
Wednesday, March 5, 2014

Layer 2 Security

SW-1

!----Task 1: Configure Root Bridge
!--Step 3. Assign SW-1 as a secondary root bridge.
!
enable
ciscoenpa55
configure terminal
!
spanning-tree vlan 1 root secondary
!
!----Task 2: Protect Against STP Attacks
!--Step 3. Enable root guard.
!
interface fa0/23
spanning-tree guard root
interface fa0/24
spanning-tree guard root
!
!----Task 3: Enable Storm Control
!--Step 1. Enable storm control for broadcasts.
!
interface gi1/1
storm-control broadcast level 50
interface fa0/1
storm-control broadcast level 50
interface fa0/23
storm-control broadcast level 50
interface fa0/24
storm-control broadcast level 50
!

--------------------------------------------------------------------------------------------------------------------------------------

SW-2

!----Task 2: Protect Against STP Attacks
!--Step 3. Enable root guard.
!
!
enable
ciscoenpa55
configure terminal
!
interface fa0/23
spanning-tree guard root
interface fa0/24
spanning-tree guard root
!
!----Task 3: Enable Storm Control
!--Step 1. Enable storm control for broadcasts.
!
interface gi1/1
storm-control broadcast level 50
interface fa0/1
storm-control broadcast level 50
interface fa0/23
storm-control broadcast level 50
interface fa0/24
storm-control broadcast level 50
!

--------------------------------------------------------------------------------------------------------------------------------------

SW-A

!----Task 2: Protect Against STP Attacks
!--Step 1. Enable PortFast on all access ports.
!
!
enable
ciscoenpa55
configure terminal
!
interface range fastethernet 0/1 - 4
spanning-tree portfast
!
!--Step 2. Enable BPDU guard on all access ports.
!
interface range fastethernet 0/1 - 4
spanning-tree bpduguard enable
!
!----Task 4: Configure Port Security and Disable Unused Ports
!--Step 1. Configure basic port security on all ports connected to host devices.
!
interface range fastEthernet 0/1 - 4
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
!
!Why would you not want to enable port-security on ports connected to other switches or routers?
!Ports connected to other switch devices and routers can, and should, have a multitude of MAC addresses
!learned for that single port. Limiting the number of MAC addresses that can be learned on these ports can
!significantly impact network functionality.
!
!--Step 3. Disable unused ports.
!
interface range fastEthernet 0/5 - 22 , gigabitEthernet 1/1 - 2
shutdown
!


--------------------------------------------------------------------------------------------------------------------------------------
SW-B

!----Task 2: Protect Against STP Attacks
!--Step 1. Enable PortFast on all access ports.
!
!
enable
ciscoenpa55
configure terminal
!
interface range fastethernet 0/1 - 4
spanning-tree portfast
!
!--Step 2. Enable BPDU guard on all access ports.
!
interface range fastethernet 0/1 - 4
spanning-tree bpduguard enable
!
!----Task 4: Configure Port Security and Disable Unused Ports
!--Step 1. Configure basic port security on all ports connected to host devices.
!
interface range fastEthernet 0/1 - 4
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
!
!Why would you not want to enable port-security on ports connected to other switches or routers?
!Ports connected to other switch devices and routers can, and should, have a multitude of MAC addresses
!learned for that single port. Limiting the number of MAC addresses that can be learned on these ports can
!significantly impact network functionality.
!
!--Step 3. Disable unused ports.
!
interface range fastEthernet 0/5 - 22 , gigabitEthernet 1/1 - 2
shutdown
!

--------------------------------------------------------------------------------------------------------------------------------------

CENTRAL

!----Task 1: Configure Root Bridge
!--Step 1. Determine the current root bridge.
!
!Which switch is the current root-bridge?
!SW-1
!
!--Step 2. Assign Central as the primary root bridge.
!
enable
ciscoenpa55
configure terminal
!
spanning-tree vlan 1 root primary
!
!--Step 4. Verify the spanning-tree configuration.
!
!Which switch is the current root-bridge?
!Central
!
!----Task 3: Enable Storm Control
!--Step 1. Enable storm control for broadcasts.
!
interface gi0/1
storm-control broadcast level 50
interface gi0/2
storm-control broadcast level 50
interface fa0/1
storm-control broadcast level 50
!
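The configurations above apply the same hardening pattern on every switch: PortFast, BPDU guard and port security on host-facing access ports, root guard (and storm control) on inter-switch links, and a shutdown on every unused port. Checking that pattern by eye across several switches is error-prone, so the following added example (not part of the lab, and not Cisco's code) audits a config in the same config-mode form used above and reports any port that deviates from its role. The policy table, the port-role inventory and the sample configuration are constructed assumptions; the sample deliberately leaves BPDU guard off one access port, leaves one unused port up, and puts port security on an uplink, which is exactly what the lab's own answer says not to do.

```python
"""Audit a Cisco IOS switch configuration against the Layer 2 hardening used
in the lab above. Added example, not part of the lab; the policy, the sample
configuration and the port-role inventory are constructed for illustration."""
import re

_TYPE_ALIASES = {"fastethernet": "fa", "fa": "fa", "gigabitethernet": "gi", "gi": "gi"}

# Policy (an assumption mirroring the lab's commands): what each port role
# must carry, and what it must not carry.
MAX_MACS = 2
REQUIRED = {
    "access": {"switchport mode access", "switchport port-security",
               "switchport port-security violation shutdown",
               "spanning-tree portfast", "spanning-tree bpduguard enable"},
    "uplink": {"spanning-tree guard root", "storm-control broadcast level 50"},
    "unused": {"shutdown"},
}
# Port security, PortFast and BPDU guard do not belong on links to other
# switches or routers (see the lab's own answer above).
FORBIDDEN = {"uplink": {"switchport port-security", "spanning-tree portfast",
                        "spanning-tree bpduguard enable"}}


def canon(name):
    """'fastEthernet 0/1', 'FastEthernet0/1' and 'fa0/1' all become 'fa0/1'."""
    m = re.match(r"\s*([A-Za-z]+)\s*(\d+/\d+)\s*$", name)
    if not m or m.group(1).lower() not in _TYPE_ALIASES:
        raise ValueError(f"unrecognised interface name: {name!r}")
    return _TYPE_ALIASES[m.group(1).lower()] + m.group(2)


def expand_range(spec):
    """Expand an 'interface range' argument as typed in the lab, e.g.
    'fastEthernet 0/5 - 22 , gigabitEthernet 1/1 - 2' -> ['fa0/5', ..., 'gi1/2']."""
    names = []
    for part in spec.split(","):
        m = re.match(r"\s*([A-Za-z]+)\s*(\d+)/(\d+)\s*(?:-\s*(\d+))?\s*$", part)
        if not m:
            raise ValueError(f"unrecognised range element: {part!r}")
        typ, slot, lo = m.group(1), m.group(2), int(m.group(3))
        hi = int(m.group(4)) if m.group(4) else lo
        names += [canon(f"{typ}{slot}/{n}") for n in range(lo, hi + 1)]
    return names


def parse_config(text):
    """Return {interface: set(lower-cased commands)} from config-mode input:
    global commands, 'interface' / 'interface range' sections, '!' separators.
    A '!' line (or comment) ends the current interface section, as in a
    running-config, so global commands are never credited to a port."""
    ifaces, current = {}, []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace
        if not line or line.startswith("!"):
            current = []
            continue
        low = line.lower()
        if low.startswith("interface range "):
            current = expand_range(line[len("interface range "):])
        elif low.startswith("interface "):
            current = [canon(line[len("interface "):])]
        else:
            for iface in current:  # empty while at global config level
                ifaces[iface].add(low)
            continue
        for iface in current:
            ifaces.setdefault(iface, set())
    return ifaces


def audit(config_text, roles):
    """Compare every inventoried port with the policy for its role and return a
    sorted list of findings; an empty list means the config is compliant."""
    ifaces = parse_config(config_text)
    findings = []
    for iface, role in roles.items():
        cmds = ifaces.get(iface, set())  # a port absent from the config has nothing set
        for cmd in sorted(REQUIRED.get(role, set()) - cmds):
            findings.append(f"{iface}: missing '{cmd}'")
        for cmd in sorted(FORBIDDEN.get(role, set()) & cmds):
            findings.append(f"{iface}: should not have '{cmd}'")
        for cmd in cmds:
            m = re.match(r"switchport port-security maximum (\d+)$", cmd)
            if m and int(m.group(1)) > MAX_MACS:
                findings.append(f"{iface}: port-security maximum {m.group(1)} exceeds {MAX_MACS}")
    return sorted(findings)


# Constructed sample: an SW-A style access switch with three deliberate gaps
# (fa0/3 lacks BPDU guard, fa0/5 is left up, fa0/24 has port security).
SAMPLE_CONFIG = """\
spanning-tree vlan 1 root secondary
!
interface range fastEthernet 0/1 - 4
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface range fastEthernet 0/1 - 2 , fastEthernet 0/4
 spanning-tree bpduguard enable
!
interface range fastEthernet 0/23 - 24
 spanning-tree guard root
 storm-control broadcast level 50
!
interface fa0/24
 switchport port-security
!
interface range fastEthernet 0/6 - 22 , gigabitEthernet 1/1 - 2
 shutdown
"""
# Constructed port-role inventory (an assumption: in practice this comes from
# the cabling records or a CMDB, never from the switch itself).
SAMPLE_ROLES = {f"fa0/{n}": "access" for n in range(1, 5)}
SAMPLE_ROLES.update({f"fa0/{n}": "unused" for n in range(5, 23)})
SAMPLE_ROLES.update({"fa0/23": "uplink", "fa0/24": "uplink",
                     "gi1/1": "unused", "gi1/2": "unused"})

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_ROLES):
        print(finding)
```

The role inventory is the important input: the switch cannot tell an access port from an uplink, so the script takes that mapping from outside and then treats a port that is simply missing from the config as having nothing configured, which is how an unused-but-open port shows up as a finding.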
