Summary
In this chapter, I introduced you to the world of virtual LANs and
described how Cisco switches can use them. We talked about how VLANs
break up broadcast domains in a switched internetwork—a very
important, necessary thing because layer 2 switches only break up
collision domains, and by default, all switches make up one large
broadcast domain. I also described access links to you, and we went over
how trunked VLANs work across a FastEthernet or faster link.
Trunking is a crucial technology to understand really well when you’re
dealing with a network populated by multiple switches that are running
several VLANs.
You were also presented with some key troubleshooting and
configuration examples for access and trunk ports, configuring trunking
options, and a huge section on IVR.
Exam Essentials
Understand the term frame tagging. Frame tagging refers to VLAN
identification; this is what switches use to keep track of all those frames
as they’re traversing a switch fabric. It’s how switches identify which
frames belong to which VLANs.
Understand the 802.1q VLAN identification method. This is a
nonproprietary IEEE method of frame tagging. If you’re trunking
between a Cisco switched link and a different brand of switch, you have to
use 802.1q for the trunk to work.
Remember how to set a trunk port on a 2960 switch. To set a port to trunking on a 2960, use the switchport mode trunk command.
Remember to check a switch port’s VLAN assignment when
plugging in a new host. If you plug a new host into a switch, then you
must verify the VLAN membership of that port. If the membership is
different than what is needed for that host, the host will not be able to
reach the needed network services, such as a workgroup server or printer.
Remember how to create a Cisco router on a stick to provide
inter-VLAN communication. You can use a Cisco FastEthernet or
Gigabit Ethernet interface to provide inter-VLAN routing. The switch
port connected to the router must be a trunk port; then you must create
virtual interfaces (subinterfaces) on the router port for each VLAN
connecting to it. The hosts in each VLAN will use this subinterface
address as their default gateway address.
Remember how to provide inter-VLAN routing with a layer 3 switch. You can use a layer 3 (multilayer) switch to provide IVR just as with a router on a stick, but using a layer 3 switch is more efficient and faster. First you start the routing process with the command ip routing, then create a virtual interface for each VLAN using the command interface vlan vlan (where the second vlan is the VLAN number), and then apply the IP address for that VLAN under that logical interface.
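The following is an added example, not code from the book: a small Python model of the 802.1q frame tagging that the Exam Essentials above describe. It builds an untagged Ethernet II frame, inserts and removes the 4-byte 802.1q tag (TPID 0x8100 followed by the tag control information holding the 12-bit VLAN ID), and then applies the access-link and trunk-link rules: a frame leaving an access port is always untagged, a frame leaving a trunk is tagged unless it belongs to the native VLAN, and an untagged frame arriving on a trunk is assigned to the native VLAN. The port dictionaries, MAC addresses and payload are constructed for the demonstration; the last port shows what happens when the two ends of a trunk disagree on the native VLAN.

```python
import struct
from typing import Optional, Tuple

# Added example (not from the book): a minimal model of 802.1Q frame tagging
# as a switch applies it on access and trunk ports. Ports, MACs and payload
# below are constructed for the demonstration.

TPID_8021Q = 0x8100   # EtherType value that marks a tagged frame
DEFAULT_NATIVE = 1    # Cisco switches use VLAN 1 as the native VLAN by default


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) | src(6) | EtherType(2) | payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType.

    Tag = TPID (0x8100) + TCI, where TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits).
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id          # DEI bit left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vlan_id, frame without tag); vlan_id is None if the frame is untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def classify_ingress(frame: bytes, port: dict) -> Tuple[int, bytes]:
    """Decide which VLAN an arriving frame belongs to on this port."""
    vid, bare = untag_frame(frame)
    if port["mode"] == "access":
        return port["vlan"], bare         # access port: the port's VLAN, tag or not
    if vid is None:
        return port["native"], bare       # trunk: untagged frames belong to the native VLAN
    return vid, bare


def prepare_egress(vlan: int, bare: bytes, port: dict) -> Optional[bytes]:
    """Build the frame to send out of this port, or None if the port is not in that VLAN."""
    if port["mode"] == "access":
        return bare if port["vlan"] == vlan else None   # access link: never tagged
    if vlan == port["native"]:
        return bare                                     # native VLAN leaves untagged
    return tag_frame(bare, vlan)                        # every other VLAN is tagged


def forward(frame: bytes, in_port: dict, out_port: dict) -> Optional[bytes]:
    """One switch hop: classify on the ingress port, rebuild for the egress port."""
    vlan, bare = classify_ingress(frame, in_port)
    return prepare_egress(vlan, bare, out_port)


# Constructed sample ports and frame
ACCESS_10 = {"mode": "access", "vlan": 10}
ACCESS_20 = {"mode": "access", "vlan": 20}
TRUNK = {"mode": "trunk", "native": DEFAULT_NATIVE}
TRUNK_NATIVE_99 = {"mode": "trunk", "native": 99}   # far end with a mismatched native VLAN
SAMPLE = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"), 0x0800, b"hello")

if __name__ == "__main__":
    tagged = forward(SAMPLE, ACCESS_10, TRUNK)
    print("access -> trunk, tag bytes:", tagged[12:16].hex())
    print("trunk -> access strips the tag:", forward(tagged, TRUNK, ACCESS_10) == SAMPLE)
    print("trunk -> access port in another VLAN:", forward(tagged, TRUNK, ACCESS_20))
    print("untagged across mismatched native VLANs becomes tagged:", forward(SAMPLE, TRUNK, TRUNK_NATIVE_99)[12:16].hex())
```

The last case is the one to watch for when verifying trunks: a frame that is untagged on one side because it sits in that side's native VLAN is tagged with that VLAN number when it crosses a trunk whose own native VLAN differs, so the two switches end up in disagreement about which VLAN the traffic belongs to.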
Written Lab 11
In this section, you’ll complete the following lab to make sure you’ve got
the information and concepts it contains fully dialed in:
Lab 11.1: VLANs
You can find the answers to this lab in Appendix A, “Answers to Written
Labs.”
Write the answers to the following questions:
1. True/False: To provide IVR with a layer 3 switch, you place an IP
address on each interface of the switch.
2. What protocol will stop loops in a layer 2 switched network?
3. VLANs break up ___________ domains in a layer 2 switched
network.
4. Which VLAN numbers are reserved by default?
5. If you have a switch that provides both ISL and 802.1q frame tagging,
what command under the trunk interface will make the trunk use
802.1q?
6. What does trunking provide?
7. How many VLANs can you create on an IOS switch by default?
8. True/False: The 802.1q encapsulation is removed from the frame if
the frame is forwarded out an access link.
9. What type of link on a switch is a member of only one VLAN?
10. You want to change from the default of VLAN 1 to VLAN 4 for
untagged traffic. What command will you use?
Hands-on Labs
In these labs, you will use three switches and a router. To perform the last
lab, you’ll need a layer 3 switch.
Lab 11.1: Configuring and Verifying VLANs
Lab 11.2: Configuring and Verifying Trunk Links
Lab 11.3: Configuring Router on a Stick Routing
Lab 11.4: Configuring IVR with a Layer 3 Switch
In these labs, I’ll use the following layout:
Hands-on Lab 11.1: Configuring and Verifying VLANs
This lab will have you configure VLANs from global configuration mode
and then verify the VLANs.
1. Configure two VLANs on each switch, VLAN 10 and VLAN 20.
S1(config)#vlan 10
S1(config-vlan)#vlan 20
S2(config)#vlan 10
S2(config-vlan)#vlan 20
S3(config)#vlan 10
S3(config-vlan)#vlan 20
2. Use the show vlan and show vlan brief commands to verify your VLANs. Notice that all interfaces are in VLAN 1 by default.
S1#sh vlan
S1#sh vlan brief
Hands-on Lab 11.2: Configuring and Verifying Trunk Links
This lab will have you configure trunk links and then verify them.
1. Connect to each switch and configure trunking on all switch links. If
you are using a switch that supports both 802.1q and ISL frame
tagging, then use the encapsulation command; if not, then skip that
command.
S1#config t
S1(config)#interface fa0/15
S1(config-if)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface
Again, if you typed the previous command and received an error, then your switch does not support both encapsulation methods:
S1(config-if)#switchport trunk encapsulation dot1q
S1(config-if)#switchport mode trunk
S1(config-if)#interface fa0/16
S1(config-if)#switchport trunk encapsulation dot1q
S1(config-if)#switchport mode trunk
S1(config-if)#interface fa0/17
S1(config-if)#switchport trunk encapsulation dot1q
S1(config-if)#switchport mode trunk
S1(config-if)#interface fa0/18
S1(config-if)#switchport trunk encapsulation dot1q
S1(config-if)#switchport mode trunk
2. Configure the trunk links on your other switches.
3. On each switch, verify your trunk ports with the show interface trunk command:
S1#show interface trunk
4. Verify the switchport configuration with the following:
S1#show interface interface switchport
The second interface in the command is a variable, such as Fa0/15.
Hands-on Lab 11.3: Configuring Router on a Stick Routing
In this lab, you’ll use the router connected to port F0/8 of switch S1 to
configure ROAS.
1. Configure the F0/0 of the router with two subinterfaces to provide
inter-VLAN routing using 802.1q encapsulation. Use 172.16.10.0/24
for your management VLAN, 10.10.10.0/24 for VLAN 10, and
20.20.20.0/24 for VLAN 20.
Router#config t
Router(config)#int f0/0
Router(config-if)#ip address 172.16.10.1 255.255.255.0
Router(config-if)#interface f0/0.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 10.10.10.1 255.255.255.0
Router(config-subif)#interface f0/0.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 20.20.20.1 255.255.255.0
2. Verify the configuration with the show running-config command.
3. Configure trunking on interface F0/8 of the S1 switch connecting to your router.
4. Verify that your VLANs are still configured on your switches with the sh vlan command.
5. Configure your hosts to be in VLAN 10 and VLAN 20 with the switchport access vlan x command.
6. Ping from your PC to the router’s subinterface configured for your
VLAN.
7. Ping from your PC to your PC in the other VLAN. You are now routing
through the router!
Hands-on Lab 11.4: Configuring IVR with a Layer 3 Switch
In this lab, you will disable the router and use the S1 switch to provide
inter-VLAN routing by creating SVIs.
1. Connect to the S1 switch and make interface F0/8 an access port,
which will make the router stop providing inter-VLAN routing.
2. Enable IP routing on the S1 switch.
S1(config)#ip routing
3. Create two new interfaces on the S1 switch to provide IVR.
S1(config)#interface vlan 10
S1(config-if)#ip address 10.10.10.1 255.255.255.0
S1(config-if)#interface vlan 20
S1(config-if)#ip address 20.20.20.1 255.255.255.0
4. Clear the ARP cache on the switch and hosts.
S1#clear arp
5. Ping from your PC to the router’s subinterface configured for your
VLAN.
6. Ping from your PC to your PC in the other VLAN. You are now routing
through the S1 switch!
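As an added example (not part of the book or its labs), here is a small Python audit of the two inter-VLAN routing designs just built: the router-on-a-stick configuration from Lab 11.3 and the SVI configuration from Lab 11.4. It splits IOS-style running-config text into global commands and per-interface stanzas, then checks the things that most often go wrong when one of these labs does not ping: a subinterface with no encapsulation dot1q line or no ip address, an SVI that is shut down, a layer 3 switch with SVIs but no global ip routing, and a switch port toward the router that is not a trunk. The config text, interface names and finding messages are all assumptions made for this example.

```python
from typing import Dict, List, Tuple

# Added example (not from the book): audits of the two inter-VLAN routing
# designs from Labs 11.3 (router on a stick) and 11.4 (SVIs on a layer 3
# switch), run against constructed running-config text. The configs below
# and the finding texts are assumptions made for this example.


def parse_ios_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style config text into global commands and per-interface stanzas.

    Names and commands are lowercased so 'dot1Q' and 'dot1q' compare equal.
    """
    global_cmds: List[str] = []
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue                      # blank lines and '!' separators
        if line.startswith("interface "):
            current = line.split(None, 1)[1].lower()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip().lower())
        else:
            current = None                # back at global configuration level
            global_cmds.append(line.strip().lower())
    return global_cmds, stanzas


def audit_router_on_a_stick(router_cfg: str, physical: str) -> Tuple[List[str], Dict[int, str]]:
    """Check every subinterface of `physical` for a dot1q encapsulation and a gateway address."""
    _, stanzas = parse_ios_config(router_cfg)
    findings: List[str] = []
    gateways: Dict[int, str] = {}
    for name, cmds in stanzas.items():
        if not name.startswith(physical.lower() + "."):
            continue
        enc = [c for c in cmds if c.startswith("encapsulation dot1q ")]
        ip = [c for c in cmds if c.startswith("ip address ")]
        if not enc:
            findings.append(f"{name}: no 'encapsulation dot1q', so it is not bound to a VLAN")
        if not ip:
            findings.append(f"{name}: no 'ip address', so hosts in that VLAN have no gateway")
        if enc and ip:
            gateways[int(enc[0].split()[2])] = ip[0].split()[2]
    return findings, gateways


def audit_trunk_port(switch_cfg: str, port: str) -> List[str]:
    """Lab 11.3 step 3: the switch port facing the router must be a trunk."""
    _, stanzas = parse_ios_config(switch_cfg)
    if "switchport mode trunk" in stanzas.get(port.lower(), []):
        return []
    return [f"{port.lower()}: port toward the router is not a trunk"]


def audit_l3_switch(switch_cfg: str) -> Tuple[List[str], Dict[int, str]]:
    """Lab 11.4: SVIs need an address, must not be shut down, and need global 'ip routing'."""
    global_cmds, stanzas = parse_ios_config(switch_cfg)
    findings: List[str] = []
    svis: Dict[int, str] = {}
    for name, cmds in stanzas.items():
        if not name.startswith("vlan"):
            continue
        ip = [c for c in cmds if c.startswith("ip address ")]
        if "shutdown" in cmds:
            findings.append(f"{name}: administratively shut down")
        if ip:
            svis[int(name[4:])] = ip[0].split()[2]
    if len(svis) > 1 and "ip routing" not in global_cmds:
        findings.append("'ip routing' missing: the switch will not route between its SVIs")
    return findings, svis


# Constructed configs (assumptions for this example, mirroring the lab addressing)
ROUTER_OK = """interface FastEthernet0/0
 ip address 172.16.10.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.1 255.255.255.0
"""
ROUTER_BAD = ROUTER_OK.replace(" encapsulation dot1Q 20\n", "")   # second subinterface unbound
SWITCH_OK = """ip routing
interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 20.20.20.1 255.255.255.0
"""
SWITCH_BAD = """interface FastEthernet0/8
 switchport mode access
 switchport access vlan 10
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 20.20.20.1 255.255.255.0
 shutdown
"""

if __name__ == "__main__":
    print(audit_router_on_a_stick(ROUTER_BAD, "FastEthernet0/0"))
    print(audit_trunk_port(SWITCH_BAD, "FastEthernet0/8"))
    print(audit_l3_switch(SWITCH_BAD))
```

Running the audit against the "bad" configs reports the unbound subinterface, the access port facing the router, the shut-down SVI and the missing ip routing; the "good" configs return no findings and a VLAN-to-gateway map that matches the addresses the hosts should be using as their default gateways.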
Review Questions
The following questions are designed to test your understanding of this chapter’s material. For more information on how to get additional questions, please see www.lammle.com/ccna.
You can find the answers to these questions in Appendix B, “Answers to Review Questions.”
1. Which of the following statements is true with regard to VLANs?
A. VLANs greatly reduce network security.
B. VLANs increase the number of collision domains while decreasing
their size.
C. VLANs decrease the number of broadcast domains while
decreasing their size.
D. Network adds, moves, and changes are achieved with ease by just
configuring a port into the appropriate VLAN.
2. Write the command that must be present for this layer 3 switch to
provide inter-VLAN routing between the two VLANs created with
these commands:
S1(config)#int vlan 10
S1(config-if)#ip address 192.168.10.1 255.255.255.0
S1(config-if)#int vlan 20
S1(config-if)#ip address 192.168.20.1 255.255.255.0
3. In the following diagram, how must the port on each end of the line be
configured to carry traffic between the four hosts?
A. Access port
B. 10 GB
C. Trunk
D. Spanning
4. What is the only type of second VLAN of which an access port can be a
member?
A. Secondary
B. Voice
C. Primary
D. Trunk
5. In the following configuration, what command is missing in the
creation of the VLAN interface?
2960#config t
2960(config)#int vlan 1
2960(config-if)#ip address 192.168.10.2 255.255.255.0
2960(config-if)#exit
2960(config)#ip default-gateway 192.168.10.1
A. no shutdown under int vlan 1
B. encapsulation dot1q 1 under int vlan 1
C. switchport access vlan 1
D. passive-interface
6. Which of the following statements is true with regard to ISL and
802.1q?
A. 802.1q encapsulates the frame with control information; ISL
inserts an ISL field along with tag control information.
B. 802.1q is Cisco proprietary.
C. ISL encapsulates the frame with control information; 802.1q
inserts an 802.1q field along with tag control information.
D. ISL is a standard.
7. What concept is depicted in the diagram?
A. Multiprotocol routing
B. Passive interface
C. Gateway redundancy
D. Router on a stick
8. Write the command that places an interface into VLAN 2. Write only
the command and not the prompt.
9. Write the command that generated the following output:
VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
2    Sales                            active
3    Marketing                        active
4    Accounting                       active
[output cut]
10. In the configuration and diagram shown, what command is missing to
enable inter-VLAN routing between VLAN 2 and VLAN 3?
A. encapsulation dot1q 3 under int f0/0.2
B. encapsulation dot1q 2 under int f0/0.2
C. no shutdown under int f0/0.2
D. no shutdown under int f0/0.3
11. Based on the configuration shown here, what statement is true?
S1(config)#ip routing
S1(config)#int vlan 10
S1(config-if)#ip address 192.168.10.1 255.255.255.0
S1(config-if)#int vlan 20
S1(config-if)#ip address 192.168.20.1 255.255.255.0
A. This is a multilayer switch.
B. The two VLANs are in the same subnet.
C. Encapsulation must be configured.
D. VLAN 10 is the management VLAN.
12. What is true of the output shown here?
S1#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/19, Fa0/20,
                                                Fa0/22, Fa0/23, Gi0/1, Gi0/2
2    Sales                            active
3    Marketing                        active    Fa0/21
4    Accounting                       active
[output cut]
A. Interface F0/15 is a trunk port.
B. Interface F0/17 is an access port.
C. Interface F0/21 is a trunk port.
D. VLAN 1 was populated manually.
13. 802.1q untagged frames are members of the __________ VLAN.
A. Auxiliary
B. Voice
C. Native
D. Private
14. Write the command that generated the following output. Write only
the command and not the prompt:
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
[output cut]
15. In the switch output of question 12, how many broadcast domains are
shown?
A. 1
B. 2
C. 4
D. 1001
16. In the diagram, what should be the default gateway address of Host
B?
A. 192.168.10.1
B. 192.168.1.65
C. 192.168.1.129
D. 192.168.1.2
17. What is the purpose of frame tagging in virtual LAN (VLAN)
configurations?
A. Inter-VLAN routing
B. Encryption of network packets
C. Frame identification over trunk links
D. Frame identification over access links
18. Write the command to create VLAN 2 on a layer 2 switch. Write only
the command and not the prompt.
19. Which statement is true regarding 802.1q frame tagging?
A. 802.1q adds a 26-byte trailer and 4-byte header.
B. 802.1q uses a native VLAN.
C. The original Ethernet frame is not modified.
D. 802.1q only works with Cisco switches.
20. Write the command that prevents an interface from generating DTP
frames. Write only the command and not the prompt.
Chapter 12
Security
THE FOLLOWING ICND1 EXAM TOPICS ARE COVERED IN THIS CHAPTER:
4.0 Infrastructure Services
4.6 Configure, verify, and troubleshoot IPv4 standard numbered
and named access list for routed interfaces
If you’re a sys admin, it’s my guess that
shielding sensitive, critical data, as well as your network’s resources, from
every possible evil exploit is a top priority of yours, right? Good to know
you’re on the right page because Cisco has some really effective security
solutions to equip you with the tools you’ll need to make this happen in a
very real way!
The first power tool I’m going to hand you is known as the access control
list (ACL). Being able to execute an ACL proficiently is an integral part of
Cisco’s security solution, so I’m going to begin by showing you how to
create and implement simple ACLs. From there, I’ll move to
demonstrating more advanced ACLs and describe how to implement
them strategically to provide serious armor for an internetwork in today’s
challenging, high-risk environment.
In Appendix C, “Disabling and Configuring Network Services,” I’ll show
you how to mitigate most security-oriented network threats. Make sure
you don’t skip this appendix because it is chock full of great security
information, and the information it contains is part of the Cisco exam
objectives as well!
The proper use and configuration of access lists is a vital part of router
configuration because access lists are such versatile networking
accessories. Contributing mightily to the efficiency and operation of your
network, access lists give network managers a huge amount of control
over traffic flow throughout the enterprise. With access lists, we can
gather basic statistics on packet flow and security policies can be
implemented. These dynamic tools also enable us to protect sensitive
devices from the dangers of unauthorized access.
In this chapter, we’ll cover ACLs for TCP/IP as well as explore effective
ways available to us for testing and monitoring how well applied access
lists are functioning. We’ll begin now by discussing key security measures
deployed using hardware devices and VLANs and then I’ll introduce you
to ACLs.
To find up-to-the-minute updates for this chapter, please see www.lammle.com/ccna or the book’s web page at www.sybex.com/go/ccna.
Perimeter, Firewall, and Internal Routers
You see this a lot—typically, in medium to large enterprise networks—the
various strategies for security are based on some mix of internal and
perimeter routers plus firewall devices. Internal routers provide
additional security by screening traffic to various parts of the protected
corporate network, and they achieve this using access lists. You can see
where each of these types of devices would be found in Figure 12.1.
FIGURE 12.1 A typical secured network
I’ll use the terms trusted network and untrusted network throughout this
chapter, so it’s important that you can see where they’re found in a typical
secured network. The demilitarized zone (DMZ) can be global (real)
Internet addresses or private addresses, depending on how you configure
your firewall, but this is typically where you’ll find the HTTP, DNS, email,
and other Internet-type corporate servers.
As you now know, instead of using routers, we can create VLANs with
switches on the inside trusted network. Multilayer switches containing
their own security features can sometimes replace internal (LAN) routers
to provide higher performance in VLAN architectures.
Let’s look at some ways of protecting the internetwork using access lists.
Introduction to Access Lists
An access list is essentially a list of conditions that categorize packets,
and they really come in handy when you need to exercise control over
network traffic. An ACL would be your tool of choice for decision making
in these situations.
One of the most common and easiest-to-understand uses of access lists is
to filter unwanted packets when implementing security policies. For
example, you can set them up to make very specific decisions about
regulating traffic patterns so that they’ll allow only certain hosts to access
web resources on the Internet while restricting others. With the right
combination of access lists, network managers arm themselves with the
power to enforce nearly any security policy they can invent.
Creating access lists is really a lot like programming a series of if-then
statements—if a given condition is met, then a given action is taken. If the
specific condition isn’t met, nothing happens and the next statement is
evaluated. Access-list statements are basically packet filters that packets
are compared against, categorized by, and acted upon accordingly. Once
the lists are built, they can be applied to either inbound or outbound
traffic on any interface. Applying an access list causes the router to
analyze every packet crossing that interface in the specified direction and
take the appropriate action.
There are three important rules that a packet follows when it’s being
compared with an access list:
The packet is always compared with each line of the access list in
sequential order—it will always start with the first line of the access
list, move on to line 2, then line 3, and so on.
The packet is compared with lines of the access list only until a match
is made. Once it matches the condition on a line of the access list, the
packet is acted upon and no further comparisons take place.
There is an implicit “deny” at the end of each access list—this means
that if a packet doesn’t match the condition on any of the lines in the
access list, the packet will be discarded.
Each of these rules has some powerful implications when filtering IP
packets with access lists, so keep in mind that creating effective access
lists definitely takes some practice.
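The three rules above are easiest to see in action, so here is an added example (not from the book) of a tiny Python model of a standard IP access list. It parses access-list lines of the form access-list N permit|deny {any | host A | A wildcard}, matches a source address against each line using the wildcard mask (a 0 bit must match, a 1 bit is ignored), and evaluates a packet exactly as the rules describe: top to bottom, stopping at the first match, and falling through to the implicit deny when nothing matches. It also reports lines that can never match because an earlier line already covers them, which is the practical consequence of rules 1 and 2 when lines are put in the wrong order. The ACL lines and addresses are constructed for the demonstration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not from the book): a model of how a standard IP access list
# is evaluated, following the three rules. ACL lines and addresses are constructed.

MASK32 = 0xFFFFFFFF


class AclEntry:
    """One line of a standard access list: an action plus a source/wildcard pair."""

    def __init__(self, action: str, source: str, wildcard: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        self.action = action
        self.source = int(ipaddress.IPv4Address(source))
        self.wildcard = int(ipaddress.IPv4Address(wildcard))
        self.care = ~self.wildcard & MASK32   # wildcard bit 0 = this bit must match

    def matches(self, addr: str) -> bool:
        return (int(ipaddress.IPv4Address(addr)) & self.care) == (self.source & self.care)

    def covers(self, other: "AclEntry") -> bool:
        """True if every address matched by `other` is also matched by self."""
        return (other.wildcard & self.care) == 0 and (other.source & self.care) == (self.source & self.care)


def parse_standard_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny {any | host A | A W | A}' lines, keeping their order."""
    entries: List[AclEntry] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, src = parts[2], parts[3:]
        if src[0] == "any":
            entries.append(AclEntry(action, "0.0.0.0", "255.255.255.255"))
        elif src[0] == "host":
            entries.append(AclEntry(action, src[1], "0.0.0.0"))
        elif len(src) >= 2:
            entries.append(AclEntry(action, src[0], src[1]))
        else:
            entries.append(AclEntry(action, src[0], "0.0.0.0"))  # bare address means one host
    return entries


def evaluate(entries: List[AclEntry], src_addr: str) -> Tuple[str, Optional[int]]:
    """Rule 1: top down. Rule 2: stop at the first match. Rule 3: implicit deny at the end.

    Returns (action, 1-based line number), or ('deny', None) for the implicit deny.
    """
    for number, entry in enumerate(entries, start=1):
        if entry.matches(src_addr):
            return entry.action, number
    return "deny", None


def shadowed_lines(entries: List[AclEntry]) -> List[int]:
    """Line numbers that can never match because an earlier line already covers them."""
    result: List[int] = []
    for j, later in enumerate(entries):
        if any(earlier.covers(later) for earlier in entries[:j]):
            result.append(j + 1)
    return result


# Constructed sample ACL: block one host, allow the rest of its subnet and all of 10.0.0.0/8
SAMPLE_ACL = [
    "access-list 10 deny host 172.16.10.5",
    "access-list 10 permit 172.16.10.0 0.0.0.255",
    "access-list 10 permit 10.0.0.0 0.255.255.255",
]
# The same lines with the first two swapped: the deny can no longer be reached
MISORDERED_ACL = [SAMPLE_ACL[1], SAMPLE_ACL[0], SAMPLE_ACL[2]]

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for addr in ("172.16.10.5", "172.16.10.77", "10.9.8.7", "192.168.1.1"):
        print(addr, "->", evaluate(acl, addr))
    print("shadowed lines in misordered ACL:", shadowed_lines(parse_standard_acl(MISORDERED_ACL)))
```

The misordered list is the classic mistake: the subnet permit on line 1 matches 172.16.10.5 first, so the deny on line 2 is dead and the host you meant to block gets through. The shadowed_lines check catches that before the list is applied to an interface.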
There are two main types of access lists: