Layer 2 VLAN Security

The document describes configuring a management VLAN (VLAN 20) for secure access to network devices. Key steps include: 1. Creating VLAN 20 on switches and routers and assigning IP addresses in the 192.168.20.0/24 subnet. 2. Connecting a management PC to VLAN 20 and verifying it can ping all devices. 3. Applying an ACL on the router to allow only the management PC to access devices, preventing access from other devices. 4. Verifying the management PC can access all devices but other devices cannot access the management VLAN.

Uploaded by

Alex Machado
Download PNETLab Platform

PNETLAB Store
PNETLab.com

Lab Topology:
Please use the following topology to complete this lab exercise:

Objectives
• Connect a new redundant link between SW1 and SW2.
• Enable trunking and configure security on the new trunk link between SW1 and SW2.
• Create a new management VLAN (VLAN 20) and attach a management PC to that VLAN.
• Implement an ACL to prevent outside users from accessing the management VLAN.


Background / Scenario
A company’s network is currently set up using two separate VLANs: VLAN 5 and VLAN 10. In
addition, all trunk ports are configured with native VLAN 15. A network administrator wants to
add a redundant link between switch SW1 and SW2. The link must have trunking enabled and
all security requirements should be in place.
In addition, the network administrator wants to connect a management PC to switch SWA. The
administrator would like to enable the management PC to connect to all switches and the
router, but does not want any other devices to connect to the management PC or the switches.
The administrator would like to create a new VLAN 20 for management purposes.
All devices have been preconfigured with:
• Enable secret password: C1sco123
• Console password: C1sco123
• SSH username and password: admin / admin

Part 1: Verify Connectivity

Step 1: Verify connectivity between C2 (VLAN 10) and C3 (VLAN 10).


Step 2: Verify connectivity between C2 (VLAN 10) and D1 (VLAN 5).
Note: The first ping may time out while ARP resolves the neighbor's MAC address; ping twice (or send the PDU twice if you are using a GUI packet tool).

Part 2: Enable VLAN 20 as a Management VLAN

The network administrator wants to access all switch and routing devices using a management
PC. For security purposes, the administrator wants to ensure that all managed devices are on a
separate VLAN.
Step 1: Enable a management VLAN (VLAN 20) on SWA.
a. Enable VLAN 20 on SWA.

SW-A(config)# vlan 20

SW-A(config-vlan)# exit

b. Create an interface VLAN 20 and assign an IP address within the 192.168.20.0/24 network.

SW-A(config)# interface vlan 20

SW-A(config-if)# ip address 192.168.20.1 255.255.255.0


Step 2: Enable the same management VLAN on all other switches.


a. Create the management VLAN on all switches: SWB, SW1, SW2, and Central.

SW-B(config)# vlan 20

SW-B(config-vlan)# exit

SW-1(config)# vlan 20

SW-1(config-vlan)# exit

SW-2(config)# vlan 20

SW-2(config-vlan)# exit

Central(config)# vlan 20

Central(config-vlan)# exit

b. Create an interface VLAN 20 on all switches and assign an IP address within the
192.168.20.0/24 network.

SW-B(config)# interface vlan 20

SW-B(config-if)# ip address 192.168.20.2 255.255.255.0

SW-1(config)# interface vlan 20

SW-1(config-if)# ip address 192.168.20.3 255.255.255.0

SW-2(config)# interface vlan 20

SW-2(config-if)# ip address 192.168.20.4 255.255.255.0

Central(config)# interface vlan 20

Central(config-if)# ip address 192.168.20.5 255.255.255.0


Step 3: Connect and configure the management PC.


Connect the management PC to the SWA access port shown in the topology (E0/1) and ensure that it is assigned an available IP address within the 192.168.20.0/24 network.
Step 4: On SWA, ensure the management PC is part of VLAN 20.
The port the management PC is connected to must be an access port in VLAN 20. The commands below use f0/1; substitute the interface name your platform reports (e0/1 on an IOL switch).

SW-A(config)# interface f0/1

SW-A(config-if)# switchport access vlan 20

SW-A(config-if)# no shutdown

Step 5: Verify connectivity of the management PC to all switches.


The management PC should be able to ping SW-A, SW-B, SW-1, SW-2, and Central.
VPCS> ping 192.168.20.1
84 bytes from 192.168.20.1 icmp_seq=1 ttl=255 time=0.484 ms
84 bytes from 192.168.20.1 icmp_seq=2 ttl=255 time=0.770 ms
84 bytes from 192.168.20.1 icmp_seq=3 ttl=255 time=0.604 ms
84 bytes from 192.168.20.1 icmp_seq=4 ttl=255 time=0.610 ms
84 bytes from 192.168.20.1 icmp_seq=5 ttl=255 time=0.586 ms

VPCS> ping 192.168.20.2


84 bytes from 192.168.20.2 icmp_seq=1 ttl=255 time=3.677 ms
84 bytes from 192.168.20.2 icmp_seq=2 ttl=255 time=2.455 ms
84 bytes from 192.168.20.2 icmp_seq=3 ttl=255 time=6.113 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=255 time=2.840 ms
84 bytes from 192.168.20.2 icmp_seq=5 ttl=255 time=2.518 ms

VPCS> ping 192.168.20.3


84 bytes from 192.168.20.3 icmp_seq=1 ttl=255 time=0.734 ms
84 bytes from 192.168.20.3 icmp_seq=2 ttl=255 time=1.295 ms
84 bytes from 192.168.20.3 icmp_seq=3 ttl=255 time=1.091 ms
84 bytes from 192.168.20.3 icmp_seq=4 ttl=255 time=0.943 ms
84 bytes from 192.168.20.3 icmp_seq=5 ttl=255 time=1.315 ms

VPCS> ping 192.168.20.4


84 bytes from 192.168.20.4 icmp_seq=1 ttl=255 time=2.269 ms
84 bytes from 192.168.20.4 icmp_seq=2 ttl=255 time=1.618 ms
84 bytes from 192.168.20.4 icmp_seq=3 ttl=255 time=26.824 ms
84 bytes from 192.168.20.4 icmp_seq=4 ttl=255 time=2.142 ms
84 bytes from 192.168.20.4 icmp_seq=5 ttl=255 time=2.557 ms


VPCS> ping 192.168.20.5


84 bytes from 192.168.20.5 icmp_seq=1 ttl=255 time=1.635 ms
84 bytes from 192.168.20.5 icmp_seq=2 ttl=255 time=1.671 ms
84 bytes from 192.168.20.5 icmp_seq=3 ttl=255 time=1.632 ms
84 bytes from 192.168.20.5 icmp_seq=4 ttl=255 time=1.665 ms
84 bytes from 192.168.20.5 icmp_seq=5 ttl=255 time=1.578 ms

Part 3: Enable the Management PC to Access Router R1

Step 1: Enable a new subinterface on router R1.


a. Create subinterface e0/2.20 and set its encapsulation to dot1q 20, so that the router sends and receives frames carrying 802.1Q VLAN ID 20 on that subinterface.

R1(config)# interface e0/2.20

R1(config-subif)# encapsulation dot1q 20

b. Assign an IP address within the 192.168.20.0/24 network.

R1(config)# interface e0/2.20

R1(config-subif)# ip address 192.168.20.100 255.255.255.0
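
What "encapsulation dot1q 20" means on the wire: the router-on-a-stick receives frames on the physical trunk port e0/2 and hands each one to the subinterface whose configured VLAN ID matches the 12-bit VID in the frame's 802.1Q tag. The following Python is an added example, not part of the lab or of any vendor code: it builds and parses a tagged Ethernet frame and demultiplexes it to a subinterface the way R1 would. The MAC addresses and payload are constructed; only the VLAN 20 to e0/2.20 mapping comes from the page, and native VLAN 15 comes from the scenario (this example assumes R1 has no subinterface for it, so untagged frames are dropped).

```python
"""802.1Q tagging as seen by a router-on-a-stick subinterface (added example)."""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes, vlan_id: Optional[int] = None,
                pcp: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build an Ethernet II frame (no FCS); insert an 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must be 0..4095")
    # TCI layout: PCP (3 bits) | DEI (1 bit, left 0 here) | VID (12 bits)
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan_id (None when untagged), the inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan_id": None, "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan_id": tci & 0x0FFF, "ethertype": inner, "payload": frame[18:]}


# Subinterfaces on R1's trunk port e0/2. Only ".20 -> VLAN 20" is given on the page.
R1_SUBINTERFACES: Dict[int, str] = {20: "e0/2.20"}


def demux(frame: bytes, subifs: Dict[int, str] = R1_SUBINTERFACES,
          native_vlan: int = 15) -> Optional[str]:
    """Return the subinterface that receives this frame, or None if nothing matches.

    A tagged frame goes to the subinterface whose 'encapsulation dot1q <vid>' equals its
    VID. An untagged frame belongs to the trunk's native VLAN (15 in this scenario) and is
    delivered only if a subinterface is configured for that VLAN; otherwise it is dropped.
    """
    vid = parse_frame(frame)["vlan_id"]
    if vid is None:
        vid = native_vlan
    return subifs.get(vid)


# Constructed sample addresses and payload (not from the lab).
MGMT_PC_MAC = bytes.fromhex("0050790001aa")
R1_MAC = bytes.fromhex("aabbcc000200")
SAMPLE_PAYLOAD = b"\x45" + b"\x00" * 19     # minimal stand-in for an IPv4 header

if __name__ == "__main__":
    tagged = build_frame(R1_MAC, MGMT_PC_MAC, SAMPLE_PAYLOAD, vlan_id=20)
    print(tagged.hex())
    print("VID", parse_frame(tagged)["vlan_id"], "->", demux(tagged))
    print("untagged ->", demux(build_frame(R1_MAC, MGMT_PC_MAC, SAMPLE_PAYLOAD)))
```

Note that a frame tagged with a VLAN that has no subinterface (VLAN 10 here) is silently dropped by the router, which is the behaviour the ACL in Step 3 later relies on not having to cover: only VLANs the router has a subinterface for can be routed at all.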

Step 2: Verify connectivity between the management PC and R1.


Be sure to configure the default gateway on the management PC to allow for connectivity.
VPCS> ping 192.168.20.100
192.168.20.100 icmp_seq=1 timeout
84 bytes from 192.168.20.100 icmp_seq=2 ttl=255 time=2.002 ms
84 bytes from 192.168.20.100 icmp_seq=3 ttl=255 time=1.999 ms
84 bytes from 192.168.20.100 icmp_seq=4 ttl=255 time=17.009 ms
84 bytes from 192.168.20.100 icmp_seq=5 ttl=255 time=2.002 ms


Step 3: Enable security.


While the management PC must be able to access the router, no other PC should be able to
access the management VLAN.
a. Create the ACLs. ACL 101 denies all traffic destined to the management network 192.168.20.0/24 and permits everything else; ACL 102 permits only the management PC (192.168.20.50 in this example) and is applied to the VTY lines so that only that host can open a management session to the router.

R1(config)# access-list 101 deny ip any 192.168.20.0 0.0.0.255

R1(config)# access-list 101 permit ip any any

R1(config)# access-list 102 permit ip host 192.168.20.50 any

b. Apply ACL 101 inbound on the subinterfaces serving the user VLANs (VLAN 5 and VLAN 10), not on the VLAN 20 subinterface, and apply ACL 102 to the VTY lines.

Example (interface names may vary from the student configuration):

R1(config)# interface g0/0.1

R1(config-subif)# ip access-group 101 in

R1(config-subif)# interface g0/0.2

R1(config-subif)# ip access-group 101 in

R1(config-subif)# line vty 0 4

R1(config-line)# access-class 102 in

Note: Access list 102 on the VTY lines allows only the management PC (192.168.20.50 in this example) to open a management session to R1. ACL 101 filters only packets destined to 192.168.20.0/24, so without 102 a user in VLAN 5 or VLAN 10 could still reach the router by targeting one of its other addresses, such as the gateway address of their own VLAN. Both ACLs match on IP addresses alone: a host that obtains a port in VLAN 20 and configures itself as 192.168.20.50 is not stopped by them, so the access-port VLAN assignments on the switches remain part of the security boundary.
Note: There are multiple ways in which an ACL can be written to meet these requirements. For this reason, grading on this portion of the activity is based on the connectivity requirements: the management PC must be able to connect to all switches and the router, and no other PC may connect to any device within the management VLAN.
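
Tracing the two ACLs the way IOS evaluates them, as an added example that is not part of the lab. The Python below parses the three access-list lines above, applies IOS wildcard-mask matching with first-match semantics and the implicit deny at the end of every ACL, and runs the lab's connectivity cases through them. Only 192.168.20.50 (management PC) and 192.168.20.100 (R1 on VLAN 20) come from the page; the VLAN 5 and VLAN 10 addresses are assumed for illustration. It also makes the reason for ACL 102 concrete: ACL 101 alone still lets D1 reach the router's own VLAN 5 address, and 102 is a source-address check only.

```python
"""IOS numbered-ACL evaluation for the management-VLAN lab (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # this page only uses "ip"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address + wildcard)
    dst: str


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one IOS address specification from the front of the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acls(config: str) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; entry order is preserved."""
    acls: Dict[int, List[AclEntry]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, proto = int(tokens[1]), tokens[2], tokens[3]
        src, rest = _take_addr(tokens[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(number, []).append(AclEntry(action, proto, src, dst))
    return acls


def wildcard_match(spec: str, addr: str) -> bool:
    """IOS wildcard matching: a 1 bit in the wildcard mask means 'don't care'."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    parts = spec.split()
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    base = int(ipaddress.IPv4Address(parts[0]))
    wildcard = int(ipaddress.IPv4Address(parts[1]))
    care = ~wildcard & 0xFFFFFFFF
    return (a & care) == (base & care)


def evaluate(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; an ACL that matches nothing ends in an implicit deny."""
    for entry in acl:
        if wildcard_match(entry.src, src) and wildcard_match(entry.dst, dst):
            return entry.action
    return "deny"


# The three lines from Step 3a, verbatim.
LAB_CONFIG = """
access-list 101 deny ip any 192.168.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip host 192.168.20.50 any
"""
ACLS = parse_acls(LAB_CONFIG)

# Hosts. Only MGMT_PC and R1_VLAN20 are on the page; the VLAN 5/10 addresses are assumed.
MGMT_PC = "192.168.20.50"
R1_VLAN20 = "192.168.20.100"
D1_VLAN5 = "192.168.5.10"        # assumed address for D1
C2_VLAN10 = "192.168.10.10"      # assumed address for C2
R1_VLAN5_GW = "192.168.5.1"      # assumed address of R1's VLAN 5 subinterface


def router_forwards(src: str, dst: str) -> bool:
    """ACL 101 applied inbound on the VLAN 5 and VLAN 10 subinterfaces."""
    return evaluate(ACLS[101], src, dst) == "permit"


def vty_accepts(src: str, router_addr: str) -> bool:
    """'access-class 102 in' on line vty 0 4: the source address is what is checked."""
    return evaluate(ACLS[102], src, router_addr) == "permit"


if __name__ == "__main__":
    for label, ok in [
        ("D1 -> management PC (routed)", router_forwards(D1_VLAN5, MGMT_PC)),
        ("C2 -> D1 (inter-VLAN, unaffected)", router_forwards(C2_VLAN10, D1_VLAN5)),
        ("D1 -> R1's own VLAN 5 address (ACL 101 alone)", router_forwards(D1_VLAN5, R1_VLAN5_GW)),
        ("D1 -> R1 VTY (ACL 102)", vty_accepts(D1_VLAN5, R1_VLAN5_GW)),
        ("management PC -> R1 VTY (ACL 102)", vty_accepts(MGMT_PC, R1_VLAN20)),
    ]:
        print(f"{label}: {'permit' if ok else 'deny'}")
```

The third case is the one the lab's note is getting at: packets from D1 to the router's VLAN 5 gateway address pass ACL 101, so only the access-class on the VTY lines stops D1 from opening an SSH session. Because 102 keys on the source address, a host that is plugged into a VLAN 20 port and configures itself as 192.168.20.50 would pass `vty_accepts` too; the switch port assignments are what keep that host out of VLAN 20.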


Step 4: Verify security.


a. Verify only the Management PC can access the router. Use SSH to access R1 with
username admin and password admin.
Management#ssh -l admin 192.168.20.100
Password: admin

R1>en
Password: C1sco123
R1#
R1#show ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down down
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset up up
Ethernet0/2.1 unassigned YES unset up up
Ethernet0/2.2 unassigned YES unset up up
Ethernet0/2.20 192.168.20.100 YES manual up up
Ethernet0/3 unassigned YES unset administratively down down

b. From the management PC, ping SWA, SWB, and R1. Were the pings successful? Explain.
The pings should have been successful. The management PC, the switch SVIs and R1's e0/2.20 subinterface are all in VLAN 20 and share the 192.168.20.0/24 network, so the traffic is switched at Layer 2 and is never routed through an interface where ACL 101 is applied.
c. From D1, ping the management PC. Were the pings successful? Explain.
The pings should have failed. D1 is in VLAN 5, so its packets to VLAN 20 must be routed by R1, and ACL 101, applied inbound on the user-VLAN subinterfaces, denies any packet destined to the 192.168.20.0/24 network.
