    Configuring Switch Access Port Security on Cisco Catalyst Switches

    Objective

    The objective of this lab exercise is to configure basic switch security to prevent MAC address flooding on switch ports. This is accomplished by limiting the number of MAC entries that are allowed to be learned on a port. By default, there is no limit on MAC addresses that can be learned on a port.

    Purpose

    Port security is a fundamental skill. A common Denial of Service technique used to cripple switched networks is MAC flooding. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to configure port security to mitigate MAC flooding attacks.

    Lab Topology

    Use the following topology to complete this lab exercise:

    [Figure: lab topology diagram (Router Setup 1)]

    Task 1: Configure Hostname

    Objective: In preparation for port security configuration, configure a hostname on SW1 and R1 as illustrated in the topology.

    Configuration Steps:

    SW1#config t
    Enter configuration commands, one per line. End with CTRL/Z.
    SW1(config)#hostname SW1
    SW1(config)#
    
    R1#config t
    Enter configuration commands, one per line. End with CTRL/Z.
    R1(config)#hostname R1
    R1(config)#

    Task 2: Create VLAN10 on SW1

    Objective: Create VLAN10 on SW1 and assign port FastEthernet0/1 to this VLAN as an access port.

    Configuration Steps:

    SW1#config t
    Enter configuration commands, one per line. End with CTRL/Z.
    SW1(config)#vlan 10
    SW1(config-vlan)#name SALES
    SW1(config-vlan)#exit
    SW1(config)#interface fastethernet0/1
    SW1(config-if)#switchport mode access
    SW1(config-if)#switchport access vlan 10
    SW1(config-if)#end
    SW1#

    Task 3: Configure IP Addresses and Verify Connectivity

    Objective: Configure IP address 10.0.0.1/30 on R1’s FastEthernet0/0 interface and IP address 10.0.0.2/30 on SW1’s VLAN10 interface. Verify that R1 can ping SW1, and vice versa.

    Configuration and Verification Commands:

    R1#config t
    Enter configuration commands, one per line. End with CTRL/Z.
    R1(config)#interface fastethernet0/0
    R1(config-if)#ip address 10.0.0.1 255.255.255.252
    R1(config-if)#no shut
    R1(config-if)#end
    R1#
    
    SW1#config t
    Enter configuration commands, one per line. End with CTRL/Z.
    SW1(config)#interface vlan10
    %LINK-5-CHANGED: Interface Vlan10, changed state to up
    SW1(config-if)#ip address 10.0.0.2 255.255.255.252
    SW1(config-if)#no shut
    SW1(config-if)#end
    SW1#ping 10.0.0.1
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 0/2/9 ms

    Task 4: Configure Port Security on SW1

    Objective: Configure port security on port FastEthernet0/1 on SW1 so that only one MAC address is allowed to be learned on that interface. In the event of port security configuration violations, where more than one MAC address is observed on that interface, the switch should shut the interface down. Verify your configuration with port-security commands in Cisco IOS.

    Configuration and Verification Commands:

    SW1#config t
    Enter configuration commands, one per line. End with CTRL/Z.
    SW1(config)#interface FastEthernet0/1
    SW1(config-if)#switchport port-security
    SW1(config-if)#switchport port-security maximum 1
    SW1(config-if)#switchport port-security violation shutdown
    SW1(config-if)#end
    SW1#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
          Fa0/1              1            0                  0         Shutdown
    ---------------------------------------------------------------------------
    SW1#copy running-config startup-config

    Testing Port Security Violation:

    Changing the MAC address of R1's FastEthernet0/0 interface to 000a.bc01.2300 would result in a violation because this new MAC address is not permitted by the port security configuration.

    R1#config t
    Enter configuration commands, one per line. End with CTRL/Z.
    R1(config)#interface fastethernet0/0
    R1(config-if)#mac-address 000a.bc01.2300
    R1(config-if)#end
    R1#copy running-config startup-config
    
    SW1#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
          Fa0/1              1            0                  1         Shutdown
    ---------------------------------------------------------------------------
    
    SW1#show interfaces FastEthernet0/1
    FastEthernet0/1 is down, line protocol is down (err-disabled)
      Hardware is Lance, address is 0060.476e.1701 (bia 0060.476e.1701)
     BW 100000 Kbit, DLY 1000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
    
    [Output Truncated]

    As the output above shows, the violation counter has incremented and the interface is now in the err-disabled state: the switch has shut it down because of the port security violation. To bring the interface back up, issue the shutdown command followed by the no shutdown command under the interface.


    Cisco Packet Tracer file:
    Load and open the .pkt Lab file in Cisco Packet Tracer from here: Configuring_Switch_Access_Port_Security.pkt
