Layer 2 VLAN Security
PNETLAB Store
PNETLab.com
Lab Topology:
Please use the following topology to complete this lab exercise:
Objectives
• Connect a new redundant link between SW1 and SW2.
• Enable trunking and configure security on the new trunk link between SW1 and SW2.
• Create a new management VLAN (VLAN 20) and attach a management PC to that VLAN.
• Implement an ACL to prevent outside users from accessing the management VLAN.
Download PNETLab Platform
Background / Scenario
A company's network is currently set up using two separate VLANs: VLAN 5 and VLAN 10. In addition, all trunk ports are configured with native VLAN 15. A network administrator wants to add a redundant link between switch SW1 and SW2. The link must have trunking enabled and all security requirements should be in place.
In addition, the network administrator wants to connect a management PC to switch SWA. The administrator would like to enable the management PC to connect to all switches and the router, but does not want any other devices to connect to the management PC or the switches. The administrator would like to create a new VLAN 20 for management purposes.
All devices have been preconfigured with:
• Enable secret password: C1sco123
• Console password: C1sco123
• SSH username and password: admin / admin
The network administrator wants to access all switch and routing devices using a management PC. For security purposes, the administrator wants to ensure that all managed devices are on a separate VLAN.
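The redundant trunk link from the first two objectives, as an added example that is not part of the lab's own answer key. VLANs 5, 10 and 20 and native VLAN 15 come from the scenario above; the interface name Ethernet0/3 on both switches is an assumption, since the lab does not name the ports of the new link. The same commands are entered on SW-2.

```cisco
! Added example (not the lab's answer key). Assumption: the new SW-1 <-> SW-2
! link uses Ethernet0/3 on both switches.
SW-1(config)# interface Ethernet0/3
SW-1(config-if)# switchport trunk encapsulation dot1q
SW-1(config-if)# switchport mode trunk
! Disable DTP so the port is a trunk only because we configured it, not
! because a neighbour negotiated it.
SW-1(config-if)# switchport nonegotiate
! Native VLAN 15 matches the existing trunks; an untagged frame on this link
! lands in VLAN 15, never in a user or management VLAN.
SW-1(config-if)# switchport trunk native vlan 15
! Only carry the VLANs the link needs (the native VLAN must be in the list).
SW-1(config-if)# switchport trunk allowed vlan 5,10,15,20
SW-1(config-if)# no shutdown
SW-1(config-if)# end
! Verify: mode "on", encapsulation 802.1q, native VLAN 15, allowed 5,10,15,20.
SW-1# show interfaces Ethernet0/3 switchport
SW-1# show interfaces trunk
```

Repeat the block on SW-2 with the same native and allowed VLANs; a native-VLAN mismatch between the two ends is reported by CDP and the show output, and is the first thing to check if VLAN 15 traffic leaks across the link.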
Step 1: Enable a management VLAN (VLAN 20) on SWA.
a. Enable VLAN 20 on SWA.
SW-A(config)# vlan 20
SW-A(config-vlan)# exit
b. Create an interface VLAN 20 and assign an IP address within the 192.168.20.0/24 network.
SW-B(config)# vlan 20
SW-B(config-vlan)# exit
SW-1(config)# vlan 20
SW-1(config-vlan)# exit
SW-2(config)# vlan 20
SW-2(config-vlan)# exit
Central(config)# vlan 20
Central(config-vlan)# exit
b. Create an interface VLAN 20 on all switches and assign an IP address within the 192.168.20.0/24 network.
SW-A(config-if)# no shutdown
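Step 1 b on one switch, plus the access port for the management PC, as an added example that is not the lab's own configuration. The 192.168.20.0/24 network and the router address 192.168.20.100 on Ethernet0/2.20 are from the lab; the switch address 192.168.20.1 and the management PC port Ethernet0/0 on SW-A are assumptions. Each other switch (SW-B, SW-1, SW-2, Central) gets the same VLAN interface with its own address in the subnet.

```cisco
! Added example (not the lab's answer key). Assumptions: SW-A uses
! 192.168.20.1 and the management PC is cabled to Ethernet0/0.
SW-A(config)# interface vlan 20
SW-A(config-if)# ip address 192.168.20.1 255.255.255.0
SW-A(config-if)# no shutdown
SW-A(config-if)# exit
! Gateway for management traffic that must cross the router (192.168.20.100
! is R1's VLAN 20 subinterface in the lab output).
SW-A(config)# ip default-gateway 192.168.20.100
! The management PC sits in VLAN 20 on a plain access port; trunking is
! refused on it so a host cannot negotiate a trunk and reach other VLANs.
SW-A(config)# interface Ethernet0/0
SW-A(config-if)# switchport mode access
SW-A(config-if)# switchport access vlan 20
SW-A(config-if)# switchport nonegotiate
SW-A(config-if)# no shutdown
SW-A(config-if)# end
! Verify the SVI is up/up and the port is in VLAN 20.
SW-A# show ip interface brief | include Vlan20
SW-A# show vlan brief
```

The management PC itself is configured with an address in the same subnet (the lab uses 192.168.20.50) and 192.168.20.100 as its default gateway; with that in place the pings in the verification steps below are answered inside VLAN 20 without passing through the router.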
Note: Access list 102 is used to only allow the Management PC (192.168.20.50 in this example) to access the router. This prevents an IP address change to bypass the ACL.
Note: There are multiple ways in which an ACL can be created to accomplish the necessary security. For this reason, grading on this portion of the activity is based on the correct connectivity requirements. The management PC must be able to connect to all switches and the router. All other PCs should not be able to connect to any devices within the management VLAN.
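One way to meet the connectivity requirement stated in the notes above, as an added example rather than the lab's own answer key (the lab itself says several ACL designs are acceptable). ACL 102, the management PC address 192.168.20.50 and the subinterface Ethernet0/2.20 are from the lab; the ACL number 101, the choice of applying 102 to the vty lines, and the assumption that Ethernet0/2.1 and Ethernet0/2.2 are the user-VLAN subinterfaces are mine.

```cisco
! Added example (not the lab's answer key). Assumptions: ACL 101 is free to use,
! Ethernet0/2.1 and Ethernet0/2.2 carry the user VLANs (VLAN 5 and VLAN 10).
!
! 101: drop anything from the user VLANs that is destined for the management
! network, let all other routed traffic through.
R1(config)# access-list 101 deny ip any 192.168.20.0 0.0.0.255
R1(config)# access-list 101 permit ip any any
R1(config)# interface Ethernet0/2.1
R1(config-subif)# ip access-group 101 in
R1(config-subif)# interface Ethernet0/2.2
R1(config-subif)# ip access-group 101 in
R1(config-subif)# exit
!
! 102: only the management PC may open a management session to the router.
! The implicit deny at the end of the list refuses every other source.
R1(config)# access-list 102 permit ip host 192.168.20.50 any
R1(config)# line vty 0 4
R1(config-line)# access-class 102 in
R1(config-line)# end
!
! Verify: hit counters on 101 climb when D1 pings the management PC and
! fails; 102 counts only sessions from 192.168.20.50.
R1# show access-lists
R1# show ip interface Ethernet0/2.1 | include access list
```

The same access-class 102 can be applied to the vty lines of each switch so that SSH to a switch is likewise limited to the management PC; the lab's grading only checks that the management PC reaches every device and that no other PC reaches anything in VLAN 20, which this pair of lists satisfies.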
R1>en
Password: C1sco123
R1#
R1#show ip int brief
Interface        IP-Address       OK? Method Status                Protocol
Ethernet0/0      unassigned       YES unset  administratively down down
Ethernet0/1      unassigned       YES unset  administratively down down
Ethernet0/2      unassigned       YES unset  up                    up
Ethernet0/2.1    unassigned       YES unset  up                    up
Ethernet0/2.2    unassigned       YES unset  up                    up
Ethernet0/2.20   192.168.20.100   YES manual up                    up
Ethernet0/3      unassigned       YES unset  administratively down down
b. From the management PC, ping SWA, SWB, and R1. Were the pings successful? Explain.
The pings should have been successful because all devices within the 192.168.20.0 network should be able to ping one another. Devices within VLAN20 are not required to route through the router.
c. From D1, ping the management PC. Were the pings successful? Explain.
The ping should have failed because for a device within a different VLAN to successfully ping a device within VLAN20, it must be routed. The router has an ACL that prevents all packets from accessing the 192.168.20.0 network.