Layer 2 VLAN Security

作者:admin发表时间:2010-10-12 评论:0 点击 9,891+

Instructor Version

Topology Diagram

Objectives

Connect a new redundant link between SW-1 and SW-2.

Enable trunking and configure security on the new trunk link between SW-1 and SW-2.

Create a new management VLAN (VLAN 20) and attach a management PC to that VLAN.

Implement an ACL to prevent outside users from accessing the management VLAN.

Introduction

A company’s network is currently set up using two separate VLANs: VLAN 5 and VLAN 10.

In addition, all trunk ports are configured with native VLAN 15. A network administrator

wants to add a redundant link between switch SW-1 and SW-2. The link must have trunking

enabled and all security requirements should be in place.

In addition, the network administrator wants to connect a management PC to switch SW-A.

The administrator would like to allow the management PC to be able to connect to all

switches and the router, but does not want any other devices to be able to connect to

the management PC or the switches. The administrator would like to create a new VLAN 20

for management purposes.

All devices have been preconfigured with:

Enable secret password: ciscoenpa55

Console password: ciscoconpa55

VTY line password: ciscovtypa55

Task 1: Verify Connectivity

S tep 1. V er ify c o nne c tiv ity between C 2 (V L A N 10) a nd C 3 ( V L A N 10). S

tep 2. V er ify c o nne c tiv ity between C 2 (V L A N 10) a nd D1 ( V L A N 5).

Note: If using the simple PDU GUI packet, be sure to ping twice to allow for ARP.

Task 2: Create a Redundant Link Between SW-1 and SW-2

S tep 1. C o nnec t S W -1 a nd S W -2.

Using a crossover cable, connect port Fa0/23 on SW-1 to port Fa0/23 on SW-2.

S tep 2. E nable tru nk ing, in c lu din g all tru nk s ec u rity m ec h anis ms o n the

link between SW -1 a nd S W -2.

Trunking has already been configured on all pre-existing trunk interfaces. The new link

must be configured for trunking, including all trunk security mechanisms. On both SW-1

and SW-2, set the port to trunk, assign native VLAN 15 to the trunk port, and disable

auto-negotiation.

SW-1(config)# interface fa0/23

SW-1(config-if)# no shutdown

SW-1(config-if)# switchport mode trunk

SW-1(config-if)# switchport trunk native vlan 15

SW-1(config-if)# switchport nonegotiate

SW-2(config)# interface fa0/23

SW-2(config-if)# no shutdown

SW-2(config-if)# switchport mode trunk

SW-2(config-if)# switchport trunk native vlan 15

SW-2(config-if)# switchport nonegotiate

Task 3: Enable VLAN 20 as a Management VLAN

The network administrator would like to be able to access all switch and routing devices

using a management

PC. For security, the administrator wants to ensure that all managed devices are on a

separate VLAN.

S tep 1. E nable a man agement V L A N ( V L A N 20) o n S W -A .

Enable VLAN 20 on SW-A and use the default name of VLAN0020.

SW-A(config)# vlan 20

SW-A(config-vlan)# exit

Create an interface VLAN 20 and assign an IP address within the 192.168.20.0/24 network.

SW-A(config)# interface vlan 20

SW-A(config-if)# ip address 192.168.20.1 255.255.255.0

S tep 2. E na ble the s a m e ma n a ge ment V L A N o n a ll o ther s witc hes .

Be sure to create the VLAN on all switches: SW-B, SW-1, SW-2 and Central.

SW-B(config)# vlan 20

SW-B(config-vlan)# exit

SW-B(config)# interface vlan 20

SW-B(config-if)# ip address 192.168.20.2 255.255.255.0

SW-1(config)# vlan 20

SW-1(config-vlan)# exit

SW-1(config)# interface vlan 20

SW-1(config-if)# ip address 192.168.20.3 255.255.255.0

SW-2(config)# vlan 20

SW-2(config-vlan)# exit

SW-2(config)# interface vlan 20

SW-2(config-if)# ip address 192.168.20.4 255.255.255.0

Central(config)# vlan 20

Central(config-vlan)# exit

Central(config)# interface vlan 20

Central(config-if)# ip address 192.168.20.5 255.255.255.0

S tep 3. C o nfigu re the ma n a geme nt P C a nd c o nn ec t it to S W -A po rt F a

0/1.

Ensure that the management PC is assigned an IP address within the 192.168.20.0/24

network. Connect the management PC to SW-A port Fa0/1.

S tep 4. O n SW -A , ens u r e the ma n a gement P C is pa rt o f V L A N 20

Interface Fa0/1 must be part of VLAN 20.

SW-A(config)# interface fa0/1

SW-A(config-if)# switchport access vlan 20

SW-A(config-if)# no shutdown

S tep 5. V er ify c o nne c tiv ity o f the ma na gement P C to a ll s witc hes .

The management PC should be able to ping SW-A, SW-B, SW-1, SW-2 and Central.

Task 4: Enable the Management PC to Access Router R1

S tep 1. E na ble a new s u binterfa c e o n ro u ter R 1.

Create subinterface Fa0/0.3 and assign an IP address within the 192.168.20.0/24 network.

Be sure to set encapsulation to dot1q 20 to account for VLAN 20.

R1(config)# interface fa0/0.3

R1(config-subif)# encapsulation dot1q 20

R1(config-subif)# ip address 192.168.20.100 255.255.255.0

S tep 2. V er ify c o nne c tiv ity between the ma na g ement P C a n d R 1.

Be sure to configure the default gateway on the management PC to allow for connectivity.

S tep 3. E na ble s ec u rity .

While the management PC must be able to access the router, no other PC should be able to

access the management VLAN.

Create an ACL(s) that denies any network from accessing the 192.168.20.0/24 network, but

permits all other networks to access one another.

Example: (may vary from student configuration)

R1(config)# access-list 101 deny ip any 192.168.20.0 0.0.0.255

R1(config)# access-list 101 permit ip any any

Apply the ACL to the proper interface(s).

Example: (may vary from student configuration) R1(config)# int fa0/0.1

R1(config-subif)# ip access-group 101 in

R1(config-subif)# int fa0/0.2

R1(config-subif)# ip access-group 101 in

Note: There are multiple ways in which an ACL can be created to accomplish the necessary

security. For this reason, grading on this portion of the activity is based on the

correct connectivity requirements. The management PC must be able to connect to all

switches and the router. All other PCs should not be able to connect to any devices

within the management VLAN.

S tep 4. V erify S ec u rity .

From the management PC, ping SW-A, SW-B, and R1. Was the ping successful?

The ping should have been successful because all devices within the 192.168.20.0 network

should be able to ping one another. Devices within VLAN20 are not required to route

through the router.

From D1, ping the management PC. Was the ping successful?

The ping should have failed. This is because in order for a device within a different

VLAN to successfully ping a device within VLAN20, it must be routed. The router has an

ACL that prevents all packets from accessing the

192.168.20.0 network.

S tep 5. C hec k res u lts .

Your completion percentage should be 100%. Click Check Results to see feedback and

verification of which required components have been completed.

Keep in mind that if all components appear to be correct and the activity still shows

incomplete, it could be due to the connectivity tests that verify the ACL operation.

顶一下 0 踩一下 0

你可能对以下内容感兴趣!

  1. Configure a Network for S...
  2. Configure and Verify a Si...
  3. Layer 2 Security
  4. Configure IOS Intrusion P...
  5. Configuring Context-Based...
  6. Configure IP ACLs to Miti...
  7. Configure AAA Authenticat...
  8. Configure Cisco Routers f...

发表评论

*

w_0002.gif w_0009.gif w_0007.gif w_0011.gif w_0005.gif w_0008.gif w_0010.gif w_0003.gif w_0012.gif w_0001.gif w_0006.gif