Lab 3.1.4 Applying Basic Switch Security
Step 1: Connect PC1 to the switch
Step 2: Connect PC2 to the switch
Step 3: Configure PC3 but do not connect
Step 4: Perform an initial configuration on the switch
a. Configure the hostname of the switch as Switch1
b. Set the privileged EXEC mode password to cisco.
c. Set the privileged EXEC mode secret password to class.
d. Configure the console and virtual terminal lines to use a password and require it at login.
e. Exit from the console session and log in again.
Which password was required to enter privileged EXEC mode? The secret password.
Why? When both enable and secret passwords are configured, the IOS defaults to the secret password
Step 5: Configure the switch management interface on VLAN 1
a. Enter the interface configuration mode for VLAN 1.
b. Set the IP address, subnet mask, and default gateway for the management interface.
Why does interface VLAN 1 require an IP address in this LAN? To access the switch for management purposes through virtual terminals, like Telnet.
What is the purpose of the default gateway? It handles access to other networks.
Step 6: Verify the management LANs settings
a. Verify that the IP address of the management interface on the switch VLAN 1 and the IP address of PC1 and PC2 are on the same local network. Use the show running-config command to check the IP address configuration of the switch.
b. Verify the interface settings on VLAN 1.
What is the bandwidth on this interface? The 2950 is 1000000 Kbit.
What are the VLAN states?
VLAN 1 is up and line protocol is up.
Step 7: Disable the switch from being an http server
Step 8: Verify connectivity
a. To verify that hosts and switch are correctly configured, ping the switch IP address from the hosts. Were the pings successful? Should be yes
If the ping is not successful, verify the connections and configurations again. Check to ensure that all cables are correct and that connections are seated. Check the host and switch configurations.
b. Save the configuration.
Step 9: Record the host MAC addresses
Determine and record the Layer 2 addresses of the PC network interface cards. From the command prompt of each PC, enter ipconfig /all.
PC1
PC2
PC3
Step 10: Determine what MAC addresses the switch has learned
Determine what MAC addresses the switch has learned by using the show mac-address-table command at the privileged EXEC mode prompt.
How many dynamic addresses are there?2
How many total MAC addresses are there?6
Do the MAC addresses match the host MAC addresses?ya
Step 11: View the show mac-address-table options
View the options that the show mac-address-table command has available.
Switch1(config)#show mac-address-table ?
What options are available? Static, notification. Aging-time
Step 12: Set up a static MAC address
Step 13: Verify the results
a. Verify the MAC address table entries.
Switch1#show mac-address-table
How many dynamic MAC addresses are there now? 1
How many static MAC addresses are there now? 5
b. Remove the static entry from the MAC Address Table.
Step 14: List port security options
a. Determine the options for setting port security on interface FastEthernet 0/4.
What are some available options? Aging, mac-address, maximum, violation
b. To allow the switch port FastEthernet 0/4 to accept only one device, configure port security.
c. Exit configuration mode and check the port security settings.
If a host other than PC2 attempts to connect to Fa0/4, what will happen? The connection will be shut down.
Step 15: Limit the number of hosts per port
a. On interface FastEthernet 0/4, set the port security maximum MAC count to 1.
b. Disconnect the PC attached to FastEthernet 0/4. Connect PC3 to FastEthernet 0/4. PC3 has been given the IP address of 192.168.1.5 and has not yet been attached to the switch. It may be necessary to ping the switch address 192.168.1.2 to generate some traffic. Record any observations. sukses
Step 16: Configure the port to shut down if there is a security violation
a. In the event of a security violation, the interface should be shut down. To make the port security shut down, enter the following command: Switch1(config-if)#switchport port-security violation shutdown
What other action options are available with port security? protect, restrict
b. If necessary, ping the switch address 192.168.1.2 from the PC3 192.168.1.5. This PC is now connected to interface FastEthernet 0/4. This ensures that there is traffic from the PC to the switch.
c. Record any observations. sukses
d. Check the port security settings
Step 17: Show port 0/4 configuration information
FastEthernet0/4 is up and line protocol is up
Step 18: Reactivate the port
Step 19: Disable unused ports
Step 20: Reflection
a. Why would port security be enabled on a switch? Security reasons. Port security would allow only one host to use the port so no one could utilize the
network without authorization.
b. Why should unused ports on a switch be disabled? that no one would be able to walk by a switch and plug in and
use the network because the unused ports will have to be administratively turned on to be utilized
Lab 3.2.3 Building a Switched Network with Redundant Links
Step 1: Cable the network
a. Connect Host 1 to Switch 1 Fast Ethernet port Fa0/7, using a straight-through Ethernet cable.
b. Connect Host 2 to Switch 2 Fast Ethernet port Fa0/8, using a straight-through Ethernet cable.
c. Connect Switch 1 Fast Ethernet port Fa0/1 to Switch 2 Fast Ethernet port Fa0/1, using a crossover Ethernet cable.
d. Create a redundant link between the switches by connecting Switch 1 Fast Ethernet port Fa0/4 to Switch 2 Fast Ethernet port Fa0/4, using a crossover Ethernet cable. What typically undesirable traffic pattern have you created by using the two crossover cables between the two switches? A loop.
Predict: What do you think the switches will do to keep this from becoming a problem? include blocking one of the ports to “break” the loop without physically
eliminating it.
Step 2: Configure the switches
Step 3: Configure the hosts
a. Configure each host to use an IP address in the same network as the switches.
b. Configure each host to use the same subnet mask as the switches. Why is no default gateway specified for this network? No router is present.
Step 4: Verify connectivity
a. To verify that the network is set up successfully, ping from Host 1 to Host 2. Was the ping successful? ya
b. If the ping is not successful, verify the connections and configurations again. Check to ensure that all cables are correct and that connections are seated. If the ping is not successful, what utility could you use to determine where the connection is failing? Traceroute
Step 5: Examine interface VLAN 1 information
a. From the terminal emulation session on either switch, enter the command show interface vlan1 ? at the privileged EXEC mode prompt.
SwitchA#show interface vlan1 ?
List some of the options that are available
b. On SwitchA, enter the command show interface vlan1 at the privileged EXEC mode prompt. SwitchA#show interface vlan1
What is the MAC address of the switch?
What other term for MAC address is used? bia
c. On SwitchB, enter the command show interface vlan1 at the privileged EXEC mode prompt. What is the MAC address of the switch?
Which switch should be the root of the spanning tree for this network? but the switch with the lowest MAC address should be the root.
Step 6: Examine the spanning-tree tables on each switch
a. On SwitchA, enter the command show spanning-tree at the privileged EXEC mode prompt.
b. On SwitchB, enter the command show spanning-tree at the privileged EXEC mode prompt.
c. Examine the outputs and answer the following questions:
Which switch is the root bridge? the switch with the lowest MAC address should be the root
What is the priority of the root bridge? The factory default priority value, usually 32768.
What is the bridge ID of the root bridge? The factory default priority value, followed by the MAC address of the root bridge
Which ports are forwarding on the root bridge? All ports.
Which ports are blocking on the root bridge? None.
What is the priority of the non-root bridge? It is the same as the root bridge
What is the bridge ID of the non-root bridge? The factory default priority value, followed by the MAC address of the root bridge.
Which ports are forwarding on the non-root bridge? All except for one.
Which ports are blocking on the non-root bridge? there should be one blocking port.
d. Examine the link lights on both switches.
Can you tell which port is in blocking state? No; on 2950 and 2960 switches, the link lights remain green
Why is there no change in the link lights? Because the port is not physically down.
Step 7: Reassign the root bridge
What would you do if you wanted a different switch to be the root bridge for this network? Change the bridge priority to make it lower than the priority value of the other switch.
Why might you want to do this? If a slower or less-desirable switch is the root bridge, you would do this to make sure it does not become
the root bridge.
For the purposes of this lab, assume that the switch that is currently the root bridge is undesirable. The example assumes that SwitchB is preferred as the root switch. To “force” SwitchB to become the new root bridge, you need to configure a new priority for it.
a. Go to the console and enter configuration mode on SwitchB.
b. Determine the options that can be configured for the Spanning Tree Protocol by issuing this command: SwitchB(config)#spanning-tree ?
c. List the options that are available: could include mode, pathcost, portfast
d. Set the priority of the switch to 4096.
SwitchB(config)#spanning-tree vlan 1 priority 4096
SwitchB(config)#exit
Step 8: Look at the spanning-tree table
a. On SwitchA, enter show spanning-tree at the privileged EXEC mode prompt.
b. On SwitchB, enter show spanning-tree at the privileged EXEC mode prompt.
c. Examine the outputs and answer the following questions:
Which switch is the root bridge? the switch with the lowest MAC address should be the root.
What is the priority of the root bridge? 4096.
What is the bridge ID of the root bridge? 4096, followed by the MAC address of the root bridge.
Which ports are forwarding on the root bridge? All ports.
Which ports are blocking on the root bridge? None.
What is the priority of the non-root bridge? The factory default priority value.
What is the bridge ID of the non-root bridge? The default priority value, followed by the MAC address of the root bridge.
Which ports are forwarding on the non-root bridge? All but one port.
Which ports are blocking on the non-root bridge? one port should be blocking
Step 9: Verify the running configuration file on the root bridge
a. On the switch that was changed to be the root bridge, enter the show running-config command at the privileged EXEC mode prompt.
b. Locate the spanning-tree priority information for this switch.
c. How can you tell from the information given that this switch is the root bridge? The priority value is lower than the default value.
Step 10: Reflection
Suppose that you are adding new switches to a company’s network. Why should you plan the physical design carefully? Why should you be prepared to make adjustments to factory default settings? providing redundancy while avoiding loops, and creating priorities
that support the spanning tree.
Lab 3.2.4 Verifying STP with Show Commands
Step 1: Cable the network
What is the advantage of providing redundant links in a network like this one? a backup line in case of a link failure, and attempting
to achieve 99.999% uptime.
Step 2: Configure the switches
Step 3: Configure the hosts
Step 4: Verify connectivity
To verify that the network is set up successfully, ping from Host 1 to Host 2.
Was the ping successful? ya
Step 5: Examine interface VLAN 1 information
a. On SwitchA, enter the command show interface vlan1 at the privileged EXEC mode prompt. What is the MAC address of SwitchA?
b. On SwitchB, enter the command show interface vlan1 at the privileged EXEC mode prompt. What is the MAC address of SwitchB?
Which switch should be the root of the spanning tree for this network? the lowest MAC address should be the root.
Step 6: Determine the roles of ports participating in the spanning tree on each switch
On SwitchB, enter the command show spanning-tree at the privileged EXEC mode prompt. Which switch is the root bridge? the lowest MAC address should be the root.
The spanning tree is using three ports on each switch. Complete this chart indicating the port state and role for each port.
Step 7: Create a change in the network topology
a. Remove the crossover cable from the forwarding port on the non-root bridge.
b. Wait a few seconds, and then enter the show spanning-tree command again on the non-root bridge. What changes do you see in the spanning tree? One port is missing, and one port is now in listening state
c. Check the spanning tree on the root bridge.
What changes have occurred there? Similar changes have occurred. The tree shows two participating ports.
d. Continue to check the spanning tree on both switches until a new tree has been calculated and all ports are either forwarding or blocking. How long does it take for this to happen? About 2 minutes.
e. Replace the cable that was removed in Step 7a.
f. Wait again until both switches have recalculated their tables. How much time has passed since you first removed the crossover cable? About 5 minutes.
What effect did these topology changes have on network uptime? During the recalculations, data was delayed and could have been lost.
Step 8: Examine the spanning tree on each switch
a. On each switch, enter the command show spanning-tree detail.
b. Examine the information for port Fa0/1. The output shows the interface, role, and state for each switch. It also provides details about port activity and characteristics.
How might the following information help you to verify the status of the network and troubleshoot network problems?
1) Number of transitions to forwarding state:
Large numbers of transitions could indicate connectivity problems with that port or with another port participating in the spanning tree.
1) Number of BPDUs that have been sent and received: BPDUs should be sent and received at regular intervals for the network to function properly. If a part of the network is experiencing connectivity problems, BPDUs may be lost.
c. On each switch, enter the following commands. Determine the type of information that each command provides:
show spanning-tree bridge
jawab:
Displays a brief summary of the most important information about that particular switch, such as BID and hello timer
show spanning-tree summary
jawab:
Displays proprietary features such as portfast that are enabled and disabled, and indicates the
number of ports in each spanning-tree state.
Step 9: Reflection
Your networking team is deciding whether to disable Spanning Tree Protocol on the switches in your corporate network. Explain how you would feel about this decision. What are the advantages and disadvantages? How would this decision affect your network design? loop avoidance as an advantage, and downtime as a disadvantage. If
STP is disabled, it will be more difficult to provide redundant links. Most students will decide that the
advantages outweigh the drawbacks and that STP provides more options in designing the network.
Lab 3.3.2 Configuring, Verifying, and Troubleshooting VLANs
Step 1: Connect the equipment
Step 2: Perform basic configuration on the router
Step 3: Configure Switch 1
Step 4: Verify connectivity and default VLAN configuration
Are all switch ports assigned to VLAN 1? ya
Step 5: Configure VLANs on S1
Do the new VLANs appear in the output? ya
What interfaces belong to the new VLANs? none
Which interfaces now belong to VLAN 1? Fa0/1, 9-24
Which interfaces belong to VLAN 20? Fa0/2
Which interfaces belong to VLAN 30? Fa0/3 - Fa0/8
Other commands can be used to show different amounts of information or specific pieces of information. Enter the following commands on S1 and observe the output: S1#show vlan brief
Is all of the basic VLAN membership information shown?ya
S1#show vlan id 30
What information is shown? only VLAN 30
S1#show vlan name fred
What information is shown? only VLAN 20
Step 6: Verify VLAN segmentation
a. Ping from Host 1b to R1. Were the pings successful? ya
b. Ping from Host 1b to Host 1a.
Were the pings successful? tidak
c. Ping from Host 1b to R1.
Were the pings successful? tidak
Why were some pings successful and others not? Because the devices are in different VLANs.
How could Host 1b communicate with Host 1a in different VLAN? Implement routing.
Step 7: Change and delete VLAN configurations
a. Reassign S1 port Fa0/3 to VLAN 20.
Does the output reflect the VLAN membership change? ya
b. Remove VLAN 30.
Which two commands would be used to delete all VLAN configuration and return to the default configuration? erase startup-config and delete flash:vlan.dat
Step 8: Reflection
a. Why would VLANs be configured in a network? Answers will vary. To group departments together, job functions, regardless of physical location. VLANs are essentially a broadcast domain.
b. What must be set up to communicate between VLANS? Routing.
c. With no configuration, what VLAN are all ports a member of? VLAN 1, the default VLAN
Lab 3.4.1 Creating VLANs and Assigning Ports
Step 1: Connect the equipment
Step 2: Perform basic PC configuration
Step 3: Configure Switch 1
Are all other switch ports in VLAN 1? ya
Which switch ports are in VLAN 10? Fa0/5 and Fa0/6
Which switch ports are in VLAN 20? Fa0/7 and Fa0/8
Issue the command show vlan.
What difference is noticed between the two commands show vlan brief and show vlan? The most noticed difference is the additional information showing VLAN types: Ethernet, fiber, etc.
Step 4: Verify connectivity
a. Ping from each PC to Switch1 address of 172.16.1.2. Are PC1 pings successful? ya
Are PC2 pings successful? no
Are PC3 pings successful? no
b. Ping from PC1 to PC2 and PC3.
Can PC1 ping PC2? no
Can PC1 ping PC3? no
Step 5: Reflection
a. Why can PC1 ping Switch1 when PC2 and PC3 cannot? PC1 and the switch management interface are in the same VLAN. PC2 and PC3 are not on the same VLAN as the switch
a. The PCs cannot ping each other. Why? They are in different VLANs. A router is needed to direct traffic between different VLANs. In addition, they have different subnets assigned and therefore will be trying to route packets to the other PCs via the default gateway and not sending them directly.
Lab 3.4.2 Configuring a Trunk Port
Step 1: Connect the equipment
Step 2: Perform basic configuration of Switch 1 and Switch 2
Step 3: Configure host PCs
Step 4: Verify default VLAN configuration and connectivity
Is every switch port assigned to a VLAN? ya
Which VLAN do the ports appear in? VLAN 1
Should any host or switch be able to ping any other host or switch at this time? ya
Verify this by pinging from Host 1a to all the other hosts and switches.
Are all the pings successful? ya
Step 5: Create and verify VLAN configuration
Test connectivity between devices.
1) Ping from S1 to S2.
Are the pings successful? ya
To what VLAN do the management interfaces of S1 and S2 belong? VLAN1
2) Ping from Host 1a to Host 2.
Are the pings successful? NO
To what VLAN do Hosts 1a and 2 belong? VLAN 2, but on separate switches
To what VLAN do the Fa0/1 interfaces of the switches belong? VLAN1
If Hosts 1a and 2 belong to the same VLAN, why can’t they ping each other? There is no VLAN 2 connection between the switches.
3) Ping from host 1a to S1.
Are the pings successful? no
Why can’t Host 1a ping S1? They are in different VLANs and no routing is set up.
Step 6: Configure and verify trunking
Do the trunk interfaces appear in the output? ya
What VLAN is set as the native VLAN? VLAN1
What VLANs are allowed to communicate over the trunk? 1 to 4094
View the VLAN configuration on both switches with the show vlan command. S1#show vlan
S2#show vlan
Do the S1 and S2 Fa0/1 interfaces appear in a VLAN? Why or why not? They are not in a VLAN because they are trunking and carry traffic for all VLANS.
Retest the connectivity between devices.
1) Ping from S1 to S2.
Are the pings successful? ya
2) Ping from Host 1a to Host 2.
Are the pings successful? ya
3) Ping from Host 1b to Host 2.
Are the pings successful? tidak
4) Ping from Host 1a to S1.
Are the pings successful? tidak
The ping test should show that devices that belong to the same VLAN can now communicate with each other across switches, but devices in different VLANs cannot communicate with each other.
What would have to be configured to allow devices in different VLANs to communicate with each other? Tidak ada
Step 7: Observe the default trunking behavior of switches
Are Fa0/1 on S1 and S2 in trunking mode? ya
What trunking mode did they default to? desirable
What trunking encapsulation did they default to? 802.1q
Step 8: Reflection
a. Why would trunking be configured in a network? VLANs to communicate over a single link. This will reduce the number of interconnections between switches.
b. Does trunking allow for communication between VLANS? No, routing is still required to communicate between VLANs
c. With no configuration, from which VLAN are frames forwarded across the trunk without VLAN tagging added? VLAN 1, the default VLAN.
Lab 3.4.3 Part A: Configuring Inter-VLAN Routing
Step 1: Connect the equipment
Step 2: Perform basic configurations on the router
Step 3: Configure Fast Ethernet connections for each VLAN on the router
Step 4: Configure Switch 1
Step 5: Configure Switch 2
Step 6: Configure Switch 3
Step 7: Configure Host 1
Step 8: Configure Host 2
Step 9: Configure Host 3
Step 10: Configure the server
Step 11: Verify connectivity
The router should be able to ping the interfaces of the other devices.
a. From the router, issue a ping to Host 1.
Is the ping successful? ya
b. From the router, issue a ping to Host 2.
Is the ping successful? ya
c. From the router, issue a ping to Host 3.
Is the ping successful? ya
d. From the router, issue a ping to the server.
Is the ping successful? ya
Host 1 should be able to ping all other devices.
a. From Host 1, ping Host 2.
Is the ping successful? ya
b. From Host 1, ping the server.
Is the ping successful? ya
Why can Host 1 ping the server? Communication occurs because the router is allowing inter-VLAN routing to take place between the 2
different VLANs.
c. From the server, ping Host 1.
Is the ping successful? ya
d. From Switch 3, issue the command show spanning-tree.
Which ports are being used on Switch 3? Ports Fa0/1, Fa0/2, Fa0/5, Fa0/9
What is the role of each of these ports? Designated Ports
Which switch is acting as the root? Swich3
What is the protocol that allows VLANs to communicate without switching loops? Spanning Tree Protocol
Step 12: Reflection
a. Why does this topology not scale well? Since there are only two Ethernet ports on this router, there can only be 2 VLANs because you need a port for each VLAN unless you use trunking so therefore, no further VLANs could be added.
b. Why would a VLAN benefit from trunking? If a router does not have enough ports, it is beneficial to trunk many VLANs over one port.
a. Which device provides connectivity between different VLANs? Router
Lab 3.4.3 Part B: Configuring Inter-VLAN Routing
Step 1: Connect the equipment
Step 2: Perform basic configurations on the router
Step 3: Configure VLAN trunking on the router
Step 4: .Configure Switch 1
Are all other switch ports in VLAN 1? ya
Which switch ports are in VLAN 10? Fa0/5 and Fa0/6
Which switch ports are in VLAN 20? Fa0/7 and Fa0/8
Issue the command show vlan.
What difference is noticed between the two commands show vlan brief and show vlan? The most noticed difference is the additional information showing VLAN types, Ethernet, fiber, etc
Step 5: Configure VLAN trunking on Switch 1
Which interfaces on Switch 1 are in trunk mode? Fa0/1 and Fa0/2
Which VLANs are allowed and active in the management domain? 1, 10, 20
Step 6: Configure VTP on Switch 1
Step 7: Configure Switch 2
Step 8: Configure VLAN trunking on Switch 2
Step 9: Configure VTP on Switch 2
Switch2(config)#vtp mode client
From Switch 2, verify that all VLANs have been propagated across the domain by issuing the command show vtp status.
What is the VTP version used on Switch 2? 2
What is the maximum VLANs supported locally? 64
What VTP operating mode is used on Switch 2? client
What is the VTP domain name? grup1
How did Switch 2 learn the domain name and VLAN information? When VTP was configured, Switch 1 sent Switch 2 the information through VTP advertisements
Step 10: Verify connectivity
The router and switches should be able to ping the interfaces of the other devices.
a. From each device, issue a ping to all interfaces.
Are the router pings successful?ya
b. From Switch 1, ping to all other devices.
Are Switch 1 pings successful? ya
From Switch 2, ping to all other devices.
Are Switch 2 pings successful? _ya_________ If the ping is not successful, verify the connections and configurations again. Check to ensure that all cables are correct and that connections are seated. Check the router and switch configurations.
Step 11: Reflection
a. Why would VLANs be configured in a network? To group departments together, job functions, regardless of physical location. VLANs are essentially a broadcast domain.
b. Why would a VLAN benefit from trunking? If a router does not have enough ports, it is beneficial to trunk many VLANs over one port.
c. Why should VTP be used? VTP makes VLAN configuration easier. If there are 10 switches that are all a part of VLAN 3 on all 10, VTP sends advertisements for the other switches to learn dynamically.
d. Which device provides connectivity between different VLANs? router
e. What are some benefits of VLANs? Workstations are easily movable on the LAN or to a LAN, easily change LAN configurations, easily control network traffic, and help improve security on the network
thanks heaps! this has been very helpful to me :) keep up the great work
BalasHapussalam.
BalasHapusmohon copy jawapan ya.