CCNA 2: SRWE Practice PT Skills Assessment (PTSA) – Part 2 Answers

하즈시 2020. 11. 26. 22:31

Topology (diagram not reproduced)


Addressing Table

Device           Interface    Address and Prefix
Central          G0/0/0       192.168.1.1/24
                              2001:db8:acad:1::1/64
                              fe80::1
                 G0/0/1       192.168.2.1/24
                              2001:db8:acad:2::1/64
                              fe80::1
                 G0/0/2       10.1.0.1/30
                              2001:db8:acad:a::1/64
                              fe80::2
                 S0/1/0       10.2.0.1/30
                              2001:db8:acad:b::1/64
                              fe80::2
                 S0/1/1       10.4.0.1/30
                              2001:db8:acad:d::1/64
Office-1         S0/1/1       10.4.0.2/30
                              2001:db8:acad:d::2/64
                              fe80::2
                 G0/0/0       192.168.3.1/24
                              2001:db8:acad:3::1/64
                              fe80::1
Branch-101       G0/0/0.10    192.168.10.1/24
                 G0/0/0.100   192.168.100.1/24
                 G0/0/0.172   172.16.1.1/24
                 G0/0/1       DHCP
                              2001:db8:acad:c::2/64
                 S0/1/0       10.2.0.2/30
                              2001:db8:acad:b::2/64
ISP Router       G0/0/0       10.1.0.2/24
                              2001:DB8:ACAD:A::2/64
                 G0/0/1       10.3.0.1/24
                              2001:DB8:ACAD:C::1/64
WLC-10           management   192.168.100.254
                 WLAN 10      192.168.10.254/24
Server-01        NIC          192.168.3.122
                              2001:db8:acad:3::122
Internet Server  NIC          203.0.113.25
                              2001:db8:acad:cafe:25
DNS Server       NIC          198.51.100.163
                              2001:DB8:face::163
Management Host  NIC          192.168.100.23
Wireless Host    NIC          DHCP
RADIUS server    NIC          172.16.1.100/24
PC-A             NIC          192.168.1.10/24
                              2001:db8:acad:1::10/64
PC-B             NIC          192.168.1.11/24
                              2001:db8:acad:1::11/64
PC-C             NIC          192.168.2.20/24
                              2001:db8:acad:2::20/64
PC-D             NIC          192.168.2.11/24
                              2001:db8:acad:2::21/64
PC-E             NIC          192.168.3.30/24
                              2001:db8:acad:3::30/64


Objectives
In this assessment you will configure the following:

Floating static and default routes for IPv4 and IPv6.
Host routes for IPv4 and IPv6.
DHCP pools and scopes.
Switch security, including port security.
Enhanced LAN security with DHCP snooping, Dynamic ARP Inspection, PortFast and BPDU guard.
Wireless LAN controller-based wireless LANs (including enterprise authentication).

Step 1: Configure VLANs

  • a. Configure VLAN 10 with name users.
  • b. Configure VLAN 999 with the name unused.

 

S1-1(config)#vlan 10
S1-1(config-vlan)#name users
S1-1(config-vlan)#vlan 999
S1-1(config-vlan)#name unused

 

Step 2: Configure active switch ports.

 

a. Configure the ports FastEthernet 0/1 through 0/5 and port GigabitEthernet 0/1 as static access ports in VLAN 10.

S1-1(config)#interface range f0/1-5, g0/1
S1-1(config-if-range)#switchport mode access
S1-1(config-if-range)#switchport access vlan 10

 

b. Activate port security on the ports.

  1. Configure the ports to accept a maximum of 4 MAC addresses.
  2. If a violation occurs, configure the port to drop frames from the unauthorized MAC address, log it, and send an alert.
  3. MAC addresses should be present in the MAC address table for a maximum of 10 minutes before they are removed.
  4. Ports should add the learned MAC addresses to the running configuration.
  5. Configure the MAC address of PC-A as a static address on port FastEthernet0/1.

S1-1(config)#interface range f0/1-5
S1-1(config-if-range)#switchport port-security
S1-1(config-if-range)#switchport port-security maximum 4
S1-1(config-if-range)#switchport port-security violation restrict
S1-1(config-if-range)#switchport port-security aging time 10
S1-1(config-if-range)#switchport port-security mac-address sticky
S1-1(config-if-range)#exit

S1-1(config)#interface f0/1
S1-1(config-if)#switchport port-security mac-address 00D0.D3DC.2825
S1-1(config-if)#exit
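To make the port-security settings above concrete, here is an added Python model (not code from the original post or from Cisco) of what the switch does with the configuration on f0/1: maximum 4 secure MACs, violation mode restrict, sticky learning, and PC-A's MAC as a static entry. It also models shutdown and protect mode so the three violation modes can be compared. Aging is not modelled; every MAC except PC-A's 00D0.D3DC.2825 is constructed, and the log strings are modelled on IOS syslog messages rather than captured from a device.

```python
"""Added example: a small model of Cisco port-security semantics.
Maximum 4 secure MACs, violation 'restrict', sticky learning and one static
entry for PC-A, as configured on S1-1 f0/1. Aging is not modelled."""
from dataclasses import dataclass, field
from typing import Dict, List

PC_A_MAC = "00D0.D3DC.2825"   # from the configuration above; other MACs are constructed


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # 'switchport port-security maximum N' (IOS default 1)
    violation: str = "shutdown"   # 'violation shutdown' (default) | 'restrict' | 'protect'
    sticky: bool = False          # 'switchport port-security mac-address sticky'
    secure: Dict[str, str] = field(default_factory=dict)   # MAC -> static | sticky | dynamic
    violations: int = 0
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """'switchport port-security mac-address <mac>'; counts toward the maximum."""
        self.secure[mac] = "static"

    def frame(self, src_mac: str) -> bool:
        """Process one ingress frame. Returns True if forwarded, False if dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            # Room left: learn the address. Sticky entries are written to running-config.
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # Limit reached and the source is unknown: a security violation.
        if self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True
            self.syslog.append(
                f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
                f"putting {self.name} in err-disable state")
        elif self.violation == "restrict":
            # Frame dropped, counter incremented, syslog/SNMP trap sent; port stays up.
            self.violations += 1
            self.syslog.append(
                f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                f"caused by MAC address {src_mac} on port {self.name}.")
        # 'protect' drops silently: no counter, no notification.
        return False

    def running_config(self) -> List[str]:
        """Lines 'show running-config' would carry; dynamic entries are not saved."""
        lines = [f"switchport port-security mac-address {m}"
                 for m, kind in self.secure.items() if kind == "static"]
        lines += [f"switchport port-security mac-address sticky {m}"
                  for m, kind in self.secure.items() if kind == "sticky"]
        return lines


def build_fa0_1() -> SecurePort:
    """Port f0/1 as configured above: max 4, restrict, sticky, PC-A static."""
    port = SecurePort("FastEthernet0/1", maximum=4, violation="restrict", sticky=True)
    port.add_static(PC_A_MAC)
    return port


def scenario(port: SecurePort) -> List[bool]:
    """Constructed traffic: PC-A, three more hosts (fills the limit), a fifth MAC, then PC-A again."""
    macs = [PC_A_MAC, "0001.0001.0001", "0002.0002.0002", "0003.0003.0003",
            "0004.0004.0004", PC_A_MAC]
    return [port.frame(m) for m in macs]


if __name__ == "__main__":
    p = build_fa0_1()
    print(scenario(p), p.violations, p.err_disabled)   # restrict: fifth MAC dropped, port stays up
    print(p.running_config())                          # 1 static + 3 sticky lines
    q = SecurePort("FastEthernet0/2", maximum=4, violation="shutdown", sticky=True)
    print(scenario(q), q.violations, q.err_disabled)   # shutdown: port err-disabled, PC-A cut off too
```

The point the model makes visible is why the task asks for restrict rather than the default shutdown: with restrict the legitimate hosts keep working and the violation is counted and logged, whereas shutdown takes the whole port (and PC-A with it) offline until it is recovered.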

 

 

c. Protect against DHCP attacks with DHCP snooping.

  1. Activate DHCP snooping globally.
  2. Activate DHCP snooping for the two VLANs that you configured.
  3. Configure the ports to limit the rate to 5 DHCP packets per second.
  4. Configure the port that links to the router as trusted.

# Controls and blocks DHCP server packets that come from anywhere other than the real DHCP server.

The switch accepts DHCP server packets only when they arrive from the trusted side.

Ports connected to end points should not be sending large numbers of DHCP Discover messages, so the number of messages per second is limited.

 

S1-1(config)#ip dhcp snooping 
S1-1(config)#ip dhcp snooping vlan 10,999
S1-1(config)#interface range f0/1-5, g0/1
S1-1(config-if-range)#ip dhcp snooping limit rate 5  ## limits the number of DHCP messages per second
S1-1(config-if-range)#exit
S1-1(config)#interface g0/1
S1-1(config-if)#ip dhcp snooping trust  
S1-1(config-if)#exit

 

Further reading:

https://hoonheui.tistory.com/entry/DHCP-Snoofing (DHCP Snooping, hoonheui.tistory.com)

https://m.blog.naver.com/bestsecurity/221501137099 (DHCP Snooping, blog.naver.com)

 

d. Guard against ARP attacks by implementing DAI.

  1. Activate DAI globally.
  2. Activate DAI on the two VLANs.
  3. Configure the port that links to the router as trusted.

 

S1-1(config)#ip arp inspection vlan 10,999  ## choose which VLANs DAI is enabled on
S1-1(config)#interface g0/1
S1-1(config-if)#ip arp inspection trust
# The default is untrusted. ARP requests and replies received on a trusted port are not inspected.
# ARP packets from an untrusted port are checked against the IP-MAC binding (built beforehand);
# if they match they are forwarded, otherwise they are dropped and a log entry is written.
S1-1(config-if)#exit

 

Dynamic ARP Inspection

- DAI is a switch security feature that stops ARP attacks carried out with forged ARP messages.

- It checks every ARP packet arriving on untrusted ports against the binding information built by DHCP snooping; if the ARP information does not match the database, the packet is dropped and blocked.
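Steps c (DHCP snooping) and d (DAI) above only make sense together, because DAI validates ARP against the binding table that DHCP snooping builds. The following added Python model (not code from the original post or from Cisco) walks through that interaction on S1-1: f0/1-5 are untrusted and rate-limited to 5 DHCP packets per second, g0/1 toward the router is trusted, DHCP server replies arriving on an access port are dropped, and an ARP packet from an untrusted port is forwarded only if its sender MAC/IP pair matches a binding learned on that port. All MAC addresses, IP leases and packets are constructed; the log strings are modelled on IOS syslog messages, not captured from a device.

```python
"""Added example: DHCP snooping + DAI on an access switch, modelled in Python."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TRUSTED_PORTS: Set[str] = {"Gig0/1"}        # 'ip dhcp snooping trust' / 'ip arp inspection trust'
DHCP_RATE_LIMIT_PPS = 5                      # 'ip dhcp snooping limit rate 5'
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}    # only legitimate when they arrive on a trusted port


@dataclass
class AccessSwitch:
    # DHCP snooping binding table: client MAC -> (leased IP, port the client is on)
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # port a client's DISCOVER/REQUEST arrived on, so the server's ACK can be tied to it
    pending: Dict[str, str] = field(default_factory=dict)
    dhcp_seen: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (port, second) -> count
    err_disabled: Set[str] = field(default_factory=set)
    syslog: List[str] = field(default_factory=list)

    def dhcp(self, port: str, msg: str, src_mac: str, chaddr: str,
             yiaddr: Optional[str] = None, second: int = 0) -> bool:
        """Handle one DHCP message. Returns True if forwarded, False if dropped."""
        if port in self.err_disabled:
            return False
        if port in TRUSTED_PORTS:
            # Replies from the real server populate the binding table.
            if msg == "ACK" and yiaddr is not None:
                client_port = self.pending.pop(chaddr, None)
                if client_port is not None:
                    self.bindings[chaddr] = (yiaddr, client_port)
            return True
        # --- untrusted (access) port checks ---
        key = (port, second)
        self.dhcp_seen[key] = self.dhcp_seen.get(key, 0) + 1
        if self.dhcp_seen[key] > DHCP_RATE_LIMIT_PPS:
            # Exceeding the rate limit err-disables the port.
            self.err_disabled.add(port)
            self.syslog.append(f"%DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: DHCP Snooping "
                               f"received {self.dhcp_seen[key]} DHCP packets on interface {port}")
            return False
        if msg in SERVER_MESSAGES:
            # A DHCP server answering from an access port is a rogue server: dropped.
            self.syslog.append(f"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop "
                               f"message on untrusted port, message type: DHCP{msg}, MAC sa: {src_mac}")
            return False
        if src_mac != chaddr:
            # MAC verification (on by default): frame source must match the client hardware address.
            self.syslog.append(f"%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: chaddr {chaddr} "
                               f"does not match source MAC {src_mac} on {port}")
            return False
        self.pending[chaddr] = port
        return True

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI check for an ARP request or reply. Returns True if forwarded, False if dropped."""
        if port in self.err_disabled:
            return False
        if port in TRUSTED_PORTS:
            return True                       # trusted ports are not inspected
        if self.bindings.get(sender_mac) == (sender_ip, port):
            return True
        self.syslog.append(f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs on {port}. "
                           f"([{sender_mac}/{sender_ip}])")
        return False


if __name__ == "__main__":
    sw = AccessSwitch()
    # Constructed lease: host on Fa0/3 gets 192.168.10.50 from the server behind Gig0/1.
    sw.dhcp("Fa0/3", "DISCOVER", "0011.2233.0003", "0011.2233.0003")
    sw.dhcp("Gig0/1", "ACK", "0011.2233.ffff", "0011.2233.0003", yiaddr="192.168.10.50")
    print(sw.bindings)                                        # {'0011.2233.0003': ('192.168.10.50', 'Fa0/3')}
    print(sw.arp("Fa0/3", "0011.2233.0003", "192.168.10.50"))  # True: matches binding
    print(sw.arp("Fa0/4", "0011.2233.0004", "192.168.10.1"))   # False: no binding for that pair
    for s in sw.syslog:
        print(s)
```

One caveat worth knowing when reading the configuration above: the `limit rate 5` line is applied to the whole range including g0/1 before g0/1 is marked trusted, and in IOS the rate limit also applies to trusted ports. A low limit on a busy uplink can therefore err-disable the very port that carries the legitimate DHCP replies, which is why Cisco's guidance is to leave trusted uplinks unlimited or give them a much higher rate.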

 

e. Secure STP by configuring PortFast and BPDUGuard
f. Mitigate STP attacks by configuring BPDUguard and PortFast on the active ports.

 

S1-1(config)#interface range f0/1-5
S1-1(config-if-range)#spanning-tree portfast
S1-1(config-if-range)#spanning-tree bpduguard enable

 

PortFast

- Skips the listening and learning states and moves the port straight from blocking to forwarding, shortening STP convergence time and connecting end devices quickly.

BPDU guard

- When a BPDU is received on the switch port, the port is put into the err-disabled state and deactivated.

- Blocking BPDUs that arrive on edge ports matters because otherwise an attacker could advertise the best bridge priority, become the root switch, and have traffic pass through a device in the middle where it can be observed.

 

Further reading:

https://blog.naver.com/youandi0442/80123750943 (Day 19 theory: Cisco STP Toolkit – BPDU Guard, BPDU Filter, PortFast, RootGuard, LoopGuard, UplinkFast, BackboneFast, UDLD; blog.naver.com)

 

Step 3: Secure unused switch ports.

 

a. Move all unused switch ports to VLAN 999.

b. Configure all unused switch ports as static access ports.

c. Deactivate all unused switch ports.

 

 

S1-1(config)#interface range f0/6-24, g0/2
S1-1(config-if-range)#switchport mode access
S1-1(config-if-range)#switchport access vlan 999
S1-1(config-if-range)#shutdown

 

 

 


Part 2: Configure Addressing and DHCP

 

Step 1: Configure and address a subinterface for the WLAN user network.

 

a. Configure subinterface 10 on the router interface that is connected to the switch S4-1.

b. The router should provide router-on-a-stick routing to VLAN 10.

c. Configure the subinterface with the address from the Addressing Table.

 

 

Branch-101(config)#interface g0/0/0.10
Branch-101(config-subif)#description WLAN users
Branch-101(config-subif)#encapsulation dot1q 10
Branch-101(config-subif)#ip address 192.168.10.1 255.255.255.0

 

 


Step 2: Configure a DHCP pool for WLAN user network.

 

 

a. Exclude the router interface address and the management address of the WLC.

Branch-101(config)#ip dhcp excluded-address 192.168.10.1
Branch-101(config)#ip dhcp excluded-address 192.168.10.254

 

b. Configure a DHCP pool that will be used by hosts that are connecting to the WLAN.

  1. Name the pool WLAN-hosts.
  2. Configure the pool to use addresses in the 192.168.10.0/24 network.
  3. The pool should also provide the default gateway and DNS server addresses.
Branch-101(config)#ip dhcp pool WLAN-hosts
Branch-101(dhcp-config)#network 192.168.10.0 255.255.255.0
Branch-101(dhcp-config)#default-router 192.168.10.1
Branch-101(dhcp-config)#dns-server 198.51.100.163

 


Step 3: Configure an interface as a DHCP client.

 

On Branch-101, configure the interface that is connected to the cloud to receive its address over DHCP.

 

Branch-101(config)#interface g0/0/1
Branch-101(config-if)#ip address dhcp

 


 

Part 3: Configure Static Routes

 

 

Step 1: Configure static routes on Central.

 

a. Configure IPv4 default routes to the cloud using the Ethernet link as the primary link and the serial link as backup. Use an administrative distance of 10 for the backup route.

 

Central(config)#ip route 0.0.0.0 0.0.0.0 g0/0/2
Central(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0 10   # the lower the administrative distance, the higher the preference

Further reading:

http://www.ktword.co.kr/abbr_view.php?m_temp1=2472 (Administrative distance, www.ktword.co.kr)

 

 

b. Configure IPv6 default routes to the cloud. Use the Ethernet link as the primary route, and the serial link as backup. Use an administrative distance of 10 for the backup route. These routes should specify the next hop interface address.

 

Central(config)#ipv6 unicast-routing
Central(config)#ipv6 route ::/0 2001:DB8:ACAD:A::2
Central(config)#ipv6 route ::/0 2001:db8:acad:b::2 10

 

 

c. Configure IPv4 static routes to the Remote Office LAN WLAN user network following the same guidelines as above for type of route and administrative distance.

 

Central(config)#ip route 192.168.10.0 255.255.255.0 g0/0/2
Central(config)#ip route 192.168.10.0 255.255.255.0 s0/1/0 10

 

 

d. Configure IPv4 and IPv6 host routes on Central to the Server-01 on the Remote Office LAN. Create a directly connected route for IPv4 and a next-hop route for IPv6.

 

Central(config)#ip route 192.168.3.122 255.255.255.255 s0/1/1
Central(config)#ipv6 route 2001:db8:acad:3::122/128 2001:db8:acad:d::2
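Steps a through d above configure three kinds of static route on Central: default routes, a floating backup with administrative distance 10, and /32 and /128 host routes. The added Python model below (not code from the original post or from Cisco) takes exactly those route entries and shows how the router picks among them: for each prefix only the usable candidate with the lowest AD is installed, the backup appears only when the primary interface goes down, and a host route beats the default route by longest-prefix match. The mapping from each IPv6 next hop to the interface it is reached through is inferred from the addressing table; the destination addresses in the checks are constructed or taken from the table.

```python
"""Added example: floating static, default and host route selection on Central."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class StaticRoute:
    prefix: str        # destination network, e.g. "0.0.0.0/0"
    via: str           # exit interface or next-hop address as typed in the ip/ipv6 route line
    interface: str     # interface the route depends on; withdrawn while that interface is down
    ad: int = 1        # static routes default to AD 1; the floating backup is configured with 10


# Central's static routes from the configuration above (same order as the config).
CENTRAL_ROUTES: List[StaticRoute] = [
    StaticRoute("0.0.0.0/0", "g0/0/2", "g0/0/2"),
    StaticRoute("0.0.0.0/0", "s0/1/0", "s0/1/0", ad=10),
    StaticRoute("::/0", "2001:db8:acad:a::2", "g0/0/2"),          # next hop on the g0/0/2 link
    StaticRoute("::/0", "2001:db8:acad:b::2", "s0/1/0", ad=10),   # next hop on the s0/1/0 link
    StaticRoute("192.168.10.0/24", "g0/0/2", "g0/0/2"),
    StaticRoute("192.168.10.0/24", "s0/1/0", "s0/1/0", ad=10),
    StaticRoute("192.168.3.122/32", "s0/1/1", "s0/1/1"),
    StaticRoute("2001:db8:acad:3::122/128", "2001:db8:acad:d::2", "s0/1/1"),
]


def installed_routes(routes: List[StaticRoute], up: Set[str]) -> Dict[str, StaticRoute]:
    """Routing-table view: for each prefix keep the usable candidate with the lowest AD."""
    table: Dict[str, StaticRoute] = {}
    for r in routes:
        if r.interface not in up:
            continue                      # candidate is withdrawn while its interface is down
        key = str(ip_network(r.prefix))
        if key not in table or r.ad < table[key].ad:
            table[key] = r
    return table


def lookup(routes: List[StaticRoute], up: Set[str], destination: str) -> Optional[StaticRoute]:
    """Longest-prefix match over the installed routes. None means no route (packet dropped)."""
    dst = ip_address(destination)
    best: Optional[StaticRoute] = None
    for r in installed_routes(routes, up).values():
        net = ip_network(r.prefix)
        if dst in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


if __name__ == "__main__":
    all_up = {"g0/0/2", "s0/1/0", "s0/1/1"}
    print(lookup(CENTRAL_ROUTES, all_up, "203.0.113.25").via)        # g0/0/2  (primary default)
    print(lookup(CENTRAL_ROUTES, all_up, "192.168.3.122").via)       # s0/1/1  (/32 host route wins)
    primary_down = {"s0/1/0", "s0/1/1"}
    print(lookup(CENTRAL_ROUTES, primary_down, "203.0.113.25").via)  # s0/1/0  (floating backup, AD 10)
    print(lookup(CENTRAL_ROUTES, primary_down, "2001:db8:face::163").via)  # 2001:db8:acad:b::2
```

Two details the model reproduces that are easy to get wrong in the exam: the AD 10 route never shows up in the table while the AD 1 route is usable (AD is compared per prefix, before longest-prefix match), and the /32 host route to Server-01 wins over the default route only while s0/1/1 is up; once that link fails, traffic for 192.168.3.122 falls back to the default route rather than being dropped.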

 


 

Step 2: Configure static routes on Branch-101.

 

a. Configure IPv4 default routes to the cloud using the Ethernet link as the preferred link and the serial link as the backup.

 

 

Branch-101(config)#ip route 0.0.0.0 0.0.0.0 g0/0/1
Branch-101(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0 10

 

b. Configure IPv6 default routes to the cloud. Use the Ethernet link as the primary route, and the serial link as backup. Use an administrative distance of 10 for the backup route. These routes should specify the next hop interface address.

 

Branch-101(config)#ipv6 unicast-routing
Branch-101(config)#ipv6 route ::/0 2001:DB8:ACAD:C::1
Branch-101(config)#ipv6 route ::/0 2001:DB8:ACAD:B::1 10

 

 

 

 

 

 

 

 

 

 

Source of the assessment text:

https://itexamanswers.net/ccna-2-srwe-practice-pt-skills-assessment-ptsa-part-2-answers.html (CCNA 2: SRWE Practice PT Skills Assessment (PTSA) - Part 2 Answers, itexamanswers.net)