6.3.1.1 Lab - Securing Layer 2 Switches
IP Addressing Table
Objectives
Part 1: Configure Basic Switch Settings
Build the topology.
Configure the hostname, IP address, and access passwords.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 22
Lab – Securing Layer 2 Switches
Background / Scenario
The Layer 2 infrastructure consists mainly of interconnected Ethernet switches. Most end-user devices, such
as computers, printers, IP phones, and other hosts, connect to the network via Layer 2 access switches. As a
result, switches can present a network security risk. Similar to routers, switches are subject to attack from
malicious internal users. Cisco IOS software on the switch provides many security features that are specific to
switch functions and protocols.
In this lab, you will configure SSH access and Layer 2 security for S1 and S2. You will also configure various
switch protection measures, including access port security and Spanning Tree Protocol (STP) features, such
as BPDU guard and root guard.
Note: The router commands and output in this lab are from a Cisco 1941 router using Cisco IOS software,
release 15.4(3)M2 (with a Security Technology Package license). The switch commands and output are from
Cisco WS-C2960-24TT-L switches with Cisco IOS Release 15.0(2)SE4 (C2960-LANBASEK9-M image).
Other routers, switches, and Cisco IOS versions can be used. See the Router Interface Summary Table at the
end of the lab to determine which interface identifiers to use based on the equipment in the lab. The
commands available to the user and the output produced may vary depending on which router, switch, and
Cisco IOS version is used.
Note: Make sure that the routers and switches have been erased and have no startup configurations.
Required Resources
1 Router (Cisco 1941 with Cisco IOS Release 15.4(3)M2 image with a Security Technology Package
license)
2 Switches (Cisco 2960 with cryptography IOS image for SSH support – Release 15.0(2)SE7 or
comparable)
2 PCs (Windows 7 or Windows 8 with SSH client software)
Ethernet cables as shown in the topology
Console cables to configure Cisco networking devices
Step 2: Configure basic settings for the router and each switch.
Perform all tasks on R1, S1, and S2. The procedure for S1 is shown here as an example.
a. Configure hostnames, as shown in the topology.
b. Configure interface IP addresses, as shown in the IP Addressing Table. The following configuration
displays the VLAN 1 management interface on S1:
c. Prevent the router or switch from attempting to translate incorrectly entered commands by disabling DNS
lookup. S1 is shown here as an example.
d. HTTP access to the switch is enabled by default. Prevent HTTP access by disabling the HTTP server and
HTTP secure server.
Note: The switch must have a cryptography IOS image to support the ip http secure-server command.
HTTP access to the router is disabled by default.
e. Configure the enable secret password cisco12345.
f. Configure console password ciscoconpass with a timeout of 5 minutes.
Step 5: Save the basic configurations for the router and both switches.
Save the running configuration to the startup configuration from the privileged EXEC mode prompt.
S1# copy running-config startup-config
Step 2: Configure a privileged user for login from the SSH client.
Use the username command to create the user ID named admin with the highest possible privilege level and
a secret password cisco12345.
Step 3: Generate the RSA key pair for the switch.
The switch uses the RSA key pair for authentication and encryption of transmitted SSH data.
Configure the RSA keys with 1024 modulus bits. The default number of modulus bits is 512, and the range is
from 360 to 2,048. Configure SSH version 2.
Note: SSH version 2 requires a modulus of at least 768 bits, which is one reason the 512-bit default is not used
here. A 1024-bit modulus is below current recommendations; on production devices use at least 2048 bits
where the image supports it.
will default to user EXEC mode. Specify the use of local user accounts for mandatory login and validation
and accept only SSH connections with timeout of 5 minutes.
b. Disable login for switch vty lines 5 to 15 by allowing no transport input.
Step 1: (Optional) Download and install an SSH client on PC-A and PC-B.
If the SSH client is not already installed, download PuTTY from the following link:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Note: The procedure described here is for PuTTY and pertains to PC-A.
d. Click Open.
Note: Upon first connection, the user is prompted with a PuTTY Security Alert stating that the server’s
host key is not cached in the registry.
e. In the PuTTY Security Alert window, click Yes to cache the server’s host key.
f. In the PuTTY window, enter admin as the username and cisco12345 as the password.
g. At the S1 privileged EXEC mode prompt, enter the show users command.
S1# show users
Which users are connected to S1 at this time?
____________________________________________________________________________________
____________________________________________________________________________________
h. Close the PuTTY SSH session window with the exit or quit command.
Try to open a Telnet session to S1 from PC-A. Were you able to open the Telnet session? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
b. The default priority for S1 and S2 is 32769 (32768 + 1 with System ID Extension). Set S1 priority to 0 so
that it becomes the root switch.
S1(config)# spanning-tree vlan 1 priority 0
S1(config)# exit
Note: You can also use the spanning-tree vlan 1 root primary command to make S1 the root switch for
VLAN 1.
c. Issue the show spanning-tree command to verify that S1 is the root bridge, to see the ports in use, and
to see their status.
S1# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     001d.4635.0c80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
c. Verify that S1 port F0/1 is in trunking mode with the show interfaces trunk command.
S1# show interfaces trunk
Step 3: Change the native VLAN for the trunk ports on S1 and S2.
a. Changing the native VLAN for trunk ports to an unused VLAN helps prevent VLAN hopping attacks. A
double-tagging attack only works when the attacker's access VLAN is the same as the trunk's native VLAN, so
the new native VLAN must not be assigned to any access port.
From the output of the show interfaces trunk command in the previous step, what is the current native
VLAN for the S1 F0/1 trunk interface?
____________________________________________________________________________________
b. Set the native VLAN on the S1 F0/1 trunk interface to an unused VLAN 99.
S1(config)# interface f0/1
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# end
c. The following message should display after a brief period of time:
02:16:28: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on
FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).
What does the message mean?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
d. Set the native VLAN on the S2 F0/1 trunk interface to VLAN 99.
S2(config)# interface f0/1
S2(config-if)# switchport trunk native vlan 99
S2(config-if)# end
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
<output omitted>
Note: VLAN 99 is listed as Inactive because it does not yet exist in the VLAN database. The trunk still treats
it as the native VLAN, but create it (vlan 99) on both switches so that it becomes active.
a. From the S1 CLI, enter interface configuration mode for the port that connects to the router (Fast Ethernet
0/5).
S1(config)# interface f0/5
b. Shut down the switch port.
S1(config-if)# shutdown
c. Enable port security on the port.
S1(config-if)# switchport port-security
Note: A switch port must be configured as an access port (switchport mode access) to enable port security;
the command is rejected on a port whose mode is dynamic.
Note: Entering just the switchport port-security command sets the maximum MAC addresses to 1 and
the violation action to shutdown. The switchport port-security maximum and switchport port-
security violation commands can be used to change the default behavior.
d. Configure a static entry for the MAC address of the R1 G0/1 interface recorded in Step 1.
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
Note: xxxx.xxxx.xxxx is the actual MAC address of the router G0/1 interface.
Note: You can also use the switchport port-security mac-address sticky command to add all the
secure MAC addresses that are dynamically learned on a port (up to the maximum set) to the switch
running configuration.
e. Enable the switch port.
S1(config-if)# no shutdown
b. From the R1 CLI, ping PC-A to verify connectivity. This also ensures that the R1 G0/1 MAC address is
learned by the switch.
R1# ping 192.168.1.10
c. Now, violate port security by changing the MAC address on the router interface. Enter interface
configuration mode for G0/1 and configure aaaa.bbbb.cccc as the interface MAC address.
R1(config)# interface G0/1
R1(config-if)# mac-address aaaa.bbbb.cccc
R1(config-if)# end
Note: You can also change the PC MAC address attached to S1 F0/6 and achieve similar results to those
shown here.
d. From the R1 CLI, ping PC-A. Was the ping successful? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
e. On S1 console, observe the messages when port F0/5 detects the violating MAC address.
*Jan 14 01:34:39.750: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5,
putting Fa0/5 in err-disable state
*Jan 14 01:34:39.750: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/5.
*Jan 14 01:34:40.756: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5,
changed state to down
*Jan 14 01:34:41.755: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down
f. On the switch, use the show port-security command to verify that port security has been violated.
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
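The native VLAN mismatch message in Step 3 and the port-security violation messages above are exactly the console output a monitoring pipeline should catch rather than leave on a console nobody watches. The following is an added example, not part of the Cisco lab, that parses those message formats into structured alerts and groups them by port so a violation and the err-disable it triggered land together. SAMPLE_LOG is constructed from the messages shown in this lab, and EXPECTED_MAC is a hypothetical allow-list of which MAC each secured port should see.

```python
"""Parse the switch console messages shown in this lab into structured alerts."""
import re

# Constructed input: the message formats printed in this lab, one per line
# (the timestamps are the lab's; this is not a capture from a live switch).
SAMPLE_LOG = """\
02:16:28: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).
*Jan 14 01:34:39.750: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
*Jan 14 01:34:39.750: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/5.
*Jan 14 01:34:41.755: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down
"""

# Hypothetical allow-list of the MAC each secured port is supposed to see.
EXPECTED_MAC = {"Fa0/5": "0001.0002.0003"}

# IOS syslog header: %FACILITY-SEVERITY-MNEMONIC: text
HEADER = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")
PATTERNS = {
    "PSECURE_VIOLATION": re.compile(r"MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>\S+?)\.?$"),
    "ERR_DISABLE": re.compile(r"(?P<cause>\S+) error detected on (?P<port>\S+),"),
    "NATIVE_VLAN_MISMATCH": re.compile(
        r"on (?P<port>\S+) \((?P<vlan>\d+)\), with (?P<peer>\S+) (?P<peer_port>\S+) \((?P<peer_vlan>\d+)\)"),
}

def short_ifname(name):
    """IOS mixes 'FastEthernet0/5' and 'Fa0/5' for the same port; use the short form as the key."""
    return name.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")

def parse_line(line):
    """Return an alert dict for one of the three security-relevant messages, else None."""
    h = HEADER.search(line)
    if not h or h["mnemonic"] not in PATTERNS:
        return None
    m = PATTERNS[h["mnemonic"]].search(h["text"])
    if not m:
        return None
    alert = {"event": h["mnemonic"], "severity": int(h["severity"]), **m.groupdict()}
    alert["port"] = short_ifname(alert["port"])
    if alert["event"] == "PSECURE_VIOLATION":
        # The violating address is the one that exceeded the limit; compare it
        # with what the operator expected on that port.
        alert["known_mac"] = EXPECTED_MAC.get(alert["port"]) == alert["mac"]
    return alert

def alerts_by_port(log):
    """Group alerts by port so a violation and the err-disable it caused land together."""
    grouped = {}
    for line in log.splitlines():
        alert = parse_line(line)
        if alert:
            grouped.setdefault(alert["port"], []).append(alert)
    return grouped
```

The LINK-3-UPDOWN line is deliberately ignored: a link going down is not security-relevant on its own, and the err-disable message already records why the port went down. The severity field is kept in each alert so a pipeline can page on severity 2 (the violation) and only log severity 4 (the mismatch).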
Step 8: Move active ports to a VLAN other than the default VLAN 1.
As a further security measure, you can move all active end-user ports and router ports to a VLAN other than
the default VLAN 1 on both switches.
a. Configure a new VLAN for users on each switch using the following commands:
S1(config)# vlan 20
S1(config-vlan)# name Users
S2(config)# vlan 20
S2(config-vlan)# name Users
b. Add the current active access (non-trunk) ports to the new VLAN.
S1(config)# interface f0/6
S1(config-if)# switchport access vlan 20
Note: This will prevent communication between end-user hosts and the management VLAN IP address of
the switch, which is currently VLAN 1. The switch can still be accessed and configured using the console
connection.
Note: To provide SSH access to the switch, a specific port can be designated as the management port
and added to VLAN 1 with a specific management workstation attached. A more elaborate solution is to
create a new VLAN for switch management (or use the existing native trunk VLAN 99), and configure a
separate subnet for the management and user VLANs. In Part 4 you will enable trunking with
subinterfaces on R1 to provide communication between the management and user VLAN subnets.
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
c. Deactivate the protected port feature on interfaces Fa0/6 and Fa0/7 using the following commands:
S1(config)# interface range f0/6 - 7
S1(config-if-range)# no switchport protected
Step 4: Identify the trusted interface(s). DHCP responses are only permitted through trusted ports; every
other port stays untrusted by default, so DHCP server replies arriving on it are dropped.
S1(config)# interface f0/5
S1(config-if)# description connects to DHCP server
S1(config-if)# ip dhcp snooping trust
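Parts 1 and 2 (DNS lookup, HTTP servers, enable secret, console timeout, SSH-only vty lines, unused vty lines) and the Layer 2 steps above (native VLAN moved off VLAN 1, port security and BPDU guard on access ports, a user VLAN other than VLAN 1, DHCP snooping) all leave traces in the running configuration, so they can be audited from a saved show running-config. The following added example, not part of the Cisco lab, checks a configuration text for those settings; both sample configurations are constructed, and which commands count as "hardened" is this example's reading of the lab steps.

```python
"""Audit an IOS switch running-config against this lab's hardening steps."""
# Constructed sample (not from the lab): a switch still close to its defaults.
WEAK_CONFIG = """\
ip http server
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/5
 switchport mode access
!
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: the same switch after the lab's hardening steps.
HARDENED_CONFIG = """\
no ip domain-lookup
no ip http server
no ip http secure-server
enable secret cisco12345
ip ssh version 2
ip dhcp snooping
!
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 20
 switchport port-security
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 transport input none
"""

# IOS shows "no <feature>" for an on-by-default feature that was disabled, so the
# audit demands the explicit "no" form instead of testing for absence.
REQUIRED_GLOBAL = {
    "no ip domain-lookup": "DNS lookup of mistyped commands still enabled",
    "no ip http server": "HTTP server not explicitly disabled",
    "no ip http secure-server": "HTTPS server not explicitly disabled",
    "ip ssh version 2": "SSH not pinned to version 2",
    "ip dhcp snooping": "DHCP snooping not enabled globally",
}
REQUIRED_ACCESS = {
    "switchport port-security": "access port without port security",
    "spanning-tree bpduguard enable": "access port without BPDU guard",
}

def parse_config(text):
    """Return (top-level commands, {stanza header: [indented sub-commands]})."""
    top, stanzas, cur = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and cur:
            stanzas[cur].append(raw.strip())
        elif raw.strip() and raw[0] not in "! ":
            cur = raw.strip()
            top.append(cur)
            stanzas[cur] = []
        else:
            cur = None  # a blank line or '!' ends the current stanza
    return top, stanzas

def audit(text):
    """Return (scope, problem) findings; an empty list means every check passed."""
    top, stanzas = parse_config(text)
    findings = [("global", p) for c, p in REQUIRED_GLOBAL.items() if c not in top]
    if not any(c.startswith("enable secret ") for c in top):
        findings.append(("global", "no enable secret configured"))
    for hdr, body in stanzas.items():
        if hdr.startswith("line con") or hdr == "line vty 0 4":
            if not any(b.startswith("exec-timeout ") for b in body):
                findings.append((hdr, "no exec-timeout"))
        if hdr == "line vty 0 4":
            if "transport input ssh" not in body:
                findings.append((hdr, "accepts a protocol other than SSH"))
            if "login local" not in body:
                findings.append((hdr, "does not use local user accounts"))
        elif hdr.startswith("line vty 5") and "transport input none" not in body:
            findings.append((hdr, "unused vty lines are not disabled"))
        elif hdr.startswith("interface ") and "switchport mode trunk" in body:
            # Native VLAN must be set, and to something other than VLAN 1.
            if not any(b.startswith("switchport trunk native vlan ") and b.split()[-1] != "1" for b in body):
                findings.append((hdr, "trunk native VLAN is still VLAN 1"))
        elif hdr.startswith("interface ") and "switchport mode access" in body:
            findings += [(hdr, p) for c, p in REQUIRED_ACCESS.items() if c not in body]
            if not any(b.startswith("switchport access vlan ") for b in body):
                findings.append((hdr, "access port still in default VLAN 1"))
    return findings
```

Run audit() over the output of show running-config saved from each switch; the weak sample produces thirteen findings and the hardened one none. The checks are deliberately literal (exact command strings) because IOS prints configuration commands in a canonical form, so a missing match is a real gap rather than a formatting difference.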
Router Interface Summary Table

Router Model   Ethernet Interface #1         Ethernet Interface #2         Serial Interface #1     Serial Interface #2
1800           Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2801           Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/1/0 (S0/1/0)   Serial 0/1/1 (S0/1/1)
2811           Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
Note: Determine how the router is configured by identifying the type of router and the number of interfaces the
router has. There is no way to effectively list all the combinations of configurations for each router class. This
table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table
does not include any other type of interface, even though a specific router may contain one (for example, an
ISDN BRI interface). The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands
to represent the interface.