
Lab – Implementing VLAN Security
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 7
b. From the console session on S1, ping the management address of S2. Were the pings successful? Why?
____________________________________________________________________________________
c. From a command prompt on PC-B, ping the management addresses on S1 and S2 and the IP address of
PC-A and PC-C. Were your pings successful? Why?
____________________________________________________________________________________
d. From a command prompt on PC-C, ping the management addresses on S1 and S2 and the IP address of
PC-A. Were you successful? Why?
____________________________________________________________________________________
Step 4: Prevent the use of DTP on S1 and S2.
Cisco uses a proprietary protocol known as the Dynamic Trunking Protocol (DTP) on its switches. Some ports
automatically negotiate to trunking. A good practice is to turn off negotiation. You can see this default
behavior by issuing the following command:
S1# show interface f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
<Output Omitted>
a. Turn off negotiation on S1.
S1(config)# interface f0/1
S1(config-if)# switchport nonegotiate
b. Turn off negotiation on S2.
S2(config)# interface f0/1
S2(config-if)# switchport nonegotiate
c. Verify that negotiation is off by issuing the show interface f0/1 switchport command on S1 and S2.
S1# show interface f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
<Output Omitted>
Step 5: Secure access ports on S1 and S2.
Even though you shut down unused ports on the switches, if a device is connected to one of those ports and
the interface is enabled, trunking could occur. In addition, all ports by default are in VLAN 1. A good practice
is to put all unused ports in a “black hole” VLAN. In this step, you will disable trunking on all unused ports.
You will also assign unused ports to VLAN 999. For the purposes of this lab, only ports 2 through 5 will be
configured on both switches.
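The checks behind Step 4 and Step 5 can be automated against the `show interfaces switchport` output shown above. The following Python script is an added example, not part of the Cisco lab; it assumes the field names seen in the lab output, treats `Fa0/1` as the only intended trunk, and uses constructed sample output for three ports.

```python
# Constructed sample in the layout of `show interfaces switchport` from this lab:
# Fa0/1 is the trunk after `switchport nonegotiate`, Fa0/2 is an untouched
# unused port, Fa0/3 has been moved to the black-hole VLAN as Step 5 intends.
SAMPLE_OUTPUT = """\
Name: Fa0/1
Administrative Mode: trunk
Negotiation of Trunking: Off

Name: Fa0/2
Administrative Mode: dynamic auto
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Fa0/3
Administrative Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 999 (BlackHole)
"""

def parse_switchport(text):
    """Return {interface name: {field: value}} from `show interfaces switchport` text."""
    ports, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines and <Output Omitted> markers
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports

def audit(ports, trunk_ports=("Fa0/1",), blackhole_vlan="999"):
    """List (port, problem) pairs for ports that miss the lab's hardening goals."""
    findings = []
    for name, attrs in ports.items():
        if attrs.get("Negotiation of Trunking") == "On":
            findings.append((name, "DTP negotiation still enabled"))
        if name in trunk_ports:
            continue  # intended trunks only need nonegotiate
        mode = attrs.get("Administrative Mode", "")
        if mode != "static access":
            findings.append((name, f"not a static access port ({mode})"))
        vlan = attrs.get("Access Mode VLAN", "").split(" ")[0]
        if vlan != blackhole_vlan:
            findings.append((name, f"in VLAN {vlan}, expected {blackhole_vlan}"))
    return findings
```

Running `audit(parse_switchport(SAMPLE_OUTPUT))` reports only Fa0/2, once for each goal it misses, while the hardened trunk and the black-hole access port produce no findings.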