Lab 13

Catalyst Switch Port-Based Traffic Control

Lab Objective:

The objective of this lab exercise is for you to learn and understand how enable port-based traffic control features on Cisco IOS Catalyst switches.

Lab Purpose:

Catalyst switch port-based traffic control features are implemented at the port-level on Cisco IOS Catalyst switches and provide per-port security on these devices.

Lab Difficulty:

This lab has a difficulty rating of 8/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.

Lab Topology:

Please use any single switch to complete this lab:

NOTE:

This lab is based on a Cisco Catalyst switch with 24-10/100 FastEthernet ports and 2-1000Mbs GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges used in this lab with those available on your switch. For example, if you only have 12-10/100 FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the GigabitEthernet ports, and you only have a 12-port 10/100 FastEthernet switch, simply substitute GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example.

Lab 13 Configuration Tasks

Task 1:

Configure the hostname on Sw1 as illustrated in the diagram. In addition to this configure Sw1 so that it operates in Transparent mode switch in VTP domain SECURITY. This domain should be secured by the password secure for security purposes.

Task 2:

Configure storm control on ports FastEthernet0/1 – FastEthernet0/8 as follows:

Traffic Type	Suppress when exceeds (%)	Forward when below (%)
Broadcast	15	10
Multicast	80	50
Unicast	95	75

When these thresholds are exceeded, Sw1 should send an SNMP Trap notification to server 192.168.1.254. This server uses the SNMP community STRMCTRL as a RO community.

Task 3:

Configure FastEthernet0/9 – FastEthernet0/15 so that there is never an exchange of Unicast, Broadcast, or Multicast traffic between these ports on the switch.

Task 4:

Configure FastEthernet0/16 – FastEthernet0/24 so that these ports send an SNMP trap when a MAC address is added to the entries already learned.

Lab 13 Configuration and Verification

Task 1:

Switch(config)#hostname Sw1

Sw1(config)#vtp mode transparent

Setting device to VTP TRANSPARENT mode.

Sw1(config)#vtp domain SECURITY

Changing VTP domain name from Null to SECURITY

Sw1(config)#vtp password secure

Setting device VLAN database password to secure

Sw1(config)#exit

Sw1#

Sw1#show vtp status

VTP Version : 2

Configuration Revision : 0

Maximum VLANs supported locally : 250

Number of existing VLANs : 5

VTP Operating Mode : Transparent

VTP Domain Name : SECURITY

VTP Pruning Mode : Enabled

VTP V2 Mode : Enabled

VTP Traps Generation : Disabled

MD5 digest : 0x32 0xB2 0x45 0x18 0xB1 0x28 0x56 0x70

Configuration last modified by 0.0.0.0 at 3-1-93 00:17:41

Task 2:

Sw1(config)#int range fastethernet0/1 – 8

Sw1(config-if-range)#storm-control broadcast level 15.00 10.00

Sw1(config-if-range)#storm-control multicast level 80.00 50.00

Sw1(config-if-range)#storm-control unicast level 95.00 75.00

Sw1(config-if-range)#storm-control action trap

Sw1(config-if-range)#exit

Sw1(config)#snmp-server host 192.168.1.254 traps STRMCTRL

Sw1(config)#snmp-server community STRMCTRL ro 10

Sw1(config)#access-list 10 permit 192.168.1.254

Sw1(config)#exit

Sw1#

Sw1#show snmp

Chassis: FOC0730W239

0 SNMP packets input

0 Bad SNMP version errors

0 Unknown community name

0 Illegal operation for community name supplied

0 Encoding errors

0 Number of requested variables

0 Number of altered variables

0 Get-request PDUs

0 Get-next PDUs

0 Set-request PDUs

0 SNMP packets output

0 Too big errors (Maximum packet size 1500)

0 No such name errors

0 Bad values errors

0 General errors

0 Response PDUs

0 Trap PDUs

SNMP global trap: disabled

SNMP logging: enabled

Logging to 192.168.1.254.162, 0/10, 0 sent, 0 dropped.

SNMP agent enabled

Sw1#

Sw1#show storm-control broadcast

Interface Filter State Trap State Upper Lower Current Traps Sent

——— ————- ————- ——- ——- ——- ———-

Fa0/1 Forwarding Below rising 15.00% 10.00% 0.00% 0

Fa0/2 Forwarding Below rising 15.00% 10.00% 0.00% 0

Fa0/3 Forwarding Below rising 15.00% 10.00% 0.00% 0

Fa0/4 Forwarding Below rising 15.00% 10.00% 0.00% 0

Fa0/5 Forwarding Below rising 15.00% 10.00% 0.00% 0

Fa0/6 Forwarding Below rising 15.00% 10.00% 0.00% 0

Fa0/7 Forwarding Below rising 15.00% 10.00% 0.00% 0

Fa0/8 Forwarding Below rising 15.00% 10.00% 0.00% 0

—-[Truncated Output]—-

Sw1#

Sw1#show storm-control multicast

Interface Filter State Trap State Upper Lower Current Traps Sent

——— ————- ————- ——- ——- ——- ———-

Fa0/1 Forwarding Below rising 80.00% 50.00% 0.00% 0

Fa0/2 Forwarding Below rising 80.00% 50.00% 0.00% 0

Fa0/3 Forwarding Below rising 80.00% 50.00% 0.00% 0

Fa0/4 Forwarding Below rising 80.00% 50.00% 0.00% 0

Fa0/5 Forwarding Below rising 80.00% 50.00% 0.00% 0

Fa0/6 Forwarding Below rising 80.00% 50.00% 0.00% 0

Fa0/7 Forwarding Below rising 80.00% 50.00% 0.00% 0

Fa0/8 Forwarding Below rising 80.00% 50.00% 0.00% 0

—-[Truncated Output]—-

Sw1#

Sw1#show storm-control unicast

Interface Filter State Trap State Upper Lower Current Traps Sent

——— ————- ————- ——- ——- ——- ———-

Fa0/1 Forwarding Below rising 95.00% 75.00% 0.00% 0

Fa0/2 Forwarding Below rising 95.00% 75.00% 0.00% 0

Fa0/3 Forwarding Below rising 95.00% 75.00% 0.00% 0

Fa0/4 Forwarding Below rising 95.00% 75.00% 0.00% 0

Fa0/5 Forwarding Below rising 95.00% 75.00% 0.00% 0

Fa0/6 Forwarding Below rising 95.00% 75.00% 0.00% 0

Fa0/7 Forwarding Below rising 95.00% 75.00% 0.00% 0

Fa0/8 Forwarding Below rising 95.00% 75.00% 0.00% 0

Task 3:

Sw1(config)#int range f0/9 – 15

Sw1(config-if-range)#switchport protected

Sw1(config-if-range)#exit

Sw1(config)#exit

Sw1#

Sw1#show interfaces fastethernet0/15 switchport

Name: Fa0/15

Switchport: Enabled

Administrative Mode: dynamic desirable

Operational Mode: down

Administrative Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: true

Voice VLAN: none (Inactive)

Appliance trust: none

Task 4:

Sw1(config)#mac-address-table notification

Sw1(config)#snmp-server enable traps mac-notification

Sw1(config)#interface range f0/16 – 24

Sw1(config-if-range)#snmp trap mac-notification added

Sw1(config-if-range)#exit

Sw1(config)#exit

Sw1#

Sw1#show mac-address-table notification

MAC Notification Feature is Enabled on the switch

Interval between Notification Traps : 1 secs

Number of MAC Addresses Added : 0

Number of MAC Addresses Removed : 0

Number of Notifications sent to NMS : 0

Maximum Number of entries configured in History Table : 1

Current History Table Length : 0

MAC Notification Traps are Enabled

History Table contents

———————-

Sw1#

Sw1#show mac-address-table notification interface f0/24

MAC Notification Feature is Enabled on the switch

Interface MAC Added Trap MAC Removed Trap

——— ————– —————-

FastEthernet0/24 Enabled Disabled

Lab 13 Configurations

Sw1 Configuration

Sw1#show run

Building configuration…

Current configuration : 3453 bytes

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname Sw1

no logging console

ip subnet-zero

vtp domain SECURITY

vtp mode transparent

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

interface FastEthernet0/1

no ip address

storm-control broadcast level 15.00 10.00

storm-control multicast level 80.00 50.00

storm-control unicast level 95.00 75.00

storm-control action trap

interface FastEthernet0/2

no ip address

storm-control broadcast level 15.00 10.00

storm-control multicast level 80.00 50.00

storm-control unicast level 95.00 75.00

storm-control action trap

interface FastEthernet0/3

no ip address

storm-control broadcast level 15.00 10.00

storm-control multicast level 80.00 50.00

storm-control unicast level 95.00 75.00

storm-control action trap

interface FastEthernet0/4

no ip address

storm-control broadcast level 15.00 10.00

storm-control multicast level 80.00 50.00

storm-control unicast level 95.00 75.00

storm-control action trap

interface FastEthernet0/5

no ip address

storm-control broadcast level 15.00 10.00

storm-control multicast level 80.00 50.00

storm-control unicast level 95.00 75.00

storm-control action trap

interface FastEthernet0/6

no ip address

storm-control broadcast level 15.00 10.00

storm-control multicast level 80.00 50.00

storm-control unicast level 95.00 75.00

storm-control action trap

interface FastEthernet0/7

no ip address

storm-control broadcast level 15.00 10.00

storm-control multicast level 80.00 50.00

storm-control unicast level 95.00 75.00

storm-control action trap

interface FastEthernet0/8

no ip address

storm-control broadcast level 15.00 10.00

storm-control multicast level 80.00 50.00

storm-control unicast level 95.00 75.00

storm-control action trap

interface FastEthernet0/9

switchport protected

no ip address

interface FastEthernet0/10

switchport protected

no ip address

interface FastEthernet0/11

switchport protected

no ip address

interface FastEthernet0/12

switchport protected

no ip address

interface FastEthernet0/13

switchport protected

no ip address

interface FastEthernet0/14

switchport protected

no ip address

interface FastEthernet0/15

switchport protected

no ip address

interface FastEthernet0/16

no ip address