5.3.1.1 Switch Trio Instructions - Answers

5.3.1.1 Switch Trio (Instructor Version – Optional Lab)

Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only. Optional activities are designed to enhance understanding and/or to provide additional practice.

Objective

Verify the Layer 2 configuration of a switch port connected to an end station.

Students will use Packet Tracer to configure the first three ports of a switch with a permanent MAC address (one MAC address per port) and the security shutdown feature. They will validate the security implementation and explain the process to another student or to the class (Instructor choice).

Scenario

You are the network administrator for a small- to medium-sized business. Corporate headquarters for your business has mandated that on all switches in all offices, security must be implemented. The memorandum delivered to you this morning states:

“By Monday, April 18, 20xx, the first three ports of all configurable switches located in all offices must be secured with MAC addresses — one address will be reserved for the PC, one address will be reserved for the laptop in the office, and one address will be reserved for the office server.

If a port’s security is breached, we ask you to shut it down until the reason for the breach can be certified.

Please implement this policy no later than the date stated in this memorandum. For questions, call 1.800.555.1212. Thank you. The Network Management Team”

Work with a partner in the class and create a Packet Tracer example to test this new security policy. Once you have created your file, test it with at least one device to ensure that the policy is operational and validated.

Save your work and be prepared to share it with the entire class. (Instructor choice)

Reflection

  1. Why would only one port on a switch be secured using these scenario parameters (and not all the ports on the same switch)? __________________
    Answers will vary – students may mention that securing every port on a switch would make it difficult for many users to connect to the switch, therefore limiting port use to certain pieces of equipment – laptop mobility might be compromised, as users would not be able to connect to the switch unless they knew which port they were allowed to use.
  2. Why would a network administrator use a network simulator to create, configure, and validate a security plan, instead of using the small- to medium-sized business’ actual, physical equipment? __________________
    Using a network simulator saves time and protects the quality of network data delivery, because new configurations are pre-tested and validated before they are applied to the production equipment.

Original Physical Topology (for concept representation only)

After configuring port security for the Printer, Server and Laptop – all devices are reporting to the switch on their correct ports.

Switch# show port-security address
               Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports               Remaining Age
                                                                     (mins)
----    -----------       ----                -----               -------------
   1    00E0.B02B.B6BC    SecureSticky        FastEthernet0/1           -
   1    00E0.F766.AC90    SecureSticky        FastEthernet0/2           -
   1    00D0.BC9D.C76A    SecureSticky        FastEthernet0/3           -
-------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Output showing port security status for Fa0/1:

Switch# show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00E0.B02B.B6BC:1
Security Violation Count   : 0

Topology Change with Security Violation (for concept representation only)

After exchanging the original Printer with a new one, Fa0/1 shuts down on the switch.
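The Cisco IOS configuration that produces the sticky entries shown above, followed by the steps an administrator takes to recover Fa0/1 once the breach has been certified, as an added example (not part of the original lab; the interface names and the MAC address 00E0.B02B.B6BC are taken from the output above, and the static address in the commented alternative is a placeholder):

```cisco
! Added example: port security on the first three ports, matching the
! "show port-security" output above.
Switch> enable
Switch# configure terminal
Switch(config)# interface range fastEthernet 0/1 - 3
! Port security is only accepted on access ports, not on dynamic (DTP) ports.
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security
! One MAC address per port, as the memorandum requires.
Switch(config-if-range)# switchport port-security maximum 1
! Learn the first source address seen on each port and keep it as a sticky
! entry; this produces the "SecureSticky" type shown in the table above.
Switch(config-if-range)# switchport port-security mac-address sticky
! A frame from any other source MAC err-disables the port (Secure-shutdown).
Switch(config-if-range)# switchport port-security violation shutdown
Switch(config-if-range)# end
! Alternative to the sticky line for a port whose reserved address is known in
! advance (e.g. the office server): enter it statically. Placeholder MAC shown.
!   Switch(config-if)# switchport port-security mac-address 0000.1111.2222
!
! Sticky addresses exist only in the running configuration until saved.
Switch# copy running-config startup-config
!
! Verification commands used for the output above.
Switch# show port-security address
Switch# show port-security interface fastEthernet 0/1
!
! Recovery after the printer swap: the old sticky address must be removed,
! otherwise the new printer's MAC violates again as soon as the port comes up.
Switch# configure terminal
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# no switchport port-security mac-address sticky 00E0.B02B.B6BC
! Bounce the err-disabled port so it can learn the replacement device.
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# show port-security interface fastEthernet 0/1
```

After the bounce, the Security Violation Count for the interface shows how many breaches occurred, which is the evidence to keep for the certification step the memorandum asks for.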

Instructor Note: Identify elements of the model that map to IT-related content:

  • Switches can be secured by assigning MAC addresses to any or all ports, either manually (a configured address) or by letting the switch learn and keep the address through its configuration.
  • LAN switch ports can be shut down if security on the port is breached.
  • Network administrators can implement best practice policies devised by management to ensure that networks are not compromised through security attacks.