CBT IT Certification Training

Unlimited IT Certification Courses via Streaming Video

STP and DTP Security

Lab 12

Catalyst Switch STP and DTP Security

Lab Objective:

The objective of this lab exercise is for you to learn and understand how to enable other Catalyst switch security features that can be used in conjunction with STP and DTP.

Lab Purpose:

While there are a plethora of security features that can be configured on Catalyst switches, it is important to understand and have practical knowledge of those that pertain to the CCNA Security course and how they are implemented and validated.

Lab Difficulty:

This lab has a difficulty rating of 7/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 15 minutes. 

Lab Topology:

Please use any single switch to complete this lab:

[Figure: Lab 12 topology diagram]

NOTE:

This lab is based on a Cisco Catalyst switch with 24 10/100 FastEthernet ports and 2 1000 Mbps GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges used in this lab with those available on your switch. For example, if you only have 12 10/100 FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the GigabitEthernet ports and you only have a 12-port 10/100 FastEthernet switch, simply substitute GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example.

Lab 12 Configuration Tasks

Task 1:

Configure the hostname on Sw1 as illustrated in the diagram. In addition, configure the following VLANs on Sw1 and assign the specified ports to those VLANs:

VLAN Number   VLAN Name           VLAN Ports
100           CATALYST_VLAN_100   FastEthernet0/1 - FastEthernet0/9
200           CATALYST_VLAN_200   FastEthernet0/10 - FastEthernet0/19

Task 2:

Configure all ports in VLAN 100 as static access ports that also use PortFast. These ports will always be connected to end hosts (i.e. PCs); therefore, configure them so that a port is immediately shut down if it receives a BPDU.

Task 3:

Configure all ports in VLAN 200 as static access ports that also use PortFast. These ports will also be connected to end hosts (i.e. PCs); however, unlike the default behavior of all switches, Sw1 should never send BPDUs on these ports.

Task 4:

Ports FastEthernet0/20 to FastEthernet0/24 are currently not being used and should be shut down. However, to prevent an STP topology change in the event that someone plugs a switch with superior BPDUs into any one of these ports and brings it up, configure these ports so that the placement of the root bridge in the network cannot change.

Task 5:

Configure the GigabitEthernet0/1 and GigabitEthernet0/2 interfaces of Sw1 as trunk ports that will never use the Dynamic Trunking Protocol.

Lab 12 Configuration and Verification

Task 1:

Switch(config)#hostname Sw1
Sw1(config)#vlan 100
Sw1(config-vlan)#name CATALYST_VLAN_100
Sw1(config-vlan)#exit
Sw1(config)#vlan 200
Sw1(config-vlan)#name CATALYST_VLAN_200
Sw1(config-vlan)#exit
Sw1(config)#interface range fast 0/1 - 9
Sw1(config-if-range)#switchport access vlan 100
Sw1(config-if-range)#exit
Sw1(config)#interface range fast 0/10 - 19
Sw1(config-if-range)#switchport access vlan 200
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
100  CATALYST_VLAN_100                active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9
200  CATALYST_VLAN_200                active    Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19
1002 fddi-default                     active
1003 trcrf-default                    active
1004 fddinet-default                  active
1005 trbrf-default                    active

Task 2:

Sw1(config)#spanning-tree portfast bpduguard default
Sw1(config)#interface range fast 0/1 - 9
Sw1(config-if-range)#switchport mode access
Sw1(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface  when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast will be configured in 9 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.
Sw1(config-if-range)#spanning-tree bpduguard enable
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfiguration guard is enabled
Extended system ID   is enabled
Portfast             is disabled by default
PortFast BPDU Guard  is enabled by default
Portfast BPDU Filter is disabled by default
Loopguard            is disabled by default
UplinkFast           is disabled
BackboneFast         is disabled
Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
Total                        0         0        0          0          0

To further verify your configuration, you can enable a port in VLAN 100 that has a device connected to it and issue the show spanning-tree interface command as follows:

Sw1#show spanning-tree interface f0/1 detail
Port 1 (FastEthernet0/1) of VLAN0100 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.1.
Designated root has priority 32868, address 000d.bd06.4100
Designated bridge has priority 32868, address 000d.bd06.4100
Designated port id is 128.1, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled
Bpdu filter is disabled by default
BPDU: sent 11, received 0

Task 3:

Sw1(config)#spanning-tree portfast bpdufilter default
Sw1(config)#interface range fast 0/10 - 19
Sw1(config-if-range)#switchport mode access
Sw1(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface  when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast will be configured in 10 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.
Sw1(config-if-range)#spanning-tree bpdufilter enable
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfiguration guard is enabled
Extended system ID   is enabled
Portfast             is disabled by default
PortFast BPDU Guard  is enabled by default
Portfast BPDU Filter is enabled by default
Loopguard            is disabled by default
UplinkFast           is disabled
BackboneFast         is disabled
Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
Total                        0         0        0          0          0

To further verify your configuration, you can enable a port in VLAN 200 that has a device connected to it and issue the show spanning-tree interface command as follows:

Sw1#show spanning-tree interface f0/12 detail
Port 12 (FastEthernet0/12) of VLAN0200 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.12.
Designated root has priority 32968, address 000d.bd06.4100
Designated bridge has priority 32968, address 000d.bd06.4100
Designated port id is 128.12, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled by default
Bpdu filter is enabled
BPDU: sent 0, received 0

Task 4:

Sw1(config)#interface range f0/20 - 24
Sw1(config-if-range)#description 'Currently not being used'
Sw1(config-if-range)#shutdown
Sw1(config-if-range)#spanning-tree guard root
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#

Task 5:

Sw1(config)#interface range g0/1 - 2
Sw1(config-if-range)#no shutdown
Sw1(config-if-range)#switchport mode trunk
Sw1(config-if-range)#switchport nonegotiate
Sw1(config-if-range)#exit
Sw1(config)#exit
Sw1#
Sw1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false

Voice VLAN: none (Inactive)
Appliance trust: none

Lab 12 Configurations

Sw1 Configuration

Sw1#show running-config
Building configuration...

Current configuration : 4260 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Sw1
!
no logging console
!
ip subnet-zero
vtp domain LAB12
vtp mode transparent
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
vlan 100
 name CATALYST_VLAN_100
!
vlan 200
 name CATALYST_VLAN_200
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/8
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/9
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/10
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/11
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/12
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/13
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/14
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/15
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/16
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/17
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/18
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/19
 switchport access vlan 200
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/20
 description 'Currently not being used'
 no ip address
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/21
 description 'Currently not being used'
 no ip address
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/22
 description 'Currently not being used'
 no ip address
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/23
 description 'Currently not being used'
 no ip address
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/24
 description 'Currently not being used'
 no ip address
 shutdown
 spanning-tree guard root
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 no ip address
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
!
line con 0
line vty 5 15
!
end
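The five tasks above can be checked mechanically against a saved running-config rather than port by port with show commands. The following Python script is an added example, not part of the original lab or of Cisco IOS: it parses interface stanzas out of a Catalyst running-config and tests every physical port against the Lab 12 rules (host-facing access ports must have PortFast plus BPDU Guard or BPDU Filter, shut ports must also carry root guard, trunks must have switchport nonegotiate, and a port with no explicit switchport mode is reported because DTP can still negotiate on it). The embedded SAMPLE_CONFIG is a constructed, abbreviated copy of the Sw1 configuration with two deliberate deviations (FastEthernet0/21 shut without root guard, GigabitEthernet0/2 trunking without nonegotiate) so the audit has something to report. Interface-level BPDU Filter is flagged as informational: spanning-tree bpdufilter enable on an interface stops the port from both sending and acting on BPDUs, which effectively disables STP on that port, whereas the global spanning-tree portfast bpdufilter default only suppresses BPDUs on PortFast ports and still reacts if one is received.

```python
"""Audit a Catalyst running-config for the Lab 12 STP/DTP hardening controls.

Added example for this lab; the config below is constructed, not captured.
"""

# Constructed, abbreviated running-config modelled on the Sw1 output above.
# Two deviations are planted on purpose: Fa0/21 (shut, no root guard) and
# Gi0/2 (trunk, DTP still enabled).
SAMPLE_CONFIG = """\
hostname Sw1
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/10
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/20
 description 'Currently not being used'
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/21
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
end
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-commands]} for every interface stanza.

    A stanza runs from an 'interface ...' line to the next '!', 'end' or
    'interface' line, so the parser works whether or not the one-space
    indentation of real IOS output survived copy-and-paste.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit(config: str) -> dict:
    """Check each physical port against the Lab 12 rules; return findings per port."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if name.startswith("Vlan"):
            continue  # SVIs carry no STP/DTP port settings
        c = set(cmds)
        issues = []
        if "shutdown" in c:
            # Task 4: unused port must be shut AND root-guarded
            if "spanning-tree guard root" not in c:
                issues.append("shut port lacks 'spanning-tree guard root'")
        elif "switchport mode trunk" in c:
            # Task 5: trunks must never run DTP
            if "switchport nonegotiate" not in c:
                issues.append("trunk still negotiates via DTP; add 'switchport nonegotiate'")
        elif "switchport mode access" in c:
            # Tasks 2/3: host-facing access port needs PortFast plus a BPDU control
            if "spanning-tree portfast" not in c:
                issues.append("access port without PortFast")
            has_guard = "spanning-tree bpduguard enable" in c
            has_filter = "spanning-tree bpdufilter enable" in c
            if not (has_guard or has_filter):
                issues.append("access port has neither BPDU Guard nor BPDU Filter")
            if has_filter:
                issues.append("info: interface-level BPDU Filter ignores received BPDUs; STP is effectively off on this port")
        else:
            # Default mode is dynamic (auto/desirable), so DTP frames are still exchanged
            issues.append("no explicit switchport mode; DTP negotiation is possible")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

Run against the sample, the script reports Fa0/10 (informational BPDU Filter note), Fa0/21 (missing root guard) and Gi0/2 (DTP still enabled) and stays silent on Fa0/1, Fa0/20 and Gi0/1, which meet the lab's requirements. To audit a real switch, paste the output of show running-config into SAMPLE_CONFIG or read it from a file.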
