Scribd
Upload
244 views27 pages

6.5.1.3 Packet Tracer - Layer 2 VLAN Security - T

The document describes configuring a management VLAN on a network. Steps include connecting a redundant link between two switches, enabling trunking and security on the link, creating VLAN 20 for management, and implementing an ACL to prevent access to the management VLAN from outside users.

Uploaded by

Millas A Forza
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
244 views27 pages

6.5.1.3 Packet Tracer - Layer 2 VLAN Security - T

The document describes configuring a management VLAN on a network. Steps include connecting a redundant link between two switches, enabling trunking and security on the link, creating VLAN 20 for management, and implementing an ACL to prevent access to the management VLAN from outside users.

Uploaded by

Millas A Forza
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 27

Packet Tracer - Layer 2 VLAN Security (Instructor Version)

Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
 Connect a new redundant link between SW-1 and SW-2.
 Enable trunking and configure security on the new trunk link between SW-1 and SW-2.
 Create a new management VLAN (VLAN 20) and attach a management PC to that VLAN.
 Implement an ACL to prevent outside users from accessing the management VLAN.

Background / Scenario
A company’s network is currently set up using two separate VLANs: VLAN 5 and VLAN 10. In addition, all
trunk ports are configured with native VLAN 15. A network administrator wants to add a redundant link
between switch SW-1 and SW-2. The link must have trunking enabled and all security requirements should
be in place.
In addition, the network administrator wants to connect a management PC to switch SW-A. The administrator
would like to allow the management PC to be able to connect to all switches and the router, but does not want
any other devices to connect to the management PC or the switches. The administrator would like to create a
new VLAN 20 for management purposes.
All devices have been preconfigured with:
o Enable secret password: ciscoenpa55
o Console password: ciscoconpa55

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of
Packet Tracer - Layer 2 VLAN Security

o VTY line password: ciscovtypa55

Part 1: Verify Connectivity


Step 1: Verify connectivity between C2 (VLAN 10) and

C3 (VLAN 10).

Step 2: Verify connectivity between C2 (VLAN 10) and

D1 (VLAN 5).
Note: If using the simple PDU GUI packet, be sure to ping twice to allow for ARP.
Packet Tracer - Layer 2 VLAN Security

Part 2: Create a Redundant Link Between SW-1 and SW-2


Step 1: Connect SW-1 and SW-2.
Using a crossover cable, connect port Fa0/23 on SW-1 to port Fa0/23 on SW-2.
Packet Tracer - Layer 2 VLAN Security

Step 2: Enable trunking, including all trunk security mechanisms on the link
between SW-1 and SW-2.
Trunking has already been configured on all pre-existing trunk interfaces. The new link
must be configured for trunking, including all trunk security mechanisms. On both SW-1
and SW-2, set the port to trunk, assign native VLAN 15 to the trunk port, and disable auto-
negotiation.
Packet Tracer - Layer 2 VLAN Security
Packet Tracer - Layer 2 VLAN Security

Part 3: Enable VLAN 20 as a Management VLAN


The network administrator wants to access all switch and routing devices using a
management PC. For security, the administrator wants to ensure that all managed
devices are on a separate VLAN.

Step 1: Enable a management VLAN (VLAN 20) on SW-A.


a. Enable VLAN 20 on SW-A.
SW-A(config)# vlan 20
SW-A(config-vlan)# exit
Packet Tracer - Layer 2 VLAN Security

b. Create an interface VLAN 20 and assign an IP address within the 192.168.20.0/24 network.

Step 2: Enable the same management VLAN on all other switches.


a. Create the management VLAN on all switches: SW-B, SW-1, SW-2, and Central.
Packet Tracer - Layer 2 VLAN Security
Packet Tracer - Layer 2 VLAN Security
b. Create an interface VLAN 20 on all switches and assign an IP address within the 192.168.20.0/24
network.
Step 3: Configure the management PC and connect it to SW-A port Fa0/1.
Ensure that the management PC is assigned an IP address within the 192.168.20.0/24 network. Connect the
management PC to SW-A port Fa0/1.
Step 4: On SW-A, ensure the management PC is part of VLAN 20.
Interface Fa0/1 must be part of VLAN 20.

Step 5: Verify connectivity of the management PC to all switches.


The management PC should be able to ping SW-A, SW-B, SW-1, SW-2, and Central.
Part 4: Enable the Management PC to Access Router R1
Step 1: Enable a new subinterface on router R1.
a. Create subinterface Fa0/0.3 and set encapsulation to dot1q 20 to account for VLAN 20.
b. Assign an IP address within the 192.168.20.0/24 network.
Step 2: Verify connectivity between the management PC and R1.
Be sure to configure the default gateway on the management PC to allow for connectivity.
Step 3: Enable security.
While the management PC must be able to access the router, no other PC should be able to access the
management VLAN.
a. Create an ACL that denies any network from accessing the 192.168.20.0/24 network, but permits all other
networks to access one another.
b. Apply the ACL to the proper interface(s).
Step 4: Verify security.
a. From the management PC, ping SW-A, SW-B, and R1. Were the pings successful? Explain.
los pings deberían haber tenido éxito porque todos los dispositivos dentro de la red 192.168.20.0 deberían
poder hacer ping entre sí. No se requieren dispositivos dentro de VLAN20 para enrutar a través del enrutador.
From D1, ping the management PC. Were the pings successful? Explain.

El ping debería haber fallado. Esto se debe a que para que un dispositivo dentro de una VLAN diferente haga
ping con éxito a un dispositivo dentro de VLAN20, debe enrutarse. El enrutador tiene una ACL que impide que todos
los paquetes accedan a la red 192.168.20.0.
Step 5: Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which
required components have been completed.
If all components appear to be correct and the activity still shows incomplete, it could be due to the
connectivity tests that verify the ACL operation.

You might also like