LAB REPORT: CISCO PACKET TRACER 11.6.2 - Switch Security Configuration
NAME : PUPUT ANGGRAENI
CLASS : XI TJKT B
What is Cisco Packet Tracer
Packet Tracer is a simulator of Cisco networking devices that is widely used as a teaching and training tool, and also in computer network simulation research. The program is made by Cisco Systems and is provided free of charge to faculty, students and alumni who have participated in the Cisco Networking Academy. The main purpose of Packet Tracer is to give students and instructors a tool for understanding the principles of computer networking and for building skills with Cisco networking devices.
Objectives
Part 1: Configure the Network Devices.
Cable the network.
Configure R1.
Configure and verify basic switch settings.
Part 2: Configure VLANs on the Switches.
Configure VLAN 10.
Configure the SVI for VLAN 10.
Configure VLAN 333 with the name Native on S1 and S2.
Configure VLAN 999 with the name ParkingLot on S1 and S2.
Part 3: Configure Switch Security.
Implement 802.1Q trunking.
Configure access ports.
Secure and disable unused switchports.
Document and implement port security features.
Implement DHCP snooping security.
Implement PortFast and BPDU guard.
Verify end-to-end connectivity.
Required Resources
1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.3 universal image or comparable)
2 Switches (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
2 PCs (Windows with a terminal emulation program, such as Tera Term)
Console cables to configure the Cisco IOS devices via the console ports
Ethernet cables as shown in the topology
Instructions
Part 1: Configure the Network Devices.
Step 1: Cable the network.
Step 2: Configure R1.
Commands:
enable
configure terminal
hostname R1
no ip domain lookup
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.10.201 192.168.10.202
!
ip dhcp pool Students
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
domain-name CCNA2.Lab-11.6.1
!
interface Loopback0
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/0/1
description Link to S1 Port 5
ip dhcp relay information trusted
ip address 192.168.10.1 255.255.255.0
no shutdown
!
line con 0
logging synchronous
exec-timeout 0 0
R1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES unset down down
GigabitEthernet0/0/1 192.168.10.1 YES manual up up
Loopback0 10.10.1.1 YES manual up up
Step 3: Configure and verify basic switch settings.
S1
Commands:
Switch# config t
Switch(config)# hostname S1
S1(config)# no ip domain-lookup
S1(config)# interface f0/1
S1(config-if)# description Link to S2
S1(config-if)# interface f0/5
S1(config-if)# description Link to R1
S1(config-if)# interface f0/6
S1(config-if)# description Link to PC-A
S1(config)# ip default-gateway 192.168.10.1
S2
Commands:
Switch# config t
Switch(config)# hostname S2
S2(config)# no ip domain-lookup
S2(config)# interface f0/1
S2(config-if)# description Link to S1
S2(config-if)# interface f0/18
S2(config-if)# description Link to PC-B
S2(config)# ip default-gateway 192.168.10.1
Part 2: Configure VLANs on the Switches.
Step 1: Configure VLAN 10.
S1
S1(config)# vlan 10
S1(config-vlan)# name Management
S2
S2(config)# vlan 10
S2(config-vlan)# name Management
Step 2: Configure the SVI for VLAN 10.
S1
Commands:
S1(config)# interface vlan 10
S1(config-if)# ip address 192.168.10.201 255.255.255.0
S1(config-if)# description Management SVI
S1(config-if)# no shutdown
S2
S2(config)# interface vlan 10
S2(config-if)# ip address 192.168.10.202 255.255.255.0
S2(config-if)# description Management SVI
S2(config-if)# no shutdown
Step 3: Configure VLAN 333 with the name Native on S1 and S2.
Commands:
S1
S1(config)# vlan 333
S1(config-vlan)# name Native
S2
S2(config)# vlan 333
S2(config-vlan)# name Native
Step 4: Configure VLAN 999 with the name ParkingLot on S1 and S2.
Commands:
S1
S1(config-vlan)# vlan 999
S1(config-vlan)# name ParkingLot
S2
S2(config-vlan)# vlan 999
S2(config-vlan)# name ParkingLot
Part 3: Configure Switch Security.
Step 1: Implement 802.1Q trunking.
Commands:
S1
S1(config)# interface f0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 333
S1# show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 333
Port Vlans allowed on trunk
Fa0/1 1-4094
Port Vlans allowed and active in management domain
Fa0/1 1,10,333,999
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,10,333,999
S1(config)# interface f0/1
S1(config-if)# switchport nonegotiate
S1# show interfaces f0/1 switchport | include Negotiation
Negotiation of Trunking: Off
S2
S2(config)# interface f0/1
S2(config-if)# switchport mode trunk
S2(config-if)# switchport trunk native vlan 333
S2# show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 333
Port Vlans allowed on trunk
Fa0/1 1-4094
Port Vlans allowed and active in management domain
Fa0/1 1,10,333,999
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,10,333,999
S2(config)# interface f0/1
S2(config-if)# switchport nonegotiate
S2# show interfaces f0/1 switchport | include Negotiation
Negotiation of Trunking: Off
Step 2: Configure access ports.
Commands:
S1
S1(config)# interface range f0/5-6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S2
S2(config)# interface f0/18
S2(config-if)# switchport mode access
S2(config-if)# switchport access vlan 10
Step 3: Secure and disable unused switchports.
Commands:
S1
S1(config)# interface range f0/2-4 , f0/7-24, g0/1-2
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# shutdown
S1# show interfaces status
Port Name Status Vlan Duplex Speed Type
Fa0/1 Link to S2 connected trunk a-full a-100 10/100BaseTX
Fa0/2 disabled 999 auto auto 10/100BaseTX
Fa0/3 disabled 999 auto auto 10/100BaseTX
Fa0/4 disabled 999 auto auto 10/100BaseTX
Fa0/5 Link to R1 connected 10 a-full a-100 10/100BaseTX
Fa0/6 Link to PC-A connected 10 a-full a-100 10/100BaseTX
Fa0/7 disabled 999 auto auto 10/100BaseTX
Fa0/8 disabled 999 auto auto 10/100BaseTX
Fa0/9 disabled 999 auto auto 10/100BaseTX
Fa0/10 disabled 999 auto auto 10/100BaseTX
<output omitted>
S2
S2(config)# interface range f0/2-17 , f0/19-24, g0/1-2
S2(config-if-range)# switchport mode access
S2(config-if-range)# switchport access vlan 999
S2(config-if-range)# shutdown
S2# show interfaces status
Port Name Status Vlan Duplex Speed Type
Fa0/1 Link to S1 connected trunk a-full a-100 10/100BaseTX
Fa0/2 disabled 999 auto auto 10/100BaseTX
Fa0/3 disabled 999 auto auto 10/100BaseTX
<output omitted>
Fa0/14 disabled 999 auto auto 10/100BaseTX
Fa0/15 disabled 999 auto auto 10/100BaseTX
Fa0/16 disabled 999 auto auto 10/100BaseTX
Fa0/17 disabled 999 auto auto 10/100BaseTX
Fa0/18 Link to PC-B connected 10 a-full a-100 10/100BaseTX
Fa0/19 disabled 999 auto auto 10/100BaseTX
Fa0/20 disabled 999 auto auto 10/100BaseTX
Fa0/21 disabled 999 auto auto 10/100BaseTX
Fa0/22 disabled 999 auto auto 10/100BaseTX
Fa0/23 disabled 999 auto auto 10/100BaseTX
Fa0/24 disabled 999 auto auto 10/100BaseTX
Gi0/1 disabled 999 auto auto 10/100/1000BaseTX
Gi0/2 disabled 999 auto auto 10/100/1000BaseTX
Step 4: Document and implement port security features.
Commands:
S1
S1# show port-security interface f0/6
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
S1(config)# interface f0/6
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 3
S1(config-if)# switchport port-security violation restrict
S1(config-if)# switchport port-security aging time 60
S1(config-if)# switchport port-security aging type inactivity
S1# show port-security interface f0/6
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 60 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0022.5646.3411:10
Security Violation Count : 0
S1# show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
10 0022.5646.3411 SecureDynamic Fa0/6 60 (I)
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
Commands:
S2
S2(config)# interface f0/18
S2(config-if)# switchport port-security
S2(config-if)# switchport port-security mac-address sticky
S2(config)# interface f0/18
S2(config-if)# switchport port-security aging time 60
S2(config-if)# switchport port-security maximum 2
S2(config-if)# switchport port-security violation protect
S2# show port-security interface f0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 60 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0022.5646.3413:10
Security Violation Count : 0
S2# show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
10 0022.5646.3413 SecureSticky Fa0/18 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
Step 5: Implement DHCP snooping security.
Commands:
S2
S2(config)# ip dhcp snooping
S2(config)# ip dhcp snooping vlan 10
S2(config)# interface f0/1
S2(config-if)# ip dhcp snooping trust
S2(config-if)# interface f0/18
S2(config-if)# ip dhcp snooping limit rate 5
S2# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 0cd9.96d2.3f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
FastEthernet0/1 yes yes unlimited
Custom circuit-ids:
FastEthernet0/18 no no 5
Custom circuit-ids:
C:\Users\Student> ipconfig /release
C:\Users\Student> ipconfig /renew
S2# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:50:56:90:D0:8E 192.168.10.11 86213 dhcp-snooping 10 FastEthernet0/18
Total number of bindings: 1
Step 6: Implement PortFast and BPDU guard.
Commands:
S1
S1(config)# interface range f0/5-6
S1(config-if)# spanning-tree portfast
S1(config)# interface f0/6
S1(config-if)# spanning-tree bpduguard enable
S1# show spanning-tree interface f0/6 detail
Port 8 (FastEthernet0/6) of VLAN0010 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.6.
<output omitted for brevity>
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled
BPDU: sent 128, received 0
S2
S2(config)# interface f0/18
S2(config-if)# spanning-tree portfast
S2(config)# interface f0/18
S2(config-if)# spanning-tree bpduguard enable
Switch S1
S1# show running-config
Building configuration...
Current configuration : 5203 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S1
!
no ip domain-lookup
!
spanning-tree mode pvst
!
vlan 10
name Management
!
vlan 333
name Native
!
vlan 999
name ParkingLot
!
interface FastEthernet0/1
description Link to S2
switchport trunk encapsulation dot1q
switchport trunk native vlan 333
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/2
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/3
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/4
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/5
description Link to R1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
description Link to PC-A
switchport access vlan 10
switchport mode access
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 60
switchport port-security aging type inactivity
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/7
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/8
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/9
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/10
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/11
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/12
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/13
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/14
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/15
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/16
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/17
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/18
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/19
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/20
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/21
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/22
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/23
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/24
switchport access vlan 999
switchport mode access
shutdown
!
interface GigabitEthernet0/1
switchport access vlan 999
switchport mode access
shutdown
!
interface GigabitEthernet0/2
switchport access vlan 999
switchport mode access
shutdown
!
interface Vlan1
no ip address
!
interface Vlan10
description Management SVI
ip address 192.168.10.201 255.255.255.0
!
ip default-gateway 192.168.10.1
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
!
end
Switch S2
S2# show running-config
Building configuration...
Current configuration : 5303 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S2
!
ip dhcp snooping vlan 10
ip dhcp snooping
no ip domain-lookup
!
spanning-tree mode pvst
!
vlan 10
name Students
!
vlan 333
name Native
!
vlan 999
name ParkingLot
!
interface FastEthernet0/1
description Link to S1
switchport trunk native vlan 333
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
!
interface FastEthernet0/2
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/3
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/4
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/5
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/6
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/7
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/8
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/9
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/10
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/11
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/12
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/13
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/14
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/15
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/16
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/17
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/18
description Link to PC-B
switchport access vlan 10
switchport mode access
switchport port-security maximum 2
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging time 60
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 5
!
interface FastEthernet0/19
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/20
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/21
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/22
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/23
switchport access vlan 999
switchport mode access
shutdown
!
interface FastEthernet0/24
switchport access vlan 999
switchport mode access
shutdown
!
interface GigabitEthernet0/1
switchport access vlan 999
switchport mode access
shutdown
!
interface GigabitEthernet0/2
switchport access vlan 999
switchport mode access
shutdown
!
interface Vlan1
no ip address
!
interface Vlan10
description Management SVI
ip address 192.168.10.202 255.255.255.0
!
ip default-gateway 192.168.10.1
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
!
end
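An added example, not part of the original report: a small Python audit that parses an IOS running-config and checks the Part 3 hardening steps (trunk native VLAN and DTP, parked unused ports, port security, BPDU guard, DHCP snooping trust). The sample config, the rule table and the function names are assumptions constructed for illustration.

```python
import re
# Constructed sample in the style of the S2 running-config above. Fa0/19 and
# Fa0/20 are deliberately weak ports; the rule names below are hypothetical.
SAMPLE = """\
ip dhcp snooping
!
interface FastEthernet0/1
 switchport trunk native vlan 333
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
interface FastEthernet0/18
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
!
interface FastEthernet0/19
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/20
 shutdown
!
"""
ACTIVE_ACCESS = {"switchport mode access": "mode not forced to access",
                 "switchport port-security": "no port-security",
                 "spanning-tree bpduguard enable": "no BPDU guard"}
NATIVE = re.compile(r"switchport trunk native vlan (?!1$)\d+")

def parse_ports(config):
    """Map each physical interface to its set of sub-commands (SVIs skipped)."""
    ports, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = None if m[1].lower().startswith("vlan") else ports.setdefault(m[1], set())
        elif line in ("", "!"):  # "!" closes the interface stanza
            cur = None
        elif cur is not None:
            cur.add(line)
    return ports

def audit(config, parking_vlan="999"):
    """Return sorted (port, finding) pairs for the hardening steps in this lab."""
    findings = []
    for port, cmds in parse_ports(config).items():
        if "switchport mode trunk" in cmds:
            checks = {"DTP negotiation still on": "switchport nonegotiate" in cmds,
                      "native VLAN left at 1": any(map(NATIVE.fullmatch, cmds))}
        elif "shutdown" in cmds:
            checks = {"not in parking VLAN": f"switchport access vlan {parking_vlan}" in cmds}
        else:
            checks = {why: cmd in cmds for cmd, why in ACTIVE_ACCESS.items()}
            checks["DHCP snooping trust on access port"] = "ip dhcp snooping trust" not in cmds
        findings += [(port, why) for why, ok in checks.items() if not ok]
    if not re.search(r"^ip dhcp snooping$", config, re.M):
        findings.append(("global", "DHCP snooping disabled"))
    return sorted(findings)
```

Run against the S2 running-config above, audit() returns no findings. Run against S1, it flags Fa0/5 (Link to R1), which the lab leaves with PortFast only, and the absence of global DHCP snooping on that switch.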
VIDEO LINKS
PART 1 : https://drive.google.com/file/d/1qu4W0DzMJDjzpK9vAF1Fnm8dmbHvc_8C/view?usp=sharing
PART 2 : https://drive.google.com/file/d/17KkRPotUfiN87oBBr7_8qKYDvLaEoVS5/view?usp=sharing
