Notes: CCNAS_ PTA_L2-VLAN-Security

嚯嚯嚯www 31 2022-08-26

I. Lab Environment

Lab topology (figure)

Lab requirements

· Connect a new redundant link between SW-1 and SW-2.
· Enable trunking and configure security on the new trunk link between SW-1 and SW-2.
· Create a new management VLAN (VLAN 20) and attach a management PC to that VLAN.
· Implement an ACL to prevent outside users from accessing the management VLAN.

II. Configuration Steps

1. Using a crossover cable, connect port Fa0/23 on SW-1 to port Fa0/23 on SW-2.

2. On both SW-1 and SW-2, set the port to trunk mode, assign native VLAN 15 to the trunk port, and disable auto-negotiation.

SW-1(config)#interface fastEthernet 0/23
SW-1(config-if)#no shutdown 
SW-1(config-if)#switchport mode trunk
SW-1(config-if)#switchport trunk native vlan 15
SW-1(config-if)#switchport nonegotiate

SW-2(config)#interface fastEthernet 0/23
SW-2(config-if)#no shutdown
SW-2(config-if)#switchport mode trunk
SW-2(config-if)#switchport trunk native vlan 15
SW-2(config-if)#switchport nonegotiate

3. Enable VLAN 20 on SW-A and use the default name of VLAN0020.
Create an interface VLAN 20 and assign it an IP address within the 192.168.20.0/24 network. Enable the same management VLAN on all other switches.

SW-A(config)#vlan 20
SW-A(config-vlan)#interface vlan 20
SW-A(config-if)#ip address 192.168.20.1 255.255.255.0

SW-B(config)#vlan 20
SW-B(config-vlan)#interface vlan 20
SW-B(config-if)#ip address 192.168.20.2 255.255.255.0

SW-1(config)#vlan 20
SW-1(config-vlan)#interface vlan 20
SW-1(config-if)#ip address 192.168.20.3 255.255.255.0

SW-2(config)#vlan 20
SW-2(config-vlan)#interface vlan 20
SW-2(config-if)#ip address 192.168.20.4 255.255.255.0

Central(config)#vlan 20
Central(config-vlan)#interface vlan 20
Central(config-if)#ip address 192.168.20.5  255.255.255.0

4. Connect the management PC to SW-A port Fa0/1.

5. Interface Fa0/1 must be part of VLAN 20.

SW-A(config)#interface fastEthernet 0/1
SW-A(config-if)#no shutdown
SW-A(config-if)#switchport access vlan 20

6. On router R1, create subinterface Fa0/0.3 and assign it an IP address within the 192.168.20.0/24 network.
Be sure to set the encapsulation to dot1q 20 so that the subinterface carries VLAN 20.

R1(config)#interface fastEthernet 0/0.3
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 192.168.20.100 255.255.255.0
R1(config-subif)#exit

7. Create an ACL (or ACLs) that denies any network from accessing the 192.168.20.0/24 network but permits all other networks to access one another.
Apply the ACL to the proper interface(s).

# Approach from the official answer key: define ACL 101 to deny traffic to the 192.168.20.0/24 network and apply it inbound on the non-management subinterfaces
R1(config)#access-list 101 deny ip any 192.168.20.0 0.0.0.255
R1(config)#access-list 101 permit ip any any
R1(config)#interface fastEthernet 0/0.1
R1(config-subif)#ip access-group 101 in
R1(config)#interface fastEthernet 0/0.2
R1(config-subif)#ip access-group 101 in
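To reason about what ACL 101 does on each subinterface without opening Packet Tracer, here is an added Python model (not part of the original notes or the lab's answer key). It parses the R1 configuration lines shown on this page and evaluates sample packets by ingress interface; the interface names, ACL and addresses come from the page, while the host addresses in the checks are constructed.

```python
# Added example (not from the original notes): a model of how R1 applies
# ACL 101 per ingress interface, honouring IOS wildcard masks and the
# implicit "deny ip any any" that ends every IOS ACL.
import ipaddress
# Constructed sample: the relevant lines of the R1 running-config above.
R1_CONFIG = """
interface FastEthernet0/0.1
 ip access-group 101 in
interface FastEthernet0/0.2
 ip access-group 101 in
interface FastEthernet0/0.3
access-list 101 deny ip any 192.168.20.0 0.0.0.255
access-list 101 permit ip any any
"""

def _take_addr(tokens):
    # Consume one address spec: "any" or "network wildcard" (the forms on this page).
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def parse_config(text):
    """Return ({acl: [(action, src_spec, dst_spec)]}, {interface: inbound acl})."""
    acls, acl_in, iface = {}, {}, None
    for tokens in (l.split() for l in text.splitlines() if l.strip()):
        if tokens[0] == "interface":
            iface = tokens[1]
        elif tokens[:2] == ["ip", "access-group"] and tokens[3] == "in":
            acl_in[iface] = tokens[2]
        elif tokens[0] == "access-list" and tokens[3] == "ip":
            src, rest = _take_addr(tokens[4:])
            dst, _ = _take_addr(rest)
            acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls, acl_in

def _matches(addr, spec):
    if spec == "any":
        return True
    net, wild = spec.split()  # IOS wildcard: a 1 bit means "do not care"
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(net)) & care

def evaluate(cfg, ingress, src, dst):
    acls, acl_in = cfg
    if ingress not in acl_in:
        return "permit"  # no ACL on this interface: nothing is filtered
    for action, s, d in acls[acl_in[ingress]]:  # first match wins
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL
```

Note that the access-group is only on Fa0/0.1 and Fa0/0.2: replies from VLAN 5 or VLAN 10 hosts back to 192.168.20.0/24 are dropped too, and a packet entering on Serial0/0/0 is not filtered by this ACL at all, so the lab relies on 192.168.20.0/24 not being listed under router rip in R1's configuration.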

III. Verification

The management PC C1 can reach the 192.168.20.0/24 network normally (figure).

The remaining PCs cannot reach the VLAN 20 management network (figure).

Complete lab configurations


R1 running-config
Building configuration…

Current configuration : 1343 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 5
ip address 192.168.5.100 255.255.255.0
ip access-group 101 in
!
interface FastEthernet0/0.2
encapsulation dot1Q 10
ip address 192.168.10.100 255.255.255.0
ip access-group 101 in
!
interface FastEthernet0/0.3
encapsulation dot1Q 20
ip address 192.168.20.100 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 209.165.200.1 255.255.255.0
clock rate 2000000
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router rip
network 192.168.5.0
network 192.168.10.0
network 209.165.200.0
!
ip classless
!
ip flow-export version 9
!
!
access-list 101 deny ip any 192.168.20.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
!
!
logging trap debugging
line con 0
password ciscoconpa55
!
line aux 0
!
line vty 0 4
password ciscovtypa55
login
!
!
!
End


Central running-config
Building configuration…

Current configuration : 1686 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Central
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
shutdown
!
interface GigabitEthernet0/1
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/2
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
ip address 192.168.20.5 255.255.255.0
!
logging trap debugging
!
!
!
line con 0
password ciscoconpa55
!
line vty 0 4
password ciscovtypa55
login
line vty 5 15
login
!
!
End


SW-1 running-config
Building configuration…

Current configuration : 1706 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW-1
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/24
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/1
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
ip address 192.168.20.3 255.255.255.0
!
logging trap debugging
!
!
!
line con 0
password ciscoconpa55
!
line vty 0 4
password ciscovtypa55
login
line vty 5 15
login
!
!
End


SW-2 running-config
Building configuration…

Current configuration : 1706 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW-2
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/24
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/1
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
ip address 192.168.20.4 255.255.255.0
!
logging trap debugging
!
!
!
line con 0
password ciscoconpa55
!
line vty 0 4
password ciscovtypa55
login
line vty 5 15
login
!
!
End


SW-A running-config
Building configuration…

Current configuration : 1613 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW-A
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport access vlan 20
!
interface FastEthernet0/2
switchport access vlan 10
!
interface FastEthernet0/3
switchport access vlan 10
!
interface FastEthernet0/4
switchport access vlan 5
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
logging trap debugging
!
!
!
line con 0
password ciscoconpa55
!
line vty 0 4
password ciscovtypa55
login
line vty 5 15
login
!
!
End


SW-B running-config
Building configuration…

Current configuration : 1631 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW-B
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport access vlan 5
!
interface FastEthernet0/2
switchport access vlan 5
!
interface FastEthernet0/3
switchport access vlan 5
!
interface FastEthernet0/4
switchport access vlan 10
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
switchport trunk native vlan 15
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
!
logging trap debugging
!
!
!
line con 0
password ciscoconpa55
!
line vty 0 4
password ciscovtypa55
login
line vty 5 15
login
!
!
end