
Lab Topology

Part I: Port Security

1) Enable port-security on the port where the station is connected to the switch, and set the maximum number of addresses it may learn to 1
(conf-if)# switchport port-security
enables the port security mechanism
(conf-if)# switchport port-security maximum 1
BIT Academy Romania
Calea Victoriei nr. 39A, sector 1, București
office@bitacad.net
www.bitacad.net
www.facebook.com/bitacad

2) Statically set a MAC address on the port, different from the station's NIC, so that the violation feature can be tested
(conf-if)# switchport port-security mac-address 0000.0000.0001
3) On a port-security policy violation, put the port into errdisable
(conf-if)# switchport port-security violation shutdown
(conf-if)# shut
(conf-if)# no shut
# show port-security interface [INT_NR]
# show interfaces status err-disabled
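The behaviour steps 1 to 3 configure, as an added model that is not part of the lab sheet: a port with maximum 1, one static secure MAC and violation shutdown, replayed against a frame from the station's real NIC (the NIC address aaaa.bbbb.cccc is constructed; the other two violation modes are modelled too, for comparison).

```python
# Added example (not from the lab): a small model of a port configured with
# "switchport port-security maximum 1", one static secure MAC and
# "violation shutdown". It replays the lab test: 0000.0000.0001 is the static
# secure MAC, so a frame from the station's real NIC (constructed here as
# aaaa.bbbb.cccc) is a violation and the port goes err-disabled.

class PortSecurity:
    def __init__(self, maximum=1, static_macs=(), violation="shutdown"):
        self.maximum = maximum            # switchport port-security maximum N
        self.secure = set(static_macs)    # static + dynamically learned MACs
        self.violation = violation        # shutdown | restrict | protect
        self.errdisabled = False
        self.violation_count = 0          # "Security Violation Count" in show output
        self.last_source = None

    def receive(self, src_mac):
        """Return 'forward', 'drop' or 'err-disable' for a frame from src_mac."""
        if self.errdisabled:
            return "drop"                 # an err-disabled port passes nothing
        self.last_source = src_mac
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)      # dynamic learning while below the maximum
            return "forward"
        # unknown source MAC while the secure table is full: a violation
        if self.violation == "protect":
            return "drop"                 # silently dropped, not counted
        self.violation_count += 1
        if self.violation == "restrict":
            return "drop"                 # dropped and counted (IOS also logs it)
        self.errdisabled = True           # shutdown: the port is err-disabled
        return "err-disable"

    def bounce(self):
        """shut / no shut on the interface clears the err-disabled state."""
        self.errdisabled = False

def lab_scenario():
    port = PortSecurity(maximum=1, static_macs={"0000.0000.0001"})
    results = [port.receive("0000.0000.0001"),   # the static MAC: allowed
               port.receive("aaaa.bbbb.cccc"),   # the real NIC: violation
               port.receive("0000.0000.0001")]   # nothing passes afterwards
    return results, port.errdisabled, port.violation_count
```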


**CLEANUP**

Part II: VACLs

4) Address the devices ESW1 and ESW2. Make sure the SW1 interfaces are Layer 2, access VLAN 100.
5) Verify Layer 3 reachability

6) Block ICMP in access VLAN 100.

@SW1
(conf)# ip access-list extended MATCH-ICMP
(conf-ext-nacl)# permit icmp any any
the ACL only matches packets here; it does not filter by itself
(conf)# vlan access-map DROP-ICMP 10
sequence 10
(conf-acc-map)# match ip address MATCH-ICMP
(conf-acc-map)# action drop
(conf)# vlan access-map DROP-ICMP 20
sequence 20
(conf-acc-map)# action forward
otherwise there is an implicit deny, like the familiar one in classic ACLs
(conf)# vlan filter DROP-ICMP vlan-list 100

7) Retry the ping

# show vlan access-map


8) Retry other, non-ICMP types of traffic

@ESW1
(conf)# line vty 0 4
(conf-line)# password bitacad
@ESW2: telnet to ESW1
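How the DROP-ICMP access-map of step 6 decides the ping of step 7 and the telnet of step 8, as an added model that is not part of the lab sheet. It assumes the filter is applied to VLAN 100, where the lab's access ports sit, and the packets are constructed dicts.

```python
# Added example (not from the lab): a model of how the DROP-ICMP VLAN
# access-map is evaluated. Sequences are tried in order; the first one whose
# match clause hits decides the action, and a packet that matches no sequence
# is dropped (implicit deny). That is why sequence 20, with a bare
# "action forward", is needed for the non-ICMP telnet test in step 8.
# Packets are constructed dicts with the fields the lab's ACL looks at.

def acl_permits(acl, pkt):
    """acl: list of (action, protocol) entries with 'any any' endpoints."""
    for action, proto in acl:
        if proto == "ip" or proto == pkt["proto"]:
            return action == "permit"     # first matching entry decides
    return False                          # implicit deny at the end of the ACL

def vacl_action(access_map, acls, pkt):
    """access_map: list of (sequence, acl name or None, action)."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_name is None or acl_permits(acls[acl_name], pkt):
            return action                 # a sequence without match clause matches all
    return "drop"                         # no sequence matched: implicit deny

def vlan_filter(filters, access_maps, acls, pkt):
    """filters: {vlan id: access-map name}; VLANs without a filter forward."""
    map_name = filters.get(pkt["vlan"])
    if map_name is None:
        return "forward"
    return vacl_action(access_maps[map_name], acls, pkt)

ACLS = {"MATCH-ICMP": [("permit", "icmp")]}
LAB_MAPS = {"DROP-ICMP": [(10, "MATCH-ICMP", "drop"), (20, None, "forward")]}
MAPS_WITHOUT_SEQ20 = {"DROP-ICMP": [(10, "MATCH-ICMP", "drop")]}
FILTERS = {100: "DROP-ICMP"}              # vlan filter DROP-ICMP vlan-list 100

def lab_results(access_maps=LAB_MAPS):
    """(ping in VLAN 100, telnet in VLAN 100, ping in an unfiltered VLAN)."""
    ping = {"vlan": 100, "proto": "icmp"}
    telnet = {"vlan": 100, "proto": "tcp", "dport": 23}
    ping_elsewhere = {"vlan": 1, "proto": "icmp"}
    return tuple(vlan_filter(FILTERS, access_maps, ACLS, p)
                 for p in (ping, telnet, ping_elsewhere))
```

With sequence 20 removed, the same telnet is dropped by the implicit deny, which is the mistake the "otherwise" note in step 6 warns about.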


**CLEANUP**

Part III: Private VLANs


9) Address the Layer 3 interfaces as above

Verify Layer 3 reachability for all nodes

10) The VLANs of interest are 100 (primary), 150 (community), 160 (isolated)
@SW1
(conf)# vtp mode transparent
because VTPv1 and VTPv2 cannot replicate private VLANs; PVLAN support was introduced in VTPv3 starting with IOS 12.2(52)SE
(conf)# vlan 150
(conf-vlan)# private-vlan community
(conf)# vlan 160
(conf-vlan)# private-vlan isolated
(conf)# vlan 100
(conf-vlan)# private-vlan primary

11) Map the secondary VLANs to the primary

(conf)# vlan 100
(conf-vlan)# private-vlan association add 150
(1) association at VLAN creation: associates the secondary with the primary
(conf-vlan)# private-vlan association add 160
the add keyword behaves like allowed VLANs on a trunk (add/remove)
show command

12) Configure ESW2 and R1 to be in secondary community VLAN 150

Identify the interfaces on which ESW2 and R1 are connected
@SW1 towards ESW2
(conf)# interface [INT_NR]
(conf-if)# switchport mode private-vlan host
(conf-if)# switchport private-vlan host-association 100 150
primary, secondary association
(2) association for host ports

@SW1 towards R1
(conf)# interface [INT_NR]
(conf-if)# switchport mode private-vlan host
(conf-if)# switchport private-vlan host-association 100 150
primary, secondary association


13) Configure ESW3 and R2 to be in secondary isolated VLAN 160

Same as before, but adjust the secondary VLAN you map to the primary (160 instead of 150)

@SW1 towards ESW3
(conf)# interface [INT_NR]
(conf-if)# switchport mode private-vlan host
(conf-if)# switchport private-vlan host-association 100 160
primary, secondary association

@SW1 towards R2
(conf)# interface [INT_NR]
(conf-if)# switchport mode private-vlan host
(conf-if)# switchport private-vlan host-association 100 160
primary, secondary association


14) Configure the interface for the link between SW1 and ESW1 as a promiscuous port
@SW1
(conf)# interface [INT_NR]
(conf-if)# switchport mode private-vlan promiscuous
(conf-if)# switchport private-vlan mapping 100 add 150
(3) association for the promiscuous port
(conf-if)# switchport private-vlan mapping 100 add 160

15) What should you observe?

ESW2 and R1 can communicate with each other (community) and with the gateway
ESW3 and R2 cannot communicate with each other (isolated), but can communicate with the gateway

# show vlan private-vlan
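The forwarding rules behind the step-15 observations, as an added model that is not part of the lab sheet. Port names follow the lab's device names; treating the ESW1 side of the promiscuous port as the gateway is an assumption.

```python
# Added example (not from the lab): a model of the private-VLAN forwarding
# rules behind the step-15 check. Two ports in the same primary VLAN can
# talk only if one of them is promiscuous and the other's secondary VLAN is
# mapped to it, or if both are host ports in the same community VLAN.
# Two isolated host ports never reach each other. Port names follow the
# lab; treating the ESW1 side as the gateway is an assumption.

COMMUNITY, ISOLATED = "community", "isolated"
SECONDARY = {150: COMMUNITY, 160: ISOLATED}   # private-vlan community / isolated

# port -> (mode, primary VLAN, secondary VLAN or set of mapped secondaries)
PORTS = {
    "ESW1": ("promiscuous", 100, {150, 160}),  # private-vlan mapping 100 add 150 / 160
    "ESW2": ("host", 100, 150),                # host-association 100 150
    "R1":   ("host", 100, 150),
    "ESW3": ("host", 100, 160),                # host-association 100 160
    "R2":   ("host", 100, 160),
}

def can_talk(a, b):
    """True if Layer 2 forwarding is allowed between ports a and b."""
    mode_a, prim_a, sec_a = PORTS[a]
    mode_b, prim_b, sec_b = PORTS[b]
    if prim_a != prim_b:
        return False                       # different primary VLANs: no path at all
    if mode_a == "promiscuous" and mode_b == "promiscuous":
        return True
    if mode_a == "promiscuous":
        return sec_b in sec_a              # host reaches promiscuous only via a mapped secondary
    if mode_b == "promiscuous":
        return sec_a in sec_b
    # two host ports: same secondary VLAN, and only if it is a community VLAN
    return sec_a == sec_b and SECONDARY[sec_a] == COMMUNITY

def reachability():
    """{(src, dst): bool} for every ordered pair of lab ports."""
    return {(x, y): can_talk(x, y) for x in PORTS for y in PORTS if x != y}
```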


**CLEANUP**
Part IV: DHCP Snooping


1) Configure IP addressing and verify Layer 3 reachability

2) Configure ESW3 as a DHCP server that leases addresses from a pool


@ESW3
(conf)# ip dhcp pool BITPOOL
(dhcp-conf)# network 10.10.10.0 /24
10.10.10.0 [space] /24

@ESW2
(conf-if)# ip address dhcp
check whether the new DHCP server hands out leases

3) Configure ESW1 as a rogue DHCP server

@ESW1
(conf)# ip dhcp pool ROGUEPOOL
(dhcp-conf)# network 10.10.10.0 /24

@ESW2
(conf-if)# ip address dhcp
check whether the rogue DHCP server hands out leases (for testing only)

@ESW1: shut the interface (for now)



4) Enable DHCP snooping on SW1 (globally)

@SW1
(conf)# ip dhcp snooping
(conf)# no ip dhcp snooping information option
stops the insertion of option 82 into DHCP messages

The DHCP Information option (Option 82) is commonly used in metro or large enterprise deployments to provide
additional information on the physical attachment of the client. Option 82 is meant for a distributed DHCP
server/relay environment, where relays insert additional information to identify the client's point of attachment.
(conf)# ip dhcp snooping vlan 1

5) Configure trusted and untrusted interfaces on SW1

By default, all interfaces are untrusted
@SW1, the port for the link between SW1 and ESW3
(conf-if)# ip dhcp snooping trust

6) Configure SW1 to throttle DHCP requests from clients to at most 5 DHCP packets/sec
protects against pool depletion (exhausting the pool)
@SW1, the port for the link between the DHCP client and SW1
(conf-if)# ip dhcp snooping limit rate 5

7) Verify that DHCP snooping works

@ESW2 (DHCP client)
(conf-if)# shut
(conf-if)# no shut
Check in turn whether you can obtain an address from each of the two DHCP servers present in the topology

@SW1
# show ip dhcp snooping
# show ip dhcp snooping binding
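The decisions steps 4 to 7 exercise, as an added model that is not part of the lab sheet: the rogue OFFER from ESW1 dropped on its untrusted port, the trusted ESW3 exchange completing into a binding-table entry, and a burst of client DISCOVERs tripping the rate limit. The port names (Gi0/1 to ESW1, Gi0/2 to ESW2, Gi0/3 to ESW3), the client MAC and the trace are constructed.

```python
# Added example (not from the lab): a model of the DHCP snooping checks from
# steps 4 to 6. Server messages (OFFER/ACK/NAK) seen on an untrusted port are
# dropped, client messages on an untrusted port are rate limited ("limit rate
# 5": the sixth packet within one second err-disables the port), and a binding
# is recorded when an ACK from the trusted port answers a client. Port names
# (Gi0/1 to ESW1, Gi0/2 to ESW2, Gi0/3 to ESW3) and the trace are constructed.

SERVER_MSGS = {"OFFER", "ACK", "NAK"}

class DhcpSnooping:
    def __init__(self, trusted, rate_limits):
        self.trusted = set(trusted)          # ports with "ip dhcp snooping trust"
        self.rate_limits = rate_limits       # port -> "ip dhcp snooping limit rate N"
        self.counts = {}                     # (port, second) -> client packets seen
        self.errdisabled = set()
        self.client_ports = {}               # client MAC -> untrusted port it sits on
        self.bindings = {}                   # client MAC -> (leased IP, port): binding table
        self.log = []

    def handle(self, port, second, msg, mac, ip=None):
        """Return 'forward', 'drop' or 'err-disable' for one DHCP message."""
        if port in self.errdisabled:
            return "drop"
        if port not in self.trusted:
            if msg in SERVER_MSGS:
                self.log.append(f"{msg} from untrusted {port} dropped (rogue server)")
                return "drop"
            key = (port, second)
            self.counts[key] = self.counts.get(key, 0) + 1
            if self.counts[key] > self.rate_limits.get(port, float("inf")):
                self.errdisabled.add(port)
                self.log.append(f"{port} err-disabled: DHCP rate limit exceeded")
                return "err-disable"
            self.client_ports[mac] = port    # remember where the client lives
        elif msg == "ACK" and mac in self.client_ports:
            self.bindings[mac] = (ip, self.client_ports[mac])
        return "forward"

def lab_trace():
    snoop = DhcpSnooping(trusted={"Gi0/3"}, rate_limits={"Gi0/2": 5})
    client = "aaaa.bbbb.cccc"                # ESW2's MAC (constructed)
    exchange = [snoop.handle("Gi0/2", 0, "DISCOVER", client),
                snoop.handle("Gi0/1", 0, "OFFER", client, "10.10.10.2"),  # rogue ESW1
                snoop.handle("Gi0/3", 0, "OFFER", client, "10.10.10.3"),  # ESW3
                snoop.handle("Gi0/2", 0, "REQUEST", client),
                snoop.handle("Gi0/3", 0, "ACK", client, "10.10.10.3")]
    flood = [snoop.handle("Gi0/2", 1, "DISCOVER", f"0000.0000.000{i}") for i in range(7)]
    return exchange, flood, snoop.bindings, sorted(snoop.errdisabled)
```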

