
Cisco Switches Port Security, VLAN, and VTP

Lock Down Cisco Switch Port Security

Configuring the Port Security feature is relatively easy. In its simplest form, port security
requires going to an already enabled switch port and entering the port-security Interface Mode
command. Here’s an example:

Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

Switch(config-if)# switchport port-security
Switch(config-if)#^Z

By entering the most basic command to configure port security, we accepted the default settings:
only one MAC address is allowed, that address is learned from the first device that communicates
on this switch port, and the port is shut down if another MAC address attempts to communicate
through it. But you don't have to accept the defaults.

Port-Security Options

As you can see in the example, there are a number of other port-security commands that you can
configure. Here are some of your options:

• switchport port-security maximum {max # of MAC addresses allowed}: You can use this
  option to allow more than the default number of MAC addresses, which is one. For example,
  if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC
  addresses, one for each device. The maximum number of secure MAC addresses per port
  is 132.
• switchport port-security violation {shutdown | restrict | protect}: This command tells
  the switch what to do when the number of MAC addresses on the port has exceeded the
  maximum. The default is to shut down the port. However, you can also choose to alert the
  network administrator (restrict) or to allow traffic only from the secure MAC addresses and
  drop packets from other MAC addresses (protect).
• switchport port-security mac-address {MAC address}: You can use this option to manually
  define the MAC address allowed on this port rather than letting the port learn it dynamically.
Of course, you can also configure port security on a range of ports. Here's an example:

Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security

However, you need to be very careful with this option if you enter this command on an uplink
port that goes to more than one device. As soon as the second device sends a packet, the entire
port will shut down.
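
The options above are easiest to check across a whole switch by reading the running-config
rather than inspecting one port at a time. The following Python script is an added example,
not part of this guide or of Cisco's tooling: it parses a constructed running-config excerpt
(interface names, descriptions and the MAC address are made up for illustration), fills in the
IOS defaults described above (maximum 1, violation shutdown) wherever no explicit command is
present, and flags the two conditions this section warns about: an access port with no
port-security at all, and a trunk or uplink port that still has maximum 1 and would therefore be
shut down by the second device's MAC address.

```python
"""Audit the port-security posture of every switchport in an IOS running-config."""
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt for illustration (not captured from a real switch).
# FastEthernet0/1 mirrors the uplink warning in the text: defaults (maximum 1, shutdown)
# on a port that leads to a hub. FastEthernet0/4 has no port-security at all.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description uplink to floor hub
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 12
 switchport port-security violation restrict
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0004.00d5.285d
!
interface FastEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/1
 description trunk to core
 switchport mode trunk
 switchport port-security
!
"""


@dataclass
class PortSecurity:
    """Effective port-security settings for one interface (IOS defaults pre-filled)."""
    interface: str
    description: str = ""
    mode: str = ""                 # 'access' or 'trunk'; empty when not configured
    enabled: bool = False          # 'switchport port-security' present
    maximum: int = 1               # IOS default: one secure MAC address
    violation: str = "shutdown"    # IOS default violation mode
    static_macs: list = field(default_factory=list)


def parse_config(text):
    """Return one PortSecurity record per 'interface' stanza, in config order."""
    ports, current = [], None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = PortSecurity(interface=raw.split(None, 1)[1].strip())
            ports.append(current)
            continue
        if not raw.startswith(" "):      # '!' or any other top-level line ends the stanza
            current = None
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd.startswith("description "):
            current.description = cmd[len("description "):]
        elif cmd.startswith("switchport mode "):
            current.mode = cmd.split()[-1]
        elif cmd == "switchport port-security":
            current.enabled = True
        elif (m := re.fullmatch(r"switchport port-security maximum (\d+)", cmd)):
            current.maximum = int(m.group(1))
        elif (m := re.fullmatch(r"switchport port-security violation (\w+)", cmd)):
            current.violation = m.group(1)
        elif (m := re.fullmatch(r"switchport port-security mac-address (\S+)", cmd)):
            current.static_macs.append(m.group(1))
    return ports


def audit(ports):
    """Return (interface, finding) pairs for the conditions the text warns about."""
    findings = []
    for p in ports:
        if p.mode == "access" and not p.enabled:
            findings.append((p.interface, "access port without port-security"))
        elif p.enabled and p.maximum == 1 and (
            p.mode == "trunk" or "uplink" in p.description.lower()
        ):
            findings.append((p.interface,
                             "maximum 1 on an uplink/trunk: the second MAC address "
                             f"triggers violation mode '{p.violation}'"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{interface}: {finding}")
```

Feed it the output of show running-config from a real switch and it reports FastEthernet0/1
and GigabitEthernet0/1 as candidates for a higher maximum (or no port-security at all on a
trunk) and FastEthernet0/4 as an unprotected access port. The description heuristic is only
that: a port is an uplink because of what it connects to, not because of its description.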

View the status of port security

Once you’ve configured port security and the Ethernet device on that port has sent traffic, the
switch will record the MAC address and secure the port using that address. To find out the status
of port security on the switch, you can use the show port-security address and show port-security
interface commands. Below are examples for each command’s output:

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0004.00d5.285d    SecureDynamic       Fa0/18        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0004.00d5.285d
Security Violation Count   : 0
Switch#
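
Once several ports are secured, the show port-security interface output above is what you read
to find ports that have tripped. The Python below is an added example, not from this guide or
from Cisco: it parses a constructed terminal capture (fa0/18 reproduces the output above;
fa0/7 and fa0/9 are made-up ports with made-up MAC addresses) and reports ports that are
err-disabled (Port Status Secure-shutdown), have a non-zero violation count, or run in protect
mode, where IOS drops the offending frames without counting or logging them, so the violation
counter above stays at zero even while a second device is being blocked.

```python
"""Triage 'show port-security interface' output from a terminal capture."""
import re

# Constructed capture (not from a real switch). fa0/18 is the healthy port shown in
# the text; fa0/7 and fa0/9 are made-up ports illustrating an err-disabled port and a
# port in protect mode.
SAMPLE_SESSION = """\
Switch# show port-security interface fa0/18
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0004.00d5.285d
Security Violation Count   : 0
Switch# show port-security interface fa0/7
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Last Source Address        : 0011.2233.4455
Security Violation Count   : 1
Switch# show port-security interface fa0/9
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Last Source Address        : 0011.2233.aabb
Security Violation Count   : 0
Switch#
"""

# A privileged-EXEC prompt followed by the show command; group 1 is the interface name.
PROMPT = re.compile(r"^\S+#\s*show port-security interface (\S+)\s*$")


def parse_session(text):
    """Map each interface named in a 'show port-security interface' command to its fields."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition(":")
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return result


def triage(fields):
    """Return the reasons this port deserves an operator's attention (empty if healthy)."""
    reasons = []
    if fields.get("Port Security") != "Enabled":
        reasons.append("port-security is not enabled")
    if fields.get("Port Status") == "Secure-shutdown":
        reasons.append("port is err-disabled after a violation")
    violations = int(fields.get("Security Violation Count", "0"))
    if violations:
        reasons.append(f"{violations} violation(s) recorded; last source "
                       f"{fields.get('Last Source Address', '?')}")
    if fields.get("Violation Mode", "").lower() == "protect":
        reasons.append("protect mode drops offending frames silently; "
                       "violations are neither counted nor logged")
    return reasons


def triage_session(text):
    """Interface -> list of reasons, for every port in the capture."""
    return {iface: triage(fields) for iface, fields in parse_session(text).items()}


if __name__ == "__main__":
    for iface, reasons in triage_session(SAMPLE_SESSION).items():
        print(iface, "OK" if not reasons else "; ".join(reasons))
```

Paste in a capture that runs the command for every secured port and the healthy ones come back
empty; fa0/7 is reported twice (err-disabled and one violation from 0011.2233.4455) and fa0/9
once, for being in a mode that will never raise the counter.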

Select multiple ports to configure

Switch1>enable
Switch1#configure terminal
Switch1(config)#interface range gigabitEthernet 0/1 - 20
Switch1(config-if-range)#spanning-tree portfast
Switch1(config-if-range)#switchport mode trunk
Switch1(config-if-range)#^Z
Switch1#copy running-config startup-config
Switch1#show running-config

Set up VLAN

VLANs are Virtual LANs. They allow you to logically divide up your switched network to
improve network speed, security, and reliability. If you have other Cisco equipment in your
network, such as Cisco wireless access points or Cisco PIX firewalls, setting up your switch
correctly will give you a big return, as all the Cisco equipment is VLAN aware. What does this
mean? It means you can have two networks shared out via wireless using one access point. It also
means you can separate out sections of your network for servers, clients, VPN clients, etc., which
will greatly improve your network efficiency.

Before you begin defining VLANs on your network, first decide what the purpose is for each
VLAN. For example, let's say we have two offices: one in San Diego, and another in Los Angeles.
At each location we want to separate out servers and clients. This means we have 4 categories:

1. SD_Servers 10.100.0.0 / 255.255.0.0
2. SD_Clients 10.150.0.0 / 255.255.0.0
3. LA_Servers 10.200.0.0 / 255.255.0.0
4. LA_Clients 10.250.0.0 / 255.255.0.0

In our example, we will set up each VLAN with the above IP configuration. The IP configuration
tells the switch which network segment is where, which allows the switch to route
between VLANs.

STEP 1: Login and Setup:

1. Log in and enter Enable mode:

Switch> en
Switch#

2. Enter Configure mode:

Switch# conf t
Switch(config)#

3. Name each VLAN (the commands below name all 4 VLANs):

Switch(config)# vlan 2
Switch(config-vlan)# name SD_Servers
Switch(config-vlan)# exit
Switch(config)# vlan 3
Switch(config-vlan)# name SD_Clients
Switch(config-vlan)# exit
Switch(config)# vlan 4
Switch(config-vlan)# name LA_Servers
Switch(config-vlan)# exit
Switch(config)# vlan 5
Switch(config-vlan)# name LA_Clients
Switch(config-vlan)# exit
Switch(config)# exit
Switch#

You have now successfully set up the 4 VLANs. They are not functional yet, but let's make sure
our settings took.

1. Run the command that shows which VLANs are currently configured:

Switch# show vlan

Your output should look something like this:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/24, Gi0/1, Gi0/2
2    SD_Servers                       active
3    SD_Clients                       active
4    LA_Servers                       active
5    LA_Clients                       active
...

If you see extra VLANs you do not want, remove them as follows (XX is the number of the VLAN
you want to remove):

Switch# conf t
Switch(config)# no vlan XX
Switch(config)# exit

Now run “show vlan” again and see if the vlan has been removed.

Step 2: Assign IP Address ranges to each VLAN

Now that we have the basic VLAN infrastructure in place we need to assign gateways for each
VLAN. The gateways will inform the switch what network segments each VLAN represents. In
this case, we see that SD uses 10.100.x.x and 10.150.x.x for their network and LA uses
10.200.x.x and 10.250.x.x. In order to keep things simple, we will assume that the gateways are
10.x.x.1.

1. To assign networks to each VLAN:

Switch# conf t
Switch(config)# int vlan 2
Switch(config-if)# ip address 10.100.0.1 255.255.0.0
Switch(config-if)# exit
Switch(config)# int vlan 3
Switch(config-if)# ip address 10.150.0.1 255.255.0.0
Switch(config-if)# exit
Switch(config)# int vlan 4
Switch(config-if)# ip address 10.200.0.1 255.255.0.0
Switch(config-if)# exit
Switch(config)# int vlan 5
Switch(config-if)# ip address 10.250.0.1 255.255.0.0
Switch(config-if)# exit
Switch(config)# exit
Switch#

We have now told the switch what address range is used in each VLAN. At this point we have
created the VLANs and assigned address ranges to them. There are still three tasks left:

1. Assign ports to VLANs
2. Enable IP routing (if it is off)
3. Test

Step 3: Assign ports to VLANs

The next step is to assign the physical ports on your switch to specific VLANs. In our example
we will assign ports 0/1 to 0/10 to VLAN 2, 0/11 to 0/20 to VLAN 3, 0/21 to 0/30 to VLAN 4, and
0/31 to 0/40 to VLAN 5.

Switch# conf t
Switch(config)# int range GigabitEthernet 0/1-10
Switch(config-if-range)# switchport access vlan 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# exit
Switch(config)# int range GigabitEthernet 0/11-20
Switch(config-if-range)# switchport access vlan 3
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# exit
Switch(config)# int range GigabitEthernet 0/21-30
Switch(config-if-range)# switchport access vlan 4
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# exit
Switch(config)# int range GigabitEthernet 0/31-40
Switch(config-if-range)# switchport access vlan 5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# exit
Switch(config)# exit
Switch#

The result of the above commands is that each physical port on the switch has now been assigned
to a specific VLAN. To verify this, run "show vlan" and you will see the four port ranges
assigned to VLANs 2-5.
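
Checking the show vlan output by eye works for a handful of ports but not for forty, and a
client port landing in the server VLAN is exactly the mistake that defeats the separation this
section sets out to build. The Python below is an added example, not part of this guide or of
Cisco's tooling: it expands the intended plan from Step 3 (Gi0/1-10 in VLAN 2, and so on),
parses a constructed show vlan brief capture in which Gi0/11 has deliberately been put in
VLAN 2, and reports every port whose actual VLAN differs from the plan, plus any planned port
that does not appear in the output at all.

```python
"""Check a 'show vlan brief' capture against the intended port-to-VLAN plan."""
import re

# Intended assignment from Step 3 of the text: Gi0/1-10 -> VLAN 2, 11-20 -> 3,
# 21-30 -> 4, 31-40 -> 5.
PLAN = {2: "Gi0/1-10", 3: "Gi0/11-20", 4: "Gi0/21-30", 5: "Gi0/31-40"}

# Constructed 'show vlan brief' output (not a real capture). Gi0/11 has been
# deliberately mis-assigned to VLAN 2 so the check has something to find.
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/41, Gi0/42, Gi0/43, Gi0/44
2    SD_Servers                       active    Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/9, Gi0/10
                                                Gi0/11
3    SD_Clients                       active    Gi0/12, Gi0/13, Gi0/14, Gi0/15
                                                Gi0/16, Gi0/17, Gi0/18, Gi0/19
                                                Gi0/20
4    LA_Servers                       active    Gi0/21, Gi0/22, Gi0/23, Gi0/24, Gi0/25
                                                Gi0/26, Gi0/27, Gi0/28, Gi0/29, Gi0/30
5    LA_Clients                       active    Gi0/31, Gi0/32, Gi0/33, Gi0/34, Gi0/35
                                                Gi0/36, Gi0/37, Gi0/38, Gi0/39, Gi0/40
1002 fddi-default                     act/unsup
"""


def expand_range(spec):
    """'Gi0/1-10' -> ['Gi0/1', ..., 'Gi0/10'] (single-slot ranges only)."""
    prefix, lo, hi = re.fullmatch(r"(\S+/)(\d+)-(\d+)", spec).groups()
    return [f"{prefix}{n}" for n in range(int(lo), int(hi) + 1)]


def parse_show_vlan(text):
    """Return {port: vlan_id}, following port lists that wrap onto continuation lines."""
    port_vlan, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$", line)
        if m:                                   # new VLAN row: id, name, status, ports
            current = int(m.group(1))
            ports = m.group(4)
        elif current is not None and line.startswith(" "):
            ports = line.strip()                # continuation of the previous row's ports
        else:
            continue                            # header, ruler, or anything else
        for port in (p.strip() for p in ports.split(",")):
            if port:
                port_vlan[port] = current
    return port_vlan


def check_plan(port_vlan, plan):
    """(wrong, missing): ports in an unexpected VLAN, and planned ports absent from the output."""
    expected = {p: vid for vid, spec in plan.items() for p in expand_range(spec)}
    wrong = [(p, expected[p], port_vlan[p])
             for p in expected if p in port_vlan and port_vlan[p] != expected[p]]
    missing = [p for p in expected if p not in port_vlan]
    return wrong, missing


if __name__ == "__main__":
    wrong, missing = check_plan(parse_show_vlan(SAMPLE_SHOW_VLAN), PLAN)
    for port, want, got in wrong:
        print(f"{port}: expected VLAN {want}, found VLAN {got}")
    for port in missing:
        print(f"{port}: not present in show vlan output")
```

Each tuple in wrong reads (port, planned VLAN, actual VLAN), so the constructed capture
yields ("Gi0/11", 3, 2): a client port sitting in the server VLAN. Ports left in VLAN 1 that are
not in the plan are ignored here; whether that is acceptable depends on what is plugged into them.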

The final step is to ensure VLAN routing is turned on. To do this run the commands below:

Switch# conf t
Switch(config)# ip routing
Switch(config)# exit
Switch#

Theoretically now, assuming you have hit no problems and got no errors when entering
commands, you are finished.

It is very important to save your changes now or they will be lost on reboot:

Switch# copy run start
Switch#

Step 5: Testing

To test, plug a computer into each port and assign it a valid IP address on that subnet (i.e., if
the subnet/VLAN is 10.100.0.0 255.255.0.0, your PC would need to be 10.100.x.x / 255.255.0.0).

• First test: See if you can ping your client from the switch using the ping command. You
  can run ping directly from the Cisco interface.
  o To do so, connect a client (using an Ethernet cable) to GigabitEthernet 0/1 (VLAN 2) on
    SwitchA. Assign 10.100.255.250/255.255.0.0 to this client's Ethernet interface. Make
    sure ICMP ping is enabled on this client. Then ping 10.100.255.250 from SwitchA.
• Second test: See if you can ping the gateway from the client (i.e., client 10.100.x.x would
  ping 10.100.0.1).
  o Ping 10.100.0.1 from the client.
• Third test: See if you can ping a gateway on another segment (i.e., client 10.100.x.x
  would ping 10.200.x.1).
  o From the client, ping 10.200.0.1, the IP of VLAN 4. It should return 100%.
• Fourth test: See if you can ping a client on another segment (i.e., a client on 10.100.x.x
  would ping a client on 10.200.x.x).
  o Add another client on VLAN 4 (the 10.200.0.0/255.255.0.0 segment, gateway 10.200.0.1)
    and ping it from the first client.

If this works, you are now finished. You have successfully set up a basic Cisco Layer 3
switch with VLANs and network routing.

How to configure VTP Client and Server?

VTP (VLAN Trunking Protocol) is the protocol that propagates the information about which
VLANs exist from one switch to another switch. If VTP did not provide this information,
VLANs would have to be created on all switches individually in the network.


VTP is a Cisco proprietary protocol. The default mode of a switch is VTP server. If for any
reason the server mode has been turned off, use the following commands to turn it back on as a
VTP server.

SwitchA#vlan database
SwitchA(vlan)#vtp server
SwitchA(vlan)#exit

First create multiple VLANs with names and assign multiple ports to them, then create an 802.1q
trunk link between the two switches to allow communication between VLANs.

To create a VLAN, first enter global configuration mode, then run the following commands.

Configuration to create VLAN 2 and 3 on switch A (VTP server)

SwitchA#configure terminal
SwitchA(config)#vlan 2
SwitchA(config-vlan)#name marketing
SwitchA(config-vlan)#exit
SwitchA(config)#vlan 3
SwitchA(config-vlan)#name management
SwitchA(config-vlan)#exit
SwitchA(config)#exit

Now assign ports 2 and 3 to VLAN 2; this must be done from interface mode. Enter the following
commands to add ports 2 and 3 to VLAN 2.

SwitchA#configure terminal
SwitchA(config)#interface fastethernet 0/2
SwitchA(config-if)#switchport access vlan 2
SwitchA(config-if)#exit
SwitchA(config)#interface fastethernet 0/3
SwitchA(config-if)#switchport access vlan 2
SwitchA(config-if)#exit

Now assign ports 4 and 5 to VLAN 3. Enter the following commands to add ports 4 and 5
to VLAN 3.

SwitchA#configure terminal
SwitchA(config)#interface fastethernet 0/4
SwitchA(config-if)#switchport access vlan 3
SwitchA(config-if)#exit
SwitchA(config)#interface fastethernet 0/5
SwitchA(config-if)#switchport access vlan 3
SwitchA(config-if)#exit

Configuration of VTP client on switch B

SwitchB#vlan database
SwitchB(vlan)#vtp client
SwitchB(vlan)#vtp domain group1
SwitchB(vlan)#exit

Trunking with 802.1q

Now create an 802.1q trunk link between the two switches to allow communication between
VLANs.

On both switches, SwitchA and SwitchB, enter the following commands on the fastethernet 0/1
interface to configure it as an 802.1q trunk.

SwitchA#configure terminal
SwitchA(config)#interface fastethernet 0/1
SwitchA(config-if)#switchport trunk encapsulation dot1q
SwitchA(config-if)#switchport mode trunk
SwitchA(config-if)#end

SwitchB#configure terminal
SwitchB(config)#interface fastethernet 0/1
SwitchB(config-if)#switchport trunk encapsulation dot1q
SwitchB(config-if)#switchport mode trunk
SwitchB(config-if)#end

To verify that fastethernet 0/1 has been established as a trunk port, type show interface
fastethernet 0/1 switchport at the privileged EXEC prompt.
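
That verification is worth doing on both switches and comparing the two results, not just
confirming that one end says trunk. The Python below is an added example, not from this guide
or from Cisco: it parses constructed captures of show interfaces fastethernet 0/1 switchport
from SwitchA and SwitchB (the values are made up for illustration, and SwitchB's native VLAN has
deliberately been set to 99), confirms each end is operationally trunking with dot1q
encapsulation and statically configured as a trunk, and then compares the native VLANs, a check
this guide does not mention: untagged frames on a trunk belong to the native VLAN, so a mismatch
delivers them into different VLANs on each side of the link.

```python
"""Check both ends of an 802.1Q trunk from 'show interfaces <if> switchport' output."""
import re

# Constructed captures for illustration (not from real switches). SwitchB's native
# VLAN is deliberately 99 so the end-to-end comparison has something to report.
SWITCH_A_FA0_1 = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

SWITCH_B_FA0_1 = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (VLAN0099)
Trunking VLANs Enabled: ALL
"""

# A port on which 'switchport mode trunk' was never applied: still an access port.
ACCESS_PORT = """\
Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 2 (marketing)
Trunking Native Mode VLAN: 1 (default)
"""


def parse_switchport(text):
    """Turn 'Key: value' lines into a dict; everything after the first colon is the value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def native_vlan(fields):
    """Numeric native VLAN from a value such as '1 (default)' or '99 (VLAN0099)'."""
    m = re.match(r"(\d+)", fields.get("Trunking Native Mode VLAN", ""))
    return int(m.group(1)) if m else None


def check_trunk_end(fields):
    """Problems with a single trunk port, judged from its own switchport output."""
    problems = []
    if fields.get("Operational Mode") != "trunk":
        problems.append("not operationally trunking")
    if fields.get("Operational Trunking Encapsulation") != "dot1q":
        problems.append("encapsulation is not dot1q")
    if fields.get("Administrative Mode") != "trunk":
        problems.append("trunk mode was not statically configured")
    return problems


def check_trunk(capture_a, capture_b):
    """Problems with the trunk as a whole: each end on its own, then agreement between them."""
    a, b = parse_switchport(capture_a), parse_switchport(capture_b)
    problems = [f"SwitchA {a.get('Name')}: {p}" for p in check_trunk_end(a)]
    problems += [f"SwitchB {b.get('Name')}: {p}" for p in check_trunk_end(b)]
    if native_vlan(a) != native_vlan(b):
        problems.append(f"native VLAN mismatch: SwitchA {native_vlan(a)} "
                        f"vs SwitchB {native_vlan(b)}")
    return problems


if __name__ == "__main__":
    for problem in check_trunk(SWITCH_A_FA0_1, SWITCH_B_FA0_1) or ["trunk OK"]:
        print(problem)
```

With the two constructed captures the only finding is the native VLAN mismatch (1 versus 99);
run against ACCESS_PORT, check_trunk_end reports all three conditions, which is what you see
when the mode trunk command was entered on the wrong interface.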

Although the VLAN definitions have migrated to switch B using VTP, it is still necessary to
assign ports to these VLANs on switch B.

Now assign ports 2 and 3 to VLAN 2; this must be done from interface mode. Enter the following
commands to add ports 2 and 3 to VLAN 2.

SwitchB#configure terminal
SwitchB(config)#interface fastethernet 0/2
SwitchB(config-if)#switchport access vlan 2
SwitchB(config-if)#exit
SwitchB(config)#interface fastethernet 0/3
SwitchB(config-if)#switchport access vlan 2
SwitchB(config-if)#exit

Now assign ports 4 and 5 to VLAN 3. Enter the following commands to add ports 4 and 5
to VLAN 3.

SwitchB#configure terminal
SwitchB(config)#interface fastethernet 0/4
SwitchB(config-if)#switchport access vlan 3
SwitchB(config-if)#exit
SwitchB(config)#interface fastethernet 0/5
SwitchB(config-if)#switchport access vlan 3
SwitchB(config-if)#exit

Reference: Cisco Switches Configuration Guide