Here’s another lab from Dave Hucaby. As always, please try to do them yourself before looking at the possible answers below:

http://dhucaby.wordpress.com/2010/06/15/scenario-2-securing-a-trunk/

Dave’s original question:

Today’s scenario involves securing a trunk between two switches…

A user PC A is located on Switch A with the interface configuration shown in the diagram below. A different user PC X is located on Switch B, and that interface configuration is also shown. Switches A and B are connected by a trunk link on their GigabitEthernet1/0/49 interfaces. The same configuration commands that are shown below the link have been applied to both switches. Assume that neither switch A nor B has been configured for IP routing.

1. Given the interface configurations, is it possible for user PC A to send traffic from VLAN 100 onto VLAN 200, so that it reaches PC X? If so, what configuration command(s) make it possible?

2. What configuration commands should you enter into switches A and B to secure the trunk link and prevent any VLAN hopping? (Hint: There may be more than one way to secure the trunk link.)

And here’s my modified lab scenario:

This is a more straight forward lab scenario. Both switches were wiped out to default settings. This means that the switchport modes are all “dynamic desirable”. Upon connecting cross-over cables to the switches here’s the message that prompts up on each switch:

SW-3550-01:

*Mar  1 00:07:35.951: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar  1 00:07:36.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
*Mar  1 00:07:37.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up

SW-3550-02:

*Mar  1 00:07:38.743: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar  1 00:07:39.743: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
*Mar  1 00:07:40.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up

We will now configure the switchports according to the diagram with these commands:

int fa0/24
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
switchport mode trunk

I received a rejected command when entering “switchport mode trunk”. Here’s the rejection: (this occured on both switches)

switchport mode trunk
Command rejected: An interface whose trunk encapsulation is “Auto” can not be configured to “trunk” mode.

Ok, so to fix this issue, on both switches I entered the command “switchport trunk encapsulation dot1q”.

Upon entering this command, the interfaces came up.

*Mar  1 00:24:24.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
*Mar  1 00:24:27.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up

The “show interfaces trunk” command output on both switches (notice the subtle differences):

SW-3550-01
sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/24      on               802.1q         trunking      100

Port        Vlans allowed on trunk
Fa0/24      100,200

Port        Vlans allowed and active in management domain
Fa0/24      100

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      100

SW-3550-02
sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/24      on               802.1q         trunking      100

Port        Vlans allowed on trunk
Fa0/24      100,200

Port        Vlans allowed and active in management domain
Fa0/24      200

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      200

So what we have here is that SW-3550-01 is only allowing VLAN 100 through, and SW-3550-02 is only allowing VLAN 200 through.

Ok, so now the trunks are all set. Now we quickly configure the interfaces for the hosts. As Dave described:

SW-3550-01(config-if)#int fa0/1
SW-3550-01(config-if)#switchport access vlan 100
% Access VLAN does not exist. Creating vlan 100
SW-3550-01(config-if)#switchport mode access

SW-3550-02(config)#int fa0/1
SW-3550-02(config-if)#switchport mode access
SW-3550-02(config-if)#switchport access vlan 200
% Access VLAN does not exist. Creating vlan 200

Notice the comment the switches made about the VLAN not existing. This is another way to create a VLAN if it does not exist.

Now the true test. PING!!! Can PC A get to PC B and vice versa. Well below you can see the results of both PING tests.

RTR-2501#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)

RTR-1720#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)

Boo! It didn’t work! Why? And how can we make it work?

Thoughts?

Tags: 802.1Q, dave hucaby, dot1q, dynamic desirable, ping, switchport, trunking, vlan
Posted in CCNP, Certifications, Cisco, Labs, Networking