Date posted: 03-Jan-2016 | Uploaded by: tumojitekato
Activity 2.5.1: Basic Switch Configuration
Addressing Table
Device   Interface   IP Address     Subnet Mask      Default Gateway
PC1      NIC         172.17.99.21   255.255.255.0    172.17.99.11
PC2      NIC         172.17.99.22   255.255.255.0    172.17.99.11
S1       VLAN99      172.17.99.11   255.255.255.0    172.17.99.1
Learning Objectives
Clear an existing configuration on a switch.
Verify the default switch configuration.
Create a basic switch configuration.
Manage the MAC address table.
Configure port security.
Introduction
In this activity, you will examine and configure a standalone LAN switch. Although a switch performs basic functions in its default out-of-the-box condition, there are a number of parameters that a network administrator should modify to ensure a secure and optimized LAN. This activity introduces you to the basics of switch configuration.
Task 1: Clear an Existing Configuration on a Switch
Step 1. Enter privileged EXEC mode.
Switch>enable
Switch#
Step 2. Delete the VLAN database file (vlan.dat) from flash.
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
Step 3. Erase the startup configuration from NVRAM.
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Switch#
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig1/1, Gig1/2
10 VLAN10 active
30 VLAN30 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- -----------------------------------------
Step 4. Reload the switch.
Switch#reload
Proceed with reload? [confirm]
C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)
Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.
2960-24TT starting...
Base ethernet MAC Address: 0060.47AC.1EB8
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 1 files, 0 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32514048
flashfs[0]: Bytes used: 4414921
flashfs[0]: Bytes available: 28099127
flashfs[0]: flashfs fsck took 1 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:/c2960-lanbase-mz.122-25.FX.bin"...
########################################################################## [OK]
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team
Image text-base: 0x80008098, data-base: 0x814129C4
Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
32768K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 0060.47AC.1EB8
Motherboard assembly number : 73-9832-06
Power supply part number : 341-0097-02
Motherboard serial number : FOC103248MJ
Power supply serial number : DCA102133JA
Model revision number : B0
Motherboard revision number : C0
Model number : WS-C2960-24TT
System serial number : FOC1033Z1EY
Top Assembly Part Number : 800-26671-02
Top Assembly Revision Number : B0
Version ID : V02
CLEI Code Number : COM3K00BRA
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C2960-24TT 12.2 C2960-LANBASE-M
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team
Press RETURN to get started!
%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up
Task 2: Verify the Default Switch Configuration
Step 1. Enter privileged EXEC mode.
Switch>enable
Switch#
Step 2. Examine the current switch configuration.
Switch#show running-config
Building configuration...
Current configuration : 1009 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
no ip address
shutdown
!
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
!
end
Examine the current running configuration by issuing the show running-config command.
i. How many Fast Ethernet interfaces does the switch have?
24
ii. How many Gigabit Ethernet interfaces does the switch have?
2
iii. What is the range of values shown for the vty lines?
0-15
Examine the current contents of NVRAM by issuing the show startup-config command.
i. Why does the switch give this response?
Startup-config is not present
Examine the characteristics of the virtual interface VLAN1 by issuing the show interface vlan1 command.
Switch#show interface vlan1
Vlan1 is administratively down, line protocol is down
Hardware is CPU Interface, address is 0060.47ac.1eb8 (bia 0060.47ac.1eb8)
MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 21:40:21, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1682 packets input, 530955 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
563859 packets output, 0 bytes, 0 underruns
0 output errors, 23 interface resets
0 output buffer failures, 0 output buffers swapped out
i. Is there an IP address set on the switch?
No
ii. What is the MAC address of this virtual switch interface?
0060.47ac.1eb8 (bia 0060.47ac.1eb8)
iii. Is this interface up?
Vlan1 is administratively down, line protocol is down
Now view the IP properties of the interface using the show ip interface vlan1 command.
i. What output do you see?
Switch#show ip interface vlan1
Vlan1 is administratively down, line protocol is down
Internet protocol processing disabled
Step 3. Display Cisco IOS information.
a. Display Cisco IOS information using the show version command.
Switch#show version
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team
ROM: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)
System returned to ROM by power-on
Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
32768K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 0060.47AC.1EB8
Motherboard assembly number : 73-9832-06
Power supply part number : 341-0097-02
Motherboard serial number : FOC103248MJ
Power supply serial number : DCA102133JA
Model revision number : B0
Motherboard revision number : C0
Model number : WS-C2960-24TT
System serial number : FOC1033Z1EY
Top Assembly Part Number : 800-26671-02
Top Assembly Revision Number : B0
Version ID : V02
CLEI Code Number : COM3K00BRA
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C2960-24TT 12.2 C2960-LANBASE-M
Configuration register is 0xF
1 What is the Cisco IOS version that the switch is running?
C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
2 What is the system image filename?
C2960-LANBASE-M
3 What is the base MAC address of this switch?
0060.47AC.1EB8
Step 4. Examine the Fast Ethernet interfaces.
a. Examine the default properties of the Fast Ethernet interface used by PC1 using the show interface fastethernet 0/18 command.
Switch#show interface fastethernet 0/18
FastEthernet0/18 is up, line protocol is up (connected)
Hardware is Lance, address is 0060.5c36.4412 (bia 0060.5c36.4412)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:08, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
956 packets input, 193351 bytes, 0 no buffer
Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
2357 packets output, 263570 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
i. Is the interface up or down?
FastEthernet0/18 is up, line protocol is up (connected)
ii. What event would make an interface go up?
iii. What is the MAC address of the interface?
0060.5c36.4412 (bia 0060.5c36.4412)
iv. What is the speed and duplex setting of the interface?
100 Mb/s
Step 5. Examine VLAN information.
a. Examine the default VLAN settings of the switch using the show vlan command.
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig1/1, Gig1/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ----------------------------------------
i. What is the name of VLAN 1?
default
ii. Which ports are in this VLAN?
Fa0/1, Fa0/2, Fa0/3, Fa0/4,Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24 Gig1/1, Gig1/2
iii. Is VLAN 1 active?
YES
iv. What type of VLAN is the default VLAN?
Primary secondary type
Step 6. Examine flash memory.
a. There are two commands to examine flash memory: dir flash: or show flash. Issue either one of the commands to examine the contents of the flash directory.
Switch#show flash
Directory of flash:/
1 -rw- 4414921 <no date> c2960-lanbase-mz.122-25.FX.bin
32514048 bytes total (28099127 bytes free)
i. Which files or directories are found?
rw- 4414921
ii. Files have a file extension, such as .bin, at the end of the filename. Directories do not have a file extension. What is the name of the Cisco IOS image file?
c2960-lanbase-mz.122-25.FX.bin
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname kuldeep
kuldeep(config)#exit
kuldeep#
%SYS-5-CONFIG_I: Configured from console by console
kuldeep#
To save the contents of the running configuration file to non-volatile RAM (NVRAM), issue the copy running-config startup-config command.
kuldeep#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
kuldeep#
Task 3: Create a Basic Switch Configuration
Step 1. Assign a name to the switch.
Enter global configuration mode. Configuration mode allows you to manage the switch. Enter the configuration commands, one on each line. Notice that the command line prompt changes to reflect the current prompt and switch name. In the last step of the previous task, you configured the hostname. Here's a review of the commands used.
kuldeep#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
kuldeep(config)#hostname kuldeep
kuldeep(config)#exit
%SYS-5-CONFIG_I: Configured from console by console
kuldeep#
Step 2. Set the access passwords.
Enter config-line mode for the console. Set the login password to cisco. Also configure the vty lines 0 to 15 with the password cisco.
kuldeep#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
kuldeep(config)#line console 0
kuldeep(config-line)#password cisco
kuldeep(config-line)#login
kuldeep(config-line)#line vty 0 15
kuldeep(config-line)#password cisco
kuldeep(config-line)#login
kuldeep(config-line)#exit
kuldeep(config)#
Why is the login command required?
Step 3. Set the command mode passwords.
Set the enable secret password to class.
kuldeep(config)#enable secret class
Step 4. Configure the Layer 3 address of the switch.
Set the IP address of the switch to 172.17.99.11 with a subnet mask of 255.255.255.0 on the internal virtual interface VLAN 99. The VLAN must first be created on the switch before the address can be assigned.
kuldeep(config)#vlan 99
kuldeep(config-vlan)#exit
kuldeep(config)#interface vlan99
kuldeep(config-if)#
%LINK-5-CHANGED: Interface Vlan99, changed state to up
kuldeep(config-if)#ip address 172.17.99.11 255.255.255.0
kuldeep(config-if)#no shutdown
kuldeep(config-if)#exit
kuldeep(config)#
Step 5. Assign ports to the switch VLAN.
Assign Fast Ethernet ports 0/1, 0/8, and 0/18 to VLAN 99.
kuldeep(config)#interface fa0/1
kuldeep(config-if)#switchport access vlan 99
kuldeep(config-if)#exit
kuldeep(config)#interface fa0/8
kuldeep(config-if)#switchport access vlan 99
kuldeep(config-if)#exit
kuldeep(config)#interface fa0/18
kuldeep(config-if)#switchport access vlan 99
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up
kuldeep(config-if)#exit
kuldeep(config)#
Step 6. Set the switch default gateway.
S1 is a Layer 2 switch, so it makes forwarding decisions based on the Layer 2 header. If multiple networks are connected to a switch, you need to specify how the switch forwards internetwork frames, because the path must be determined at Layer 3. This is done by specifying a default gateway address that points to a router or Layer 3 switch. Although this activity does not include an external IP gateway, assume that you will eventually connect the LAN to a router for external access. Assuming that the LAN interface on the router is 172.17.99.1, set the default gateway for the switch.
kuldeep(config)#ip default-gateway 172.17.99.1
kuldeep(config)#exit
%SYS-5-CONFIG_I: Configured from console by console
kuldeep#
Step 7. Verify the management LAN settings.
Verify the interface settings on VLAN 99 with the show interface vlan 99 command.
kuldeep#show interface vlan 99
Vlan99 is up, line protocol is up
Hardware is CPU Interface, address is 0060.47ac.1eb8 (bia 0060.47ac.1eb8)
Internet address is 172.17.99.11/24
MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 21:40:21, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1682 packets input, 530955 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
563859 packets output, 0 bytes, 0 underruns
0 output errors, 23 interface resets
0 output buffer failures, 0 output buffers swapped out
What is the bandwidth on this interface?
100000 Kbit
What is the queuing strategy?
fifo
Step 8. Configure the IP address and default gateway for PC1.
Set the IP address of PC1 to 172.17.99.21, with a subnet mask of 255.255.255.0. Configure a default gateway of 172.17.99.11. Click PC1 and its Desktop tab then IP configuration to input the addressing parameters.
Step 9. Verify connectivity.
To verify the host and switch are correctly configured, ping the switch from PC1.
If the ping is not successful, troubleshoot the switch and host configuration. Note that this may take a couple of tries for the pings to succeed.
Step 10. Configure the port speed and duplex settings for a Fast Ethernet interface.
Configure the duplex and speed settings on Fast Ethernet 0/18. Use the end command to return to privileged EXEC mode when finished.
kuldeep#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
kuldeep(config)#interface fastethernet 0/18
kuldeep(config-if)#speed 100
kuldeep(config-if)#duplex full
%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
kuldeep(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down
kuldeep(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
Notice how the link between PC1 and S1 went down. Remove the speed 100 and duplex full commands. Now verify the settings on the Fast Ethernet interface with the show interface fa0/18 command.
kuldeep#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
kuldeep(config)#interface fa0/18
kuldeep(config-if)#no speed 100
kuldeep(config-if)#no duplex full
%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up
kuldeep(config-if)#
kuldeep#show interface fastethernet 0/18
FastEthernet0/18 is up, line protocol is up (connected)
Hardware is Lance, address is 0060.5c36.4412 (bia 0060.5c36.4412)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:08, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
956 packets input, 193351 bytes, 0 no buffer
Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
2357 packets output, 263570 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Step 11. Save the configuration.
You have completed the basic configuration of the switch. Now back up the running configuration file to NVRAM to ensure that the changes made will not be lost if the system is rebooted or loses power.
kuldeep#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
kuldeep#
Step 12. Examine the startup configuration file.
To see the configuration that is stored in NVRAM, issue the show startup-config command from privileged EXEC (enable mode).
Are all the changes that were entered recorded in the file?
YES
kuldeep#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
kuldeep#show startup-config
Using 1286 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname kuldeep
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
interface FastEthernet0/1
switchport access vlan 99
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
switchport access vlan 99
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
switchport access vlan 99
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 172.17.99.11 255.255.255.0
!
ip default-gateway 172.17.99.1
!
!
line con 0
password cisco
login
!
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
Task 4: Managing the MAC Address Table
Step 1. Record the MAC addresses of the hosts.
Determine and record the Layer 2 (physical) addresses of the PC network interface cards using the following steps:
Click the PC. Select the Desktop tab. Click Command Prompt. Type the ipconfig /all command.
Step 2. Determine the MAC addresses that the switch has learned.
Display the MAC addresses using the show mac-address-table command in privileged EXEC mode. If there are no MAC addresses, ping from PC1 to S1 then check again.
kuldeep#show mac-address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
Step 3. Clear the MAC address table.
To remove the existing MAC addresses, use the clear mac-address-table dynamic command from privileged EXEC mode.
kuldeep#clear mac-address-table dynamic
Step 4. Verify the results.
Verify that the MAC address table was cleared.
kuldeep#show mac-address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
kuldeep#clear mac-address-table dynamic
kuldeep#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
Step 5. Examine the MAC table again.
The table has not changed
Step 6. Set up a static MAC address.
To specify which ports a host can connect to, one option is to create a static mapping of the host MAC address to a port.
Set up a static MAC address on Fast Ethernet interface 0/18 using the address that was recorded for PC1 in Step 1 of this task, 0002.16E8.C285.
kuldeep#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
kuldeep(config)#mac-address-table static 0002.16E8.c285 vlan 99 interface fastethernet 0/18
kuldeep(config)#end
%SYS-5-CONFIG_I: Configured from console by console
Step 7. Verify the results.
Verify the MAC address table entries.
kuldeep#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
99 0002.16e8.c285 STATIC Fa0/18
Step 8. Remove the static MAC entry.
Enter configuration mode and remove the static MAC by putting a no in front of the command string.
kuldeep#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
kuldeep(config)#no mac-address-table static 0002.16E8.c285 vlan 99 interface fastethernet 0/18
kuldeep(config)#end
kuldeep#
%SYS-5-CONFIG_I: Configured from console by console
Step 9. Verify the results.
Verify that the static MAC address has been cleared with the show mac-address-table static command.
kuldeep#show mac-address-table static
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
Task 5: Configuring Port Security
Step 1. Configure a second host.
A second host is needed for this task. Set the IP address of PC2 to 172.17.99.22, with a subnet mask of 255.255.255.0 and a default gateway of 172.17.99.11. Do not connect this PC to the switch yet.
Step 2. Verify connectivity.
Verify that PC1 and the switch are still correctly configured by pinging the VLAN 99 IP address of the switch from the host. If the pings were not successful, troubleshoot the host and switch configurations.
Step 3. Determine which MAC addresses the switch has learned.
Display the learned MAC addresses using the show mac-address-table command in privileged EXEC mode.
kuldeep#show mac-address-table static
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
kuldeep#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
99 0002.16e8.c285 DYNAMIC Fa0/18
Step 4. List the port security options.
Explore the options for setting port security on interface Fast Ethernet 0/18.
kuldeep#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
kuldeep(config)#interface fastethernet 0/18
kuldeep(config-if)#switchport port-security ?
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
Step 5. Configure port security on an access port.
Configure switch port Fast Ethernet 0/18 to accept only two devices, to learn the MAC addresses of those devices dynamically, and to shut down the port if a violation occurs.
kuldeep(config-if)#switchport mode access
kuldeep(config-if)#switchport port-security
kuldeep(config-if)#switchport port-security maximum 2
kuldeep(config-if)#switchport port-security mac-address sticky
kuldeep(config-if)#switchport port-security violation shutdown
kuldeep(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
Step 6. Verify the results.
Show the port security settings with the show port-security interface fa0/18 command.
kuldeep#show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
How many secure addresses are allowed on Fast Ethernet 0/18?
What is the security action for this port?
Step 7. Examine the running configuration file.
kuldeep#show running-config
Building configuration...
Current configuration : 1418 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname kuldeep
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
interface FastEthernet0/1
switchport access vlan 99
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
switchport access vlan 99
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 172.17.99.11 255.255.255.0
!
ip default-gateway 172.17.99.1
!
!
line con 0
password cisco
login
!
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
Are there statements listed that directly reflect the security implementation of the running configuration?
YES
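The question above can be answered mechanically. The following script is an added example, not part of the lab: it parses an IOS-style running-config (here the Step 7 config, abbreviated and re-indented as constructed inline text) and reports the points this lab touches, namely cleartext line passwords, the enable secret, and which access ports carry port-security with what effective maximum and violation mode (the violation mode of shutdown is not printed in the running-config because it is the IOS default).

```python
"""Audit an IOS-style running-config for the settings this lab configures:
line passwords, enable secret, and port-security on access ports."""
from dataclasses import dataclass

# Constructed sample: the lab's Task 5 Step 7 running-config, abbreviated to
# the relevant blocks and indented the way IOS prints child commands.
SAMPLE_CONFIG = """\
no service password-encryption
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
interface FastEthernet0/1
 switchport access vlan 99
!
interface FastEthernet0/18
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
line con 0
 password cisco
 login
!
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
end
"""

@dataclass
class PortSecurity:
    enabled: bool = False
    maximum: int = 1             # IOS default when no "maximum" line is present
    violation: str = "shutdown"  # IOS default; not printed in the running-config
    sticky: bool = False

def parse_sections(text):
    """Split the config into (header, child_commands) blocks; IOS indents children by one space."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line in ("!", "end"):
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
            continue
        current = (line, [])
        sections.append(current)
    return sections

def port_security_of(body):
    """Derive the effective port-security state from an interface's commands."""
    ps = PortSecurity()
    for cmd in body:
        if cmd == "switchport port-security":
            ps.enabled = True
        elif cmd.startswith("switchport port-security maximum "):
            ps.maximum = int(cmd.split()[-1])
        elif cmd.startswith("switchport port-security violation "):
            ps.violation = cmd.split()[-1]
        elif cmd == "switchport port-security mac-address sticky":
            ps.sticky = True
    return ps

def audit(text):
    """Return a list of human-readable findings for the given config text."""
    sections = parse_sections(text)
    headers = [h for h, _ in sections]
    findings = []
    encrypted = "service password-encryption" in headers
    if not encrypted:
        findings.append("global: service password-encryption is off; line passwords are stored in cleartext")
    if not any(h.startswith("enable secret") for h in headers):
        findings.append("global: no enable secret configured")
    for header, body in sections:
        if header.startswith("line "):
            if "login" not in body:   # without "login" the line password is never checked
                findings.append(f"{header}: 'login' missing, line password is not enforced")
            if any(c.startswith("password ") for c in body) and not encrypted:
                findings.append(f"{header}: password stored in cleartext")
        elif header.startswith("interface ") and any(c.startswith("switchport access vlan") for c in body):
            name = header.split()[1]
            if "switchport mode access" not in body:   # port-security needs a forced access port
                findings.append(f"{name}: switchport mode not forced to access")
            ps = port_security_of(body)
            if not ps.enabled:
                findings.append(f"{name}: access port without port-security")
            else:
                findings.append(f"{name}: port-security max={ps.maximum} violation={ps.violation} sticky={ps.sticky}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```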
Step 8. Modify the port security settings on a port.
On interface Fast Ethernet 0/18, change the port security maximum MAC address count to 1.
kuldeep#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
kuldeep(config)#interface switchport
kuldeep(config)#interface fastethernet 0/18
kuldeep(config-if)#switchport port-security maximum 1
kuldeep(config-if)#end
Step 9. Verify the results.
Show the port security settings with the show port-security interface fa0/18 command.
Have the port security settings changed to reflect the modifications in Step 8?
Ping the VLAN 99 address of the switch from PC1 to verify connectivity and to refresh the MAC address table.
kuldeep#show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Step 10. Introduce a rogue host.
Disconnect the PC attached to Fast Ethernet 0/18 from the switch. Connect PC2, which has been given the IP address 172.17.99.22, to port Fast Ethernet 0/18. Ping the VLAN 99 address 172.17.99.11 from the new host.
What happened when you tried to ping S1?
kuldeep#
%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up
Note: Convergence may take up to a minute. Switch between Simulation and Realtime mode to accelerate convergence.
Step 11. Reactivate the port.
As long as the rogue host is attached to Fast Ethernet 0/18, no traffic can pass between the host and switch. Reconnect PC1 to Fast Ethernet 0/18, and enter the following commands on the switch to reactivate the port:
kuldeep#
%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up
kuldeep#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
kuldeep(config)#interface fastethernet 0/18
kuldeep(config-if)#no shutdown
kuldeep(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
Step 12. Verify connectivity.
After convergence, PC1 should be able to again ping S1.
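The behaviour exercised in Steps 5 to 12 of this task (sticky learning up to a maximum, the violation when a second address appears on a port limited to one, the port staying down until no shutdown) can be replayed in a small model. This is an added example written for this page, not Cisco IOS code; PC1's address is the one recorded in Task 4, PC2's is a constructed placeholder, and the protect and restrict modes are modelled as an assumption from their documented behaviour (drop without counting, drop and count).

```python
"""Model of sticky port-security as exercised in Task 5 (added example)."""
from dataclasses import dataclass, field

PC1_MAC = "0002.16e8.c285"   # recorded for PC1 in Task 4 of the lab
PC2_MAC = "0002.16e8.ffff"   # constructed placeholder for the rogue host (PC2)

@dataclass
class SecurePort:
    maximum: int = 1               # "switchport port-security maximum N"
    violation: str = "shutdown"    # shutdown | restrict | protect
    sticky: bool = False           # "switchport port-security mac-address sticky"
    secure: list = field(default_factory=list)  # secure addresses in learn order
    shut: bool = False             # err-disabled after a shutdown-mode violation
    violations: int = 0            # "Security Violation Count"

    def status(self):
        """Mirror the Port Status field of show port-security interface."""
        return "Secure-shutdown" if self.shut else "Secure-up"

    def receive(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.shut:
            return False                        # nothing passes while err-disabled
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.append(src_mac)         # learned dynamically (kept if sticky)
            return True
        if self.violation != "protect":         # restrict and shutdown count violations
            self.violations += 1
        if self.violation == "shutdown":
            self.shut = True                    # port goes down until "no shutdown"
        return False

    def reactivate(self):
        """Operator issues no shutdown on the interface (Step 11)."""
        self.shut = False
        if not self.sticky:
            self.secure.clear()                 # non-sticky addresses are lost on link down

def lab_scenario():
    """Replay Steps 5-12: max 2 sticky, PC1 learned, max lowered to 1, PC2 plugged in."""
    port = SecurePort(maximum=2, violation="shutdown", sticky=True)
    port.receive(PC1_MAC)                       # PC1 pings S1, address becomes sticky-secure
    port.maximum = 1                            # Step 8: maximum lowered to 1
    events = [("pc1", port.receive(PC1_MAC), port.status())]
    events.append(("pc2", port.receive(PC2_MAC), port.status()))          # Step 10: rogue host
    events.append(("pc1_while_shut", port.receive(PC1_MAC), port.status()))
    port.reactivate()                           # Step 11: PC1 reconnected, no shutdown
    events.append(("pc1_after_no_shut", port.receive(PC1_MAC), port.status()))
    return port, events

if __name__ == "__main__":
    port, events = lab_scenario()
    for name, forwarded, status in events:
        print(f"{name:18} forwarded={forwarded!s:5} status={status}")
    print("violations:", port.violations, "secure:", port.secure)
```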