wk05-1 Lab: VLANs and Secure Switch Configuration

Packet Tracer Lab: Switch Security Configuration

Topology

Addressing Table

Device   Interface / VLAN   IP Address       Subnet Mask
R1       G0/0/1             192.168.10.1     255.255.255.0
R1       Loopback 0         10.10.1.1        255.255.255.0
S1       VLAN 10            192.168.10.201   255.255.255.0
S2       VLAN 10            192.168.10.202   255.255.255.0
PC-A     NIC                DHCP             255.255.255.0
PC-B     NIC                DHCP             255.255.255.0

Objectives

Part 1: Configure the Network Devices.
• Cable the network.
• Configure R1.
• Configure and verify basic switch settings.

Part 2: Configure VLANs on Switches.
• Configure VLAN 10.
• Configure the SVI for VLAN 10.
• Configure VLAN 333 with the name Native on S1 and S2.
• Configure VLAN 999 with the name ParkingLot on S1 and S2.

Part 3: Configure Switch Security.
• Implement 802.1Q trunking.
• Configure access ports.
• Secure and disable unused switchports.
• Document and implement port security features.
• Implement DHCP snooping security.
• Implement PortFast and BPDU guard.
• Verify end-to-end connectivity.

Background

This is a comprehensive lab to review previously covered Layer 2 security features.

Note: The routers used with CCNA hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.3 (universalk9 image). The switches used in the labs are Cisco Catalyst 2960s with Cisco IOS Release 15.0(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.

Note: Make sure that the switches have been erased and have no startup configurations.

Required Resources
• 1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.3 universal image or comparable)
• 2 Switches (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
• 2 PCs (Windows with a terminal emulation program, such as Tera Term)
• Console cables to configure the Cisco IOS devices via the console ports
• Ethernet cables as shown in the topology

Part 1: Configure the Network Devices.

Step 1: Cable the network.
1. Cable the network as shown in the topology.
2. Initialize the devices.

Step 2: Configure R1.
1. Load the following configuration script on R1.

    enable
    configure terminal
    hostname R1
    no ip domain lookup
    ip dhcp excluded-address 192.168.10.1 192.168.10.9
    ip dhcp excluded-address 192.168.10.201 192.168.10.202
    !
    ip dhcp pool Students
     network 192.168.10.0 255.255.255.0
     default-router 192.168.10.1
     domain-name secure.com
    !
    interface Loopback0
     ip address 10.10.1.1 255.255.255.0
    !
    interface GigabitEthernet0/0/1
     description Link to S1 Port 5
     ip dhcp relay information trusted
     ip address 192.168.10.1 255.255.255.0
     no shutdown
    !
    line con 0
     logging synchronous
     exec-timeout 0 0

2. Verify the running-configuration on R1 using the following command:

    R1# show ip interface brief
    Interface              IP-Address      OK? Method Status   Protocol
    GigabitEthernet0/0/0   unassigned      YES unset  down     down
    GigabitEthernet0/0/1   192.168.10.1    YES manual up       up
    Loopback0              10.10.1.1       YES manual up       up

3. Verify that IP addressing is correct and that the interfaces are in an up / up state (troubleshoot as necessary).

Step 3: Configure and verify basic switch settings.
1. Configure the hostname for switches S1 and S2.

    Switch# config t
    Switch(config)# hostname S1

    Switch# config t
    Switch(config)# hostname S2

2. Prevent unwanted DNS lookups on both switches.

    S1(config)# no ip domain-lookup
    S2(config)# no ip domain-lookup

3. Configure interface descriptions for the ports that are in use on S1 and S2.

    S1(config)# interface f0/1
    S1(config-if)# description Link to S2
    S1(config-if)# interface f0/5
    S1(config-if)# description Link to R1
    S1(config-if)# interface f0/6
    S1(config-if)# description Link to PC-A

    S2(config)# interface f0/1
    S2(config-if)# description Link to S1
    S2(config-if)# interface f0/18
    S2(config-if)# description Link to PC-B

4. Set the default gateway for the Management VLAN to 192.168.10.1 on both switches.

    S1(config)# ip default-gateway 192.168.10.1
    S2(config)# ip default-gateway 192.168.10.1

Part 2: Configure VLANs on Switches.

Step 1: Configure VLAN 10.
1. Add VLAN 10 to S1 and S2 and name the VLAN Management.

    S1(config)# vlan 10
    S1(config-vlan)# name Management

    S2(config)# vlan 10
    S2(config-vlan)# name Management

Step 2: Configure the SVI for VLAN 10.
2. Configure the IP address according to the Addressing Table for the SVI for VLAN 10 on S1 and S2. Enable the SVI interfaces and provide a description for each interface.

    S1(config)# interface vlan 10
    S1(config-if)# ip address 192.168.10.201 255.255.255.0
    S1(config-if)# description Management SVI
    S1(config-if)# no shutdown

    S2(config)# interface vlan 10
    S2(config-if)# ip address 192.168.10.202 255.255.255.0
    S2(config-if)# description Management SVI
    S2(config-if)# no shutdown

Step 3: Configure VLAN 333 with the name Native on S1 and S2.

    S1(config)# vlan 333
    S1(config-vlan)# name Native

    S2(config)# vlan 333
    S2(config-vlan)# name Native

Step 4: Configure VLAN 999 with the name ParkingLot on S1 and S2.

    S1(config-vlan)# vlan 999
    S1(config-vlan)# name ParkingLot

    S2(config-vlan)# vlan 999
    S2(config-vlan)# name ParkingLot

Part 3: Configure Switch Security.

Step 1: Implement 802.1Q trunking.
1. On both switches, configure trunking on F0/1 to use VLAN 333 as the native VLAN.

    S1(config)# interface f0/1
    S1(config-if)# switchport mode trunk
    S1(config-if)# switchport trunk native vlan 333

    S2(config)# interface f0/1
    S2(config-if)# switchport mode trunk
    S2(config-if)# switchport trunk native vlan 333

2. Verify that trunking is configured on both switches.

    S1# show interface trunk
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       on           802.1q         trunking      333

    Port        Vlans allowed on trunk
    Fa0/1       1-4094

    Port        Vlans allowed and active in management domain
    Fa0/1       1,10,333,999

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,10,333,999

    S2# show interface trunk
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       on           802.1q         trunking      333

    Port        Vlans allowed on trunk
    Fa0/1       1-4094

    Port        Vlans allowed and active in management domain
    Fa0/1       1,10,333,999

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,10,333,999

3. Disable DTP negotiation on F0/1 on S1 and S2.

    S1(config)# interface f0/1
    S1(config-if)# switchport nonegotiate

    S2(config)# interface f0/1
    S2(config-if)# switchport nonegotiate

4. Verify with the show interfaces command.

    S1# show interfaces f0/1 switchport | include Negotiation
    Negotiation of Trunking: Off

    S2# show interfaces f0/1 switchport | include Negotiation
    Negotiation of Trunking: Off

Step 2: Configure access ports.
1. On S1, configure F0/5 and F0/6 as access ports that are associated with VLAN 10.

    S1(config)# interface range f0/5 - 6
    S1(config-if-range)# switchport mode access
    S1(config-if-range)# switchport access vlan 10

2. On S2, configure F0/18 as an access port that is associated with VLAN 10.

    S2(config)# interface f0/18
    S2(config-if)# switchport mode access
    S2(config-if)# switchport access vlan 10

Step 3: Secure and disable unused switchports.
1. On S1 and S2, move the unused ports from VLAN 1 to VLAN 999 and disable the unused ports.

    S1(config)# interface range f0/2-4, f0/7-24, g0/1-2
    S1(config-if-range)# switchport mode access
    S1(config-if-range)# switchport access vlan 999
    S1(config-if-range)# shutdown

    S2(config)# interface range f0/2-17, f0/19-24, g0/1-2
    S2(config-if-range)# switchport mode access
    S2(config-if-range)# switchport access vlan 999
    S2(config-if-range)# shutdown
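The port hardening from Part 3 Steps 1 to 3 (trunk on native VLAN 333 with DTP disabled, in-use access ports in VLAN 10, unused ports parked in VLAN 999 and shut down) can be checked offline against a saved running-config. The audit below is an added example, not part of the lab; the config fragment is constructed from the S1 commands above, with FastEthernet0/7 deliberately left in VLAN 1 so there is something to flag.

```python
# Constructed sample modelled on the S1 commands in this lab; FastEthernet0/7 is
# deliberately left in VLAN 1 (not parked, not shut down) so the audit flags it.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk native vlan 333
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/7
 switchport mode access
!
"""

def parse_interfaces(config):
    """Return {interface: [stripped sub-commands]} for each 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return blocks

def audit(config, native_vlan=333, parking_vlan=999, used_vlans=(10,)):
    """Flag ports that do not match the lab's Layer 2 hardening policy."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            # IOS default native VLAN is 1 when no 'switchport trunk native vlan' is set
            native = next((int(l.split()[-1]) for l in lines if "trunk native vlan" in l), 1)
            if native != native_vlan:
                findings.append(f"{name}: trunk native VLAN is {native}, expected {native_vlan}")
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: DTP negotiation still enabled on trunk")
        elif mode == "access":
            # IOS default access VLAN is 1 when no 'switchport access vlan' is set
            vlan = next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan")), 1)
            if vlan == parking_vlan and "shutdown" not in lines:
                findings.append(f"{name}: parked in VLAN {parking_vlan} but not shut down")
            elif vlan not in used_vlans and vlan != parking_vlan:
                findings.append(f"{name}: access port left in VLAN {vlan}")
        else:
            findings.append(f"{name}: no explicit switchport mode (DTP may negotiate a trunk)")
    return findings
```

Feed it the output of `show running-config` saved to a file to re-check a switch after the lab; an empty list means every port matches the policy.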