Activity 2.5.

1: Basic Switch Configuration

Addressing Table Device PC1 PC2 S1 Interface NIC NIC VLAN99 IP Address 172.17.99.21 172.17.99.22 172.17.99.11 Subnet Mask 255.255.255.0 255.255.255.0 255.255.255.0 Default Gateway 172.17.99.11 172.17.99.11 172.17.99.1

Learning Objectives

Clear an existing configuration on a switch. Verify the default switch configuration. Create a basic switch configuration. Manage the MAC address table. Configure port security.

Introduction
In this activity, you will examine and configure a standalone LAN switch. Although a switch performs basic functions in its default out-of-the-box condition, there are a number of parameters that a network administrator should modify to ensure a secure and optimized LAN. This activity introduces you to the basics of switch configuration.

Step 1 Switch>enable Switch#

Step 2 Switch#delete flash:vlan.dat Delete filename [vlan.dat]? Delete flash:/vlan.dat? [confirm]

Step 3

Switch#erase startup-config Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] [OK] Erase of nvram: complete %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram Switch# Switch#show vlan

VLAN Name

Status Ports

---- -------------------------------- --------- ------------------------------1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4 Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/19, Fa0/20 Fa0/21, Fa0/22, Fa0/23, Fa0/24 Gig1/1, Gig1/2 10 VLAN10 30 VLAN30 1002 fddi-default 1003 token-ring-default 1004 fddinet-default 1005 trnet-default active active act/unsup act/unsup act/unsup act/unsup

VLAN Type SAID

MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ -----1 enet 100001 1500 - 0 0

10 enet 100010 30 enet 100030 1002 fddi 101002 1003 tr 101003 1004 fdnet 101004 1005 trnet 101005

1500 1500 1500 1500 1500 1500 -

- - - - ieee ibm -

0 0 0 0

0 0 0 0 0 0 0 0

Remote SPAN VLANs ------------------------------------------------------------------------------

Primary Secondary Type

Ports

------- --------- ----------------- ----------------------------------------[OK] Erase of nvram: complete %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

Step 4 Switch#reload Proceed with reload? [confirm] C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4) Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory. 2960-24TT starting... Base ethernet MAC Address: 0060.47AC.1EB8 Xmodem file system is available. Initializing Flash... flashfs[0]: 1 files, 0 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories flashfs[0]: Total bytes: 32514048 flashfs[0]: Bytes used: 4414921 flashfs[0]: Bytes available: 28099127 flashfs[0]: flashfs fsck took 1 seconds. ...done Initializing Flash.

Boot Sector Filesystem (bs:) installed, fsid: 3 Parameter Block Filesystem (pb:) installed, fsid: 4

Loading "flash:/c2960-lanbase-mz.122-25.FX.bin"... ########################################################################## [OK] Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1) Copyright (c) 1986-2005 by Cisco Systems, Inc. Compiled Wed 12-Oct-05 22:05 by pt_team Image text-base: 0x80008098, data-base: 0x814129C4

Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.

24 FastEthernet/IEEE 802.3 interface(s) 2 Gigabit Ethernet/IEEE 802.3 interface(s)

32768K bytes of flash-simulated non-volatile configuration memory. Base ethernet MAC Address Motherboard assembly number Power supply part number Motherboard serial number Power supply serial number Model revision number : 0060.47AC.1EB8 : 73-9832-06

: 341-0097-02 : FOC103248MJ : DCA102133JA : B0 : C0

Motherboard revision number Model number System serial number Top Assembly Part Number

: WS-C2960-24TT : FOC1033Z1EY : 800-26671-02

Top Assembly Revision Number : B0

Version ID CLEI Code Number

: V02 : COM3K00BRA

Hardware Board Revision Number : 0x01

Switch Ports Model ------ ----- ----* 1 26

SW Version ---------12.2 ----------

SW Image

WS-C2960-24TT

C2960-LANBASE-M

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1) Copyright (c) 1986-2005 by Cisco Systems, Inc. Compiled Wed 12-Oct-05 22:05 by pt_team

Press RETURN to get started!

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up

Task 2 Step1 Switch>enable Switch# Step2 Switch#show running-config Building configuration...

Current configuration : 1009 bytes ! version 12.2 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname Switch ! ! ! interface FastEthernet0/1 ! interface FastEthernet0/2 ! interface FastEthernet0/3 ! interface FastEthernet0/4 ! interface FastEthernet0/5 ! interface FastEthernet0/6 ! interface FastEthernet0/7 ! interface FastEthernet0/8

! interface FastEthernet0/9 ! interface FastEthernet0/10 ! interface FastEthernet0/11 ! interface FastEthernet0/12 ! interface FastEthernet0/13 ! interface FastEthernet0/14 ! interface FastEthernet0/15 ! interface FastEthernet0/16 ! interface FastEthernet0/17 ! interface FastEthernet0/18 ! interface FastEthernet0/19 ! interface FastEthernet0/20 ! interface FastEthernet0/21 !

interface FastEthernet0/22 ! interface FastEthernet0/23 ! interface FastEthernet0/24 ! interface GigabitEthernet1/1 ! interface GigabitEthernet1/2 ! interface Vlan1 no ip address shutdown ! ! line con 0 ! line vty 0 4 login line vty 5 15 login ! ! End
Examine the current running configuration by issuing the show running-config command. i. 24 How many Fast Ethernet interfaces does the switch have?

ii. 2 iii.

How many Gigabit Ethernet interfaces does the switch have?

What is the range of values shown for the vty lines?

0-15

Examine the current contents of NVRAM by issuing the show startup-config command.

i.

Why does the switch give this response? Startup-config is not present

Examine the characteristics of the virtual interface VLAN1 by issuing the show interface vlan1 command.

Switch#show interface vlan1 Vlan1 is administratively down, line protocol is down Hardware is CPU Interface, address is 0060.47ac.1eb8 (bia 0060.47ac.1eb8) MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set ARP type: ARPA, ARP Timeout 04:00:00 Last input 21:40:21, output never, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 1682 packets input, 530955 bytes, 0 no buffer Received 0 broadcasts (0 IP multicast) 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 563859 packets output, 0 bytes, 0 underruns 0 output errors, 23 interface resets 0 output buffer failures, 0 output buffers swapped out

1 Is there an IP address set on the switch?

NO
2 What is the MAC address of this virtual switch interface?

0060.47ac.1eb8 (bia 0060.47ac.1eb8)

3 Is this interface up?

Vlan1 is administratively down, line protocol is down

Now view the IP properties of the interface using the show ip interface vlan1 command.

i.

What output do you see?

Switch#show ip interface vlan1 Vlan1 is administratively down, line protocol is down Internet protocol processing disabled

Step 3. Display Cisco IOS information.

a. Display Cisco IOS information using the show version command.

Switch#show version Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1) Copyright (c) 1986-2005 by Cisco Systems, Inc. Compiled Wed 12-Oct-05 22:05 by pt_team

ROM: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)

System returned to ROM by power-on

Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.

24 FastEthernet/IEEE 802.3 interface(s) 2 Gigabit Ethernet/IEEE 802.3 interface(s)

32768K bytes of flash-simulated non-volatile configuration memory. Base ethernet MAC Address Motherboard assembly number Power supply part number Motherboard serial number Power supply serial number Model revision number Motherboard revision number Model number System serial number Top Assembly Part Number Top Assembly Revision Number Version ID CLEI Code Number : V02 : COM3K00BRA : 0060.47AC.1EB8 : 73-9832-06 : 341-0097-02 : FOC103248MJ : DCA102133JA : B0 : C0

: WS-C2960-24TT : FOC1033Z1EY : 800-26671-02 : B0

Hardware Board Revision Number : 0x01

Switch Ports Model ------ ----- ----* 1 26

SW Version ---------12.2 ----------

SW Image

WS-C2960-24TT

C2960-LANBASE-M

Configuration register is 0xF 1 What is the Cisco IOS version that the switch is running?

C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1) 2 What is the system image filename? C2960-LANBASE-M 3 What is the base MAC address of this switch? 0060.47AC.1EB8

Step 4. Examine the Fast Ethernet interfaces.

a. Examine the default properties of the Fast Ethernet interface used by PC1 using the show interface fastethernet 0/18 command. Switch#show interface fastethernet 0/18 FastEthernet0/18 is up, line protocol is up (connected) Hardware is Lance, address is 0060.5c36.4412 (bia 0060.5c36.4412) BW 100000 Kbit, DLY 1000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s input flow-control is off, output flow-control is off ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:08, output 00:00:05, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 956 packets input, 193351 bytes, 0 no buffer Received 956 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 2357 packets output, 263570 bytes, 0 underruns 0 output errors, 0 collisions, 10 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out

i.

Is the interface up or down? FastEthernet0/18 is up, line protocol is up (connected)

ii.

What event would make an interface go up?

iii.

What is the MAC address of the interface? .5c36.4412 (bia 0060.5c36.4412)

iv.

What is the speed and duplex setting of the interface? 100 mb/s

Step 5. Examine VLAN information.

a. Examine the default VLAN settings of the switch using the show vlan command. Switch#show vlan

VLAN Name

Status

Ports

---- -------------------------------- --------- ------------------------------1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/19, Fa0/20 Fa0/21, Fa0/22, Fa0/23, Fa0/24 Gig1/1, Gig1/2 1002 fddi-default 1003 token-ring-default 1004 fddinet-default 1005 trnet-default act/unsup act/unsup act/unsup act/unsup

VLAN Type SAID

MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ -----1 enet 100001 1500 1500 0 0 0 0

1002 fddi 101002

1003 tr

101003

1500 1500 1500 -

ieee ibm -

0 0 0

0 0 0

1004 fdnet 101004 1005 trnet 101005

Remote SPAN VLANs ------------------------------------------------------------------------------

Primary Secondary Type

Ports

------- --------- ----------------- ---------------------------------------i. What is the name of VLAN 1? default ii. Which ports are in this VLAN? Fa0/1, Fa0/2, Fa0/3, Fa0/4,Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24 Gig1/1, Gig1/2 iii. Is VLAN 1 active? YES iv. What type of VLAN is the default VLAN? Primary secondary type

Step 6. Examine flash memory.

a. There are two commands to examine flash memory: dir flash: or show flash Issue either one of the commands to examine the contents of the flash directory. Switch#show flash Directory of flash:/

1 -rw-

4414921

<no date> c2960-lanbase-mz.122-25.FX.bin

32514048 bytes total (28099127 bytes free) i. Which files or directories are found? rwii. 4414921

Files have a file extension, such as .bin, at the end of the filename. Directories do not have a file extension. What is the name of the Cisco IOS image file? c2960-lanbase-mz.122-25.FX.bin

Switch#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#hostname kuldeepl kuldeep(config)#exit kuldeep# %SYS-5-CONFIG_I: Configured from console by console

kuldeep#

To save the contents of the running configuration file to non-volatile RAM (NVRAM), issue the copy running-config startup-config command. kuldeep#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] kuldeep#

Task 3: Create a Basic Switch Configuration

Step 1. Assign a name to the switch.

Enter global configuration mode. Configuration mode allows you to manage the switch. Enter the configuration commands, one on each line. Notice that the command line prompt changes to reflect the current prompt and switch name. In the last step of the previous task, you configured the hostname. Here's a review of the commands used.

kuldeep#configure terminal Enter configuration commands, one per line. End with CNTL/Z. kuldeep(config)#hostname kuldeep kuldeep(config)#exit

%SYS-5-CONFIG_I: Configured from console by console kuldeep#

Step 2. Set the access passwords.

Enter config-line mode for the console. Set the login password to cisco. Also configure the vty lines 0 to 15 with the password cisco.

kuldeep#configure terminal Enter configuration commands, one per line. End with CNTL/Z. kuldeep(config)#line console 0 kuldeep(config-line)#password cisco kuldeepl(config-line)#login kuldeep(config-line)#line vty 0 15 kuldeep(config-line)#password cisco kuldeep(config-line)#login kuldeep(config-line)#exit kuldeep(config)#

Why is the login command required?

Step 3. Set the command mode passwords.

Set the enable secret password to class.

S1(config)#enable secret class

Step 4. Configure the Layer 3 address of the switch.

Set the IP address of the switch to 172.17.99.11 with a subnet mask of 255.255.255.0 on the internal virtual interface VLAN 99. The VLAN must first be created on the switch before the address can be assigned. kuldeep(config)#vlan 99 kuldeep(config-vlan)#exit kuldeep(config)#interface vlan99 kuldeep(config-if)# %LINK-5-CHANGED: Interface Vlan99, changed state to up

kuldeep(config-if)#ip address 172.17.99.11 255.255.255.0 kuldeep(config-if)#no shutdown kuldeepl(config-if)#exit kuldeep(config)#

Step 5. Assign ports to the switch VLAN.

Assign Fastethernet 0/1, 0/8, and 0/18 to ports to VLAN 99. kuldeep(config)#interface fa0/1 kuldeep(config-if)#switchport access vlan 99 kuldeep(config-if)#exit kuldeep(config)#interface fa0/8 kuldeep(config-if)#switchport access vlan 99 kuldeep(config-if)#exit kuldeep(config)#interface fa0/18 kuldeep(config-if)#switchport access vlan 99

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up

kuldeep(config-if)#exit kuldeep(config)#

Step 6. Set the switch default gateway.

S1 is a layer 2 switch, so it makes forwarding decisions based on the Layer 2 header. If multiple networks are connected to a switch, you need to specify how the switch forwards the internetwork frames, because the path must be determined at Layer three. This is done by specifying a default gateway address that points to a router or Layer 3 switch. Although this activity does not include an external IP gateway, assume that you will eventually connect the LAN to a router for external access. Assuming that the LAN interface on the router is 172.17.99.1, set the default gateway for the switch. kuldeep(config)#ip default-gateway 172.17.99.1 kuldeep(config)#exit

%SYS-5-CONFIG_I: Configured from console by console kuldeep#

Step 7. Verify the management LANs settings.

Verify the interface settings on VLAN 99 with the show interface vlan 99 command. kuldeep#show interface vlan 99 Vlan99 is up, line protocol is up Hardware is CPU Interface, address is 0060.47ac.1eb8 (bia 0060.47ac.1eb8) Internet address is 172.17.99.11/24 MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set ARP type: ARPA, ARP Timeout 04:00:00 Last input 21:40:21, output never, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 1682 packets input, 530955 bytes, 0 no buffer Received 0 broadcasts (0 IP multicast) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 563859 packets output, 0 bytes, 0 underruns 0 output errors, 23 interface resets 0 output buffer failures, 0 output buffers swapped out

What is the bandwidth on this interface? 100000 K/bit What is the queuing strategy? Fifo

Step 8. Configure the IP address and default gateway for PC1.

Set the IP address of PC1 to 172.17.99.21, with a subnet mask of 255.255.255.0. Configure a default gateway of 172.17.99.11. Click PC1 and its Desktop tab then IP configuration to input the addressing parameters.

Step 9. Verify connectivity.

To verify the host and switch are correctly configured, ping the switch from PC1. If the ping is not successful, troubleshoot the switch and host configuration. Note that this may take a couple of tries for the pings to succeed.

Step 10. Configure the port speed and duplex settings for a Fast Ethernet interface.
Configure the duplex and speed settings on Fast Ethernet 0/18. Use the end command to return to privileged EXEC mode when finished. kuldeep#configure terminal Enter configuration commands, one per line. End with CNTL/Z. kuldeep(config)#interface fastethernet 0/18 kuldeep(config-if)#speed 100 kuldeep(config-if)#duplex full

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down kuldeep(config-if)# %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down

kuldeep(config-if)#end

%SYS-5-CONFIG_I: Configured from console by console Notice how the link between PC1 and S1 went down. Remove the speed 100 and duplex full commands. Now verify the settings on the Fast Ethernet interface with the show interface fa0/18 command. kuldeep#configure terminal Enter configuration commands, one per line. End with CNTL/Z. kuldeep(config)#interface fa0/18 kuldeep(config-if)#no speed 100 kuldeep(config-if)# no duplex full

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up kuldeep(config-if)#

kuldeep#show interface fastethernet 0/18 FastEthernet0/18 is up, line protocol is up (connected) Hardware is Lance, address is 0060.5c36.4412 (bia 0060.5c36.4412) BW 100000 Kbit, DLY 1000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set

Keepalive set (10 sec) Full-duplex, 100Mb/s input flow-control is off, output flow-control is off ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:08, output 00:00:05, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 956 packets input, 193351 bytes, 0 no buffer Received 956 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 2357 packets output, 263570 bytes, 0 underruns 0 output errors, 0 collisions, 10 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out

Step 11. Save the configuration.

You have completed the basic configuration of the switch. Now back up the running configuration file to NVRAM to ensure that the changes made will not be lost if the system is rebooted or loses power. kuldeep#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] kuldeep#

Step 12. Examine the startup configuration file.

To see the configuration that is stored in NVRAM, issue the show startup-config command from privileged EXEC (enable mode). Are all the changes that were entered recorded in the file? YES kuldeep#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] kuldeep#show startup-config Using 1286 bytes ! version 12.2 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname kuldeep !

enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1 ! ! ! interface FastEthernet0/1 switchport access vlan 99 ! interface FastEthernet0/2 ! interface FastEthernet0/3 ! interface FastEthernet0/4 ! interface FastEthernet0/5 ! interface FastEthernet0/6 ! interface FastEthernet0/7 ! interface FastEthernet0/8 switchport access vlan 99 ! interface FastEthernet0/9 ! interface FastEthernet0/10 ! interface FastEthernet0/11 !

interface FastEthernet0/12 ! interface FastEthernet0/13 ! interface FastEthernet0/14 ! interface FastEthernet0/15 ! interface FastEthernet0/16 ! interface FastEthernet0/17 ! interface FastEthernet0/18 switchport access vlan 99 ! interface FastEthernet0/19 ! interface FastEthernet0/20 ! interface FastEthernet0/21 ! interface FastEthernet0/22 ! interface FastEthernet0/23 ! interface FastEthernet0/24 ! interface GigabitEthernet1/1

! interface GigabitEthernet1/2 ! interface Vlan1 no ip address shutdown ! interface Vlan99 ip address 172.17.99.11 255.255.255.0 ! ip default-gateway 172.17.99.1 ! ! line con 0 password cisco login ! line vty 0 4 password cisco login line vty 5 15 password cisco login ! ! end

Task 4: Managing the MAC Address Table

Step 1. Record the MAC addresses of the hosts.

Determine and record the Layer 2 (physical) addresses of the PC network interface cards using the following steps:

Click the PC. Select the Desktop tab. Click Command Prompt. Type the ipconfig /all command.

Step 2. Determine the MAC addresses that the switch has learned.
Display the MAC addresses using the show mac-address-table command in privileged EXEC mode. If there are no MAC addresses, ping from PC1 to S1 then check again.

susheel#show mac-address-table dynamic Mac Address Table ------------------------------------------Vlan ---Mac Address ----------Type -------Ports -----

Step 3. Clear the MAC address table.

To remove the existing MAC addresses, use the clear mac-address-table dynamic command from privileged EXEC mode. kuldeep#clear mac-address-table dynamic

Step 4. Verify the results.

Verify that the MAC address table was cleared. kuldeep#show mac-address-table dynamic Mac Address Table -------------------------------------------

Vlan ----

Mac Address ------------------

Type -----

Ports

kuldeep#clear mac-address-table dynamic kuldeep#show mac-address-table Mac Address Table -------------------------------------------

Vlan ----

Mac Address ------------------

Type -----

Ports

Step 5. Examine the MAC table again.

The table has not changed

Step 6. Set up a static MAC address.

To specify which ports a host can connect to, one option is to create a static mapping of the host MAC address to a port. Set up a static MAC address on Fast Ethernet interface 0/18 using the address that was recorded for PC1 in Step 1 of this task, 0002.16E8.C285. kuldeep#configure terminal Enter configuration commands, one per line. End with CNTL/Z. kuldeep(config)#mac-address-table static 0002.16E8.c285 vlan 99 interface fastethernet 0/18 kuldeep(config)#end

%SYS-5-CONFIG_I: Configured from console by console

Step 7. Verify the results.

Verify the MAC address table entries.

kuldeep#show mac-address-table Mac Address Table ------------------------------------------Vlan ---99 Mac Address ----------0002.16e8.c285 Type -------STATIC Ports ----Fa0/18

Step 8. Remove the static MAC entry.

Enter configuration mode and remove the static MAC by putting a no in front of the command string.

kuldeep#configure terminal Enter configuration commands, one per line. End with CNTL/Z. kuldeep(config)#no mac-address-table static 0002.16E8.c285 vlan 99 interface fastethernet 0/18 kuldeep(config)#end kuldeep# %SYS-5-CONFIG_I: Configured from console by console

Step 9. Verify the results.

Verify that the static MAC address has been cleared with the show mac-address-table static command.

kuldeep#show mac-address-table static Mac Address Table ------------------------------------------Vlan ---Mac Address ----------Type -------Ports -----

Task 5: Configuring Port Security

Step 1. Configure a second host.

A second host is needed for this task. Set the IP address of PC2 to 172.17.99.22, with a subnet mask of 255.255.255.0 and a default gateway of 172.17.99.11. Do not connect this PC to the switch yet.

Step 2. Verify connectivity.

Verify that PC1 and the switch are still correctly configured by pinging the VLAN 99 IP address of the switch from the host. If the pings were not successful, troubleshoot the host and switch configurations.

Step 3. Determine which MAC addresses that the switch has learned.
Display the learned MAC addresses using the show mac-address-table command in privileged EXEC mode. kuldeep#show mac-address-table static Mac Address Table -------------------------------------------

Vlan ----

Mac Address ------------------

Type -----

Ports

kuldeep#show mac-address-table Mac Address Table -------------------------------------------

Vlan ----

Mac Address ------------------

Type -----

Ports

99

0002.16e8.c285

DYNAMIC

Fa0/18

Step 4. List the port security options.

Explore the options for setting port security on interface Fast Ethernet 0/18. kuldeep#configure terminal Enter configuration commands, one per line. End with CNTL/Z. kuldeep(config)#interface fastethernet 0/18 kuldeep(config-if)#switchport port-security ? mac-address Secure mac address maximum violation <cr> Max secure addresses Security violation mode

Step 5. Configure port security on an access port.

Configure switch port Fast Ethernet 0/18 to accept only two devices, to learn the MAC addresses of those devices dynamically, and to shutdown the port if a violation occurs. kuldeep(config-if)#switchport mode access kuldeep(config-if)#switchport port-security kuldeep(config-if)#switchport port-security maximum 2 kuldeep(config-if)#switchport port-security mac-address sticky kuldeep(config-if)#switchport port-security violation shutdown kuldeep(config-if)#end

%SYS-5-CONFIG_I: Configured from console by console

Step 6. Verify the results.

Show the port security settings with the show port-security interface fa0/18 command.

kuldeep#show port-security interface fa0/18 Port Security Port Status Violation Mode Aging Time Aging Type : Enabled : Secure-down : Shutdown : 0 mins : Absolute

SecureStatic Address Aging : Disabled Maximum MAC Addresses Total MAC Addresses :0 :2

Configured MAC Addresses : 0 Sticky MAC Addresses :0

Last Source Address:Vlan : 0000.0000.0000:0 Security Violation Count : 0 How many secure addresses are allowed on Fast Ethernet 0/18?

What is the security action for this port?

Step 7. Examine the running configuration file.

kuldeep#show running-config Building configuration...

Current configuration : 1418 bytes ! version 12.2

no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname kuldeep ! enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1 ! ! ! interface FastEthernet0/1 switchport access vlan 99 ! interface FastEthernet0/2 ! interface FastEthernet0/3 ! interface FastEthernet0/4 ! interface FastEthernet0/5 ! interface FastEthernet0/6 ! interface FastEthernet0/7 ! interface FastEthernet0/8 switchport access vlan 99 !

interface FastEthernet0/9 ! interface FastEthernet0/10 ! interface FastEthernet0/11 ! interface FastEthernet0/12 ! interface FastEthernet0/13 ! interface FastEthernet0/14 ! interface FastEthernet0/15 ! interface FastEthernet0/16 ! interface FastEthernet0/17 ! interface FastEthernet0/18 switchport access vlan 99 switchport mode access switchport port-security switchport port-security maximum 2 switchport port-security mac-address sticky ! interface FastEthernet0/19 ! interface FastEthernet0/20

! interface FastEthernet0/21 ! interface FastEthernet0/22 ! interface FastEthernet0/23 ! interface FastEthernet0/24 ! interface GigabitEthernet1/1 ! interface GigabitEthernet1/2 ! interface Vlan1 no ip address shutdown ! interface Vlan99 ip address 172.17.99.11 255.255.255.0 ! ip default-gateway 172.17.99.1 ! ! line con 0 password cisco login ! line vty 0 4

password cisco login line vty 5 15 password cisco login ! ! end

Are there statements listed that directly reflect the security implementation of the running configuration?

YES

Step 8. Modify the port security settings on a port.

On interface Fast Ethernet 0/18, change the port security maximum MAC address count to 1. kuldeepl#configure terminal Enter configuration commands, one per line. End with CNTL/Z. kuldeep(config)#interface switchport kuldeep(config)#interface fastethernet 0/18 kuldeep(config-if)#switchport port-security maximum 1 kuldeep(config-if)#end

Step 9. Verify the results.

Show the port security settings with the show port-security interface fa0/18 command. Have the port security settings changed to reflect the modifications in Step 8? Ping the VLAN 99 address of the switch from PC1 to verify connectivity and to refresh the MAC address table. kuldeep#show port-security interface fa0/18 Port Security : Enabled

Port Status Violation Mode Aging Time Aging Type

: Secure-up : Shutdown : 0 mins : Absolute

SecureStatic Address Aging : Disabled Maximum MAC Addresses Total MAC Addresses :0 :1

Configured MAC Addresses : 0 Sticky MAC Addresses :0

Last Source Address:Vlan : 0000.0000.0000:0 Security Violation Count : 0

Step 10. Introduce a rogue host.

Disconnect the PC attached to Fast Ethernet 0/18 from the switch. Connect PC2, which has been given the IP address 172.17.99.22 to port Fast Ethernet 0/18. Ping the VLAN 99 address 172.17.99.11 from the new host. What happened when you tried to ping S1?

kuldeep# %LINK-5-CHANGED: Interface FastEthernet0/18, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up Note: Convergence may take up to a minute. Switch between Simulation and Realtime mode to accelerate convergence.

Step 11. Reactivate the port.

As long as the rogue host is attached to Fast Ethernet 0/18, no traffic can pass between the host and switch. Reconnect PC1 to Fast Ethernet 0/18, and enter the following commands on the switch to reactivate the port: kuldeep# %LINK-5-CHANGED: Interface FastEthernet0/18, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up

kuldeep#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Kuldeep(config)#interface fastethernet 0/18 kuldeep(config-if)#no shutdown kuldeep(config-if)#end

%SYS-5-CONFIG_I: Configured from console by console

Step 12. Verify connectivity.

After convergence, PC1 should be able to again ping S1.