Liberty University
CSIS 331
Lab 11 Instructions
***Please use the Topology and Instructions below to create a Packet Tracer from scratch. There will not be a Packet Tracer provided for you; you must create it new. If the routers do not have enough interfaces, you will need to go to the Physical tab of the router and add the correct interface card to the existing router. Make sure the router is powered down while this is going on. Please reach out to your instructor if you have issues.***
Packet Tracer:
[Adapted from Cisco Networking Academy Routing and Switching 5.2.2.9]
Addressing Table
| Device | Interface | IP Address | Subnet Mask | Default Gateway |
| --- | --- | --- | --- | --- |
| R1 | G0/1 | 172.16.99.1 | 255.255.255.0 | N/A |
| S1 | VLAN 99 | 172.16.99.11 | 255.255.255.0 | 172.16.99.1 |
| PC-A | NIC | 172.16.99.3 | 255.255.255.0 | 172.16.99.1 |
Objectives
Part 1: Configure Basic Device Settings and Verify Connectivity
Part 2: Configure and Verify SSH Access on S1
• Configure SSH access.
• Modify SSH parameters.
• Verify the SSH configuration.
Part 3: Configure and Verify Security Features on S1
• Configure and verify general security features.
• Configure and verify port security.
Background / Scenario
It is quite common to lock down access and install strong security features on PCs and servers. It is important that your network infrastructure devices, such as switches and routers, are also configured with security features.
In this lab, you will follow some best practices for configuring security features on LAN switches. You will only allow SSH and secure HTTPS sessions. You will also configure and verify port security to lock out any device with a MAC address not recognized by the switch.
Part 1: Configure Basic Device Settings and Verify Connectivity
You will now configure basic settings on the router, switch, and PC. Refer to the Topology and Addressing Table at the beginning of this lab for device names and address information.
Step 1: Configure an IP address on PC-A.
Refer to the Addressing Table for the IP Address information.
Step 2: Configure basic settings on R1.
a. Console into R1 and enter global configuration mode.
b. Copy the following basic configuration and paste it to running-configuration on R1.
no ip domain-lookup
hostname R1
service password-encryption
enable secret class
banner motd #
Unauthorized access is strictly prohibited. #
line con 0
password cisco
login
logging synchronous
line vty 0 4
password cisco
login
interface g0/1
ip address 172.16.99.1 255.255.255.0
no shutdown
end
c. Save the running configuration to startup configuration.
Step 3: Configure basic settings on S1.
a. Console into S1 and enter global configuration mode.
b. Copy the following basic configuration and paste it to running-configuration on S1.
no ip domain-lookup
hostname S1
service password-encryption
enable secret class
banner motd #
Unauthorized access is strictly prohibited. #
line con 0
password cisco
login
logging synchronous
line vty 0 15
password cisco
login
exit
c. Create VLAN 99 on the switch and name it Management.
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)#
d. Configure the VLAN 99 management interface IP address, as shown in the Addressing Table, and enable the interface.
S1(config)# interface vlan 99
S1(config-if)# ip address 172.16.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1#
e. Issue the show vlan command on S1. Answer Question 1 on the Answer Sheet.
f. Issue the show ip interface brief command on S1. Answer Questions 2 and 3 on the Answer Sheet.
g. Assign ports F0/5 and F0/6 to VLAN 99 on the switch.
S1# config t
S1(config)# interface f0/5
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# interface f0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end
h. Save the running configuration to startup configuration.
i. Issue the show ip interface brief command on S1. Answer question 4 on the Answer Sheet.
Note: There may be a delay while the port states converge.
Step 4: Verify connectivity between devices.
Verify connectivity between devices and complete the Ping Table on the Answer Sheet.
a. From PC-A, open a web browser and go to http://172.16.99.11.
If you are prompted for a username and password, leave the username blank and use class for the password. If you are prompted for a secured connection, answer No. Answer Question 5 on the Answer Sheet.
b. Close the browser.
Note: The non-secure web interface (HTTP server) on a Cisco 2960 switch is enabled by default. A common security measure is to disable this service, as described in Part 3.
Part 2: Configure and Verify SSH Access on S1
Step 1: Configure SSH access on S1.
a. Enable SSH on S1. From global configuration mode, create a domain name of CCNA-Lab.com.
S1(config)# ip domain-name CCNA-Lab.com
b. Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.
Note: The password used here is NOT a strong password. It is merely being used for lab purposes.
S1(config)# username admin privilege 15 secret sshadmin
c. Configure the transport input for the vty lines to allow SSH connections only, and use the local database for authentication.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
d. Generate an RSA crypto key using a modulus of 1024 bits.
S1(config)# crypto key generate rsa
The name for the keys will be: S1.CCNA-Lab.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
S1(config)#
S1(config)# end
e. Verify the SSH configuration.
S1# show ip ssh
Answer Questions 6-8 on the Answer Sheet.
Step 2: Modify the SSH configuration on S1.
a. Modify the default SSH configuration.
S1# config t
S1(config)# ip ssh time-out 75
S1(config)# ip ssh authentication-retries 2
Answer Questions 9 and 10 on the Answer Sheet.
b. Verify the SSH configuration on S1.
c. Using the SSH client software on PC-A (such as Tera Term), open an SSH connection to S1. If you receive a message on your SSH client regarding the host key, accept it. Log in with admin for username and sshadmin for the password.
Answer Questions 11-13 on the Answer Sheet.
d. Type exit to end the SSH session on S1.
Part 3: Configure and Verify Security Features on S1
In Part 3, you will shut down unused ports, turn off certain services running on the switch, and configure port security based on MAC addresses. Switches can be subject to MAC address table overflow attacks, MAC spoofing attacks, and unauthorized connections to switch ports. You will configure port security to limit the number of MAC addresses that can be learned on a switch port and disable the port if that number is exceeded.
Step 1: Configure general security features on S1.
a. Change the message of the day (MOTD) banner on S1 to, “Unauthorized access is strictly prohibited. Violators will be prosecuted to the full extent of the law.”
b. Issue a show ip interface brief command on S1. Answer Question 14 on the Answer Sheet.
c. Shut down all unused physical ports on the switch. Use the interface range command.
S1(config)# interface range f0/1 - 4
S1(config-if-range)# shutdown
S1(config-if-range)# interface range f0/7 - 24
S1(config-if-range)# shutdown
S1(config-if-range)# interface range g0/1 - 2
S1(config-if-range)# shutdown
S1(config-if-range)# end
S1#
d. Issue the show ip interface brief command on S1. Answer Question 15 on the Answer Sheet.
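Once Part 2 and Part 3 Step 1 are done, the running-config on S1 should show SSH-only vty lines, local login, the SSH timeout and retry settings, and every unused physical port shut down. The following script is an added example (it is not part of this lab or of Cisco Networking Academy material) that audits a saved running-config for exactly those items; SAMPLE_CONFIG is constructed from the commands in this lab, with placeholder strings in place of the real secret and type-7 password hashes, and the ports considered in use (F0/5 and F0/6) are an assumption that matches the lab topology.

```python
"""Audit an IOS running-config for the hardening this lab applies to S1.

Added example (not from the lab or Cisco Networking Academy). Checks the
Part 2 items (ip domain-name, privilege-15 local user, ip ssh time-out and
authentication-retries, vty lines with transport input ssh + login local)
and the Part 3 Step 1 item (unused physical ports shut down).
"""
import re

# Constructed sample of S1's running-config after Part 2 and Part 3 Step 1.
# IOS writes "line vty 0 15" back as two ranges, and service password-encryption
# turns plaintext passwords into type-7 strings (PLACEHOLDER stands in for them).
# FastEthernet0/7 is deliberately left un-shut so the audit has something to report.
SAMPLE_CONFIG = """\
hostname S1
service password-encryption
enable secret 5 $1$PLACEHOLDER
no ip domain-lookup
ip domain-name CCNA-Lab.com
username admin privilege 15 secret 5 $1$PLACEHOLDER
ip ssh time-out 75
ip ssh authentication-retries 2
interface FastEthernet0/1
 shutdown
interface FastEthernet0/5
 switchport access vlan 99
 switchport mode access
interface FastEthernet0/6
 switchport access vlan 99
 switchport mode access
interface FastEthernet0/7
interface Vlan99
 ip address 172.16.99.11 255.255.255.0
line con 0
 password 7 PLACEHOLDER
 logging synchronous
 login
line vty 0 4
 password 7 PLACEHOLDER
 login local
 transport input ssh
line vty 5 15
 password 7 PLACEHOLDER
 login local
 transport input ssh
"""

# Global commands that must be present (prefix match against each top-level line).
REQUIRED_GLOBAL = (
    "service password-encryption",
    "enable secret",
    "ip domain-name ",
    "ip ssh time-out ",
    "ip ssh authentication-retries ",
)


def parse_sections(config_text):
    """Split an IOS config into top-level lines and indented interface/line sections."""
    top_level = []
    sections = {}  # section header -> its indented lines, in file order
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented line belongs to the current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            top_level.append(line)
    return top_level, sections


def audit(config_text, in_use_ports=("FastEthernet0/5", "FastEthernet0/6")):
    """Return a list of findings; an empty list means the config passes the lab's checks."""
    top_level, sections = parse_sections(config_text)
    findings = []
    for required in REQUIRED_GLOBAL:
        if not any(line.startswith(required) for line in top_level):
            findings.append(f"missing global command: {required.strip()}")
    if not any(re.match(r"username \S+ privilege 15 ", line) for line in top_level):
        findings.append("no privilege-15 local user for SSH login")
    for header, body in sections.items():
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input is not SSH-only")
            if "login local" not in body:
                findings.append(f"{header}: not authenticating against the local user database")
        elif header.startswith("interface "):
            name = header.split(" ", 1)[1]
            physical = name.startswith(("FastEthernet", "GigabitEthernet"))
            if physical and name not in in_use_ports and "shutdown" not in body:
                findings.append(f"{name}: unused port not shut down")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the open F0/7; removing the transport input ssh lines from the sample makes both vty ranges show up, which is the case to watch for on a real switch because a missing transport input leaves Telnet enabled.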
Step 2: Configure and verify port security on S1.
a. Record the R1 G0/1 MAC address on the Answer Sheet Question 16.
From the R1 CLI, use the show interface g0/1 command and record the MAC address of the interface.
R1# show interface g0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 30f7.0da3.1821 (bia 3047.0da3.1821)
b. From the S1 CLI, issue a show mac address-table command from privileged EXEC mode. Find the dynamic entries for ports F0/5 and F0/6. Record them on the Answer Sheet question 17 and 18.
c. Configure basic port security.
Note: This procedure would normally be performed on all access ports on the switch. F0/5 is shown here as an example.
1) From the S1 CLI, enter interface configuration mode for the port that connects to R1.
S1(config)# interface f0/5
2) Shut down the port.
3) Enable port security on F0/5.
S1(config-if)# switchport port-security
Note: Entering the switchport port-security command sets the maximum MAC addresses to 1 and the violation action to shutdown. The switchport port-security maximum and switchport port-security violation commands can be used to change the default behavior.
4) Configure a static entry for the MAC address of R1 G0/1 interface.
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
(xxxx.xxxx.xxxx is the actual MAC address of the router G0/1 interface)
Note: Optionally, you can use the switchport port-security mac-address sticky command to add all the secure MAC addresses that are dynamically learned on a port (up to the maximum set) to the switch running configuration.
5) Enable the switch port.
S1(config-if)# no shutdown
S1(config-if)# end
d. Verify port security on S1 F0/5 by issuing a show port-security interface command.
S1# show port-security interface f0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Answer Question 19 on the Answer Sheet.
e. From R1 command prompt, ping PC-A to verify connectivity.
R1# ping 172.16.99.3
f. You will now violate security by changing the MAC address on the router interface. Enter interface configuration mode for G0/1 and shut it down.
R1# config t
R1(config)# interface g0/1
R1(config-if)# shutdown
g. Configure a new MAC address for the interface, using aaaa.bbbb.cccc as the address.
R1(config-if)# mac-address aaaa.bbbb.cccc
h. If possible, have a console connection open on S1 at the same time that you do the next two steps. You will eventually see messages displayed on the console connection to S1 indicating a security violation. Enable the G0/1 interface on R1.
R1(config-if)# no shutdown
i. From R1 privileged EXEC mode, ping PC-A. Answer Questions 20 and 21 on the Answer Sheet.
j. On the switch, verify port security with the following commands.
S1# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/5 1 1 1 Shutdown
----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) :0
Max Addresses limit in System (excluding one mac per port) :8192
S1# show port-security interface f0/5
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : aaaa.bbbb.cccc:99
Security Violation Count : 1
S1# show interface f0/5
FastEthernet0/5 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is 0cd9.96e2.3d05 (bia 0cd9.96e2.3d05)
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
<output omitted>
S1# show port-security address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
99 30f7.0da3.1821 SecureConfigured Fa0/5 -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) :0
Max Addresses limit in System (excluding one mac per port) :8192
k. On the router, shut down the G0/1 interface, remove the hard-coded MAC address from the router, and re-enable the G0/1 interface.
R1(config-if)# shutdown
R1(config-if)# no mac-address aaaa.bbbb.cccc
R1(config-if)# no shutdown
R1(config-if)# end
l. From R1, ping PC-A again at 172.16.99.3. Answer Question 22 on the Answer Sheet.
m. On the switch, issue the show interface f0/5 command to determine the cause of ping failure. Record your findings on the Answer Sheet Question 23.
n. Clear the S1 F0/5 error disabled status.
S1# config t
S1(config)# interface f0/5
S1(config-if)# shutdown
S1(config-if)# no shutdown
Note: There may be a delay while the port states converge.
o. Issue the show interface f0/5 command on S1 to verify F0/5 is no longer in error disabled mode.
S1# show interface f0/5
FastEthernet0/5 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0023.5d59.9185 (bia 0023.5d59.9185)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
p. From the R1 command prompt, ping PC-A again. The ping should be successful.
Answer Reflection Questions 1 & 2 on the Answer Sheet.
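The show port-security output in Part 3 Step 2 (d before the violation, j after it) is what a defender reads to confirm that the spoofed MAC address tripped port security on F0/5. The script below is an added example (not part of this lab or of Cisco Networking Academy material) that parses that output and the show port-security summary table and flags any port that is err-disabled or has a non-zero violation counter; the sample strings are copied from the lab's own output and labelled as such.

```python
"""Parse port-security show output from S1 and flag violations.

Added example (not from the lab or Cisco Networking Academy). Reads the
`show port-security interface` and `show port-security` text from Part 3
Step 2 and reports ports that are err-disabled or carry violations.
"""
import re

# Constructed from Part 3 Step 2 j: F0/5 after the changed MAC tripped port security.
AFTER_VIOLATION = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : aaaa.bbbb.cccc:99
Security Violation Count : 1
"""

# Constructed from Part 3 Step 2 d: the same port before any violation.
BEFORE_VIOLATION = (AFTER_VIOLATION.replace("Secure-shutdown", "Secure-up")
                    .replace("aaaa.bbbb.cccc:99", "0000.0000.0000:0")
                    .replace("Violation Count : 1", "Violation Count : 0"))

# Constructed from Part 3 Step 2 j: the `show port-security` summary table.
SUMMARY = """\
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/5 1 1 1 Shutdown
----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) :0
Max Addresses limit in System (excluding one mac per port) :8192
"""


def parse_interface_output(text):
    """Return {field: value} from 'Key : Value' lines; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        # Split on the first ' : ' only: the 'Last Source Address:Vlan' key and
        # its 'mac:vlan' value both contain a bare colon.
        key, value = (part.strip() for part in line.split(" : ", 1))
        fields[key] = int(value) if value.isdigit() else value
    return fields


def parse_summary(text):
    """Return one dict per data row of the `show port-security` table."""
    row = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
    rows = []
    for line in text.splitlines():
        m = row.match(line)  # header, '(Count)' and dashed lines do not match
        if m:
            port, maximum, current, violations, action = m.groups()
            rows.append({"port": port, "max": int(maximum), "current": int(current),
                         "violations": int(violations), "action": action})
    return rows


def assess(fields):
    """Findings for one port's parsed `show port-security interface` output (empty = healthy)."""
    if fields.get("Port Security") != "Enabled":
        return ["port security is not enabled on this port"]
    findings = []
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled by a port-security violation")
    count = fields.get("Security Violation Count", 0)
    if count > 0:
        mac, _, vlan = fields.get("Last Source Address:Vlan", "").partition(":")
        findings.append(f"{count} violation(s); last offending MAC {mac} on VLAN {vlan}")
    return findings


def violating_ports(summary_text):
    """Port names from the summary table whose violation counter is non-zero."""
    return [r["port"] for r in parse_summary(summary_text) if r["violations"] > 0]


if __name__ == "__main__":
    print(assess(parse_interface_output(AFTER_VIOLATION)))
    print(violating_ports(SUMMARY))
```

The summary table is the quick way to find which ports need attention across a whole switch; the per-interface output then gives the offending MAC and VLAN, which is what you would record before clearing the err-disabled state as in step n.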
Liberty University
CSIS 331
Lab11 Answer Sheet
Part 1 Questions:
1. What is the status of VLAN 99?
2. What is the status and protocol for management interface VLAN 99?
3. Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99?
4. What is the status and protocol showing for interface VLAN 99?
Ping Table
| Ping From | Ping To | Successful Y/N |
| --- | --- | --- |
| PC-A | R1 Default Gateway | |
| PC-A | S1 Default Gateway | |
| S1 | R1 Default Gateway | |
5. Were you able to access the web interface on S1? __ Y ___N
Part 2 Questions:
6. What version of SSH is the switch using?
7. How many authentication attempts does SSH allow?
8. What is the default timeout setting for SSH?
9. How many authentication attempts does SSH allow?
10. What is the timeout setting for SSH?
11. Was the connection successful? __ Y ___N
12. What prompt was displayed on S1?
13. Why?
Part 3 Questions:
14. What physical ports are up?
15. What is the status of ports F0/1 to F0/4?
16. What is the MAC address of the R1 G0/1 interface?
17. F0/5 MAC address:
18. F0/6 MAC address:
19. What is the port status of F0/5?
20. Was the ping successful? __ Y __N
21. Why or why not?
22. Was the ping successful? __ Y __N
23. What was the cause of the ping failure?
Reflection Question 1. Why would you enable port security on a switch?
Reflection Question 2. Why should unused ports on a switch be disabled?