Activity 2.5.

1: 
Basic Switch Configuration

Addressing Table
Default
Device Interface IP Address Subnet Mask
Gateway

PC1 NIC 172.17.99.21 255.255.255.0 172.17.99.11

PC2 NIC 172.17.99.22 255.255.255.0 172.17.99.11

S1 VLAN99 172.17.99.11 255.255.255.0 172.17.99.1

Learning Objectives

 Clear an existing configuration on a switch.

 Verify the default switch configuration.
 Create a basic switch configuration.
 Manage the MAC address table.
 Configure port security.

Introduction

In this activity, you will examine and configure a standalone LAN switch. Although a switch performs basic
functions in its default out-of-the-box condition, there are a number of parameters that a network
administrator should modify to ensure a secure and optimized LAN. This activity introduces you to the
basics of switch configuration.

Step 1

Switch>enable

Switch#

Step 2

Switch#delete flash:vlan.dat

Delete filename [vlan.dat]?

Delete flash:/vlan.dat? [confirm]

Step 3

Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]

[OK]

Erase of nvram: complete

%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

Switch#

Switch#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Fa0/19, Fa0/20

Fa0/21, Fa0/22, Fa0/23, Fa0/24

Gig1/1, Gig1/2

10 VLAN10 active

30 VLAN30 active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1 enet 100001 1500 - - - - - 0 0

10 enet 100010 1500 - - - - - 0 0

30 enet 100030 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 0 0

1003 tr 101003 1500 - - - - - 0 0

1004 fdnet 101004 1500 - - - ieee - 0 0

1005 trnet 101005 1500 - - - ibm - 0 0

Remote SPAN VLANs

------------------------------------------------------------------------------

Primary Secondary Type Ports

------- --------- ----------------- -----------------------------------------

[OK]

Erase of nvram: complete

%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

Step 4

Switch#reload

Proceed with reload? [confirm]

C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)

Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.

2960-24TT starting...

Base ethernet MAC Address: 0060.47AC.1EB8

Xmodem file system is available.

Initializing Flash...

flashfs[0]: 1 files, 0 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 32514048

flashfs[0]: Bytes used: 4414921

flashfs[0]: Bytes available: 28099127

flashfs[0]: flashfs fsck took 1 seconds.

...done Initializing Flash.

Boot Sector Filesystem (bs:) installed, fsid: 3

Parameter Block Filesystem (pb:) installed, fsid: 4

Loading "flash:/c2960-lanbase-mz.122-25.FX.bin"...

########################################################################## [OK]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.

170 West Tasman Drive

San Jose, California 95134-1706

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE
(fc1)

Copyright (c) 1986-2005 by Cisco Systems, Inc.

Compiled Wed 12-Oct-05 22:05 by pt_team

Image text-base: 0x80008098, data-base: 0x814129C4

Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.

24 FastEthernet/IEEE 802.3 interface(s)

2 Gigabit Ethernet/IEEE 802.3 interface(s)

32768K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address : 0060.47AC.1EB8

Motherboard assembly number : 73-9832-06

Power supply part number : 341-0097-02

Motherboard serial number : FOC103248MJ

Power supply serial number : DCA102133JA

Model revision number : B0

Motherboard revision number : C0

Model number : WS-C2960-24TT

System serial number : FOC1033Z1EY

Top Assembly Part Number : 800-26671-02

Top Assembly Revision Number : B0

Version ID : V02
CLEI Code Number : COM3K00BRA

Hardware Board Revision Number : 0x01

Switch Ports Model SW Version SW Image

------ ----- ----- ---------- ----------

* 1 26 WS-C2960-24TT 12.2 C2960-LANBASE-M

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE
(fc1)

Copyright (c) 1986-2005 by Cisco Systems, Inc.

Compiled Wed 12-Oct-05 22:05 by pt_team

Press RETURN to get started!

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up

Task 2

Step1

Switch>enable

Switch#

Step2

Switch#show running-config

Building configuration...
Current configuration : 1009 bytes

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

hostname Switch

interface FastEthernet0/1

interface FastEthernet0/2

interface FastEthernet0/3

interface FastEthernet0/4

interface FastEthernet0/5

interface FastEthernet0/6

interface FastEthernet0/7

interface FastEthernet0/8

!
interface FastEthernet0/9

interface FastEthernet0/10

interface FastEthernet0/11

interface FastEthernet0/12

interface FastEthernet0/13

interface FastEthernet0/14

interface FastEthernet0/15

interface FastEthernet0/16

interface FastEthernet0/17

interface FastEthernet0/18

interface FastEthernet0/19

interface FastEthernet0/20

interface FastEthernet0/21

interface FastEthernet0/22
!

interface FastEthernet0/23

interface FastEthernet0/24

interface GigabitEthernet1/1

interface GigabitEthernet1/2

interface Vlan1

no ip address

shutdown

line con 0

line vty 0 4

login

line vty 5 15

login

End

Examine the current running configuration by issuing the show running-config command.

i. How many Fast Ethernet interfaces does the switch have?

24

ii. How many Gigabit Ethernet interfaces does the switch have?
 2

iii. What is the range of values shown for the vty lines?

0-15

Examine the current contents of NVRAM by issuing the show startup-config command.

i. Why does the switch give this response?

Startup-config is not present

Examine the characteristics of the virtual interface VLAN1 by issuing the show interface vlan1 command.

Switch#show interface vlan1

Vlan1 is administratively down, line protocol is down

Hardware is CPU Interface, address is 0060.47ac.1eb8 (bia 0060.47ac.1eb8)

MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

ARP type: ARPA, ARP Timeout 04:00:00

Last input 21:40:21, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

1682 packets input, 530955 bytes, 0 no buffer

Received 0 broadcasts (0 IP multicast)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

 563859 packets output, 0 bytes, 0 underruns

0 output errors, 23 interface resets

1 output buffer failures, 0 output buffers swapped out

1 Is there an IP address set on the switch?

NO

2 What is the MAC address of this virtual switch interface?

0060.47ac.1eb8 (bia 0060.47ac.1eb8)

3 Is this interface up?

Vlan1 is administratively down, line protocol is down

Now view the IP properties of the interface using the show ip interface vlan1 command.

i. What output do you see?

Switch#show ip interface vlan1

Vlan1 is administratively down, line protocol is down

Internet protocol processing disabled

Step 3. Display Cisco IOS information.

a. Display Cisco IOS information using the show version command.

Switch#show version

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE
(fc1)

Copyright (c) 1986-2005 by Cisco Systems, Inc.

Compiled Wed 12-Oct-05 22:05 by pt_team

ROM: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)

System returned to ROM by power-on

Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.
24 FastEthernet/IEEE 802.3 interface(s)

2 Gigabit Ethernet/IEEE 802.3 interface(s)

32768K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address : 0060.47AC.1EB8

Motherboard assembly number : 73-9832-06

Power supply part number : 341-0097-02

Motherboard serial number : FOC103248MJ

Power supply serial number : DCA102133JA

Model revision number : B0

Motherboard revision number : C0

Model number : WS-C2960-24TT

System serial number : FOC1033Z1EY

Top Assembly Part Number : 800-26671-02

Top Assembly Revision Number : B0

Version ID : V02

CLEI Code Number : COM3K00BRA

Hardware Board Revision Number : 0x01

Switch Ports Model SW Version SW Image

------ ----- ----- ---------- ----------

* 1 26 WS-C2960-24TT 12.2 C2960-LANBASE-M

Configuration register is 0xF

2 What is the Cisco IOS version that the switch is running?

 C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)

3 What is the system image filename?

C2960-LANBASE-M

4 What is the base MAC address of this switch?

0060.47AC.1EB8

Step 4. Examine the Fast Ethernet interfaces.

a. Examine the default properties of the Fast Ethernet interface used by PC1 using the show
interface fastethernet 0/18 command.

Switch#show interface fastethernet 0/18

FastEthernet0/18 is up, line protocol is up (connected)
Hardware is Lance, address is 0060.5c36.4412 (bia 0060.5c36.4412)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:08, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

956 packets input, 193351 bytes, 0 no buffer
Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
2357 packets output, 263570 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

i. Is the interface up or down?

FastEthernet0/18 is up, line protocol is up (connected)

ii. What event would make an interface go up?

iii. What is the MAC address of the interface?

 .5c36.4412 (bia 0060.5c36.4412)

iv. What is the speed and duplex setting of the interface?

100 mb/s

Step 5. Examine VLAN information.

a. Examine the default VLAN settings of the switch using the show vlan command.

Switch#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Fa0/19, Fa0/20

Fa0/21, Fa0/22, Fa0/23, Fa0/24

Gig1/1, Gig1/2

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1 enet 100001 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 0 0

1003 tr 101003 1500 - - - - - 0 0

1004 fdnet 101004 1500 - - - ieee - 0 0

 1005 trnet 101005 1500 - - - ibm - 0 0

Remote SPAN VLANs

------------------------------------------------------------------------------

Primary Secondary Type Ports

------- --------- ----------------- ----------------------------------------

i. What is the name of VLAN 1?

default

ii. Which ports are in this VLAN?

Fa0/1, Fa0/2, Fa0/3, Fa0/4,Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24

Gig1/1, Gig1/2

iii. Is VLAN 1 active?

YES

iv. What type of VLAN is the default VLAN?

Primary secondary type

Step 6. Examine flash memory.

a. There are two commands to examine flash memory:

dir flash:      or
show flash
Issue either one of the commands to examine the contents of the flash directory.

Switch#show flash

Directory of flash:/

1 -rw- 4414921 <no date> c2960-lanbase-mz.122-25.FX.bin

32514048 bytes total (28099127 bytes free)

 i. Which files or directories are found?

rw- 4414921

ii. Files have a file extension, such as .bin, at the end of the filename. Directories do not
have a file extension. What is the name of the Cisco IOS image file?

c2960-lanbase-mz.122-25.FX.bin

Switch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#hostname kuldeepl

kuldeep(config)#exit

kuldeep#

%SYS-5-CONFIG_I: Configured from console by console

kuldeep#

To save the contents of the running configuration file to non-volatile RAM (NVRAM), issue the copy
running-config startup-config command.

kuldeep#copy running-config startup-config

Destination filename [startup-config]?

Building configuration...

[OK]

kuldeep#

Task 3: Create a Basic Switch Configuration

Step 1. Assign a name to the switch.

Enter global configuration mode. Configuration mode allows you to manage the switch. Enter the
configuration commands, one on each line. Notice that the command line prompt changes to reflect the
current prompt and switch name. In the last step of the previous task, you configured the hostname. Here's
a review of the commands used.

kuldeep#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

 kuldeep(config)#hostname kuldeep

kuldeep(config)#exit

%SYS-5-CONFIG_I: Configured from console by console

kuldeep#

Step 2. Set the access passwords.

Enter config-line mode for the console. Set the login password to cisco. Also configure the vty lines 0 to
15 with the password cisco.

kuldeep#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

kuldeep(config)#line console 0

kuldeep(config-line)#password cisco

kuldeepl(config-line)#login

kuldeep(config-line)#line vty 0 15

kuldeep(config-line)#password cisco

kuldeep(config-line)#login

kuldeep(config-line)#exit

kuldeep(config)#

Why is the login command required?

Step 3. Set the command mode passwords.

Set the enable secret password to class.

S1(config)#enable secret class

Step 4. Configure the Layer 3 address of the switch.

Set the IP address of the switch to 172.17.99.11 with a subnet mask of 255.255.255.0 on the internal virtual
interface VLAN 99. The VLAN must first be created on the switch before the address can be assigned.

kuldeep(config)#vlan 99

kuldeep(config-vlan)#exit

kuldeep(config)#interface vlan99

kuldeep(config-if)#

%LINK-5-CHANGED: Interface Vlan99, changed state to up

kuldeep(config-if)#ip address 172.17.99.11 255.255.255.0

kuldeep(config-if)#no shutdown

kuldeepl(config-if)#exit

kuldeep(config)#

Step 5. Assign ports to the switch VLAN.

Assign Fastethernet 0/1, 0/8, and 0/18 to ports to VLAN 99.

kuldeep(config)#interface fa0/1

kuldeep(config-if)#switchport access vlan 99

kuldeep(config-if)#exit

kuldeep(config)#interface fa0/8

kuldeep(config-if)#switchport access vlan 99

kuldeep(config-if)#exit

kuldeep(config)#interface fa0/18

kuldeep(config-if)#switchport access vlan 99

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up

kuldeep(config-if)#exit

kuldeep(config)#
Step 6. Set the switch default gateway.

S1 is a layer 2 switch, so it makes forwarding decisions based on the Layer 2 header. If multiple networks
are connected to a switch, you need to specify how the switch forwards the internetwork frames, because
the path must be determined at Layer three. This is done by specifying a default gateway address that
points to a router or Layer 3 switch. Although this activity does not include an external IP gateway, assume
that you will eventually connect the LAN to a router for external access. Assuming that the LAN interface on
the router is 172.17.99.1, set the default gateway for the switch.

kuldeep(config)#ip default-gateway 172.17.99.1

kuldeep(config)#exit

%SYS-5-CONFIG_I: Configured from console by console

kuldeep#

Step 7. Verify the management LANs settings.

Verify the interface settings on VLAN 99 with the show interface vlan 99 command.

kuldeep#show interface vlan 99

Vlan99 is up, line protocol is up

Hardware is CPU Interface, address is 0060.47ac.1eb8 (bia 0060.47ac.1eb8)

Internet address is 172.17.99.11/24

MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

ARP type: ARPA, ARP Timeout 04:00:00

Last input 21:40:21, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

 1682 packets input, 530955 bytes, 0 no buffer

Received 0 broadcasts (0 IP multicast)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

563859 packets output, 0 bytes, 0 underruns

0 output errors, 23 interface resets

0 output buffer failures, 0 output buffers swapped out

What is the bandwidth on this interface?

100000 K/bit

What is the queuing strategy?

Fifo

Step 8. Configure the IP address and default gateway for PC1.

Set the IP address of PC1 to 172.17.99.21, with a subnet mask of 255.255.255.0. Configure a default
gateway of 172.17.99.11. Click PC1 and its Desktop tab then IP configuration to input the addressing
parameters.

Step 9. Verify connectivity.

To verify the host and switch are correctly configured, ping the switch from PC1.

If the ping is not successful, troubleshoot the switch and host configuration. Note that this may take a
couple of tries for the pings to succeed.
Step 10. Configure the port speed and duplex settings for a Fast Ethernet
interface.

Configure the duplex and speed settings on Fast Ethernet 0/18. Use the end command to return to
privileged EXEC mode when finished.

kuldeep#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

kuldeep(config)#interface fastethernet 0/18

kuldeep(config-if)#speed 100

kuldeep(config-if)#duplex full

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to down

 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state
to down

kuldeep(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down

kuldeep(config-if)#end

%SYS-5-CONFIG_I: Configured from console by console

Notice how the link between PC1 and S1 went down. Remove the speed 100 and duplex full commands.
Now verify the settings on the Fast Ethernet interface with the show interface fa0/18 command.

kuldeep#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

kuldeep(config)#interface fa0/18

kuldeep(config-if)#no speed 100

kuldeep(config-if)# no duplex full

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state

to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up

kuldeep(config-if)#

kuldeep#show interface fastethernet 0/18

FastEthernet0/18 is up, line protocol is up (connected)

Hardware is Lance, address is 0060.5c36.4412 (bia 0060.5c36.4412)

BW 100000 Kbit, DLY 1000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s

input flow-control is off, output flow-control is off

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:08, output 00:00:05, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue :0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

956 packets input, 193351 bytes, 0 no buffer

Received 956 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 watchdog, 0 multicast, 0 pause input

0 input packets with dribble condition detected

2357 packets output, 263570 bytes, 0 underruns

0 output errors, 0 collisions, 10 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

Step 11. Save the configuration.

You have completed the basic configuration of the switch. Now back up the running configuration file to
NVRAM to ensure that the changes made will not be lost if the system is rebooted or loses power.

kuldeep#copy running-config startup-config

Destination filename [startup-config]?

Building configuration...

[OK]

kuldeep#

Step 12. Examine the startup configuration file.

To see the configuration that is stored in NVRAM, issue the show startup-config command from
privileged EXEC (enable mode).

Are all the changes that were entered recorded in the file?

YES

kuldeep#copy running-config startup-config

Destination filename [startup-config]?

Building configuration...

[OK]

kuldeep#show startup-config

Using 1286 bytes

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

hostname kuldeep

!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1

interface FastEthernet0/1

switchport access vlan 99

interface FastEthernet0/2

interface FastEthernet0/3

interface FastEthernet0/4

interface FastEthernet0/5

interface FastEthernet0/6

interface FastEthernet0/7

interface FastEthernet0/8

switchport access vlan 99

interface FastEthernet0/9

interface FastEthernet0/10

interface FastEthernet0/11

!
interface FastEthernet0/12

interface FastEthernet0/13

interface FastEthernet0/14

interface FastEthernet0/15

interface FastEthernet0/16

interface FastEthernet0/17

interface FastEthernet0/18

switchport access vlan 99

interface FastEthernet0/19

interface FastEthernet0/20

interface FastEthernet0/21

interface FastEthernet0/22

interface FastEthernet0/23

interface FastEthernet0/24

interface GigabitEthernet1/1
!

interface GigabitEthernet1/2

interface Vlan1

no ip address

shutdown

interface Vlan99

ip address 172.17.99.11 255.255.255.0

ip default-gateway 172.17.99.1

line con 0

password cisco

login

line vty 0 4

password cisco

login

line vty 5 15

password cisco

login

end
Task 4: Managing the MAC Address Table

Step 1. Record the MAC addresses of the hosts.

Determine and record the Layer 2 (physical) addresses of the PC network interface cards using the
following steps:

 Click the PC.

 Select the Desktop tab.
 Click Command Prompt.
 Type the ipconfig /all command.

Step 2. Determine the MAC addresses that the switch has learned.

Display the MAC addresses using the show mac-address-table command in privileged EXEC mode. If
there are no MAC addresses, ping from PC1 to S1 then check again.

susheel#show mac-address-table dynamic

Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----
Step 3. Clear the MAC address table.

To remove the existing MAC addresses, use the clear mac-address-table dynamic command from
privileged EXEC mode.

kuldeep#clear mac-address-table dynamic

Step 4. Verify the results.

Verify that the MAC address table was cleared.

kuldeep#show mac-address-table dynamic

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

kuldeep#clear mac-address-table dynamic

kuldeep#show mac-address-table

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

Step 5. Examine the MAC table again.

The table has not changed

Step 6. Set up a static MAC address.

To specify which ports a host can connect to, one option is to create a static mapping of the host MAC
address to a port.

Set up a static MAC address on Fast Ethernet interface 0/18 using the address that was recorded for PC1
in Step 1 of this task, 0002.16E8.C285.

kuldeep#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

kuldeep(config)#mac-address-table static 0002.16E8.c285 vlan 99 interface fastethernet 0/18

kuldeep(config)#end

%SYS-5-CONFIG_I: Configured from console by console

Step 7. Verify the results.

Verify the MAC address table entries.

kuldeep#show mac-address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

99 0002.16e8.c285 STATIC Fa0/18

Step 8. Remove the static MAC entry.

Enter configuration mode and remove the static MAC by putting a no in front of the command string.

kuldeep#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
kuldeep(config)#no mac-address-table static 0002.16E8.c285 vlan 99
interface fastethernet 0/18
kuldeep(config)#end
kuldeep#
%SYS-5-CONFIG_I: Configured from console by console

Step 9. Verify the results.

Verify that the static MAC address has been cleared with the show mac-address-table static command.

kuldeep#show mac-address-table static

Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

Task 5: Configuring Port Security

Step 1. Configure a second host.

A second host is needed for this task. Set the IP address of PC2 to 172.17.99.22, with a subnet mask of
255.255.255.0 and a default gateway of 172.17.99.11. Do not connect this PC to the switch yet.

Step 2. Verify connectivity.

Verify that PC1 and the switch are still correctly configured by pinging the VLAN 99 IP address of the
switch from the host. If the pings were not successful, troubleshoot the host and switch configurations.
Step 3. Determine which MAC addresses that the switch has learned.

Display the learned MAC addresses using the show mac-address-table command in privileged EXEC
mode.

kuldeep#show mac-address-table static

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

kuldeep#show mac-address-table

Mac Address Table

-------------------------------------------
Vlan Mac Address Type Ports

---- ----------- -------- -----

99 0002.16e8.c285 DYNAMIC Fa0/18

Step 4. List the port security options.

Explore the options for setting port security on interface Fast Ethernet 0/18.

kuldeep#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

kuldeep(config)#interface fastethernet 0/18

kuldeep(config-if)#switchport port-security ?

mac-address Secure mac address

maximum Max secure addresses

violation Security violation mode

<cr>

Step 5. Configure port security on an access port.

Configure switch port Fast Ethernet 0/18 to accept only two devices, to learn the MAC addresses of those
devices dynamically, and to shutdown the port if a violation occurs.

kuldeep(config-if)#switchport mode access

kuldeep(config-if)#switchport port-security

kuldeep(config-if)#switchport port-security maximum 2

kuldeep(config-if)#switchport port-security mac-address sticky

kuldeep(config-if)#switchport port-security violation shutdown

kuldeep(config-if)#end

%SYS-5-CONFIG_I: Configured from console by console

Step 6. Verify the results.

Show the port security settings with the show port-security interface fa0/18 command.

kuldeep#show port-security interface fa0/18

Port Security : Enabled

Port Status : Secure-down

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses :2

Total MAC Addresses :0

Configured MAC Addresses : 0

Sticky MAC Addresses :0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0

How many secure addresses are allowed on Fast Ethernet 0/18?

What is the security action for this port?

Step 7. Examine the running configuration file.

kuldeep#show running-config

Building configuration...

Current configuration : 1418 bytes

version 12.2
no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

hostname kuldeep

enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1

interface FastEthernet0/1

switchport access vlan 99

interface FastEthernet0/2

interface FastEthernet0/3

interface FastEthernet0/4

interface FastEthernet0/5

interface FastEthernet0/6

interface FastEthernet0/7

interface FastEthernet0/8

switchport access vlan 99

!
interface FastEthernet0/9

interface FastEthernet0/10

interface FastEthernet0/11

interface FastEthernet0/12

interface FastEthernet0/13

interface FastEthernet0/14

interface FastEthernet0/15

interface FastEthernet0/16

interface FastEthernet0/17

interface FastEthernet0/18

switchport access vlan 99

switchport mode access

switchport port-security

switchport port-security maximum 2

switchport port-security mac-address sticky

interface FastEthernet0/19

interface FastEthernet0/20
!

interface FastEthernet0/21

interface FastEthernet0/22

interface FastEthernet0/23

interface FastEthernet0/24

interface GigabitEthernet1/1

interface GigabitEthernet1/2

interface Vlan1

no ip address

shutdown

interface Vlan99

ip address 172.17.99.11 255.255.255.0

ip default-gateway 172.17.99.1

line con 0

password cisco

login

line vty 0 4
 password cisco

login

line vty 5 15

password cisco

login

end

Are there statements listed that directly reflect the security implementation of the running configuration?

YES

Step 8. Modify the port security settings on a port.

On interface Fast Ethernet 0/18, change the port security maximum MAC address count to 1.

kuldeepl#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

kuldeep(config)#interface switchport

kuldeep(config)#interface fastethernet 0/18

kuldeep(config-if)#switchport port-security maximum 1

kuldeep(config-if)#end

Step 9. Verify the results.

Show the port security settings with the show port-security interface fa0/18 command.

Have the port security settings changed to reflect the modifications in Step 8?

Ping the VLAN 99 address of the switch from PC1 to verify connectivity and to refresh the MAC address
table.

kuldeep#show port-security interface fa0/18

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses :1

Total MAC Addresses :0

Configured MAC Addresses : 0

Sticky MAC Addresses :0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0

Step 10. Introduce a rogue host.

Disconnect the PC attached to Fast Ethernet 0/18 from the switch. Connect PC2, which has been given the
IP address 172.17.99.22 to port Fast Ethernet 0/18. Ping the VLAN 99 address 172.17.99.11 from the new
host.

What happened when you tried to ping S1?

kuldeep#

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up

Note: Convergence may take up to a minute. Switch between Simulation and Realtime mode to

accelerate convergence.
Step 11. Reactivate the port.

As long as the rogue host is attached to Fast Ethernet 0/18, no traffic can pass between the host and
switch. Reconnect PC1 to Fast Ethernet 0/18, and enter the following commands on the switch to
reactivate the port:

kuldeep#

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down

%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up

kuldeep#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Kuldeep(config)#interface fastethernet 0/18

kuldeep(config-if)#no shutdown

kuldeep(config-if)#end

%SYS-5-CONFIG_I: Configured from console by console

Step 12. Verify connectivity.

After convergence, PC1 should be able to again ping S1.