
[Share] CCNA LAB11: Configuring Advanced Static Switch Access Port Security

Posted on 2022-11-10 09:35:12
This post was last edited by 小乔 on 2022-11-10 09:37


Lab Objective:
The objective of this lab exercise is for you to learn and understand how to configure static MAC entries for port security. By default, MAC entries are learned dynamically on a switchport.

Lab Purpose:
Static port security MAC entries are an advanced skill. Static MAC address entries are manually configured by the administrator. As a Cisco engineer, understanding advanced features will give you the edge over your fellow CCNAs.

Certification Level:
This lab is suitable for CCENT and CCNA certification exam preparation.

Lab Difficulty:
This lab has a difficulty rating of 8/10.

Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.


Lab Topology:
Please use the following topology to complete this lab exercise:
[Figure: lab topology (11.png)]



Task 1:
Configure hostnames on Sw1 and R1 as illustrated in the topology. Create VLAN10 on switch Sw1 and assign port FastEthernet0/2 to this VLAN as an access port.

Task 2:
Configure IP address 172.16.0.1/27 on R1’s FastEthernet0/0 interface and IP address 172.16.0.2/27 on Sw2’s VLAN10 interface. Verify that R1 can ping Sw1, and vice versa.

Task 3:
Configure port security on port FastEthernet0/5 on Sw1 for the following static MAC addresses:


000a.1111.ab01

000b.2222.cd01

000c.3333.ef01

000d.4444.ac01


The switch should restrict access to these ports for MAC addresses that are not known. Verify your configuration with port-security commands in Cisco IOS.

Configuration and Verification
Task 1:
For reference information on configuring hostnames, please refer to earlier labs. For reference information on Transparent mode and extended VLANs, please refer to earlier labs.

Task 2:
For reference information on configuring IP interfaces, please refer to earlier labs.

Task 3:
Sw1#conf t
Enter configuration commands, one per line.  End with CTRL/Z.
Sw1(config)#interface fastethernet0/2
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security maximum 4
Sw1(config-if)#switchport port-security mac-address 000a.1111.ab01
Sw1(config-if)#switchport port-security mac-address 000b.2222.cd01
Sw1(config-if)#switchport port-security mac-address 000c.3333.ef01
Sw1(config-if)#switchport port-security mac-address 000d.4444.ac01
Sw1(config-if)#end
Sw1#
Sw1#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation  Sec Action
             (Count)        (Count)      (Count)
----------------------------------------------------------------------
Fa0/2          5               4             0              Shutdown
----------------------------------------------------------------------
Total Addresses in System : 5
Max Addresses limit in System : 1024

Sw1#show port-security interface fastethernet0/2
Port Security : Enabled

Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 4
Total MAC Addresses : 4
Configured MAC Addresses : 4
Sticky MAC Addresses : 0
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0

NOTE: The requirements of this task seem simple, but a common mistake is to forget that, by default, the maximum number of addresses that can be secured is one. Because you were given four MAC addresses, you need to increase the port security limit to four. Without the switchport port-security maximum 4 command, you would receive the following error when trying to add the second static MAC address for port security:


Sw1#conf t
Enter configuration commands, one per line.  End with CTRL/Z.
Sw1(config)#interface fastethernet0/2
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address 000a.1111.ab01
Sw1(config-if)#switchport port-security mac-address 000b.2222.cd01
%Error: Cannot add secure address 000b.2222.cd01
%Error: Total secure addresses on interface reached its max limit of 1
%PSECURE: Internal Error in adding address
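
The limit check described in the NOTE above can be run against a planned command list before it is typed into the switch. The following Python sketch is an added example, not part of the original lab; the function name audit_port_security, the GOOD and BAD inputs, and the replay model (a static entry is refused once the current maximum is reached) are assumptions made for illustration.

```python
import re

# Static entries required by Task 3 of the lab.
EXPECTED = {"000a.1111.ab01", "000b.2222.cd01", "000c.3333.ef01", "000d.4444.ac01"}
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")

def audit_port_security(commands, expected=EXPECTED):
    """Replay planned interface commands in order and return the findings.

    Simplified model (an assumption of this example): a static entry is
    refused once the current maximum is reached, as in the error the lab shows.
    """
    # Defaults: maximum 1 (lab NOTE), violation shutdown (lab show output).
    enabled, maximum, violation = False, 1, "shutdown"
    accepted, findings = [], []
    for line in commands.splitlines():
        words = line.strip().lower().split()
        if words[:2] != ["switchport", "port-security"]:
            continue
        args = words[2:]
        if not args:
            enabled = True
        elif args[0] == "maximum" and len(args) == 2 and args[1].isdigit():
            maximum = int(args[1])
        elif args[0] == "violation" and len(args) == 2:
            violation = args[1]
        elif args[0] == "mac-address" and len(args) == 2 and MAC_RE.fullmatch(args[1]):
            if len(accepted) >= maximum:
                findings.append(f"{args[1]} refused: limit of {maximum} reached")
            elif args[1] not in accepted:
                accepted.append(args[1])
    if not enabled:
        findings.append("port security not enabled")
    for mac in sorted(expected - set(accepted)):
        findings.append(f"{mac} missing from secure addresses")
    for mac in sorted(set(accepted) - expected):
        findings.append(f"{mac} configured but not expected")
    if maximum > len(accepted):  # spare slots can be taken by unknown hosts
        findings.append(f"{maximum - len(accepted)} free slot(s) for dynamically learned MACs")
    return {"violation": violation, "accepted": accepted, "findings": findings}

# Constructed inputs: the lab's working sequence, and the one from its NOTE.
GOOD = "switchport port-security\nswitchport port-security maximum 4\n" + "".join(
    f"switchport port-security mac-address {m}\n" for m in sorted(EXPECTED))
BAD = ("switchport port-security\n"
       "switchport port-security mac-address 000a.1111.ab01\n"
       "switchport port-security mac-address 000b.2222.cd01\n")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_port_security(cfg))
```

A maximum larger than the number of static entries is reported because the spare slots would be filled by whatever addresses the port learns dynamically.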

