Create and name VLANs according to the VLAN Assignments table.
Configure the IP address listed in the Addressing Table for VLAN 99 on both switches.
Configure F0/6 on S1 as an access port and assign it to VLAN 99.
Configure F0/11 on S2 as an access port and assign it to VLAN 10.
Configure F0/18 on S2 as an access port and assign it to VLAN 99.
Issue show vlan brief command to verify VLAN and port assignments.
S1 Configuration
Switch>enable
Switch#configure terminal
Switch(config)#vlan 99
Switch(config-vlan)#exit
Switch(config)#vlan 10
Switch(config-vlan)#name Data
Switch(config-vlan)#exit
Switch(config)#vlan 99
Switch(config-vlan)#name Management&Native
Switch(config-vlan)#exit
Switch(config)#vlan 999
Switch(config-vlan)#name BlackHole
Switch(config-vlan)#exit
Switch(config)#interface vlan 99
Switch(config-if)#ip address 172.17.99.11 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#interface fa0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#interface fa0/6
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 99
Switch(config-if)#^Z
Switch#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gig0/1
                                                Gig0/2
10   Data                             active
99   Management&Native                active    Fa0/6
999  BlackHole                        active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Switch#
S2 Configuration
Switch>enable
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#name Data
Switch(config-vlan)#exit
Switch(config)#vlan 99
Switch(config-vlan)#name Management&Native
Switch(config-vlan)#exit
Switch(config)#vlan 999
Switch(config-vlan)#name BlackHole
Switch(config-vlan)#exit
Switch(config)#interface fa0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#interface vlan 99
Switch(config-if)#ip address 172.17.99.12 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface fa0/11
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface fa0/18
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 99
Switch(config-if)#^Z
Switch#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   Data                             active    Fa0/11
99   Management&Native                active    Fa0/18
999  BlackHole                        active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Switch#
Step 2: Configure basic switch security
Configure a MOTD banner to warn users that unauthorized access is prohibited.
Encrypt all passwords.
Shut down all unused physical ports.
Disable the basic web service running.
S1 Configuration
S1(config)#banner motd #unauthorized access is prohibited#
S1(config)#service password-encryption
S1(config)#interface range fa0/2-5 , fa0/7-24
S1(config-if-range)#shutdown
S1(config-if-range)#exit
S1(config)#no ip http server
S1(config)#
S2 Configuration
S2(config)#banner motd #unauthorized access is prohibited#
S2(config)#service password-encryption
S2(config)#interface range fa0/2-10 , fa0/12-17 , fa0/19-24
S2(config-if-range)#shutdown
S2(config-if-range)#exit
S2(config)#no ip http server
S2(config)#
Step 3: Verify connectivity between devices and VLAN information
From a command prompt on PC-A, ping the management address of S1. Were the pings successful? Why?
PC-A>ping 172.17.99.11
Pinging 172.17.99.11 with 32 bytes of data:
Reply from 172.17.99.11: bytes=32 time=0ms TTL=255
Reply from 172.17.99.11: bytes=32 time=0ms TTL=255
Reply from 172.17.99.11: bytes=32 time=0ms TTL=255
Reply from 172.17.99.11: bytes=32 time=0ms TTL=255
Ping statistics for 172.17.99.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
PC-A>
Yes, the pings were successful. PC-A is in the same VLAN as the management address on the switch.
From S1, ping the management address of S2. Were the pings successful? Why?
S1#ping 172.17.99.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.99.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
S1#
Yes, the pings were successful. The management addresses on S1 and S2 are in the same VLAN, and interface F0/1 on both switches is configured as a trunk port.
From a command prompt on PC-B, ping the management addresses on S1 and S2 and the IP address of PC-A and PC-C. Were your pings successful? Why?
PC-B>ping 172.17.99.11
Pinging 172.17.99.11 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.17.99.11:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC-B>ping 172.17.99.12
Pinging 172.17.99.12 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.17.99.12:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC-B>ping 172.17.99.3
Pinging 172.17.99.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.17.99.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC-B>ping 172.17.99.4
Pinging 172.17.99.4 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.17.99.4:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC-B>
No, none of the pings were successful. PC-B is attached to S2 F0/11, an access port in VLAN 10, while the management addresses of S1 and S2 and the addresses of PC-A and PC-C are in VLAN 99. Traffic does not pass from one VLAN to another without a Layer 3 device routing between them.
Step 4: Implement VLAN Security on the Switches
Task 1
Verify trunking on S1 and S2. Issue the show interface trunk command on both switches.
S1#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,99,999

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,99,999
S1#
S2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,99,999

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,99,999
S2#
What is the current native VLAN for the S1 and S2 F0/1 interfaces?
VLAN 1 is the native VLAN for both switches.
Task 2
Configure the native VLAN on the S1 F0/1 trunk interface to Management&Native VLAN 99.
Wait a few seconds. You should start receiving error messages on the console session of S1. What does the %CDP-4-NATIVE_VLAN_MISMATCH: message mean?
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).
This is a Cisco Discovery Protocol (CDP) message indicating that the S1 and S2 native VLANs do not match. S2 still has the native VLAN set to VLAN 1. S1 has set the native VLAN to 99.
Task 3
Configure the native VLAN on the S2 F0/1 trunk interface to VLAN 99.
Verify that the native VLAN is now 99 on both switches. S1 output is shown below.
S1#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,99,999

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,99,999
S1#
S2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,99,999

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,99,999
S2#
Step 5: Prevent the use of DTP on S1 and S2
Cisco uses a proprietary protocol known as the Dynamic Trunking Protocol (DTP) on its switches. Some ports automatically negotiate to trunking. A good practice is to turn off negotiation. You can see this default behavior by issuing the following command:
S1#show interfaces fastEthernet 0/1 switchport
Name: Fa0/1
...
Negotiation of Trunking: On
...
S1#
By default, all VLANs are allowed to be carried on trunk ports. For security reasons, it is a good practice to only allow specific desired VLANs to cross trunk links on your network.
Task 5
Restrict the trunk port F0/1 on S1 to only allow VLANs 10 and 99.
Verify the allowed VLANs. Issue a show interface trunk command in privileged EXEC mode on both S1 and S2.
S1#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99

Port        Vlans allowed and active in management domain
Fa0/1       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,99
S1#
S2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99

Port        Vlans allowed and active in management domain
Fa0/1       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,99
S2#
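The three trunk hardening checks covered by Step 4 (native VLAN), Step 5 (DTP negotiation) and Task 5 (allowed VLAN list) can be verified automatically from the same show output the lab uses. The following audit script is an added example, not part of the lab; it parses the "show interfaces trunk" tables and the "Negotiation of Trunking:" line from "show interfaces ... switchport" as they appear above, and assumes that VLANs 10 and 99 are the only VLANs that should cross the trunk.

```python
import re

# Constructed sample: the lab's S1 "show interfaces trunk" output before hardening.
BEFORE = """Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Port        Vlans allowed on trunk
Fa0/1       1-1005
"""
# The same port after Step 4 and Task 5 (native VLAN 99, only VLANs 10 and 99 allowed).
AFTER = BEFORE.replace(" 1\n", " 99\n").replace("1-1005", "10,99")

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-1005' or '10,99' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(text):
    """Return {port: {'native': int, 'allowed': set}} from show interfaces trunk output."""
    trunks, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):  # each table in the output starts with a Port header
            section = "native" if "Native" in line else "allowed" if "allowed on trunk" in line else None
            continue
        m = re.match(r"^(\S+)\s+(\S.*)$", line)
        if not m or section is None:
            continue
        port, rest = m.groups()
        if section == "native":
            trunks.setdefault(port, {})["native"] = int(rest.split()[-1])  # last column
        else:
            trunks.setdefault(port, {})["allowed"] = expand_vlans(rest.strip())
    return trunks

def audit_trunk(trunk_text, switchport_text, expected=frozenset({10, 99})):
    """List hardening gaps per trunk port; an empty list means every check passed."""
    findings = []
    dtp_on = "Negotiation of Trunking: On" in switchport_text  # from show interfaces ... switchport
    for port, info in parse_trunks(trunk_text).items():
        if info.get("native", 1) == 1:
            findings.append(f"{port}: native VLAN is 1 (move it to a dedicated VLAN)")
        extra = info.get("allowed", set()) - expected
        if extra:
            findings.append(f"{port}: {len(extra)} VLANs allowed beyond {sorted(expected)}")
        if dtp_on:
            findings.append(f"{port}: DTP negotiation is on (switchport nonegotiate)")
    return findings
```

Running audit_trunk on the pre-hardening output with negotiation on reports all three gaps; on the Task 5 output with negotiation off it returns an empty list.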