Packet Tracer Switch Security

Task

Topology

The task this time is to secure the switches.

SW-1(config)#vlan 100
SW-1(config-vlan)#name Native
SW-1(config-vlan)#vlan 999
SW-1(config-vlan)#name BlackHole

SW-2(config)#vlan 100
SW-2(config-vlan)#name Native
SW-2(config-vlan)#vlan 999
SW-2(config-vlan)#name blackhole

Secure Trunk

SW-1(config)#int gig0/1
SW-1(config-if)#sw mo tr
SW-1(config-if)#sw trunk native vlan 100
SW-1(config-if)#sw nonegotiate
SW-1(config)#int gig0/2
SW-1(config-if)#sw mo tr
SW-1(config-if)#sw trunk native vlan 100
SW-1(config-if)#sw nonegotiate

SW-2(config)#int gig0/1
SW-2(config-if)#sw mo tr
SW-2(config-if)#sw trunk native vlan 100
SW-2(config-if)#sw nonegotiate
SW-2(config)#int gig0/2
SW-2(config-if)#sw mo tr
SW-2(config-if)#sw trunk native vlan 100
SW-2(config-if)#sw nonegotiate

Secure Unused Switch Ports

SW-1(config)#int ra fa0/3-9,fa0/11-23
SW-1(config-if-range)#sh
SW-1(config-if-range)#sw acc v 999

SW-2(config)#int ra fa0/3-9,fa0/11-23
SW-2(config-if-range)#sh
SW-2(config-if-range)#sw acc v 999

Implement Port Security

SW-1(config)#int ra fa0/1-2,fa0/10,fa0/24,gig0/1-2
SW-1(config-if-range)#sw port-security
SW-1(config-if-range)#sw port-security maximum 4
SW-1(config-if-range)#sw port-security mac-address sticky
SW-1(config-if-range)#sw port-security violation restrict

SW-2(config)#int ra fa0/1-2,fa0/10,fa0/24,gig0/1-2
SW-2(config-if-range)#sw port-security
SW-2(config-if-range)#sw port-security maximum 4
SW-2(config-if-range)#sw port-security mac-address sticky
SW-2(config-if-range)#sw port-security violation restrict

Configure DHCP Snooping

SW-1(config)#ip dhcp snooping
SW-1(config)#ip dhcp snooping vlan 10,20,99
SW-1(config)#int ra gig0/1-2
SW-1(config-if-range)#ip dhcp snooping trust
SW-1(config-if-range)#ip dhcp snooping limit rate 5

SW-2(config)#ip dhcp snooping
SW-2(config)#ip dhcp snooping vlan 10,20,99
SW-2(config)#int ra gig0/1-2
SW-2(config-if-range)#ip dhcp snooping trust
SW-2(config-if-range)#ip dhcp snooping limit rate 5

Configure PortFast and BPDU Guard

SW-1(config)#int ra fa0/1-2,fa0/10,fa0/24
SW-1(config-if-range)#spanning-tree portfast
SW-1(config-if-range)#spanning-tree bpduguard enable

SW-2(config)#int ra fa0/1-2,fa0/10,fa0/24
SW-2(config-if-range)#spanning-tree portfast
SW-2(config-if-range)#spanning-tree bpduguard enable
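
Verify the Configuration

The hardening steps above can be checked against a saved configuration. The Python script below is an added example, not part of the original post: it parses show running-config text and reports trunk ports missing native VLAN 100 or nonegotiate, unused ports that are not both shut down and parked in VLAN 999, and access ports missing port security, PortFast or BPDU Guard. The sample configuration is constructed, and the full-form command wording is assumed to match what the switch prints.

```python
import re

# Constructed `show running-config` excerpt (sample input, not from the lab).
SAMPLE = """\
interface FastEthernet0/1
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport access vlan 999
!
interface GigabitEthernet0/1
 switchport trunk native vlan 100
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface name to the set of commands configured under it."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1].strip(), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return ifaces

def audit(config, native="100", blackhole="999"):
    """Return (interface, missing command) pairs for the hardening steps above."""
    park = f"switchport access vlan {blackhole}"
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not re.match(r"(Fast|Gigabit)Ethernet", name):
            continue  # skip SVIs such as Vlan1
        if "switchport mode trunk" in cmds:
            need = {f"switchport trunk native vlan {native}", "switchport nonegotiate"}
        elif "shutdown" in cmds or park in cmds:
            need = {"shutdown", park}  # unused port: disabled and parked
        else:
            need = {"switchport port-security", "spanning-tree portfast",
                    "spanning-tree bpduguard enable"}
        findings += [(name, cmd) for cmd in sorted(need - cmds)]
    return findings

if __name__ == "__main__":
    for name, cmd in audit(SAMPLE):
        print(f"{name}: missing '{cmd}'")
```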