Lab 11: Configuring Advanced Static Switch Access Port Security

Lab Objective:

The objective of this lab exercise is for you to learn and understand how to configure static MAC entries for port security. By default, MAC entries are learned dynamically on a switchport.

Lab Purpose:

Static port security MAC entries are an advanced skill. Static MAC address entries are manually configured by the administrator. As a Cisco engineer, understanding advanced features will give you the edge over your fellow CCNAs.

Certification Level:

This lab is suitable for CCENT and CCNA certification exam preparation.

Lab Difficulty:

This lab has a difficulty rating of 8/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.

Lab Topology:

Please use the following topology to complete this lab exercise:

[Figure: Lab 11 topology diagram]

Task 1:

Configure hostnames on Sw1 and R1 as illustrated in the topology. Create VLAN10 on switch Sw1 and assign port FastEthernet0/2 to this VLAN as an access port.

Task 2:

Configure IP address 172.16.0.1/27 on R1’s FastEthernet0/0 interface and IP address 172.16.0.2/27 on Sw2’s VLAN10 interface. Verify that R1 can ping Sw1, and vice versa.

Task 3:

Configure port security on port FastEthernet0/5 on Sw1 for the following static MAC addresses:

000a.1111.ab01

000b.2222.cd01

000c.3333.ef01

000d.4444.ac01

The switch should restrict access to these ports for MAC addresses that are not known. Verify your configuration with port-security commands in Cisco IOS.

Configuration and Verification

Task 1:

For reference information on configuring hostnames, please refer to earlier labs. For reference information on Transparent mode and extended VLANs, please refer to earlier labs.

Task 2:

For reference information on configuring IP interfaces, please refer to earlier labs.

Task 3:

Sw1#conf t 
Enter configuration commands, one per line.  End with CTRL/Z. 
Sw1(config)#interface fastethernet0/2 
Sw1(config-if)#switchport port-security 
Sw1(config-if)#switchport port-security maximum 4 
Sw1(config-if)#switchport port-security mac-address 000a.1111.ab01 
Sw1(config-if)#switchport port-security mac-address 000b.2222.cd01 
Sw1(config-if)#switchport port-security mac-address 000c.3333.ef01 
Sw1(config-if)#switchport port-security mac-address 000d.4444.ac01 
Sw1(config-if)#end 
Sw1# 
Sw1#show port-security 
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Sec Action
                (Count)       (Count)        (Count)
----------------------------------------------------------------------
Fa0/2              5             4               0          Shutdown
----------------------------------------------------------------------
Total Addresses in System : 5
Max Addresses limit in System : 1024

Sw1#show port-security interface fastethernet0/2 
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 4
Total MAC Addresses : 4
Configured MAC Addresses : 4
Sticky MAC Addresses : 0
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0

NOTE: The requirements of this task seem simple, but a common mistake is to forget that, by default, the maximum number of addresses that can be secured on a port is one. Since you were given four MAC addresses, you need to increase the port security limit to four. If you did not add the switchport port-security maximum 4 command, you would receive the following error when trying to add the second static MAC address for port security:

Sw1#conf t 
Enter configuration commands, one per line.  End with CTRL/Z. 
Sw1(config)#interface fastethernet0/2 
Sw1(config-if)#switchport port-security 
Sw1(config-if)#switchport port-security mac-address 000a.1111.ab01 
Sw1(config-if)#switchport port-security mac-address 000b.2222.cd01 
%Error: Cannot add secure address 000b.2222.cd01 
%Error: Total secure addresses on interface reached its max limit of 1 
%PSECURE: Internal Error in adding address
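
The following is an added example, not part of the original lab: a Python check that parses `show port-security interface` output like the one above and compares it with the intended configuration (four static entries, no learned addresses). The function names and the `expected_mode` parameter are assumptions for illustration, and the sample text is constructed from the lab's output.

```python
import re

# Constructed sample: fields printed by `show port-security interface fastethernet0/2` above.
SAMPLE_OUTPUT = """\
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 4
Total MAC Addresses : 4
Configured MAC Addresses : 4
Sticky MAC Addresses : 0
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0
"""

def parse_port_security(text):
    """Turn 'Field : value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def audit_static_port(text, expected_static, expected_mode=None):
    """Return a list of findings; an empty list means the port matches the intent."""
    f = parse_port_security(text)
    def num(key):
        m = re.match(r"\d+", f.get(key, ""))  # tolerates values such as "0 mins"
        return int(m.group()) if m else 0
    findings = []
    if f.get("port security") != "Enabled":
        findings.append("port security is not enabled")
    if num("maximum mac addresses") < expected_static:
        findings.append("maximum is below the number of static entries")
    if num("configured mac addresses") != expected_static:
        findings.append("configured static entries do not match the expected count")
    if num("total mac addresses") > num("configured mac addresses"):
        findings.append("dynamically learned or sticky addresses are present")
    if expected_mode and f.get("violation mode", "").lower() != expected_mode.lower():
        findings.append("violation mode is %s, expected %s" % (f.get("violation mode"), expected_mode))
    if num("security violation count") > 0:
        findings.append("security violations have been recorded")
    return findings

if __name__ == "__main__":
    print(audit_static_port(SAMPLE_OUTPUT, expected_static=4) or "port matches intent")
```

Passing `expected_mode` makes the check also compare the violation mode, which the lab output shows as the default `Shutdown`.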

1 Comment
Dan
21 days ago

Configure port security on port FastEthernet0/5 on Sw1 for the following static MAC addresses:

However, the lab shows that it is fa0/2. Which one is correct?
