11.6.2 Lab - Switch Security Configuration

Captions
Hi friends, welcome to all. In this video we are going to discuss the CCNA version 7 lab activity Switch Security Configuration. Before coming to this lab activity, friends, if you like to get any CCNA project support or CCNA version 7 online classes you can contact our team using our website link, which you will get from the description below. Also, if you like to get this type of technical videos in future, consider subscribing. Also don't forget to enable the bell icon near the subscribe button so that you will get a notification message whenever we upload a new video.

Now coming back to our lab activity. Here we can see the topology; we will design the same topology in our Cisco Packet Tracer. Also we can see the addressing table. We will go through the objectives. In Part 1, configure the network devices: cable the network, configure R1, then configure and verify basic switch settings. Then in Part 2, configure VLANs on switches: configure VLAN 10, configure the SVI for VLAN 10, then configure VLAN 333 with the name Native on S1 and S2, also configure VLAN 999 with the name ParkingLot on S1 and S2. Then in Part 3, configure switch security: implement 802.1Q trunking, configure access ports, secure and disable all unused switch ports, then document and implement port security features, then implement DHCP snooping security, then implement PortFast and BPDU guard, and finally verify end-to-end connectivity.

Here we will go through this scenario: this is a comprehensive lab to review previously covered layer 2 security features. Also they have given a note: the routers used with the CCNA hands-on labs are Cisco 4221 with Cisco IOS XE release 16.9.3; the switches used in the labs are Cisco Catalyst 2960 series with Cisco IOS release 15.0. These instructions we usually see with all the lab activities, so directly we will go to the required resources. Here we can see one router, Cisco 4221 with Cisco IOS XE release, but here we can see this Cisco 4221 is not available in Cisco Packet Tracer, so we can go with 4331. Then two switches, Cisco 2960 series with Cisco IOS release 15, then two PCs, then the cables: a console cable to configure the Cisco IOS devices via the console ports. Anyway, here we will use the CLI directly from the device itself, so no need of this console cable. Then Ethernet cables as shown in the topology.

Now coming to the instructions. In Part 1, configure the network devices. Step 1: cable the network. Cable the network as shown in the topology, then initialize the devices. So coming to our topology, we will design this topology in our Cisco Packet Tracer. Okay, here instead of 4221 we will use a 4331 router. Here we can see we will add one router, then we will rename this as R1. Then we can see two switches, so click on switches, then 2960 series. Then we require two PCs. So this switch is S1 and this is S2, also we have a PC-A and this is PC-B. Then coming to these connections, we will choose copper straight-through. We will press Ctrl from the keyboard so that we can connect multiple devices, so just press Ctrl and then this copper straight-through, then you can release Ctrl. Then from R1 we will select G0/0/1, here we can see, then on S1 we have to connect to Fa0/5. Then from S1 to S2, here we can see from Fa0/1 to Fa0/1, so we can see it's the same type of device, so we can go for a copper crossover. Before that we will connect these PCs: from S1 Fa0/6 to this PC-A, then from S2 Fa0/18 to this PC-B. Now we will choose this copper crossover and connect from Fa0/1 to Fa0/1.

Now we will go to Step 2: configure R1. Load the following configuration script on R1. Okay, we can copy and paste. I will do it one by one; sometimes we may get errors, so here I think it's better I will type. This command: enable, configure terminal, then we have to set this hostname as R1: hostname R1. Then we have to give no ip domain-lookup. Then we have to exclude these addresses: ip dhcp excluded-address. So just I will copy each line and paste here, okay. Then coming to this line, paste it, or you can type this entire command ip dhcp excluded-address, then you have to give the low IP address and the high IP address. Okay, then we have to create this ip dhcp pool, then we have to specify the network, here we can see the network 192.168.1.0, then we have this default gateway, then press Enter, then we can see we will set this domain name. Okay, now we will create this interface Loopback0 and we will set this IP address; just we'll copy this line and paste here. Okay, now we are in the interface Loopback0 and we will just set this IP address, it's here. Then we will go to this interface G0/0/1, you can paste here, then we will set this description, it's Link to S1 port 5. Okay, then we have this command ip dhcp relay information trusted, so just I will try this command ip dhcp, I will put a question mark. Okay, so just I will exit, I will try this command ip dhcp, here we can see relay, again I will put a question mark, we can see information trusted, so this comes in global configuration mode. Okay, oh sorry, so just let me try this information, and here we can see we have this command, and not trusted, we have trust-all, right. Mm-hmm, we can give that trust-all. Then we will set this IP address for this interface G0/0/1, so actually for that we have to go to that interface: interface G0/0/1, and we will paste that command. Also we have to give a no shutdown command, okay. Then we will set this line console 0: we will exit and we will go to line console 0, then we will give logging synchronous, we'll correct here, synchronous, yeah. Then we will give exec-timeout; here you can press this shortcut Tab button to complete the incomplete unique command, but here I type the entire command: exec-timeout 0 space 0.

Then verify the running configuration on R1 using the following command: show ip interface brief. We will give this show command in privileged exec mode: end, show ip interface brief, and here we can see the details, GigabitEthernet0/0/1, its IP address, status up, and we can see Loopback0, its IP address and its status. Verify IP addressing and interfaces are in an up/up state, troubleshoot as necessary. Yeah, so everything is correct.

Now we will go to Step 3: configure and verify basic switch settings. Configure the hostname for switches S1 and S2. We will go to S1 CLI, enable, configure terminal, we will set the hostname as S1. Then we will go to S2 CLI, enable, configure terminal, then hostname S2. Then we can prevent unwanted DNS lookups on both the switches: we have to give this command no ip domain-lookup, just I will copy this command, then coming to S2, paste it and press Enter. Then configure interface descriptions for the ports that are in use in S1 and S2. Okay, that can be done. So we will go to S1 first, then go to CLI, and here we can see we will go to this interface first, Fa0/6: interface fa0/6, and here we can set this description, it's Link to PC-A, then the port is Fa0/6. Then we will go to the other interfaces: just exit and then we will go to interface Fa0/5, interface fa0/5, and we will set this description, we will give Link to R1, right, then the port, we can see it's Fa0/5, or even we can give the port of our router, it's G0/0/1. Then we will exit and then go to interface fa0/1 and we will set this description, Link to S2, right, Link to S2, and we can specify the port itself, fa0/1. We will close this S1, then we will go to S2. We can go to the interface, it's fa0/18, and we can set the description Link to PC-B port Fa0/18, exit, go to interface fa0/1 and we will set the description Link to S1 port Fa0/1. Set the default gateway for the management VLAN to 192.168.1.1 on both switches: just I will copy this IP address, we will go to S1 first, default gateway, so just exit and we will give ip default-gateway, it's here. Then we will go to S2, exit, ip default-gateway.

Now we will go to Part 2: configure VLANs on switches. Configure VLAN 10 on S1 and S2 and name the VLAN Management. So we'll go to S1, we will create this VLAN 10 and we will give the name as Management. Then coming to S2, vlan 10, name is Management. Step 2: configure the SVI for VLAN 10. Configure the IP address according to the addressing table for the SVI for VLAN 10 on S1 and S2, enable the SVI interfaces and provide a description for the interface. So coming to the addressing table, here we can see S1, S2, interface VLAN 10, and we can see its IP address and subnet mask. We will set this IP address. Coming to S1 CLI, exit, then we have to go to interface vlan 10, then we will set the IP address, just I will copy and paste, then its mask. Also we will set its description, this is S1 Management VLAN. Okay, we will go to S2, exit, then to interface vlan 10, then we will set this IP address, then its subnet mask, also we will set its description. So we gave here Link to, yeah sorry, we have to set the right description: here what we gave is S1 Management VLAN and this is S2 Management VLAN, okay. Yeah.

In Step 3, configure VLAN 333 with the name Native on S1 and S2. Exit, we create this VLAN 333, the name is Native. Also we can see we have to create this VLAN 999 with the name ParkingLot on S1 and S2, so we will create this VLAN 999 also, with the name ParkingLot. Then we will go to S2, exit, and create this VLAN 333 first, its name is Native, then we have VLAN 999, its name is ParkingLot.

Now coming to Part 3: configure switch security. So we have to implement 802.1Q trunking on both switches. Configure trunking on Fa0/1 to use VLAN 333 as the native VLAN, then verify that trunking is configured on both switches using this command, show interfaces trunk. So we will do this configuration. First of all we will do it in this S1: we will exit from this VLAN, then we'll go to the interface fa0/1, then we will give switchport mode trunk, also we will set the native VLAN: switchport trunk native vlan 333. Also we'll go to the switch S2, exit, then we will go to the interface fa0/1 and we will give switchport mode trunk, also we will set the switchport trunk native vlan 333. Verify the configuration on both the switches: give end, show interfaces trunk, and here we can see Fa0/1 status trunking, and we can see the native VLAN 333, mode is on. Coming to S2, give the command end, show interfaces trunk, and here we can see Fa0/1 status trunking, native VLAN 333, mode is on.

Then disable DTP negotiation on Fa0/1 on S1 and S2, then we have to verify with the show interfaces command: show interfaces fa0/1 switchport | include negotiation, so we can see Negotiation of Trunking: Off. Okay. First of all we will disable this DTP negotiation, that is Dynamic Trunking Protocol negotiation. We will go to this switch S1 first, configure terminal, then we will go to interface fa0/1, and here we have switchport, and then, oh, no, nonegotiate, right, yeah, nonegotiate. We can verify it: just we will end, and here we can give the command show interfaces fa0/1 switchport; we will try with this pipe include negotiate. So here just I will press the up arrow, we will remove this command, we will give only show interfaces fa0/1 switchport, and here we can see the details, you can see Negotiation of Trunking: Off. We will go to this switch S2, then go to the interface fa0/1, sorry, we have to go to global configuration mode, right, then we can give interface fa0/1 and we have to give switchport nonegotiate, give end, and we can give the command show interfaces fa0/1 switchport, okay, and here we can see Negotiation of Trunking is Off.

Step 2: configure access ports. On S1, configure Fa0/5 and Fa0/6 as access ports that are associated with VLAN 10. So we will go to these interfaces Fa0/5 and Fa0/6 as a range and we will then configure these ports as access ports. We can see Fa0/5 is connecting to this router R1 and Fa0/6 is connecting to this PC-A. So coming to S1, configure terminal, the command is interface range fa0/5 - 6, that means 5 and 6, okay. Here we have to give the command switchport mode access. On S2, configure Fa0/18 as an access port that is associated with VLAN 10. Coming to our topology, here we can see Fa0/18 which is connecting to this PC, that is PC-B, so we have to configure this port as an access port. We will go to this S2, configure terminal, we have to go to that interface, that is fa0/18, then give the command switchport mode access.

Step 3: secure and disable unused switch ports. On S1 and S2, move the unused ports from VLAN 1 to VLAN 999 and disable the unused ports. Okay, we will shut down all the unused ports in these switches S1 and S2. Coming to S1, here we can see we used Fa0/1, Fa0/5 and Fa0/6, so we will shut down all the ports except these three. We will go to S1, exit, and here we can give the command interface range fa, and we can see 0/1 is already used so we'll give fa0/2 - 4, because we can see 5 and 6 are used, comma, fa0/7 - 24. Also we have two GigabitEthernet interfaces, that is g0/1 - 2, okay. We can give switchport mode access, also we will assign these ports: switchport access vlan 999. Also we have to shut down all these ports. Now we will shut down all the unused ports in this switch S2. Coming to this switch, here we can see we used Fa0/1 and Fa0/18, so coming to this switch, exit, then we will go to interface range fa0/2 - 17, because 18 we used, fa0/19 - 24, also we have two gigabit interfaces g0/1 - 2. Here we have to give switchport mode access, switchport access vlan 999, also we will shut down all these ports. Okay.

Then we will verify that unused ports are disabled and associated with VLAN 999 by issuing the show command show interfaces status. Okay, we will try this command. Coming to S1, we will give end, show interfaces, I will put a question mark and we will see this status, here we can see that, and here we can see the details: so all these unused ports are in VLAN 999 and here we can see those ports are disabled, and we can see Fa0/5 and Fa0/6, they are connected. We can check in S2 also: end, show interfaces status, and here we can see all the unused ports shutdown, disabled and assigned to VLAN 999.

Step 4: document and implement port security features. The interfaces Fa0/6 on S1 and Fa0/18 on S2 are configured as access ports. In this step we will also configure port security on these two access ports. On S1, issue the show port-security interface fa0/6 command to display the default port security settings for interface Fa0/6. Record your answers in the table below. So we'll go to S1 and we will give this show command, show port-security interface fa0/6, and we can see the details. Here we have to get the port security: Port Security Disabled, we put it here. Then maximum number of MAC addresses: Maximum MAC Addresses, it is 1. Then the violation mode, we can see Violation Mode, it's Shutdown. Aging Time 0 mins, then Aging Type Absolute, then Secure Static Address Aging Disabled, and finally Sticky MAC Addresses 0. On S1, enable port security on Fa0/6 with the following settings: maximum number of MAC addresses 3, violation type restrict, aging time 60 minutes, aging type inactivity. We will do that. Coming to this switch, we have to go to this interface fa0/6, right, so configure terminal, interface fa0/6, and first of all you have to enable this port security: switchport port-security. Then next is switchport port-security maximum 3. Then we have to set the violation: switchport port-security violation restrict. Also we have to set the aging time: switchport port-security aging time; so we have this command, you can see aging, again we will put a question mark, we have the time, it's 60 minutes, so we can specify in minutes, so 60. Also we will give switchport port-security, we have aging type, so we have to give aging, put a question mark, so here I can see only this. I will try with the type: port-security, then a question mark, and we will see we are unable to set this aging type inactivity, right. So switchport port-security, we will try with aging, we should come into this aging, a little question mark, and here we can see only this time, we cannot see this aging type, okay, and in time we can see we are able to set the aging time in minutes. Anyway, we will leave this aging type configuration.

Then next, verify port security on S1 Fa0/6 using this command show port-security interface fa0/6. So just press Ctrl+Z from the keyboard and here we will give the command show port-security interface fa0/6 and we can see the details: Port Security is Enabled, Violation Mode we gave as Restrict, and here we can see Aging Time, it's 60 mins, Maximum MAC Addresses, it's 3. Then we can try this show command, show port-security address. So here we cannot see any address, even we cannot see the last source address, so just we will fast-forward and once more we will apply this command, just press the up arrow from the keyboard, and still, okay, Secure MAC Address Table, actually we did not see this MAC address specified, but once you ping from PC-A to PC-B or to any other device we will get these details in this switch.

So now enable port security for Fa0/18 on S2. Configure the port to add MAC addresses learned on the port automatically to the running configuration. Okay, that can be done. We will go to S2 CLI, enable, configure terminal, we will go to this interface fa0/18 and we will enable port security, then we will give the command switchport port-security mac-address sticky. Configure the following port security settings on S2 Fa0/18: maximum number of MAC addresses 2, violation type protect, then aging time 60 minutes. We can do that here: we will give switchport port-security maximum 2, okay, then we will set the violation type as protect: switchport port-security violation protect. Also we have to set this aging time: switchport port-security, we have this aging time 60. Verify port security on S2 Fa0/18: give the command end and then give show port-security interface fa0/18, and here we can see Port Security is Enabled, Violation Mode is Protect, Aging Time 60 mins, then Maximum MAC Addresses 2, Total MAC Addresses, all these will come later, this Last Source Address also should come once we have assigned the IP address to these PCs. Then we have to give this show command, show port-security address, and as I told, currently it will not show this MAC address when you give this show command.

So next is implement DHCP snooping security. On S2, enable DHCP snooping and configure DHCP snooping on VLAN 10. We will do that. Coming to S2, we have to go to global configuration mode, configure terminal, and here we can give ip dhcp snooping. Also we have to give ip dhcp snooping, I will put a question mark and here we can see vlan, for VLAN 10. Configure the trunk port on S2 as a trusted port: again go to the switch S2 and here we can now give this command, we have to go to the interface fa0/1, right, then we have to give this command ip dhcp snooping trust. Limit the untrusted port Fa0/18 on S2 to 5 DHCP packets per second. Okay, that can be done. Again we will go to S2, then we will exit and we have to go to the interface fa0/18, and here we have to give ip dhcp snooping, and we can set this limit, right, that is a limit, here we can see DHCP snooping limit, so type limit, again we will put a question mark, and we can set this rate as specified, it's 5 DHCP packets. Verify DHCP snooping on S2 using this command show ip dhcp snooping. We can try this: end, and we'll give the show command show ip dhcp snooping, and here we can see the details: DHCP snooping is configured on the following VLANs, VLAN ID is 10, insertion of option 82 is enabled, verification, all these, okay, and here we can see the rate limit is set to 5 for this interface Fa0/18. Here is the output of this show command show ip dhcp snooping.

From the command prompt on PC-B, release and then renew the IP address. So we have to give this command ipconfig /release then ipconfig /renew. We can do this: just go to PC-B, then Desktop, Command Prompt, here we can give ipconfig /release, okay, then we can give ipconfig /renew, and we can see DHCP request failed. Why is it failed? Because, so we can see, this Fa0/18 is in the default VLAN 1. We can verify that: we will go to this S2 and here we will give a show vlan brief command, and so we can see this port Fa0/18 is in the default VLAN 1. We have to assign this port Fa0/18 to this VLAN 10. We can do that: configure terminal, we will go to the interface fa0/18, then we will give switchport access vlan 10, okay. Now we can see it's in amber color, you can click fast-forward time. Then we will go to this PC-B and again we will give this command, that is release, then we'll try renew, and we can see DHCP request failed. Why is it failed? During this Step 2 actually one thing we forgot: on S1 configure Fa0/5 and Fa0/6 as access ports that are associated with VLAN 10. So here we can see, give the command show vlan brief, and we can see Fa0/6 only assigned to VLAN 10, and here we can see Fa0/5 is still in the default VLAN. So we can assign this port Fa0/5 to this VLAN 10, that is Management. So configure terminal, we will go to that interface, that is fa0/5, and here we can give switchport access vlan 10. Now we will try this again: we will go to PC-B command prompt and we will release the address, ipconfig /release, "port is not using DHCP", okay, so we can give renew, ipconfig /renew, and it's waiting, DHCP request failed. So what I will do, just we will go to PC-B, then we'll go to IP Configuration. Before that, just we will try this PC-A; I think for this PC also we have to assign DHCP, yes. So this, we will go to IP Configuration and we can give DHCP, and here we can see we get DHCP request successful, IP address, subnet mask, default gateway. But here on PC-B we are not getting this DHCP-requested IP address, but we can see DHCP failed. So here let me try, I will remove that ip dhcp snooping, we can give no ip dhcp snooping, okay, then we will try this, okay. So it's DHCP, it's correct, we are going to remove this step, no ip dhcp snooping. So now we will try: we'll go to PC-B, we can go to Command Prompt, and yeah, now we can see, we will release and we will renew, and here we can see we receive the IP address, subnet mask and default gateway. Now verify the DHCP snooping binding using the show ip dhcp snooping binding command. So actually we removed this ip dhcp snooping command from this S2, right, okay.

Now we will go to Step 6: implement PortFast and BPDU guard. Configure PortFast on all the access ports that are in use on both switches. Okay, we will go to S1 first, enable, configure terminal, we'll go to the interface range fa0/5 - 6, they are in access, right, static access, right, so here we can give this spanning-tree portfast, okay. Now we will go to S2, configure terminal, we will go to the interface fa0/18 and there we will give this command spanning-tree portfast. Then verify; before that, enable BPDU guard on S1 and S2 on the access ports connected to PC-A and PC-B, that means these ports Fa0/6 and Fa0/18. First of all we will go to S1, exit, and go to interface fa0/6, and here we can give this command spanning-tree bpduguard enable. Okay, so just I will copy this command, then go to S2, and here already we are in the interface fa0/18, here we can give this command spanning-tree bpduguard enable. Now we will verify the BPDU guard and PortFast are enabled on the appropriate ports. We can give this show spanning-tree interface fa0/6 detail. We will go to this and we can give end, here we will give show spanning-tree interface fa0/6 detail, and here we can see the details, so we can see it is designated forwarding, port path cost 19, priority, okay, sure, we can see, highlighted, the port is in the PortFast mode and the BPDU guard is enabled. So even we can see the same here, the port is in the PortFast mode, oh, all right.

Coming to the final step: verify end-to-end connectivity. Verify ping connectivity between all devices in the IP addressing table. If the pings fail, you may need to disable the firewall on the PC hosts. Okay, so we can ping from PC-A to PC-B, or even we can ping to this router R1, so we can see its IP address, 10.11. We will go to Command Prompt, ping 192.168.10.11, and we can see we get the replies. Even we can ping its default gateway, that is 10.1, yeah, it's working. That's all in this lab activity, that is Switch Security Configuration. Now dear friends, if you have any doubt, any suggestions regarding this lab activity, please comment below, and also if you liked our video give a thumbs up and share with all your friends. Stay tuned and we will meet again with the next video. Thank you.
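The lab's intended end state for S2, collected into one configuration as an added example (this is not the video author's typed session and not Cisco's lab answer key). Interface numbers, VLAN ids, port-security values, the DHCP rate limit and the 192.168.1.1 gateway are the ones the walkthrough states; the SVI address is a placeholder because the addressing table is not reproduced above, and the option-82 note at the end is an assumption about why the renew on PC-B can fail while snooping is on.

```cisco
! S2 -- consolidated security configuration for the lab walked through above.
! Added example, not the video author's typed session or Cisco's answer key.
! ASSUMED: the Vlan10 address below is a placeholder (addressing table not shown).
hostname S2
no ip domain-lookup
ip default-gateway 192.168.1.1
!
vlan 10
 name Management
vlan 333
 name Native
vlan 999
 name ParkingLot
!
interface Vlan10
 description S2 Management VLAN
 ip address <S2-VLAN10-ADDRESS> <SUBNET-MASK>
 no shutdown
!
! DHCP snooping for the management VLAN; bindings are built from offers that
! arrive on trusted ports only.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Trunk to S1: fixed native VLAN and DTP off, so the far end cannot negotiate
! the port into another mode; trusted for snooping because the DHCP server
! (R1, behind S1 Fa0/5) is reached through this link.
interface FastEthernet0/1
 description Link to S1 port Fa0/1
 switchport mode trunk
 switchport trunk native vlan 333
 switchport nonegotiate
 ip dhcp snooping trust
!
! Host port: static access in VLAN 10, port security with sticky learning
! (max 2, protect, 60 min aging), PortFast + BPDU guard, DHCP rate limit.
interface FastEthernet0/18
 description Link to PC-B
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
 switchport port-security aging time 60
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 5
!
! Every unused port: access mode, parked in VLAN 999, administratively down.
interface range fa0/2 - 17 , fa0/19 - 24 , gi0/1 - 2
 switchport mode access
 switchport access vlan 999
 shutdown
!
! S1 mirrors this file with Fa0/5 - 6 as the access ports; its Fa0/6 port
! security differs only in values: maximum 3, violation restrict, aging time 60
! and "switchport port-security aging type inactivity" (accepted by IOS 15,
! although Packet Tracer may not offer the "type" keyword, as seen above).
!
! If "ipconfig /renew" on PC-B fails while snooping is on, check option-82
! handling before removing snooping: the lab trusts it on R1 with
! "ip dhcp relay information trust-all", or insertion can be suppressed on
! S2 with "no ip dhcp snooping information option". Turning snooping off also
! empties the binding table that "show ip dhcp snooping binding" verifies.
```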
Info
Channel: Tech Acad
Views: 36,689
Keywords: CISCO, CISCO Certification, CCNA, CISCO Switch, Routing and Switching, Packet Tracer, Switch Security, CCNAv7
Id: 22Bu-PbaosU
Length: 51min 10sec (3070 seconds)
Published: Mon Jul 13 2020