Layer 2 VLAN Security

Author: admin  Published: 2010-10-12  Comments: 0  Views: 10,495+

Instructor Version

Topology Diagram

Objectives

Connect a new redundant link between SW-1 and SW-2.

Enable trunking and configure security on the new trunk link between SW-1 and SW-2.

Create a new management VLAN (VLAN 20) and attach a management PC to that VLAN.

Implement an ACL to prevent outside users from accessing the management VLAN.

Introduction

A company's network is currently set up using two separate VLANs: VLAN 5 and VLAN 10. In addition, all trunk ports are configured with native VLAN 15. A network administrator wants to add a redundant link between switch SW-1 and SW-2. The link must have trunking enabled and all security requirements should be in place.

In addition, the network administrator wants to connect a management PC to switch SW-A. The administrator would like to allow the management PC to connect to all switches and the router, but does not want any other devices to be able to connect to the management PC or the switches. The administrator would like to create a new VLAN 20 for management purposes.

All devices have been preconfigured with:

Enable secret password: ciscoenpa55

Console password: ciscoconpa55

VTY line password: ciscovtypa55

Task 1: Verify Connectivity

Step 1. Verify connectivity between C2 (VLAN 10) and C3 (VLAN 10).

Step 2. Verify connectivity between C2 (VLAN 10) and D1 (VLAN 5).

Note: If using the simple PDU GUI packet, be sure to ping twice to allow for ARP.

Task 2: Create a Redundant Link Between SW-1 and SW-2

Step 1. Connect SW-1 and SW-2.

Using a crossover cable, connect port Fa0/23 on SW-1 to port Fa0/23 on SW-2.

Step 2. Enable trunking, including all trunk security mechanisms, on the link between SW-1 and SW-2.

Trunking has already been configured on all pre-existing trunk interfaces. The new link must be configured for trunking, including all trunk security mechanisms. On both SW-1 and SW-2, set the port to trunk, assign native VLAN 15 to the trunk port, and disable auto-negotiation.

SW-1(config)# interface fa0/23
SW-1(config-if)# no shutdown
SW-1(config-if)# switchport mode trunk
SW-1(config-if)# switchport trunk native vlan 15
SW-1(config-if)# switchport nonegotiate

SW-2(config)# interface fa0/23
SW-2(config-if)# no shutdown
SW-2(config-if)# switchport mode trunk
SW-2(config-if)# switchport trunk native vlan 15
SW-2(config-if)# switchport nonegotiate
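As an added check that is not part of the lab, the following Python script audits a constructed running-config excerpt for the three trunk settings this step requires (trunk mode, native VLAN 15, DTP negotiation disabled); the interface names and config text are assumed sample data, not taken from the lab topology.

```python
REQUIRED_NATIVE_VLAN = 15

# Constructed sample (not from the lab): Fa0/23 is hardened as in Task 2;
# Fa0/24 is a trunk that still runs DTP and sits on the default native VLAN 1.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 20
!
interface FastEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 15
 switchport nonegotiate
!
interface FastEthernet0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [indented command lines]} for each stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return stanzas

def audit_trunks(config, native_vlan=REQUIRED_NATIVE_VLAN):
    """Return {trunk interface: [missing hardening items]}; [] means compliant."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" not in cmds:
            continue                # only trunks are in scope for this check
        missing = []
        if "switchport nonegotiate" not in cmds:
            missing.append("nonegotiate")          # DTP still negotiates
        if f"switchport trunk native vlan {native_vlan}" not in cmds:
            missing.append(f"native vlan {native_vlan}")
        findings[name] = missing
    return findings
```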

Task 3: Enable VLAN 20 as a Management VLAN

The network administrator would like to be able to access all switch and routing devices using a management PC. For security, the administrator wants to ensure that all managed devices are on a separate VLAN.

Step 1. Enable a management VLAN (VLAN 20) on SW-A.

Enable VLAN 20 on SW-A and use the default name of VLAN0020.

SW-A(config)# vlan 20
SW-A(config-vlan)# exit

Create an interface VLAN 20 and assign an IP address within the 192.168.20.0/24 network.

SW-A(config)# interface vlan 20
SW-A(config-if)# ip address 192.168.20.1 255.255.255.0

Step 2. Enable the same management VLAN on all other switches.

Be sure to create the VLAN on all switches: SW-B, SW-1, SW-2 and Central.

SW-B(config)# vlan 20
SW-B(config-vlan)# exit
SW-B(config)# interface vlan 20
SW-B(config-if)# ip address 192.168.20.2 255.255.255.0

SW-1(config)# vlan 20
SW-1(config-vlan)# exit
SW-1(config)# interface vlan 20
SW-1(config-if)# ip address 192.168.20.3 255.255.255.0

SW-2(config)# vlan 20
SW-2(config-vlan)# exit
SW-2(config)# interface vlan 20
SW-2(config-if)# ip address 192.168.20.4 255.255.255.0

Central(config)# vlan 20
Central(config-vlan)# exit
Central(config)# interface vlan 20
Central(config-if)# ip address 192.168.20.5 255.255.255.0

Step 3. Configure the management PC and connect it to SW-A port Fa0/1.

Ensure that the management PC is assigned an IP address within the 192.168.20.0/24 network. Connect the management PC to SW-A port Fa0/1.

Step 4. On SW-A, ensure the management PC is part of VLAN 20.

Interface Fa0/1 must be part of VLAN 20.

SW-A(config)# interface fa0/1
SW-A(config-if)# switchport access vlan 20
SW-A(config-if)# no shutdown

Step 5. Verify connectivity of the management PC to all switches.

The management PC should be able to ping SW-A, SW-B, SW-1, SW-2 and Central.

Task 4: Enable the Management PC to Access Router R1

Step 1. Enable a new subinterface on router R1.

Create subinterface Fa0/0.3 and assign an IP address within the 192.168.20.0/24 network. Be sure to set encapsulation to dot1q 20 to account for VLAN 20.

R1(config)# interface fa0/0.3
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address 192.168.20.100 255.255.255.0

Step 2. Verify connectivity between the management PC and R1.

Be sure to configure the default gateway on the management PC to allow for connectivity.

Step 3. Enable security.

While the management PC must be able to access the router, no other PC should be able to access the management VLAN.

Create an ACL (or ACLs) that denies any network from accessing the 192.168.20.0/24 network but permits all other networks to access one another.

Example: (may vary from student configuration)

R1(config)# access-list 101 deny ip any 192.168.20.0 0.0.0.255
R1(config)# access-list 101 permit ip any any

Apply the ACL to the proper interface(s).

Example: (may vary from student configuration)

R1(config)# int fa0/0.1
R1(config-subif)# ip access-group 101 in
R1(config-subif)# int fa0/0.2
R1(config-subif)# ip access-group 101 in

Note: There are multiple ways in which an ACL can be created to accomplish the necessary security. For this reason, grading on this portion of the activity is based on the correct connectivity requirements. The management PC must be able to connect to all switches and the router. All other PCs should not be able to connect to any devices within the management VLAN.

Step 4. Verify security.

From the management PC, ping SW-A, SW-B, and R1. Was the ping successful?

The ping should have been successful because all devices within the 192.168.20.0 network should be able to ping one another. Devices within VLAN 20 are not required to route through the router.

From D1, ping the management PC. Was the ping successful?

The ping should have failed. For a device in a different VLAN to ping a device in VLAN 20, the traffic must be routed, and the router has an ACL that blocks all packets destined for the 192.168.20.0 network.
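Added example, not from the lab: a small Python model of how R1 evaluates access-list 101 with Cisco wildcard-mask semantics, applied to the two pings checked in this step; the host addresses for D1, C2 and the management PC are assumed, since the lab does not list them.

```python
import ipaddress
# The ACL exactly as written in Task 4, Step 3. IOS processes entries top
# down, the first match wins, and anything unmatched hits the implicit deny.
ACL_101 = [
    "access-list 101 deny ip any 192.168.20.0 0.0.0.255",
    "access-list 101 permit ip any any",
]

def parse_entry(line):
    """Return (action, (src, src_wildcard), (dst, dst_wildcard)) for an 'ip' ACE."""
    tokens = line.split()
    action, rest = tokens[2], tokens[4:]     # skip 'access-list 101' and 'ip'
    fields = []
    while rest:
        if rest[0] == "any":
            fields.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        elif rest[0] == "host":
            fields.append((rest[1], "0.0.0.0"))
            rest = rest[2:]
        else:
            fields.append((rest[0], rest[1]))
            rest = rest[2:]
    return action, fields[0], fields[1]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def acl_decision(acl, src, dst):
    """Return 'permit' or 'deny' for an IP packet from src to dst."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_entry(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"                            # implicit deny at the end of every ACL

# Constructed hosts (assumed): D1 on VLAN 5, C2 on VLAN 10, management PC on VLAN 20.
D1, C2, MGMT_PC = "192.168.5.10", "192.168.10.10", "192.168.20.50"

def lab_checks():
    """The Step 4 pings as R1 sees them inbound on Fa0/0.1 and Fa0/0.2."""
    return {
        "D1 -> management PC": acl_decision(ACL_101, D1, MGMT_PC),
        "D1 -> C2": acl_decision(ACL_101, D1, C2),
    }
```

Because the ACL is applied inbound on Fa0/0.1 and Fa0/0.2 only, packets the management PC sends toward other VLANs are not filtered, but the replies from D1 or C2 are dropped on their way back; that is consistent with the lab's requirement that only the switches and R1 need to be reachable from the management PC.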

Step 5. Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.

Keep in mind that if all components appear to be correct and the activity still shows incomplete, it could be due to the connectivity tests that verify the ACL operation.
