CBT IT Certification Training

Switch Port Security

Lab 10 

Catalyst Switch Port Security


Lab Objective:

The objective of this lab exercise is for you to learn and understand how to enable and verify the Port Security feature on Cisco IOS Catalyst switches.

Lab Purpose:

Port Security is a fundamental component of Catalyst switch security. By limiting how many, and optionally which, MAC addresses a port may learn, it defends against CAM table overflow (MAC flooding) attacks, in which an attacker sends frames from thousands of bogus source addresses until the CAM table fills and the switch starts flooding unicast traffic out of every port like a hub. It also prevents an unauthorised device from being plugged into an access port in place of the expected host.

Lab Difficulty:

This lab has a difficulty rating of 7/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 15 minutes. 

Lab Topology:

Please use the following topology to complete this lab:

[Lab 10 topology diagram]

NOTE:

This lab is based on a Cisco Catalyst switch with 24 10/100 FastEthernet ports and 2 1000 Mbps GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges used in this lab with those available on your switch. For example, if you only have 12 10/100 FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the GigabitEthernet ports and you only have a 12-port 10/100 FastEthernet switch, simply substitute GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example.

Lab 10 Configuration Tasks 

Task 1:

Configure the hostname on Sw1 as illustrated in the diagram. In addition to this, configure the following VLANs on Sw1:

VLAN Number   VLAN Name          VLAN Ports
10            VLAN_10_SECURITY   FastEthernet0/1 - FastEthernet0/12
20            VLAN_20_SECURITY   FastEthernet0/13 - FastEthernet0/24

Task 2:

Configure Port Security for VLAN 10 so that all learned MAC addresses are saved to the NVRAM of Sw1. In addition to this, ensure that only 1 MAC address per port is learned and if more than one is detected, the switch port(s) should be shut down. Verify your configuration. 

Task 3:

Configure Port Security for VLAN 20 so that a maximum of 5 MAC addresses can be learned dynamically. In the event that more than 5 MAC addresses are detected, the switch should restrict the port(s), that is, drop frames from the additional addresses and count the violation without shutting the port down. These dynamically learned entries should be flushed every 24 hours. Verify your configuration using the appropriate Catalyst switch show commands.

Lab 10 Configuration and Verification

Task 1:

Switch#config t

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#hostname Sw1

Sw1(config)#vlan 10

Sw1(config-vlan)#name VLAN_10_SECURITY

Sw1(config-vlan)#exit

Sw1(config)#vlan 20

Sw1(config-vlan)#name VLAN_20_SECURITY

Sw1(config-vlan)#exit

Sw1(config)#interface range fastethernet0/1 - 12

Sw1(config-if-range)#switchport mode access

Sw1(config-if-range)#switchport access vlan 10

Sw1(config-if-range)#no shutdown

Sw1(config-if-range)#exit

Sw1(config)#interface range fastethernet0/13 - 24

Sw1(config-if-range)#switchport mode access

Sw1(config-if-range)#switchport access vlan 20

Sw1(config-if-range)#no shutdown

Sw1(config-if-range)#exit

Sw1(config)#exit

Sw1#

Sw1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
10   VLAN_10_SECURITY                 active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
20   VLAN_20_SECURITY                 active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     active
1003 trcrf-default                    active
1004 fddinet-default                  active
1005 trbrf-default                    active

Task 2:

This Task requires the use of Host 1 for accurate validation. With sticky learning enabled, the MAC address that Host 1 sources on FastEthernet0/1 is learned dynamically and written into the running configuration as a switchport port-security mac-address sticky entry. That entry only survives a reload once the running configuration is saved to NVRAM with copy running-config startup-config, which is why the save below is part of the Task. Note also that maximum 1 and violation shutdown are the defaults, so they will not appear in the running configuration, and that none of the port-security sub-options take effect until the feature is enabled on the interface with the bare switchport port-security command.

Sw1(config)#interface range fastethernet0/1 - 12

Sw1(config-if-range)#switchport port-security

Sw1(config-if-range)#switchport port-security maximum 1

Sw1(config-if-range)#switchport port-security mac-address sticky

Sw1(config-if-range)#switchport port-security violation shutdown

Sw1(config-if-range)#exit

Sw1(config)#exit

Sw1#

Sw1#copy run start

Destination filename [startup-config]?

Building configuration…

[OK]

Sw1#

Sw1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            0                  0         Shutdown
      Fa0/3              1            0                  0         Shutdown
      Fa0/4              1            0                  0         Shutdown
      Fa0/5              1            0                  0         Shutdown
      Fa0/6              1            0                  0         Shutdown
      Fa0/7              1            0                  0         Shutdown
      Fa0/8              1            0                  0         Shutdown
      Fa0/9              1            0                  0         Shutdown
     Fa0/10              1            0                  0         Shutdown
     Fa0/11              1            0                  0         Shutdown
     Fa0/12              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024

Sw1#show port-security interface fastethernet 0/1 address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  10    001d.09d4.0238    SecureSticky        Fa0/1       -
-------------------------------------------------------------------
Total Addresses: 1

 

Sw1#

Sw1#show running-config interface fastethernet 0/1

Building configuration…

 

Current configuration : 230 bytes

!

interface FastEthernet0/1

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

switchport port-security mac-address sticky 001d.09d4.0238

no ip address

end

Task 3:

Sw1(config)#interface range fastethernet0/13 - 24

Sw1(config-if-range)#switchport port-security

Sw1(config-if-range)#switchport port-security maximum 5

Sw1(config-if-range)#switchport port-security violation restrict

Sw1(config-if-range)#switchport port-security aging time 1440

Sw1(config-if-range)#exit

Sw1(config)#exit

Sw1#

Sw1#show port-security | begin Fa0/13
     Fa0/13              5            0                  0         Restrict
     Fa0/14              5            0                  0         Restrict
     Fa0/15              5            0                  0         Restrict
     Fa0/16              5            0                  0         Restrict
     Fa0/17              5            0                  0         Restrict
     Fa0/18              5            0                  0         Restrict
     Fa0/19              5            0                  0         Restrict
     Fa0/20              5            0                  0         Restrict
     Fa0/21              5            0                  0         Restrict
     Fa0/22              5            0                  0         Restrict
     Fa0/23              5            0                  0         Restrict
     Fa0/24              5            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024
Sw1#

Sw1#show port-security interface fastethernet 0/13
Port Security              : Enabled
Port status                : SecureUp
Violation mode             : Restrict
Maximum MAC Addresses      : 5
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Aging time                 : 1440 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation count   : 0
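As an added check that is not part of the original lab, the following Python script audits a running configuration against the Task 2 and Task 3 policies: every VLAN 10 access port must be sticky with maximum 1 and violation shutdown, every VLAN 20 access port must have maximum 5, violation restrict and a 1440 minute aging time. The configuration excerpt embedded in it is constructed for the example (one VLAN 10 port is deliberately given the VLAN 20 settings and one VLAN 20 port has no port security) so that the audit has findings to report. The defaults it fills in before comparing (maximum 1, violation shutdown, no aging) are the IOS defaults, which the running configuration does not display.

```python
"""Added example, not part of the original lab: audit Cisco IOS
port-security settings against the Task 2 and Task 3 policies."""
import re
from typing import Dict, List, Optional

# IOS omits these defaults from the running-config; fill them in before comparing.
DEFAULTS = {"maximum": 1, "violation": "shutdown", "aging": 0, "sticky": False}
# Required settings per access VLAN (aging in minutes, 0 = no aging).
POLICY = {
    10: {"maximum": 1, "violation": "shutdown", "aging": 0, "sticky": True},
    20: {"maximum": 5, "violation": "restrict", "aging": 1440, "sticky": False},
}
# Constructed running-config excerpt: FastEthernet0/12 deliberately carries the
# VLAN 20 settings and FastEthernet0/14 has no port security, so there are findings.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/12
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 switchport port-security mac-address sticky
!
interface FastEthernet0/13
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
!
interface FastEthernet0/14
 switchport access vlan 20
 switchport mode access
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """{interface name: [sub-commands]}; a stanza runs from 'interface' to '!'."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()  # indentation ignored so pasted output without it parses
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", "", "end"):
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def access_vlan(cmds: List[str]) -> Optional[int]:
    """Access VLAN of an interface, or None if none is configured."""
    hits = [re.fullmatch(r"switchport access vlan (\d+)", c) for c in cmds]
    return next((int(m.group(1)) for m in hits if m), None)

def port_security_settings(cmds: List[str]) -> Optional[dict]:
    """Effective settings, or None when the bare enabling command is absent."""
    if "switchport port-security" not in cmds:
        return None  # sub-options without the enabling line do nothing
    settings = dict(DEFAULTS)
    for cmd in cmds:
        if cmd == "switchport port-security mac-address sticky":
            settings["sticky"] = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", cmd):
            settings["maximum"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (\S+)", cmd):
            settings["violation"] = m.group(1)
        elif m := re.fullmatch(r"switchport port-security aging time (\d+)", cmd):
            settings["aging"] = int(m.group(1))
    return settings

def audit(config: str) -> Dict[str, List[str]]:
    """Map each non-compliant access port to its findings (uplinks/trunks ignored)."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        vlan = access_vlan(cmds)
        if vlan not in POLICY:
            continue
        expected, actual = POLICY[vlan], port_security_settings(cmds)
        if actual is None:
            findings[name] = ["port-security not enabled"]
            continue
        diffs = [f"{key}: expected {expected[key]!r}, found {actual[key]!r}"
                 for key in expected if actual[key] != expected[key]]
        if diffs:
            findings[name] = diffs
    return findings

if __name__ == "__main__":
    for port, problems in audit(SAMPLE_CONFIG).items():
        print(port, *problems, sep="\n  - ")
```

Paste the output of show running-config from the switch in place of SAMPLE_CONFIG to audit a real device; the parser tolerates both the indented form IOS prints and text that has lost its leading spaces. Because violation shutdown puts a port into err-disabled state, a clean audit should be paired with show port-security to confirm no port is sitting in Secure-shutdown with a non-zero violation count.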

Lab 10 Configurations

Sw1 Configuration

Sw1#show running-config

Building configuration…

 

Current configuration : 5684 bytes

!

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Sw1

!

no logging console

!

ip subnet-zero

!

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

!

vlan 10

name VLAN_10_SECURITY

!

vlan 20

name VLAN_20_SECURITY

!

interface FastEthernet0/1

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

switchport port-security mac-address sticky 001d.09d4.0238

no ip address

!

interface FastEthernet0/2

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/3

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/4

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/5

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/6

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/7

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/8

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/9

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/10

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/11

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/12

switchport access vlan 10

switchport mode access

switchport port-security

switchport port-security mac-address sticky

no ip address

!

interface FastEthernet0/13

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/14

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/15

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/16

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/17

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/18

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/19

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/20

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/21

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/22

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/23

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface FastEthernet0/24

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security maximum 5

switchport port-security violation restrict

switchport port-security aging time 1440

no ip address

!

interface GigabitEthernet0/1

no ip address

!

interface GigabitEthernet0/2

no ip address

!

interface Vlan1

no ip address

no ip route-cache

shutdown

!

ip http server

!

!

line con 0

line vty 5 15

!

end

 

 

Copyright Reality Press Ltd. / Paul Browning