Lesson 5 of 5

Security Hardening Challenge

Lab Objectives

  • Apply a basic device security hardening checklist to routers and switches in the base topology (interface hygiene, administrative descriptions, and port-security).
  • Configure and verify EIGRP for basic connectivity so security changes can be tested end-to-end.
  • Use switchport port-security (sticky) on access ports so MAC-to-port bindings are learned and retained in the running config.

ASCII Topology (use this EXACT topology; every interface IP shown)

                    [Internet]
                   203.0.113.1
                        |
                   R1 (Gateway)
                  Gi0/0: 10.10.10.1
                  Gi0/1: 10.10.20.1
                  Gi0/2: 10.10.30.1
                  /        |        \
               R2          R3          R4
   Gi0/0: 10.10.10.2   Gi0/0: 10.10.20.2   Gi0/0: 10.10.30.2
   Gi0/1: 10.10.40.1        |
              /  \          |
           S1    S2        S3
          /  \    |       /  \
        PC1  PC2 PC3    PC4  PC5

Tip: Think of port-security sticky like "the switch memorizes the first tenant who sits in a chair and writes that tenant's name into the guest book (running-config)." That prevents unknown devices from taking the place later.

Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.

Task 1: Configure router interfaces and basic EIGRP

Assign the IPs on R1–R4 as shown in the topology, enable the interfaces, set hostnames, and run EIGRP AS 111 so all 10.10.x.0 networks are reachable.

  • R1: Gi0/0 10.10.10.1, Gi0/1 10.10.20.1, Gi0/2 10.10.30.1
  • R2: Gi0/0 10.10.10.2, Gi0/1 10.10.40.1
  • R3: Gi0/0 10.10.20.2
  • R4: Gi0/0 10.10.30.2

(Do NOT apply any other features yet — just interfaces and EIGRP.)

Task 2: Apply interface hygiene on switches

On S1, S2 and S3:

  • Add a descriptive interface description on each access port and on the uplink.
  • Put each of those ports in access mode and enable port-security with sticky learning on the PC-facing access ports and on the uplink to the router, so learned MACs are written into the running-config.

Parameters:

  • Limit learned MACs on PC-facing ports to 2 (typical small office); leave the uplink at the default of 1, since the only MAC it should ever see is the router's.
  • Use sticky learning on all access ports and on the uplink. (This is safe here only because each switch has a single router behind a single uplink; do not apply port-security to trunks or uplinks that carry many MACs.)

Task 3: Verify and validate reachability

  • From a router, ping a PC attached to a switch behind another router (for example, a PC in 10.10.40.0/24 behind R2) once EIGRP has converged.
  • Show that sticky MAC entries appear in the running-config and that the port-security table shows learned MACs.

Think About It: Why is it important to verify network connectivity after hardening changes (for example, after enabling port-security) before you consider the device secure?


Lab Solution

Task 1 Solution: Configure router interfaces and basic EIGRP

What we are doing: We will set hostnames, configure the interface IP addresses (exactly as in the topology), bring them up with no shutdown, and enable EIGRP AS 111 with one network statement and wildcard mask per connected /24 so routing is established between routers. EIGRP is used here to provide simple, fast convergence for the lab networks.

! On R1
hostname R1
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.10.20.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 ip address 10.10.30.1 255.255.255.0
 no shutdown
!
router eigrp 111
 no auto-summary
 network 10.10.10.0 0.0.0.255
 network 10.10.20.0 0.0.0.255
 network 10.10.30.0 0.0.0.255

Repeat the same pattern on R2 (Gi0/0 10.10.10.2, Gi0/1 10.10.40.1, networks 10.10.10.0 and 10.10.40.0), R3 (Gi0/0 10.10.20.2, network 10.10.20.0) and R4 (Gi0/0 10.10.30.2, network 10.10.30.0).

What just happened:

  • hostname R1 — sets the device identity for easier management and logging.
  • interface Gi0/0 & ip address ... — assigns the IP for the R1–R2 link, and similarly for the other Gi interfaces.
  • no shutdown — administratively enables the interfaces (router interfaces default to shutdown on IOS).
  • router eigrp 111 / network ... — starts EIGRP with AS 111 and enables it on every interface whose address falls inside a network/wildcard pair. The wildcard matters: network 10.10.10.0 typed without one is stored as the classful network 10.0.0.0, which would run EIGRP on every 10.x.x.x interface the router ever gets. Matching each /24 explicitly keeps hellos off interfaces that should not peer. On R2, also consider passive-interface GigabitEthernet0/1 so no hellos are sent into the PC LAN, where a rogue host could otherwise try to form an adjacency.

Verify:

R1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.10.10.1      YES manual up                    up
GigabitEthernet0/1         10.10.20.1      YES manual up                    up
GigabitEthernet0/2         10.10.30.1      YES manual up                    up
R1# show ip route
Codes: C - connected, S - static, D - EIGRP, ...
C    10.10.10.0/24 is directly connected, GigabitEthernet0/0
C    10.10.20.0/24 is directly connected, GigabitEthernet0/1
C    10.10.30.0/24 is directly connected, GigabitEthernet0/2
D    10.10.40.0/24 [90/...] via 10.10.10.2, ...

WHY this matters: Without correct IPs and an IGP like EIGRP, traffic between switches and routers won't route — hardening could appear to break connectivity unless routing is in place first.


Task 2 Solution: Apply interface hygiene and port-security (sticky)

What we are doing: On each switch (S1, S2, S3) we add descriptive text on interfaces so operators know their purpose, put the ports in access mode (IOS rejects port-security on a port whose mode is still dynamic), and enable port-security with the sticky option so MACs learned on the port are written into the running-config as secure addresses. Those entries survive a reload only if you save the configuration. With the default violation mode (shutdown), a frame from any other MAC err-disables the port, which blocks casual MAC spoofing and enforces which devices can use each access port.

Example shown for S1 (repeat the same pattern for S2 and S3, adjusting interface numbers to match the actual lab port mapping):

! On S1
hostname S1
interface Ethernet1/0
 description Uplink to R2 Gi0/1 (10.10.40.1)
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface range Ethernet1/3 - 4
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface Ethernet1/3
 description PC1
!
interface Ethernet1/4
 description PC2

What just happened:

  • interface Ethernet1/0 / interface range Ethernet1/3 - 4 — selects one interface or a range; the range form configures several ports identically (IOS expects only the ending port number after the dash).
  • description ... — documents the purpose of each port individually; operationally important so admins know what each port connects to.
  • switchport mode access — forces access mode; port-security is rejected on a port left in dynamic (DTP) mode.
  • switchport port-security — enables the feature on the port with its defaults: maximum 1 secure MAC, violation mode shutdown.
  • switchport port-security maximum 2 — raises the limit on the PC-facing ports to the 2 MACs the lab allows; the uplink keeps the default of 1.
  • switchport port-security mac-address sticky — tells the switch to learn the MAC addresses seen on the port and add them to the running-config as secure sticky addresses. Sticky is useful because you do not need to pre-collect MACs; the switch learns them from the first frames it sees and keeps them until you remove them (or until a reload discards an unsaved running-config).

Verify:

S1# show running-config interface Ethernet1/3
interface Ethernet1/3
 description PC1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.11bb.0001
!
S1# show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
   1    00aa.11bb.0001    STATIC      Eth1/3
   1    00aa.11bb.0002    STATIC      Eth1/4
   1    00aa.22cc.0001    STATIC      Eth1/0
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    00aa.11bb.0001    SecureSticky                  Eth1/3       -
   1    00aa.11bb.0002    SecureSticky                  Eth1/4       -
   1    00aa.22cc.0001    SecureSticky                  Eth1/0       -

The sticky line carrying a MAC appears only after that device has sent a frame; until then the port shows no secure address. The MACs above are placeholders for this lab. Sticky entries show as STATIC (not DYNAMIC) in the MAC address table, which is a quick way to confirm they are secure addresses.

WHY this matters: Sticky mode is a practical compromise — you gain the protection of port-security while letting the switch learn deployed devices automatically. The learned entries live only in the running-config, so in production you verify them after deployment and then save them with copy running-config startup-config (or write memory) so they survive a reload; from that point a device swap is a violation rather than a silent relearn.
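As an added example (not part of the original lab or of any Cisco tool), the following Python script audits a switch running-config against exactly this checklist: every port must be in access mode with port-security and sticky learning enabled, PC-facing ports must allow 2 MACs, and the learned sticky MACs must match an inventory. The configuration text, the port list and the MAC inventory are constructed for the example (the MACs are the lab's placeholder values plus one invented extra address on Eth1/4).

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `show running-config` on S1 after sticky learning (added
# example data, not lab output). Eth1/4 was left at the default maximum of 1 and
# has picked up a second, unexpected MAC; Eth1/5 has no port-security at all.
SAMPLE_RUNNING_CONFIG = """\
hostname S1
!
interface Ethernet1/0
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.22cc.0001
!
interface Ethernet1/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.11bb.0001
!
interface Ethernet1/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.11bb.0002
 switchport port-security mac-address sticky 00aa.11bb.00ff
!
interface Ethernet1/5
 switchport mode access
!
"""

# Assumed inventory (hypothetical MACs): which secure MAC belongs on which port.
EXPECTED_MACS = {
    "Ethernet1/0": {"00aa.22cc.0001"},
    "Ethernet1/3": {"00aa.11bb.0001"},
    "Ethernet1/4": {"00aa.11bb.0002"},
}
PC_PORTS = {"Ethernet1/3", "Ethernet1/4"}  # ports that get the lab's maximum of 2

@dataclass
class PortState:
    name: str
    access_mode: bool = False
    port_security: bool = False
    sticky: bool = False
    maximum: int = 1  # IOS default when no "maximum" line is present
    sticky_macs: set = field(default_factory=set)

def parse_interfaces(config: str) -> dict:
    """Split running-config text into one PortState per interface block."""
    ports, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # top-level line: start of a block or "!"
            m = re.match(r"interface (\S+)", raw)
            current = ports.setdefault(m.group(1), PortState(m.group(1))) if m else None
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd == "switchport mode access":
            current.access_mode = True
        elif cmd == "switchport port-security":
            current.port_security = True
        elif cmd == "switchport port-security mac-address sticky":
            current.sticky = True  # sticky learning enabled on this port
        elif m := re.match(r"switchport port-security mac-address sticky (\S+)", cmd):
            current.sticky_macs.add(m.group(1))  # a learned sticky address
        elif m := re.match(r"switchport port-security maximum (\d+)", cmd):
            current.maximum = int(m.group(1))
    return ports

def audit(config: str, expected: dict, pc_ports: set, pc_max: int = 2) -> list:
    """Return (interface, finding) pairs; an empty list means the checklist is met."""
    findings = []
    ports = parse_interfaces(config)
    for name, port in ports.items():
        if not port.access_mode:
            findings.append((name, "not in access mode; IOS rejects port-security on dynamic ports"))
        if not port.port_security:
            findings.append((name, "port-security not enabled"))
            continue
        if not port.sticky:
            findings.append((name, "sticky learning not enabled"))
        if name in pc_ports and port.maximum != pc_max:
            findings.append((name, f"maximum is {port.maximum}, lab requires {pc_max}"))
        for mac in sorted(port.sticky_macs - expected.get(name, set())):
            findings.append((name, f"unexpected sticky MAC {mac}"))  # moved or rogue device
        for mac in sorted(expected.get(name, set()) - port.sticky_macs):
            findings.append((name, f"expected MAC {mac} not learned yet"))
    for name in expected:
        if name not in ports:
            findings.append((name, "in inventory but absent from running-config"))
    return findings
```

Calling audit(SAMPLE_RUNNING_CONFIG, EXPECTED_MACS, PC_PORTS) reports Eth1/4 twice (wrong maximum, unexpected MAC 00aa.11bb.00ff) and Eth1/5 once (no port-security); a compliant switch returns an empty list. To use it on real gear, paste the output of show running-config into SAMPLE_RUNNING_CONFIG (or read it from a file) and fill EXPECTED_MACS and PC_PORTS from your own inventory; an "unexpected sticky MAC" finding is exactly the moved or rogue device that port-security is meant to catch.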


Task 3 Solution: Verify end-to-end reachability

What we are doing: Ensure that EIGRP formed an adjacency on each of R1's three links and that PCs (represented here by learned MACs on switches) are reachable across the network.

Commands and expected output (10.10.40.10 is an assumed PC address on the 10.10.40.0/24 LAN behind R2; use whatever address your PC actually has):

R1# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(111)
H   Address          Interface       Hold Uptime   SRTT   RTO  Q  Seq
2   10.10.30.2       Gi0/2           12   00:02:01  18     1000 0  9
1   10.10.20.2       Gi0/1           14   00:02:08  22     1000 0  10
0   10.10.10.2       Gi0/0           13   00:02:15  20     1000 0  12
R1# ping 10.10.40.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.40.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms
S1# show running-config | include sticky
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.22cc.0001
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.11bb.0001
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.11bb.0002
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Eth1/0              1            1                  0         Shutdown
      Eth1/3              2            1                  0         Shutdown
      Eth1/4              2            1                  0         Shutdown
---------------------------------------------------------------------------

What just happened: R1 shows an adjacency to each of R2, R3 and R4, the ping to the remote PC subnet succeeds, and the switch running-config contains both the sticky keyword and one learned sticky MAC per port, with a violation count of zero on every secured port. Together these confirm that hardening did not break routing and that the MAC bindings are present. If a neighbor is missing, check that both ends have a network statement covering the link and that the interfaces are up.


Troubleshooting Scenario

Scenario: PC1 cannot reach PC3 (on another switch)

Symptom: Ping from PC1 to PC3 fails; however pings from R1 to R2's Gi0/1 (10.10.40.1), the gateway for both switches, succeed, so routing is fine and the problem is at layer 2.

Your task: Find and fix the issue.

Hint: Check port-security learned addresses and ensure the correct PCs' MACs are allowed on their access ports.

Solution:

  • On the switch where PC1 is attached, check the port's state and the secure addresses:
S1# show port-security interface Ethernet1/3
S1# show port-security address
  • A Port Status of Secure-shutdown with a non-zero Security Violation Count (the offending MAC is shown under Last Source Address:Vlan) means a frame arrived from a MAC other than the learned sticky one, and the default violation mode err-disabled the port. Remove the stale sticky entry, then bounce the port to clear the err-disabled state and let sticky learn the device that is really there:
S1(config)# interface Ethernet1/3
S1(config-if)# no switchport port-security mac-address sticky 00aa.11bb.0001
S1(config-if)# shutdown
S1(config-if)# no shutdown
  • Verify with show port-security address and show mac address-table (the new entry should appear as SecureSticky / STATIC), then retest the ping.

Explanation: If the MAC recorded for that port does not match the PC's MAC (for instance, after a move or a NIC swap), port-security blocks the traffic. In the default shutdown mode the whole port goes err-disabled and stays down until it is bounced; in restrict mode the port stays up but frames from the unknown MAC are dropped and logged. Removing or updating the sticky entry and then relearning fixes it.


Verification Checklist

  • Router interfaces configured with correct IPs and are up (use show ip interface brief).
  • EIGRP AS 111 running and neighbors formed (show ip eigrp neighbors).
  • Switch access ports in access mode with switchport port-security, maximum 2 on the PC-facing ports, and mac-address sticky.
  • Sticky MAC entries visible in the running-config (one sticky line per learned MAC) and via show port-security address, with a zero violation count in show port-security.
  • End-to-end ping tests between sample hosts succeed.

Common Mistakes

Symptom | Cause | Fix
------- | ----- | ---
Pings fail between PCs on different switches | Router interfaces down or no EIGRP adjacency | show ip interface brief; no shutdown on down interfaces; ensure the router eigrp 111 network statements (with wildcard masks) cover each link
"Command rejected" when enabling port-security | Port is still in dynamic (DTP) mode | switchport mode access first, then switchport port-security
Sticky MAC not learned | Port was administratively down, err-disabled, or the device has not sent a frame yet | Bring the port up and generate traffic (e.g. ping from the PC) so the switch can learn the MAC
Port reports a security violation or goes err-disabled | A device with a different MAC connected after the initial sticky learning, or a PC-facing port was left at the default maximum of 1 | Remove the stale sticky MAC from the running-config, check the maximum, then shutdown / no shutdown the port so the correct device is relearned

Challenge Task

Without step-by-step guidance, extend this hardening:

  • Persist the sticky MAC addresses to the startup-config and then intentionally move PC2 to another port and observe the port-security violation and how to remediate it. Document the exact commands you used to persist and to fix the violation.

Real-world insight: In production networks you often roll out sticky port-security in monitored phases. Start with violation mode restrict, which keeps the port up, drops frames from unexpected MACs and logs and counts the violation, and compare the learned addresses against your inventory; move to the default shutdown mode only once that inventory is complete. Avoid protect mode, which drops silently with no log. Phasing it this way reduces outages caused by legitimate device moves.