1. Command to bring port fa0/1 of switch1 up immediately (spanning-tree PortFast)
Switch1
Switch>enable
Switch#configure terminal
Switch(config)#int f0/1
Switch(config-if)#spanning-tree portfast
Switch(config-if)#end
2. Command to disable port fa0/2 of switch1
Switch1
Switch>enable
Switch#configure terminal
Switch(config)#int f0/2
Switch(config-if)#shutdown
3. Command to disable ports fa0/1 to fa0/5 of switch1
Switch1
Switch>enable
Switch#configure terminal
Switch(config)#int range fa0/1-5
Switch(config-if)#shutdown
4. Command to disable ports fa0/1, fa0/2, fa0/5 to fa0/15, and fa0/20
Switch1
Switch>enable
Switch#configure terminal
Switch(config)#interface range fa0/1 , fa0/2 , fa0/5 - 15 , fa0/20
Switch(config-if)#shutdown
5. Command to set port-security on port fa0/2 so that only Laptop1 (MAC: 00E0.B058.B1B8) can connect;
any other device connecting to this port will cause the port to be disabled
(Default: maximum 1, violation shutdown)
Switch1
Switch>enable
Switch#configure terminal
Switch(config)#interface fa0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address 00E0.B058.B1B8
Switch(config-if)#switchport port-security violation shutdown
6. Command to reset port fa0/2 to the enabled state (recover from err-disabled)
Switch1
Switch>enable
Switch#configure terminal
Switch(config)#interface fa0/2
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Switch(config-if)#end
7. Command to set port-security on port fa0/2 so that only Laptop1 (MAC: 00E0.B058.B1B8) and
Laptop2 (MAC: 000C.8573.8E44) can connect; any other device connecting to this port will be blocked
Note: the violation mode is restrict (the port stays up, but frames from other MACs are dropped and counted)
Switch1
Switch>enable
Switch#configure terminal
Switch(config)#interface fa0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address 00E0.B058.B1B8
Switch(config-if)#switchport port-security mac-address 000C.8573.8E44
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#end
8. Command to remove port-security from fa0/2 of switch1
Switch1
Switch>enable
Switch#configure terminal
Switch(config)#interface fa0/2
Switch(config-if)#no switchport mode access
Switch(config-if)#no switchport port-security
Switch(config-if)#end
9. Command to show the port-security status of all ports on switch1
Switch1
Switch>enable
Switch#show port-security
10. Command to show the port-security status of fa0/2 on switch1
Switch1
Switch>enable
Switch#show port-security interface fastEthernet 0/2
******** Lesson Switchport Hardening of Cisco ***************
CISCO SWITCH
------ to bring port fa0/2 up immediately (PortFast skips the spanning-tree listening and learning states on an access port)
interface fa0/2
spanning-tree portfast
# show ip interface brief : check the status of all interfaces on the Cisco device
------ to disable port number 2 of the Cisco switch
interface fa0/2
shutdown
------ to disable port number 1 to port number 5 of the Cisco switch
interface range fastEthernet 0/1 - 5
shutdown
------ to disable port number 1, port number 2, port number 5 to port number 15,
and port number 20
interface range fa0/1 , fa0/2 , fa0/5 - 15 , fa0/20
shutdown
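The interface range syntax above accepts a comma-separated list of single ports and "start - end" ranges. As an added example (my code, not part of the original lesson), the Python below expands such an expression into the individual interfaces it covers and emits the shutdown configuration for them, refusing anything it cannot parse so that a typo never silently disables the wrong ports. The function names and validation rules are assumptions; the sample expressions are the ones used on this page.

```python
import re

# One interface token: a letter prefix, a slot path and a port number, e.g. "fa0/1",
# "fastEthernet 0/1" or "gi1/0/24".
_IFACE_RE = re.compile(r"^([A-Za-z]+)\s*(\d+(?:/\d+)*)/(\d+)$")


def expand_interface_range(range_expr):
    """Expand an IOS 'interface range' expression into the individual interfaces.

    Accepted members (comma separated): a single port such as "fa0/2", or a range
    such as "fa0/5 - 15" / "fa0/1-5" whose end is a bare port number on the same slot.
    Raises ValueError on anything else instead of guessing.
    """
    interfaces = []
    for member in range_expr.split(","):
        member = member.strip()
        start, sep, end = member.partition("-")
        match = _IFACE_RE.match(start.strip())
        if match is None:
            raise ValueError(f"unrecognised interface: {member!r}")
        prefix, slot, first = match.group(1), match.group(2), int(match.group(3))
        if sep:  # range member such as "fa0/5 - 15"
            end = end.strip()
            if not end.isdigit() or int(end) < first:
                raise ValueError(f"bad range end in {member!r}")
            last = int(end)
        else:
            last = first
        interfaces.extend(f"{prefix}{slot}/{port}" for port in range(first, last + 1))
    return interfaces


def shutdown_commands(range_expr):
    """Return the configuration lines that disable every port in range_expr.

    The expression is expanded first purely as validation; the emitted lines keep
    IOS's own 'interface range' form, exactly as the lesson does.
    """
    expand_interface_range(range_expr)
    return [f"interface range {range_expr.strip()}", " shutdown"]


if __name__ == "__main__":
    for expr in ("fa0/1-5", "fa0/1 , fa0/2 , fa0/5 - 15 , fa0/20"):
        print(expr, "->", expand_interface_range(expr))
        print("\n".join(shutdown_commands(expr)))
```

Running it shows that the four-member expression from the lesson covers 14 ports (1, 2, 5 to 15, and 20) and that fa0/3 and fa0/4 stay untouched.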
=======================================
LAPTOP1: 0004.9AC6.EBA0
LAPTOP4: 00E0.B058.B1B8
LAPTOP5: 000C.8573.8E44
1) PORT SECURITY : dynamically learn the MAC address from the PC (sticky)
interface fa0/2
switchport mode access
switchport port-security
switchport port-security maximum 1 : (default = 1)
switchport port-security mac-address sticky
switchport port-security violation shutdown : (default = shutdown) means that when any other PC is plugged in, the port is shut down (err-disabled)
switchport port-security violation restrict : means that when any other PC is plugged in, the port link light stays green as normal, but that PC cannot access the network and each attempt is counted in the violation counter
switchport port-security violation protect : the unauthorized PC cannot use the port, but its attempts are not counted
------------- In case the port is err-disabled by violation mode shutdown (when option 1, violation shutdown, is used), re-enable it with:
interface fa0/2
shutdown
no shutdown
========================================
2) PORT SECURITY : static MAC addresses configured for the PCs
interface fa0/2
switchport mode access
switchport port-security
switchport port-security mac-address 00E0.B058.B1B8
switchport port-security mac-address 000C.8573.8E44
switchport port-security violation restrict
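Both port-security variants above (sticky learning and static MAC addresses) share the same skeleton, and the maximum must be at least the number of static addresses or the switch rejects the extra ones. As an added example (my code, not part of the lesson), the Python below builds that configuration from a list of allowed MACs, validates the MAC format and the violation mode before emitting anything, and records what each violation mode does as the lesson describes it. The function and constant names are assumptions; the MACs in the usage are the laptop addresses listed on this page.

```python
import re

# Cisco dotted-hex MAC notation as used on this page, e.g. 00E0.B058.B1B8.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")

# What the switch does with a frame from an unknown MAC in each violation mode, per the lesson:
# shutdown err-disables the port; restrict keeps the port up, drops the frame and counts it;
# protect drops the frame silently without counting.
VIOLATION_MODES = {
    "shutdown": {"port_stays_up": False, "counts_violations": True},
    "restrict": {"port_stays_up": True, "counts_violations": True},
    "protect": {"port_stays_up": True, "counts_violations": False},
}


def port_security_config(interface, allowed_macs=(), sticky=False, violation="shutdown"):
    """Return the IOS lines that restrict `interface` to the given MAC addresses.

    allowed_macs: static secure addresses (dotted hex). sticky=True adds sticky learning,
    so the first address seen is learned and written into the running configuration.
    """
    if violation not in VIOLATION_MODES:
        raise ValueError(f"unknown violation mode {violation!r}; choose from {sorted(VIOLATION_MODES)}")
    macs = [mac.upper() for mac in allowed_macs]
    bad = [mac for mac in macs if not _MAC_RE.match(mac)]
    if bad:
        raise ValueError(f"MAC addresses must look like 00E0.B058.B1B8: {bad}")
    if len(set(macs)) != len(macs):
        raise ValueError("duplicate MAC address in allow list")
    if not macs and not sticky:
        raise ValueError("no static MACs and sticky disabled: nothing would be secured")
    # The maximum must cover every static address; with sticky only, one learned address is enough.
    maximum = max(1, len(macs))
    lines = [
        f"interface {interface}",
        " switchport mode access",  # port-security is rejected on ports left in dynamic mode
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
    ]
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    lines.extend(f" switchport port-security mac-address {mac}" for mac in macs)
    lines.append(f" switchport port-security violation {violation}")
    return lines


if __name__ == "__main__":
    # The two-laptop case from the lesson: LAPTOP4 and LAPTOP5 allowed, restrict mode.
    print("\n".join(port_security_config("fa0/2", ["00E0.B058.B1B8", "000C.8573.8E44"], violation="restrict")))
```

The order matters: "switchport mode access" is emitted before "switchport port-security" because the latter is only accepted on an access port, which is also why the lesson's own command listings put it first.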
------------ Verify which ports have port-security configured
show port-security
show port-security interface fa0/2 : check the last MAC address of the PC that connected to this port, and the violation count.
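The two show commands above are how you find out whether a violation has happened and which MAC caused it. As an added example that is not part of the lesson, the Python below parses the per-interface output into fields, decides whether the port is err-disabled, checks the last seen MAC against the allow list, and returns the shutdown / no shutdown sequence from item 6 when recovery is needed. The sample output is constructed to follow the field layout of "show port-security interface" and uses the laptop MACs listed on this page; the function names are assumptions.

```python
import re

# Constructed sample of `show port-security interface fa0/2` after LAPTOP1 (not allowed)
# was plugged into a port that only permits LAPTOP4. Layout follows IOS; values are made up.
SAMPLE_SHOW_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0004.9AC6.EBA0:1
Security Violation Count   : 1
"""

# "Name   : value"; the separator is the colon that has whitespace before it, which keeps
# the "Last Source Address:Vlan" key intact.
_FIELD_RE = re.compile(r"^(.+?)\s+:\s*(.*?)\s*$")


def parse_port_security(text):
    """Turn the show output into a dict keyed by the field name as printed."""
    fields = {}
    for line in text.splitlines():
        match = _FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def assess_port(text, allowed_macs):
    """Summarise the port state and whether the last frame came from an allowed MAC."""
    fields = parse_port_security(text)
    last_mac = fields.get("Last Source Address:Vlan", "").split(":")[0].upper()
    allowed = {mac.upper() for mac in allowed_macs}
    return {
        "enabled": fields.get("Port Security") == "Enabled",
        "err_disabled": fields.get("Port Status", "").lower() == "secure-shutdown",
        "violation_mode": fields.get("Violation Mode", "").lower(),
        "violations": int(fields.get("Security Violation Count", "0")),
        "last_mac": last_mac,
        "last_mac_allowed": last_mac in allowed,
    }


def recovery_commands(interface, assessment):
    """Commands that bring an err-disabled port back (lesson item 6); empty if not needed."""
    if not assessment["err_disabled"]:
        return []
    return [f"interface {interface}", " shutdown", " no shutdown"]


if __name__ == "__main__":
    result = assess_port(SAMPLE_SHOW_OUTPUT, ["00E0.B058.B1B8"])
    print(result)
    print("\n".join(recovery_commands("fa0/2", result)))
```

Before re-enabling a port this way, the assessment's "last_mac" is the value worth recording: it tells you which device tripped the violation, which is more useful than the counter alone.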
**************** Exercise Switchport Hardening **************
CISCO SWITCH lab:
1) to bring port fa0/3 up immediately ?????
interface fa0/3
spanning-tree portfast
2) to disable port number 3 ?????
interface fa0/3
shutdown
3) to enable port number 3 ?????
interface fa0/3
no shutdown
4) to disable port number 1 to port number 3 ?????
interface range fa0/1 - 3
shutdown
5) to disable port number 1 to port number 3 and port number 5 ????
interface range fa0/1 - 3 , fa0/5
shutdown
=======================================
PORT SECURITY : Static Learn MAC Address from PC
7) Allow only the Web Server to connect to port number 3. If a violation occurs, this port should be changed to the error-disabled state. ????
(if web-server has Mac: 0060.471D.CA4E )
interface fa0/3
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 0060.471D.CA4E
switchport port-security violation shutdown
( # show port-security ; show port-security interface fa0/3 )
( Note: when you use this, please do not connect a PC that has this MAC address: 0060.471D.CA4E )
+ disable port-security
interface fa0/3
no switchport port-security
8) How to reset this port to the enabled state: ?????
interface fa0/3
shutdown
no shutdown
9) Allow only one computer to connect to port number 3. If a violation occurs,
this port should be changed to the restrict state. ????
interface fa0/3
switchport port-security violation restrict