Task 8: Assign VLANs and Configure Port Security
Step 1. Assign VLANs to access ports.
Use the VLAN Configuration and Port Mappings table to complete the following requirements:
- Configure access ports
- Assign VLANs to the access ports
Branch B3 LAN Topology
B3-S2(config)#int f0/6
B3-S2(config-if)#switchport mode access
B3-S2(config-if)#switchport access vlan 10
B3-S2(config-if)#int fa0/11
B3-S2(config-if)#switchport mode access
B3-S2(config-if)#switchport access vlan 20
B3-S2(config-if)#int fa 0/16
B3-S2(config-if)#switchport mode access
B3-S2(config-if)#switchport access vlan 30
Configure the wireless port in access mode:
B3-S3(config)#int fa 0/7
B3-S3(config-if)#swi mode access
B3-S3(config-if)#switchport access vlan 88
Step 2. Configure port security.
Use the following policy to establish port security on the BX-S2 access ports:
- Allow only one MAC address
- Configure the first learned MAC address to "stick" to the configuration
- Set the port to shut down if there is a security violation
B3-S2(config)#int range fastEthernet 0/6 - fa 0/24
B3-S2(config-if-range)#switchport port-security
! the default maximum is already 1 MAC address, but we enter the command anyway
B3-S2(config-if-range)#switchport port-security maximum 1
B3-S2(config-if-range)#switchport port-security mac-address sticky
Step 3. Verify VLAN assignments and port security.
Use the appropriate commands to verify that access VLANs are correctly assigned and that the port security policy has been enabled.
B3-S2#show port-security interface f0/6
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Task 9: Configure STP
Step 1. Configure BX-S1 as the root bridge.
Set the priority level to 4096 on BX-S1 so that these switches are always the root bridge for all VLANs.
B3-S1(config)#spanning-tree vlan 1-1001 priority 4096
Step 2. Configure BX-S3 as the backup root bridge.
Set the priority level to 8192 on BX-S3 so that these switches are always the backup root bridge for all VLANs.
B2-S3(config)#spanning-tree vlan 1-1001 priority 8192
Step 3. Verify that BX-S1 is the root bridge.
Switch#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 00D0.BA3D.2C94
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 4097 (priority 4096 sys-id-ext 1)
Address 00D0.BA3D.2C94
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Desg FWD 19 128.3 P2p
Fa0/4 Desg FWD 19 128.4 P2p
Fa0/5 Desg FWD 19 128.5 P2p
VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 4106
Address 00D0.BA3D.2C94
This bridge is the root
...
VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 4116
Address 00D0.BA3D.2C94
This bridge is the root
...
VLAN0030
Spanning tree enabled protocol ieee
Root ID Priority 4126
Address 00D0.BA3D.2C94
This bridge is the root
...
VLAN0088
Spanning tree enabled protocol ieee
Root ID Priority 4184
Address 00D0.BA3D.2C94
This bridge is the root
...
VLAN0099
Spanning tree enabled protocol ieee
Root ID Priority 4195
Address 00D0.BA3D.2C94
This bridge is the root
...
Task 10: Configure DHCP
Step 1. Configure DHCP pools for each VLAN.
On the Branch routers, configure DHCP pools for each VLAN using the following requirements:
- Exclude the first 10 IP addresses in each pool for the LANs.
- Exclude the first 24 IP addresses in each pool for the wireless LANs.
- The pool name is BX_VLAN## where X is the router number and ## is the VLAN number.
- Include the DNS server attached to the HQ server farm as part of the DHCP configuration.
Configure on Branch Routers
DHCP excluded addresses:
B3(config)#ip dhcp excluded-address 10.3.10.1 10.3.10.10
B3(config)#ip dhcp excluded-address 10.3.20.1 10.3.20.10
B3(config)#ip dhcp excluded-address 10.3.30.1 10.3.30.10
B3(config)#ip dhcp excluded-address 10.3.88.1 10.3.88.24
Configure VLAN pools:
B3(config)#ip dhcp pool B3_VLAN10
B3(dhcp-config)#network 10.3.10.0 255.255.255.0
B3(dhcp-config)#dns-server 10.0.1.4
B3(dhcp-config)#default-router 10.3.10.1
B3(config)#ip dhcp pool B3_VLAN20
B3(dhcp-config)#network 10.3.20.0 255.255.255.0
B3(dhcp-config)#dns-server 10.0.1.4
B3(dhcp-config)#default-router 10.3.20.1
B3(config)#ip dhcp pool B3_VLAN30
B3(dhcp-config)#network 10.3.30.0 255.255.255.0
B3(dhcp-config)#dns-server 10.0.1.4
B3(dhcp-config)#default-router 10.3.30.1
B3(config)#ip dhcp pool B3_VLAN88
B3(dhcp-config)#network 10.3.88.0 255.255.255.0
B3(dhcp-config)#dns-server 10.0.1.4
B3(dhcp-config)#default-router 10.3.88.1
Step 2. Configure the PCs to use DHCP.
Currently, the PCs are configured to use static IP addresses. Change this configuration to DHCP.
B3-PC3>ipconfig /renew
IP Address......................: 10.3.30.11
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.3.30.1
DNS Server......................: 10.0.1.4
B3-PC3>ping www.cisco.com
Pinging 209.165.202.134 with 32 bytes of data:
Request timed out.
Reply from 209.165.202.134: bytes=32 time=71ms TTL=125
Reply from 209.165.202.134: bytes=32 time=112ms TTL=125
Ping statistics for 209.165.202.134:
Packets: Sent = 3, Received = 2, Lost = 1 (34% loss),
Approximate round trip times in milli-seconds:
Minimum = 71ms, Maximum = 112ms, Average = 91ms
Control-C
B3-PC3>
Step 3. Verify that the PCs and wireless routers have an IP address.
Activate Wireless Connection
PC-with-Wireless>ipconfig /renew
IP Address......................: 192.168.3.100
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.3.1
DNS Server......................: 10.0.1.4
PC-with-Wireless>ping www.cisco.com
Pinging 209.165.202.134 with 32 bytes of data:
Reply from 209.165.202.134: bytes=32 time=130ms TTL=124
Reply from 209.165.202.134: bytes=32 time=131ms TTL=124
Step 4. Verify connectivity.
All PCs physically attached to the network should be able to ping the www.cisco.com web server.
First, port security was tested on int fa 0/11 (by adding another switch with 2 PCs attached).
When the initial PC was reconnected, the port was shut down (port security).
B3-S2#sh port-sec int fa 0/11
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.0CEA.CDE5:20
Security Violation Count : 1
B3-S2#
! copy run star, then actually reloaded the switch, because Packet Tracer was not clearing port-security properly
B3-S2#clear port-security all
PC>ipconfig /renew
IP Address......................: 10.3.10.11
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.3.10.1
DNS Server......................: 10.0.1.4
PC>ping www.cisco.com
Pinging 209.165.202.134 with 32 bytes of data:
Reply from 209.165.202.134: bytes=32 time=125ms TTL=125
Reply from 209.165.202.134: bytes=32 time=86ms TTL=125
Reply from 209.165.202.134: bytes=32 time=120ms TTL=125
Reply from 209.165.202.134: bytes=32 time=120ms TTL=125
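The following is an added example, not code from the lab page: a small Python model of the port-security policy from Task 8 Step 2 (maximum 1, sticky learning, violation mode shutdown) that reproduces the counters of "show port-security interface" and replays the fa 0/11 test above. The MAC addresses are constructed samples, and the model assumes standard IOS behaviour in which "clear port-security" forgets learned addresses but does not bring an err-disabled port back up.

```python
# Added example, not from the lab page: a small model of IOS port security configured
# as in Task 8 (maximum 1, sticky learning, violation mode shutdown). It reproduces the
# counters of "show port-security interface"; MAC addresses are constructed samples.
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum 1
    sticky: bool = True              # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)
    status: str = "Secure-up"
    violations: int = 0

    def receive(self, src_mac: str) -> bool:
        """Ingress frame from src_mac; True if forwarded, False if dropped."""
        if self.status == "Secure-shutdown":
            return False                        # err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            if self.sticky:
                self.secure_macs.append(src_mac)  # first learned address "sticks"
            return True
        self.violations += 1                    # table full, unknown MAC: violation
        self.status = "Secure-shutdown"         # violation mode shutdown (the default)
        return False

    def clear_port_security(self) -> None:
        """'clear port-security all' forgets learned MACs but leaves an err-disabled port down."""
        self.secure_macs.clear()

    def shut_no_shut(self) -> None:
        """'shutdown' then 'no shutdown' on the interface recovers it from err-disable."""
        self.status = "Secure-up"

    def show(self) -> dict:
        return {"Port Status": self.status,
                "Maximum MAC Addresses": self.maximum,
                "Total MAC Addresses": len(self.secure_macs),
                "Sticky MAC Addresses": len(self.secure_macs) if self.sticky else 0,
                "Security Violation Count": self.violations}

def fa0_11_test() -> dict:
    """Replays the page's test: PC learned, a second device appears, the PC returns."""
    port = SecurePort()
    port.receive("0000.0c11.1111")    # original PC on VLAN 20 learns as sticky
    port.receive("0000.0c22.2222")    # second host behind the added switch -> violation
    port.receive("0000.0c11.1111")    # reconnected PC: still dropped, port is shut down
    return port.show()
```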
Task 11: Configure a Firewall ACL
Step 1. Verify connectivity from Outside Host.
The Outside Host PC should be able to ping the server at www.xyzcorp.com.
Outside-PC>ping www.xyzcorp.com
Pinging 209.165.200.246 with 32 bytes of data:
Request timed out.
Reply from 209.165.200.246: bytes=32 time=80ms TTL=126
Reply from 209.165.200.246: bytes=32 time=80ms TTL=126
Reply from 209.165.200.246: bytes=32 time=60ms TTL=126
Ping statistics for 209.165.200.246:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 60ms, Maximum = 80ms, Average = 73ms
Outside-PC>
Step 2. Implement a basic firewall ACL.
Because ISP represents connectivity to the Internet, configure a named ACL called FIREWALL in the following order:
- Allow inbound HTTP requests to the www.xyzcorp.com server.
- Allow only established TCP sessions from ISP and any source beyond ISP.
- Allow only inbound ping replies from ISP and any source beyond ISP.
- Explicitly block all other inbound access from ISP and any source beyond ISP.
HQ(config)#ip access-list extended FIREWALL
HQ(config-ext-nacl)#permit tcp any host 209.165.200.246 eq www
HQ(config-ext-nacl)#permit tcp any any established
HQ(config-ext-nacl)#permit icmp any any echo-reply
HQ(config-ext-nacl)#deny ip any any
HQ(config)#int s0/1/0
HQ(config-if)#ip access-group FIREWALL in
Step 3. Verify connectivity from Outside Host.
The Outside Host PC should not be able to ping the server at www.xyzcorp.com. However, the Outside Host PC should be able to request a web page.
Outside-PC>ping www.xyzcorp.com
Pinging 209.165.200.246 with 32 bytes of data:
Reply from 209.165.201.1: Destination host unreachable.
Reply from 209.165.201.1: Destination host unreachable.
Reply from 209.165.201.1: Destination host unreachable.
Reply from 209.165.201.1: Destination host unreachable.
Ping statistics for 209.165.200.246:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Outside-PC>ipconfig
IP Address......................: 209.165.202.130
Outside Host PC is able to request a web page
NetAdmin-PC>ping 209.165.202.130
Pinging 209.165.202.130 with 32 bytes of data:
Reply from 209.165.202.130: bytes=32 time=120ms TTL=126
Reply from 209.165.202.130: bytes=32 time=50ms TTL=126
Reply from 209.165.202.130: bytes=32 time=50ms TTL=126
Reply from 209.165.202.130: bytes=32 time=20ms TTL=126
Ping statistics for 209.165.202.130:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 120ms, Average = 60ms
NetAdmin-PC>
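To show why the Step 3 results come out as they do, here is an added example (not from the lab page) that evaluates the FIREWALL entries first-match against constructed inbound packets on HQ s0/1/0. The server and Outside-PC addresses come from the lab output; NETADMIN is an assumed address because the page does not give one.

```python
# Added example, not part of the lab page: first-match evaluation of the Task 11 FIREWALL
# ACL, showing why an outside ping is denied while HTTP and return traffic are permitted.
# Packets are constructed; NETADMIN is an assumed address, the others are from the page.
from dataclasses import dataclass

XYZ_SERVER = "209.165.200.246"    # www.xyzcorp.com
OUTSIDE_PC = "209.165.202.130"    # Outside-PC, from the ipconfig output on the page
NETADMIN = "10.0.0.50"            # assumed address for NetAdmin-PC (not on the page)

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0          # TCP destination port
    ack: bool = False       # ACK (or RST) set: what "established" matches on
    icmp_type: str = ""     # "echo-request" or "echo-reply"

# ACL entries in the order they were entered on HQ: (action, proto, src, dst, qualifier)
FIREWALL = [
    ("permit", "tcp",  "any", XYZ_SERVER, lambda p: p.dport == 80),              # eq www
    ("permit", "tcp",  "any", "any",      lambda p: p.ack),                      # established
    ("permit", "icmp", "any", "any",      lambda p: p.icmp_type == "echo-reply"),
    ("deny",   "ip",   "any", "any",      lambda p: True),                       # explicit deny
]

def _addr_ok(rule_addr: str, addr: str) -> bool:
    return rule_addr == "any" or rule_addr == addr

def evaluate(acl, pkt: Packet):
    """Return (action, position) of the first matching entry. IOS ends every ACL with
    an implicit deny; it is modelled here as ('deny', None)."""
    for n, (action, proto, src, dst, qualifier) in enumerate(acl, start=1):
        if proto != "ip" and proto != pkt.proto:
            continue
        if _addr_ok(src, pkt.src) and _addr_ok(dst, pkt.dst) and qualifier(pkt):
            return action, n
    return "deny", None

def step3_cases() -> dict:
    """The inbound packets behind the Step 3 verification, as seen by 'ip access-group FIREWALL in'."""
    cases = {
        "outside_ping_server": Packet("icmp", OUTSIDE_PC, XYZ_SERVER, icmp_type="echo-request"),
        "outside_http_syn":    Packet("tcp", OUTSIDE_PC, XYZ_SERVER, dport=80),
        "web_reply_to_admin":  Packet("tcp", OUTSIDE_PC, NETADMIN, dport=51000, ack=True),
        "ping_reply_to_admin": Packet("icmp", OUTSIDE_PC, NETADMIN, icmp_type="echo-reply"),
    }
    return {name: evaluate(FIREWALL, pkt) for name, pkt in cases.items()}
```

The outside ping falls through to the explicit deny, which is why the router at 209.165.201.1 answers with "Destination host unreachable" instead of the server replying.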
Task 12: Configure Wireless Connectivity
Step 1. Verify the DHCP configuration.
Each BX-WRS router should already have IP addressing from the DHCP of the BX router for VLAN 88.
Step 2. Configure the Network Setup/LAN settings.
The "Router IP" on the Status page in the GUI tab should be the first IP of the 10.X.40.0 /24 subnet. Leave all other settings at the default.
Step 3. Configure the wireless network settings.
The SSIDs for the routers are BX-WRS_LAN where the X is the Branch router number.
The WEP key is 12345ABCDE
Setup Wireless Branch B3 Router
Configure the administration password as cisco123 and enable remote management.
Activate remote administration for the web GUI and set the password to cisco123.
Step 5. Configure the BX-PC4 PCs to access the wireless network using DHCP.
B3-PC4>ping www.cisco.com
Pinging 209.165.202.134 with 32 bytes of data:
Request timed out.
Reply from 209.165.202.134: bytes=32 time=180ms TTL=124
Reply from 209.165.202.134: bytes=32 time=150ms TTL=124
Reply from 209.165.202.134: bytes=32 time=140ms TTL=124
Ping statistics for 209.165.202.134:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 140ms, Maximum = 180ms, Average = 156ms
B3-PC4>
Step 6. Verify connectivity and remote management capability.
Each wireless PC should be able to access the www.cisco.com web server.
Verify remote management capability by accessing the wireless router through the web browser.
From the NetAdmin PC browser, access http://10.3.88.2/ with user admin and password cisco123.
Task 13: Network Troubleshooting
Step 1. Break the network.
One student leaves the room, if necessary, while another student breaks the configuration.
Step 2. Troubleshoot the problem.
The student returns and uses troubleshooting techniques to isolate and solve the problem.
Step 3. Break the network again.
The students switch roles and repeat steps 1 and 2.
Links
http://www.invialgo.com/2012/packet-tracer-activity-8-6-1-answer-100/