Scenario 9: Securing Access and Managing Traffic in a Switched Network


This scenario is designed to stir your thinking about how to control access to switched networks, how to control traffic within a VLAN, and how to monitor traffic.

1. Network administrators want to have tight control over hosts moving around within their network. A Catalyst 3750 needs to have port-level security enabled on all 48 of its FastEthernet access-layer ports. Only one host should be connected per port, so the default behavior of shutting down the port is acceptable. What commands are necessary to do this?

2. Port-level security is desired on a Catalyst 3750 interface FastEthernet 1/0/18, where 24 users are connected through an Ethernet hub. Rather than have the switch port shut down upon a security violation, network administrators want only the hosts in violation to be rejected. What command can accomplish this?
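As an added illustration for questions 1 and 2 (this is not the book's answer key), the following Catalyst 3750 IOS configuration shows the two port-security variants side by side. The errdisable recovery lines and the 300-second interval are an assumed convenience, not something the scenario asks for.

```cisco
! Question 1: one host per access port; the default violation action
! (shutdown, which err-disables the port) is acceptable here.
! "maximum 1" and "violation shutdown" are the defaults, shown explicitly.
Switch(config)# interface range fastethernet 1/0/1 - 48
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# switchport port-security maximum 1
Switch(config-if-range)# switchport port-security violation shutdown
Switch(config-if-range)# exit
!
! Question 2: a hub with 24 users on Fa1/0/18. "restrict" keeps the port
! up, drops frames from any MAC beyond the 24th learned address, counts the
! violation and logs it. "protect" would drop silently without logging.
Switch(config)# interface fastethernet 1/0/18
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 24
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# exit
!
! Assumed extra: let ports shut down by a violation recover after 5 minutes
! instead of waiting for a manual shutdown / no shutdown.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
!
! Verification: violation count, learned addresses and current port status
Switch# show port-security interface fastethernet 1/0/18
Switch# show port-security address
```

Port security can only be enabled on a port that is statically in access (or trunk) mode, which is why `switchport mode access` precedes it; a port left in dynamic (DTP) mode rejects the command. The violation counter shown by `show port-security interface` is the quickest way to see whether a hub port is seeing more hosts than expected.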

3. Configure a VLAN access control list that can perform packet filtering within a VLAN. Users in the 192.168.191.0 255.255.255.0 network should be allowed to use only HTTP (www) traffic to the web server 192.168.191.199/24, on VLAN 180. How can you configure the VACL to accomplish this?
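An added worked configuration for question 3 (not the book's answer). It goes slightly beyond the literal question in two places a practitioner would otherwise trip over: a VACL is stateless and sees every frame bridged inside the VLAN, so the server's replies need their own entry, and a catch-all drop also discards non-IP frames such as ARP unless they are permitted first. The ACL and access-map names are assumed.

```cisco
! IP traffic to permit: client -> server HTTP, and the server's replies.
! The return direction must be listed because the map is stateless.
Switch(config)# ip access-list extended WEB-TO-SERVER
Switch(config-ext-nacl)# permit tcp 192.168.191.0 0.0.0.255 host 192.168.191.199 eq www
Switch(config-ext-nacl)# permit tcp host 192.168.191.199 eq www 192.168.191.0 0.0.0.255
Switch(config-ext-nacl)# exit
!
! ARP is not IP (EtherType 0x0806); without this entry the final drop
! would break address resolution for everyone in VLAN 180.
Switch(config)# mac access-list extended ARP-ONLY
Switch(config-ext-macl)# permit any any 0x806 0x0
Switch(config-ext-macl)# exit
!
! VLAN access map: forward what matches, drop everything else.
Switch(config)# vlan access-map VLAN180-FILTER 10
Switch(config-access-map)# match ip address WEB-TO-SERVER
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map VLAN180-FILTER 20
Switch(config-access-map)# match mac address ARP-ONLY
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map VLAN180-FILTER 30
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
!
! Apply the map to VLAN 180 only.
Switch(config)# vlan filter VLAN180-FILTER vlan-list 180
!
! Verification
Switch# show vlan access-map VLAN180-FILTER
Switch# show vlan filter
```

Because sequence 30 drops anything the earlier sequences did not forward, services the users may rely on inside VLAN 180 (DHCP, DNS) are also blocked; if those live in the same VLAN, add the corresponding entries to WEB-TO-SERVER rather than loosening the final drop.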

4. An access-layer switch has ports FastEthernet 1/0/1 through 1/0/48 connected to end-user PCs. Is it possible for a user to make one of these ports come up in trunking mode? If so, what commands should you enter to prevent unexpected trunk negotiation?

5. Suppose that a switch has a trunk link GigabitEthernet 1/0/1 configured with the following commands:

Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 100
Switch(config-if)# switchport trunk allowed vlan 100-300
Switch(config-if)# switchport mode trunk

VLANs 100, 200, and 300 all are used for user traffic. What, if anything, should be done to the trunk configuration to prevent a VLAN hopping attack from occurring?
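An added configuration covering questions 4 and 5 together (illustrative, not the book's answer key). The hardening idea in both cases is the same: take DTP and the native VLAN out of the hands of whatever is plugged into a port. VLAN 999 and its name are assumed choices for an otherwise unused VLAN; `vlan dot1q tag native` is a global command whose availability depends on the platform and IOS release.

```cisco
! Question 4: user ports must never negotiate a trunk. "mode access" pins
! the port and "nonegotiate" stops the switch from sending DTP frames at all.
Switch(config)# interface range fastethernet 1/0/1 - 48
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# exit
!
! Question 5: the native VLAN (100) carries user traffic, which is what
! makes double-tagging possible. Move the native VLAN to one that carries
! nothing and is not even in the allowed list, so untagged frames arriving
! on the trunk have no user VLAN to land in.
Switch(config)# vlan 999
Switch(config-vlan)# name UNUSED-NATIVE
Switch(config-vlan)# exit
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport trunk allowed vlan 100-300
Switch(config-if)# switchport nonegotiate
Switch(config-if)# exit
!
! Where supported, also tag native-VLAN frames so nothing on the trunk is
! ever untagged.
Switch(config)# vlan dot1q tag native
!
! Verification
Switch# show interfaces gigabitethernet 1/0/1 trunk
Switch# show interfaces fastethernet 1/0/1 switchport
```

In the `show interfaces ... switchport` output, an access port is correctly hardened when "Administrative Mode" reads static access and "Negotiation of Trunking" reads Off; the trunk's "Trunking Native Mode VLAN" should show 999 on both ends, since a native VLAN mismatch is itself reported by CDP and bridges the two VLANs.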

6. A Catalyst switch has users connected to ports FastEthernet 1/0/1 through 1/0/30. These users are associated with VLAN 50. Two production DHCP servers are connected to ports FastEthernet 1/0/40 and 1/0/41. What commands should be entered to enable DHCP snooping so that DHCP spoofing attacks can be detected and prevented?
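An added illustration for question 6 (not the book's answer). Beyond the trust settings the question asks about, it adds a per-port rate limit on the user ports and the matching errdisable recovery cause; the rate of 10 packets per second is an assumed value.

```cisco
! Enable snooping globally and on the user VLAN. Until the VLAN line is
! added, the global command alone filters nothing.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 50
!
! Only the two production servers may originate server messages
! (OFFER/ACK). DHCP server replies seen on any untrusted port are dropped.
Switch(config)# interface range fastethernet 1/0/40 - 41
Switch(config-if-range)# ip dhcp snooping trust
Switch(config-if-range)# exit
!
! User ports stay untrusted (the default). The rate limit caps client
! DISCOVER/REQUEST traffic; exceeding it err-disables the port, which
! blunts address-pool starvation from a single port.
Switch(config)# interface range fastethernet 1/0/1 - 30
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 50
Switch(config-if-range)# ip dhcp snooping limit rate 10
Switch(config-if-range)# exit
!
! Let a port err-disabled by the rate limit recover on its own.
Switch(config)# errdisable recovery cause dhcp-rate-limit
!
! Snooping inserts option 82 by default. If the servers reject requests
! that carry option 82 with a zero giaddr, turn insertion off:
! Switch(config)# no ip dhcp snooping information option
!
! Verification: trusted ports, rate limits, and the binding table that
! Dynamic ARP Inspection and IP Source Guard can build on later.
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```

The binding table populated by `show ip dhcp snooping binding` is the real payoff: each entry ties a MAC address, IP address, VLAN and port together from an observed lease, which is what lets the switch later judge whether an ARP reply or IP source address on a user port is legitimate.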

7. Assume that a server is connected to interface GigabitEthernet 3/3 on a Catalyst 6500. What command can be used to monitor traffic transmitted and received on the server port with a network analyzer connected to interface GigabitEthernet 5/8 on the same switch?

8. Suppose that the only network analyzer available has a 10/100 Ethernet NIC. It is connected to Catalyst 6500 interface FastEthernet 2/1, to monitor the server on GigabitEthernet 3/3. Explain any problems you might encounter with this setup.
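An added local SPAN example for questions 7 and 8 (illustrative, not the book's answer key). The session numbers are assumed.

```cisco
! Question 7: mirror both directions of the server port to the analyzer.
! "both" is the default direction, shown explicitly for clarity.
Switch(config)# monitor session 1 source interface gigabitethernet 3/3 both
Switch(config)# monitor session 1 destination interface gigabitethernet 5/8
!
! Verification: source, direction and destination of the session
Switch# show monitor session 1
!
! Question 8: the same session with a 10/100 analyzer on Fa2/1 is accepted
! by the switch, but a GigabitEthernet source can generate up to 1 Gb/s in
! each direction, so up to 2 Gb/s of mirrored frames are offered to a
! 100 Mb/s destination. The switch drops whatever the destination cannot
! carry, so the capture silently loses packets under load; production
! traffic on Gi3/3 is not affected by the drops.
Switch(config)# no monitor session 1
! Capturing one direction at a time at least halves the offered load.
Switch(config)# monitor session 2 source interface gigabitethernet 3/3 rx
Switch(config)# monitor session 2 destination interface fastethernet 2/1
```

When the capture must be complete rather than sampled, the destination port has to be at least as fast as the sum of the mirrored directions; for a busy gigabit server that means a gigabit analyzer port as in question 7, or a capture appliance that can accept the full rate.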



CCNP Self-Study: CCNP BCMSN Exam Certification Guide
Year: 2003