## **Objective** Implementation of **access and port-based security** on network devices to ensure: - only **HQ1-SRV1 (10.10.100.101)** may access **IR1 and IR2 via SSH** - **Port Security** is enabled on HQ1-CLI1 and HQ2-CLI1 access ports (VoIP-ready) - **VLAN 102** cannot access **HQ1-SRV1**, without impacting existing server communication - Port Security violation modes are correctly understood and documented --- ## **1. Restrict SSH Access on IR1 and IR2** ### **Design** - Allowed source: **10.10.100.101 only** - Protocol: SSH - Enforced via VTY ACL - Telnet disabled ### **Configuration (IR1 & IR2)** Define ACL: ``` ip access-list standard SSH_ONLY_HQ1_SRV1 permit 10.10.100.101 deny any ``` Apply to VTY: ``` line vty 0 15 access-class SSH_ONLY_HQ1_SRV1 in transport input ssh login local ``` --- ## **2. Port Security (HQ1-CLI1 / HQ2-CLI1)** ### **Design** - Supports **IP Phone + PC** - Maximum MAC addresses: **2** - MAC addresses learned dynamically (sticky) - Violation mode: **shutdown** - Auto-recovery after 180 seconds - Syslog message on violation ### **Configuration Example** ``` interface GigabitEthernet0/3 switchport mode access switchport access vlan 101 switchport port-security switchport port-security maximum 2 switchport port-security violation shutdown switchport port-security mac-address sticky ``` Global recovery: ``` errdisable recovery cause psecure-violation errdisable recovery interval 180 ``` --- ## **3. Port Security Violation Modes (Overview)** Cisco supports three violation modes: ### **1. protect** - Drops traffic from unauthorized MAC addresses - No syslog message - No SNMP trap - Port remains up - Least disruptive, but limited visibility ### **2. restrict** - Drops unauthorized traffic - Generates syslog and SNMP notification - Increments violation counter - Port remains up - Good balance between security and monitoring ### **3. shutdown (used here)** - Port immediately enters err-disabled state - Syslog generated - Requires manual or automatic recovery - Highest security enforcement - Recommended for controlled environments In this design, **shutdown** is selected to ensure strict enforcement. --- ## **4. ACL: Block VLAN 102 → HQ1-SRV1** ### **Requirement** - VLAN 102 must not access 10.10.100.101 - All other traffic allowed - HQ1-SRV1 outbound traffic unaffected ### **Configuration** ``` ip access-list extended BLOCK_VLAN102_TO_SRV1 deny ip 10.10.102.0 0.0.0.255 host 10.10.100.101 permit ip any any ``` Apply: ``` interface Vlan102 ip access-group BLOCK_VLAN102_TO_SRV1 in ``` --- ## **5. Verification** ``` show access-lists show port-security interface GigabitEthernet0/3 show errdisable recovery show ip ssh ``` Expected: - SSH access to IR1/IR2 only from 10.10.100.101 - Port Security enforces max 2 MAC addresses - Port auto-recovers after 180 seconds - VLAN 102 cannot reach HQ1-SRV1 - HQ1-SRV1 communication to other networks unaffected --- ## **Status** - SSH access strictly restricted - Port Security implemented with strict violation handling - Violation modes clearly understood and documented - VLAN 102 access restriction implemented without side effects - All security requirements fully met