MDH Lab – Private-VLANs & VACL

Topologi

pvlan

Objectives

  • Secure the server farm using private VLANs.
  • Secure the staff VLAN from the student VLAN.
  • Secure the staff VLAN when temporary staff personnel are used.

Background

In this lab, you will configure the network to protect the VLANs using router ACLs, VLAN ACLs, and private VLANs. First, you will secure the new server farm by using private VLANs so that broadcasts on one server VLAN are not heard by the other server VLAN.

Service providers use private VLANs to separate different customers’ traffic while utilizing the same parent VLAN for all server traffic. The private VLANs provide traffic isolation between devices, even though they might exist on the same VLAN.

You will then secure the staff VLAN from the student VLAN by using a RACL, which prevents traffic from the student VLAN from reaching the staff VLAN. This allows the student traffic to utilize the network and Internet services while keeping the students from accessing any of the staff resources.

Lastly, you will configure a VACL that allows a host on the staff network to be set up to use the VLAN for access but keeps the host isolated from the rest of the staff machines. This machine is used by temporary staff employees.

Genomförande

L2 basic konfig

Då vi ska använda oss av Private-VLANs i den här labben måste vi konfigurera våra switchar till VTP mode Transparent.

S1

Switch(config)#hostname S1
 S1(config)#line con 0
 S1(config-line)#logging sync
 S1(config-line)#!Trunk-links till S2
 S1(config-line)#int range fa0/1 - 2
 S1(config-if-range)#switchport trunk encaps dot1q
 S1(config-if-range)#switchport mode trunk
 S1(config-if-range)#description to S2
 S1(config-if-range)#channel-protocol lacp
 S1(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S1(config-if-range)#
 S1(config-if-range)#!Trunk-links till S3
 S1(config-if-range)#int range fa0/3 - 4
 S1(config-if-range)#switchport trunk encaps dot1q
 S1(config-if-range)#switchport mode trunk
 S1(config-if-range)#description to S2
 S1(config-if-range)#channel-protocol lacp
 S1(config-if-range)#channel-group 2 mode active
 Creating a port-channel interface Port-channel 2
S1(config-if-range)#exit
 S1(config)#vtp mode transparent
 Setting device to VTP TRANSPARENT mode.
S1(config)#vlan 100,150,200
 S1(config-vlan)#exit

S3

Switch(config)#hostname S3
 S3(config)#line con 0
 S3(config-line)#logging sync
 S3(config-line)#!Trunk-links till S2
 S3(config-line)#int range fa0/1 - 2
 S3(config-if-range)#switchport trunk encaps dot1q
 S3(config-if-range)#switchport mode trunk
 S3(config-if-range)#description to S2
 S3(config-if-range)#channel-protocol lacp
 S3(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S3(config-if-range)#
 S3(config-if-range)#!Trunk-links till S1
 S3(config-if-range)#int range fa0/3 - 4
 S3(config-if-range)#switchport trunk encaps dot1q
 S3(config-if-range)#switchport mode trunk
 S3(config-if-range)#description to S1
 S3(config-if-range)#channel-protocol lacp
 S3(config-if-range)#channel-group 2 mode passive
 Creating a port-channel interface Port-channel 2
S3(config-if-range)#exit
 S3(config)#
 S3(config)#vtp mode transparent
 Setting device to VTP Transparent mode for VLANS.
 S3(config)#vlan 100,150,200
 S3(config-vlan)#exit

S2

Switch(config)#hostname S2
 S2(config)#line con 0
 S2(config-line)#logging sync
 S2(config-line)#!Trunk-links till S1
 S2(config-line)#int range fa0/1 - 2
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S1
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 1 mode passive
 Creating a port-channel interface Port-channel 1
S2(config-if-range)#
 S2(config-if-range)#!Trunk-links till S3
 S2(config-if-range)#int range fa0/3 - 4
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S3
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 2 mode passive
 Creating a port-channel interface Port-channel 2
S2(config-if-range)#exit
 S2(config)#
S2(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
S2(config)#vlan 100,150,200
S2(config-vlan)#exit

HSRP

S1

S1(config)#interface vlan 1
 S1(config-if)#ip add 172.16.1.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.1.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 100
 S1(config-if)#
 S1(config-if)#interface vlan 100
 S1(config-if)#ip add 172.16.100.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.100.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 150
 S1(config-if)#
 S1(config-if)#interface vlan 150
 S1(config-if)#ip add 172.16.150.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.150.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 150
 S1(config-if)#
 S1(config-if)#interface vlan 200
 S1(config-if)#ip add 172.16.200.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.200.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 100
 S1(config-if)#

S3

S3(config)#interface vlan 1
 S3(config-if)#ip add 172.16.1.30 255.255.255.0
 S3(config-if)#no shut
 S3(config-if)#standby 1 ip 172.16.1.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 150
 S3(config-if)#
 S3(config-if)#interface vlan 100
 S3(config-if)#ip add 172.16.100.30 255.255.255.0
 S3(config-if)#standby 1 ip 172.16.100.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 100
 S3(config-if)#
 S3(config-if)#interface vlan 150
 S3(config-if)#ip add 172.16.150.30 255.255.255.0
 S3(config-if)#standby 1 ip 172.16.150.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 100
 S3(config-if)#
 S3(config-if)#interface vlan 200
 S3(config-if)#ip add 172.16.200.30 255.255.255.0
 S3(config-if)#standby 1 ip 172.16.200.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 150
 S3(config-if)#

Verifiering

S1#sh standby brief
 P indicates configured to preempt.
 |
 Interface Grp Pri P State Active Standby Virtual IP
 Vl1 1 100 P Standby 172.16.1.30 local 172.16.1.1
 Vl100 1 150 P Active local 172.16.100.30 172.16.100.1
 Vl150 1 150 P Active local 172.16.150.30 172.16.150.1
 Vl200 1 100 P Standby 172.16.200.30 local 172.16.200.1

Private-VLANs

PVLANs provide layer 2-isolation between ports within the same broadcast domain. There are three types of PVLAN ports:

  • Promiscuous— A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  • Isolated— An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports.
  • Community— Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

Mer info om just PVLANs och design-rekommendationer finns att läsa här!

Vi börjar med att konfigurera upp våra secondary-vlans (Isolated- & Community-PVLAN) i S1 & S3.

S1(config)#vlan 151
S1(config-vlan)#private-vlan isolated
S1(config-vlan)#exit
S1(config)#!Community
S1(config)#vlan 152
S1(config-vlan)#private-vlan community
S1(config-vlan)#exit
S1(config)#

S3(config)#vlan 151
S3(config-vlan)#private-vlan isolated
S3(config-vlan)#exit
S3(config)#!Community
S3(config)#vlan 152
S3(config-vlan)#private-vlan community
S3(config-vlan)#exit

Vi behöver sedan associera våra PVLAN med “parent”-vlanet 150, “primary:n”.

S1(config)#vlan 150
S1(config-vlan)#private-vlan primary
S1(config-vlan)#private-vlan association 151,152
S1(config-vlan)#exit

S3(config)#vlan 150
S3(config-vlan)#private-vlan primary
S3(config-vlan)#private-vlan association 151,152
S3(config-vlan)#exit

Då vi i detta exemplet använder SVI’s för att routa trafik direkt i switchen behöver vi även knyta våra Secondary-vlan till primaryn (150).

S1(config)#interface vlan 150
S1(config-if)#private-vlan mapping 151,152
S1(config-if)#
*Mar 1 01:35:40.794: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
*Mar 1 01:35:40.794: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 152

S3(config)#int vlan 150
S3(config-if)#private-vlan mapping 151,152
S3(config-if)#
*Mar 1 01:35:37.170: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
*Mar 1 01:35:37.170: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 152

Verifiera med “show vlan private-vlan”:

S1#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
150 151 isolated 
150 152 community

Nu återstår det endast att koppla interfacen till respektive secondary-vlan. Enligt uppgiften ska fördelningen se ut enligt följande:

  • Fa0/5-10 – Isolated
  • Fa0/11-15 – Community

S1

S1(config)#int range fa0/5 - 10
S1(config-if-range)#description Isolated-port
S1(config-if-range)#switchport mode private-vlan host
S1(config-if-range)#switchport private-vlan host-association 150 151
S1(config-if-range)#
S1(config-if-range)#int range fa0/11 - 15
S1(config-if-range)#description Community-port
S1(config-if-range)#switchport mode private-vlan host
S1(config-if-range)#switchport private-vlan host-association 150 152

S3

S3(config)#int range fa0/5 - 10
S3(config-if-range)#description Isolated-port
S3(config-if-range)#switchport mode private-vlan host
S3(config-if-range)#switchport private-vlan host-association 150 151
S3(config-if-range)#
S3(config-if-range)#int range fa0/11 - 15
S3(config-if-range)#description Community-port
S3(config-if-range)#switchport mode private-vlan host
S3(config-if-range)#switchport private-vlan host-association 150 152

Verifiering

S3#show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
150 151 isolated Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10
150 152 community Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15

RACL

Vi skulle även skydda Vlan 200 (172.16.200.0/24) från Vlan 100 (172.16.100.0/24), vilket vi gör enkelt med en vanlig ACL.

S1(config)#ip access-list extended RACL
S1(config-ext-nacl)#deny ip 172.16.100.0 0.0.0.255 172.16.200.0 0.0.0.255
S1(config-ext-nacl)#permit ip any any
S1(config-ext-nacl)#exit
S1(config)#interface vlan 200
S1(config-if)#ip access-group RACL in

S3

S3(config)#ip access-list extended RACL
S3(config-ext-nacl)#deny ip 172.16.100.0 0.0.0.255 172.16.200.0 0.0.0.255
S3(config-ext-nacl)#permit ip any any
S3(config-ext-nacl)#exit
S3(config)#interface vlan 200
S3(config-if)#ip access-group RACL in
S3(config-if)#

VACL

Vlan-ACL är ett nytt koncept i CCNP, mer info finns att läsa här! Istället för att knyta det till ett interface används det istället direkt på VLAN:et, själva konfigureringen påminner väldigt mycket om route-maps som vi använt oss mycket av i tidigare inlägg om ex. route-filtering.

Enligt specifikationen skulle vi blockera hosten 172.16.100.150 från att nå någon annan på vlan 100. Vi skapar först en ACL för att ha något att använda i match-statement.

S1(config)#ip access-list extended VACL-BLOCK
S1(config-ext-nacl)#permit ip host 172.16.100.150 172.16.100.0 0.0.0.255
S1(config-ext-nacl)#exit

S3(config)#ip access-list extended VACL-BLOCK
S3(config-ext-nacl)#permit ip host 172.16.100.150 172.16.100.0 0.0.0.255
S3(config-ext-nacl)#exit

Vi bygger sedan vår VLAN Access-map, glöm inte att utan en match all/permit så blockerar vi all trafik precis som en vanlig ACL.

S1(config)#vlan access-map AM-VACL-BLOCK 10
S1(config-access-map)#match ip addr VACL-BLOCK
S1(config-access-map)#action drop
S1(config-access-map)#exit
S1(config)#vlan access-map AM-VACL-BLOCK 20
S1(config-access-map)#action forward
S1(config-access-map)#exit
S1(config)#

S3(config)#vlan access-map AM-VACL-BLOCK 10
S3(config-access-map)#match ip addr VACL-BLOCK
S3(config-access-map)#action drop
S3(config-access-map)#exit
S3(config)#vlan access-map AM-VACL-BLOCK 20
S3(config-access-map)#action forward
S3(config-access-map)#exit
S3(config)#

Sen återstår det bara att knyta detta till vlan:et.

S1(config)#vlan filter AM-VACL-BLOCK vlan-list 100
S3(config)#vlan filter AM-VACL-BLOCK vlan-list 100

Tyvärr har vi inga host att testa med så vi får helt enkelt räkna med att allt är ok! 😉

MDH Lab – Securing STP

Topologi

stp-secure

Objectives

  • Secure the Layer 2 spanning-tree topology with BPDU guard.
  • Protect the primary and secondary root bridge with root guard.
  • Protect switch ports from unidirectional links with UDLD.

Background

This lab is a continuation of Lab 6-1 and uses the network configuration set up in that lab. In this lab, you will secure the network against possible spanning-tree disruptions, such as rogue access point additions and the loss of stability to the root bridge by the addition of switches to the network.

The improper addition of switches to the network can be either malicious or accidental. In either case, the network can be secured against such a disruption.

Genomförande

Då det är precis samma topologi & HSRP-konfiguration som förra labben använder jag samma konfig nu.

BPDU-Guard

BPDU-guard konfigurerade jag redan i förra labben men vi kan väl ta det igen bara för att repetera.

S2(config)#int range fa0/6 - 20 
S2(config-if-range)#switchport mode access
S2(config-if-range)#switchport access vlan 100
S2(config-if-range)#switchport port-security
S2(config-if-range)#switchport port-security max 2
S2(config-if-range)#switchport port-security mac-address sticky
S2(config-if-range)#spanning-tree portfast
S2(config-if-range)#spanning-tree bpduguard enable

Observera att vi endast konfigurerar BPDU-guard på access-portar, och fungerar endast om vi även använder PortFast.

Root-guard

Root-guard skyddar mot switchar som felaktigt skickar ut BPDU-paket med högre Bridge-priority för att försöka ta över rollen som root-bridge. I vår topologi har vi endast tre switchar, med S1 som primary för vl1 & vl200, och S2 som primary för vl100 kan vi enkelt säga att vi aldrig vill att access-switchen ska kunna bli root för något av vlanen. Vi ställer därför in root-guard på portarna ner mot S2 i både S1 & S3.

S1(config)#spanning-tree vlan 1,200 root primary
S1(config)#spanning-tree vlan 100 root secondary
S3(config)#spanning-tree vlan 100 root primary
S3(config)#spanning-tree vlan 1,200 root secondary
S1(config)#int range fa0/1 - 2 , po1
S1(config-if-range)#spanning-tree guard root
S1(config-if-range)#
*Mar 1 03:23:32.781: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Port-channel1.
S3(config)#int range fa0/1 - 2 , po1
S3(config-if-range)#spanning-tree guard root
S3(config-if-range)#
*Mar 1 03:24:13.205: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Port-channel1.

UDLD

UDLD använder vi för att upptäcka unidirectional-forwarding främst vid fiberuppkopplingar, men det finns även möjlighet att konfigurera detta på vanliga ethernet-interface också.

UDLD

Så i mina ögon är aggresive-mode helt klart det bästa valet när vi konfigurerar upp UDLD, vilket vi gör enligt följande:

S1(config)#int range fa0/3 - 4 
S1(config-if-range)#udld port aggressive
S3(config)#int range fa0/3 - 4
S3(config-if-range)#udld port aggressive

Observera att vi endast lägger in det på de fysiska interfacen, det är ej möjligt att använda UDLD över en port-channel.

S1#sh udld fa0/3
Interface Fa0/3
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 7
Time out interval: 5
Entry 1
 ---
 Expiration time: 38
 Device ID: 1
 Current neighbor state: Bidirectional
 Device name: FDO1303Y3H8 
 Port ID: Fa0/3 
 Neighbor echo 1 device: FDO1303X3CX
 Neighbor echo 1 port: Fa0/3
Message interval: 15
 Time out interval: 5
 CDP Device name: S3

 Storm-Control

Används för att förhindra att broadcast-trafik sänker våra förbindelser i s.k. broadcast-stormar (orsakat av en loop), mer info finns att läsa här. Själva konfigurationen är rätt enkel, vi lägger in detta på våra trunk-länkar mellan S1-S2-S3.

Do not configure traffic storm control on ports that are members of an EtherChannel. Configuring traffic storm control on ports that are configured as members of an EtherChannel puts the ports into a suspended state.

Vi lägger därför in konfigen direkt på port-channeln istället.

S1(config)#int range po1 - 2
S1(config-if-range)#storm-control broadcast level ?
 <0.00 - 100.00> Enter rising threshold
 bps Enter suppression level in bits per second
 pps Enter suppression level in packets per second
S1(config-if-range)#storm-control broadcast level 60
S2(config)#inte range po1 - 2
S2(config-if-range)#storm-control bbroadcast level 60
S3(config)#int range po1 - 2
S3(config-if-range)#storm-control broadcast level 60

MDH Lab – HSRP & Securing L2

Topologi

6-1

Objectives

  • Secure the Layer 2 network against MAC flood attacks.
  • Prevent DHCP spoofing attacks.
  • Prevent unauthorized access to the network using AAA and 802.1X.

Background

A fellow network engineer that you have known and trusted for many years has invited you to lunch this week.

At lunch, he brings up the subject of network security and how two of his former co-workers had been arrested for using different Layer 2 attack techniques to gather data from other users in the office for their own personal gain in their careers and finances. The story shocks you because you have always known your friend to be very cautious with security on his network.

His story makes you realize that your business network has been cautious with external threats, Layer 3–7 security, firewalls at the borders, and so on, but insufficient at Layer 2 security and protection inside the local network. When you get back to the office, you meet with your boss to discuss your concerns.

After reviewing the company’s security policies, you begin to work on a Layer 2 security policy. First, you establish which network threats you are concerned about and then put together an action plan to mitigate these threats. While researching these threats, you learn about other potential threats to Layer 2 switches that might not be malicious but could threaten network stability.

You decide to include these threats in the policies as well. Other security measures need to be put in place to further secure the network, but you begin with configuring the switches against a few specific types of attacks, including MAC flood attacks, DHCP spoofing attacks, and unauthorized access to the local network. You plan to test the configurations in a lab environment before placing them into production.

Genomförande

Hoppar återigen över grundkonfigen för att få upp Port-channels/Trunking/VLAns, se tidigare inlägg för detta.

Vi börjar med att sätta upp HSRP mellan S1 & S3.

S1

S1(config)#int vlan 1 
S1(config-if)#ip add 172.16.1.10 255.255.255.0
S1(config-if)#standby 1 ip 172.16.1.1
S1(config-if)#standby 1 priority 100
S1(config-if)#standby 1 preempt
S1(config-if)#
S1(config-if)#int vlan 100
S1(config-if)#ip add 172.16.100.10 255.255.255.0
S1(config-if)#standby 1 ip 172.16.100.1
S1(config-if)#standby 1 priority 150
S1(config-if)#standby 1 preempt
S1(config-if)#
S1(config-if)#int vlan 200
S1(config-if)#ip add 172.16.200.10 255.255.255.0
S1(config-if)#standby 1 ip 172.16.200.1
S1(config-if)#standby 1 priority 100
S1(config-if)#standby 1 preempt
S1(config-if)#end

S3

S3(config)#int vlan 1 
S3(config-if)#ip add 172.16.1.30 255.255.255.0
S3(config-if)#standby 1 ip 172.16.1.1
S3(config-if)#standby 1 priority 150
S3(config-if)#standby 1 preempt
S3(config-if)#
S3(config-if)#int vlan 100
S3(config-if)#ip add 172.16.100.30 255.255.255.0
S3(config-if)#standby 1 ip 172.16.100.1
S3(config-if)#standby 1 priority 100
S3(config-if)#standby 1 preempt
S3(config-if)#
S3(config-if)#int vlan 200
S3(config-if)#ip add 172.16.200.30 255.255.255.0
S3(config-if)#standby 1 ip 172.16.200.1
S3(config-if)#standby 1 priority 150
S3(config-if)#standby 1 preempt
S3(config-if)#
S1#sh standby brief
 P indicates configured to preempt.
 |
Interface Grp Pri P State Active Standby Virtual IP
Vl1 1 100 P Standby 172.16.1.30 local 172.16.1.1
Vl100 1 150 P Active local 172.16.100.30 172.16.100.1
Vl200 1 100 P Standby 172.16.200.30 local 172.16.200.1

Nästa uppgift var att säkra vårat nät mot DHCP-spoofing attacker. För att lyckas med detta kan vi använda oss av “dhcp snooping“.

Då endast S2 är access-layer switch med användare inkopplade behöver vi bara konfa snooping där.

S2

S2(config)#!Aktiverar DHCP-snooping funktionen
S2(config)#ip dhcp snooping 
S2(config)#!Startar DHCP-snooping för vlan 100 & 200
S2(config)#ip dhcp snooping vlan 100,200

Alla portar räknas som per default untrusted, dvs får EJ skicka DHCPOFFERs & DHCPACKs. Vi måste därför konfigurera trusted där vi har vår DHCP-server. I detta fall har vi ingen lokalt på lanet, därför sätter vi trunk-portarna till trusted.

S2(config)#inte range fa0/1 - 4 , po1 - 2
S2(config-if-range)#ip dhcp snooping trust

Vi kan verifiera vår konfig med “sh ip dhcp snooping”.

S2#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100,200
DHCP snooping is operational on following VLANs:
100,200
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
 circuit-id format: vlan-mod-port
 remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Int
*Mar 1 02:14:22.416: %SYS-5-CONFIG_I: Configured from console by consoleerface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/1 yes unlimited
FastEthernet0/2 yes unlimited
FastEthernet0/3 yes unlimited
FastEthernet0/4 yes unlimited
Port-channel1 yes unlimited
Port-channel2 yes unlimited

MAC-flood attacker blir bara lite repetition från CCNA, genom att begränsa antal mac-adresser en port kan lära sig behöver vi inte vara rädda för att råka ut för cam-table overflow. Även här behöver vi endast konfa S2 då det är den enda switchen i access-layer.

S2(config)#int range fa0/6 - 20 
S2(config-if-range)#switchport mode access
S2(config-if-range)#switchport access vlan 100
S2(config-if-range)#switchport port-security
S2(config-if-range)#switchport port-security max 2
S2(config-if-range)#switchport port-security mac-address sticky
S2(config-if-range)#spanning-tree portfast
S2(config-if-range)#spanning-tree bpduguard enable

Detta gör att switchen endast kan lära sig max 2st mac-adresser per interface (2×15 =  30 mac-adresser).

För att begränsa access till nätet är ett alternativ att använda oss av 802.1x, vilket kräver att användarna autentiserar sig innan porten slår över till forwarding. Mer info om dot1x finns att läsa här.

S2(config)#aaa new-model
S2(config)#!Autentiserar anvandare mot anvandardatabasen som ligger lokalt pa switchen
S2(config)#aaa authentication dot1x default local
S2(config)#!aktiverar dot1x
S2(config)#dot1x system-auth-control
S2(config)#!skapar anvndare
S2(config)#username admin1 password cisco
S2(config)#username user1 password cisco
S2(config)#username user2 password cisco
S2(config)#inte range fa0/6 - 20
S2(config-if-range)#!aktiverar dot1x-autentisering pa interfacen
S2(config-if-range)#dot1x port-control auto
S2(config-if-range)#
*Mar 1 02:28:23.114: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to down
*Mar 1 02:28:23.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down

Observera att både Fa0/11 & Fa0/18 genast gick ner efter vi la in konfigen, detta pga användarna ej är autentiserade ännu.

S2#sh dot1x interface fa0/11
Dot1x Info for FastEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both 
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0

Rekommenderat är dock att koppla autentiseringen mot en extern RADIUS-server istället.