Lab 12
Catalyst Switch STP and DTP Security
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to enable other Catalyst switch security features that can be used in conjunction with STP and DTP.
Lab Purpose:
While there are a plethora of security features that can be configured on Catalyst switches, it is important to understand and have practical knowledge of those that pertain to the CCNA Security course and how they are implemented and validated.
Lab Difficulty:
This lab has a difficulty rating of 7/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use any single switch to complete this lab:
NOTE:
This lab is based on a Cisco Catalyst switch with 24-10/100 FastEthernet ports and 2-1000Mbs GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges used in this lab with those available on your switch. For example, if you only have 12-10/100 FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the GigabitEthernet ports, and you only have a 12-port 10/100 FastEthernet switch, simply substitute GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example.
Lab 12 Configuration Tasks
Task 1:
Configure the hostname on Sw1 as illustrated in the diagram. In addition, configure the following VLANs on Sw1 and assign the ports specified to those VLANs:
VLAN Number | VLAN Name | VLAN Ports |
100 | CATALYST_VLAN_100 | FastEthernet0/1 – FastEthernet0/9 |
200 | CATALYST_VLAN_200 | FastEthernet0/10 – FastEthernet0/19 |
Task 2:
Configure all ports in VLAN 100 as static Access ports that also use Port Fast. These ports will always be connected to end hosts (i.e. PCs); therefore, configure these ports so that if a BPDU is received, the port is immediately shut down.
Task 3:
Configure all ports in VLAN 200 as static Access ports that also use Port Fast. These ports will also be connected to end hosts (i.e. PCs); however, Sw1 should never send BPDUs on these ports, even though sending BPDUs on every port is the default behavior of all switches.
Task 4:
Ports FastEthernet0/20 to FastEthernet0/24 are currently not being used and should be shut down. However, in order to prevent an STP topology change in the event that someone plugs in a switch with superior BPDUs on any one of these ports and brings them up, configure these ports so that the placement of the root bridge in the network is not changed.
Task 5:
Configure the GigabitEthernet0/1 and GigabitEthernet0/2 interfaces of Sw1 as Trunk ports that will never use the Dynamic Trunking Protocol.
Lab 12 Configuration and Verification
Task 1:
Switch(config)#hostname Sw1
Sw1(config)#vlan 100
Sw1(config-vlan)#name CATALYST_VLAN_100
Sw1(config-vlan)#exit
Sw1(config)#vlan 200
Sw1(config-vlan)#name CATALYST_VLAN_200
Sw1(config-vlan)#exit
Sw1(config)#interface range fast 0/1 - 9
Sw1(config-if-range)#switchport access vlan 100
Sw1(config-if-range)#exit
Sw1(config)#interface range fast 0/10 - 19
Sw1(config-if-range)#switchport access vlan 200
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
100  CATALYST_VLAN_100                active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9
200  CATALYST_VLAN_200                active    Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19
1002 fddi-default                     active
1003 trcrf-default                    active
1004 fddinet-default                  active
1005 trbrf-default                    active
Task 2:
Sw1(config)#spanning-tree portfast bpduguard default
Sw1(config)#interface range fast 0/1 - 9
Sw1(config-if-range)#switchport mode access
Sw1(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast will be configured in 9 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.
Sw1(config-if-range)#spanning-tree bpduguard enable
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfiguration guard is enabled
Extended system ID           is enabled
Portfast                     is disabled by default
PortFast BPDU Guard          is enabled by default
Portfast BPDU Filter         is disabled by default
Loopguard                    is disabled by default
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
Total                         0         0        0          0          0
To further verify your configuration, you can enable a port in VLAN 100 – that has a device connected to it – and issue the show spanning-tree interface command as follows:
Sw1#show spanning-tree interface f0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0100 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32868, address 000d.bd06.4100
   Designated bridge has priority 32868, address 000d.bd06.4100
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is disabled by default
   BPDU: sent 11, received 0
Task 3:
Sw1(config)#spanning-tree portfast bpdufilter default
Sw1(config)#interface range fast 0/10 - 19
Sw1(config-if-range)#switchport mode access
Sw1(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast will be configured in 10 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.
Sw1(config-if-range)#spanning-tree bpdufilter enable
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfiguration guard is enabled
Extended system ID           is enabled
Portfast                     is disabled by default
PortFast BPDU Guard          is enabled by default
Portfast BPDU Filter         is enabled by default
Loopguard                    is disabled by default
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
Total                         0         0        0          0          0
To further verify your configuration, you can enable a port in VLAN 200 that has a device connected to it and issue the show spanning-tree interface command as follows:
Sw1#show spanning-tree interface f0/12 detail
 Port 12 (FastEthernet0/12) of VLAN0200 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.12.
   Designated root has priority 32968, address 000d.bd06.4100
   Designated bridge has priority 32968, address 000d.bd06.4100
   Designated port id is 128.12, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   Bpdu filter is enabled
   BPDU: sent 0, received 0
Task 4:
Sw1(config)#interface range f0/20 - 24
Sw1(config-if-range)#description 'Currently not being used'
Sw1(config-if-range)#shutdown
Sw1(config-if-range)#spanning-tree guard root
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Task 5:
Sw1(config)#interface range g0/1 - 2
Sw1(config-if-range)#no shutdown
Sw1(config-if-range)#switchport mode trunk
Sw1(config-if-range)#switchport nonegotiate
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Voice VLAN: none (Inactive)
Appliance trust: none
Lab 12 Configurations
Sw1 Configuration
Sw1#show running-config
Building configuration…
Current configuration : 4260 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Sw1
!
no logging console
!
ip subnet-zero
vtp domain LAB12
vtp mode transparent
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
vlan 100
 name CATALYST_VLAN_100
!
vlan 200
 name CATALYST_VLAN_200
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/8
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/9
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/10
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/11
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/12
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/13
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/14
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/15
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/16
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/17
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/18
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/19
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/20
 description 'Currently not being used'
 no ip address
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/21
 description 'Currently not being used'
 no ip address
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/22
 description 'Currently not being used'
 no ip address
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/23
 description 'Currently not being used'
 no ip address
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/24
 description 'Currently not being used'
 no ip address
 shutdown
 spanning-tree guard root
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 no ip address
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
!
line con 0
line vty 5 15
!
end
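Checking a running-config by eye for the five tasks above is error-prone on a 24-port switch, so the following Python script is added here as an example of how to audit a Catalyst running-config against the policy this lab builds (it is not part of the lab or of Cisco's tooling). It parses the config into per-interface command sets and reports any port that breaks the lab's rules: VLAN 100 access ports must be static access, PortFast and BPDU Guard; VLAN 200 access ports must be static access, PortFast and BPDU Filter; shut-down ports must carry root guard; trunks must have DTP disabled. The sample config is constructed for the example, with deliberate gaps on FastEthernet0/3, FastEthernet0/21 and GigabitEthernet0/2; the VLAN numbers and the assumption that the global `spanning-tree portfast bpduguard default` covers any PortFast port not explicitly set to `bpduguard disable` are taken from the lab's own configuration.

```python
import re
from collections import defaultdict

# Constructed sample running-config (not the lab's own output): a condensed
# Catalyst IOS config with a few deliberate policy gaps for the audit to find.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface FastEthernet0/10
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/20
 description 'Currently not being used'
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/21
 description 'Currently not being used'
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
end
"""

# Lab policy (Tasks 2-5): VLAN 100 ports use BPDU Guard, VLAN 200 ports use BPDU Filter.
GUARD_VLAN, FILTER_VLAN = "100", "200"

def parse_config(text):
    """Return (global_lines, {interface: set(sub-commands)}) from an IOS running-config."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())  # indented line belongs to the current interface
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = set()
        else:
            current = None
            global_lines.add(line)
    return global_lines, interfaces

def audit(text):
    """Map each interface that violates the lab policy to a list of findings."""
    global_lines, interfaces = parse_config(text)
    global_guard = "spanning-tree portfast bpduguard default" in global_lines
    findings = defaultdict(list)
    for name, lines in interfaces.items():
        if name.lower().startswith("vlan"):
            continue  # SVIs carry no STP port settings
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), None)
        portfast = "spanning-tree portfast" in lines
        if "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                findings[name].append("trunk still runs DTP: add 'switchport nonegotiate'")
        elif "shutdown" in lines:
            if "spanning-tree guard root" not in lines:
                findings[name].append("unused port lacks 'spanning-tree guard root'")
        elif vlan in (GUARD_VLAN, FILTER_VLAN):
            if "switchport mode access" not in lines:
                findings[name].append("port is not a static access port")
            if not portfast:
                findings[name].append("PortFast not enabled")
            if vlan == GUARD_VLAN:
                # BPDU Guard is in effect if set on the port, or inherited from the
                # global PortFast default and not explicitly disabled on the port.
                guarded = "spanning-tree bpduguard enable" in lines or (
                    global_guard and portfast and "spanning-tree bpduguard disable" not in lines)
                if not guarded:
                    findings[name].append("BPDU Guard not in effect")
            elif "spanning-tree bpdufilter enable" not in lines:
                findings[name].append("BPDU Filter not enabled on the interface")
        else:
            findings[name].append("port is up in an unclassified VLAN with no STP protection")
    return dict(findings)

if __name__ == "__main__":
    for port, issues in sorted(audit(SAMPLE_CONFIG).items()):
        print(port, "->", "; ".join(issues))
```

Run it against the output of `show running-config` saved to a file (replace `SAMPLE_CONFIG` with the file contents). The checker accepts BPDU Guard inherited from the global PortFast default, because that is how IOS applies it, but it insists on the interface-level `spanning-tree bpdufilter enable` for VLAN 200: the global `spanning-tree portfast bpdufilter default` still lets a PortFast port send a handful of BPDUs at link-up and drops the filter if a BPDU arrives, whereas the interface command stops BPDUs in both directions entirely. That difference is also the caveat to keep in mind: an interface-level BPDU filter effectively switches STP off on that port, so a switch plugged into a VLAN 200 port will not be detected, which is why BPDU Guard (VLAN 100) is the safer choice for host ports.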