This tutorial will guide you through the configuration of several security features on Cisco switches and show you how to configure some spanning-tree features that can help you to design the network better.

I created two Packet Tracer files:

  • configuring_layer_2_security_init.pkt contains the four Cisco switches with a valid baseline configuration; all the PCs can already reach each other.
  • configuring_layer_2_security_final.pkt contains the full configuration and can be used as verification against your configuration.

Regarding the topology, there is one PC connected to each switch. The PCs are already configured. The IP address of a PC is in the format VLAN_ID.VLAN_ID.VLAN_ID.PC_NUMBER/24. For instance, PC_1 is in VLAN 100 and its IP address is 100.100.100.1/24. The default gateway of each PC is in the format VLAN_ID.VLAN_ID.VLAN_ID.VLAN_ID/24. For instance, the default gateway for PC_1 is 100.100.100.100/24. In any case, the IP addressing is written on the topology.

All the PCs are connected to FastEthernet0/4 on the switch.

Task 1 requirements

  1. Configure SW4 to be the root bridge as long as it is up.
  2. Configure SW1 to be the root bridge in case that SW4 fails.
  3. Because FastEthernet0/4 on each switch is connected to a host, configure each switch so that the interface becomes active as soon as possible.
  4. Configure SW4 so that no switch can become root bridge on the interface towards SW2.
  5. Configure all switches so that on all inter-switch links, the broadcast is limited to 30%.
  6. On every switch on interface FastEthernet0/4, set the maximum number of dynamically learned MACs to 2 and restrict the traffic in case the limit is crossed.

Task 1 verification

  1. Use the command “show spanning-tree” on SW4 to confirm that the priority is 24576. The Bridge ID priority displayed is the configured priority plus the VLAN ID (the extended system ID), so for VLAN 100 it reads 24676. You should see something similar to:

    Bridge ID Priority 24676 (priority 24576 sys-id-ext 100)

  2. Use the command “show spanning-tree” on SW1 to confirm that the priority is 28672. For VLAN 1 the displayed value is 28672 + 1 = 28673. You should see something similar to:

    Bridge ID Priority 28673 (priority 28672 sys-id-ext 1)

  3. Use the command “show spanning-tree interface F0/4 portfast” to confirm that PortFast is active on that interface. The output lists the VLANs carried by the port; what matters is that the VLAN the PC belongs to shows “enabled”. You should get something similar to:

    SW4#show spanning-tree interface f0/4 portfast
    VLAN0001 enabled
    VLAN0100 disabled
    VLAN0200 enabled
    VLAN0500 disabled
    SW4#

  4. Use the command “show storm-control broadcast” to check the storm-control limit; the command lists one row per interface on which storm control is configured. Upper and Lower are the rising and falling thresholds (both 30% here, because “level 30” with no second value sets the falling threshold equal to the rising one) and Current is the measured broadcast load. The sample row below is from Fa0/4; the requirement asks for the inter-switch links, so check that those interfaces appear with the 30.00% limit. You should get an output similar to this:

    SW4#show storm-control broadcast
    Interface  Filter State  Upper   Lower   Current
    ---------  ------------  ------  ------  -------
    Fa0/4      Link Up       30.00%  30.00%  0.32%
    SW4#

Task 1 hints

  1. Use the command “spanning-tree vlan 1-4094 root primary” on SW4 to make it the primary root bridge. Note that this is a macro: it is evaluated once, when entered, and sets the priority to 24576 (or 4096 below the current root if that is already lower). It does not follow later changes, so a switch that is later configured with a lower priority will still take over unless root guard stops it on the link it arrives on.
  2. Use the command “spanning-tree vlan 1-4094 root secondary” on SW1 to make it the secondary root bridge (priority 28672).
  3. Use the command “spanning-tree portfast” on all switches on interface FastEthernet0/4 to configure them as PortFast. Apply it only to host ports: a PortFast port skips the listening and learning states, so a switch plugged into it can create a temporary loop.
  4. Use the command “spanning-tree guard root” on SW4 on the interface that faces SW2 (not on FastEthernet0/4, which is the host port) to make sure that no superior BPDU received on that link can make another switch the root. The port is put in the root-inconsistent state instead and recovers on its own once the superior BPDUs stop.
  5. Use the command “storm-control broadcast level 30” on each switch on every inter-switch interface to limit the broadcast traffic to 30% of the link bandwidth.
  6. Use the command “switchport port-security” to enable port-security. The port must be a static access port first (“switchport mode access”); the command is rejected on a dynamic port.
  7. Use the command “switchport port-security maximum 2” to set the maximum number of MACs.
  8. Use the command “switchport port-security violation restrict” to set the violation type. With restrict, frames from MAC addresses beyond the limit are dropped, the violation counter increases and a syslog/SNMP notification is generated, but the port stays up; shutdown would put the port in err-disabled state and protect drops silently without counting.
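As an added example (not part of the original tutorial or its Packet Tracer files), here is the complete configuration for SW4 and SW1 that the hints above produce, with each command in its global or interface context. The inter-switch port numbers are an assumption: the tutorial only fixes FastEthernet0/4 as the host port, so Fa0/1 is assumed to be the link to SW2 and Fa0/1-3 are assumed to be the uplinks; adjust them to the topology in the .pkt file. It goes one step beyond the task by adding BPDU guard on the host port, the usual companion of PortFast against rogue switches.

```cisco
! ---- SW4: primary root, root guard towards SW2, storm control on uplinks,
! ---- PortFast + port-security on the host port
hostname SW4
!
! Macro: evaluated once, sets priority 24576 (or 4096 below the current root)
spanning-tree vlan 1-4094 root primary
!
! ASSUMPTION: Fa0/1 is the link to SW2 (the tutorial does not name it)
interface FastEthernet0/1
 description Link to SW2 (assumed port)
 spanning-tree guard root
!
! ASSUMPTION: Fa0/1-3 are the inter-switch links
interface range FastEthernet0/1 - 3
 storm-control broadcast level 30
!
! Host port, given by the tutorial
interface FastEthernet0/4
 description PC port
 switchport mode access
 spanning-tree portfast
 ! beyond the task: err-disable the port if a BPDU (i.e. a switch) shows up
 spanning-tree bpduguard enable
 ! port-security is only accepted on a static access port (hence "mode access" above)
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
end

! ---- SW1: secondary root; the rest is identical to the other switches
hostname SW1
!
spanning-tree vlan 1-4094 root secondary
!
! ASSUMPTION: Fa0/1-3 are the inter-switch links
interface range FastEthernet0/1 - 3
 storm-control broadcast level 30
!
interface FastEthernet0/4
 description PC port
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
end
```

Two checks the verification list above does not cover: “show spanning-tree interface FastEthernet0/1 detail” on SW4 should report that root guard is enabled on the assumed SW2-facing port, and “show port-security interface FastEthernet0/4” on each switch should show a maximum of 2, violation mode restrict and a violation count that increases when a third MAC address is seen. If BPDU guard fires, the port goes err-disabled and has to be brought back with “shutdown” followed by “no shutdown” on that interface.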

The features we have just discussed can help you to design the network better. Some of them optimize it (root bridge placement, PortFast) and others protect your network from users who connect rogue switches or too many hosts to an access port (root guard, storm control, port-security).