
LAB MANUAL
Computer Network II

LAB EXPERIMENT – 02: SECURING NETWORK SWITCHES

SECURING NETWORK DEVICES: NETWORK SWITCHES


PERFORMANCE OBJECTIVES

Upon completion of this laboratory exercise, the student technicians/engineers will be able to:

- Design VLANs on switches
  - Create VLANs on switches
  - Configure VLAN access ports
  - Configure VLAN trunks
- Secure access switch ports with MAC addresses
- Secure access switch ports
  - Create a blackhole VLAN
  - Disable unused ports
- Configure a management VLAN
  - Create a virtual interface
  - Configure the VLAN for administrative access

TOOLS & EQUIPMENT

- PC running Windows 7 or higher, with MS Office and Cisco Packet Tracer 7 or above

MATERIALS (if needed)

- None

RESOURCES (if needed)

- None

DISCUSSION

The Layer 2 infrastructure consists mainly of interconnected Ethernet switches. Most end-user
devices, such as computers, printers, IP phones, and other hosts, connect to the network
via Layer 2 access switches. As a result, switches can present a network security risk. Similar
to routers, switches are subject to attack from malicious internal users. Cisco IOS software on
switches provides many security features that are specific to switch functions and protocols.

Network switches normally operate at the distribution layer, so an intruder who gains access
at this layer can be very dangerous for the overall security of any organization. VLANs are
helpful in the administration of logical groups, allowing members of a group to be easily
moved, changed, or added. This activity focuses on creating and naming VLANs, assigning
access ports to specific VLANs, changing the native VLAN, and configuring trunk links to
protect them from unauthorized groups/computers.

SAFETY WARNING / CAUTION (if required)

- None

A. PROCEDURE

TASK-1: Designing VLAN on Switches

Step 1. Design the following network topology.

Topology Diagram

Step 2. Verify the current running configuration on the switches.

On all three switches, enter user EXEC mode. Then enter privileged EXEC mode.

Yanbu University College
Educating Technologies

From privileged EXEC mode on all three switches, issue the show running-config command
to verify the current running configuration. The basic configurations are already set, but there
are no VLAN assignments.

Step 3. Display the current VLANs.

On S1, issue the show vlan command. The only VLANs present are the default ones. By
default, all interfaces are assigned to VLAN 1.

Step 4. Verify connectivity between PCs on the same network.

Notice that each PC can ping the other PC that shares the same network:

- PC1 can ping PC4
- PC2 can ping PC5
- PC3 can ping PC6

Pings to PCs in other networks will fail.

What benefit will VLANs provide to the current configuration?

___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

Currently, all broadcast traffic is sent out to all ports on the switch, except for the port on
which the broadcast was received. This greatly increases the traffic on all access and trunk
links as well as increases CPU usage on the switches and PCs. VLANs contain the
broadcasts within each VLAN only.

Step 5. Create VLANs on S1.

The command vlan vlan-id creates a VLAN. Use the name vlan-name command to name a
VLAN.

On S1, create four VLANs using the vlan-ids and the names shown below:

S1(config)# vlan 10
S1(config-vlan)# name Faculty/Staff
S1(config-vlan)# vlan 20
S1(config-vlan)# name Students
S1(config-vlan)# vlan 30
S1(config-vlan)# name Guest(Default)
S1(config-vlan)# vlan 99
S1(config-vlan)# name Management&Native

Step 6. Verify the VLAN configuration on S1.

After creating the VLANs, return to privileged EXEC and issue the show vlan command to
verify the creation of the new VLANs.

S1# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   Faculty/Staff                    active
20   Students                         active
30   Guest(Default)                   active
99   Management&Native                active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
S1#


Step 7. Create the VLANs on S2 and S3.

On S2 and S3, use the same commands you used on S1 to create and name the VLANs.

Step 8. Verify the VLAN configuration on S2 and S3.

Use the show vlan command to verify all VLANs are configured and named.

TASK-2: Configure VLAN Access

Step 1. Assign VLANs to the active ports on S2.

The switchport mode access command configures the interface as an access port. The
switchport access vlan vlan-id command assigns a VLAN to the port. An access port can
only be assigned one access VLAN. Enter the following commands on S2.

S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport mode access
S2(config-if)#switchport access vlan 10
S2(config-if)#interface fastEthernet 0/2
S2(config-if)#switchport mode access
S2(config-if)#switchport access vlan 20
S2(config-if)#interface fastEthernet 0/3
S2(config-if)#switchport mode access
S2(config-if)#switchport access vlan 30

Step 2. Assign VLANs to the active ports on S3.

Assign VLANs to active ports on S3. S3 uses the same VLAN access port assignments that
you configured on S2.

Step 3. Verify loss of connectivity.

Previously, PCs that shared the same network could ping each other successfully. Try pinging
between PC1 and PC4. Although the access ports are assigned to the appropriate VLANs, the
ping fails. Why?


___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

The interfaces between S2 and S1 and between S3 and S1 are not yet configured as trunks.
Nor are these interfaces configured as access links for the VLAN assigned to PC1 and PC4.
S2 and S3, therefore, do not forward VLAN 10 traffic (traffic from PC1 and PC4) out the
interface to S1.

Step 4. Check results.

Steps 1 to 4 should now be completed. If not, check the previous steps again to see which
required components are not yet completed.

TASK-5: Configure VLAN Trunk

Note: with VLAN trunking, a single link carries the traffic of multiple VLANs, as seen in the diagram below.

Step 1. Configure S1 Fa0/1 and Fa0/2 for trunking and to use VLAN 99 as the native
VLAN.

S1(config)#interface FastEthernet 0/1
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk native vlan 99
S1(config-if)#interface FastEthernet 0/2
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk native vlan 99

The trunk port takes about a minute to become active again. You can switch between
Realtime and Simulation modes three or four times to quickly bring the port back up.

Then, the ports on S2 and S3 that connect to S1 become inactive. Again, switch between
Realtime and Simulation modes three or four times to quickly bring the ports back up.

Once the ports become active, you periodically receive the following syslog messages:

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/3 (99), with S3 FastEthernet0/3 (1).

Cisco Discovery Protocol (CDP) generates this message to report that the native VLAN on
S1 does not match the native VLANs on S2 and S3. You configured the native VLAN on S1
to be VLAN 99, but the native VLANs on S2 and S3 are still set to the default, VLAN 1.

Note: You can restrict which VLANs are carried on a trunk with this command:

S1(config-if)#switchport trunk allowed vlan 99

or

S1(config-if)#switchport trunk allowed vlan 1-99

To display the trunk ports and the VLANs they carry, use the following command:

S1#show interfaces trunk

Step 2. Verify connectivity between devices on the same VLAN.

Although there is currently a native VLAN mismatch, pings between PCs on the same VLAN
are now successful. Why?


___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

Pings are successful because trunking has been enabled on S1. DTP has automatically
negotiated the other side of the trunk links. In this case, S2 and S3 have now automatically
configured the ports attached to S1 as trunking ports.

Step 3. Verify trunking is enabled on S2 and configure VLAN 99 as the native VLAN.

Dynamic Trunking Protocol (DTP) has automatically enabled the FastEthernet 0/1 port on S2
for trunking. Once you configured the mode to trunking on S1, DTP messages sent from S1
to S2 automatically informed S2 to move the state of Fa0/1 to trunking. This can be verified
with the following command on S2:

S2#show interface fa0/1 switchport

Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
<output omitted>
S2#

Note: the administrative mode is set to dynamic auto. This is the default state of all ports on
a Cisco IOS switch. However, DTP has negotiated trunking, so the operational mode is trunk,
resulting in a native VLAN mismatch.

As a best practice, configure the administrative mode of the trunking interface to be in trunk
mode. This ensures that the interface is statically configured as a trunk port and never
negotiates a different mode.

Step 4. Configure trunking on S2 and set VLAN 99 as the native VLAN:


S2(config)#interface FastEthernet 0/4
S2(config-if)#switchport mode trunk

To correct the native VLAN mismatch, configure the trunking port with the switchport
trunk native vlan 99 command.

S2(config-if)#switchport trunk native vlan 99

Step 5. Verify trunking is enabled on S3 and configure VLAN 99 as the native VLAN.

DTP has also successfully negotiated a trunk between S1 and S3.

S3#show interfaces fastEthernet 0/4 switchport

Name: Fa0/4
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
<output omitted>
S3#

Configure the administrative mode of the trunking interface to be in trunk mode, and correct
the native VLAN mismatch with the switchport trunk native vlan 99 command.

Step 6. Check results.

B. OBSERVATIONS

C. ANALYSIS

D. CONCLUSION


TASK-6: Secure Ports of Switches with MAC Address

Step 1. Design the following network topology.

Step 2. Verify connectivity between PCs on the same network.

- Can PC-1 ping the other PC in the same network?

Step 3. Secure ports.

Port security limits each access port to the single known MAC address of the PC connected
to it. Enter the following commands on each port.


- Repeat the same instructions for interface FastEthernet 0/2. Is it possible?

Step 4. Show the port security status for interfaces Fa0/1 and Fa0/3.

Step 5. Verify connectivity between PCs on the same network.

Note: PC-1 can ping PC-2. The MAC addresses will be different because they are unique.

Step 6. Show running configuration on S-Building 10.

- Are the MAC addresses accurate for both PCs?


Step 7. Show the port security status for interfaces Fa0/1 and Fa0/2.

- Did all interfaces update their MAC addresses after the ping?

Step 8. Try to connect PC-6 to the S-Building 10 switch via interface Fa0/2 as shown
below.

Note: Before this step make sure to copy running configuration to startup configuration.


Step 9. Verify connectivity between PCs on the same network (PC-1 to PC-6).

Note:

- PC-1 can't ping PC-6. The port was shut down because the port-security violation mode is shutdown.
- Once the interface saw a different MAC address, or more than one MAC address, it was
  turned off as a security measure.
- All red dots in the diagram below mean the ports are not active.

Step 10. Try to connect PC-2 to the S-Building 10 switch via the same port as in the
diagram below.


Note: Although the reconnected PC uses the same MAC address the port learned before, the
switch cannot turn the port on automatically.

To complete this step, the switch must be reloaded to activate port Fa0/2 again. (On a
Cisco IOS switch the same recovery is achieved without a reload by entering shutdown
followed by no shutdown on the err-disabled interface.)

S-Building10#reload

- After this, verify the connections again. Ping from PC-1 to PC-2. Can they see each other?

Note: After the reload, you are required to ping between the PCs.

TASK-7: Secure Ports of Switches

As a further security measure, disable ports that are not being used on the switch.

Step 1. Create a blackhole VLAN

A blackhole VLAN is a term used for a VLAN configured for unused ports. It is a security
practice, whereby you create a VLAN that has no route, or no default gateway to other
networks within your organization.

S-Building10(config)# vlan 999
S-Building10(config-vlan)# name Blackhole

Step 2. Assign all unused ports to the blackhole VLAN


S-Building10(config)# interface range fastEthernet 0/3 - 24
S-Building10(config-if-range)# switchport mode access
S-Building10(config-if-range)# switchport access vlan 999
S-Building10(config-if-range)# interface range gigabitEthernet 0/1 - 2
S-Building10(config-if-range)# switchport mode access
S-Building10(config-if-range)# switchport access vlan 999

Step 3. Disable unused ports

Note: Ports Fa0/1 and Fa0/2 are in use on the S-Building 10 switch. The remaining FastEthernet
ports and the two GigabitEthernet ports will be shut down.

S-Building10(config)# interface range fastEthernet 0/3 - 24
S-Building10(config-if-range)# shutdown
S-Building10(config-if-range)# interface range gigabitEthernet 0/1 - 2
S-Building10(config-if-range)# shutdown
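The trunk findings from Task 5 (ports left to DTP negotiation, native VLAN still 1) and the unused-port checks from this task can be verified mechanically against a saved running-config. The Python below is an added example, not part of this lab manual or of any Cisco tool; the running-config it parses is constructed for the example and the function and finding names are the example's own.

```python
from collections import defaultdict

# Constructed sample running-config (not captured from the lab's switches):
# Fa0/3 and Fa0/4 carry the weaknesses the lab corrects, the rest are finished.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 99
interface FastEthernet0/3
 switchport mode trunk
interface FastEthernet0/4
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 999
 shutdown
"""

def parse_interfaces(config):
    """Map each 'interface ...' stanza to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def last_int(lines, prefix, default):
    """Numeric value of 'prefix N' in the stanza, else the IOS default."""
    for line in lines:
        if line.startswith(prefix):
            return int(line.split()[-1])
    return default

def audit(config):
    """Return {interface: [findings]} for the Layer 2 weaknesses this lab fixes."""
    findings = defaultdict(list)
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        native = last_int(lines, "switchport trunk native vlan ", 1)
        access = last_int(lines, "switchport access vlan ", 1)
        if mode is None:  # absent from running-config: IOS default is dynamic auto
            findings[name].append("mode not set; DTP negotiation decides access vs trunk")
        if mode == "trunk" and native == 1:
            findings[name].append("trunk uses default native VLAN 1 (mismatch risk)")
        if mode != "trunk" and access == 1 and "shutdown" not in lines:
            findings[name].append("unused port is up and still in VLAN 1")
    return dict(findings)
```

Running `audit(SAMPLE_CONFIG)` reports only Fa0/3 and Fa0/4; a real `show running-config` capture can be passed in the same way.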

TASK-8: Configure Management VLAN for Administrative Access

Step 1. Design the following network topology.


Step 2. Create VLANs on Main_Switch

- Create VLAN 10 with the name “EMP”
- Create VLAN 99 with the name “MGT”

Step 3. Assign ports to VLANs

- Fa0/1 and Fa0/2 should be assigned to VLAN 10
- Fa0/24 should be assigned to VLAN 99

Note: The range command greatly reduces the amount of repetitive commands you must
enter when configuring the same commands on multiple ports.


Step 4. Show all defined VLANs on the Main_Switch

Step 5. Create a virtual interface on the switch

- Create an interface for VLAN 99
- Use IP address 192.168.99.2 with subnet mask 255.255.255.0

Step 6. Make sure that the virtual interface is assigned to VLAN 99 only.

- Show the running configuration on the switch


Step 7. Configure vty access for a Telnet connection

- Create a user: admin
- Set a password: admintelnet
- Give a privilege level: 15
- Set a timeout: 5 minutes
- Determine transport input: Telnet
- Define login: local

Main_Switch(config)# username admin privilege 15 secret admintelnet
Main_Switch(config)# line vty 0 4
Main_Switch(config-line)# exec-timeout 5
Main_Switch(config-line)# transport input telnet
Main_Switch(config-line)# login local

Step 8. Try to connect to the Main_Switch from the Admin PC.

FINAL CHECKLIST

1. Clean your equipment, materials, and work benches before you leave
2. Return all equipment and materials to their proper storage area
3. Submit your lab report on time
