Contents

Lab No | Description | Page No
LAB 1 | Configure VLAN, Access and Trunk Port | 5
LAB 2 | VTP Configuration | 17
LAB 3 | EtherChannel Configuration
LAB 4 | Inter-VLAN Routing Configuration with a Router
LAB 5 | Inter-VLAN Routing Configuration with a Multi-Layer Switch | 33
LAB 6 | Port Security Configuration on a Cisco Switch | 36
LAB 7 | Spanning Tree Behavior - Mode, Priority Value, Root Bridge
LAB 8 | Configure CDP & LLDP | 46
LAB 9 | NTP Configuration
LAB 10 | HSRP (Hot Standby Router Protocol) Configuration | 54
LAB 11 | HSRP Configuration on VLAN Interface
LAB 12 | VRRP Configuration | 66
LAB 13 | GLBP Configuration
LAB 14 | VLAN Access List
LAB 15 | Private VLAN
LAB 16 | SPAN/RSPAN
LAB 17 | Configure Multiple Spanning Tree - MST | 90
LAB 18 | DHCP Snooping
LAB 19 | Cisco Storm-Control Configuration | 100
LAB 20 | RIPv2 Neighborship Configuration | 103
LAB 21 | Configure Passive Interface | 107
LAB 22 | Configure RIP Authentication | 108
LAB 23 | Introduction to EIGRP
LAB 24 | EIGRP Classic Mode
LAB 25 | EIGRP Named Mode and Classic Mode
LAB 26 | EIGRP Authentication in Classic Mode | 130
LAB 27 | EIGRP Authentication in Named Mode | 133
LAB 28 | Default Route Injection into EIGRP
LAB 29 | EIGRP Summarization and Leak-Map | 140
LAB 30 | EIGRP Stub | 147
LAB 31 | EIGRP Load Balancing | 155
LAB 32 | Route-Map | 166
LAB 33 | Prefix-list & Distribute-list | 171
LAB 34 | Redistributing Static and Connected Routes | 175
LAB 35 | Redistributing between EIGRP & RIP
LAB 36 | OSPF and EIGRP Redistribution | 183
LAB 37 | Multipoint Redistribution | 189
LAB 38 | OSPF Neighborship Configuration, Virtual-Link & Authentication | 194
LAB 39 | OSPF Broadcast and Point-to-Point Network | 202
LAB 40 | OSPF Stub Area | 205
LAB 41 | Totally Stubby Area | 211
LAB 42 | Not So Stubby Area (NSSA) | 213
LAB 43 | Totally Not So Stubby Area (Totally NSSA)
LAB 44 | OSPF Virtual Link and GRE Tunnel | 225
LAB 45 | OSPF Intra-Area Filtering
LAB 46 | OSPF Inter-Area Filtering - Type 3 | 238
LAB 47 | Filtering on ASBR | 240
LAB 48 | ISP Load Balancing Configuration with PBR
LAB 49 | IP SLA | 250
LAB 50 | Introduction to BGP and BGP Neighborship | 259
LAB 51 | BGP Peer Groups | 264
LAB 52 | BGP Peering with Loopback Address - eBGP Multihop | 267
LAB 53 | BGP Next-Hop-Self | 270
LAB 54 | BGP Redundancy with Load Sharing (BGP Single Homed)
LAB 55 | BGP Single Homed Design | 278
LAB 56 | BGP Multi-homed Load-Sharing | 281
LAB 57 | Cisco Express Forwarding | 286
LAB 58 | BGP Backdoor
LAB 59 | BGP Attributes and Path Selection
LAB 60 | BGP Weight | 296
LAB 61 | BGP Local Preference | 300
LAB 62 | BGP MED | 305
LAB 63 | BGP AS Path Prepending | 310
LAB 64 | BGP Community | 312
LAB 65 | BGP Full Mesh Configuration with Transit AS
LAB 66 | BGP Route-Reflector | 332
LAB 67 | BGP Confederations | 337
LAB 68 | BGP Unequal Cost Load Sharing
LAB 69 | Configure IPSec VPN | 351
LAB 70 | Site-to-Site IPSec VPN and NAT Configuration | 365
LAB 71 | IPSec over GRE Tunnel: Tunnel Mode and Transport Mode
LAB 72 | Configure DMVPN | 381
LAB 73 | MPLS Basic | 395
LAB 74 | VRF-lite
LAB 75 | MPLS L3 VPN
LAB 76 | Configure IPv6 Address
LAB 77 | Configure IPv6 Static Route
LAB 78 | Configure RIPng on Cisco Router | 450
LAB 79 | EIGRP Configuration with IPv6 Address | 455
LAB 80 | OSPF Configuration in IPv6 | 455
LAB 81 | DHCPv6 Server Configuration | 457
LAB 82 | Dual-Stack | 461
LAB 83 | IPv6 Tunneling over IPv4 | 465
LAB 84 | IPv6 over IPv4 GRE with IPSec
LAB 85 | Configuring SNMPv3
LAB 86 | Syslog Server
LAB 87 | Wireless LAN Controller and Access Point Configuration
LAB 88 | SD-WAN | 496

SCOR, ENCOR, NGFW & NGIPS, SVPN, SISE, SWSA, SD-WAN, ENARSI, SPCOR, CCNA SEC, DCCOR, CCNA RNS

LAB 1: Configure VLAN, Access and Trunk Port

A Layer 2 switched network is, by design, a flat network: every device on the network sees every broadcast frame, whether or not it needs to receive the data. With VLAN (Virtual LAN) technology, however, a Layer 2 switch can be divided logically into multiple separate broadcast domains. The purpose of segregating traffic into VLANs is to reduce the size of the broadcast domain; each VLAN uses its own IP subnet.

VLANs make network management easier in a number of ways:
• A VLAN can divide one large broadcast domain into a number of logical subnets.
• To add, move or change a user, the network only needs that user's port configured into the suitable VLAN.
• A group of users with high security demands can be placed in their own VLAN, so that users outside that VLAN cannot interact with them.
• Users can be grouped logically by function, independent of their geographic or physical location.
• VLANs can also enhance the security of the network.
• With VLANs the number of broadcast domains increases while the size of each one decreases.

Types of VLAN

There are the following types of VLANs:
1. Default VLAN
2. Data VLAN
3. Native VLAN
4. Management VLAN
5. Voice VLAN

Default VLAN
In Cisco switches the default VLAN is VLAN 1. By default, all the ports on the switch belong to the default VLAN.

Data VLAN
A data VLAN, also called a user VLAN, is configured to carry only user-generated traffic.

Native VLAN
The native VLAN is the VLAN associated with all untagged frames on a tagged (trunk) port; a frame in the native VLAN carries no 802.1Q tag. By default VLAN 1 is the native VLAN, and this can be changed. Frames for CDP, VTP, PAgP and similar protocols are all sent over the native VLAN. STP BPDUs are sent over the native VLAN and are also sent tagged. When a switch receives untagged traffic on a trunk port it must decide which VLAN to associate that traffic with; this is where the native VLAN concept is used.

Management VLAN
The management VLAN is configured to reach the management capabilities of a switch: it is used to access and manage the switch remotely, and it is the VLAN on which the switch's IP address and subnet mask are assigned.

Voice VLAN
A voice VLAN is configured to carry voice traffic. Voice VLANs mostly give that traffic transmission priority over the other types of network traffic. Voice VLANs are used with IP phones.

VLAN ports

There are two types of VLAN ports in a switched network:
Access ports: carry the data of a single VLAN and are generally connected to hosts or servers.
Trunk ports: a trunk connection is an interface that carries multiple VLANs. Trunks are normally created between switches; a trunk link is a point-to-point link between two switches, a switch and a router, or a switch and a server.

VLAN encapsulation type
1. IEEE 802.1Q: open standard, supported by switches of any vendor.
2.
Cisco ISL (Inter-Switch Link): Cisco proprietary protocol, only supported on some Cisco switches.

VLAN information is not saved in the running-config or startup-config but in a separate file, vlan.dat, in flash memory. To delete the VLAN information, delete that file with the command delete flash:vlan.dat.

The VLAN tag

To support VLANs, a special "tag" needs to be applied to frames so that network devices know how to forward those frames correctly.

802.1Q adds a 32-bit (4-byte) field inside the Ethernet frame, between the source MAC address and the Type field:

[Figure: untagged Ethernet frame (DST MAC | SRC MAC | TYPE | DATA) compared with an 802.1Q tagged frame (DST MAC | SRC MAC | 802.1Q TAG | TYPE | DATA)]

The first 16 bits of this field (the TPID) identify the frame as an 802.1Q tagged frame, and 12 of the remaining 16 bits carry the VLAN ID. The remaining 4 bits are mainly used for Quality of Service (QoS) operations.

[Figure: 802.1Q header layout: TPID (16 bits, 0x8100) | PCP (3 bits) | DEI (1 bit) | VLAN ID (12 bits)]

12 bits for the VLAN ID means that 4096 VLANs can theoretically be supported, i.e. 2^12 = 4096. However, all 0s (0x000 in hexadecimal) and all 1s (0xFFF in hexadecimal) are reserved, bringing the total of supported VLANs to 4094.

Untagged Packet/Port

Most end devices that connect to a switch do not care about or understand VLAN tagging; they just want to be able to communicate on the network. This includes devices like workstations, IP cameras and even some servers.

[Figure: untagged frames sent by end devices to the switch]

When these devices send frames to the switch, they send plain Ethernet frames (untagged packets) and it is up to the switch to determine how to forward them. Cisco calls this type of port an "access port".

Tagged Packet/Port

VLANs can span multiple switches, so there needs to be a way for tagged packets to travel from one switch to another.
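The 802.1Q tag layout just described, worked through in code as an added example that is not part of the lab manual: build_frame and parse_frame are names chosen here, the frames are constructed inline, and the parser reports the two reserved VLAN IDs (0x000 and 0xFFF) that bring the usable count down to 4094.

```python
import struct

TPID_8021Q = 0x8100                              # TPID that marks an 802.1Q tagged frame
RESERVED_VIDS = {0x000, 0xFFF}                   # all-zeros and all-ones VIDs are reserved
USABLE_VLANS = (1 << 12) - len(RESERVED_VIDS)    # 4096 - 2 = 4094


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> the 6 raw address bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst, src, payload, ethertype=0x0800, vid=None, pcp=0, dei=0):
    """Build an Ethernet frame; insert the 4-byte 802.1Q tag when vid is given."""
    if vid is not None and not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        # TCI = 3-bit PCP | 1-bit DEI | 12-bit VID, sent big-endian after the TPID
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into MACs, optional VLAN tag fields, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        # Tagged frame: bytes 12-13 hold the TPID, 14-15 the TCI, and the
        # real EtherType of the payload follows at bytes 16-17.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 0x1,
                    vid=vid, vid_reserved=vid in RESERVED_VIDS)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def demo():
    """Constructed frames: one tagged for VLAN 10 (as on a trunk), one untagged (as from a host)."""
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                         b"\x45\x00\x00\x14", vid=10, pcp=5)
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:66",
                           b"\x45\x00\x00\x14")
    return parse_frame(tagged), parse_frame(untagged)


if __name__ == "__main__":
    for result in demo():
        print(result)
```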
To do this, a single port on each switch can carry the traffic for all of those VLANs:

[Figure: two switches, each with hosts in VLAN 10 and VLAN 20, joined by one link carrying tagged packets for VLAN 10 and VLAN 20]

In this case the switch needs to tag frames correctly for their VLANs as they exit the port, and the receiving device on the other end (e.g. another switch) must understand this tagging and forward the frames to the correct VLANs.

Most of our switching labs use the Cisco hierarchical internetworking model, a three-layer model for network design first proposed by Cisco. It divides enterprise networks into three layers: core, distribution and access. This three-layer model helps you design, implement and maintain a scalable, reliable and cost-effective network. Each layer has its own features and functionality, which reduces network complexity.

Access: controls user and workgroup access to the resources on the network. This layer usually incorporates Layer 2 switches and access points that provide connectivity between workstations and servers. You can manage access control and policy, create separate collision domains and implement port security at this layer.

Distribution: serves as the communication point between the access layer and the core. Its primary functions are to provide routing, filtering and WAN access and to determine how packets reach the core. This layer determines the fastest way that network service requests are served (for example, how a file request is forwarded to a server) and, if necessary, forwards the request to the core layer. It usually consists of routers and multilayer switches.

Core: also referred to as the network backbone, this layer is responsible for transporting large amounts of traffic quickly.
The core layer provides interconnectivity between distribution layer devices; it usually consists of high-speed devices such as high-end routers and switches with redundant links.

[Figure: lab topology with a distribution-layer switch above the access-layer switches ACC1 and ACC2]

Lab objective
• Create VLANs
• Configure trunk ports
• Configure access ports
• Assign IP addresses to hosts
• Verification

VLAN name | VLAN ID | Ports | Subnet
cisco | 10 | Fa0/10-15 | 192.168.10.0/24
redhat | 20 | Fa0/20-23 | 192.168.20.0/24

Create VLANs on the ACC1 and ACC2 switches

Switch>enable
Switch#configure terminal
Switch(config)#hostname ACC1
ACC1(config)#vlan 10
ACC1(config-vlan)#name cisco
ACC1(config-vlan)#exit
ACC1(config)#vlan 20
ACC1(config-vlan)#name redhat
ACC1(config-vlan)#exit
ACC1(config)#

Switch#configure terminal
Switch(config)#hostname ACC2
ACC2(config)#vlan 10
ACC2(config-vlan)#name cisco
ACC2(config-vlan)#exit
ACC2(config)#vlan 20
ACC2(config-vlan)#name redhat
ACC2(config-vlan)#exit

Configure trunk port (ACC1 and ACC2)

Before configuring trunk ports we should know the basic function of DTP. DTP (Dynamic Trunking Protocol) is used on Cisco IOS switches to negotiate whether an interface should become an access port or a trunk. By default DTP is enabled and the interfaces of your switches are in "dynamic auto" or "dynamic desirable" mode. Without configuring anything on the interfaces, the default is dynamic auto mode and the interfaces will be in access mode.
Dynamic auto + dynamic auto = access

ACC1#show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

ACC2#show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none

Dynamic auto or dynamic desirable + access = access

Depending on the switch model and IOS version, the default might be "dynamic auto" or "dynamic desirable".
• dynamic auto + dynamic desirable = trunk
• dynamic desirable + dynamic desirable = trunk
• dynamic auto or dynamic desirable + trunk = trunk

Now configure a trunk on the ACC1 switch and leave ACC2 unconfigured:

ACC1(config)#interface fastEthernet 0/24
ACC1(config-if)#switchport mode trunk

ACC1#show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001

Check the switch ACC2:

ACC2#show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001

The ACC2 port has already become a trunk port even though nothing was configured on it. This is because of DTP: dynamic auto or dynamic desirable + trunk = trunk.

The DTP protocol is unauthenticated, which means that a station can send false DTP packets, pretending to be a switch.
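As an added example that is not from the lab manual, the negotiation outcomes listed above, including the case where one side has stopped negotiating, are encoded in a small Python checker that also audits a constructed running-config excerpt for ports a DTP peer could still influence; SAMPLE_CONFIG and the function names are assumptions made here.

```python
import re

DYNAMIC_MODES = ("dynamic auto", "dynamic desirable")


def dtp_outcome(local, peer):
    """Operational mode of one side after DTP, given (admin_mode, nonegotiate) tuples.

    Encodes the rules listed in the lab: a static access or trunk mode never
    changes; a dynamic port trunks when the peer is trunk or desirable, and
    auto + auto stays access.  A peer with 'switchport nonegotiate' sends no
    DTP frames, so a dynamic port facing it stays access (the ACC2 case).
    """
    mode, _ = local
    peer_mode, peer_nonegotiate = peer
    if mode not in DYNAMIC_MODES:
        return mode                         # 'access' or 'trunk' is static
    if peer_mode == "access" or peer_nonegotiate:
        return "access"
    if peer_mode in ("trunk", "dynamic desirable"):
        return "trunk"
    # peer is dynamic auto: only a desirable side initiates the trunk
    return "trunk" if mode == "dynamic desirable" else "access"


def parse_switchports(config: str):
    """Return {interface: (admin_mode, nonegotiate)} from IOS running-config text.

    A port with no 'switchport mode' line is assumed to sit in the default
    of dynamic auto, as the lab describes for its switches.
    """
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            ports[current] = ["dynamic auto", False]
            continue
        if current is None:
            continue
        m = re.match(r"^\s+switchport mode (access|trunk|dynamic auto|dynamic desirable)", line)
        if m:
            ports[current][0] = m.group(1)
        elif re.match(r"^\s+switchport nonegotiate", line):
            ports[current][1] = True
    return {name: tuple(v) for name, v in ports.items()}


def audit_dtp(config: str):
    """List (interface, finding) for ports an unauthenticated DTP peer could still affect."""
    findings = []
    for name, (mode, nonegotiate) in parse_switchports(config).items():
        if mode in DYNAMIC_MODES:
            findings.append((name, f"{mode}: negotiates with any DTP speaker; set the mode statically"))
        elif mode == "trunk" and not nonegotiate:
            findings.append((name, "trunk without 'switchport nonegotiate': DTP still running"))
    return findings


# Constructed running-config excerpt modelled on the lab's ACC1 switch (not real output).
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/23
 switchport access vlan 20
!
interface FastEthernet0/24
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
"""

if __name__ == "__main__":
    for iface, finding in audit_dtp(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```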
If the switchport is configured as a dynamic port, an attacker can lure the switchport into becoming a trunk port and will then have access to all VLANs allowed on that trunk. Therefore, once a network has been installed, it is best practice to set the mode statically and deactivate DTP on the port with the command switchport nonegotiate (this command is only needed on trunk ports, as static access ports do not send DTP packets automatically).

ACC1(config)#interface fastEthernet 0/24
ACC1(config-if)#switchport mode trunk
ACC1(config-if)#switchport nonegotiate
ACC1(config-if)#end

Verification

On the ACC1 switch:

ACC1#show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none

On the ACC2 switch:

ACC2#show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none

The ACC2 port can no longer become a trunk on its own, because we have disabled negotiation on ACC1, so the trunk has to be created manually on ACC2 as well:

ACC2(config)#interface fastEthernet 0/24
ACC2(config-if)#switchport mode trunk
ACC2(config-if)#switchport nonegotiate

ACC2#show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none

Now this port has become a trunk.

Configure access ports

ACC1(config)#interface range fastEthernet 0/10-15
ACC1(config-if-range)#switchport mode access
ACC1(config-if-range)#switchport access vlan 10
ACC1(config)#interface range fastEthernet 0/20-23
ACC1(config-if-range)#switchport mode access
ACC1(config-if-range)#switchport access vlan 20

ACC2(config)#interface range fastEthernet 0/10-15
ACC2(config-if-range)#switchport mode access
ACC2(config-if-range)#switchport access vlan 10
ACC2(config)#interface range fastEthernet 0/20-23
ACC2(config-if-range)#switchport mode access
ACC2(config-if-range)#switchport access vlan 20

Assign IP addresses to hosts

Our given subnets are 192.168.10.0/24 for VLAN 10 and 192.168.20.0/24 for VLAN 20, so
we will assign each host an IP address from the subnet of the VLAN it belongs to.

[Figure: IP configuration screens of the hosts: static IPv4 address, subnet mask 255.255.255.0 and default gateway for each VLAN]

Verification

First we ping between hosts that are in the same VLAN.

[Figure: ping results between hosts in the same VLAN]

Every VLAN is like a separate island: it cannot communicate with other VLANs unless we configure inter-VLAN routing. We will do this in a later lab.

LAB 2: VTP Configuration

VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used by Cisco switches to exchange VLAN information. VTP replicates configured VLANs to all participating switches.

Consider a network with 50 switches. Without VTP, if you wanted to create a VLAN on each switch you would have to enter the commands to create that VLAN manually on every one of them. VTP enables you to create the VLAN on only one switch. That switch can then propagate information about the VLAN to each switch in the network and cause the other switches to create that VLAN too. If you want to delete a VLAN, you only need to delete it on one switch, and the change is automatically propagated to every other switch in the same VTP domain.

Cisco switches can be configured in one of three VTP modes:
• Server
• Client
• Transparent

Server mode is the default for Cisco switches. Client mode takes its VLAN configuration from the server; it doesn't place the VLANs in a vlan.dat file. Switches in transparent mode never update themselves; if they receive VTP advertisements they forward them along.
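The three VTP modes just described, plus the revision-number rule that VTP uses to decide whether an advertisement overwrites a switch's VLAN database, modelled as an added example that is not part of the lab manual. VtpSwitch, its digest (a simplified stand-in for VTP's MD5, not the real packet format) and the scenario functions are assumptions made here; the model goes slightly beyond the lab text in letting a server, not only a client, accept a higher revision, which is how VTP behaves.

```python
import hashlib


class VtpSwitch:
    """Simplified model of a VTP server, client or transparent switch."""

    def __init__(self, name, mode, domain, password="", revision=0, vlans=None):
        assert mode in ("server", "client", "transparent")
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.revision = revision
        self.vlans = dict(vlans) if vlans else {1: "default"}

    def _digest(self, revision, vlans):
        # Stand-in for the VTP MD5 over domain, password and VLAN database.
        data = f"{self.domain}|{self.password}|{revision}|{sorted(vlans.items())}"
        return hashlib.md5(data.encode()).hexdigest()

    def add_vlan(self, vid, name):
        """Only servers and transparent switches may edit the VLAN database."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1          # every server-side change bumps the revision

    def delete_vlan(self, vid):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot delete VLANs")
        self.vlans.pop(vid)
        if self.mode == "server":
            self.revision += 1

    def advertisement(self):
        """Summary a server sends to the domain; a transparent switch originates none."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans),
                "digest": self._digest(self.revision, self.vlans)}

    def receive(self, adv):
        """Apply, ignore or forward an advertisement and report what happened."""
        if self.mode == "transparent":
            return "forwarded"          # relayed unchanged, own database untouched
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["digest"] != self._digest(adv["revision"], adv["vlans"]):
            return "ignored: password mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher"
        # Higher revision wins: the whole VLAN database is replaced.
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return "applied"


def lab_scenario():
    """SERVER creates VLANs 100 and 200 and CLIENT learns them, as in the lab."""
    server = VtpSwitch("SERVER", "server", "cisco.com", "cisco")
    client = VtpSwitch("CLIENT", "client", "cisco.com", "cisco")
    server.add_vlan(100, "cisco")
    server.add_vlan(200, "solaris")
    return client.receive(server.advertisement()), server, client


def stale_switch_scenario(mode):
    """A switch with a leftover, higher revision joins the same domain in the given mode."""
    _, _, client = lab_scenario()
    stale = VtpSwitch("OLD", mode, "cisco.com", "cisco", revision=10,
                      vlans={1: "default", 999: "leftover"})
    adv = stale.advertisement()
    if adv is None:
        return "no advertisement", client
    return client.receive(adv), client


if __name__ == "__main__":
    print(lab_scenario()[0], stale_switch_scenario("server")[0],
          stale_switch_scenario("transparent")[0])
```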
In transparent mode you can configure VLANs normally, as you would on a server switch.

Be careful if a switch is deployed with a higher VTP revision number than the rest of the VTP switches: the switches in client mode will download whatever VLAN configuration that switch has and remove your current configuration. So before using such a switch in a production network, configure it in transparent mode. You can also omit the VTP configuration entirely to avoid this situation.

[Figure: SERVER (2960-24TT, Gig0/1) connected to CLIENT (2960-24TT, Gig0/1)]

Objective:
1. Create VTP server and VTP client
2. Configure trunk port
3. Create VLANs on the server
4. Verify

1. Create VTP server and VTP client

Switch(config)#hostname SERVER
SERVER(config)#vtp domain cisco.com
SERVER(config)#vtp mode server
SERVER(config)#vtp password cisco
SERVER(config)#vtp version 2
SERVER(config)#

Switch(config)#hostname Client
Client(config)#vtp domain cisco.com
Client(config)#vtp version 2
Client(config)#vtp mode client
Client(config)#vtp password cisco

Notes
• The VTP domain name must match, and it is case sensitive.
• If a password is set, make sure it is the same on both sides.
• Every switch in the VTP domain must use the same VTP version. VTP v1 and VTP v2 are not compatible on switches in the same VTP domain, but VTP v2 and v3 are compatible.

2. Configure trunk port

SERVER(config)#interface gigabitEthernet 0/1
SERVER(config-if)#switchport mode trunk
SERVER(config-if)#no shutdown

Client(config)#interface gigabitEthernet 0/1
Client(config-if)#switchport mode trunk
Client(config-if)#no shutdown

3.
Create VLANs on the server only

SERVER(config)#vlan 100
SERVER(config-vlan)#name cisco
SERVER(config-vlan)#exit
SERVER(config)#vlan 200
SERVER(config-vlan)#name solaris

4. Verify that the VLANs have propagated to the client switch

Client#show vlan

VLAN Name      Status    Ports
---- --------- --------- --------------------------------
1    default   active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                         Fa0/5, Fa0/6, Fa0/7, Fa0/8
                         Fa0/9, Fa0/10, Fa0/11, Fa0/12
                         Fa0/13, Fa0/14, Fa0/15, Fa0/16
                         Fa0/17, Fa0/18, Fa0/19, Fa0/20
                         Fa0/21, Fa0/22, Fa0/23, Fa0/24
                         Gig0/2
100  cisco     active
200  solaris   active

Here we can see that the VLANs created on the server switch, VLAN 100 and VLAN 200, have appeared on the client switch.

Other VTP verification commands

Client#show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : cisco.com
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
Configuration last modified by 0.0.0.0 at 3-1-93 00:03:49

SERVER#show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : cisco.com
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
Configuration last modified by 0.0.0.0 at 3-1-93 00:03:49
Local updater ID is 0.0.0.0 (no valid interface found)

From here we can check the VTP mode, the VTP domain name and the revision number. The revision number must be the same on both switches; if it is not, the updates have not propagated successfully.

LAB 3: EtherChannel Configuration

EtherChannel is a port link aggregation technology which allows multiple physical links to be combined into one logical channel.
This allows load sharing of traffic among the links in the channel as well as redundancy in the event that one or more links in the channel fail. EtherChannel can be used to interconnect LAN switches, routers, servers and clients over unshielded twisted pair (UTP) wiring or single-mode and multimode fiber.

Advantages of EtherChannel
• EtherChannel gives greater bandwidth by bundling Fast Ethernet or Gigabit Ethernet links, so that a switch or router uses the merged ports as a single port.
• EtherChannel is great for improving redundancy in your network.
• With EtherChannel the aggregated links are not blocked by STP.

Link aggregation is very common and is usually seen in the following scenarios:
• Switch-to-switch connectivity in an access block (non-stackable)
• Access switch connectivity to distribution switches
• Server connectivity to the data center LAN fabric

If you are going to create an EtherChannel you need to make sure that all member ports have the same configuration:
• Duplex has to be the same.
• Speed has to be the same.
• Same native AND allowed VLANs.
• Same switchport mode (access or trunk).

There is a maximum to the number of links you can use: 8 physical interfaces.

If you want to configure an EtherChannel there are two protocols you can choose from:

PAgP (Port Aggregation Protocol)
• Developed by Cisco
• The port modes are defined as either auto or desirable

LACP (Link Aggregation Control Protocol)
• Open standard, defined by IEEE 802.3ad
• The port modes are either passive or active. Passive is the equivalent of PAgP auto, and active is the equivalent of PAgP desirable.

Will an EtherChannel form?

[Table: combinations of LACP active/passive and PAgP desirable/auto modes on the two sides; the table is not legible in the source]

Objective
1. Create EtherChannel
2. Configure trunk
3. Verification

[Figure: switch DU (2960-24TT) connected to switch ASHISH (2960-24TT) by Gig0/1 and Gig0/2]
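Both checks from the passage above, whether the channel-group modes on the two sides will negotiate a bundle and whether the member ports match on duplex, speed, VLANs and mode, as an added Python example that is not part of the lab manual. The ports are constructed to resemble the DU/ASHISH Gig0/1-2 bundle; function names and the port attribute keys are assumptions made here.

```python
# Channel-group modes that belong to each bundling protocol.
LACP_MODES = {"active", "passive"}
PAGP_MODES = {"desirable", "auto"}
MAX_MEMBERS = 8                  # physical interfaces per EtherChannel, as the lab states
MUST_MATCH = ("speed", "duplex", "switchport_mode", "native_vlan", "allowed_vlans")


def negotiation_result(local_mode, remote_mode):
    """Return (protocol, reason): protocol is 'LACP', 'PAgP', 'static' or None.

    At least one side must initiate: LACP active or PAgP desirable.
    'on' on both sides forces a static bundle; mixing protocols fails.
    """
    modes = {local_mode, remote_mode}
    if modes == {"on"}:
        return "static", "both sides 'on': bundle forced without negotiation"
    if modes <= LACP_MODES:
        if "active" in modes:
            return "LACP", "at least one LACP side is active"
        return None, "passive + passive: neither LACP side initiates"
    if modes <= PAGP_MODES:
        if "desirable" in modes:
            return "PAgP", "at least one PAgP side is desirable"
        return None, "auto + auto: neither PAgP side initiates"
    return None, f"incompatible modes {local_mode!r} and {remote_mode!r}"


def member_port_issues(ports):
    """Check the candidate member ports against the attributes the lab says must match."""
    issues = []
    if len(ports) > MAX_MEMBERS:
        issues.append(f"{len(ports)} ports exceeds the maximum of {MAX_MEMBERS}")
    reference = ports[0]
    for p in ports[1:]:
        for attr in MUST_MATCH:
            if p[attr] != reference[attr]:
                issues.append(f"{p['name']}: {attr} {p[attr]!r} differs from "
                              f"{reference['name']} {reference[attr]!r}")
    return issues


def will_bundle(local_ports, local_mode, remote_mode):
    """Combine the mode check and the member-port check: (forms, protocol, issues)."""
    protocol, reason = negotiation_result(local_mode, remote_mode)
    issues = member_port_issues(local_ports)
    if protocol is None:
        issues.insert(0, reason)
    return (not issues, protocol, issues)


def port(name, speed="1000", duplex="full", switchport_mode="trunk",
         native_vlan=1, allowed_vlans="all"):
    """Describe one constructed member port."""
    return dict(name=name, speed=speed, duplex=duplex, switchport_mode=switchport_mode,
                native_vlan=native_vlan, allowed_vlans=allowed_vlans)


# Constructed ports modelled on the lab's DU <-> ASHISH bundle on Gig0/1-2.
GOOD_PORTS = [port("Gig0/1"), port("Gig0/2")]
BAD_PORTS = [port("Gig0/1"), port("Gig0/2", native_vlan=99)]   # native VLAN mismatch

if __name__ == "__main__":
    print(will_bundle(GOOD_PORTS, "active", "passive"))   # the lab's DU/ASHISH case
    print(will_bundle(BAD_PORTS, "active", "passive"))
```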
Configure EtherChannel

Switch(config)#hostname DU
DU(config)#interface range gigabitEthernet 0/1 - 2
DU(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1

Switch(config)#hostname ASHISH
ASHISH(config)#interface range gigabitEthernet 0/1 - 2
ASHISH(config-if-range)#channel-group 1 mode passive

Configure trunk

DU(config)#interface port-channel 1
DU(config-if)#switchport mode trunk
DU(config-if)#no shutdown

ASHISH(config)#interface port-channel 1
ASHISH(config-if)#switchport mode trunk
ASHISH(config-if)#no shutdown

Verification

[Figure: show etherchannel summary output on both switches]

In the show etherchannel summary output:
Po1 = Port-channel 1; the channel-group number must be the same on both switches
S = capital S means Layer 2
U = in use
LACP = the EtherChannel protocol in use
P = bundled in the port-channel
If these flags appear, your configuration is correct.

LAB 4: Inter-VLAN Routing Configuration with a Router

To communicate between different VLANs we need routing, because each VLAN is a separate broadcast domain. So we need a Layer 3 switch or a router for routing; here we will use a router.

[Figure: lab topology for inter-VLAN routing with a router]
uorven saoaos 1 o/s Nye se ay sw SCOR, ENCOR, NGFW & NGIPS, SVPN, SISE, SWSA, SD-WAN, ENARSI, SPCOR, CCNA SEC, DCCOR, CCNA RNS 24 SWITCH VLAN ID VLANNAME | SWITCH PORT | SUBNET SWI 10 Cisco FOa 192.168.10.0/24 9 MGT NIA 10.10.10.2124 SW2 20 ‘Admin Fo/0 192.168.20.0/24 997 MGT NIA 10.10.10.3/24 SW3 30 Redhat For 192.168.30.0/24 99 MGT NIA 10.10.10.4724 BASIC CONFIGURATION OF SWITCH AND ROUTER Switch#conf t Switch (config) #hostname SWi SWi (config) #enable secret cisco SW1 (config) #username ashish privilege 15 password ashish123 SW1 (config) #line console 0 SWI (config-line) #login local SW1 (config-Line) fexit SWi (config) #line vty 0 5 SW1(config-Line) #login local SWi (config-line) #transport input telnet SW1 (config-line) #exit SWi (config) # Switch#conf t itch (config) #hostname Sw2 SW2 (config) #enable secret cisco sW2 (config) #username ashish privilege 15 password ashish123 SW2 (config) #line console 0 sW2(config-line) login local SW2 (config-Line) fexit SW2(config)#line vty 0 5 SW2(config-line) login local SW2(config-line) #transport input telnet sW2 (config-line) fexit SW2 (config) # SCOR, ENCOR, NGFW & NGIPS, SVPN, SISE, SWSA, SD-WAN, ENARSI, SPCOR, CCNA SEC, DCCOR, CCNA RNS 25 Switchtconf t Switch (config) #hostname SW3 SW3 (config) #enable secret cisco SW3 (config) #username ashish privilege 15 password ashish123 $W3 (config) #1ine console 0 SW3(config-line) #login local SW3 (config-line) fexit SW3 (config) #line vty 0 4 SW3(config-line) flogin local SW3(config-line) ftransport input telnet SW3 (config-line) gexit ETHER-CHANNEL & TRUNK CONFIGUARTION SW1(config)#int range fastthernet 0/1-2 SW1 (config-if-range) channel-group 1 mode active SW1 (config-if-range) dno shutdown SW1 (config-if-range) fexit SW1 (config) #interface port-channel 1 Si (config-if)#switchport mode trunk SWl (config-if) fexit Swi (config) #interface range fastEthernet 0/5-6 Sill (config-if-range) #channel-group 2 mode active Sil (config-if-range) no shutdown SW1(config)#int 
port-channel 2 SW1 (config-if) #switchport mode trunk SW2 (config) #int range fastEthernet 0/1-2 SW2(config-if-range) #channel-group 1 mode passive SW2(config-if-range) tno shutdown sW2(config-if-range) #exit SW2(config)#int port-channel 1 SW2(config-if) ¥switchport mode trunk sW2 (config-if) #exit SW2 (config) #interface range fastEthernet 0/3-4 SCOR, ENCOR, NGFW & NGIPS, SVPN, SISE, SWSA, SD-WAN, ENARSI, SPCOR, CCNA SEC, DCCOR, CCNA RNS U2 (config-if-range) #channel-group 3 mode active SW2 (config-if-range) #no shutdown SW2 (config-if-range) fexit sW2(config)#int port-channel 3 SW2 (config-if) #swit port mode trunk SW3(config)#int range fastBthernet 0/5-6 SW3 (config-if-range) #channel-group 2 mode passive SW3(config-if-range) tno shutdown SW3 (config-if-range) #exit SW3 (config) #int port-channel 2 SW3(config-if) #switchport mode crunk SW3(config)#interface range fastEthernet 0/3-4 SW3 (config-if-range) fchannel-group 3 mode passive SW3 (config-if-range) #no shutdown W3 (config-if-range) #exit SW3 (config) #int port-channel 3 SW3(config-if)#switchport mode trunk VERIFICATION [sWifahow otherchannsl Sunmaey Flags: D- down p - in port-channel = stand-alone 2 — suspended = Hot-standby (LACP only) ~ Layers 5 - Layer? in use £ - failed to allocate aggregator “unsuitable for bundling = waiting to be aggregated © dereult pore perce jwunber of channal-groups in use: 2 umber of aggregators: 2 Jsrou Port-channel Protocol 1 Pot (su) BACP Fa0/1(2) Fa0/2(P) 2 Po2 (80) TACP Fa0/S(P) Fa0/6(P) SCOR, ENCOR, NGFW & NGIPS, SVPN, SISE, SWSA, SD-WAN, ENARSI, SPCOR, CCNA SEC, DCCOR, CCNA RNS 26 7 Poi sig tring 0 bee toad teuncing pout -ylasa anieHea x sie Pad s-1008 pore Fiat sveeia aia ekve IniNapeRsE TERIA bel r Boe i wes aes in spaming tone fnvesding state and not pein Be i VTP CONFIGURATION Gomain ashish version 2 SW1 (config) #vtp. SW1 (config) #vtp SW1 (contig) #vtp. 
SW1(config)#vtp mode server
SW2(config)#vtp domain ashish.com
SW2(config)#vtp password cisco
SW2(config)#vtp version 2
SW2(config)#vtp mode client
SW3(config)#vtp domain ashish.com
SW3(config)#vtp password cisco
SW3(config)#vtp version 2
SW3(config)#vtp mode client

VERIFICATION

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : ashish.com
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : [not legible in the scan]
Configuration last modified by 0.0.0.0 at 3-1-93 00:33:45
Local updater ID is 0.0.0.0 (no valid interface found)

SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : ashish.com
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : [not legible in the scan]
Configuration last modified by 0.0.0.0 at 3-1-93 00:33:45

SW3#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : ashish.com
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : [not legible in the scan]
Configuration last modified by 0.0.0.0 at 3-1-93 00:33:45

The revision number is 1, the same on all switches.

VLAN CONFIGURATION

Now we will configure the VLANs on the server switch:

SW1(config)#vlan 10
SW1(config-vlan)#name Cisco
SW1(config-vlan)#exit
SW1(config)#vlan 20
SW1(config-vlan)#name Admin
SW1(config-vlan)#exit
SW1(config)#vlan 30
SW1(config-vlan)#name Redhat
SW1(config)#vlan 99
SW1(config-vlan)#name MGT

SW1#show vlan
VLAN Name     Status    Ports
1    default  active    Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   Cisco    active    Fa0/4
20   Admin    active
30   Redhat   active
99   MGT      active

ON CLIENT SWITCHES WE CAN SEE THAT VLANS

SW2#show vlan
VLAN Name          Status    Ports
1    default       active    Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   Cisco         active
20   Admin         active    Fa0/10
30   Redhat        active
99   MGT           active
1002 fddi-default  active

SW3#show vlan
VLAN Name                Status    Ports
1    default             active    Fa0/2, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   Cisco               active
20   Admin               active
30   Redhat              active    Fa0/1, Fa0/15, Fa0/16
99   MGT                 active
1002 fddi-default        active
1003 token-ring-default  active
1004 fddinet-default     active
1005 trnet-default       active

CONFIGURE ACCESS-PORTS

SW1(config)#interface fastEthernet 0/4
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#exit
SW2(config)#interface fastEthernet 0/10
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 20
SW3(config)#interface fastEthernet 0/1
SW3(config-if)#switchport mode access
SW3(config-if)#switchport access vlan 30
SW3(config-if)#exit

Assign an IP address on VLAN 99

SW1(config)#interface vlan 99
SW1(config-if)#ip address 10.10.10.2 255.255.255.0
SW1(config-if)#exit
SW2(config)#int vlan 99
SW2(config-if)#ip address 10.10.10.3 255.255.255.0
SW2(config-if)#exit
SW3(config)#int vlan 99
SW3(config-if)#ip address 10.10.10.4 255.255.255.0
SW3(config-if)#exit

CONFIGURE IP TO HOSTS

[Screenshots of the host IP configuration dialogs: one host with static IP address 192.168.20.2, subnet mask 255.255.255.0; another host with subnet mask 255.255.255.0 and default gateway 192.168.30.1. Other values are not legible in the scan.]

CONFIGURE TRUNK BETWEEN ROUTER AND SW1

SW1(config)#interface fastEthernet 0/3
SW1(config-if)#no shutdown
SW1(config-if)#switchport mode trunk
SW1(config-if)#exit
Router(config)#int fastEthernet 0/0
Router(config-if)#no shutdown

CONFIGURE INTER-VLAN ROUTING ON THE ROUTER

Router(config)#interface fastEthernet 0/0.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
Router(config-subif)#exit
Router(config)#interface fastEthernet 0/0.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.20.1 255.255.255.0
Router(config-subif)#exit
Router(config)#interface fastEthernet 0/0.30
Router(config-subif)#encapsulation dot1q 30
Router(config-subif)#ip address 192.168.30.1 255.255.255.0
Router(config-subif)#exit
Router(config)#interface fastEthernet 0/0.99
Router(config-subif)#encapsulation dot1q 99
Router(config-subif)#ip address 10.10.10.1 255.255.255.0
Router(config-subif)#exit

Assign a default gateway to every switch

SW1(config)#ip default-gateway 10.10.10.1
SW2(config)#ip default-gateway 10.10.10.1
SW3(config)#ip default-gateway 10.10.10.1

VERIFY CONFIGURATION:

Apply ping to the different VLANs
[Screenshot of ping output; not legible in the scan]

Apply telnet
[Screenshot of telnet session; not legible in the scan]

LAB 5: Inter-Vlan Routing Configuration with a Multi-Layer Switch

SVI - Switched Virtual Interface. There is no physical interface for the VLAN, hence it is virtual. The technique is: assign an IP address to each VLAN interface (for example, interface vlan 10), then issue the "ip routing" command in global configuration mode.
Generally, routers do the routing between different broadcast domains, that is, between different VLANs, but an SVI provides routing between VLANs on the switch itself. Example switch models that support layer 3 routing are the 3550, 3750, 3560, 9300, etc.

[Topology diagram: a layer 3 switch with vlan interface 10 = 192.168.10.1 and vlan interface 20 = 192.168.20.1; hosts on Fa0/3-9 in VLAN 10 and on Fa0/10-15 in VLAN 20]

Our Tasks (all configuration is only on the L3 switch here)
1. Creating vlan 10 and vlan 20
2. Naming these two VLANs: vlan 10 = cisco, vlan 20 = solaris
3. Configuration of access ports
4. Assigning IP addresses to hosts
5. Assigning an IP address to each VLAN interface
6. Verification

CREATE VLAN

Switch(config)#vlan 10
Switch(config-vlan)#name cisco
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name solaris
Switch(config-vlan)#exit

ACCESS-PORT CONFIGURATION

Switch(config)#interface range fastEthernet 0/3 - 9
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range fastEthernet 0/10 - 15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20

ASSIGN IP TO VLAN INTERFACE

Switch(config)#interface vlan 10
Switch(config-if)#ip address 192.168.10.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 20
Switch(config-if)#ip address 192.168.20.1 255.255.255.0
Switch(config-if)#no shutdown

ENABLE ROUTING

Switch(config)#ip routing

ASSIGN IP TO HOSTS

[Screenshots of the host IP configuration dialogs: a VLAN 20 host with static IP address 192.168.20.2, subnet mask 255.255.255.0, default gateway 192.168.20.1; VLAN 10 hosts with subnet mask 255.255.255.0 and default gateway 192.168.10.1, one of them with IP address 192.168.10.2]

VERIFICATION

Ping to a different VLAN
[Screenshot of ping output; not legible in the scan]

LAB 6: Port Security

The switchport security feature (Port Security) is an important piece of the network switch security puzzle; it provides the ability to limit which addresses are allowed to send traffic on individual switchports within the switched network. There is no limit to the number of MAC addresses a switch can learn on an interface, and all MAC addresses are allowed by default. Anyone can access unsecured network resources by plugging a laptop into one of our available switch ports, and can also change physical location in the LAN without telling the admin. But you can secure layer two access by using port security.

First, in our lab we will plug in one PC, and the other PC will remain unplugged, as shown in the figure:

[Topology diagram: a 2960-24TT switch with PC0 and PC1 (PC-PT) and a Server-PT]

Assign IP addresses to the hosts
[Screenshots of the host IP configuration dialogs for the PCs and the server; the values are not legible in the scan]

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#exit

Port security is disabled by default; the "switchport port-security" command enables it. According to our requirements we can limit the number of hosts that can be associated with an interface. We can set this limit anywhere from 1 to 132. The maximum number of devices that can be associated with the interface is 132. By default it is set to 1. The "switchport port-security maximum value" command sets the maximum number of hosts.

We have two options, static and dynamic, to associate a MAC address with an interface. In the static method we have to manually define the exact host MAC address with the "switchport port-security mac-address MAC_address" command. In dynamic mode we use the sticky feature, which allows the interface to learn the MAC address automatically.

We need to specify what action it should take on a security violation. Three modes are available:

Protect - This mode drops packets with an unknown source MAC address until you remove enough secure MAC addresses to drop below the maximum value.

Restrict - This mode performs the same function as protect, i.e. it drops packets until enough secure MAC addresses are removed to drop below the maximum value. In addition, it generates a log message, increments the violation counter and sends an SNMP trap.

Shutdown - This mode is mostly preferred over the other modes, as it shuts down the port immediately when unauthorised access occurs.
It also generates a log message, increments the violation counter and sends an SNMP trap. The port remains in the shutdown state until the administrator issues the "no shutdown" command.

Switchport port security explained

Command | Description
Switch>enable | Move to privileged exec mode
Switch#configure terminal | Move to global configuration mode
Switch(config)#interface fastethernet 0/1 | Move to interface mode
Switch(config-if)#switchport mode access | Assign the port as a host port
Switch(config-if)#switchport port-security | Enable the port security feature on this port
Switch(config-if)#switchport port-security maximum 1 | Set the limit for hosts that can be associated with the interface. The default value is 1. Skip this command to use the default value.
Switch(config-if)#switchport port-security violation shutdown | Set the security violation mode. The default mode is shutdown. Skip this command to use the default mode.
Switch(config-if)#switchport port-security mac-address sticky | Enable the sticky feature.

We have secured port Fa0/1 of the switch. We used the dynamic address learning feature. The switch will remember the first MAC address learned on interface Fa0/1 with this port. We can check the MAC address table for the currently associated address:

[Screenshot of the MAC address table; no entry for Fa0/1]

No MAC address is associated with port Fa0/1 yet. The switch learns MAC addresses from incoming frames. We need to generate a frame from PC0 that will be received on port Fa0/1 of the switch. We can use ping to generate frames from PC0 to the Server.

[Screenshot of the MAC address table after the ping: the PC0 address on Fa0/1 is listed with type STATIC, alongside DYNAMIC entries on other ports]

The switch learns this address dynamically but it shows as STATIC. The sticky option automatically converts a dynamically learned address into a static address.
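To make the three violation modes and sticky learning concrete, here is an added example (not code from the lab manual) that models how a secured port treats source MAC addresses; class and method names are constructed for this illustration, and the two MAC addresses in the replayed scenario are the ones that appear in the lab's show output.

```python
"""Port-security behaviour model (added example, not code from the lab manual).

Simulates how a switchport configured with `switchport port-security`
treats source MAC addresses under the three violation modes the lab
describes (protect, restrict, shutdown), with sticky learning. Class and
method names are constructed for this illustration.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # protect | restrict | shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    # mac -> type as shown by "show port-security address"
    secure_macs: dict = field(default_factory=dict)
    violation_count: int = 0         # Security Violation Count
    err_disabled: bool = False       # Port Status: Secure-shutdown
    syslog: list = field(default_factory=list)   # log messages / SNMP traps

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac> (statically configured)."""
        self.secure_macs[mac.lower()] = "SecureConfigured"

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; return what the port did with it."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port is err-disabled"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Dynamic learning; sticky entries are written to the running
            # config, which is why they show as STATIC in the MAC table.
            self.secure_macs[mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forwarded (learned)"
        # Table is full and the address is not secure: a security violation.
        if self.violation == "protect":
            return "dropped"            # silent: no log, trap or counter
        self.violation_count += 1
        self.syslog.append(f"security violation on {self.name} by {mac}")
        if self.violation == "restrict":
            return "dropped (restrict)"
        self.err_disabled = True        # shutdown mode: port goes err-disabled
        return "dropped (port shut down)"

    def recover(self) -> None:
        """Administrator runs shutdown / no shutdown; secure MACs are kept."""
        self.err_disabled = False


def lab_scenario() -> dict:
    """Replay the lab: PC0 is learned sticky on Fa0/1, then PC1 is plugged in."""
    port = SecurePort("Fa0/1", maximum=1, violation="shutdown", sticky=True)
    first = port.receive("0001.C712.872A")   # PC0's MAC from the lab output
    second = port.receive("0002.1622.CB46")  # PC1 replaces PC0 on the same port
    return {"first": first, "second": second,
            "status": "Secure-shutdown" if port.err_disabled else "Secure-up",
            "violations": port.violation_count,
            "table": dict(port.secure_macs)}
```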
Switchport port security testing

Now we unplug the Ethernet cable from PC0 and plug it into PC1.

[Topology diagram: PC1 now connected to Fa0/1 of the switch]

Now try to ping from PC1 to the Server.

[Screenshot of the ping output from PC1; the requests time out]

Why is the ping not successful? Because the switch detected the MAC address change and shut down the port.

Verify port security

We have three commands to verify port security.

# show port-security
This command displays port security information about all the interfaces on the switch.

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
---------------------------------------------------------------------------

# show port-security address
Displays the statically defined or dynamically learned addresses with port security.

Switch#show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
1       0001.C712.872A    SecureSticky                  FastEthernet0/1    -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

# show port-security interface interface-no
Displays port security information about the specific interface.

Switch#show port-security interface f0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0002.1622.CB46:1
Security Violation Count   : 1

Here is a useful command to check your port security configuration. Use "show port-security interface" to see the port security details per interface. We can see that the violation mode is shutdown and that the last violation was caused by MAC address 0002.1622.CB46:1. The aging time is 0 mins, which means it will stay in err-disable state forever.

How to reset an interface that is disabled due to a violation of port security: manually restart the interface.
Unplug the cable from PC1 and plug it back into PC0. Run the following commands on the switch and test connectivity from the PC.

[Topology diagram: PC0 reconnected to Fa0/1 of the 2960-24TT switch, with PC1 and the Server-PT]

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
Switch(config-if)#no shutdown

LAB 7: Configure Root Guard on Cisco Switch

Root guard stops a superior BPDU from becoming the root.

Note: Root guard is best deployed toward ports that connect to switches which should not be the root bridge. For example, a port on a distribution layer switch which is connected to an access layer switch can be root guard enabled, because the access layer switch should never become the root bridge.

[Topology diagram: switches DU and ASHISH connected over Gi0/1, each with a PC attached]

Switch(config)#hostname DU
Switch(config)#hostname ASHISH

Now check which switch is the root bridge

DU#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0060.70EA.AB24
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

ASHISH#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0060.70EA.AB24
             Cost        4
             Port        25(GigabitEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Root FWD 4         128.25   P2p

Switch DU becomes the root bridge...right?

Now we will enable root guard on switch DU on port G0/1, so that if switch ASHISH wants to become the root bridge then port G0/1 of switch DU will shut down.

DU(config)#interface gigabitEthernet 0/1
DU(config-if)#spanning-tree guard root

Now ping from PC1 to PC2 to verify connectivity

C:\>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time=12ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
[remaining replies not legible in the scan]

C:\>ping 192.168.10.2
Request timed out.
Request timed out.
Request timed out.

The port becomes red coloured, which indicates that the port is shut down when switch ASHISH wants to become the root bridge:

%SPANTREE-2-ROOTGUARD_BLOCK: Port GigabitEthernet0/1 tried to become non-designated in VLAN 1. Moved to root-inconsistent state

The above message is generated on switch DU.

To recover we need to do the following configuration. Reset the priority value of switch ASHISH:

ASHISH(config)#spanning-tree vlan 1 priority 32768

On switch DU:

DU(config)#interface gigabitEthernet 0/1
DU(config-if)#shutdown
DU(config-if)#no shutdown

Now ping from PC1 to PC2 to verify connectivity

C:\>ping 192.168.10.2
Reply from 192.168.10.2: bytes=32 time=12ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
[remaining replies not legible in the scan]

[Fragment of a later page captured in the preview: a ping to 192.168.30.2 whose first request times out and then receives replies, and a packet capture showing Address Resolution Protocol (request)]

RSPAN

An extension of SPAN is called remote SPAN, or RSPAN. RSPAN is similar to SPAN, but it supports source ports, source VLANs, and destination ports on different switches. RSPAN allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices. RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated to the RSPAN session. This VLAN is then trunked to other switches, allowing the RSPAN session traffic to be transported across multiple switches. On the switch that contains the destination port for the session, traffic from the RSPAN session VLAN is simply mirrored out the destination port.
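For the root guard lab above (LAB 7), an added example that is not part of the manual: it parses "show spanning-tree" output to tell whether a switch sees itself as root and which role each port holds, and recognises the %SPANTREE-2-ROOTGUARD_BLOCK syslog line that root guard raises. The sample outputs are constructed to resemble the lab's Packet Tracer output; the bridge MAC addresses in them are made up.

```python
"""Root-bridge and root-guard checks (added example, not from the lab manual).

Parses `show spanning-tree` output and the root-guard syslog message so an
operator can confirm which bridge is root and which port root guard has put
into root-inconsistent state. Sample outputs below are constructed.
"""
import re

# Constructed sample: DU is the root; ASHISH reaches the root through Gi0/1.
DU_STP = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0060.70EA.AB24
             This bridge is the root

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0060.70EA.AB24

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----------------
Gi0/1            Desg FWD 4         128.25   P2p
"""
ASHISH_STP = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0060.70EA.AB24
             Cost        4
             Port        25(GigabitEthernet0/1)

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.43A7.2E01

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----------------
Gi0/1            Root FWD 4         128.25   P2p
"""

ROOT_GUARD_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARD_BLOCK: Port (?P<port>\S+) tried to become "
    r"non-designated in VLAN (?P<vlan>\d+)\. Moved to root-inconsistent state")
ADDR_RE = re.compile(r"Address\s+([0-9A-Fa-f.]+)")
PORT_RE = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(\S+)\s")


def parse_spanning_tree(text):
    """Map VLAN id -> {root, bridge, is_root, ports} from show spanning-tree."""
    vlans, vlan, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^VLAN(\d{4})$", line)
        if m:                       # a new per-VLAN block starts
            vlan = int(m.group(1))
            vlans[vlan] = {"root": None, "bridge": None, "ports": {}}
            section = None
            continue
        if vlan is None:
            continue
        if line.startswith("Root ID"):
            section = "root"
        elif line.startswith("Bridge ID"):
            section = "bridge"
        m = ADDR_RE.search(line)
        if m and section:           # Address line belongs to Root ID or Bridge ID
            vlans[vlan][section] = m.group(1).lower()
        m = PORT_RE.match(line)
        if m:                       # interface table: name -> (role, state)
            vlans[vlan]["ports"][m.group(1)] = (m.group(2), m.group(3))
    for v in vlans.values():
        v["is_root"] = v["root"] is not None and v["root"] == v["bridge"]
    return vlans


def root_guard_event(syslog_line):
    """Return (port, vlan) if the line is a root-guard block, else None."""
    m = ROOT_GUARD_RE.search(syslog_line)
    return (m.group("port"), int(m.group("vlan"))) if m else None
```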