port-security interface fa0/11
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00E0.F7B0.086E:20
Security Violation Count   : 1
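As an added example (not part of the lab handout), the following Python script parses the output of the two show commands used above and flags a port that has tripped port security, telling you whether the last frame came from a MAC the switch has bound to the port or from an unknown one. The sample outputs embedded in it are constructed to mirror the lab's fields rather than captured from hardware, and the function and variable names are my own.

```python
"""Parse 'show port-security interface' and 'show mac-address-table' output and
flag ports that have tripped port security. Added example, not part of the lab
handout; the sample outputs are constructed to mirror the lab's fields."""
import re
from typing import Dict, List, Set, Tuple

# Constructed: a port that has seen a violation (mirrors the lab's fa0/11).
SAMPLE_FA0_11 = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00E0.F7B0.086E:20
Security Violation Count   : 1
"""

# Constructed: a healthy port, for contrast.
SAMPLE_FA0_12 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0060.5C4B.CD23:20
Security Violation Count   : 0
"""

# Constructed: mirrors the lab's 'show mac-address-table' output.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0060.5c4b.cd22    STATIC      Fa0/11
  20    0060.5c4b.cd23    STATIC      Fa0/12
"""

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+(\S+)\s+(\S+)\s*$")

def parse_port_security(text: str) -> Dict[str, str]:
    """Map each 'Key : Value' line to a dict. Split only on the padded ' : ',
    because the key 'Last Source Address:Vlan' and the MAC:VLAN value both
    contain bare colons."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        parts = re.split(r"\s+:\s+", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields

def last_source(fields: Dict[str, str]) -> Tuple[str, int]:
    """(MAC, VLAN) of the last frame the port saw, MAC normalised to upper case."""
    mac, vlan = fields["Last Source Address:Vlan"].rsplit(":", 1)
    return mac.upper(), int(vlan)

def parse_mac_table(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (vlan, MAC, type, port) for every address row, skipping headers."""
    rows: List[Tuple[int, str, str, str]] = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).upper(), m.group(3), m.group(4)))
    return rows

def secured_macs(table, port: str) -> Set[str]:
    """MAC addresses the switch has bound to the given port (name compared case-insensitively)."""
    return {mac for _, mac, _, p in table if p.lower() == port.lower()}

def port_security_findings(port: str, fields: Dict[str, str], table) -> List[str]:
    """Human-readable findings for one port; an empty list means it is healthy."""
    if fields.get("Port Security") != "Enabled":
        return [f"{port}: port security not enabled"]
    out: List[str] = []
    if fields.get("Violation Mode") != "Shutdown":
        out.append(f"{port}: violation mode {fields.get('Violation Mode')} will not disable the port")
    count = int(fields.get("Security Violation Count", "0"))
    if count > 0:
        mac, vlan = last_source(fields)
        who = "an unknown MAC" if mac not in secured_macs(table, port) else "a secured MAC"
        out.append(f"{port}: {count} violation(s); last frame from {who} {mac} on VLAN {vlan}")
    if fields.get("Port Status") == "Secure-shutdown":
        out.append(f"{port}: err-disabled; after investigating, recover with 'shutdown' then 'no shutdown'")
    return out

if __name__ == "__main__":
    mac_table = parse_mac_table(SAMPLE_MAC_TABLE)
    for name, text in (("Fa0/11", SAMPLE_FA0_11), ("Fa0/12", SAMPLE_FA0_12)):
        print(name, port_security_findings(name, parse_port_security(text), mac_table) or "OK")
```

Feed it the real output of both commands from SW1 and it reports, per port, the violation count, the offending source MAC and VLAN, and whether the port is sitting in Secure-shutdown waiting for manual recovery.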

10. How to Secure Unused Ports

Disabling unused switch ports is a simple method many network administrators use to help secure their
network from unauthorized access. Disabling an unused port stops traffic from flowing through the
port(s).

Step 1: Disable Interface Fa0/10 on SW1.

Enter interface configuration mode for FastEthernet 0/10 and shut down the port.

SW1(config)#interface fa0/10
SW1(config-if)#shutdown

Step 2: Disable Interfaces Fa0/1 to Fa0/24 on SW1

SW1(config)#interface range fa0/1-24
SW1(config-if-range)#shutdown
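Steps 1 to 10 above can be checked in bulk against a switch's running configuration. The following Python script is an added example, not the lab's own material: it parses a constructed running-config (the enable secret hash and the type-7 password strings in it are placeholders, not real values) and reports every deviation from the checklist. One caveat it handles that the steps alone do not show: IOS omits default settings from the running-config, so the absence of maximum 1 and violation shutdown means the defaults are in force, which is exactly what the lab asks for, and must not be reported as missing.

```python
"""Audit a Cisco IOS switch running-config against the lab's checklist (hostname,
enable secret, line passwords, password encryption, MOTD banner, port security,
unused ports). Added example, not part of the lab handout; the config is constructed
and its secret/password strings are placeholders."""
import re
from typing import List, Tuple

# Constructed running-config mixing correct and deficient settings.
SAMPLE_CONFIG = """\
service password-encryption
hostname SW1
enable secret 5 $1$PLHD$placeholder.not.a.real.hash
banner motd ^CAuthorized Access Only^C
!
interface FastEthernet0/10
 shutdown
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation protect
interface FastEthernet0/13
!
line con 0
 password 7 0123456789ABCD
 login
line vty 0 4
 password 7 0123456789ABCD
line vty 5 15
 login
"""

Block = Tuple[str, List[str]]

def parse_blocks(config: str) -> List[Block]:
    """IOS configs are two-level: a non-indented line opens a block and the
    space-indented lines after it are its sub-commands; '!' lines are separators."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_line(header: str, subs: List[str]) -> List[str]:
    """A line needs both a password and 'login'; otherwise it is open or unusable."""
    out = []
    if not any(s.startswith("password ") for s in subs):
        out.append(f"{header}: no password set")
    if not any(s == "login" or s.startswith("login ") for s in subs):
        out.append(f"{header}: 'login' missing, so the password is never asked for")
    return out

def audit_interface(header: str, subs: List[str]) -> List[str]:
    name = header.split(None, 1)[1]
    if "shutdown" in subs:
        return []  # disabled port: nothing else to check
    if "switchport port-security" not in subs:
        return [f"{name}: no port security and not shut down (disable it if unused)"]
    out = []
    if "switchport mode access" not in subs:
        out.append(f"{name}: port security needs a static access port")
    # Running-config omits defaults: maximum 1 and violation shutdown are exactly
    # the lab's settings, so their absence is compliant, not a finding.
    maximum, violation = 1, "shutdown"
    for s in subs:
        m = re.match(r"switchport port-security (maximum|violation) (\S+)$", s)
        if m and m.group(1) == "maximum":
            maximum = int(m.group(2))
        elif m:
            violation = m.group(2)
    if maximum > 1:
        out.append(f"{name}: allows {maximum} MAC addresses, lab requires 1")
    if violation != "shutdown":
        out.append(f"{name}: violation mode {violation} does not shut the port down")
    if "switchport port-security mac-address sticky" not in subs:
        out.append(f"{name}: learned MAC is not sticky, so it is not written to the running-config")
    return out

def audit(config: str) -> List[str]:
    """Return all findings for a running-config; an empty list means it passes."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    out = []
    hostname = next((h.split(None, 1)[1] for h in headers if h.startswith("hostname ")), "Switch")
    if hostname == "Switch":
        out.append("hostname left at the default 'Switch'")
    if not any(h.startswith("enable secret ") for h in headers):
        out.append("no enable secret: privileged EXEC mode is unprotected")
    if "service password-encryption" not in headers:
        out.append("service password-encryption missing: line passwords stored in clear text")
    if not any(h.startswith("banner motd ") for h in headers):
        out.append("no MOTD banner configured")
    for header, subs in blocks:
        if header.startswith("line "):
            out += audit_line(header, subs)
        elif header.startswith("interface "):
            out += audit_interface(header, subs)
    return out
```

Run audit() over the text of show running-config; every string it returns names the line or interface block that deviates from the checklist, and an empty result means all ten steps are in place.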
Lab Task:

1. Implement switch security using 2 PCs connected to a single switch. (Marks: 5)

Home task:
1. Implement switch security in the network given below: (Marks: 3)

2. What basic measures are taken to secure a router? (Write any 8 of them.) (Marks: 1)
