Lab – Configuring Switch Security Features
Topology
Addressing Table
Device | Interface | IP Address   | Subnet Mask   | Default Gateway
R1     | G0/1      | 172.16.99.1  | 255.255.255.0 | N/A
S1     | VLAN 99   | 172.16.99.11 | 255.255.255.0 | 172.16.99.1
PC-A   | NIC       | 172.16.99.3  | 255.255.255.0 | 172.16.99.1
Objectives
Part 1: Set Up the Topology and Initialize Devices
Part 2: Configure Basic Device Settings and Verify Connectivity
Part 3: Configure and Verify SSH Access on S1
· Configure SSH access.
· Modify SSH parameters.
· Verify the SSH configuration.
Part 4: Configure and Verify Security Features on S1
· Configure and verify general security features.
· Configure and verify port security.
Background / Scenario
It is quite common to lock down access and install good security features on PCs and servers. It is important that your network infrastructure devices, such as switches and routers, are also configured with security features.
In this lab, you will follow some best practices for configuring security features on LAN switches. You will only allow SSH and secure HTTPS sessions. You will also configure and verify port security to lock out any device with a MAC address not recognized by the switch.
Note: The router used with CCNA hands-on labs is a Cisco 1941 Integrated Services Router (ISR) with Cisco IOS Release 15.2(4)M3 (universalk9 image). The switch used is a Cisco Catalyst 2960 with Cisco IOS Release 15.0(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of this lab for the correct interface identifiers.
Note: Make sure that the router and switch have been erased and have no startup configurations. If you are unsure, contact your instructor or refer to the previous lab for the procedures to initialize and reload devices.
Required Resources
· 1 Router (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
· 1 Switch (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
· 1 PC (Windows 7, Vista, or XP with terminal emulation program, such as Tera Term)
· Console cables to configure the Cisco IOS devices via the console ports
· Ethernet cables as shown in the topology
Part 1: Set Up the Topology and Initialize Devices
In Part 1, you will set up the network
topology and clear any configurations if necessary.
Step 1: Cable the network as shown in the topology.
Step 2: Initialize and reload the router and switch.
If configuration files were previously
saved on the router or switch, initialize and reload these devices back to
their basic configurations.
Part 2: Configure Basic Device Settings and Verify Connectivity
In Part 2, you configure basic settings
on the router, switch, and PC. Refer to the Topology and Addressing Table at
the beginning of this lab for device names and address information.
Step 1: Configure an IP address on PC-A.
Step 2: Configure basic settings on R1.
a. Configure the device name.
b. Disable DNS lookup.
c. Configure interface IP address as shown in the Addressing Table.
d. Assign class as the privileged EXEC mode password.
e. Assign cisco as the console and vty password and enable login.
f. Encrypt plain text passwords.
g. Save the running configuration to startup configuration.
Step 3: Configure basic settings on S1.
A good security practice is to assign the
management IP address of the switch to a VLAN other than VLAN 1 (or any other
data VLAN with end users). In this step, you will create VLAN 99 on the switch
and assign it an IP address.
a. Configure the device name.
b. Disable DNS lookup.
c. Assign class as the privileged EXEC mode password.
d. Assign cisco as the console and vty password and then enable login.
e. Configure a default gateway for S1 using the IP address of R1.
f. Encrypt plain text passwords.
g. Save the running configuration to startup configuration.
h. Create VLAN 99 on the switch and name it Management.
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)#
i. Configure the VLAN 99 management interface IP address, as shown in
the Addressing Table, and enable the interface.
S1(config)# interface vlan 99
S1(config-if)# ip address 172.16.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1#
j. Issue the show vlan command on S1. What is the status of VLAN 99? Active
k. Issue the show ip interface brief command on S1. What is the status and protocol for management interface VLAN 99?
Status “UP” and Protocol “Down”
Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99?
No physical ports on the switch have been assigned to VLAN 99
l. Assign ports F0/5 and F0/6 to VLAN 99 on the switch.
S1# config t
S1(config)# interface f0/5
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# interface f0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end
m. Issue the show ip interface brief command on S1. What is the status and protocol showing for interface VLAN 99? Status “UP” and Protocol “UP”
Note: There may be a delay while the port states converge.
Step 4: Verify connectivity between devices.
a. From PC-A, ping the default gateway address on R1. Were your pings successful? Success
b. From PC-A, ping the management address of S1. Were your pings successful? Success
c. From S1, ping the default gateway address on R1. Were your pings successful? Success
d. From PC-A, open a web browser and go to http://172.16.99.11. If it prompts you for a username and password, leave the username blank and use class for the password. If it prompts for a secured connection, answer No. Were you able to access the web interface on S1? In a real switch the answer is Yes, but in a Packet Tracer switch the answer is No, because web access or a web server can’t be implemented on a Packet Tracer switch
e. Close the browser session on PC-A.
Note: The non-secure web interface (HTTP server) on a Cisco 2960 switch is enabled by default. A common security measure is to disable this service, as described in Part 4.
Part 3: Configure and Verify SSH Access on S1
Step 1: Configure SSH access on S1.
a. Enable SSH on S1. From global configuration mode, create a domain name of CCNA-Lab.com.
S1(config)# ip domain-name CCNA-Lab.com
b. Create a local user database entry for use when connecting to the
switch via SSH. The user should have administrative level access.
Note: The password used here is NOT a strong password. It is merely
being used for lab purposes.
S1(config)# username admin privilege 15 secret sshadmin
c. Configure the transport input for the vty lines to allow SSH
connections only, and use the local database for authentication.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
d. Generate an RSA crypto key using a modulus of 1024 bits.
S1(config)# crypto key generate rsa modulus 1024
The name for the keys will be: S1.CCNA-Lab.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
S1(config)#
S1(config)# end
e. Verify the SSH configuration and answer the questions below.
S1# show ip ssh
What version of SSH is the switch using? 1.99
How many authentication attempts does SSH allow? 3
What is the default timeout setting for SSH? 120 Secs
Step 2: Modify the SSH configuration on S1.
Modify the default SSH configuration.
S1# config t
S1(config)# ip ssh time-out 75
S1(config)# ip ssh authentication-retries 2
How many authentication attempts does SSH allow? 2
What is the timeout setting for SSH? 75 Secs
Step 3: Verify the SSH configuration on S1.
a. Using SSH client software on PC-A (such as Tera Term), open an SSH connection to S1. If you receive a message on your SSH client regarding the host key, accept it. Log in with admin for the username and sshadmin for the password.
Was the connection successful? Yes, Success
What prompt was displayed on S1? Why?
S1 is showing the prompt at privileged EXEC mode because the privilege 15 option was used when configuring the username and password; that’s why the # symbol appears on the prompt
b. Type exit to end the SSH session on S1.
Part 4: Configure and Verify Security Features on S1
In Part 4, you will shut down unused ports, turn off certain services running on the switch, and configure port security based on MAC addresses. Switches can be subject to MAC address table overflow attacks, MAC spoofing attacks, and unauthorized connections to switch ports. You will configure port security to limit the number of MAC addresses that can be learned on a switch port and disable the port if that number is exceeded.
Step 1: Configure general security features on S1.
a. Configure a message of the day (MOTD) banner on S1 with an
appropriate security warning message.
b. Issue a show ip interface brief command on S1. What physical ports are up?
FastEthernet 0/5 and FastEthernet 0/6 message UP
c. Shut down all unused physical ports on the switch. Use the interface range command.
S1(config)# interface range f0/1 - 4
S1(config-if-range)# shutdown
S1(config-if-range)# interface range f0/7 - 24
S1(config-if-range)# shutdown
S1(config-if-range)# interface range g0/1 - 2
S1(config-if-range)# shutdown
S1(config-if-range)# end
S1#
d. Issue the show ip interface brief command on S1. What is the status of ports F0/1 to F0/4?
Administratively Down
e. Issue the show ip http server status command.
What is the HTTP server status? In a be by default
What server port is it using? In a be by default
What is the HTTP secure server status? In a be by default
What secure server port is it using? In a be by default
f. HTTP sessions send everything in plain text. You will disable the
HTTP service running on S1.
S1(config)# no ip http server
g. From PC-A, open a web browser session to http://172.16.99.11. What was your result?
On a real switch, if you disable the HTTP service the web page could not open; HTTP connections will be refused
h. From PC-A, open a secure web browser session at https://172.16.99.11. Accept the certificate. Log in with no username and a password of class. What was your result?
On a real switch the secure web session will be successful
i. Close the web session on PC-A.
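As an added example (not part of the lab), a small Python audit that checks a saved running-config for the controls configured in Part 3 and Part 4 Step 1: SSH-only vty lines with local authentication, a privilege-15 user defined with secret, the SSH timeout and retry limits, HTTP disabled and HTTPS enabled. The configuration text is constructed here from the lab's own commands, and the hash in the username line is a placeholder.

```python
import re

# Constructed sample: the relevant lines of S1's running-config after
# Part 3 and Part 4 Step 1 (assembled from the lab's commands, not captured).
SAMPLE_CONFIG = """\
hostname S1
ip domain-name CCNA-Lab.com
username admin privilege 15 secret 5 $HASH-PLACEHOLDER$
ip ssh time-out 75
ip ssh authentication-retries 2
no ip http server
ip http secure-server
interface FastEthernet0/1
 shutdown
interface FastEthernet0/5
 switchport access vlan 99
 switchport mode access
line vty 0 15
 login local
 transport input ssh
"""

# The same config with two of the lab's controls undone, for comparison.
WEAK_CONFIG = (SAMPLE_CONFIG
               .replace("transport input ssh", "transport input telnet ssh")
               .replace("no ip http server", "ip http server"))

def vty_stanza(config: str) -> list:
    """Collect the indented lines under every 'line vty ...' stanza."""
    body, in_vty = [], False
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty = True
        elif in_vty and line.startswith(" "):
            body.append(line.strip())
        else:
            in_vty = False
    return body

def audit_switch_config(config: str) -> dict:
    """Map each hardening step from the lab to True (present) or False (missing)."""
    vty = vty_stanza(config)
    return {
        "ssh_only_vty": "transport input ssh" in vty,
        "vty_local_auth": "login local" in vty,
        "http_disabled": bool(re.search(r"^no ip http server$", config, re.M)),
        "https_enabled": bool(re.search(r"^ip http secure-server$", config, re.M)),
        "ssh_timeout_set": bool(re.search(r"^ip ssh time-out \d+$", config, re.M)),
        "ssh_retries_set": bool(re.search(r"^ip ssh authentication-retries \d+$", config, re.M)),
        "admin_uses_secret": bool(re.search(r"^username \S+ privilege 15 secret ", config, re.M)),
    }

def failing_checks(config: str) -> list:
    """Names of the checks that fail, sorted, so a script can exit non-zero on any."""
    return sorted(name for name, ok in audit_switch_config(config).items() if not ok)

if __name__ == "__main__":
    for cfg_name, cfg in (("lab config", SAMPLE_CONFIG), ("weakened", WEAK_CONFIG)):
        print(cfg_name, "-> failing:", failing_checks(cfg) or "none")
```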
Step 2: Configure and verify port security on S1.
a. Record the R1 G0/1 MAC address. From the R1 CLI, use the show interface g0/1 command and record the MAC address of the interface.
R1# show interface g0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 30f7.0da3.1821 (bia 3047.0da3.1821)
What is the MAC address of the R1 G0/1 interface? 0010.fs67.54dr.
b. From the S1 CLI, issue a show mac address-table command from privileged EXEC mode. Find the dynamic entries for ports F0/5 and F0/6. Record them below.
F0/5 MAC address: 0010.fs67.54dr.
F0/6 MAC address: 0020.0a25.5320
c. Configure basic port security.
Note: This procedure would normally be performed on all access ports on
the switch. F0/5 is shown here as an example.
1) From the S1 CLI, enter interface configuration mode for the port
that connects to R1.
S1(config)# interface f0/5
2) Shut down the port.
S1(config-if)# shutdown
3) Enable port security on F0/5.
S1(config-if)# switchport port-security
Note: Entering the switchport port-security command sets the maximum MAC addresses to 1 and the violation action to shutdown. The switchport port-security maximum and switchport port-security violation commands can be used to change the default behavior.
4) Configure a static entry for the MAC address of R1 G0/1 interface
recorded in Step 2a.
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
(xxxx.xxxx.xxxx is the actual MAC address of the router G0/1 interface)
Note: Optionally, you can use the switchport port-security mac-address sticky command to add all the secure MAC addresses that are dynamically learned on a port (up to the maximum set) to the switch running configuration.
5) Enable the switch port.
S1(config-if)# no shutdown
S1(config-if)# end
d. Verify port security on S1 F0/5 by issuing a show port-security interface command.
S1# show port-security interface f0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
What is the port status of F0/5? Secure-Up
e. From R1 command prompt, ping PC-A to verify connectivity.
R1# ping 172.16.99.3
f. You will now violate security by changing the MAC address on the
router interface. Enter interface configuration mode for G0/1 and shut it down.
R1# config t
R1(config)# interface g0/1
R1(config-if)# shutdown
g. Configure a new MAC address for the interface, using aaaa.bbbb.cccc as the address.
R1(config-if)# mac-address aaaa.bbbb.cccc
h. If possible, have a console connection open on S1 at the same time that
you do this step. You will see various messages displayed on the console
connection to S1 indicating a security violation. Enable the G0/1 interface on
R1.
R1(config-if)# no shutdown
i. From R1 privileged EXEC mode, ping PC-A. Was the ping successful? Why or why not?
No, the F0/5 port on S1 is shutdown because of the security violation
j. On the switch, verify port security with the commands shown below.
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
--------------------------------------------------------------------
      Fa0/5              1            1                  1         Shutdown
----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) :0
Max Addresses limit in System (excluding one mac per port) :8192
S1# show port-security interface f0/5
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : aaaa.bbbb.cccc:99
Security Violation Count : 1
S1# show interface f0/5
FastEthernet0/5 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is 0cd9.96e2.3d05 (bia 0cd9.96e2.3d05)
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
<output omitted>
S1# show port-security address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type               Ports   Remaining Age (mins)
----    -----------       ----               -----   -------------
99      30f7.0da3.1821    SecureConfigured   Fa0/5   -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) :0
Max Addresses limit in System (excluding one mac per port) :8192
k. On the router, shut down the G0/1 interface, remove the hard-coded
MAC address from the router, and re-enable the G0/1 interface.
R1(config-if)# shutdown
R1(config-if)# no mac-address aaaa.bbbb.cccc
R1(config-if)# no shutdown
R1(config-if)# end
l. From R1, ping PC-A again at 172.16.99.3. Was the ping successful? Success
m. On the switch, issue the show interface f0/5 command to determine the cause of the ping failure. Record your findings.
FastEthernet 0/5 is down, line protocol is down (err-disabled)
n. Clear the S1 F0/5 error disabled status.
S1# config t
S1(config)# interface f0/5
S1(config-if)# shutdown
S1(config-if)# no shutdown
Note: There may be a delay while the port states converge.
o. Issue the show interface f0/5 command on S1 to verify F0/5 is no longer in error disabled mode.
S1# show interface f0/5
FastEthernet0/5 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0023.5d59.9185 (bia 0023.5d59.9185)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
p. From the R1 command prompt, ping PC-A again. You should be
successful.
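As an added example (not the lab's own material), a Python parser for the show port-security output used in Step 2: it turns the key/value listing of show port-security interface into a dict, flags a port that is in Secure-shutdown, pulls out the offending MAC address and VLAN, and picks the rows of the show port-security summary table with a non-zero violation count. The sample outputs are re-typed from the lab's captures, with a second clean port (Fa0/6) added to the summary for contrast.

```python
import re

# Constructed sample: "show port-security interface f0/5" after R1's MAC
# address was changed (re-typed from the lab, not captured live).
VIOLATED = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aaaa.bbbb.cccc:99
Security Violation Count   : 1
"""

# The same port before the violation (step d of the lab).
HEALTHY = (VIOLATED.replace("Secure-shutdown", "Secure-up")
                   .replace("aaaa.bbbb.cccc:99", "0000.0000.0000:0")
                   .replace("Count   : 1", "Count   : 0"))

# Constructed sample of the summary table from "show port-security";
# Fa0/6 is added here as a port with no violations.
SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  1         Shutdown
      Fa0/6              1            1                  0         Shutdown
---------------------------------------------------------------------------
"""

def parse_port_security(output: str) -> dict:
    """Turn the 'Key : Value' lines of show port-security interface into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def assess_port(output: str) -> dict:
    """Summarise one port: err-disabled or not, violation count, offending MAC/VLAN."""
    f = parse_port_security(output)
    count = int(f.get("Security Violation Count", "0"))
    mac, _, vlan = f.get("Last Source Address:Vlan", "::").rpartition(":")
    return {
        "enabled": f.get("Port Security") == "Enabled",
        "err_disabled": f.get("Port Status") == "Secure-shutdown",
        "violations": count,
        # Only meaningful after a violation; otherwise the switch shows zeros.
        "offending_mac": mac if count else None,
        "vlan": vlan if count else None,
    }

ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def ports_with_violations(summary: str) -> list:
    """Return [(port, count)] for rows of show port-security with a non-zero count."""
    hits = []
    for line in summary.splitlines():
        m = ROW.match(line)
        if m and int(m.group(4)) > 0:
            hits.append((m.group(1), int(m.group(4))))
    return hits

if __name__ == "__main__":
    print(assess_port(VIOLATED))
    print(ports_with_violations(SUMMARY))
```

A port reported as err_disabled by assess_port is recovered exactly as in step n of the lab (shutdown, then no shutdown on the interface).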
Reflection
1. Why would you enable port security on a switch?
It would help prevent unauthorized devices from accessing your network if they plugged into a switch on your network
2. Why should unused ports on a switch be disabled?
A user could not connect a device to the switch on an unused port and access the LAN
Router Interface Summary Table
Router Model | Ethernet Interface #1       | Ethernet Interface #2       | Serial Interface #1   | Serial Interface #2
1800         | Fast Ethernet 0/0 (F0/0)    | Fast Ethernet 0/1 (F0/1)    | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
1900         | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
2801         | Fast Ethernet 0/0 (F0/0)    | Fast Ethernet 0/1 (F0/1)    | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1)
2811         | Fast Ethernet 0/0 (F0/0)    | Fast Ethernet 0/1 (F0/1)    | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
2900         | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.