11.6.2 Lab - Switch Security Configuration

Video Statistics and Information

Captions
Switch Security Configuration. Topology: we use a 4321 router in Packet Tracer, a 2960 switch for S1 and also for S2, and two PCs: R1, S1, S2, PC-A and PC-B. Now the connections: from GigabitEthernet 0/0/1 on R1 to FastEthernet 0/5 on S1; between the switches FastEthernet 0/1 on both sides; from S1 FastEthernet 0/6 to PC-A, and from S2 FastEthernet 0/18 to PC-B. This is the addressing table: G0/0/1 has IP address 192.168.10.1, there is a loopback interface on R1, S1 uses VLAN 10 (the management interface will be VLAN 10) with IP 192.168.10.201, S2 uses VLAN 10 with 192.168.10.202, and PC-A and PC-B use DHCP. Required resources on a real lab: one 4221 router, two 2960 switches, two PCs, console cables and Ethernet cables.

Configure the network devices: cable the network and initialize the devices. On a real lab, on the router you need to erase the startup-config and then reload; on the switches erase the startup-config, delete the VLAN database and reload.

Configure R1: load the following configuration script on R1. Copy all this; I prefer to paste it first into Notepad and review it. enable to go from user EXEC to privileged EXEC mode, configure terminal to go to global configuration mode and set the hostname, no ip domain-lookup, ip dhcp excluded-address for the addresses excluded from DHCP, the DHCP pool (R1 will be the DHCP server), interface Loopback0 with its IP address, GigabitEthernet 0/0/1 with a description, ip dhcp relay information trusted (Packet Tracer does not support this command, but I will paste it anyway), the IP address 192.168.10.1, no shutdown, and the line console configuration. Go to the command-line interface. "Would you like to enter the initial configuration dialog?" No, enter. In user EXEC mode copy this: enable, configure terminal, hostname. Copy, paste. Very good: enable, configure terminal, hostname, ip dhcp excluded-address, the DHCP pool, Loopback0, the Gigabit description; it does not support this command, ip dhcp relay, but don't worry, the DHCP server will work. Very good: ip address, no shutdown, line console. Very good.

Continue with verification: show ip interface brief. Go to privileged EXEC mode, show ip interface brief, enter: GigabitEthernet 0/0/1 has its IP address, status up, protocol up; Loopback0 has its IP address, status up, protocol up. Very nice. Verify the IP addressing; the interfaces are in the up/up state. Very nice.

Configure the basic switch settings. First the hostname on S1 and S2. Go to S1, for example, command-line interface, enable to go to privileged EXEC mode, configure terminal to go to global configuration mode and set the hostname for S1: hostname S1, enter. Now prevent unwanted DNS lookups: no ip domain-lookup, enter. Configure interface descriptions for the ports that are in use on S1 and S2. Only descriptions; for example FastEthernet 0/5 on switch S1: interface FastEthernet 0/5, you are in interface configuration mode, description, you can say Connection to R1, enter. You can use any description, any label; it's only a label. FastEthernet 0/6: Connection to PC-A. And FastEthernet 0/1: Connection to S2. Only descriptions, only information. Exit to go to global configuration mode and set the default gateway for the management VLAN: ip default-gateway 192.168.10.1. The same procedure on S2: enter, enable, configure terminal, hostname S2, no ip domain-lookup, interface FastEthernet 0/1, description Connection to S1, interface FastEthernet 0/18, description Connection to PC-B, enter, exit, and the default gateway in global configuration mode: ip default-gateway 192.168.10.1, enter. Configure VLAN 10 on S1 and S2; the name is Management. On S1: vlan 10, name Management, exit. On S2: vlan 10, name Management, exit. You create the VLAN in global configuration mode and set the name in VLAN configuration mode, then exit to go back to global configuration mode and configure the SVI for VLAN 10.

Configure the IP address according to the addressing table for the SVI (switch virtual interface) for VLAN 10 on S1 and S2. Enable the interfaces and provide a description. Go to the addressing table and configure on S1 the VLAN 10 IP address and subnet mask; don't forget the description and enable the interface as well: interface vlan 10, description Management Interface, ip address 192.168.10.201 with a /24 subnet mask, no shutdown, exit. Go to S2: interface vlan 10, description Management Interface, ip address 192.168.10.202 with a /24 subnet mask, no shutdown, exit. Configure VLAN 333 with the name Native on S1 and S2, and configure VLAN 999 with the name ParkingLot on S1 and S2. First vlan 333, name Native; then vlan 999, name ParkingLot (it is case sensitive: ParkingLot). That's it: vlan 333 name Native, vlan 999 name ParkingLot.

Configure switch security. Implement 802.1Q trunking on both switches. Configure trunking on FastEthernet 0/1 to use VLAN 333 as the native VLAN. This will be the trunk link, FastEthernet 0/1 on both sides. Configure interface FastEthernet 0/1, switchport mode trunk, enter. Very good: switchport mode trunk, and use VLAN 333 as the native VLAN: switchport trunk native vlan 333, enter, and exit. Now go to S2, but you will see this message: native VLAN mismatch discovered on FastEthernet 0/1. The native VLAN on FastEthernet 0/1 on S1 is VLAN 333, while the native VLAN on FastEthernet 0/1 on S2 is different: the native VLAN by default is VLAN 1, so this message appears. So go to S2, enter, interface FastEthernet 0/1 as well, switchport mode trunk and switchport trunk native vlan 333, enter. Now that the native VLAN is 333 on both sides you will see "port consistency restored"; now it is fixed. Very good. Exit, and now you are in global configuration mode. Verify with show interfaces trunk. Go to S1, enter, privileged EXEC mode, show interfaces trunk: port Fa0/1, mode on (static trunk), encapsulation 802.1q, status trunking, native VLAN 333. Let's do the same on S2: show interfaces trunk: Fa0/1, mode on, encapsulation, status, native VLAN 333.

Disable DTP negotiation on FastEthernet 0/1 on S1 and S2. Go to S1, configure terminal, interface FastEthernet 0/1 and switchport nonegotiate, enter, exit. And S2: configure terminal, interface FastEthernet 0/1, switchport nonegotiate, exit. Verify with show interfaces commands, for example on S1: exit to go to privileged EXEC mode, show interfaces f0/1 switchport | include negotiation, enter, and you will see this line: Negotiation of Trunking: Off, because of the nonegotiate command. Try to only show this part: show interfaces FastEthernet 0/1 switchport gives all this output, and you want only this line, Negotiation of Trunking: Off; that's why you use the pipe and the include keyword, to only show the line with the word negotiation. On S2: show interfaces f0/1 switchport | include negotiation. Very nice: Negotiation of Trunking: Off.

Configure access ports. FastEthernet 0/5 and 0/6 are access ports associated with VLAN 10 on S1 (remember 0/1 is the trunk, so only FastEthernet 0/5 and 0/6 are the access ports): configure terminal, interface range to select the two ports, FastEthernet 0/5 - 6, switchport mode access, and assign them to VLAN 10: switchport access vlan 10, enter, exit. On S2 configure FastEthernet 0/18 as an access port in VLAN 10; this interface, FastEthernet 0/18 (0/1 is the trunk): configure terminal, interface FastEthernet 0/18, switchport mode access, switchport access vlan 10, enter, exit. Very good.

Secure and disable the unused switch ports. You have to move the unused ports from VLAN 1 to VLAN 999 and disable them. What ports are in use on S1? 0/5, 0/6 and 0/1. So select all the unused ports with the interface range command: 0/1 is in use, select from 0/2 to 0/4; 0/5 and 0/6 are in use, select from 0/7 to 0/24, and GigabitEthernet 0/1 - 2, enter. switchport mode access, switchport access vlan 999 (the ParkingLot VLAN will apply), and disable the unused ports: shutdown. Exit. Go to S2: what ports are used on S2? 0/1 and 0/18. So select all the unused ports: interface range, 0/1 is in use, from 0/2 to 0/17; 0/18 is in use, from 0/19 to 0/24 and GigabitEthernet 0/1 - 2, enter. switchport mode access, switchport access vlan 999 (ParkingLot VLAN), shutdown, exit. Very good. Verify with show interfaces status on S1, for example: exit to privileged EXEC, show interfaces status: 0/1 connected, from 0/2 to 0/4 disabled, 0/5 and 0/6 connected, 0/7, 0/8, 0/9, 0/10 disabled. Very nice. On S2: exit, show interfaces status; now you will see FastEthernet 0/1 connected and all the other interfaces disabled, except FastEthernet 0/18 connected.

Document and implement port security features. The interfaces FastEthernet 0/6 on S1 and 0/18 on S2 are configured as access ports. You will also configure port security on these two access ports. On S1: show port-security interface FastEthernet 0/6 to display the default port security settings. Go to S1 and you will see the default port security configuration on FastEthernet 0/6: click on S1, show port-security interface FastEthernet 0/6, enter, and now record your answers in the table below. This table: port security disabled by default, maximum MAC addresses only 1, violation mode shutdown, aging time 0 minutes, aging type absolute, secure static address aging disabled, sticky MAC addresses 0.

On S1 enable port security on FastEthernet 0/6 with the following settings. Configure all this, but first enable port security on FastEthernet 0/6: configure terminal, interface FastEthernet 0/6, switchport port-security (this command enables port security). Now the maximum number of MAC addresses, 3: switchport port-security maximum 3. Violation restrict: switchport port-security violation restrict. Aging time 60 minutes: switchport port-security aging time 60. Aging type inactivity: switchport port-security aging type inactivity, enter; Packet Tracer does not support this command, but don't worry. And finally end to go to privileged EXEC. Maximum number of MAC addresses 3: on FastEthernet 0/6 you can connect three MAC addresses, maximum three. If the maximum number of MAC addresses is exceeded a violation will occur, and in this case the action is restrict. The restrict action drops all the packets from the insecure host and increments the security violation count; this security violation count will be incremented. The aging time is 60 minutes and sets the duration for which all addresses are secured. One thing to keep in mind is that when port security is activated, MAC addresses do not expire by default; if you want to configure an expiration time you must configure the aging time. Aging type inactivity specifies that the timer starts to run only when there is no traffic.

Verify: show port-security interface FastEthernet 0/6. Now port security is enabled, port status is Secure-up, the violation mode changed to restrict, aging time 60 minutes, aging type should be inactivity (in Packet Tracer this command was rejected, but on a real lab it should be inactivity), secure static address aging disabled, maximum MAC addresses 3, total MAC addresses 0 (on a real lab it should be 1), last source address no MAC address and no VLAN. On a real lab you should have the MAC address and the VLAN: this is the MAC address column and the VLAN number. To simulate the real lab, on PC-A you can generate traffic to R1. To generate traffic configure the DHCP client on PC-A; now you got the IP, subnet mask and default gateway from the DHCP server placed at R1, and traffic was generated between R1 and PC-A. So you can repeat the command show port-security interface FastEthernet 0/6, enter, and now you will see the MAC address on FastEthernet 0/6: this is the MAC address of PC-A, and 10 because it's VLAN 10. And now total MAC addresses 1: this MAC address, one PC connected, VLAN 10. show port-security address: now you will see the VLAN, the MAC address (this is the MAC address of PC-A), and type DynamicConfigured, so dynamically learned by the switch. You only configured: enable port security, maximum number of MAC addresses, violation restrict, aging time and aging type; the address was dynamically learned, DynamicConfigured, port Fa0/6. Very good. Remaining age on this interface: no information. On a real lab you should see 60 minutes; Packet Tracer does not show this because the aging type command was not accepted.

Enable port security on FastEthernet 0/18 on S2. Click on S2, enter, enable, configure terminal, interface FastEthernet 0/18, and now configure the port to add MAC addresses learned on the port automatically to the running configuration. This is sticky. switchport port-security first, to enable port security, enter; now configure sticky: switchport port-security mac-address sticky, to learn automatically into RAM, the running config. Now configure the following security settings on FastEthernet 0/18: maximum number of addresses 2, switchport port-security maximum 2; violation protect, switchport port-security violation protect; aging time 60 minutes, switchport port-security aging time 60; and then exit or end to go to privileged EXEC. Now port security is enabled, with switchport port-security mac-address sticky to learn MAC addresses automatically and place them in the running configuration (RAM). Maximum number of MAC addresses 2: two MAC addresses maximum on FastEthernet 0/18; you have only one for now and the maximum is two. If this maximum number is exceeded a violation will occur and the action is protect. The action protect drops all the packets from the insecure host but does not increment the security violation count. The difference with restrict: restrict will increment the security violation count, but protect will not increment the count. Aging time 60 minutes.

Now verify: show port-security interface FastEthernet 0/18, enter. Port security enabled, port status Secure-up, violation mode protect, aging time 60 minutes, aging type absolute, maximum MAC addresses 2, total MAC addresses 0 (for now 0; on a real lab you should have one learned), last source address and VLAN: no MAC address and no VLAN; on a real lab you should see the MAC address and VLAN 10. Generate traffic from PC-B to simulate a real lab: go to PC-B, Desktop, DHCP; now you got the IP parameters from the DHCP server, that is R1, and you generated traffic between R1 and PC-B. Now repeat show port-security interface FastEthernet 0/18 and you will have total MAC addresses 1, sticky MAC addresses 1, and the last source address MAC address and VLAN: this is the MAC address of PC-B and VLAN 10. Sticky MAC address: now you are using the sticky method. On S1 the configuration was dynamic by default; on S1 the address is DynamicConfigured, dynamically learned, but on S2 the method is sticky, sticky MAC addresses 1. Also show port-security address, enter, and now you will see the VLAN, this time the MAC address of PC-B, type SecureSticky because it is not dynamic, it is sticky, port Fa0/18, remaining age: no information. Very good. No information also on a real lab: aging, aging time, remaining age in minutes, no information. Why? Because this switch does not support port security aging of sticky secure addresses. Very nice.

Implement DHCP snooping security on S2 only. Enable DHCP snooping and configure DHCP snooping on VLAN 10. Click on S2, go to global configuration mode: configure terminal, ip dhcp snooping, enter; and snooping on VLAN 10: ip dhcp snooping vlan 10, enter. Configure the trunk port on S2 as a trusted port. What is the trunk port on S2? FastEthernet 0/1 is the trunk port, so FastEthernet 0/1 will be the trusted port. But why is it the trusted port? Because it is the connection to the DHCP server, the connection toward R1, so this port will be the trusted port for DHCP snooping: interface FastEthernet 0/1, ip dhcp snooping trust, enter. Limit the untrusted port FastEthernet 0/18 on S2 to 5 DHCP packets per second. What is the untrusted port? It is the connection to a PC; FastEthernet 0/18 is the untrusted port and the access port: interface FastEthernet 0/18, ip dhcp snooping limit rate 5, packets per second, but only DHCP packets: five DHCP packets per second. Exit or end, and verify: show ip dhcp snooping. FastEthernet 0/1 trusted yes, rate limit unlimited; FastEthernet 0/18 trusted no, rate limit 5 DHCP packets per second. Very nice, and DHCP snooping is configured on VLAN 10.

From the command prompt on PC-B release and then renew the IP address. On PC-B, verify the IP address: ipconfig; this is the IP address obtained using DHCP, my IP, subnet mask and default gateway. You can use the command ipconfig /release to remove the IP address and then ipconfig /renew to get the IP parameters again. Both commands work very well on Packet Tracer, but I will not do this, because Packet Tracer does not support these commands when snooping is configured on S2. Don't worry about this; on a real lab you can test it and verify your DHCP snooping binding using show ip dhcp snooping binding. Go to S2: show ip dhcp snooping binding, enter. In my case, no information. Why? On a real lab you should see the MAC address of PC-B, you will also see the IP address of PC-B, the lease time, the type dhcp-snooping, the VLAN, FastEthernet 0/18 on S2, and total number of bindings 1. In my case there is no information, but this will appear when you test those commands, release and renew. For now, continue.

Implement PortFast and BPDU guard. Configure PortFast on all access ports that are in use on both switches. Enable BPDU guard on the S1 and S2 VLAN 10 access ports connected to PC-A and PC-B. Go to S1, enter, enable, configure terminal. PortFast on all access ports on S1; all the access ports are 0/5 and 0/6: interface range FastEthernet 0/5 - 6, spanning-tree portfast, enter, and don't worry about this big message; spanning-tree portfast. Go to S2: what is the access port? Only FastEthernet 0/18: configure terminal, interface FastEthernet 0/18 and spanning-tree portfast, enter. Very good. Enable BPDU guard on the S1 and S2 VLAN 10 access ports connected to PC-A and PC-B. On S1 only here, FastEthernet 0/6 connected to PC-A. You can verify. S1: only interface FastEthernet 0/6, spanning-tree bpduguard enable, enter, and then exit. S2: interface FastEthernet 0/18; now I am in interface configuration mode of Fa0/18, so you can apply spanning-tree bpduguard enable. Very good, exit. Then verify on S1: show spanning-tree interface FastEthernet 0/6 detail, enter. Now you will see the port is in the portfast mode, and on a real lab you will also see that BPDU guard is enabled. Go to S2 and show spanning-tree interface FastEthernet 0/18 detail: portfast mode. Very good.

Verify end-to-end connectivity. For example from the PC-A command prompt: go to the addressing table, first the IP address of PC-B, 192.168.10.11: ping PC-B, 192.168.10.11. Ping the router: go to the addressing table, router GigabitEthernet 0/0/1 192.168.10.1, ping 192.168.10.1, success. Ping the loopback on R1, 10.10.1.1: ping 10.10.1.1, enter. Ping switch 1, 192.168.10.201, success, and now ping S2, 192.168.10.202, success.

And finally, in reference to port security on S2, why is there no timer value for the remaining age in minutes when sticky learning was configured? Go to S2 and remember this: no information on show port-security address, no information on remaining age in minutes, only a line; also on a real lab, no information. The answer is: the switch does not support port security aging of sticky secure addresses. In reference to port security on S2, if you load the running-config script on S2, why will PC-B on port 18 never get an IP address via DHCP? On S2, do the following: show running-config in privileged EXEC and you will see this part, the FastEthernet 0/18 configuration: port-security maximum 2, and you will see this MAC address sticky, learned with the sticky mode, and this is the MAC address of PC-B. Port security is set for only two MAC addresses and port 18 has two sticky MAC addresses bound to the port: this MAC address and a new additional MAC address. The violation is protect, which will never send a console system message or increment the violation counter. In reference to port security, what is the difference between the absolute aging type and the inactivity aging type? If the inactivity type is set, then the secure addresses on the port will be removed only if there is no data traffic from the secure source addresses for the specified time period. If the absolute type is set, then all secure addresses on this port age out exactly after the time specified ends. Thank you very much.
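As an added example (not code from the video or from the Cisco lab itself), here is a small Python audit that reads a constructed running-config excerpt modelled on S2 and flags what the lab's checklist would reject: a trunk left on native VLAN 1, with DTP negotiation on, or not trusted for DHCP snooping; a disabled port not parked in VLAN 999; and a live access port missing port security, PortFast, BPDU guard or the 5 pps DHCP snooping rate limit. The config text and interface names are assumptions, not captured from a real switch.

```python
# Added example (not from the video): audit a Cisco IOS running-config excerpt against
# the lab's S2 hardening checklist. The config text is constructed, not captured from a
# real switch; FastEthernet0/19 is deliberately left unsecured so the audit has findings.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk native vlan 333
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
interface FastEthernet0/2
 switchport access vlan 999
 switchport mode access
 shutdown
interface FastEthernet0/18
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 5
interface FastEthernet0/19
 switchport mode access
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # back at global configuration level
    return interfaces


def vlan_of(lines, prefix, default="1"):
    """VLAN number from the first sub-command starting with prefix; IOS defaults to 1."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)


def audit(config):
    """Return 'interface: problem' strings for every lab requirement the config misses."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        cmds = set(lines)
        if "switchport mode trunk" in cmds:  # uplink: non-default native VLAN, no DTP, trusted
            if vlan_of(lines, "switchport trunk native vlan ") == "1":
                findings.append(f"{name}: trunk uses default native VLAN 1")
            if "switchport nonegotiate" not in cmds:
                findings.append(f"{name}: DTP negotiation still enabled")
            if "ip dhcp snooping trust" not in cmds:
                findings.append(f"{name}: uplink toward DHCP server not trusted")
        elif "shutdown" in cmds:  # unused port must be parked in the ParkingLot VLAN
            if vlan_of(lines, "switchport access vlan ") != "999":
                findings.append(f"{name}: disabled port not parked in VLAN 999")
        elif "switchport mode access" in cmds:  # live edge port: full hardening set
            required = {"switchport port-security": "port security not enabled",
                        "spanning-tree portfast": "PortFast missing",
                        "spanning-tree bpduguard enable": "BPDU guard missing",
                        "ip dhcp snooping limit rate 5": "no 5 pps DHCP rate limit"}
            findings += [f"{name}: {why}" for cmd, why in required.items() if cmd not in cmds]
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports only FastEthernet0/19, the port that was never hardened; removing a line such as `switchport nonegotiate` from the trunk adds the corresponding finding for FastEthernet0/1.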
Info
Channel: Christian Augusto Romero Goyzueta
Views: 13,971
Keywords: switching, routing, wireless, essentials, srwe, ipv4, security, port-security, dhcp snooping, restrict, protect, aging time, portfast, bpdu guard
Id: zmdgrlK5Dmw
Length: 48min 30sec (2910 seconds)
Published: Mon Jul 20 2020