2.2.4.11 Lab - Configuring Switch Security Features - ILM


7/17/2019 2.2.4.11 Lab - Configuring Switch Security Features - ILM

http://slidepdf.com/reader/full/22411-lab-configuring-switch-security-features-ilm-568e47253c441 1/15

Lab – Configuring Switch Security Features (Instructor Version)

Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device   Interface   IP Address     Subnet Mask     Default Gateway
R1       G0/1        172.16.99.1    255.255.255.0   N/A
S1       VLAN 99     172.16.99.11   255.255.255.0   172.16.99.1
PC-A     NIC         172.16.99.3    255.255.255.0   172.16.99.1

Objectives

Part 1: Set Up the Topology and Initialize Devices

Part 2: Configure Basic Device Settings and Verify Connectivity

Part 3: Configure and Verify SSH Access on S1

• Configure SSH access.

• Modify SSH parameters.

• Verify the SSH configuration.

Part 4: Configure and Verify Security Features on S1

• Configure and verify general security features.

• Configure and verify port security.

Background / Scenario

It is quite common to lock down access and install good security features on PCs and servers. It is important that your network infrastructure devices, such as switches and routers, are also configured with security features.

In this lab, you will follow some best practices for configuring security features on LAN switches. You will only allow SSH and secure HTTPS sessions. You will also configure and verify port security to lock out any device with a MAC address not recognized by the switch.

Note: The router used with CCNA hands-on labs is a Cisco 1941 Integrated Services Router (ISR) with Cisco IOS Release 15.2(4)M3 (universalk9 image). The switch used is a Cisco Catalyst 2960 with Cisco IOS Release 15.0(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of this lab for the correct interface identifiers.

Note: Make sure that the router and switch have been erased and have no startup configurations. If you are unsure, contact your instructor or refer to the previous lab for the procedures to initialize and reload devices.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 15


Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.

Required Resources

• 1 Router (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)

• 1 Switch (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)

• 1 PC (Windows 7, Vista, or XP with terminal emulation program, such as Tera Term)

• Console cables to configure the Cisco IOS devices via the console ports

• Ethernet cables as shown in the topology

Part 1: Set Up the Topology and Initialize Devices

In Part 1, you will set up the network topology and clear any configurations if necessary.

Step 1: Cable the network as shown in the topology.

Step 2: Initialize and reload the router and switch.

If configuration files were previously saved on the router or switch, initialize and reload these devices back to their basic configurations.

Part 2: Configure Basic Device Settings and Verify Connectivity

In Part 2, you configure basic settings on the router, switch, and PC. Refer to the Topology and Addressing Table at the beginning of this lab for device names and address information.

Step 1: Configure an IP address on PC-A.

Step 2: Configure basic settings on R1.

a. Configure the device name.

b. Disable DNS lookup.

c. Configure interface IP address as shown in the Addressing Table.

d. Assign class as the privileged EXEC mode password.

e. Assign cisco as the console and vty password and enable login.

f. Encrypt plain text passwords.

g. Save the running configuration to startup configuration.

Step 3: Configure basic settings on S1.

A good security practice is to assign the management IP address of the switch to a VLAN other than VLAN 1 (or any other data VLAN with end users). In this step, you will create VLAN 99 on the switch and assign it an IP address.

a. Configure the device name.

b. Disable DNS lookup.

c. Assign class as the privileged EXEC mode password.

d. Assign cisco as the console and vty password and then enable login.

e. Configure a default gateway for S1 using the IP address of R1.


f. Encrypt plain text passwords.

g. Save the running configuration to startup configuration.

h. Create VLAN 99 on the switch and name it Management.

S1(config)# vlan 99

S1(config-vlan)# name Management

S1(config-vlan)# exit

S1(config)#

i. Configure the VLAN 99 management interface IP address as shown in the Addressing Table and enable the interface.

S1(config)# interface vlan 99

S1(config-if)# ip address 172.16.99.11 255.255.255.0

S1(config-if)# no shutdown

S1(config-if)# end

S1#

j. Issue the show vlan command on S1. What is the status of VLAN 99? ________ Active

k. Issue the show ip interface brief command on S1. What is the status and protocol for management interface VLAN 99?

________________________________________________

Status is up and protocol is down.

Why is the protocol down even though you issued the no shutdown command for interface VLAN 99?

________________________________________________

No physical ports on the switch have been assigned to VLAN 99.

l. Assign ports F0/5 and F0/6 to VLAN 99 on the switch.

S1# config t

S1(config)# interface f0/5

S1(config-if)# switchport mode access

S1(config-if)# switchport access vlan 99

S1(config-if)# interface f0/6

S1(config-if)# switchport mode access

S1(config-if)# switchport access vlan 99

S1(config-if)# end

m. Issue the show ip interface brief command on S1. What is the status and protocol showing for interface VLAN 99? ________ Up and up

Note: There may be a delay while the port states converge.

Step 4: Verify connectivity between devices.

a. From PC-A, ping the default gateway address on R1. Were your pings successful? ________ Yes

b. From PC-A, ping the management address of S1. Were your pings successful? ________ Yes

c. From S1, ping the default gateway address on R1. Were your pings successful? ________ Yes

d. From PC-A, open a web browser and go to http://172.16.99.11. If it prompts you for a username and password, leave the username blank and use class for the password. If it prompts for secured connection, answer No. Were you able to access the web interface on S1? ________ Yes


e. Close the browser session on PC-A.

Note: The non-secure web interface (HTTP server) on a Cisco 2960 switch is enabled by default. A common security measure is to disable this service, as described in Part 4.

Part 3: Configure and Verify SSH Access on S1

Step 1: Configure SSH access on S1.

a. Enable SSH on S1. From global configuration mode, create a domain name of CCNA-Lab.com.

S1(config)# ip domain-name CCNA-Lab.com

b. Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.

Note: The password used here is NOT a strong password. It is merely being used for lab purposes.

S1(config)# username admin privilege 15 secret sshadmin

c. Configure the transport input for the vty lines to allow SSH connections only, and use the local database for authentication.

S1(config)# line vty 0 15

S1(config-line)# transport input ssh

S1(config-line)# login local

S1(config-line)# exit

d. Generate an RSA crypto key using a modulus of 1024 bits.

S1(config)# crypto key generate rsa modulus 1024

The name for the keys will be: S1.CCNA-Lab.com

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 3 seconds)

S1(config)#

S1(config)# end

e. Verify the SSH configuration and answer the questions below.

S1# show ip ssh

SSH Enabled - version 1.99

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa <public key output omitted>

What version of SSH is the switch using? ________ 1.99

How many authentication attempts does SSH allow? ________ 3

What is the default timeout setting for SSH? ________ 120 seconds


Step 2: Modify the SSH configuration on S1.

Modify the default SSH configuration.

S1# config t

S1(config)# ip ssh time-out 75

S1(config)# ip ssh authentication-retries 2

S1# show ip ssh

SSH Enabled - version 1.99

Authentication timeout: 75 secs; Authentication retries: 2

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa <public key output omitted>

How many authentication attempts does SSH allow? ________ 2

What is the timeout setting for SSH? ________ 75 seconds

Step 3: Verify the SSH configuration on S1.

a. Using SSH client software on PC-A (such as Tera Term), open an SSH connection to S1. If you receive a message on your SSH client regarding the host key, accept it. Log in with admin for username and cisco for the password.

Was the connection successful? ________ Yes

What prompt was displayed on S1? Why?

________________________________________________

S1 is showing the prompt at privileged EXEC mode because the privilege 15 option was used when configuring username and password.

b. Type exit to end the SSH session on S1.

Part 4: Configure and Verify Security Features on S1

In Part 4, you will shut down unused ports, turn off certain services running on the switch, and configure port security based on MAC addresses. Switches can be subject to MAC address table overflow attacks, MAC spoofing attacks, and unauthorized connections to switch ports. You will configure port security to limit the number of MAC addresses that can be learned on a switch port and disable the port if that number is exceeded.

Step 1: Configure general security features on S1.

a. Configure a message of the day (MOTD) banner on S1 with an appropriate security warning message.

b. Issue a show ip interface brief command on S1. What physical ports are up?

________________________________________________

Ports F0/5 and F0/6

c. Shut down all unused physical ports on the switch. Use the interface range command.

S1(config)# interface range f0/1 - 4


S1(config-if-range)# shutdown

S1(config-if-range)# interface range f0/7 - 24

S1(config-if-range)# shutdown

S1(config-if-range)# interface range g0/1 - 2

S1(config-if-range)# shutdown

S1(config-if-range)# end

S1#

d. Issue the show ip interface brief command on S1. What is the status of ports F0/1 to F0/4?

________________________________________________

Administratively down.

e. Issue the show ip http server status command.

S1# show ip http server status

HTTP server status: Enabled

HTTP server port: 80

HTTP server authentication method: enable

HTTP server access class: 0

HTTP server base path: flash:html

HTTP server help root:

Maximum number of concurrent server connections allowed: 16

Server idle time-out: 180 seconds

Server life time-out: 180 seconds

Maximum number of requests allowed on a connection: 25

HTTP server active session modules: ALL

HTTP secure server capability: Present

HTTP secure server status: Enabled

HTTP secure server port: 443

HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha

HTTP secure server client authentication: Disabled

HTTP secure server trustpoint:

HTTP secure server active session modules: ALL

What is the HTTP server status? ________ Enabled

What server port is it using? ________ 80

What is the HTTP secure server status? ________ Enabled

What secure server port is it using? ________ 443

f. HTTP sessions send everything in plain text. You will disable the HTTP service running on S1.

S1(config)# no ip http server

g. From PC-A, open a web browser session to http://172.16.99.11. What was your result?

________________________________________________

The web page could not open. HTTP connections are now refused by S1.

h. From PC-A, open a secure web browser session at https://172.16.99.11. Accept the certificate. Log in with no username and a password of class. What was your result?

________________________________________________

Secure web session was successful.


i. Close the web session on PC-A.

Step 2: Configure and verify port security on S1.

a. Record the R1 G0/1 MAC address. From the R1 CLI, use the show interface g0/1 command and record the MAC address of the interface.

R1# show interface g0/1

GigabitEthernet0/1 is up, line protocol is up

  Hardware is CN Gigabit Ethernet, address is 30f7.0da3.1821 (bia 30f7.0da3.1821)

What is the MAC address of the R1 G0/1 interface?

________________________________________________

In the example above, it is 30f7.0da3.1821.

b. From the S1 CLI, issue a show mac address-table command from privileged EXEC mode. Find the dynamic entries for ports F0/5 and F0/6. Record them below.

F0/5 MAC address: ________ 30f7.0da3.1821

F0/6 MAC address: ________ 00e0.857.1ccd

c. Configure basic port security.

Note: This procedure would normally be performed on all access ports on the switch. F0/5 is shown here as an example.

1) From the S1 CLI, enter interface configuration mode for the port that connects to R1.

S1(config)# interface f0/5

2) Shut down the port.

S1(config-if)# shutdown

3) Enable port security on F0/5.

S1(config-if)# switchport port-security

Note: Entering the switchport port-security command sets the maximum MAC addresses to 1 and the violation action to shutdown. The switchport port-security maximum and switchport port-security violation commands can be used to change the default behavior.

4) Configure a static entry for the MAC address of R1 G0/1 interface recorded in Step 2a.

S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx

(xxxx.xxxx.xxxx is the actual MAC address of the router G0/1 interface)

Note: Optionally, you can use the switchport port-security mac-address sticky command to add all the secure MAC addresses that are dynamically learned on a port (up to the maximum set) to the switch running configuration.

5) Enable the switch port.

S1(config-if)# no shutdown

S1(config-if)# end

d. Verify port security on S1 F0/5 by issuing a show port-security interface command.

S1# show port-security interface f0/5

Port Security : Enabled

Port Status : Secure-up


Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0

What is the port status of F0/5?

________________________________________________

The status is Secure-up, which indicates that the port is secure but the status and protocol are up.

e. From R1 command prompt, ping PC-A to verify connectivity.

R1# ping 172.16.99.3

f. You will now violate security by changing the MAC address on the router interface. Enter interface configuration mode for G0/1 and shut it down.

R1# config t

R1(config)# interface g0/1

R1(config-if)# shutdown

g. Configure a new MAC address for the interface, using aaaa.bbbb.cccc as the address.

R1(config-if)# mac-address aaaa.bbbb.cccc

h. If possible, have a console connection open on S1 at the same time that you do this step. You will see various messages displayed on the console connection to S1 indicating a security violation. Enable the G0/1 interface on R1.

R1(config-if)# no shutdown

i. From R1 privileged EXEC mode, ping PC-A. Was the ping successful? Why or why not?

________________________________________________

No, the F0/5 port on S1 is shut down because of the security violation.

j. On the switch, verify port security with the following commands shown below.

S1# show port-security

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)        (Count)         (Count)
--------------------------------------------------------------------
     Fa0/5           1              1               1          Shutdown
--------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192

S1# show port-security interface f0/5

Port Security : Enabled

Port Status : Secure-shutdown

Violation Mode : Shutdown

Aging Time : 0 mins


Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : aaaa.bbbb.cccc:99

Security Violation Count : 1

S1# show interface f0/5

FastEthernet0/5 is down, line protocol is down (err-disabled)

  Hardware is Fast Ethernet, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)

  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,

  reliability 255/255, txload 1/255, rxload 1/255

<output omitted>

S1# show port-security address

Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type               Ports    Remaining Age
                                                         (mins)
----    -----------       ----               -----    -------------
  99    30f7.0da3.1821    SecureConfigured   Fa0/5    -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192

k. On the router, shut down the G0/1 interface, remove the hard-coded MAC address from the router, and re-enable the G0/1 interface.

R1(config-if)# shutdown

R1(config-if)# no mac-address aaaa.bbbb.cccc

R1(config-if)# no shutdown

R1(config-if)# end

l. From R1, ping PC-A again at 172.16.99.3. Was the ping successful? ________ No

m. On the switch, issue the show interface f0/5 command to determine the cause of ping failure. Record your findings.

________________________________________________

F0/5 port on S1 is still in an error disabled state.

S1# show interface f0/5

FastEthernet0/5 is down, line protocol is down (err-disabled)

  Hardware is Fast Ethernet, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)

  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,

  reliability 255/255, txload 1/255, rxload 1/255

n. Clear the S1 F0/5 error disabled status.

S1# config t

S1(config)# interface f0/5


S1(config-if)# shutdown

S1(config-if)# no shutdown

Note: There may be a delay while the port states converge.

o. Issue the show interface f0/5 command on S1 to verify F0/5 is no longer in error disabled mode.

S1# show interface f0/5

FastEthernet0/5 is up, line protocol is up (connected)

  Hardware is Fast Ethernet, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

  reliability 255/255, txload 1/255, rxload 1/255

p. From the R1 command prompt, ping PC-A again. You should be successful.
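The sequence in Step 2 (a static secure MAC on F0/5, a frame from the spoofed address aaaa.bbbb.cccc, a port that stays err-disabled even after the real MAC returns, and recovery by shutdown / no shutdown) can be replayed in a small model. The Python below is an added example, my own code rather than Cisco's or the lab's. It simulates one port with the defaults the note under Step 2c describes (maximum 1, violation action shutdown) and also the restrict and protect violation modes that the switchport port-security violation command can select, so the difference between them is visible side by side. The class and function names (SecurePort, run_lab_scenario) are mine; the MAC addresses are the ones recorded in the lab.

```python
"""Simulator for the port-security behaviour exercised in Part 4, Step 2.

Added example; not Cisco code and not part of the lab. Models one access
port with the lab's defaults (maximum 1 secure MAC, violation mode
shutdown) plus a statically configured secure address.
"""
from dataclasses import dataclass, field

R1_MAC = "30f7.0da3.1821"        # R1 G0/1 address recorded in Step 2a
SPOOFED_MAC = "aaaa.bbbb.cccc"    # address set on R1 G0/1 in Step 2g
VLAN = 99                         # access VLAN of F0/5 and F0/6


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # 'switchport port-security' default
    violation_mode: str = "shutdown"    # shutdown | restrict | protect
    configured: set = field(default_factory=set)  # static secure MACs
    learned: set = field(default_factory=set)     # dynamically learned MACs
    status: str = "Secure-up"
    violation_count: int = 0
    last_source: str = "0000.0000.0000:0"

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        self.configured.add(mac)

    def secure_addresses(self):
        return self.configured | self.learned

    def receive_frame(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.status != "Secure-up":
            return False                # shut down or err-disabled: nothing passes
        self.last_source = f"{src_mac}:{VLAN}"
        if src_mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) < self.maximum:
            self.learned.add(src_mac)   # dynamic learning up to the maximum
            return True
        # A further source MAC once the maximum is reached is a violation.
        if self.violation_mode == "shutdown":
            self.violation_count += 1
            self.status = "Secure-shutdown"   # port goes err-disabled
        elif self.violation_mode == "restrict":
            self.violation_count += 1         # frame dropped, counted and logged
        # protect: frame dropped silently, counter untouched
        return False

    def shutdown(self):
        self.status = "Secure-down"

    def no_shutdown(self):
        """The shutdown / no shutdown pair in Step 2n clears err-disabled."""
        self.status = "Secure-up"

    def show(self):
        """Fields as printed by 'show port-security interface'."""
        return {
            "Port Status": self.status,
            "Violation Mode": self.violation_mode.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_addresses()),
            "Configured MAC Addresses": len(self.configured),
            "Last Source Address:Vlan": self.last_source,
            "Security Violation Count": self.violation_count,
        }


def run_lab_scenario():
    """Replay Steps 2c-2p on a simulated Fa0/5 and return the observations."""
    fa5 = SecurePort("Fa0/5")
    fa5.add_static(R1_MAC)
    seen = {}
    seen["ping before violation"] = fa5.receive_frame(R1_MAC)          # 2e
    seen["spoofed frame forwarded"] = fa5.receive_frame(SPOOFED_MAC)   # 2h
    seen["status after violation"] = fa5.show()["Port Status"]        # 2j
    seen["ping after MAC restored"] = fa5.receive_frame(R1_MAC)        # 2l
    fa5.shutdown()                                                     # 2n
    fa5.no_shutdown()
    seen["ping after recovery"] = fa5.receive_frame(R1_MAC)            # 2p
    seen["violation count"] = fa5.show()["Security Violation Count"]
    return seen


if __name__ == "__main__":
    for step, result in run_lab_scenario().items():
        print(f"{step:26} {result}")
```

Running the script prints the same observations the lab asks you to record: the ping works before the violation, the spoofed frame is dropped and the port goes to Secure-shutdown, the ping still fails after the real MAC is restored, and only the shutdown / no shutdown pair brings the port back. Switching the port to restrict or protect shows why shutdown is the default worth keeping on user ports: both drop the offending frame, but the port stays up, so the violation is only visible in the counter (restrict) or not at all (protect).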

Reflection

1. Why would you enable port security on a switch?

________________________________________________

It would help prevent unauthorized devices from accessing your network if they plugged into a switch on your network.

2. Why should unused ports on a switch be disabled?

________________________________________________

One excellent reason is that a user could not connect a device to the switch on an unused port and access the LAN.

Router Interface Summary Table

Router Interface Summary

Router Model   Ethernet Interface #1        Ethernet Interface #2        Serial Interface #1     Serial Interface #2
1800           Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2801           Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/1/0 (S0/1/0)   Serial 0/1/1 (S0/1/1)
2811           Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.


Device Configs

Router R1

R1#sh run

Building configuration...

Current configuration : <size> bytes

!

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname R1

!

enable secret <encrypted secret omitted>

!

no ip domain-lookup

!

interface GigabitEthernet0/0

 no ip address

 shutdown

 duplex auto

 speed auto

!

interface GigabitEthernet0/1

 ip address 172.16.99.1 255.255.255.0

 duplex auto

 speed auto

!

interface Serial0/0/0

 no ip address

 shutdown

 clock rate 2000000

!

interface Serial0/0/1

 no ip address

 shutdown

 clock rate 2000000

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

control-plane

!


!

line con 0

 password 7 <encrypted password omitted>

 login

line aux 0

line 2

 no activation-character

 no exec

 transport preferred none

 transport input all

 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

 stopbits 1

line 67

 no activation-character

 no exec

 transport preferred none

 transport input all

 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

line vty 0 4

 password 7 <encrypted password omitted>

 login

 transport input all

!

scheduler allocate 20000 1000

!

end

Switch S1

S1#sh run

Building configuration...

Current configuration : <size> bytes

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname S1

!

enable secret <encrypted secret omitted>

!

username admin privilege 15 secret <encrypted secret omitted>

!

no ip domain-lookup

ip domain-name CCNA-Lab.com

!

crypto pki trustpoint TP-self-signed-<serial>

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-<serial>


 revocation-check none

 rsakeypair TP-self-signed-<serial>

!

crypto pki certificate chain TP-self-signed-<serial>

 certificate self-signed 01

  <certificate hex data omitted>

  quit

!

ip ssh time-out 75

ip ssh authentication-retries 2

!

interface FastEthernet0/1

 shutdown

!

interface FastEthernet0/2

 shutdown

!

interface FastEthernet0/3

 shutdown

!

interface FastEthernet0/4

 shutdown

!

interface FastEthernet0/5

 switchport access vlan 99

 switchport mode access

 switchport port-security

 switchport port-security mac-address 30f7.0da3.1821

!

interface FastEthernet0/6

 switchport access vlan 99

 switchport mode access


interface FastEthernet0/23

 shutdown

!

interface FastEthernet0/24

 shutdown

!

interface GigabitEthernet0/1

 shutdown

!

interface GigabitEthernet0/2

 shutdown

!

interface Vlan1

 no ip address

 shutdown

!

interface Vlan99

 ip address 172.16.99.11 255.255.255.0

!

ip default-gateway 172.16.99.1

no ip http server

ip http secure-server

!

banner motd ^CWarning! Unauthorized Access is Prohibited.^C

!

line con 0

 password cisco

 logging synchronous

 login

line vty 0 4

 login local

 transport input ssh

line vty 5 15

 login local

 transport input ssh

!

end
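Parts 3 and 4 check each hardening step by reading show output by eye. The Python below is an added example, my own code rather than Cisco's or the lab's, that performs the same checks mechanically against the text of a running-config: vty lines limited to transport input ssh with login local (Part 3, Step 1c), the SSH timeout and retry count lowered from the defaults of 120 seconds and 3 (Part 3, Step 2), the plaintext HTTP server disabled while HTTPS stays on (Part 4, Step 1f), unused ports shut down (Part 4, Step 1c), and port security on every port that is still up (the note under Part 4, Step 2c). Both sample configs are constructed: the first is trimmed from the S1 configuration printed above with secrets, the certificate and the shut-down ports Fa0/2 to Fa0/24 and Gi0/1 to Gi0/2 left out, the second is a counter-example resembling the switch before the lab's changes. The names parse_config, audit and _global_int are mine.

```python
import re

DEFAULT_SSH_TIMEOUT = 120   # seconds; the default 'show ip ssh' reports in Part 3
DEFAULT_SSH_RETRIES = 3

# Constructed from the S1 running-config in Device Configs; secrets, the
# certificate and the shut-down ports Fa0/2-0/24 and Gi0/1-2 are left out.
SAMPLE_S1_CONFIG = """\
hostname S1
ip ssh time-out 75
ip ssh authentication-retries 2
interface FastEthernet0/1
 shutdown
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security mac-address 30f7.0da3.1821
interface FastEthernet0/6
 switchport mode access
interface Vlan99
 ip address 172.16.99.11 255.255.255.0
no ip http server
ip http secure-server
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
end
"""

# Constructed counter-example: roughly the switch before Parts 3 and 4.
WEAK_CONFIG = """\
hostname S1
interface FastEthernet0/1
 switchport mode access
ip http server
line vty 0 4
 password cisco
 login
 transport input all
end
"""


def parse_config(text):
    """Split IOS config text into an ordered {command: [sub-commands]} map."""
    # Top-level commands start in column 0; sub-commands are indented by one
    # space. Blank lines and '!' separators carry no configuration.
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def _global_int(cfg, pattern):
    """Integer argument of the first top-level command matching pattern."""
    for cmd in cfg:
        m = re.fullmatch(pattern, cmd)
        if m:
            return int(m.group(1))
    return None


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    # Part 4 Step 1f: plaintext HTTP off, HTTPS left on for management.
    if "no ip http server" not in cfg:
        findings.append("plaintext HTTP server is enabled (missing 'no ip http server')")
    if "ip http secure-server" not in cfg:
        findings.append("HTTPS server is not enabled (missing 'ip http secure-server')")
    # Part 3 Step 2: SSH login window and retry budget tightened from the defaults.
    timeout = _global_int(cfg, r"ip ssh time-?out (\d+)")
    if timeout is None or timeout >= DEFAULT_SSH_TIMEOUT:
        findings.append("SSH authentication timeout is at or above the 120 s default")
    retries = _global_int(cfg, r"ip ssh authentication-retries (\d+)")
    if retries is None or retries >= DEFAULT_SSH_RETRIES:
        findings.append("SSH authentication retries are at or above the default of 3")
    for cmd, sub in cfg.items():
        if cmd.startswith("line vty"):
            # Part 3 Step 1c: SSH only, authenticated against the local database.
            transports = [s for s in sub if s.startswith("transport input")]
            if transports[-1:] != ["transport input ssh"]:
                findings.append(f"{cmd}: transport input is not restricted to ssh")
            if "login local" not in sub:
                findings.append(f"{cmd}: does not use the local user database (login local)")
        elif cmd.startswith("interface ") and not cmd.startswith("interface Vlan"):
            name = cmd.split(" ", 1)[1]
            if "shutdown" in sub:
                continue  # Part 4 Step 1c: unused port is disabled
            if "switchport port-security" not in sub:
                findings.append(f"{name}: active port without switchport port-security")
    return findings


if __name__ == "__main__":
    for label, text in (("lab S1", SAMPLE_S1_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(text) or ["no findings"])
```

Run against the lab's own S1 configuration the audit reports one finding, F0/6 carrying PC-A without port security, which is exactly the gap the note under Step 2c points at when it says the procedure would normally be applied to all access ports. The counter-example produces a finding for every step the lab performs, so the script doubles as a checklist for verifying a switch after the lab.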
