CCNA LAB17: 配置Configuring Errdisable Recovery

小乔

Lab Objective:
The objective of this lab exercise is for you to learn and understand how the errdisable recovery feature works on a Layer 2 network. This lab will not work on Packet Tracer.

Lab Purpose:
Understanding how errdisable functionality works on a Layer 2 switch is a fundamental skill that will allow a network engineer to recover a port from the error-disable state. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to recover any port in an error-disable state.

Certification Level:
This lab is suitable for CCENT certification exam preparation.

Lab Difficulty:
This lab has a difficulty rating of 5/10.

Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 20 minutes.

Lab Topology:
Please use the following topology to complete this lab exercise:




Task 1:
Configure the hostname on Sw1 as illustrated in the topology.

Task 2:
Create an SVI for VLAN1 on the switch and apply the respective IP address as illustrated in the topology (do the same thing with PC1).

Task 3:
Configure Sw1 port 0/1 with the following settings:


Access-port mode
Access-port VLAN1
Switchport port-security enabled
Switchport port-security maximum MACs of 1
Switchport port-security violation mode shutdown
Task 4:
Remove PC1 and attach PC2 to the same port with a different IP address (192.168.10.2) and see how the port is shut down.

Task 5:
Configure the switch in such a way that any port being shut down by a security violation will recover automatically after 5 minutes. Check the status of the port where PC2 is connected after 5 minutes and make sure that the port is up and running. Issue a relevant show command.

Configuration and Verification
Task 1:
For reference information on configuring hostnames, please refer to earlier labs.

Task 2:
SW1#conf t
Enter configuration commands, one per line.  End with CTRL/Z.
SW1(config)#interface vlan1
SW1(config-if)#ip address 192.168.0.254 255.255.255.0
SW1(config-if)#end
SW1#
Task 3:
SW1#conf t
Enter configuration commands, one per line.  End with CTRL/Z.
SW1(config)#interface gigabit0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan1
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 1
SW1(config-if)#switchport port-security violation-mode shutdown
SW1(config-if)#end
Task 4:
My-PC:~ admin$ ping 192.168.0.254
PING 192.168.0.1 (192.168.0.254): 56 data bytes
64 bytes from 192.168.0.254: icmp_seq=0 ttl=64 time=1.969 ms
64 bytes from 192.168.0.254: icmp_seq=1 ttl=64 time=1.986 ms
64 bytes from 192.168.0.254: icmp_seq=2 ttl=64 time=2.047 ms
64 bytes from 192.168.0.254: icmp_seq=3 ttl=64 time=3.192 ms
^C
--- 192.168.0.254 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 1.969/2.299/3.192/0.517 ms
After removing PC1 and adding a new PC (PC2), the port will be shut down because of a port-security violation (more than one MAC address is being learned over that Gigabit interface).


The following message will be seen at the switch CLI:

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001d.60b3.0aff on port FastEthernet0/1
If you go ahead and check the interface status, you will get the following:

Switch#show interface gigabit0/1 gigabitethernet0/1 is down, line protocol is down (err-disabled)
Task 5:
SW1#conf t
Enter configuration commands, one per line.  End with CTRL/Z.
SW1(config)#errdisable recovery cause psecure-violation
SW1(config)#errdisable recovery interval 300
SW1(config-if)#end
SW1#
After 5 minutes (300 seconds), you will see the following messages at the switch CLI:

%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on interface gigabit0/1
%LINK-3-UPDOWN: interface gigabit0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
The new host is ready to be used, as the interface transitioned from shutdown (errdisabled) to up/up.


SW1#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
Disabled udld
Disabled             bpduguard   
Enabled              security-violation   
Disabled             channel-misconfig     
Disabled             pagp-flap            
Disabled             dtp-flap              
Disabled             link-flap            
Disabled             l2ptguard
Disabled             psecure-violation     
Disabled             gbic-invalid         
Disabled             dhcp-rate-limit      
Disabled             mac-limit            
Disabled              unicast-flood         
Disabled             arp-inspection     

Timer interval: 300 seconds   
Interfaces that will be enabled at the next timeout:
Interface      Errdisable reason      Time left(sec)
---------      ------------------     --------------
Gig0/1         security-violation     300

来源: CCNA LAB 8: 配置 Securing VTP Domains
来源: CCNA LAB 9: 配置  Switch Access Port Security
来源: CCNA LAB10: 配置 Advanced Switch Access Port Security
来源: CCNA LAB11: 配置Advanced Static Switch Access Port Security
来源: CCNA LAB12: 配置Disabling Auto-negotiation of Trunking
来源: CCNA LAB13: 配置Switchports to Dynamic
来源: CCNA LAB14: 配置Default Gateway for Routers and Switches
来源: CCNA LAB15: 配置Cisco Discovery Protocol
来源: CCNA LAB16: 配置Configuring LLDP