2.2.4.11 Lab - Configuring Switch Security Features - ILM

Lab – Configuring Switch Security Features (Instructor Version)

Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Topology

(topology diagram not reproduced)

Addressing Table

Device   Interface   IP Address     Subnet Mask      Default Gateway
R1       G0/1        172.16.99.1    255.255.255.0    N/A
S1       VLAN 99     172.16.99.11   255.255.255.0    172.16.99.1
PC-A     NIC         172.16.99.3    255.255.255.0    172.16.99.1

Objectives

Part 1: Set Up the Topology and Initialize Devices

Part 2: Configure Basic Device Settings and Verify Connectivity

Part 3: Configure and Verify SSH Access on S1
• Configure SSH access.
• Modify SSH parameters.
• Verify the SSH configuration.

Part 4: Configure and Verify Security Features on S1
• Configure and verify general security features.
• Configure and verify port security.
Background / Scenario

It is quite common to lock down access and install good security features on PCs and servers. It is important that your network infrastructure devices (such as switches and routers) are also configured with security features.

In this lab, you will follow some best practices for configuring security features on LAN switches. You will only allow SSH and secure HTTPS sessions. You will also configure and verify port security to lock out any device with a MAC address not recognized by the switch.

Note: The router used with CCNA hands-on labs is a Cisco 1941 Integrated Services Router (ISR) with Cisco IOS Release 15.2(4)M3 (universalk9 image). The switch used is a Cisco Catalyst 2960 with Cisco IOS Release 15.0(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of this lab for the correct interface identifiers.

Note: Make sure that the router and switch have been erased and have no startup configurations. If you are unsure, contact your instructor or refer to the previous lab for the procedures to initialize and reload devices.

Required Resources

• 1 PC (Windows 7, Vista, or XP with a terminal emulation program, such as Tera Term)
• Console cables to configure the Cisco IOS devices via the console ports
• Ethernet cables as shown in the topology
Part 1: Set Up the Topology and Initialize Devices

In Part 1, you will set up the network topology and clear any configurations, if necessary.

Step 1: Cable the network as shown in the topology.

Step 2: Initialize and reload the router and switch.

If configuration files were previously saved on the router or switch, initialize and reload these devices back to their basic configurations.

Part 2: Configure Basic Device Settings and Verify Connectivity

In Part 2, you configure basic settings on the router, switch, and PC. Refer to the Topology and Addressing Table at the beginning of this lab for device names and address information.

Step 1: Configure an IP address on PC-A.

Step 2: Configure basic settings on R1.

a. Configure the device name.
b. Disable DNS lookup.
c. Configure the interface IP address as shown in the Addressing Table.
d. Assign class as the privileged EXEC mode password.
e. Assign cisco as the console and vty password and enable login.
f. Encrypt plain text passwords.
g. Save the running configuration to the startup configuration.

Step 3: Configure basic settings on S1.

A good security practice is to assign the management IP address of the switch to a VLAN other than VLAN 1 (or any other data VLAN with end users). In this step, you will create VLAN 99 on the switch and assign it an IP address.

a. Configure the device name.
b. Disable DNS lookup.
c. Assign class as the privileged EXEC mode password.
d. Assign cisco as the console and vty password and then enable login.
e. Configure a default gateway for S1 using the IP address of R1.

No physical ports on the switch have been assigned to VLAN 99.

l. Assign ports F0/5 and F0/6 to VLAN 99 on the switch.
S1# config t
S1(config)# interface f0/5
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# interface f0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end
m. Issue the show ip interface brief command on S1. What is the status and protocol showing for interface VLAN 99? ____________ Up and up

Note: There may be a delay while the port states converge.

Step 4: Verify connectivity between devices.

a. From PC-A, ping the default gateway address on R1. Were your pings successful? ______ Yes
b. From PC-A, ping the management address of S1. Were your pings successful? ______ Yes
c. From S1, ping the default gateway address on R1. Were your pings successful? ______ Yes
d. From PC-A, open a web browser and go to http://172.16.99.11. If it prompts you for a username and password, leave the username blank and use class for the password. If it prompts for a secured connection, answer No. Were you able to access the web interface on S1? ______ Yes

Note: The non-secure web interface (HTTP server) on a Cisco 2960 switch is enabled by default. A common security measure is to disable this service, as described in Part 4.

Part 3: Configure and Verify SSH Access on S1

Step 1: Configure SSH access on S1.

a. Enable SSH on S1. From global configuration mode, create a domain name of CCNA-Lab.com.
S1(config)# ip domain-name CCNA-Lab.com
b. Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.

Note: The password used here is NOT a strong password. It is merely being used for lab purposes.

How many authentication attempts does SSH allow? ______________ 2
What is the timeout setting for SSH? ______________ 75 seconds

Step 3: Verify the SSH configuration on S1.

a. Using SSH client software on PC-A (such as Tera Term), open an SSH connection to S1. If you receive a message on your SSH client regarding the host key, accept it. Log in with admin for the username and cisco for the password.

Was the connection successful? ______________ Yes

S1 is showing the prompt at privileged EXEC mode because the privilege 15 option was used when configuring the username and password.

b. Type exit to end the SSH session on S1.

Part 4: Configure and Verify Security Features on S1

In Part 4, you will shut down unused ports, turn off certain services running on the switch, and configure port security based on MAC addresses. Switches can be subject to MAC address table overflow attacks, MAC spoofing attacks, and unauthorized connections to switch ports. You will configure port security to limit the number of MAC addresses that can be learned on a switch port and disable the port if that number is exceeded.

Step 1: Configure general security features on S1.

a. Configure a message of the day (MOTD) banner on S1 with an appropriate security warning message.
b. Issue a show ip interface brief command on S1. What physical ports are up?

The web page could not open. HTTP connections are now refused by S1.

h. From PC-A, open a secure web browser session at https://172.16.99.11. Accept the certificate. Log in with no username and a password of class. What was your result?

Note: This procedure would normally be performed on all access ports on the switch. F0/5 is shown here as an example.
1) From the S1 CLI, enter interface configuration mode for the port that connects to R1.
S1(config)# interface f0/5
2) Shut down the port.
S1(config-if)# shutdown
3) Enable port security on F0/5.
S1(config-if)# switchport port-security

Note: Entering the switchport port-security command sets the maximum MAC addresses to 1 and the violation action to shutdown. The switchport port-security maximum and switchport port-security violation commands can be used to change the default behavior. With the default shutdown action, a violation places the port in the err-disabled state; it stays down until an administrator issues shutdown followed by no shutdown on the interface, or until errdisable recovery for the psecure-violation cause has been configured.

4) Configure a static entry for the MAC address of the R1 G0/1 interface recorded in Step 2a.

The status is Secure-up, which indicates that the port is secure and the status and protocol are up.
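The steps in Parts 2 through 4 leave S1 in a known hardened state: management SVI on VLAN 99 rather than VLAN 1, a local privilege-15 user with SSH-only vty lines, SSH pinned to version 2 with the 75-second timeout and 2 retries, plain-text HTTP off and HTTPS on, and port security on the access ports. The script below is an added example, not part of the Cisco lab, that audits a saved running-config against that checklist so the same hardening can be verified on switches you did not configure by hand. Both config texts are constructed samples written in real IOS syntax; the port list and the static MAC address 0001.0203.0405 on F0/5 are assumptions rather than values from the lab.

```python
"""Audit an IOS running-config against this lab's hardening checklist.

Added example, not from the Cisco lab. Both config texts are constructed
samples in real IOS syntax; the port list and the static MAC on F0/5 are
assumptions, not values taken from the lab.
"""
from typing import Dict, List, Tuple

# Constructed sample: S1 after Parts 2-4 (abridged to the two lab ports).
HARDENED_CONFIG = """\
hostname S1
ip domain-name CCNA-Lab.com
username admin privilege 15 secret cisco
ip ssh version 2
ip ssh time-out 75
ip ssh authentication-retries 2
no ip http server
ip http secure-server
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 99
 switchport port-security
 switchport port-security mac-address 0001.0203.0405
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 99
 switchport port-security
interface Vlan99
 ip address 172.16.99.11 255.255.255.0
ip default-gateway 172.16.99.1
line vty 0 15
 login local
 transport input ssh
"""

# Constructed sample: the same switch before Parts 3-4 (management IP still on
# VLAN 1, HTTP on, Telnet accepted on the vty lines, no port security).
WEAK_CONFIG = """\
hostname S1
ip http server
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 99
interface Vlan1
 ip address 172.16.99.11 255.255.255.0
line vty 0 15
 password cisco
 login
"""


def parse_stanzas(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level lines and {'interface X' / 'line X': [indented lines]}."""
    top, stanzas, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:   # body line of the open stanza
            stanzas[current].append(line)
        elif line.startswith(("interface ", "line ")):
            current = line
            stanzas[current] = []
        else:
            current = None
            top.append(line)
    return top, stanzas


def audit(config: str) -> List[str]:
    """Return one finding per hardening step from the lab that the config fails."""
    top, stanzas = parse_stanzas(config)
    findings: List[str] = []
    if "ip http server" in top:
        findings.append("plain-text HTTP server enabled: add 'no ip http server'")
    if "ip http secure-server" not in top:
        findings.append("HTTPS server not enabled: add 'ip http secure-server'")
    if "ip ssh version 2" not in top:
        findings.append("SSH not pinned to version 2: add 'ip ssh version 2'")
    if not any(t.startswith("username ") and " secret " in t for t in top):
        findings.append("no local user with a 'secret' password for 'login local'")
    mgmt_svis: List[str] = []
    for header, body in stanzas.items():
        name = header.split(" ", 1)[1]
        has_ip = any(b.startswith("ip address ") for b in body)
        if header.startswith("line vty"):
            for required in ("transport input ssh", "login local"):
                if required not in body:
                    findings.append(f"{header}: missing '{required}'")
        elif name.lower() == "vlan1" and has_ip:
            findings.append("management IP is on VLAN 1: move it to a dedicated management VLAN")
        elif name.lower().startswith("vlan") and has_ip:
            mgmt_svis.append(name)
        elif name.startswith(("FastEthernet", "GigabitEthernet")) and "shutdown" not in body:
            if "switchport port-security" not in body:
                findings.append(f"{name}: active access port without 'switchport port-security'")
    if not mgmt_svis:
        findings.append("no management SVI on a non-default VLAN")
    return findings
```

Feed it the text of show running-config (for example saved from the console session): the weak sample produces nine findings, the hardened one none. Ports that are administratively shut down are deliberately skipped, since shutting unused ports is itself one of the Part 4 controls; an uplink that should be a trunk would need its own rule rather than the access-port check used here.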
e. From the R1 command prompt, ping PC-A to verify connectivity.
R1# ping 172.16.99.3
f. You will now violate security by changing the MAC address on the router interface. Enter interface configuration mode for G0/1 and shut it down.
R1# config t
R1(config)# interface g0/1
R1(config-if)# shutdown
g. Configure a new MAC address for the interface, using aaaa.bbbb.cccc as the address.
R1(config-if)# mac-address aaaa.bbbb.cccc
h. If possible, have a console connection open on S1 at the same time that you do this step. You will see various messages displayed on the console connection to S1 indicating a security violation. Enable the G0/1 interface on R1.
R1(config-if)# no shutdown
i. From R1 privileged EXEC mode, ping PC-A. Was the ping successful? Why or why not?

One excellent reason is that a user could not connect a device to the switch on an unused port and access the LAN.
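When the spoofed MAC on R1 G0/1 comes up, S1 logs a PSECURE_VIOLATION message naming the offending MAC and port and an ERR_DISABLE message for the port. Watching a console for those lines is fine in the lab, but in operation they arrive as syslog, so the following added example (not part of the Cisco lab) parses that text into structured violations, correlates the short interface name in the ERR_DISABLE line with the long name in the violation line, separates expected from unexpected MACs, and emits the manual recovery commands. The console lines are a constructed sample modelled on the IOS message formats; the timestamps are assumed.

```python
"""Pull port-security violations out of switch console/syslog text.

Added example, not from the Cisco lab. The console lines below are a
constructed sample modelled on the IOS PSECURE_VIOLATION and ERR_DISABLE
message formats; the timestamps are assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: what S1's console shows when R1's G0/1 comes back up
# with MAC aaaa.bbbb.cccc instead of the static secure address on Fa0/5.
SAMPLE_CONSOLE = """\
*Mar  1 00:12:31.115: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
*Mar  1 00:12:33.021: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
*Mar  1 00:12:33.029: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/5.
*Mar  1 00:12:34.038: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>[A-Za-z]+\d[\d/]*)"
)
ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)
LONG_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}


def expand_ifname(name: str) -> str:
    """Normalise 'Fa0/5' to 'FastEthernet0/5' so both message types key on the same port."""
    for short, full in LONG_NAMES.items():
        if name.startswith(short) and not name.startswith(full):
            return full + name[len(short):]
    return name


@dataclass
class Violation:
    port: str
    mac: str
    err_disabled: bool = False


def parse_violations(console_text: str) -> List[Violation]:
    """One Violation per PSECURE_VIOLATION line, flagged if the port was also err-disabled."""
    err_disabled: Set[str] = set()
    found: List[Violation] = []
    for line in console_text.splitlines():
        m = ERR_DISABLE_RE.search(line)
        if m:
            err_disabled.add(expand_ifname(m.group("port")))
            continue
        m = VIOLATION_RE.search(line)
        if m:
            found.append(Violation(expand_ifname(m.group("port")), m.group("mac")))
    # Applied after the loop because IOS does not guarantee the two messages' order.
    for v in found:
        v.err_disabled = v.port in err_disabled
    return found


def unexpected(violations: List[Violation], allowed_macs: Set[str]) -> List[Violation]:
    """Violations whose MAC is not one of the addresses expected on the port."""
    return [v for v in violations if v.mac not in allowed_macs]


def recovery_commands(v: Violation) -> List[str]:
    """Manual recovery once the cause is understood: bounce the err-disabled port."""
    return [f"interface {v.port}", "shutdown", "no shutdown"]
```

Run against the sample, the result is a single violation on FastEthernet0/5 by aaaa.bbbb.cccc with err_disabled set, which is exactly the state show port-security interface f0/5 reports after step h. Only issue the recovery commands after confirming why the MAC changed; re-enabling the port while the unexpected device is still attached simply triggers the violation again.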
Router Interface Summary Table

Router Interface Summary

Router Model   Ethernet Interface #1         Ethernet Interface #2         Serial Interface #1      Serial Interface #2
1800           Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2801           Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/1/0 (S0/1/0)    Serial 0/1/1 (S0/1/1)
2811           Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.