[CCNA Security v2] 6.3.1.3 Packet Tracer - Layer 2 VLAN Security



Packet Tracer - Layer 2 VLAN Security
Objectives

·         Connect a new redundant link between SW-1 and SW-2.
·         Enable trunking and configure security on the new trunk link between SW-1 and SW-2.
·         Create a new management VLAN (VLAN 20) and attach a management PC to that VLAN.
·         Implement an ACL to prevent outside users from accessing the management VLAN.
Background / Scenario

A company’s network is currently set up using two separate VLANs: VLAN 5 and VLAN 10. In addition, all trunk ports are configured with native VLAN 15. A network administrator wants to add a redundant link between switch SW-1 and SW-2. The link must have trunking enabled and all security requirements should be in place.

In addition, the network administrator wants to connect a management PC to switch SW-A. The administrator would like to enable the management PC to connect to all switches and the router, but does not want any other devices to connect to the management PC or the switches. The administrator would like to create a new VLAN 20 for management purposes.

All devices have been preconfigured with:

o    Enable secret password: ciscoenpa55
o    Console password: ciscoconpa55
o    SSH username and password: SSHadmin / ciscosshpa55
Part 1: Verify Connectivity
Step 1: Verify connectivity between C2 (VLAN 10) and C3 (VLAN 10).

Step 2: Verify connectivity between C2 (VLAN 10) and D1 (VLAN 5).

Note: If using the simple PDU GUI packet, be sure to ping twice to allow for ARP.

Part 2: Create a Redundant Link Between SW-1 and SW-2
Step 1: Connect SW-1 and SW-2.

Using a crossover cable, connect port F0/23 on SW-1 to port F0/23 on SW-2.

Step 2: Enable trunking, including all trunk security mechanisms on the link between SW-1 and SW-2.

Trunking has already been configured on all pre-existing trunk interfaces. The new link must be configured for trunking, including all trunk security mechanisms. On both SW-1 and SW-2, set the port to trunk, assign native VLAN 15 to the trunk port, and disable auto-negotiation.

Part 3: Enable VLAN 20 as a Management VLAN
The network administrator wants to access all switch and routing devices using a management PC. For security purposes, the administrator wants to ensure that all managed devices are on a separate VLAN.

Step 1: Enable a management VLAN (VLAN 20) on SW-A.

a.     Enable VLAN 20 on SW-A.

b.     Create an interface VLAN 20 and assign an IP address within the 192.168.20.0/24 network.

Step 2: Enable the same management VLAN on all other switches.

a.     Create the management VLAN on all switches: SW-B, SW-1, SW-2, and Central.

b.     Create an interface VLAN 20 on all switches and assign an IP address within the 192.168.20.0/24 network.

Step 3: Connect and configure the management PC.

Connect the management PC to SW-A port F0/1 and ensure that it is assigned an available IP address within the 192.168.20.0/24 network.

Step 4: On SW-A, ensure the management PC is part of VLAN 20.

Interface F0/1 must be part of VLAN 20.

Step 5: Verify connectivity of the management PC to all switches.

The management PC should be able to ping SW-A, SW-B, SW-1, SW-2, and Central.

Part 4: Enable the Management PC to Access Router R1
Step 1: Enable a new subinterface on router R1.

a.     Create subinterface g0/0.3 and set encapsulation to dot1q 20 to account for VLAN 20.

b.     Assign an IP address within the 192.168.20.0/24 network.

Step 2: Verify connectivity between the management PC and R1.

Be sure to configure the default gateway on the management PC to allow for connectivity.

Step 3: Enable security.

While the management PC must be able to access the router, no other PC should be able to access the management VLAN.

a.     Create an ACL that allows only the Management PC to access the router.

b.     Apply the ACL to the proper interface(s).

Note: There are multiple ways in which an ACL can be created to accomplish the necessary security. For this reason, grading on this portion of the activity is based on the correct connectivity requirements. The management PC must be able to connect to all switches and the router. All other PCs should not be able to connect to any devices within the management VLAN.

Step 4: Verify security.

a.     Verify only the Management PC can access the router. Use SSH to access R1 with username SSHadmin and password ciscosshpa55.

PC> ssh -l SSHadmin 192.168.20.100
b.     From the management PC, ping SW-A, SW-B, and R1. Were the pings successful? Explain.

c.     From D1, ping the management PC. Were the pings successful? Explain.

Step 5: Check results.

Your completion percentage should be 100%. Click Check Results to view feedback and verification of which required components have been completed.

If all components appear to be correct and the activity still shows incomplete, it could be due to the connectivity tests that verify the ACL operation.


Configuration SW-1:

enable
ciscoenpa55
configure terminal
interface f0/23
 switchport mode trunk
 switchport trunk native vlan 15
 switchport nonegotiate
 exit
!
vlan 20
name Management
exit
!
interface vlan 20
 ip address 192.168.20.3 255.255.255.0
 exit
!

Configuration SW-2:

enable
ciscoenpa55
configure terminal
interface f0/23
 switchport mode trunk
 switchport trunk native vlan 15
 switchport nonegotiate
 exit
!
vlan 20
name Management
exit
!
interface vlan 20
 ip address 192.168.20.4 255.255.255.0
 exit
!

Configuration Central: 

enable
ciscoenpa55
configure terminal
!
vlan 20
name Management
exit
!
interface vlan 20
 ip address 192.168.20.2 255.255.255.0
 exit
!

 Configuration SW-A:

enable
ciscoenpa55
configure terminal
!
vlan 20
name Management
exit
!
interface vlan 20
 ip address 192.168.20.5 255.255.255.0
 exit
!
interface f0/1
 no shutdown
 switchport mode access
 switchport access vlan 20
 exit
!


Configuration  SW-B:

enable
ciscoenpa55
configure terminal
!
vlan 20
name Management
exit
!
interface vlan 20
 ip address 192.168.20.6 255.255.255.0
 exit
!

Configuration  R1

ciscoconpa55
enable
ciscoenpa55
configure terminal
interface g0/0.3
 encapsulation dot1q 20
 ip address 192.168.20.1 255.255.255.0
 exit
!
access-list 10 permit host 192.168.20.254 
line vty 0 4
 access-class 10 in
 exit
!
access-list 110 deny ip  any 192.168.20.0 0.0.0.255
access-list 110 permit ip any any
interface g0/0.3
 ip access-group 110 out
 exit
!

Configuration PC Management: 







Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

[CCNAv6 S2] 2.2.2.4 Packet Tracer - Configuring IPv4 Static and Default Routes

Hình ảnh
Packet Tracer - Configuring IPv4 Static and Default Routes Addressing Table Objectives Part 1: Examine the Network and Evaluate the Need for Static Routing Part 2: Configure Static and Default Routes Part 3: Verify Connectivity Background In this activity, you will configure static and default routes. A static route is a route that is entered manually by the network administrator to create a reliable and safe route. There are four different static routes that are used in this activity: a recursive static route, a directly attached static route, a fully specified static route, and a default route. Part 1:     Examine the Network and Evaluate the Need for Static Routing a.     Looking at the topology diagram, how many networks are there in total? b.    How many networks are directly connected to R1, R2, and R3? c.     How many static routes are required by each router to reach networks that are not directly connected? d.    Test connectivity to the R2 and R3
Đọc thêm

[CCNAv6 S2] 8.3.1.2 Packet Tracer - Skills Integration Challenge

Hình ảnh
Packet Tracer – Skills Integration Challenge Addressing Table VLAN Port Assignments and DHCP Information Scenario In this culminating activity, you will configure VLANs, trunks, DHCP Server, DHCP relay agents, and configure a router as a DHCP client. Requirements Using the information in the tables above, implement the following requirements: ·         Create VLANs on S2 and assign VLANs to appropriate ports. Names are case-sensitive ·         Configure S2 ports for trunking. ·         Configure all non-trunk ports on S2 as access ports. ·         Configure R1 to route between VLANs. Subinterface names should match the VLAN number. ·         Configure R1 to act as a DHCP server for the VLANs attached to S2. -       Create a DHCP pool for each VLAN. Names are case-sensitive. -       Assign the appropriate addresses to each pool. -       Configure DHCP to provide the default gateway address -       Configure the DNS server 209.165.201.14 for each pool. - 
Đọc thêm

[CCNAv6 S3] 7.2.3.5 Packet Tracer - Troubleshooting EIGRP for IPv4

Hình ảnh
Packet Tracer – Troubleshooting EIGRP for IPv4 Addressing Table Scenario In this activity, you will troubleshoot EIGRP neighbor issues. Use show commands to identify errors in the network configuration. Then, you will document the errors you discover and implement an appropriate solution. Finally, you will verify full end-to-end connectivity is restored. Troubleshooting Process 1.     Use testing commands to discover connectivity problems in the network and document the problem in the Documentation Table. 2.     Use verification commands to discover the source of the problem and devise an appropriate solution to implement. Document the proposed solution in the Documentation Table. 3.     Implement each solution one at a time and verify if the problem is resolved. Indicate the resolution status in the Documentation Table. 4.     If the problem is not resolved, it may be necessary to first remove the implemented solution before returning to Step 2. 5.     Once al
Đọc thêm