Lab 13
Catalyst Switch Port-Based Traffic Control
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to enable port-based traffic control features on Cisco IOS Catalyst switches.
Lab Purpose:
Catalyst switch port-based traffic control features are implemented at the port-level on Cisco IOS Catalyst switches and provide per-port security on these devices.
Lab Difficulty:
This lab has a difficulty rating of 8/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use any single switch to complete this lab:
NOTE:
This lab is based on a Cisco Catalyst switch with 24 10/100 FastEthernet ports and 2 1000 Mbps GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges used in this lab with those available on your switch. For example, if you only have 12 10/100 FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the GigabitEthernet ports and you only have a 12-port 10/100 FastEthernet switch, simply substitute GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example.
Lab 13 Configuration Tasks
Task 1:
Configure the hostname on Sw1 as illustrated in the diagram. In addition, configure Sw1 to operate as a VTP Transparent mode switch in the VTP domain SECURITY. Secure this domain with the password secure.
Task 2:
Configure storm control on ports FastEthernet0/1 – FastEthernet0/8 as follows:
Traffic Type | Suppress when exceeds (%) | Forward when below (%) |
Broadcast | 15 | 10 |
Multicast | 80 | 50 |
Unicast | 95 | 75 |
When these thresholds are exceeded, Sw1 should send an SNMP Trap notification to server 192.168.1.254. This server uses the SNMP community STRMCTRL as a RO community.
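How the two thresholds in the table interact, as an added example that is not part of the original lab: a simplified Python model in which a port starts suppressing a traffic type once its level exceeds the upper threshold and resumes forwarding only after the level falls below the lower one. The utilisation samples and the one-event-per-storm counting are assumptions of the model.

```python
# Simplified model of storm-control hysteresis (added example, not Cisco code).
# Thresholds come from the Task 2 table; the utilisation samples are constructed.
THRESHOLDS = {  # traffic type: (suppress when exceeds %, forward when below %)
    "broadcast": (15.0, 10.0),
    "multicast": (80.0, 50.0),
    "unicast": (95.0, 75.0),
}

def simulate(traffic_type, samples):
    """Return (filter states, storm events) for per-interval utilisation in %."""
    rising, falling = THRESHOLDS[traffic_type]
    blocking, states, storm_events = False, [], 0
    for pct in samples:
        if not blocking and pct > rising:
            blocking = True
            storm_events += 1      # assumption: one trap per detected storm
        elif blocking and pct < falling:
            blocking = False       # resumes only once below the lower threshold
        states.append("Blocking" if blocking else "Forwarding")
    return states, storm_events

if __name__ == "__main__":
    samples = [5.0, 12.0, 16.0, 12.0, 11.0, 9.0, 12.0]
    states, events = simulate("broadcast", samples)
    for pct, state in zip(samples, states):
        print(f"{pct:5.1f}%  {state}")
    print("storm events:", events)
```

The same 12% broadcast level is forwarded before the storm and suppressed during it, which is why the lower threshold matters when reading the Filter State column.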
Task 3:
Configure FastEthernet0/9 – FastEthernet0/15 so that there is never an exchange of Unicast, Broadcast, or Multicast traffic between these ports on the switch.
Task 4:
Configure FastEthernet0/16 – FastEthernet0/24 so that these ports send an SNMP trap when a MAC address is added to the entries already learned.
Lab 13 Configuration and Verification
Task 1:
Switch(config)#hostname Sw1
Sw1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Sw1(config)#vtp domain SECURITY
Changing VTP domain name from Null to SECURITY
Sw1(config)#vtp password secure
Setting device VLAN database password to secure
Sw1(config)#exit
Sw1#
Sw1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 250
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 : SECURITY
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x32 0xB2 0x45 0x18 0xB1 0x28 0x56 0x70
Configuration last modified by 0.0.0.0 at 3-1-93 00:17:41
Task 2:
Sw1(config)#int range fastethernet0/1 - 8
Sw1(config-if-range)#storm-control broadcast level 15.00 10.00
Sw1(config-if-range)#storm-control multicast level 80.00 50.00
Sw1(config-if-range)#storm-control unicast level 95.00 75.00
Sw1(config-if-range)#storm-control action trap
Sw1(config-if-range)#exit
Sw1(config)#snmp-server host 192.168.1.254 traps STRMCTRL
Sw1(config)#snmp-server community STRMCTRL ro 10
Sw1(config)#access-list 10 permit 192.168.1.254
Sw1(config)#exit
Sw1#
Sw1#show snmp
Chassis: FOC0730W239
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs
SNMP global trap: disabled
SNMP logging: enabled
    Logging to 192.168.1.254.162, 0/10, 0 sent, 0 dropped.
SNMP agent enabled
Sw1#
Sw1#
Sw1#show storm-control broadcast
Interface  Filter State   Trap State     Upper    Lower    Current  Traps Sent
---------  -------------  -------------  -------  -------  -------  ----------
Fa0/1      Forwarding     Below rising    15.00%   10.00%    0.00%           0
Fa0/2      Forwarding     Below rising    15.00%   10.00%    0.00%           0
Fa0/3      Forwarding     Below rising    15.00%   10.00%    0.00%           0
Fa0/4      Forwarding     Below rising    15.00%   10.00%    0.00%           0
Fa0/5      Forwarding     Below rising    15.00%   10.00%    0.00%           0
Fa0/6      Forwarding     Below rising    15.00%   10.00%    0.00%           0
Fa0/7      Forwarding     Below rising    15.00%   10.00%    0.00%           0
Fa0/8      Forwarding     Below rising    15.00%   10.00%    0.00%           0
----[Truncated Output]----
Sw1#
Sw1#show storm-control multicast
Interface  Filter State   Trap State     Upper    Lower    Current  Traps Sent
---------  -------------  -------------  -------  -------  -------  ----------
Fa0/1      Forwarding     Below rising    80.00%   50.00%    0.00%           0
Fa0/2      Forwarding     Below rising    80.00%   50.00%    0.00%           0
Fa0/3      Forwarding     Below rising    80.00%   50.00%    0.00%           0
Fa0/4      Forwarding     Below rising    80.00%   50.00%    0.00%           0
Fa0/5      Forwarding     Below rising    80.00%   50.00%    0.00%           0
Fa0/6      Forwarding     Below rising    80.00%   50.00%    0.00%           0
Fa0/7      Forwarding     Below rising    80.00%   50.00%    0.00%           0
Fa0/8      Forwarding     Below rising    80.00%   50.00%    0.00%           0
----[Truncated Output]----
Sw1#
Sw1#show storm-control unicast
Interface  Filter State   Trap State     Upper    Lower    Current  Traps Sent
---------  -------------  -------------  -------  -------  -------  ----------
Fa0/1      Forwarding     Below rising    95.00%   75.00%    0.00%           0
Fa0/2      Forwarding     Below rising    95.00%   75.00%    0.00%           0
Fa0/3      Forwarding     Below rising    95.00%   75.00%    0.00%           0
Fa0/4      Forwarding     Below rising    95.00%   75.00%    0.00%           0
Fa0/5      Forwarding     Below rising    95.00%   75.00%    0.00%           0
Fa0/6      Forwarding     Below rising    95.00%   75.00%    0.00%           0
Fa0/7      Forwarding     Below rising    95.00%   75.00%    0.00%           0
Fa0/8      Forwarding     Below rising    95.00%   75.00%    0.00%           0
Task 3:
Sw1(config)#int range f0/9 - 15
Sw1(config-if-range)#switchport protected
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show interfaces fastethernet0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: true
Voice VLAN: none (Inactive)
Appliance trust: none
Task 4:
Sw1(config)#mac-address-table notification
Sw1(config)#snmp-server enable traps mac-notification
Sw1(config)#interface range f0/16 - 24
Sw1(config-if-range)#snmp trap mac-notification added
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show mac-address-table notification
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 1 secs
Number of MAC Addresses Added : 0
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 0
Maximum Number of entries configured in History Table : 1
Current History Table Length : 0
MAC Notification Traps are Enabled
History Table contents
----------------------
Sw1#
Sw1#
Sw1#show mac-address-table notification interface f0/24
MAC Notification Feature is Enabled on the switch
Interface          MAC Added Trap   MAC Removed Trap
---------          --------------   ----------------
FastEthernet0/24   Enabled          Disabled
Lab 13 Configurations
Sw1 Configuration
Sw1#show run
Building configuration...
Current configuration : 3453 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Sw1
!
no logging console
!
ip subnet-zero
vtp domain SECURITY
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/2
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/3
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/4
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/5
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/6
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/7
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/8
 no ip address
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control unicast level 95.00 75.00
 storm-control action trap
!
interface FastEthernet0/9
 switchport protected
 no ip address
!
interface FastEthernet0/10
 switchport protected
 no ip address
!
interface FastEthernet0/11
 switchport protected
 no ip address
!
interface FastEthernet0/12
 switchport protected
 no ip address
!
interface FastEthernet0/13
 switchport protected
 no ip address
!
interface FastEthernet0/14
 switchport protected
 no ip address
!
interface FastEthernet0/15
 switchport protected
 no ip address
!
interface FastEthernet0/16
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/17
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/18
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/19
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/20
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/21
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/22
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/23
 no ip address
 snmp trap mac-notification added
!
interface FastEthernet0/24
 no ip address
 snmp trap mac-notification added
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
access-list 10 permit 192.168.1.254
snmp-server community STRMCTRL RO 10
snmp-server enable traps MAC-Notification
snmp-server host 192.168.1.254 STRMCTRL
!
line con 0
line vty 5 15
!
mac-address-table notification
end
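A way to check a saved running configuration against Tasks 2 to 4, as an added example that is not part of the original lab: a Python audit that splits the configuration into interface blocks and reports each required line that is missing. The policy table mirrors the lab's port ranges and command lines; the function names and the abridged SAMPLE text are constructed for illustration.

```python
import re

# Required lines per port range, from the lab's Tasks 2-4 and its running config.
STORM = ["storm-control broadcast level 15.00 10.00",
         "storm-control multicast level 80.00 50.00",
         "storm-control unicast level 95.00 75.00", "storm-control action trap"]
POLICY = [(1, 8, STORM), (9, 15, ["switchport protected"]),
          (16, 24, ["snmp trap mac-notification added"])]
GLOBAL = ["mac-address-table notification", "snmp-server enable traps mac-notification"]

def parse(config):
    """Return ({interface: set of lines}, set of global lines), all lower-cased."""
    ifaces, glob, block = {}, set(), None
    for line in (raw.strip().lower() for raw in config.splitlines()):
        if line.startswith("interface "):
            block = ifaces.setdefault(line.split(None, 1)[1], set())
        elif line in ("", "!"):
            block = None                      # "!" closes the interface block
        else:
            (glob if block is None else block).add(line)
    return ifaces, glob

def audit(config):
    """List every required line that is missing from the config."""
    ifaces, glob = parse(config)
    findings = [f"global: missing '{g}'" for g in GLOBAL if g not in glob]
    for name, lines in ifaces.items():
        m = re.fullmatch(r"fastethernet0/(\d+)", name)
        port = int(m.group(1)) if m else 0    # 0 = outside the policy (uplinks, SVIs)
        for first, last, required in POLICY:
            if first <= port <= last:
                findings += [f"{name}: missing '{r}'" for r in required if r not in lines]
    return findings

# Constructed, abridged sample with three deliberate gaps (not the lab's config).
SAMPLE = """\
interface FastEthernet0/2
 storm-control broadcast level 15.00 10.00
 storm-control multicast level 80.00 50.00
 storm-control action trap
!
interface FastEthernet0/10
 no ip address
!
snmp-server enable traps MAC-Notification
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Matching is case-insensitive because the running configuration stores the trap keyword as MAC-Notification while the command is typed as mac-notification.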