CCNA Security Lab: Securing Layer 2 Switches Packet tracer issue

sinergycena
Level 1

I am working with this laboratory

https://ccnasec.com/6-3-1-1-lab-securing-layer-2-switches-instructor-version.html

in Packet Tracer, but there is a part where the procedure hangs because it doesn't work. Below I show the running config of R1, SW1 and SW2.

Running config R1

Building configuration...

Current configuration : 1227 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.4
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool CCNAS
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool 20Users
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX15243825-
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/1.99
 encapsulation dot1Q 99
 ip address 192.168.99.1 255.255.255.0
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Running config S1

version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW1
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1 priority 0
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 switchport trunk native vlan 99
 switchport mode trunk
 switchport port-security
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
!
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
!
!
end

Running config S2

Current configuration : 1543 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW2
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 spanning-tree guard root
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
!
!
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
!
!
end

My problem is in the following step:

Step 8: Move active ports to a VLAN other than the default VLAN 1.

Add the current active access (non-trunk) ports to the new VLAN.

S1(config)# interface f0/6
S1(config-if-range)# switchport access vlan 20

S2(config)# interface f0/18
S2(config-if)# switchport access vlan 20

At this point there is no communication between R1 > SW1 > SW2 > PCA > PCB.

And the next step:

Part 4: Configure DHCP Snooping

DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. It enables only authorized DHCP servers to respond to DHCP requests and distribute network information to clients.

Task 1: Set Up DHCP

Step 1: Set up DHCP on R1 for VLAN 1.
R1(config)# ip dhcp pool CCNAS
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1 
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.4
Step 2: Set up DHCP on R1 for VLAN 20.
R1(config)# ip dhcp pool 20Users
R1(dhcp-config)# network 192.168.20.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.20.1 
R1(config)# ip dhcp excluded-address 192.168.20.1

Task 2: Configure Inter-VLAN Communication

Step 1: Configure subinterfaces on R1.
R1(config)# interface g0/1
R1(config-if)# shutdown
R1(config-if)# no ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# int g0/1.1
R1(config-if)# encapsulation dot1q 1
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# int g0/1.20
R1(config-if)# encapsulation dot1q 20
R1(config-if)# ip address 192.168.20.1 255.255.255.0
R1(config-if)# int g0/1.99 
R1(config-if)# encapsulation dot1q 99
R1(config-if)# ip address 192.168.99.1 255.255.255.0

Step 2: Configure S1 interface f0/5 as a trunk port.

S1(config)# int f0/5
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99

When doing this procedure in step 4, the F0/5 interface turns off, and when trying to turn it on again it only stays on for 30 seconds and then turns off again.

Note: I have not yet applied the security part (ip ssh), so that I can work without using usernames and passwords.

Can you help me understand what I am doing wrong?

I have done the whole procedure several times and connectivity is lost; I cannot restore it.

The PKT file is attached if you want to download it.

2 Replies

Martin L
VIP

If you have done the whole procedure several times, then likely PT is at fault. I am surprised PT can do DHCP snooping at all. I remember I had issues with snooping in my CCIE lab until the right version of IOS was used. So far I have 2 issues:

1. I do not see "ip dhcp snooping trust" on switch ports.

2. I can see you use IOS 12, but not 15, for switches; I think PT comes with IOS 15 for switches. Find it and try it using switch IOS 15.

You could try this on CML (free via SandBox), although I am not sure if their version of L2-iosv supports snooping as well.

Let us know how it goes; I don't have access to the PT software atm.

Regards, ML
**Please Rate All Helpful Responses**

I found the issue: port security on f0/5 was enabled... Thanks anyway for the answer :)
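The three checks this thread ends up needing (port-security left on a trunk, which is the f0/5 err-disable cause found above; trunks not marked `ip dhcp snooping trust` once DHCP snooping is on, as raised in the reply; and access ports without BPDU guard) can be run mechanically against a pasted running-config. The following Python script is an added example, not code from the original post, the lab or Cisco; the embedded sample is a constructed, trimmed copy of the SW1 config from the thread with global DHCP snooping added so the trust check fires, and the finding texts are this example's own wording.

```python
"""Audit a Cisco IOS-style running-config for the Layer 2 hardening
gaps discussed in this thread.  Added example, not part of the original
post or the lab; the sample config below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the SW1 config pasted in the
# thread, with global DHCP snooping added so the trust check fires.
SW1_CONFIG = """\
hostname SW1
!
ip dhcp snooping
ip dhcp snooping vlan 1,20,99
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
interface FastEthernet0/5
 switchport trunk native vlan 99
 switchport mode trunk
 switchport port-security
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport mode access
!
interface FastEthernet0/8
 shutdown
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
end
"""


@dataclass
class Interface:
    name: str
    lines: list[str] = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        """True if any command under this interface starts with prefix."""
        return any(line.startswith(prefix) for line in self.lines)

    @property
    def mode(self) -> str:
        if self.has("switchport mode trunk"):
            return "trunk"
        if self.has("switchport mode access"):
            return "access"
        return "dynamic"  # no explicit mode: IOS leaves DTP negotiating


def parse_config(text: str) -> tuple[set[str], dict[str, Interface]]:
    """Split a running-config into global commands and interface blocks.
    Indented lines belong to the most recent 'interface' stanza."""
    global_cmds: set[str] = set()
    interfaces: dict[str, Interface] = {}
    current: Interface | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces[current.name] = current
        elif raw[0].isspace() and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None
            global_cmds.add(raw.strip())
    return global_cmds, interfaces


def audit(text: str) -> list[str]:
    """Return one finding per Layer 2 hardening gap on an active port."""
    global_cmds, interfaces = parse_config(text)
    snooping_on = "ip dhcp snooping" in global_cmds
    findings: list[str] = []
    for intf in interfaces.values():
        if intf.name.startswith("Vlan") or intf.has("shutdown"):
            continue  # SVIs and disabled ports carry no switchport settings to check
        if intf.mode == "trunk":
            if intf.has("switchport port-security"):
                findings.append(f"{intf.name}: port-security on a trunk port "
                                "(the f0/5 err-disable cause found in this thread)")
            if snooping_on and not intf.has("ip dhcp snooping trust"):
                findings.append(f"{intf.name}: trunk not trusted for DHCP snooping; "
                                "add 'ip dhcp snooping trust' if it faces the DHCP server")
        elif intf.mode == "access":
            if not intf.has("spanning-tree bpduguard enable"):
                findings.append(f"{intf.name}: access port without "
                                "'spanning-tree bpduguard enable'")
        else:
            findings.append(f"{intf.name}: no explicit switchport mode "
                            "(DTP negotiation left on)")
    return findings


if __name__ == "__main__":
    for finding in audit(SW1_CONFIG):
        print(finding)
```

Run it as-is to see the three findings for the sample, or paste a `show running-config` capture into `SW1_CONFIG`. Shut-down ports and SVIs are skipped on purpose: the lab's hardening relies on unused ports being disabled, so a finding there would be noise, and the `Vlan1` management interface has no switchport commands to audit.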