
Tuesday, March 04, 2025

CCNA Study Notes - Port Security

Port security on a Cisco IOS switch is a security feature that restricts input to an interface by limiting and identifying MAC addresses that are allowed to access the port. This helps prevent unauthorized devices from connecting to your network.

Key Concepts:

  • MAC Address Learning: The switch learns the MAC addresses of devices connected to the port.
  • Maximum MAC Addresses: You can configure the maximum number of MAC addresses allowed on a port.
  • Violation Modes: You can configure how the switch handles a security violation (when an unauthorized MAC address tries to connect).
  • Sticky MAC Addresses: This feature allows the switch to dynamically learn MAC addresses and add them to the running configuration.

Violation Modes:

  • Protect: Packets from unknown MAC addresses are dropped, but no notification is sent.
  • Restrict: Packets from unknown MAC addresses are dropped, and a notification (syslog message) is sent.
  • Shutdown: The port is placed in an error-disabled state, effectively shutting it down.

Cisco IOS Configuration Examples:

Here are some examples of how to configure port security on a Cisco IOS switch:

1. Basic Port Security:

Cisco CLI
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown

  • switchport mode access: Configures the port as an access port.
  • switchport port-security: Enables port security on the interface.
  • switchport port-security maximum 1: Limits the number of allowed MAC addresses to 1.
  • switchport port-security violation shutdown: Places the port in the error-disabled state if a violation occurs.

2. Configuring Specific MAC Addresses:

Cisco CLI
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 000A.95BD.6842
 switchport port-security mac-address 000B.96CE.7953
 switchport port-security violation restrict

  • switchport port-security mac-address <MAC address>: Specifies a statically allowed MAC address (one command per address).
  • switchport port-security violation restrict: Configures the port to drop traffic from unknown MAC addresses and send a syslog notification upon violation.

3. Using Sticky MAC Addresses:

Cisco CLI
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation protect

  • switchport port-security mac-address sticky: Enables sticky MAC addresses. The switch will dynamically learn the MAC address of the first device that connects and add it to the running configuration.
  • switchport port-security violation protect: Configures the port to silently drop traffic from unknown MAC addresses upon violation, without sending a notification.

4. Configuring Maximum MAC addresses with sticky MAC addresses:

Cisco CLI
interface GigabitEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

  • This configuration allows the first 3 MAC addresses learned on the port to connect and adds them to the running configuration; a fourth address triggers the shutdown violation mode.

Verification Commands:

  • show port-security interface <interface>: Displays port security settings for a specific interface.
  • show port-security address: Displays all secure MAC addresses on the switch.
  • show running-config interface <interface>: Shows the configuration of a specific interface, including sticky MAC addresses.

Important Considerations:

  • Port security is most effective on access ports.
  • Carefully plan your violation mode based on your security requirements.
  • Use sticky MAC addresses with caution, as they can lead to configuration issues if devices are frequently moved.
  • Regularly monitor port security logs and alerts.
  • When using sticky MAC addresses, remember to use the copy run start command to save the learned MAC addresses to the startup configuration, so that they are restored after a switch reboot.
  • If you are using a voice VLAN, ensure that you configure port security for the voice VLAN as well as the data VLAN.
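The considerations above are easy to check by hand on one switch and tedious on fifty. The script below is an added example for these notes, not Cisco code: it parses the interface blocks of a running-config (a constructed sample is embedded; the interface names, MAC addresses and voice VLAN number are made up) and reports the conditions the notes warn about: access ports with no port security, the silent protect mode, sticky addresses that exist only in the running configuration, and voice-VLAN ports whose maximum of 1 leaves no room for both the phone and the PC. The defaults it assumes when a command is absent (maximum 1, violation shutdown) are the IOS defaults.

```python
"""Audit port-security settings in a Cisco IOS running-config (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of what 'show running-config' prints for six ports.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 000A.95BD.6842
 switchport port-security mac-address 000B.96CE.7953
 switchport port-security violation restrict
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
 switchport port-security violation protect
!
interface GigabitEthernet0/4
 switchport mode access
 switchport voice vlan 100
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/5
 switchport mode access
!
interface GigabitEthernet0/6
 switchport mode trunk
!
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


@dataclass
class PortSecurity:
    name: str
    mode: Optional[str] = None        # 'access', 'trunk' or None when not set
    enabled: bool = False
    maximum: int = 1                  # IOS default when no 'maximum' line
    violation: str = "shutdown"       # IOS default when no 'violation' line
    static_macs: List[str] = field(default_factory=list)
    sticky: bool = False
    sticky_macs: List[str] = field(default_factory=list)  # learned, saved in running-config
    voice_vlan: Optional[int] = None


def parse_config(text: str) -> Dict[str, PortSecurity]:
    """Walk the config line by line; indented lines belong to the current interface."""
    ports: Dict[str, PortSecurity] = {}
    current: Optional[PortSecurity] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = PortSecurity(name=line.split(None, 1)[1])
            ports[current.name] = current
            continue
        if current is None or not line.startswith(" "):
            current = None            # '!' or any top-level line ends the block
            continue
        words = line.split()
        if words[:2] == ["switchport", "mode"]:
            current.mode = words[2]
        elif words[:3] == ["switchport", "voice", "vlan"]:
            current.voice_vlan = int(words[3])
        elif words[:2] == ["switchport", "port-security"]:
            rest = words[2:]
            if not rest:
                current.enabled = True
            elif rest[0] == "maximum":
                current.maximum = int(rest[1])
            elif rest[0] == "violation":
                current.violation = rest[1]
            elif rest[0] == "mac-address" and rest[1] == "sticky":
                current.sticky = True
                if len(rest) > 2 and MAC_RE.match(rest[2]):   # learned sticky address
                    current.sticky_macs.append(rest[2].lower())
            elif rest[0] == "mac-address" and MAC_RE.match(rest[1]):
                current.static_macs.append(rest[1].lower())   # static secure address
    return ports


def audit(ports: Dict[str, PortSecurity]) -> Dict[str, List[str]]:
    """Return the findings per interface; an empty list means nothing to report."""
    findings: Dict[str, List[str]] = {}
    for name, p in ports.items():
        issues: List[str] = []
        if p.mode != "access":
            issues.append("not an access port: port security not audited")
        elif not p.enabled:
            issues.append("access port without port security")
        else:
            if p.violation == "protect":
                issues.append("violation mode protect drops silently (no syslog)")
            if p.voice_vlan is not None and p.maximum < 2:
                issues.append(f"voice VLAN {p.voice_vlan} but maximum {p.maximum}: "
                              "phone and PC both need a secure address")
            if p.sticky_macs:
                issues.append(f"{len(p.sticky_macs)} sticky address(es) only in running-config; "
                              "use 'copy run start' so they survive a reload")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(parse_config(SAMPLE_CONFIG)).items():
        print(port, "-", "; ".join(issues) if issues else "ok")
```

Feed it the output of show running-config captured from a real switch; interfaces with no findings are printed as ok, and the sticky finding disappears once the learned addresses have been saved and the config re-collected.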

Port security is a valuable tool for enhancing network security by controlling device access at the port level.

Checkout free CCNA study notes at tutorialsweb.com

Monday, February 08, 2016

Various CCNA Certs Offered by Cisco

Cisco offers various flavors of CCNA Certification. These are given below:
  • CCNA Routing and Switching -- The basic CCNA certification, which has been around since the inception of the CCNA program.
  • CCNA Cloud -- Focused on provisioning and management of cloud environments along with cloud administration and reporting. Candidates should possess a basic understanding of cloud based infrastructure as well as skills required to manage infrastructure as a service (IaaS) deployments.
  • CCNA Collaboration -- Skills include collaboration and video, including integration with mobile apps and data, video, and voice.
  • CCNA Data Center -- Learn to work in data centers, to support, maintain and manage data center networks and services.
  • CCNA Industrial -- Suitable to professionals in the industrial roles (process control or manufacturing) where IT and industrial networks converge.
  • CCNA Security -- Tests the candidate's ability to develop security infrastructures, identify and mitigate security risks, and maintain integrity and availability of the LAN/WAN networks and network devices.
  • CCNA Service Provider -- Certified professionals will be able to act as Tier 1 support engineers in a troubleshooting role within carrier-class NGN core network infrastructures, including incident handling, plus fault, configuration, change and performance management procedures, in an environment where network management systems (NMS) and ticketing tools are in everyday use.
  • CCNA Wireless -- The certificate holder will be able to support and manage WLAN systems.

Sunday, November 08, 2015

CCNA Security 640-554 Retiring Soon!


As per the Cisco website, CCNA Security (640-554 IINS) is retiring soon (30th Nov. 2015). The new version of the exam has the code 210-260 IINS. Those preparing with the older objectives may need to pass the exam before the specified date. For practice tests, check out the CCNA Security Practice Tests home page for more information. You may download the free demo version here.
Available products -
Network Simulators: CCNA NetSim, CCENT NetSim, Juniper NetSim, and others
Exam Simulators: CCNA, CCDA, CCENT, ICND2, CCNP Route CCNP Switch, and others.

Saturday, February 21, 2015

SimulationExams Releases CCNA Security Practice Tests


SimulationExams.com released Cisco Certified Network Associate Security, Cisco CCNA Security practice tests for thorough exam preparation. The practice tests consist of 250+ questions with detailed answers. The question types offered by the simulator include Multiple Choice Single Answer (SA), Multiple Choice Multi Answer (MA), Drag and Drop (DnD), and testlets. Router simulations will be added soon. Upgrades are free for one year from the date of purchase.

The Cisco CCNA Security Certification simulator mimics the actual exam with a similar difficulty level and exam environment. Further, the test engine offers two modes: Learn mode and Exam mode. Learn mode is useful for candidates to step through the questions and learn the concepts behind each question. Exam mode is useful for final exam preparation.

The CCNA Security practice exam objectives include the following:

1. Common Security Threats
2. Security and Cisco Routers
3. IOS Access Control Lists
4. Authentication, Authorization, and Accounting on Cisco Devices
5. Secure Network Management and Reporting
6. Common Layer 2 Attacks
7. Cisco Firewall Technologies
8. Cisco Intrusion Prevention System
9. Virtual Private Network Technologies

Category-wise scoring is available, and candidates will be able to repeat the exam with bookmarked questions.
CCDA practice tests home page: http://www.simulationexams.com/exam-details/ccda.htm
CCDA practice questions: http://www.simulationexams.com/SampleQuestions/ccda_q1.htm
CCDA exam simulator download: http://www.simulationexams.com/downloads/cisco-tests/ccda/ccda-practicetest-download.htm

About CCNA Security: Cisco CCNA Security is among the most widely recognised certifications in the field of computer network security using routers and switches. CCNA Security candidates will be able to harden networks for small and large organizations.
Prerequisites: A valid CCENT or a valid CCNA Routing and Switching or any CCIE certification can act as a prerequisite.
Other practice tests available from CertExams include CCNA, CCENT, CCDA, CCNP, ICND2, A+ Essentials, and Network+. Please visit the website for the complete list of available practice tests.
SimulationExams.com is a group website of Anand Software and Training, a privately held company, based in Bangalore, India.