L03 - Introduction to Network Security
For Classroom Use Only!
Important User Information
This documentation, whether illustrative, printed, “online” or electronic (hereinafter “Documentation”) is intended for use only as a learning aid when using Rockwell Automation approved demonstration hardware, software and firmware. The Documentation should only be used as a learning tool by qualified professionals. The variety of uses for the hardware, software and firmware (hereinafter “Products”) described in this Documentation mandates that those responsible for the application and use of those Products must satisfy themselves that all necessary steps have been taken to ensure that each application and actual use meets all performance and safety requirements, including any applicable laws, regulations, codes and standards in addition to any applicable technical documents. In no event will Rockwell Automation, Inc., or any of its affiliate or subsidiary companies (hereinafter “Rockwell Automation”) be responsible or liable for any indirect or consequential damages resulting from the use or application of the Products described in this Documentation. Rockwell Automation does not assume responsibility or liability for damages of any kind based on the alleged use of, or reliance on, this Documentation. No patent liability is assumed by Rockwell Automation with respect to use of information, circuits, equipment, or software described in the Documentation.
Except as specifically agreed in writing as part of a maintenance or support contract, equipment users are responsible for:
• properly using, calibrating, operating, monitoring and maintaining all Products consistent with all Rockwell Automation or third-party provided instructions, warnings, recommendations and documentation;
• ensuring that only properly trained personnel use, operate and maintain the Products at all times;
• staying informed of all Product updates and alerts and implementing all updates and fixes; and
• all other factors affecting the Products that are outside of the direct control of Rockwell Automation.
Reproduction of the contents of the Documentation, in whole or in part, without written permission of Rockwell Automation is prohibited. Throughout this manual we use the following notes to make you aware of safety considerations:
Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.
Identifies information that is critical for successful application and understanding of the product.
Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you:
• identify a hazard
• avoid a hazard
• recognize the consequence
Labels may be located on or inside the drive to alert people that dangerous voltage may be present.
Labels may be located on or inside the drive to alert people that surfaces may be dangerous temperatures.
3 of 66
Introduction to Network Security
Contents
Before you begin ........................................................................................................................................... 5
Lab Network Hardware ..................................................................................................................................................................... 5
About this lab .................................................................................................................................................................................... 5
Lab 1 ............................................................................................................................................................. 6
Lab 1 Network Layout ....................................................................................................................................................................... 6
About this lab .................................................................................................................................................................................... 7
Lab 1 Steps ....................................................................................................................................................................................... 7
Certificates and encryption, benefits of cryptographic firmware (5 Minutes) .................................................................................... 7
Lab 2 ........................................................................................................................................................... 15
Lab 2 Network Layout ..................................................................................................................................................................... 15
About this lab .................................................................................................................................................................................. 15
Lab 2 Steps ..................................................................................................................................................................................... 16
Port Security (10 Minutes) .............................................................................................................................................................. 16
Lab 3 ........................................................................................................................................................... 24
Lab 3 Network Layout ..................................................................................................................................................................... 24
About this lab .................................................................................................................................................................................. 25
Lab 3 Steps ..................................................................................................................................................................................... 25
Stratix 5950 Access Control Lists (ACL) (15 Minutes) .................................................................................................................... 25
Lab 4 ........................................................................................................................................................... 31
About this lab .................................................................................................................................................................................. 32
Lab 4 Steps ..................................................................................................................................................................................... 32
Lab 5 ........................................................................................................................................................... 38
Lab 5 Network Layout – Same as Lab 4 ......................................................................................................................................... 38
About this lab .................................................................................................................................................................................. 39
Lab 5 Steps ..................................................................................................................................................................................... 39
Following “Policy 1.a” (5 Minutes) ................................................................................................................................................... 39
Instructor only – Lab Reset ......................................................................................................................... 43
Network Layout – Start of lab .......................................................................................................................................................... 43
Device IP address assignment ....................................................................................................................................................... 44
README ......................................................................................................................................................................................... 44
Restore Stratix 5950 Access Rules ................................................................................................................................................ 44
Reset Port Security Settings on Stratix 5400 .................................................................................................................................. 47
Restart the VM ................................................................................................................................................................................ 50
Instructor Only – Lab Setup ........................................................................................................................ 50
Tools & prerequisites ...................................................................................................................................................................... 50
Network Layout – Start of lab (Wait to connect cables till end of setup) ....................................................................... 51
Device IP address assignment ....................................................................................................................................................... 51
README ......................................................................................................................................................................................... 52
Prepare Stratix 5400 for the lab ...................................................................................................................................................... 52
Prepare Stratix 5700 for the lab ...................................................................................................................................................... 55
Prepare Stratix 5950 for the lab ...................................................................................................................................................... 57
5950 FirePOWER Restore .............................................................................................................................................................. 62
Prepare 1756-L73 for the lab .......................................................................................................................................................... 65
Prepare 1769-L24ER for the lab ..................................................................................................................................................... 65
Before you begin
Lab Network Hardware
The lab network consists of the following hardware:
• Stratix 5700
• Stratix 5400
• Stratix 5950
• Stratix 5900
• Stratix 2000
• 1756 ControlLogix Chassis
• 1756-L73 v30.012
• 1756-EN2T
• 1769-L24ER-QB1B v30.012
The lab employs the following software:
• Windows 10
• RSLinx Classic v3.90
• Studio 5000 v30
• FactoryTalk View Site Edition Client v9.00
• Cisco ASDM-IDM Launcher v7.6.2
• Firefox
About this lab
This lab is written to introduce the different features and benefits that Rockwell Automation EtherNet/IP products offer to harden
EtherNet/IP networks. This lab will focus on managed Stratix switches along with the Stratix 5950 Security Appliance to provide
network security to the lab network. There will be 5 labs to complete and accompanying each lab will be a short discussion by
the lab proctor.
Lab 1
Lab 1 Network Layout
[Lab 1 network layout diagram; devices at 192.168.1.254, 192.168.1.69, 192.168.1.149, 192.168.1.1, 192.168.1.2 and 192.168.1.56]
About this lab
In this lab we will be exploring a standard security feature offered by Stratix managed switches called certificates. Some people
may notice that when using the Stratix device manager a new warning appears showing that the site is not secure. These
warnings relate to the usage of security certificates in the Stratix switch when using a secure web page. The lab will explore what
a certificate is, how to view it and why Firefox would consider the Stratix web page not secure.
Lab 1 Steps
Certificates and encryption, benefits of cryptographic firmware (5 Minutes)
1. From the Desktop, double click the Firefox icon
2. On the top toolbar click the Stratix 5400 bookmark. This attempts to connect to the secure address of the Stratix
5400 switch at 192.168.1.1
3. Read the message that is shown stating that the connection is not secure
Each web browser presents this information differently but all relay the same important message
4. In the top left corner near the URL, click on the Information button as shown
5. Click on the arrow next to the message 192.168.1.1 Connection is Not Secure
6. Read the message that is displayed, this defines what the Connection is Not Secure warning actually means
7. Click the Advanced button below the Your connection is not secure warning
8. Review the items that are presented in the Advanced section
The three items of interest are:
• 192.168.1.1 uses an invalid security certificate
• The certificate is not trusted because it is self-signed
• The certificate is not valid for the name 192.168.1.1
9. Click Add Exception…
10. Click View
11. Under the General tab review the basic information of the certificate provided by the switch
The certificate information is provided when accessing web sites and URLs that begin with HTTPS (Hyper Text Transfer
Protocol Secure). We will be discussing the differences between traditional HTTP and HTTPS after this lab, as well as the
items we see on this screen. If desired, review the Details tab; this is an optional step.
12. Click Close
13. Click Confirm Security Exception at the bottom
This adds an exception to gain access to the Device Manager. This should only be done for trusted devices.
14. You will now be presented with the Stratix 5400 switch login page. Notice now at the top near the URL there is a
lock with a yellow warning sign
This indicates that you have added an exception for this site, which allows you to access the Device Manager over HTTPS even though the certificate is not trusted
15. Click on the Proper HTTPS bookmark at the top of the page
This navigates to https://rockwellautomation.custhelp.com
16. Notice the green lock located next to the URL then click on the information icon
17. Notice that this web page indicates there is a Secure Connection, click on the Arrow
18. Click More Information
19. Click View Certificate
20. Review the information provided from this certificate
This certificate is issued by a trusted Certificate Authority, in this case Symantec Corporation; this is why the connection
is considered secure, safe, or trusted
21. Close the windows using the X in the top right of the window and leave Firefox open for the next lab (You can
minimize Firefox).
22. This concludes lab 1; Please stop here and await the lab 1 discussion prior to moving to lab 2
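The three Firefox messages seen in step 8 (invalid certificate, self-signed, not valid for the name) are the output of checks a browser runs on every HTTPS certificate. The following script is an added example, not part of the lab or of any Rockwell or Cisco software: it reproduces those checks in plain Python on two constructed certificates in the dict shape that Python's ssl.SSLSocket.getpeercert() returns. The certificate contents, the "Example Trusted CA" issuer and the trust store are assumptions; trust is decided by issuer name only (a real browser verifies the signature chain), and an IP literal is accepted only from an "IP Address" subjectAltName, which is stricter than some browsers.

```python
"""The checks behind Firefox's 'connection is not secure' warnings, in plain Python."""
import ipaddress
import ssl
import time

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# They are illustrative stand-ins, not the real certificates of the lab switch or of custhelp.com.
SWITCH_CERT = {  # IOS-style self-signed certificate: issuer and subject are the same name, no SAN
    "subject": ((("commonName", "IOS-Self-Signed-Certificate-0123456789"),),),
    "issuer": ((("commonName", "IOS-Self-Signed-Certificate-0123456789"),),),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2037 GMT",
}
PUBLIC_SITE_CERT = {  # CA-issued certificate that names the site in its subjectAltName
    "subject": ((("commonName", "rockwellautomation.custhelp.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA Inc"),), (("commonName", "Example Trusted CA"),)),
    "subjectAltName": (("DNS", "rockwellautomation.custhelp.com"), ("DNS", "*.custhelp.com")),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2037 GMT",
}
# Constructed stand-in for the browser's root store: issuer common names we trust.
TRUST_STORE = {"Example Trusted CA"}


def _name(rdn_sequence):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) form into a dict."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def is_self_signed(cert):
    return _name(cert["subject"]) == _name(cert["issuer"])


def is_issued_by_trusted_ca(cert, trust_store):
    # Simplification: a browser verifies the signature chain up to a root certificate;
    # here trust is decided by the issuer's common name alone.
    return _name(cert["issuer"]).get("commonName") in trust_store


def _dns_match(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):  # a wildcard covers exactly one leftmost label
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def name_matches(cert, host):
    """Does the certificate cover the name the user typed (IP literal or DNS name)?"""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must appear as an 'IP Address' SAN; DNS entries and the CN never match it.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if not dns_names:  # legacy fallback when the certificate has no SAN: use the subject CN
        dns_names = [_name(cert["subject"]).get("commonName", "")]
    return any(_dns_match(pattern, host) for pattern in dns_names)


def is_within_validity(cert, now):
    """now is seconds since the epoch, the unit ssl.cert_time_to_seconds() produces."""
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])


def evaluate(cert, host, trust_store=TRUST_STORE, now=None):
    """Return the reasons a browser would refuse to call this connection secure ([] = trusted)."""
    if now is None:
        now = time.time()
    problems = []
    if is_self_signed(cert):
        problems.append("The certificate is not trusted because it is self-signed")
    elif not is_issued_by_trusted_ca(cert, trust_store):
        problems.append("The certificate is not trusted because the issuer is unknown")
    if not name_matches(cert, host):
        problems.append(f"The certificate is not valid for the name {host}")
    if not is_within_validity(cert, now):
        problems.append("The certificate has expired or is not yet valid")
    return problems


if __name__ == "__main__":
    for cert, host in ((SWITCH_CERT, "192.168.1.1"), (PUBLIC_SITE_CERT, "rockwellautomation.custhelp.com")):
        print(host, "->", evaluate(cert, host) or ["Secure Connection"])
```

Run against the switch certificate, evaluate() returns exactly the two reasons Firefox listed in step 8; against the CA-issued certificate it returns an empty list, which is the "Secure Connection" state of step 17. Adding a security exception (step 13) does not make either check pass; it tells the browser to remember this particular certificate for this particular address, which is why the lab says to do it only for devices you already trust.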
Lab 2
Lab 2 Network Layout
About this lab
In this lab we will be connecting our newly purchased 1769-L24 as part of our machine commissioning process. During this
connection process we will be exploring a security feature in the Stratix managed switches called port security. This is just one of
the many network security features that the Stratix managed switches offer to secure the network and increase the overall
security posture of the network.
[Lab 2 network layout diagram; devices at 192.168.1.254, 192.168.1.1, 192.168.1.2, 192.168.1.69, 192.168.1.149 and 192.168.1.56]
Lab 2 Steps
Port Security (10 Minutes)
1. Open RSLinx Classic from the desktop
2. Click on the RSWho button
3. Click the ( + ) next to the driver named NETSEC-Lab
4. RSLinx Classic should see the following devices:
• 192.168.1.1 – Stratix 5400
• 192.168.1.2 – Stratix 5700
• 192.168.1.56 – 1756-EN2T
Devices not seen should appear with a Red X or Yellow ?
5. From the taskbar maximize the NETSEC_HMI by clicking on the shown graphic:
We’ve already opened the NETSEC_HMI from the desktop, you just need to bring it to focus in Windows
6. Login to the HMI with the following credentials:
• Username: labuser
• Password: rockwell
The initial HMI screen monitors the status of the network from the 1756-L73 controller. Any network issues are
indicated with a flashing Black/Red connection and a graphic over the device that is not connecting to the 1756-L73
7. The HMI screen indicates a connection issue between the 1769-L24 and the 1756-L73
Since the device is still disconnected, the connection cannot establish
8. Connect the cable from the 1769-L24 to the Stratix 2000 unmanaged switch using any port (shown below)
9. Return to the HMI with the network monitoring display. Take note that a connection issue is still present but
there is also an additional message on the display.
This message is generated by the switch using an Add-on-Instruction in the controller and indicates there is an
unauthorized device connected to the switch. We need to ensure that this is not a true security concern.
10. Move the mouse over the picture of the Stratix 5400 and click on it
This launches the Stratix 5400 diagnostic faceplate
11. From the display of the faceplate we can see that there is a fault or alarm on port 4
12. Click on the Alarms tab at the top
13. Click on Page 2 at the top then click the right or left arrows shown in the red box below to select Gi 1/4 as
shown below
The bottom of the faceplate indicates which ports are currently reporting faults, you may not see the Link Fault
alarm
14. Review the list of Port Alarms to confirm that Port 4 is causing the alarm, note that you may not see the
Link Fault alarm
The faceplate tells us exactly what we suspected, port 4 has an unauthorized device connected to it via a port security
violation. We know that we just connected our 1769-L24 to the Stratix 2000 which is connected to port 4 of the Stratix
5400. We must not be allowing enough MAC addresses to connect to port 4 of the Stratix 5400
15. Maximize Firefox from the taskbar
16. Click the Stratix 5400 bookmark at the top in the bookmark bar
17. Log into the switch using rockwell for the username and password
18. From the top menu go to Monitor → Syslog
The Syslog logs a variety of messages from the switch ranging from critical alarms to informational and debugging
messages
19. Take note of the current messages that are appearing at the bottom of the syslog, if needed resize the
Description column
Your message will read similarly; the MAC address displayed will vary:
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
ABCD.ABCD.ABCD on port GigabitEthernet1/4
Because we are using the Automation Device smartport we are limiting the number of MAC addresses allowed through the
particular port. We didn’t consider that we would be using an unmanaged switch on this port with multiple devices
20. On the Stratix Device Manager go to Configure → Port Security
21. Select port Gi1/4 and select Edit
22. Change the Maximum MAC Count Allowed from 2 to 3 then click OK
23. Maximize the HMI from the task bar by clicking the
24. Verify that the !!!!Unauthorized device detected!!!! message is no longer present and the alarms page
lists no Port Alarms (This may take a moment)
You will also notice that the HMI is reporting that a connection problem still persists for the 1769-L24
25. This concludes lab 2; Please stop here and await the lab 2 discussion prior to moving to lab 3
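Step 9 makes the point that a port security alarm is an event to triage, not just a limit to raise: before changing the Maximum MAC Count, confirm that the MAC in the syslog message belongs to a device you expect on that port. The script below is an added example, not code from the lab or from the Stratix firmware. It parses the PSECURE_VIOLATION message format shown in step 19 from a constructed syslog export (timestamps, MAC addresses and the extra Gi1/7 event are made up), compares each violating MAC with a constructed asset inventory, and recommends raising the limit only for inventoried devices.

```python
"""Triage port-security violations from the switch syslog against an asset inventory."""
import re
from collections import defaultdict

# Cisco IOS port-security violation message, as the Stratix syslog displays it.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}) "
    r"on port (?P<port>\S+)"
)

# Constructed sample syslog export (timestamps, MACs and the Gi1/7 event are made up).
SAMPLE_SYSLOG = """\
Mar  1 10:02:11 192.168.1.1 %LINK-3-UPDOWN: Interface GigabitEthernet1/4, changed state to up
Mar  1 10:02:13 192.168.1.1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/4
Mar  1 10:02:14 192.168.1.1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/4
Mar  1 10:05:40 192.168.1.1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address DEAD.BEEF.0001 on port GigabitEthernet1/7
"""

# Constructed asset inventory: MAC address -> what the plant expects to find on the wire.
KNOWN_DEVICES = {
    "0011.2233.4455": "1769-L24ER (new machine controller, behind the Stratix 2000)",
    "0011.2233.6677": "Engineering PC (behind the Stratix 2000)",
}


def parse_violations(syslog_text):
    """Map each port to the distinct MACs that triggered a violation on it, in order of first sight."""
    per_port = defaultdict(list)
    for line in syslog_text.splitlines():
        match = VIOLATION_RE.search(line)
        if match:
            mac = match["mac"].lower()
            if mac not in per_port[match["port"]]:
                per_port[match["port"]].append(mac)
    return dict(per_port)


def triage(per_port, inventory):
    """Split each port's violating MACs into inventoried devices and unknowns that need investigation."""
    report = {}
    for port, macs in per_port.items():
        known = [m for m in macs if m in inventory]
        report[port] = {
            "known": known,
            "unknown": [m for m in macs if m not in inventory],
            "verdict": "raise MAC limit" if known and len(known) == len(macs) else "investigate",
        }
    return report


def recommended_max(current_max, known_violating):
    """Raise the per-port limit only by the number of inventoried devices that tripped it."""
    return current_max + known_violating


if __name__ == "__main__":
    findings = parse_violations(SAMPLE_SYSLOG)
    for port, detail in triage(findings, KNOWN_DEVICES).items():
        print(port, detail)
    print("Gi1/4 new Maximum MAC Count Allowed:", recommended_max(2, len(findings["GigabitEthernet1/4"])))
```

For Gi1/4 the only violating MAC is the inventoried 1769-L24, so the verdict is to raise the limit from 2 to 3, which is the change made in step 22. The constructed Gi1/7 event shows the other outcome: a MAC nobody has inventoried gets "investigate", and the limit on that port stays where it is.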
Lab 3
Lab 3 Network Layout
[Lab 3 network layout diagram; devices at 192.168.1.254, 192.168.1.69, 192.168.1.149, 192.168.1.1, 192.168.1.2 and 192.168.1.56]
About this lab
In this lab we will be reviewing the firewall portion of the Stratix 5950 configuration. The firewall can be configured to block many
types of traffic and provide a strong security boundary between the inside and outside networks. We will be ensuring that the
proper traffic flows are permitted through the firewall to complete the commissioning of our new machine.
Lab 3 Steps
Stratix 5950 Access Control Lists (ACL) (15 Minutes)
1. Maximize RSLinx Classic from the task bar
2. Verify that RSLinx Classic can now see all four devices
Recall previously in Lab 2 RSLinx Classic could not connect to the 1769-L24
The Engineering PC has good communication to both the 1756-EN2T (1756-L73) and the 1769-L24. However, if we review
the HMI screen, a connection issue is still reported between the 1769-L24 and the 1756-L73 controller. We verified this at
the end of the last lab, but if you would like, return to the HMI and verify the communication issue again.
3. From the desktop, double click the Cisco ASDM-IDM Launcher
4. On the login screen for the Cisco ASDM-IDM Launcher enter rockwell for the password
5. Click Continue for both of the certificate warnings that appear (This may take a few moments)
6. At the bottom right of the Home page, click on the maximize button for the latest ASDM Syslog Messages
7. Review the log messages, specifically the messages that appear in yellow. If needed click the red Stop
button on the right to stop messages from scrolling
Look for messages with a Source IP of 192.168.1.56 and a Destination IP of 192.168.1.69
The firewall log is informing us that a connection from 192.168.1.56 to 192.168.1.69 is being blocked. These addresses
correlate to our 1756-L73 and our 1769-L24 controllers. This is likely why our HMI is still reporting a connection problem.
8. Click Configuration at the top of the Cisco ASDM
9. In the bottom left, click Firewall
10. Click on the second rule on the inside1 interface and click Edit
11. Click the button to the right of Destination under Destination Criteria
12. Double click on the 1769-L24 network object as highlighted below, verify that the entry was added to the
Destination -> section then click OK
13. Click OK on the Edit Access Rule page
14. Click Apply at the bottom of the Firewall Access Rules page
15. Maximize the HMI from the taskbar
16. The HMI should no longer indicate that the 1769-L24 is experiencing connection issues
That’s great! But what did we do? The Stratix 5950 was pre-configured for our lab to have Network Objects (Logical names
for IP addresses) and Service Objects (Logical names for source/destination port pairs). We added our 1769-L24 controller
to a pre-existing rule in the Firewall. This pre-existing rule allows TCP CIP connections from the inside to pass through the
Firewall to whatever devices we specify in the destination field. We will discuss this more at the end of the lab.
17. From the desktop open the Command Prompt
18. In the Command Prompt enter the following command:
• Ping 192.168.1.56
19. Take note of the results, if time permits review the Stratix 5950 Firewall rules to determine why the ping failed. You can
also spend time trying other methods to access the 1756-L73, such as HTTP.
20. This concludes lab 3; Please stop here and await the lab 3 discussion prior to moving to lab
Lab 4
Lab 4 Network Layout (Same as Lab 3)
[Lab 4 network layout diagram; devices at 192.168.1.254, 192.168.1.69, 192.168.1.149, 192.168.1.1, 192.168.1.2 and 192.168.1.56]
About this lab
In this lab we will continue our commissioning process and make edits to our 1769-L24 controller that we are installing. We will be exploring the Deep Packet Inspection (DPI) configuration of the Stratix 5950 and what effect it is having on our CIP traffic. We will be using a combination of Studio 5000 and Cisco ASDM to complete the lab.
Lab 4 Steps
Deep Packet Inspection (DPI) using the Stratix 5950 (15 Minutes)
1. From the desktop, open Studio 5000
2. Under the Recent Projects click on NETSEC_L73_v30
As part of our commissioning process we need to download a new program to our 1756-L73 ControlLogix controller
3. At the top, click on the Communications menu then select Download
You’ll notice an error message appear stating that Studio 5000 can no longer communicate with RSLinx and that Logix
Designer has been taken offline.
All we did is download to the controller…why would we lose connection with our controller? Let’s investigate...
4. Click OK for both errors
5. Maximize ASDM from the task bar
6. In the top of ASDM click on Monitoring
7. In the bottom left of the ASDM window click on ASA FirePOWER Monitoring
8. On the left side click on Real Time Eventing
9. In the center of the ASDM window, events should be shown, move your mouse over one and select View
Details
10. Review the items on the page, the details of this event contain a wealth of information. For our purposes of
commissioning this machine we want to look under the Policy details. These details inform us as to what
Policy and Rule blocked us from downloading to the controller
We now know what Policy and Rule blocked us, now we need to go ahead and review how this is configured to ensure it is
correct
11. At the top of the ASDM window click on Configuration
12. In the bottom left of the ASDM window click on ASA FirePOWER Configuration
13. On the left, expand Policies using the ( + ) button and click Access Control Policy
14. Under the Access Control Policy (ACP) list, click on the pencil on the right hand side for the Block PAC
Changes ACP
15. Under the Standard Rules heading click the pencil on the right side for Rule Policy 1.a to 1756-L73
16. Click on the Networks tab and review the options presented
This is where the Source and Destination networks are defined for our DPI policies and rules. Notice we are using this rule
for any source network and just the 1756-L73 as the destination network
17. Once done reviewing the Networks tab, click on the Applications tab
18. On the Applications tab we configure specific applications that we want to block
Note: It may take a moment to load the Application Filters
19. In the Application Filters search box, type cip which will return the results that are specific to the Common
Industrial Protocol (CIP).
The below screenshot calls out the available application filters for CIP on the left side of the ASDM window. On the right
side of the ASDM window we can review what filter we currently have selected and at the top for the action we define what
we want to happen for that specific application.
20. Click the checkbox next to CIP RA Admin and review the items that are included in the filter
To summarize what these items have shown, we are blocking all CIP RA Admin traffic from any outside network with a
destination of the 1756-L73. Based on the name of the rule, Policy 1.a, we can assume there are rules and procedures in
place to prevent remote downloading.
21. If time permits, explore the FirePOWER configuration using ASDM, otherwise close ASDM, if prompted to
save, click Save
22. This concludes lab 4; Please stop here and await the lab 4 discussion prior to moving to lab 5
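Labs 3 and 4 show two filtering layers on the Stratix 5950: the access rule of Lab 3 decides on addresses, protocol and port (network and service objects), and the FirePOWER access control policy of Lab 4 inspects the CIP traffic the access rule already let through and blocks a specific application, here CIP RA Admin, to one destination. The script below is an added example that models both layers; it is not the appliance's configuration or code from Rockwell or Cisco. The object names, the contents of the two starting rules (rule 2 standing in for the "second rule on inside1" of Lab 3), the application labels and the way the HMI connection is represented are assumptions; interfaces, security levels and stateful return traffic are left out. Port 44818/TCP is EtherNet/IP explicit messaging.

```python
"""Two filtering layers of the Stratix 5950: a 5-tuple access rule (Lab 3) and the
FirePOWER application policy that inspects the CIP traffic the rule let through (Lab 4)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed objects modelled on the lab's pre-configured 5950. The object names, the
# starting rule contents and the application labels are assumptions, not the lab's real config.
NETWORK_OBJECTS = {
    "1756-L73": ipaddress.ip_network("192.168.1.56/32"),
    "1769-L24": ipaddress.ip_network("192.168.1.69/32"),
    "Engineering-PC": ipaddress.ip_network("192.168.1.149/32"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
SERVICE_OBJECTS = {             # (protocol, destination port); None = any port
    "CIP-TCP": ("tcp", 44818),  # EtherNet/IP explicit messaging
    "HTTP": ("tcp", 80),
    "ICMP": ("icmp", None),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    application: Optional[str] = None  # what DPI identified inside the session, if anything


@dataclass(frozen=True)
class AccessRule:   # one line of ASDM's Firewall > Access Rules
    action: str     # "permit" or "deny"
    sources: tuple
    destinations: tuple
    services: tuple


@dataclass(frozen=True)
class AppRule:      # one rule of a FirePOWER Access Control Policy
    name: str
    action: str     # "block" or "allow"
    destinations: tuple
    applications: tuple


def _in_objects(addr, names):
    ip = ipaddress.ip_address(addr)
    return any(ip in NETWORK_OBJECTS[name] for name in names)


def _service_matches(pkt, names):
    return any(proto == pkt.proto and port in (None, pkt.dport)
               for proto, port in (SERVICE_OBJECTS[name] for name in names))


def evaluate_acl(rules, pkt):
    """First matching rule wins; an ASA access list ends with an implicit deny."""
    for number, rule in enumerate(rules, 1):
        if (_in_objects(pkt.src, rule.sources) and _in_objects(pkt.dst, rule.destinations)
                and _service_matches(pkt, rule.services)):
            return rule.action, number
    return "deny", None


def add_destination(rules, number, object_name):
    """Copy of the rule list with object_name added to rule `number` (Lab 3, steps 10-14)."""
    rule = rules[number - 1]
    edited = replace(rule, destinations=rule.destinations + (object_name,))
    return rules[:number - 1] + [edited] + rules[number:]


def evaluate_policy(app_rules, pkt):
    """DPI layer: consulted only for traffic the access rule already permitted."""
    for rule in app_rules:
        if _in_objects(pkt.dst, rule.destinations) and pkt.application in rule.applications:
            return rule.action, rule.name
    return "allow", None


def decide(acl, app_rules, pkt):
    """Combined verdict, in the order the appliance applies the two layers."""
    if evaluate_acl(acl, pkt)[0] != "permit":
        return "blocked by access rule"
    action, name = evaluate_policy(app_rules, pkt)
    return f"blocked by DPI rule '{name}'" if action == "block" else "permitted"


# Assumed starting point: rule 1 lets anyone reach the 1756-L73 over CIP; rule 2 (the
# "second rule on inside1" of Lab 3) lists the peers the 1756-L73 may open CIP sessions to.
INITIAL_ACL = [
    AccessRule("permit", ("any",), ("1756-L73",), ("CIP-TCP",)),
    AccessRule("permit", ("1756-L73",), ("Engineering-PC",), ("CIP-TCP",)),
]
BLOCK_PAC_CHANGES = [AppRule("Policy 1.a to 1756-L73", "block", ("1756-L73",), ("CIP RA Admin",))]

if __name__ == "__main__":
    hmi_link = Packet("192.168.1.56", "192.168.1.69", "tcp", 44818)
    print("before edit:", evaluate_acl(INITIAL_ACL, hmi_link))
    acl = add_destination(INITIAL_ACL, 2, "1769-L24")
    print("after edit: ", evaluate_acl(acl, hmi_link))
    print("ping L73:   ", evaluate_acl(acl, Packet("192.168.1.149", "192.168.1.56", "icmp")))
    print("download:   ", decide(acl, BLOCK_PAC_CHANGES,
                                 Packet("192.168.1.149", "192.168.1.56", "tcp", 44818, "CIP RA Admin")))
```

Walking through it reproduces the lab: the 1756-L73 to 1769-L24 CIP session hits the implicit deny until the 1769-L24 object is added to rule 2 (Lab 3 step 16); the ping and HTTP attempts of Lab 3 step 19 match no permit and are dropped; and the Studio 5000 download of Lab 4 passes the access rule (CIP on 44818 to the 1756-L73 is permitted) but is blocked by the DPI rule because the application inside the session is CIP RA Admin. The same download to the 1769-L24 would pass, since the policy names only the 1756-L73 as destination. None of this applies in Lab 5, where the PC is moved into the cell and its traffic to the controller never crosses the appliance.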
Lab 5
Lab 5 Network Layout – Same as Lab 4
[Lab 5 network layout diagram; devices at 192.168.1.254, 192.168.1.69, 192.168.1.149, 192.168.1.1, 192.168.1.2 and 192.168.1.56]
About this lab
In this lab we will be following a made-up policy called “Policy 1.a”. This policy was defined by your company’s security staff and
is a part of the Policies and Procedures portion of the Defense-in-Depth strategy. “Policy 1.a” defines that in order to perform
any administrative maintenance on a PLC program, the maintenance engineer must be connected to the local switch and have
line of sight of the PLC in question. This policy was put in place to avoid remotely performing administrative actions on a PLC
through the entirety of the enterprise or industrial network. We will be following the policy by opening a maintenance port on the
local Stratix 5700 switch so that we can connect closer to the PLC by accessing the switch in the same cell.
Lab 5 Steps
Following “Policy 1.a” (5 Minutes)
1. Maximize the HMI from the task bar and login if needed
Username: labuser
Password: rockwell
2. Hover the mouse over the Stratix 5700, you will notice that it highlights. This is because the Stratix 5700
contains a button to open a new display
3. Attempt to click the button (click on the Stratix 5700)
Nothing should happen, we need to login prior to using this display. This display is reserved only for maintenance and we do not want all users to have access to it.
4. In the bottom right of the display click the Login button
5. In the login field, enter the following credentials
• User name: maint
• Password: rockwell
6. Once the Login/Logout process is completed, click the Stratix 5700 button again
The Maint display is opened which will allow us to programmatically enable a port so we can download our new program to
the 1756-L73
7. Click the Enable Maintenance Port button
8. Notice that two items change on the display:
The Stratix 5700 now has a green port with an M labeled on top of it indicating it is now a maintenance port and the button
has changed status to Maintenance Port Enabled
9. We need to connect the PC into port 16 of the Stratix 5700 switch. Move the PC, connected to port 3 of the
Stratix 2000, to port 16 of the Stratix 5700.
10. Maximize Studio 5000
11. At the top, click on the Communications menu then select Download
You’ll notice that this time we did not lose communication with the controller. This is because we are connected locally to
the cell and have direct access to the controller via the Stratix 5700
12. Maximize RSLinx Classic and browse the NETSEC-Lab, Ethernet driver
Take note that two devices now appear with Red Xs. Why is that? Be prepared to answer this question in the following
discussion.
15. This concludes lab 5; Please stop here and await the lab 5 discussion
Instructor only – Lab Reset
Network Layout – Start of lab
Stratix 5400 Port 1 Connects to Stratix 5950 Port 1
Stratix 5400 Port 3 Connects to Stratix 5950 Management (Mgmt)
Stratix 5400 Port 4 Connects to Stratix 2000
Stratix 2000 Port 3 Connects to Computer
Stratix 2000 Port 2 Is disconnected from 1769-L24
Stratix 5700 Port 1 Connects to 1756-EN2T
Stratix 5700 Port Gigabit 1 Connects to Stratix 5950 Port 2
[Network layout diagram at start of lab: Stratix 5400 (192.168.1.1), Stratix 5950 (192.168.1.254), Stratix 5700 (192.168.1.2), 1756-L73 (192.168.1.56), Stratix 2000, 1769-L24 (192.168.1.69), Computer (192.168.1.149)]
Device IP address assignment
Device             Assignment method        IP address
1756-EN2T          DHCP Persistence         192.168.1.56
Stratix 5700       Static via config file   192.168.1.2
Stratix 5950 BVI   Static via config file   192.168.1.254
Stratix 5950 Mgmt  Static via lab setup     192.168.1.253
Stratix 5400       Static via config        192.168.1.1
Computer           Static via VM            192.168.1.149
1769-L24ER         Static via lab setup     192.168.1.69
README
At the beginning of each event and after each lab, please perform the lab reset procedure. Only use the lab setup procedure IF
AND ONLY IF a device does not respond at its configured IP address or other unforeseen issues occur. Prior to starting the
below steps, ensure that the cables are connected as shown above.
Disconnect Devices
1. Disconnect the 1769-L24 controller from the Stratix 2000
2. Move the PC’s Ethernet cable from the Stratix 5700 port 16 back to the Stratix 2000
Restore Stratix 5950 Access Rules
1. Open Cisco ASDM-IDM Launcher from the desktop
2. On the login screen for the Cisco ASDM-IDM Launcher enter rockwell for the password
3. Click Continue for both of the certificate warnings that may appear (This may take a few moments)
4. Click Tools → Restore Configurations
5. On the Restore Configurations menu click the Browse Local… button
6. Navigate to C:\Users\Labuser\Documents\Lab Files\Stratix 5950\Firewall Config and select
NETSEC_5950_FW and click Select file
7. Click Next
8. On the next Restore Configurations screen check box Running Configuration and Start-up
configuration and click Restore
9. If an error appears relating to failover pair click Yes
10. Click Replace on the Running Configuration Restore screen
11. After a short time the Restore Progress will be complete. Sometimes this step gets stuck at 98%; if this
happens it is OK to close the window, and the restore should still be successful
Reset Port Security Settings on Stratix 5400
1. Open Firefox from the desktop
2. On the top toolbar click the Stratix 5400 bookmark. This connects to the secure address of the Stratix 5400
switch at 192.168.1.1
3. Log into the switch using rockwell as the username and password
4. On the Stratix Device Manager go to Configure → Port Security
5. Select port Gi1/4 and select Edit
6. Uncheck the box for Enable and change the Maximum MAC Count Allowed from 3 to 2 then click OK
7. Select port Gi1/4 and select Edit
8. Click the Enable check box and click OK
9. Close Firefox
10. Disconnect the cable in port Gi 1/4, wait a moment and reconnect the cable
Restart the VM
Instructor Only – Lab Setup
Tools & prerequisites
• Software programs required
  – RSLinx Classic v3.90
  – Studio 5000 Logix Designer v30
  – Firefox
  – FactoryTalk View Site Edition Client
  – Cisco Adaptive Security Device Manager (ASDM)
• Hardware devices required
  – NET-SEC Demo Box
  – Stratix 5950 demo stand
• Files required
  – Stratix_5950_Lab Files
  – Config - NETSEC_5950_FW
  – FirePOWER - NETSEC_FP-2017-08-31T11-09-42.tgz
  – Stratix5700: Config.text
  – Stratix5400: Config.text
Network Layout – Start of lab (Wait to connect cables till end of setup)
Stratix 5400 Port 1 Connects to Stratix 5950 Port 1
Stratix 5400 Port 3 Connects to Stratix 5950 Management
Stratix 5400 Port 4 Connects to Stratix 2000
Stratix 2000 Port 3 Connects to Computer
Stratix 2000 Port 2 Is disconnected from 1769-L24
Stratix 5700 Port 1 Connects to 1756-EN2T
Stratix 5700 Port Gigabit 1 Connects to Stratix 5950 Port 2
Device IP address assignment
Device              Assignment method        IP address
1756-EN2T           DHCP Persistence         192.168.1.56
Stratix 5700        Static via config file   192.168.1.2
Stratix 5950 BVI    Static via config file   192.168.1.254
Stratix 5950 Mgmt   Static via lab setup     192.168.1.253
Stratix 5400        Static via config        192.168.1.1
Computer            Static via VM            192.168.1.149
1769-L24ER          Static via lab setup     192.168.1.69
README
The lab setup should not need to be completed for each lab/event. The lab setup is ONLY for an event where the hardware
cannot be accessed at its configured IP address. At the start of each event the lab reset procedure should be completed, which
will leave the hardware in a lab-ready state.
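A small reachability check, added here as an example and not part of the Rockwell lab manual, that applies the rule stated in both README sections: if every device answers at its configured address from the table above, run the lab reset; if any device is silent, run the lab setup. The probe ports (443 for the Stratix web/ASDM interfaces, 44818 EtherNet/IP for the controller communication modules) and the TCP probe itself are assumptions; the PC’s own address is not probed.

```python
import socket

# Device IP assignments as printed in the lab manual's table.
# Ports are assumptions: 443 for the Stratix web/ASDM interfaces,
# 44818 (EtherNet/IP) for the controller modules. The PC is not probed.
LAB_DEVICES = {
    "1756-EN2T":         ("192.168.1.56",  44818),
    "Stratix 5700":      ("192.168.1.2",   443),
    "Stratix 5950 BVI":  ("192.168.1.254", 443),
    "Stratix 5950 Mgmt": ("192.168.1.253", 443),
    "Stratix 5400":      ("192.168.1.1",   443),
    "1769-L24ER":        ("192.168.1.69",  44818),
}


def tcp_probe(ip, port, timeout=2.0):
    """Return True if a TCP connection to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def unreachable_devices(devices, probe=tcp_probe):
    """Return the sorted names of devices that did not answer at their configured address."""
    return sorted(name for name, (ip, port) in devices.items() if not probe(ip, port))


def lab_procedure(devices, probe=tcp_probe):
    """Apply the manual's rule: lab reset when all devices answer, lab setup otherwise.

    Returns a (procedure, unreachable_names) tuple.
    """
    missing = unreachable_devices(devices, probe)
    return ("lab reset" if not missing else "lab setup", missing)


if __name__ == "__main__":
    action, missing = lab_procedure(LAB_DEVICES)
    print(f"Recommended procedure: {action}")
    for name in missing:
        ip, port = LAB_DEVICES[name]
        print(f"  no response from {name} at {ip}:{port}")
```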
Prepare Stratix 5400 for the lab
Only perform this setup if the RESET procedure did not work
1. Factory reset the switch by pressing and holding the Express Setup button with a paper clip until the Setup
status indicator flashes alternating green and red during seconds 16...20, and then release.
2. While the Stratix 5400 is resetting, right click the Change to 169 address.bat located in
C:\Users\Labuser\Documents\Lab Files\Stratix\Setup\IP Address batch files and select Run as
Administrator
3. Disconnect all cables from the Stratix 5400
4. Once the Stratix 5400 is fully booted, press the express setup button with a paper clip and release
5. Connect the computer to the port that is flashing green
6. Open Firefox from the desktop
7. In the URL web bar type in 169.254.0.1
8. Click Advanced then click Add Exception
9. Uncheck the check box for Permanently store this exception
10. Click Confirm Security Exception
11. Login with the default credentials
   • Username: blank (Leave field empty)
   • Password: switch
12. On the express setup page fill in the parameters below and click Submit
   • For the password enter rockwell
13. Enter the below credentials when prompted
   • User Name: rockwell
   • Password: rockwell
14. Go to Admin → Load/Save
15. Click Browse and navigate to C:\Users\Labuser\Documents\Lab Files\Stratix\Stratix Configs\Stratix 5400
16. Select config.text and click Open
17. Click Upload
18. The following message should appear in the top right
19. Disconnect from the Stratix 5400. The initial lab setup should be complete. We will verify the configuration
after all devices are loaded.
Prepare Stratix 5700 for the lab
Only perform this setup if the RESET procedure did not work
1. Factory reset the switch by pressing and holding the Express Setup button with a paper clip until the Setup
status indicator flashes alternating green and red during seconds 16...20, and then release.
2. (Skip if this was done for the Stratix 5400 setup) While the Stratix 5700 is resetting, right click the Change to
169 address.bat located in C:\Users\Labuser\Documents\Lab Files\Stratix\Setup\IP Address batch files and
select Run as Administrator
3. Disconnect all cables from the Stratix 5700
4. Once the Stratix 5700 is fully booted, press the express setup button with a paper clip and release
5. Connect the computer to the port that is flashing green
6. Open Firefox from the desktop
7. In the URL web bar type in 169.254.0.1
8. Click Advanced then click Add Exception
9. Uncheck the check box for Permanently store this exception
10. Click Confirm Security Exception
11. Login with the default credentials
   • Username: blank (Leave field empty)
   • Password: switch
12. On the express setup page fill in the parameters below and click Submit
   • For the password enter rockwell
13. Enter the below credentials when prompted
   • User Name: rockwell
   • Password: rockwell
14. Go to Admin → Load/Save
15. Click Browse and navigate to C:\Users\Labuser\Documents\Lab Files\Stratix\Stratix Configs\Stratix 5700
16. Select config.text and click Open
17. Click Upload
18. The following messages should appear in the top right
19. Once both the Stratix 5400 (above) and the Stratix 5700 have had their configuration files loaded, cycle
power to the demo box. Do not cycle power to the Stratix 5950.
Prepare Stratix 5950 for the lab
Only perform this setup if the RESET procedure did not work
1. Factory reset the Stratix 5950 by using a paperclip or small screwdriver to hold the express setup
button for 4 seconds and then release it. Wait at least 30 seconds after releasing to confirm that the
reset succeeded. The Stratix 5950 should begin a reboot cycle; you should hear the hardware bypass engage and the
Port LEDs will begin flashing. Allow 5 minutes or more for the Stratix 5950 to fully boot. The Stratix
5950 is fully booted when the Port LEDs stop flashing.
2. Disconnect all cables from the Stratix 5950 if any are present
3. Connect the PC to the Management port of the Stratix 5950
4. Open Cisco ASDM-IDM Launcher from the desktop
5. For the login details enter 169.254.0.1 for the IP address and leave the username and password blank then
click OK
6. Click Continue for any security exception warnings (There may be two)
7. If the following error occurs click Cancel
8. Once ASDM finishes loading run through the Device Setup, it should start automatically
   • Step 1: Click Next
   • Step 2: Enter rockwell for the New Password: and Confirm New Password: then click Next
   • Step 3: Enter 192.168.1.254 for the Management IP Address: and select 255.255.255.0 for the Subnet Mask: then
     click Next
   • Steps 4-8: Click Next
   • Step 9: If prompted, accept the agreement and click Next, otherwise just click Next
   • Step 10: Under IPv4 enter 192.168.1.253 for IP Address: Select 255.255.255.0 for Subnet Mask: Enter 192.168.1.1 for
     Gateway: then click Next
   • Step 11: Click Finish
9. The following page may appear for at least 30 seconds; be patient and it will finish
10. When prompted enter the Password: of rockwell while leaving the username field empty
11. Click the Tools menu at the top and select Restore Configurations
12. On the Restore Configurations menu click the Browse Local… button
13. Navigate to C:\Users\Labuser\Documents\Lab Files\Stratix 5950\Firewall Config and select
NETSEC_5950_FW and click Select file
14. Click Next
15. On the next Restore Configurations screen check box Running Configuration and Start-up
configuration and click Restore
16. If an error appears relating to failover pair click Yes
17. Click Replace on the Running Configuration Restore screen
18. After a short time the Restore Progress will be complete. Sometimes this step gets stuck at 98%; if this
happens it is OK to close the window, and the restore should still be successful
19. The Stratix 5950 will no longer be accessible from the 169.254.0.1 address. This should conclude the usage
of this address range. Navigate to C:\Users\Labuser\Documents\Lab Files\Stratix\Setup\IP Address batch
files and right click the Change to 192 address.bat and select Run as Administrator
20. Connect all cables as shown from the beginning of this setup section
5950 FirePOWER Restore
Only perform this setup if the RESET procedure did not work
1. Once the Stratix 5950 is fully booted and all cables are connected open Cisco ASDM-IDM Launcher
2. Connect using the following credentials:
   • Device IP Address / Name: 192.168.1.254
   • Username: rockwell
   • Password: rockwell
3. Click Continue for the two Security Warnings
4. Click Configuration
5. Click ASA FirePOWER Configuration
6. Expand Tools then click Backup Restore
7. Click Upload Backup in the top right of the window
8. Click Choose File
9. Navigate to C:\Users\Labuser\Documents\Lab Files\Stratix\Stratix 5950\FirePOWER Backup and select the
file NETSEC_FP-2017-08-31T11-09-42.tgz then click Open
10. Click Upload Backup
11. The following display will appear indicating completion
12. Click the Backup Management tab
13. Allow 1-3 minutes for the backup to appear here; it should appear as follows once complete
14. Click the checkbox next to the backup with the file name starting with NETSEC and click Restore
15. Click Restore on the next prompt
16. Allow at least 15 minutes for this process to complete. It is crucial that power is not lost to the device during
this process. During the process ASDM may appear to lose communication with the Stratix 5950. It may be
best to continue with the rest of the lab setup and return here to finish the Stratix 5950 setup
17. Refresh ASDM after waiting and another Security Warning may appear, click Continue
18. Expand Policies then click Access Control Policy
19. Verify that the Block PAC Changes policy is present and Applied to Device
20. The Stratix 5950 setup is complete, close ASDM
Prepare 1756-L73 for the lab
Only perform this setup if the RESET procedure did not work
1. Connect the PC directly to the 1756-EN2T
2. Navigate to C:\Users\Labuser\Documents\Lab Files\PACs\ACD and double click the
NETSEC_L73_v30.acd file
3. Click Communications → Download
Prepare 1769-L24ER for the lab
Only perform this setup if the RESET procedure did not work
1. Connect the Ethernet cable from the 1769-L24ER to the Stratix 2000 switch
2. Assign an address to the 1769-L24 module using either a USB cable or the BOOTP/DHCP Utility
3. Navigate to C:\Users\Labuser\Documents\Lab Files\PACs\ACD and double click the
NETSEC_L24_v30.acd file
4. Click Communications → Download
5. Once complete disconnect the cable from the 1769-L24ER to the Stratix 2000 switch
Publication XXXX-XX###X-EN-P — Month Year Copyright© 2017 Rockwell Automation, Inc. All rights reserved.
Supersedes Publication XXXX-XX###X-EN-P — Month Year