2.2.4.11 Lab - Configuring Switch Security Features - ILM
7/17/2019 2.2.4.11 Lab - Configuring Switch Security Features - ILM
http://slidepdf.com/reader/full/22411-lab-configuring-switch-security-features-ilm-568e47253c441 1/15
Lab – Configuring Switch Security Features (Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.
Topology
Addressing Table
Device   Interface   IP Address     Subnet Mask     Default Gateway
R1       G0/1        172.16.99.1    255.255.255.0   N/A
S1       VLAN 99     172.16.99.11   255.255.255.0   172.16.99.1
PC-A     NIC         172.16.99.3    255.255.255.0   172.16.99.1
Objectives
Part 1: Set Up the Topology and Initialize Devices
Part 2: Configure Basic Device Settings and Verify Connectivity
Part 3: Configure and Verify SSH Access on S1
• Configure SSH access.
• Modify SSH parameters.
• Verify the SSH configuration.
Part 4: Configure and Verify Security Features on S1
• Configure and verify general security features.
• Configure and verify port security.
Background / Scenario
It is quite common to lock down access and install good security features on PCs and servers. It is important that your network infrastructure devices, such as switches and routers, are also configured with security features.
In this lab, you will follow some best practices for configuring security features on LAN switches. You will only allow SSH and secure HTTPS sessions. You will also configure and verify port security to lock out any device with a MAC address not recognized by the switch.
Note: The router used with CCNA hands-on labs is a Cisco 1941 Integrated Services Router (ISR) with Cisco IOS Release 15.2(4)M3 (universalk9 image). The switch used is a Cisco Catalyst 2960 with Cisco IOS Release 15.0(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of this lab for the correct interface identifiers.
Note: Make sure that the router and switch have been erased and have no startup configurations. If you are unsure, contact your instructor or refer to the previous lab for the procedures to initialize and reload devices.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 15
Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.
Required Resources
• 1 Router (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
• 1 Switch (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
• 1 PC (Windows 7, Vista, or XP with terminal emulation program, such as Tera Term)
• Console cables to configure the Cisco IOS devices via the console ports
• Ethernet cables as shown in the topology
Part 1: Set Up the Topology and Initialize Devices
In Part 1, you will set up the network topology and clear any configurations, if necessary.
Step 1: Cable the network as shown in the topology.
Step 2: Initialize and reload the router and switch.
If configuration files were previously saved on the router or switch, initialize and reload these devices back to their basic configurations.
Part 2: Configure Basic Device Settings and Verify Connectivity
In Part 2, you configure basic settings on the router, switch, and PC. Refer to the Topology and Addressing Table at the beginning of this lab for device names and address information.
Step 1: Configure an IP address on PC-A.
Step 2: Configure basic settings on R1.
a. Configure the device name.
b. Disable DNS lookup.
c. Configure interface IP address as shown in the Addressing Table.
d. Assign class as the privileged EXEC mode password.
e. Assign cisco as the console and vty password and enable login.
f. Encrypt plain text passwords.
g. Save the running configuration to startup configuration.
Step 3: Configure basic settings on S1.
A good security practice is to assign the management IP address of the switch to a VLAN other than VLAN 1 (or any other data VLAN with end users). In this step, you will create VLAN 99 on the switch and assign it an IP address.
a. Configure the device name.
b. Disable DNS lookup.
c. Assign class as the privileged EXEC mode password.
d. Assign cisco as the console and vty password and then enable login.
e. Configure a default gateway for S1 using the IP address of R1.
f. Encrypt plain text passwords.
g. Save the running configuration to startup configuration.
h. Create VLAN 99 on the switch and name it Management.
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)#
i. Configure the VLAN 99 management interface IP address, as shown in the Addressing Table, and enable the interface.
S1(config)# interface vlan 99
S1(config-if)# ip address 172.16.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1#
j. Issue the show vlan command on S1. What is the status of VLAN 99? ______________________ Active
k. Issue the show ip interface brief command on S1. What is the status and protocol for management interface VLAN 99?
____________________________________________________________________________________
Status is up and protocol is down.
Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99?
____________________________________________________________________________________
No physical ports on the switch have been assigned to VLAN 99.
l. Assign ports F0/5 and F0/6 to VLAN 99 on the switch.
S1# config t
S1(config)# interface f0/5
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# interface f0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end
m. Issue the show ip interface brief command on S1. What is the status and protocol showing for interface VLAN 99? ______________________ Up and up
Note: There may be a delay while the port states converge.
Step 4: Verify connectivity between devices.
a. From PC-A, ping the default gateway address on R1. Were your pings successful? ______________ Yes
b. From PC-A, ping the management address of S1. Were your pings successful? ______________ Yes
c. From S1, ping the default gateway address on R1. Were your pings successful? ______________ Yes
d. From PC-A, open a web browser and go to http://172.16.99.11. If it prompts you for a username and password, leave the username blank and use class for the password. If it prompts for secured connection, answer No. Were you able to access the web interface on S1? ______________ Yes
e. Close the browser session on PC-A.
Note: The non-secure web interface (HTTP server) on a Cisco 2960 switch is enabled by default. A common security measure is to disable this service, as described in Part 4.
Part 3: Configure and Verify SSH Access on S1
Step 1: Configure SSH access on S1.
a. Enable SSH on S1. From global configuration mode, create a domain name of CCNA-Lab.com.
S1(config)# ip domain-name CCNA-Lab.com
b. Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.
Note: The password used here is NOT a strong password. It is merely being used for lab purposes.
S1(config)# username admin privilege 15 secret sshadmin
c. Configure the transport input for the vty lines to allow SSH connections only, and use the local database for authentication.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
d. Generate an RSA crypto key using a modulus of 1024 bits.
S1(config)# crypto key generate rsa modulus 1024
The name for the keys will be: S1.CCNA-Lab.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
S1(config)#
S1(config)# end
e. Verify the SSH configuration and answer the questions below.
S1# show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
What version of SSH is the switch using? _______________________ 1.99
How many authentication attempts does SSH allow? _______________________ 3
What is the default timeout setting for SSH? _______________________ 120 seconds
Step 2: Modify the SSH configuration on S1.
Modify the default SSH configuration.
S1# config t
S1(config)# ip ssh time-out 75
S1(config)# ip ssh authentication-retries 2
S1# show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 75 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
How many authentication attempts does SSH allow? _______________________ 2
What is the timeout setting for SSH? _______________________ 75 seconds
Step 3: Verify the SSH configuration on S1.
a. Using SSH client software on PC-A (such as Tera Term), open an SSH connection to S1. If you receive a message on your SSH client regarding the host key, accept it. Log in with admin for username and cisco for the password.
Was the connection successful? _________________________ Yes
What prompt was displayed on S1? Why?
____________________________________________________________________________________
S1 is showing the prompt at privileged EXEC mode, because the privilege 15 option was used when configuring username and password.
b. Type exit to end the SSH session on S1.
Part 4: Configure and Verify Security Features on S1
In Part 4, you will shut down unused ports, turn off certain services running on the switch, and configure port security based on MAC addresses. Switches can be subject to MAC address table overflow attacks, MAC spoofing attacks, and unauthorized connections to switch ports. You will configure port security to limit the number of MAC addresses that can be learned on a switch port and disable the port if that number is exceeded.
Step 1: Configure general security features on S1.
a. Configure a message of the day (MOTD) banner on S1 with an appropriate security warning message.
b. Issue a show ip interface brief command on S1. What physical ports are up?
____________________________________________________________________________________
Ports F0/5 and F0/6
c. Shut down all unused physical ports on the switch. Use the interface range command.
S1(config)# interface range f0/1 - 4
S1(config-if-range)# shutdown
S1(config-if-range)# interface range f0/7 - 24
S1(config-if-range)# shutdown
S1(config-if-range)# interface range g0/1 - 2
S1(config-if-range)# shutdown
S1(config-if-range)# end
S1#
d. Issue the show ip interface brief command on S1. What is the status of ports F0/1 to F0/4?
____________________________________________________________________________________
Administratively down.
e. Issue the show ip http server status command.
S1# show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
What is the HTTP server status? ___________________________ Enabled
What server port is it using? ___________________________ 80
What is the HTTP secure server status? ___________________________ Enabled
What secure server port is it using? ___________________________ 443
f. HTTP sessions send everything in plain text. You will disable the HTTP service running on S1.
S1(config)# no ip http server
g. From PC-A, open a web browser session to http://172.16.99.11. What was your result?
____________________________________________________________________________________
The web page could not open. HTTP connections are now refused by S1.
h. From PC-A, open a secure web browser session at https://172.16.99.11. Accept the certificate. Log in with no username and a password of class. What was your result?
____________________________________________________________________________________
Secure web session was successful.
i. Close the web session on PC-A.
Step 2: Configure and verify port security on S1.
a. Record the R1 G0/1 MAC address. From the R1 CLI, use the show interface g0/1 command and record the MAC address of the interface.
R1# show interface g0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 30f7.0da3.1821 (bia 30f7.0da3.1821)
What is the MAC address of the R1 G0/1 interface?
____________________________________________________________________________________
In the example above, it is 30f7.0da3.1821
b. From the S1 CLI, issue a show mac address-table command from privileged EXEC mode. Find the dynamic entries for ports F0/5 and F0/6. Record them below.
F0/5 MAC address: ______________________________________________________ 30f7.0da3.1821
F0/6 MAC address: ______________________________________________________ 00e0.[illegible in the source].1ccd
c. Configure basic port security.
Note: This procedure would normally be performed on all access ports on the switch. F0/5 is shown here as an example.
1) From the S1 CLI, enter interface configuration mode for the port that connects to R1.
S1(config)# interface f0/5
2) Shut down the port.
S1(config-if)# shutdown
3) Enable port security on F0/5.
S1(config-if)# switchport port-security
Note: Entering the switchport port-security command sets the maximum MAC addresses to 1 and the violation action to shutdown. The switchport port-security maximum and switchport port-security violation commands can be used to change the default behavior.
4) Configure a static entry for the MAC address of R1 G0/1 interface recorded in Step 2a.
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
(xxxx.xxxx.xxxx is the actual MAC address of the router G0/1 interface)
Note: Optionally, you can use the switchport port-security mac-address sticky command to add all the secure MAC addresses that are dynamically learned on a port (up to the maximum set) to the switch running configuration.
5) Enable the switch port.
S1(config-if)# no shutdown
S1(config-if)# end
d. Verify port security on S1 F0/5 by issuing a show port-security interface command.
S1# show port-security interface f0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
What is the port status of F0/5?
____________________________________________________________________________________
The status is Secure-up, which indicates that the port is secure but the status and protocol are up.
e. From R1 command prompt, ping PC-A to verify connectivity.
R1# ping 172.16.99.3
f. You will now violate security by changing the MAC address on the router interface. Enter interface configuration mode for G0/1 and shut it down.
R1# config t
R1(config)# interface g0/1
R1(config-if)# shutdown
g. Configure a new MAC address for the interface, using aaaa.bbbb.cccc as the address.
R1(config-if)# mac-address aaaa.bbbb.cccc
h. If possible, have a console connection open on S1 at the same time that you do this step. You will see various messages displayed on the console connection to S1 indicating a security violation. Enable the G0/1 interface on R1.
R1(config-if)# no shutdown
i. From R1 privileged EXEC mode, ping PC-A. Was the ping successful? Why or why not?
____________________________________________________________________________________
No, the F0/5 port on S1 is shut down because of the security violation.
j. On the switch, verify port security with the following commands shown below.
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
S1# show port-security interface f0/5
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aaaa.bbbb.cccc:99
Security Violation Count   : 1
S1# show interface f0/5
FastEthernet0/5 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is [MAC illegible in the source] (bia [MAC illegible in the source])
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
<output omitted>
S1# show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  99    30f7.0da3.1821    SecureConfigured    Fa0/5        -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
k. On the router, shut down the G0/1 interface, remove the hard-coded MAC address from the router, and re-enable the G0/1 interface.
R1(config-if)# shutdown
R1(config-if)# no mac-address aaaa.bbbb.cccc
R1(config-if)# no shutdown
R1(config-if)# end
l. From R1, ping PC-A again at 172.16.99.3. Was the ping successful? _________________ No
m. On the switch, issue the show interface f0/5 command to determine the cause of ping failure. Record your findings.
____________________________________________________________________________________
F0/5 port on S1 is still in an error disabled state.
S1# show interface f0/5
FastEthernet0/5 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is [MAC illegible in the source] (bia [MAC illegible in the source])
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
n. Clear the S1 F0/5 error disabled status.
S1# config t
S1(config)# interface f0/5
S1(config-if)# shutdown
S1(config-if)# no shutdown
Note: There may be a delay while the port states converge.
o. Issue the show interface f0/5 command on S1 to verify F0/5 is no longer in error disabled mode.
S1# show interface f0/5
FastEthernet0/5 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is [MAC illegible in the source] (bia [MAC illegible in the source])
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
p. From the R1 command prompt, ping PC-A again. You should be successful.
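To check a switch against the steps of Part 3 (SSH-only vty access with local login) and Part 4 (HTTP off, HTTPS on, banner, unused ports down, port security on active access ports) without reading the whole running-config by eye, here is an added Python audit; it is example code written for this page, not part of the Cisco lab. It runs over a constructed running-config modelled on the S1 config in this lab (the MAC address is the one from the lab); the check names and finding texts are this example's own assumptions.

```python
import re

# Constructed sample modelled on the S1 running-config shown in this lab (abridged).
# Two slips are planted on purpose so the audit has something to report: F0/6 is in
# use but has no port security, and vty 5-15 still accept every transport (telnet too).
SAMPLE_CONFIG = """\
username admin privilege 15 secret sshadmin
ip domain-name CCNA-Lab.com
interface FastEthernet0/1
 shutdown
interface FastEthernet0/5
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security mac-address 30f7.0da3.1821
interface FastEthernet0/6
 switchport access vlan 99
 switchport mode access
interface Vlan1
 no ip address
 shutdown
interface Vlan99
 ip address 172.16.99.11 255.255.255.0
no ip http server
ip http secure-server
banner motd ^CWarning! Unauthorized Access is Prohibited.^C
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input all
"""


def parse_blocks(config):
    """Group config lines into (header, [sub-commands]); '!' and blank lines are skipped."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):          # column 0 opens a new block
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:            # indented line belongs to the open block
            current[1].append(raw.strip())
    return blocks


def audit(config):
    """Return the hardening gaps found, in config order; an empty list means all passed."""
    blocks = parse_blocks(config)
    tops = {header for header, _ in blocks}
    findings = []

    # Part 3: SSH-only remote access, authenticated against the local user database
    if not any(h.startswith("ip domain-name") for h in tops):
        findings.append("no ip domain-name, so RSA keys (and SSH) cannot be generated")
    if not any(re.match(r"username \S+ .*\bsecret\b", h) for h in tops):
        findings.append("no local username with a secret for SSH login")
    for header, body in blocks:
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input is not restricted to ssh")
            if "login local" not in body:
                findings.append(f"{header}: login local is missing")

    # Part 4: HTTP off, HTTPS on, MOTD banner, unused ports down, port security on
    if "no ip http server" not in tops:
        findings.append("plain-text HTTP server is still enabled")
    if "ip http secure-server" not in tops:
        findings.append("HTTPS server is not enabled")
    if not any(h.startswith("banner motd") for h in tops):
        findings.append("no MOTD banner configured")
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if name == "Vlan1":
            if "shutdown" not in body:
                findings.append("Vlan1 is not shut down (management belongs on another VLAN)")
        elif not name.startswith("Vlan") and "shutdown" not in body:
            # an active physical port: it must be an access port protected by port security
            if "switchport mode access" not in body:
                findings.append(f"{name}: active port is not forced to access mode")
            if "switchport port-security" not in body:
                findings.append(f"{name}: active port without port security")
    return findings
```

Feed `audit()` the text of `show running-config` captured from the switch; the two planted slips in the sample are exactly the ones this lab's Step 1c and Step 2c are meant to close.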
Reflection
1. Why would you enable port security on a switch?
_______________________________________________________________________________________
It would help prevent unauthorized devices from accessing your network if they plugged into a switch on your network.
2. Why should unused ports on a switch be disabled?
_______________________________________________________________________________________
One excellent reason is that a user could not connect a device to the switch on an unused port and access the LAN.
Router Interface Summary Table
Router Interface Summary
Router Model   Ethernet Interface #1         Ethernet Interface #2         Serial Interface #1     Serial Interface #2
1800           Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2801           Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/1/0 (S0/1/0)   Serial 0/1/1 (S0/1/1)
2811           Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
Device Configs
Router R1
R1#sh run
Building configuration...
Current configuration : [size illegible in the source] bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
enable secret [type and hash illegible in the source]
!
no ip domain-lookup
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 172.16.99.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
line con 0
 password 7 [encrypted password illegible in the source]
 login
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 7
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 password 7 [encrypted password illegible in the source]
 login
 transport input all
!
scheduler allocate 20000 1000
!
end
Switch S1
S1#sh run
Building configuration...
Current configuration : [size illegible in the source] bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S1
!
enable secret [type and hash illegible in the source]
!
username admin privilege 15 secret [type and hash illegible in the source]
!
no ip domain-lookup
ip domain-name CCNA-Lab.com
!
crypto pki trustpoint TP-self-signed-[number illegible in the source]
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-[number illegible in the source]
 revocation-check none
 rsakeypair TP-self-signed-[number illegible in the source]
!
crypto pki certificate chain TP-self-signed-[number illegible in the source]
 certificate self-signed 01
  quit
!
ip ssh time-out 75
ip ssh authentication-retries 2
!
interface FastEthernet0/1
 shutdown
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security mac-address 30f7.0da3.1821
!
interface FastEthernet0/6
 switchport access vlan 99
 switchport mode access
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 172.16.99.11 255.255.255.0
!
ip default-gateway 172.16.99.1
no ip http server
ip http secure-server
!
banner motd ^CWarning! Unauthorized Access is Prohibited.^C
!
line con 0
 password cisco
 logging synchronous
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
end