Packet Tracer - Layer 2 Security Topology
Objectives
• Assign the Central switch as the root bridge.
• Secure spanning-tree parameters to prevent STP manipulation attacks.
• Enable storm control to prevent broadcast storms.
• Enable port security to prevent MAC address table overflow attacks.
Background / Scenario
There have been a number of attacks on the network recently. For this reason, the network administrator has assigned you the task of configuring Layer 2 security. For optimum performance and security, the administrator would like to ensure that the root bridge is the 3560 Central switch. To prevent against spanning-tree manipulation attacks, the administrator wants to ensure that the STP parameters are secure. In addition, the network administrator would like to enable storm control to prevent broadcast storms. Finally, to prevent against MAC address table overflow attacks, the network administrator has decided to configure port security to limit the number of MAC addresses that can be learned per switch port. If the number of MAC addresses exceeds the set limit, the administrator would like the port to be shut down. All switch devices have been preconfigured with the following:
o Enable password: ciscoenpa55
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
o Console password: ciscoconpa55
o VTY line password: ciscovtypa55
Part 1: Configure Root Bridge
Step 1: Determine the current root bridge.
From Central, issue the show spanning-tree command to determine the current root bridge and to see the ports in use and their status.
Which switch is the current root bridge?
Current root is SW-1.
Based on the current root bridge, what is the resulting spanning tree? (Draw the spanning-tree topology.)
Step 2: Assign Central as the primary root bridge.
Using the spanning-tree vlan 1 root primary command, assign Central as the root bridge.
Central(config)# spanning-tree vlan 1 root primary
Step 3: Assign SW-1 as a secondary root bridge.
Assign SW-1 as the secondary root bridge using the spanning-tree vlan 1 root secondary command.
SW-1(config)# spanning-tree vlan 1 root secondary
Step 4: Verify the spanning-tree configuration.
Issue the show spanning-tree command to verify that Central is the root bridge.
Which switch is the current root bridge?
Current root is Central.
Based on the new root bridge, what is the resulting spanning tree? (Draw the spanning-tree topology.)
Part 2: Protect Against STP Attacks
Secure the STP parameters to prevent STP manipulation attacks.
Step 1: Enable PortFast on all access ports.
PortFast is configured on access ports that connect to a single workstation or server to enable them to become active more quickly. On the connected access ports of SW-A and SW-B, use the spanning-tree portfast command.
SW-A(config)# interface range fastethernet 0/1 - 4
SW-A(config-if-range)# spanning-tree portfast
SW-B(config)# interface range fastethernet 0/1 - 4
SW-B(config-if-range)# spanning-tree portfast
Step 2: Enable BPDU guard on all access ports.
BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports. Enable BPDU guard on SW-A and SW-B access ports.
SW-A(config)# interface range fastethernet 0/1 - 4
SW-A(config-if-range)# spanning-tree bpduguard enable
SW-B(config)# interface range fastethernet 0/1 - 4
SW-B(config-if-range)# spanning-tree bpduguard enable
Note: Spanning-tree BPDU guard can be enabled on each individual port using the spanning-tree bpduguard enable command in the interface configuration mode or the spanning-tree portfast bpduguard default command in the global configuration mode. For grading purposes in this activity, please use the spanning-tree bpduguard enable command.
Step 3: Enable root guard.
Root guard can be enabled on all ports on a switch that are not root ports. It is best deployed on ports that connect to other non-root switches. Use the show spanning-tree command to determine the location of the root port on each switch. On SW-1, enable root guard on ports Fa0/23 and Fa0/24. On SW-2, enable root guard on ports Fa0/23 and Fa0/24.
SW-1(config)# interface range fa0/23 - 24
SW-1(config-if-range)# spanning-tree guard root
SW-2(config)# interface range fa0/23 - 24
SW-2(config-if-range)# spanning-tree guard root
Part 3: Enable Storm Control
Step 1: Enable storm control for broadcasts.
a. Enable storm control for broadcasts on all ports connecting switches (trunk ports).
b. Enable storm control on interfaces connecting Central, SW-1, and SW-2. Set a 50 percent rising suppression level using the storm-control broadcast command.
SW-1(config)# interface range gi1/1 , fa0/1 , fa0/23 - 24
SW-1(config-if-range)# storm-control broadcast level 50
SW-2(config)# interface range gi1/1 , fa0/1 , fa0/23 - 24
SW-2(config-if-range)# storm-control broadcast level 50
Central(config)# interface range gi0/1 , gi0/2 , fa0/1
Central(config-if-range)# storm-control broadcast level 50
Step 2: Verify storm control configuration.
Verify your configuration with the show storm-control broadcast and the show run commands.
Part 4: Configure Port Security and Disable Unused Ports
Step 1: Configure basic port security on all ports connected to host devices.
This procedure should be performed on all access ports on SW-A and SW-B. Set the maximum number of learned MAC addresses to 2, allow the MAC address to be learned dynamically, and set the violation to shutdown.
Note: A switch port must be configured as an access port to enable port security.
SW-A(config)# interface range fa0/1 - 22
SW-A(config-if-range)# switchport mode access
SW-A(config-if-range)# switchport port-security
SW-A(config-if-range)# switchport port-security maximum 2
SW-A(config-if-range)# switchport port-security violation shutdown
SW-A(config-if-range)# switchport port-security mac-address sticky
SW-B(config)# interface range fa0/1 - 22
SW-B(config-if-range)# switchport mode access
SW-B(config-if-range)# switchport port-security
SW-B(config-if-range)# switchport port-security maximum 2
SW-B(config-if-range)# switchport port-security violation shutdown
SW-B(config-if-range)# switchport port-security mac-address sticky
Why would you not want to enable port security on ports connected to other switches or routers?
Ports connected to other switch devices and routers can, and should, have a multitude of MAC addresses learned for that single port. Limiting the number of MAC addresses that can be learned on these ports can significantly impact network functionality.
Step 2: Verify port security.
On SW-A, issue the show port-security interface fa0/1 command to verify that port security has been configured.
Step 3: Disable unused ports.
Disable all ports that are currently unused.
SW-A(config)# interface range fa0/5 - 22
SW-A(config-if-range)# shutdown
SW-B(config)# interface range fa0/5 - 22
SW-B(config-if-range)# shutdown
Step 4: Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
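As an added example that is not part of the Packet Tracer activity, the following Python script audits a switch running-config against the hardening applied in Parts 2 to 4: access ports must carry PortFast, BPDU guard and port security (maximum 2, violation shutdown), trunk ports must carry storm control and must not carry port security, and unused ports must be shut down. It assumes uplinks are explicitly configured with switchport mode trunk; the running-config fragment is constructed, not captured from the lab switches.

```python
# Constructed sample running-config fragment, not captured from the lab's switches:
# Fa0/1 is hardened, Fa0/5 is unused, Gi1/1 is an uplink that wrongly has port-security.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/5
 shutdown
interface GigabitEthernet1/1
 switchport mode trunk
 switchport port-security
 storm-control broadcast level 50.00
"""
ACCESS_REQUIRED = ("spanning-tree portfast", "spanning-tree bpduguard enable",
                   "switchport port-security", "switchport port-security maximum 2",
                   "switchport port-security violation shutdown")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for each interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return stanzas

def audit(config):
    """Return {interface: [findings]}; an empty list means the port passes."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        issues, up = [], "shutdown" not in cmds  # a shut-down (unused) port needs nothing more
        if up and "switchport mode trunk" in cmds:
            if not any(c.startswith("storm-control broadcast level") for c in cmds):
                issues.append("missing storm-control broadcast")
            if "switchport port-security" in cmds:
                issues.append("port-security on uplink (many MACs expected)")
        elif up and "switchport mode access" in cmds:
            issues = [f"missing {r}" for r in ACCESS_REQUIRED if r not in cmds]
        report[name] = issues
    return report
```

Feed it the output of show run from each switch; any non-empty list in the report is a port that does not match the lab's intended configuration.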
!!!Script for Central
conf t
spanning-tree vlan 1 root primary
interface range gi0/1 , gi0/2 , fa0/1
storm-control broadcast level 50
end
!!!Script for SW-1
conf t
spanning-tree vlan 1 root secondary
interface range fa0/23 - 24
spanning-tree guard root
interface range gi1/1 , fa0/1 , fa0/23 - 24
storm-control broadcast level 50
end
!!!Script for SW-2
conf t
interface range fa0/23 - 24
spanning-tree guard root
interface range gi1/1 , fa0/1 , fa0/23 - 24
storm-control broadcast level 50
end
!!!Script for SW-A
conf t
interface range fastethernet 0/1 - 4
spanning-tree portfast
spanning-tree bpduguard enable
interface range fa0/1 - 22
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
interface range fa0/5 - 22
shutdown
end
!!!Script for SW-B
conf t
interface range fastethernet 0/1 - 4
spanning-tree portfast
spanning-tree bpduguard enable
interface range fa0/1 - 22
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
interface range fa0/5 - 22
shutdown
end