Configuring Advanced Switch Access Port Security on Cisco Catalyst Switches
Objective
The objective of this lab exercise is to ensure that learned MAC addresses on a secured port are retained in the switch’s NVRAM in the event of a reboot. By default, secured MAC addresses are flushed during switch reboots.
Purpose
Retaining learned secure MAC addresses is an advanced skill. When a Cisco Catalyst Switch configured with port security reboots, learned secure MAC address entries are flushed and have to be relearned when the switch comes back up. Understanding advanced features such as this one will give you, as a Cisco engineer, the edge over your fellow CCNAs.
Lab Topology
Use the following topology to complete this lab exercise:
Task 1: Configure Hostname
Objective: In preparation for port security configuration, configure a hostname on SW1 and R1 as illustrated in the topology.
Configuration Steps:
SW1#config t
Enter configuration commands, one per line. End with CTRL/Z.
SW1(config)#hostname SW1
SW1(config)#
R1#config t
Enter configuration commands, one per line. End with CTRL/Z.
R1(config)#hostname R1
R1(config)#
Task 2: Create VLAN10 on SW1
Objective: Create VLAN10 on SW1 and assign port FastEthernet0/2 to this VLAN as an access port.
Configuration Steps:
SW1#config t
Enter configuration commands, one per line. End with CTRL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#name VLAN10
SW1(config-vlan)#exit
SW1(config)#interface fastethernet0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#end
SW1#
Task 3: Configure IP Addresses
Objective: Configure IP address 172.16.0.1/27 on R1’s FastEthernet0/0 interface and IP address 172.16.0.2/27 on SW1’s VLAN10 interface. Verify that R1 can ping SW1, and vice versa.
Configuration and Verification Commands:
R1#config t
Enter configuration commands, one per line. End with CTRL/Z.
R1(config)#interface fastethernet0/0
R1(config-if)#ip address 172.16.0.1 255.255.255.224
R1(config-if)#no shutdown
R1(config-if)#end
R1#copy running-config startup-config
SW1#config t
Enter configuration commands, one per line. End with CTRL/Z.
SW1(config)#interface vlan10
SW1(config-if)#ip address 172.16.0.2 255.255.255.224
SW1(config-if)#no shutdown
SW1(config-if)#end
R1#ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
SW1#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Task 4: Configure Port Security
Objective: Configure port security on port FastEthernet0/2 on SW1 so that any MAC addresses learned on that interface are written to the switch’s NVRAM. The NVRAM is the startup configuration. Verify your configuration with port-security commands in Cisco IOS.
Configuration and Verification Commands:
SW1#conf t
Enter configuration commands, one per line. End with CTRL/Z.
SW1(config)#interface fastethernet0/2
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac-address sticky
SW1(config-if)#end
SW1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Sec Action
                (Count)       (Count)         (Count)
----------------------------------------------------------------------
      Fa0/2             1            1                 0     Shutdown
----------------------------------------------------------------------
SW1#show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports    Remaining Age (mins)
----    -----------       ----                -----    --------------------
  10    0030.A337.0101    SecureSticky        Fa0/2             -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
SW1#reload
SW1#show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports    Remaining Age (mins)
----    -----------       ----                -----    --------------------
  10    0030.A337.0101    SecureSticky        Fa0/2             -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Note: When configuring port security, by default the learned MAC addresses are flushed when the switch is reloaded. To prevent this and ensure that the switch preserves MAC addresses that are dynamically learned via port security, you need to configure sticky learning on an interface on which port security has been enabled with the switchport port-security command. This configuration, in conjunction with the copy run start command, saves the learned MAC addresses to NVRAM, so the MAC addresses learned are not lost when the switch is rebooted. The switch adds a switchport port-security mac-address sticky <mac-address> command dynamically under the interface for every sticky dynamically learned MAC address. So if 100 MAC addresses are learned this way, the switch adds 100 of these statements after the switchport port-security mac-address sticky command that you issued under the interface. Be very careful, because this can create a very large configuration file in the real world!
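Because the sticky entries end up as plain lines in the saved configuration, they can be audited offline. The following Python script is an added example, not part of the lab: it parses a constructed IOS configuration sample, counts the saved sticky MAC entries per interface, and flags two problems a reviewer would want to catch, sticky learning configured on a port where port security was never enabled (the hypothetical FastEthernet0/3) and more saved sticky entries than the port's maximum allows.

```python
import re

# Constructed sample of a saved IOS configuration (not the lab switch's own
# config). Fa0/2 mirrors the lab's secured port; Fa0/3 is a hypothetical port
# where sticky was typed but 'switchport port-security' never was.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0030.A337.0101
!
interface FastEthernet0/3
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0030.A337.0202
 switchport port-security mac-address sticky 0030.A337.0303
!
"""

STICKY_MAC = re.compile(
    r"^switchport port-security mac-address sticky ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$", re.I)

def parse_port_security(config):
    """Map each interface to its port-security state ('maximum' defaults to 1 as in IOS)."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(" ", 1)[1]
            ports[cur] = {"enabled": False, "sticky": False, "maximum": 1, "macs": []}
        elif cur is None:
            continue
        elif line == "switchport port-security":
            ports[cur]["enabled"] = True
        elif line == "switchport port-security mac-address sticky":
            ports[cur]["sticky"] = True
        elif line.startswith("switchport port-security maximum "):
            ports[cur]["maximum"] = int(line.rsplit(" ", 1)[1])
        elif m := STICKY_MAC.match(line):
            ports[cur]["macs"].append(m.group(1).lower())
    return ports

def audit(config):
    """Return findings: unenforced sticky entries and ports whose saved entries exceed the maximum."""
    findings = []
    for name, ps in parse_port_security(config).items():
        if ps["sticky"] and not ps["enabled"]:
            findings.append(f"{name}: sticky learning configured but port security not enabled")
        if len(ps["macs"]) > ps["maximum"]:
            findings.append(f"{name}: {len(ps['macs'])} saved sticky MACs exceed maximum {ps['maximum']}")
    return findings
```

Run audit() over the output of show running-config (or the saved startup-config) to spot ports whose sticky entries will not be enforced after the reload this lab tests.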
Cisco Packet Tracer file:
Load and open the .pkt Lab file in Cisco Packet Tracer from here: Advanced_Switch_Access_Port_Security.pkt