Lab 5 Ch-2 & 3 - Switch Security Part B - Apr18 - 2013

This document provides instructions for completing the second part of Lab 5 on switch security. The objectives are to set up L2 security features like DHCP snooping and dynamic ARP inspection on VLAN 10. It also details how to secure the switch management sessions by configuring username/password authentication and allowing only SSH access on the VTY lines. The network topology connects 2 switches and 2 routers. Steps are provided to configure the routers, switches, and workstations, and enable the security features like DHCP snooping protection and ARP spoofing mitigation on VLAN 10. Status files from the switches are to be uploaded for lab completion.

Uploaded by

Mayu Kanes
Copyright
© Attribution Non-Commercial (BY-NC)

CST6474    Lab 5 Ch-2 & 3: Switch Security    Algonquin

Lab 5 Ch-2 & 3: Switch Security Part B

Objectives: This lab exercise continues from the previous lab and adds switch L2 security features and management-session security.
Prerequisite: complete Lab 4 Ch-2 & 3: VLANs to L3 Part A, and use its switch configuration files.
Features added in this lab:
   - Set up L2 security: DHCP Snooping and Dynamic ARP Inspection
   - Secure the switch VTY lines: require username/password authentication; allow only SSH

Network Topology: (diagram)

1. Cabling (lab T113). DO NOT connect any switch ports YET!!!
   a. Connect your lab PC COMM port cable to the various switch and router console ports as necessary to perform configurations.
   b. Clear any existing switch & router configurations (details: Lab 2.5.1, Appendix 1).
   c. Now cable the rest of the topology per the above diagram.
      Note: cable your Pod racks (bottom rack switch) via the Yellow lab network rather than the Red at the patch panel. This connects to the instructor-supplied router T113-Yellow-Net, providing ALG-Net connectivity via a local NAT.

Page 1 of 3    M.Gough, Algonquin College

2. Router configuration:
   a. Download router configuration files from Blackboard for your particular T113 lab Pod #.
      i. Please note each group of students using a Pod must use a unique IP subnet.
      ii. Note your Pod # in the topology diagram, and download from Blackboard the correct router config files.
   b. Upload the correct files to the correct routers for your lab equipment.
   c. Verify R1 and R2 can ping:
      - 172.X7.99.1 (X = your Pod #)   OK? ___
      - 10.50.13.1                     OK? ___
   d. Verify R2 gets all routing table routes for all VLAN subnets and links:

      R2#sho ip route
      Gateway of last resort is 172.17.9.254 to network 0.0.0.0

           172.17.0.0/24 is subnetted, 8 subnets
      C       172.17.1.0 is directly connected, Serial0/1
      R       172.17.3.0 [120/1] via 172.17.2.2, 00:00:13, Serial0/1
      C       172.17.9.0 is directly connected, FastEthernet0/0
      R       172.17.10.0 [120/1] via 172.17.1.1, 00:00:07, Serial0/1
      R       172.17.20.0 [120/1] via 172.17.1.1, 00:00:07, Serial0/1
      R*   0.0.0.0/0 [120/1] via 172.17.9.254, 00:00:05, FastEthernet0/0

      i. Troubleshoot with instructor support as needed.   OK? ___

3. Initial Switch Configuration: use your Lab 3.5.1 switches S1, S2.
   a. Edit all switch config files:
      i. Add VLAN 99: before the first interface line add the line:   vlan 99
      ii. Change the second octet of your SVI IP address (after interface vlan 99) to correspond to your lab equipment Pod #, as per:

         Pod #   S1 Config IP Addr   S2 Config IP Addr
         1       172.17.99.11        172.17.99.12
         2       172.27.99.11        172.27.99.12
         3       172.37.99.11        172.37.99.12
         4       172.47.99.11        172.47.99.12
         5       172.57.99.11        172.57.99.12
         6       172.67.99.11        172.67.99.12

      iii. Add a line:   no shutdown   after your line:   ip address 172.
   b. Upload your switch config files to your respective switches S1, S2.
   c. Enable all ports on all switches, and assign GigE ports to VLAN 99:

      interface range fa0/1 - 24
       no shut
       swi trunk encap dot1q
      interface range gi0/1 - 2          (note: in PT it's gi1/1 - 2)
       switchport access vlan 99
       no shut

   d. Verify switch connectivity to all neighbour switch SVIs (see IP table above).   OK? ___
   e. You will not have switch connectivity to other VLANs nor the routers, as the switch SVIs on VLAN-99 are not connected to their default gateway in R3 (later Step-6).

4. Workstation configuration: R2 has a DHCP server for PCs on their different VLANs.
   a. Verify that the workstations:
      i. received an IP address and can ping 172.17.9.254
      ii. received a default gateway and DNS address and can surf ALG-Net (note slow performance through the serial WAN links)

5. Configure S1 VTY lines for SSH only, max 4 sessions:
   a. This configuration is somewhat cookbook:

      S(config)# username ciscoccna password cisco
      S(config)# ip domain-name example.com
      S(config)# crypto key zeroize rsa        <- clears out previous crypto IPSec RSA keys
      S(config)# crypto key generate rsa       <- for SSHv2, key length MUST be 1024 (min)
      S(config)# ip ssh version 2
      S(config)# line vty 0 3
      S(config-line)# login local              <- uses the above username/pw local to this switch
      S(config-line)# transport input ssh

6. Verify SSH VTY access from a PC using PuTTY connected to a switchport on VLAN-99.

7. Configure DHCP Snooping for the DHCP server ingress ports, for VLAN 10 only.
   a. Again somewhat cookbook:

      ip dhcp snooping                            <- turn on feature
      ip dhcp snooping vlan 10                    <- activate on VLAN 10 only
      no ip dhcp snooping information option      <- for remote DHCP server support
      interface range fa0/11 , fa0/18             <- DHCP server ingress ports
       ip dhcp snooping trust                     <- trust DHCP only from the DHCP server
      interface range fa0/6 - 24                  <- untrusted ports: limit DHCP requests
       ip dhcp snooping limit rate 100

8. Verify DHCP snooping protection:
   a. # show ip dhcp snooping
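As an added example (not part of the lab handout), the script below parses the output of step 8's `show ip dhcp snooping` and checks it against what step 7 intended: snooping operational on VLAN 10, option 82 insertion off, only the DHCP server ingress ports fa0/11 and fa0/18 trusted, and every untrusted port rate-limited to 100 pps or less. The sample output is constructed for this example, modelled on Catalyst 2960 output (the remote-id MAC is a placeholder); it contains one deliberate gap (an untrusted port with no rate limit) so the check has something to report.

```python
"""Check `show ip dhcp snooping` output against the lab's DHCP snooping policy.

Added example, not the lab's own material. SAMPLE_OUTPUT is CONSTRUCTED,
modelled on Catalyst 2960 output; the remote-id MAC is a placeholder.
"""
import re

SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 0000.0000.0000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/11           yes        yes             unlimited
  Custom circuit-ids:
FastEthernet0/18           yes        yes             unlimited
  Custom circuit-ids:
FastEthernet0/6            no         no              100
  Custom circuit-ids:
FastEthernet0/7            no         no              100
  Custom circuit-ids:
FastEthernet0/12           no         no              unlimited
  Custom circuit-ids:
"""

# One row of the per-interface table: name, trusted, allow-option, rate limit.
IFACE_RE = re.compile(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(unlimited|\d+)\s*$")


def parse_snooping(text):
    """Return {'enabled', 'vlans' (set of ints), 'option82' (bool|None),
    'ifaces' {name: (trusted, rate_or_None)}} from show-command output."""
    state = {"enabled": False, "vlans": set(), "option82": None, "ifaces": {}}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s == "Switch DHCP snooping is enabled":
            state["enabled"] = True
        elif s == "DHCP snooping is operational on following VLANs:":
            # VLAN list follows on the next line(s): "10", "10,20" or "10-12"
            for nxt in lines[i + 1:]:
                n = nxt.strip()
                if not n or not re.match(r"^[\d,\-\s]+$", n):
                    break
                for tok in n.replace(",", " ").split():
                    if "-" in tok:
                        a, b = tok.split("-")
                        state["vlans"].update(range(int(a), int(b) + 1))
                    else:
                        state["vlans"].add(int(tok))
        elif s.startswith("Insertion of option 82 is "):
            state["option82"] = s.endswith("enabled")
        else:
            m = IFACE_RE.match(s)
            if m:
                name, trusted, _allow, rate = m.groups()
                state["ifaces"][name] = (trusted == "yes",
                                         None if rate == "unlimited" else int(rate))
    return state


def audit_snooping(state, vlan=10,
                   trusted_ports=("FastEthernet0/11", "FastEthernet0/18"),
                   max_rate=100):
    """Return a list of findings; an empty list means the switch matches step 7."""
    findings = []
    if not state["enabled"]:
        findings.append("DHCP snooping is globally disabled")
    if vlan not in state["vlans"]:
        findings.append(f"DHCP snooping not operational on VLAN {vlan}")
    if state["option82"]:
        findings.append("option 82 insertion still enabled (lab disables it for the remote DHCP server)")
    for p in trusted_ports:
        if not state["ifaces"].get(p, (False, None))[0]:
            findings.append(f"{p} (DHCP server ingress) is not trusted")
    for name, (trusted, rate) in state["ifaces"].items():
        if trusted and name not in trusted_ports:
            findings.append(f"{name} is trusted but is not a DHCP server ingress port")
        if not trusted and (rate is None or rate > max_rate):
            findings.append(f"{name} untrusted but rate limit is {rate or 'unlimited'} (expected <= {max_rate})")
    return findings


if __name__ == "__main__":
    for finding in audit_snooping(parse_snooping(SAMPLE_OUTPUT)) or ["OK: matches step 7"]:
        print(finding)
```

Paste the real output of `show ip dhcp snooping` in place of SAMPLE_OUTPUT to audit S1; a trusted port that is not one of the DHCP server ingress ports is the finding to look for first, since a rogue DHCP server on such a port is exactly what the feature is meant to block.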

9. Set up ARP spoofing (or ARP poisoning) attack mitigation on VLAN 10 only:
   a. ip arp inspection vlan 10
   b. interface range fa0/11 , fa0/18
   c.  ip arp inspection trust

10. Copy switch status for all switches to a text file, plus your PT topology files for each VLAN, and upload to Blackboard for this lab completion delivery:
   a. show ip interface brief
   b. show vlan
   c. show ip dhcp snooping
   d. show run
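As an added example (not part of the lab handout), the script below audits the `show run` text collected in step 10 for the settings of steps 5, 7 and 9 in one pass: `ip ssh version 2`, DHCP snooping on VLAN 10 with option 82 off, DAI on VLAN 10, trust on fa0/11 and fa0/18 only, and SSH-only local login on every `line vty` block. The last check is the caveat a practitioner wants: step 5 configures `line vty 0 3` only, and any vty range left at its IOS default still accepts Telnet, so the audit flags every vty block that lacks `transport input ssh`. SAMPLE_CONFIG is constructed for this example, with two deliberate gaps so the audit reports something.

```python
"""Audit a switch running-config for the lab's VTY, DHCP snooping and DAI settings.

Added example, not the lab's own material. SAMPLE_CONFIG is CONSTRUCTED: it
mirrors the commands from steps 5, 7 and 9 with two deliberate gaps
(fa0/18 lacks DAI trust; 'line vty 4 15' was never restricted to SSH).
"""

SAMPLE_CONFIG = """\
!
hostname S1
!
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 10
ip ssh version 2
ip domain-name example.com
username ciscoccna password 0 cisco
!
interface FastEthernet0/6
 switchport access vlan 10
 ip dhcp snooping limit rate 100
!
interface FastEthernet0/11
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
interface FastEthernet0/18
 switchport mode trunk
 ip dhcp snooping trust
!
line con 0
line vty 0 3
 login local
 transport input ssh
line vty 4 15
 login
!
end
"""

# DHCP server ingress ports from steps 7 and 9 (the only ports allowed to be trusted).
TRUSTED_PORTS = ("FastEthernet0/11", "FastEthernet0/18")


def parse_config(text):
    """Split IOS running-config text into (global_commands, sections).

    sections maps a column-0 header such as 'interface FastEthernet0/11' or
    'line vty 0 3' to the list of its indented sub-commands.
    """
    global_cmds, sections = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None            # '!' separates sections in IOS output
            continue
        if raw[0] == " ":
            if current is not None:   # indented line belongs to the open section
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith(("interface ", "line ")):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit_config(text, vlan=10, trusted=TRUSTED_PORTS):
    """Return a list of findings; an empty list means the config matches steps 5, 7 and 9."""
    global_cmds, sections = parse_config(text)
    findings = []
    for required in ("ip ssh version 2",
                     "ip dhcp snooping",
                     f"ip dhcp snooping vlan {vlan}",
                     "no ip dhcp snooping information option",
                     f"ip arp inspection vlan {vlan}"):
        if required not in global_cmds:
            findings.append(f"missing global command: {required}")
    for hdr, body in sections.items():
        if hdr.startswith("line vty"):
            # Every vty block must be SSH-only with local login, not just 'line vty 0 3'.
            if "transport input ssh" not in body:
                findings.append(f"{hdr}: not restricted to SSH")
            if "login local" not in body:
                findings.append(f"{hdr}: does not use local username/password")
        elif hdr.startswith("interface "):
            name = hdr.split(" ", 1)[1]
            snoop = "ip dhcp snooping trust" in body
            dai = "ip arp inspection trust" in body
            if name in trusted:
                if not snoop:
                    findings.append(f"{name}: missing ip dhcp snooping trust")
                if not dai:
                    findings.append(f"{name}: missing ip arp inspection trust")
            elif snoop or dai:
                findings.append(f"{name}: trusted but is not a DHCP server ingress port")
    for p in trusted:
        if f"interface {p}" not in sections:
            findings.append(f"interface {p}: not present in config")
    if not any(h.startswith("line vty") for h in sections):
        findings.append("no vty line configuration found")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["OK: matches steps 5, 7 and 9"]:
        print(finding)
```

Run it over each switch's saved `show run` before uploading; the `line vty 4 15` finding shows why "max 4 sessions" needs the remaining vty lines explicitly restricted as well, not merely left unconfigured.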

