Lab – Implementing VLAN Security

Topology

Addressing Table

VLAN Assignments

Step 1: Configure VLANs on each switch

  • Create and name VLANs according to the VLAN Assignments table.

  • Configure the IP address listed in the Addressing Table for VLAN 99 on both switches.

  • Configure F0/6 on S1 as an access port and assign it to VLAN 99.

  • Configure F0/11 on S2 as an access port and assign it to VLAN 10.

  • Configure F0/18 on S2 as an access port and assign it to VLAN 99.

  • Issue the show vlan brief command to verify VLAN and port assignments.

S1 Configuration

Switch>enable 
Switch#configure terminal 
Switch(config)#vlan 10
Switch(config-vlan)#name Data
Switch(config-vlan)#exit
Switch(config)#vlan 99
Switch(config-vlan)#name Management&Native
Switch(config-vlan)#exit
Switch(config)#vlan 999
Switch(config-vlan)#name BlackHole
Switch(config-vlan)#exit
Switch(config)#interface vlan 99
Switch(config-if)#ip address 172.17.99.11 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface fa0/1
Switch(config-if)#switchport mode trunk 
Switch(config-if)#exit
Switch(config)#interface fa0/6
Switch(config-if)#switchport mode access 
Switch(config-if)#switchport access vlan 99
Switch(config-if)#^Z
Switch#show vlan brief 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gig0/1
                                                Gig0/2
10   Data                             active    
99   Management&Native                active    Fa0/6
999  BlackHole                        active    
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    
Switch#

S2 Configuration

Switch>enable 
Switch#configure terminal 
Switch(config)#vlan 10
Switch(config-vlan)#name Data
Switch(config-vlan)#exit
Switch(config)#vlan 99
Switch(config-vlan)#name Management&Native
Switch(config-vlan)#exit
Switch(config)#vlan 999
Switch(config-vlan)#name BlackHole
Switch(config-vlan)#exit
Switch(config)#interface fa0/1
Switch(config-if)#switchport mode trunk 
Switch(config-if)#exit
Switch(config)#interface vlan 99
Switch(config-if)#ip address 172.17.99.12 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface fa0/11
Switch(config-if)#switchport mode access 
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface fa0/18
Switch(config-if)#switchport mode access 
Switch(config-if)#switchport access vlan 99
Switch(config-if)#^Z
Switch#show vlan brief 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   Data                             active    Fa0/11
99   Management&Native                active    Fa0/18
999  BlackHole                        active    
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    
Switch#

Step 2: Configure basic switch security

  • Configure a MOTD banner to warn users that unauthorized access is prohibited.

  • Encrypt all passwords.

  • Shut down all unused physical ports.

  • Disable the basic web service that is running on the switch.

S1 Configuration

S1(config)#banner motd #unauthorized access is prohibited#
S1(config)#service password-encryption
S1(config)#interface range fa0/2-5 , fa0/7-24
S1(config-if-range)#shutdown 
S1(config-if-range)#exit
S1(config)#no ip http server
S1(config)#

S2 Configuration

S2(config)#banner motd #unauthorized access is prohibited#
S2(config)#service password-encryption
S2(config)#interface range fa0/2-10 , fa0/12-17 , fa0/19-24
S2(config-if-range)#shutdown 
S2(config-if-range)#exit
S2(config)#no ip http server
S2(config)#

Step 3: Verify connectivity between devices and VLAN information

From a command prompt on PC-A, ping the management address of S1. Were the pings successful? Why?

PC-A>ping 172.17.99.11

Pinging 172.17.99.11 with 32 bytes of data:

Reply from 172.17.99.11: bytes=32 time=0ms TTL=255
Reply from 172.17.99.11: bytes=32 time=0ms TTL=255
Reply from 172.17.99.11: bytes=32 time=0ms TTL=255
Reply from 172.17.99.11: bytes=32 time=0ms TTL=255

Ping statistics for 172.17.99.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC-A>

Yes, the pings were successful. PC-A is in the same VLAN as the management address on the switch.

From S1, ping the management address of S2. Were the pings successful? Why?

S1#ping 172.17.99.12

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.99.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms

S1#

Yes, the pings were successful. The management addresses on S1 and S2 are in the same VLAN, and interface F0/1 on both switches is configured as a trunk port.

From a command prompt on PC-B, ping the management addresses on S1 and S2 and the IP address of PC-A and PC-C. Were your pings successful? Why?

PC-B>ping 172.17.99.11

Pinging 172.17.99.11 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.17.99.11:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC-B>ping 172.17.99.12

Pinging 172.17.99.12 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.17.99.12:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC-B>ping 172.17.99.3

Pinging 172.17.99.3 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.17.99.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC-B>ping 172.17.99.4

Pinging 172.17.99.4 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.17.99.4:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC-B>

Step 4: Implement VLAN Security on the Switches

Task 1

Verify trunking on S1 and S2. Issue the show interface trunk command on both switches.

S1#show interfaces trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,99,999

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,99,999
S1#
S2#show interfaces trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,99,999

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,99,999
S2#

What is the current native VLAN for the S1 and S2 F0/1 interfaces?

VLAN 1 is the native VLAN for both switches.

Task 2

Configure the native VLAN on the S1 F0/1 trunk interface to Management&Native VLAN 99.

S1(config)#interface fastEthernet 0/1
S1(config-if)#switchport trunk native vlan 99

Wait a few seconds. You should start receiving error messages on the console session of S1. What does the %CDP-4-NATIVE_VLAN_MISMATCH: message mean?

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).

This is a Cisco Discovery Protocol (CDP) message indicating that the S1 and S2 native VLANs do not match. S2 still has the native VLAN set to VLAN 1. S1 has set the native VLAN to 99.
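The same mismatch can be caught without waiting for a console message, by comparing what each end of the trunk reports. The following Python script is an added example and is not part of the lab: it parses the text of show interfaces trunk captured on both switches (the two captures below are constructed to mirror S1 and S2 at this point, with S1 on native VLAN 99 and S2 still on VLAN 1) and reports any port still on the default native VLAN and any mismatch across a cabled pair. The list of cabled port pairs handed to audit_native_vlans is an assumption supplied by the caller, because the CLI output itself does not say which ports face each other.

```python
"""Detect native VLAN problems from 'show interfaces trunk' text.

Added example: parses captures from both ends of a trunk and reports ports
still on the default native VLAN and native VLAN mismatches across the link,
the condition behind the %CDP-4-NATIVE_VLAN_MISMATCH console message.
"""
import re

# Constructed captures modelled on S1 and S2 after S1 alone was moved to
# native VLAN 99 (Step 4, Task 2) while S2 still used VLAN 1.
S1_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-1005
"""

S2_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005
"""

# One row of the first table: port, mode, encapsulation, status, native VLAN.
TRUNK_ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<mode>\S+)\s+(?P<encap>\S+)\s+(?P<status>\S+)\s+(?P<native>\d+)\s*$"
)


def parse_trunks(output):
    """Return {port: native_vlan} for every port whose status is 'trunking'."""
    trunks = {}
    for line in output.splitlines():
        match = TRUNK_ROW.match(line)
        if match and match.group("status") == "trunking":
            trunks[match.group("port")] = int(match.group("native"))
    return trunks


def audit_native_vlans(local, remote, links, default_vlan=1):
    """Compare the two ends of each cabled trunk.

    local, remote: {port: native_vlan} from parse_trunks() on each switch.
    links: (local_port, remote_port) pairs describing the cabling (assumed
           to be known to the caller; the CLI output does not carry it).
    Returns a list of human-readable findings; an empty list means consistent.
    """
    findings = []
    for side, trunks in (("local", local), ("remote", remote)):
        for port, vlan in trunks.items():
            if vlan == default_vlan:
                findings.append(f"{side} {port}: native VLAN is default {default_vlan}")
    for lport, rport in links:
        if lport in local and rport in remote and local[lport] != remote[rport]:
            findings.append(
                f"mismatch: local {lport} ({local[lport]}) vs remote {rport} ({remote[rport]})"
            )
    return findings


if __name__ == "__main__":
    s1, s2 = parse_trunks(S1_TRUNK), parse_trunks(S2_TRUNK)
    for finding in audit_native_vlans(s1, s2, [("Fa0/1", "Fa0/1")]):
        print(finding)
```

Run against the two constructed captures, the script reports that S2's Fa0/1 is still on the default native VLAN and that the two ends disagree (99 versus 1); once S2 is also moved to VLAN 99, as in Task 3, the same comparison returns no findings. Unlike the CDP message, this check also works on links where CDP has been turned off.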

Task 3

Configure the native VLAN on the S2 F0/1 trunk interface to VLAN 99.

S2(config)#interface fa0/1
S2(config-if)#switchport trunk native vlan 99

Task 4

Verify that the native VLAN is now 99 on both switches. S1 output is shown below.

S1#show interfaces trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,99,999

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,99,999
S1#
S2#show interfaces trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,99,999

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,99,999
S2#

Step 5: Prevent the use of DTP on S1 and S2

Cisco switches use a proprietary protocol, the Dynamic Trunking Protocol (DTP), to negotiate trunking. Ports left at their default mode negotiate automatically and can form a trunk with whatever device is connected to them, so a good practice is to turn negotiation off. You can see this default behavior by issuing the following command:

S1#show interfaces fastEthernet 0/1 switchport 
Name: Fa0/1
...
Negotiation of Trunking: On
...
S1#

Task 1

Turn off negotiation on S1 and S2.

S1(config)#interface fa0/1
S1(config-if)#switchport nonegotiate 
S2(config)#interface fa0/1
S2(config-if)#switchport nonegotiate 

Task 2

Verify that negotiation is off by issuing the show interface f0/1 switchport command on S1 and S2.

S1#show interfaces fastEthernet 0/1 switchport 
...
Negotiation of Trunking: Off
...
S1#
S2#show interfaces fa0/1 switchport 
...
Negotiation of Trunking: Off
...
S2#

Step 6: Secure access ports on S1 and S2

Task 1

Issue the show interface f0/2 switchport command on S1. Notice the administrative mode and state for trunking negotiation.

S1#show interfaces fa0/2 switchport 
...
Administrative Mode: dynamic auto
...
Negotiation of Trunking: On
...
S1#

Task 2

Disable trunking on S1 access ports.

S1(config)#interface range fa0/2-5 , fa0/7-24
S1(config-if-range)#switchport mode access 
S1(config-if-range)#switchport access vlan 999
S1(config-if-range)#shutdown 

Task 3

Disable trunking on S2 access ports.

S2(config)#interface range fa0/2-10 , fa0/12-17 , fa0/19-24
S2(config-if-range)#switchport mode access 
S2(config-if-range)#switchport access vlan 999
S2(config-if-range)#shutdown 

Task 4

Verify that port F0/2 is set to access on S1.

S1#show interfaces fastEthernet 0/2 switchport 
...
Administrative Mode: static access
...
Negotiation of Trunking: Off
Access Mode VLAN: 999 (BlackHole)
...
S1#

By default, all VLANs are allowed to be carried on trunk ports. For security reasons, it is a good practice to only allow specific desired VLANs to cross trunk links on your network.

Task 5

Restrict the trunk port F0/1 on S1 and S2 to only allow VLANs 10 and 99.

S1(config)#interface fa0/1
S1(config-if)#switchport trunk allowed vlan 10,99
S2(config)#interface fa0/1
S2(config-if)#switchport trunk allowed vlan 10,99

Task 6

Verify the allowed VLANs. Issue a show interface trunk command in privileged EXEC mode on both S1 and S2.

S1#show interfaces trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99

Port        Vlans allowed and active in management domain
Fa0/1       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,99
S1#
S2#show interfaces trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99

Port        Vlans allowed and active in management domain
Fa0/1       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,99
S2#
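Steps 2, 5 and 6 together amount to a checklist that can be verified from a switch's running-config rather than by inspecting each port by hand. The following Python script is an added example, not part of the lab: it parses a constructed running-config excerpt modelled on S1 after these steps (FastEthernet0/7 is deliberately left at factory defaults so the audit has something to report) and flags trunks that still negotiate, keep native VLAN 1 or allow all VLANs; access ports that were shut down without being parked in the BlackHole VLAN 999; physical ports left in the default dynamic auto mode; and the two global settings from Step 2. The blackhole_vlan parameter and the wording of the findings are assumptions.

```python
"""Audit a switch running-config for the hardening items in Steps 2, 5 and 6.

Added example: parses interface stanzas and global lines from running-config
text and reports what still deviates from the lab's end state.
"""
import re

# Constructed running-config excerpt modelled on S1 after Steps 2, 5 and 6.
# FastEthernet0/7 is deliberately left at factory defaults to produce a finding.
RUNNING_CONFIG = """\
service password-encryption
!
hostname S1
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,99
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface FastEthernet0/6
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/7
!
interface Vlan99
 ip address 172.17.99.11 255.255.255.0
!
no ip http server
"""

PHYSICAL_PORT = re.compile(r"^(FastEthernet|GigabitEthernet)\S+$")


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for each stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def last_value(lines, prefix, default):
    """Return the integer after the last line starting with prefix, else default."""
    values = [int(line.split()[-1]) for line in lines if line.startswith(prefix)]
    return values[-1] if values else default


def audit_interface(lines, blackhole_vlan=999):
    """Return findings for one physical port; an empty list means compliant."""
    findings = []
    modes = [line[len("switchport mode "):] for line in lines if line.startswith("switchport mode ")]
    mode = modes[-1] if modes else "dynamic auto"  # IOS default seen in Step 6, Task 1
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("DTP negotiation still enabled on trunk")
        if last_value(lines, "switchport trunk native vlan ", 1) == 1:
            findings.append("native VLAN is default VLAN 1")
        if not any(line.startswith("switchport trunk allowed vlan ") for line in lines):
            findings.append("all VLANs allowed on trunk")
    elif mode == "access":
        if "shutdown" in lines and last_value(lines, "switchport access vlan ", 1) != blackhole_vlan:
            findings.append(f"unused port not parked in VLAN {blackhole_vlan}")
    else:
        findings.append(f"mode '{mode}' can negotiate a trunk via DTP")
    return findings


def audit_config(config, blackhole_vlan=999):
    """Return {scope: [findings]} for global settings and each physical port."""
    report = {}
    global_lines = {line.strip() for line in config.splitlines()}
    global_findings = []
    if "service password-encryption" not in global_lines:
        global_findings.append("passwords not encrypted")
    if "no ip http server" not in global_lines:
        global_findings.append("HTTP server not disabled")
    if global_findings:
        report["global"] = global_findings
    for name, lines in parse_interfaces(config).items():
        if PHYSICAL_PORT.match(name):
            findings = audit_interface(lines, blackhole_vlan)
            if findings:
                report[name] = findings
    return report


if __name__ == "__main__":
    for scope, findings in audit_config(RUNNING_CONFIG).items():
        print(scope, "->", "; ".join(findings))
```

On the constructed excerpt the only finding is FastEthernet0/7, which has no static mode and would still answer DTP. Ports that are explicitly set to access mode are treated as compliant whether or not they are shut down, since Step 6 shows that static access mode alone turns trunk negotiation off; the BlackHole check applies only to ports that are shut down, matching what the lab does to its unused ports.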
