CCNA Security V3 Lab Guide
Author: Rohit Pardasani, Triple CCIE # 21282 (R/S, SP and Security)
Nov 08, 2014
Copyrights ACIT Education Pvt Ltd 2010-2011 Website: http://www.acit.in; Email: [email protected]
A Note from the Author

I would like to take this opportunity to thank you for participating in the CCNA Security training from ACIT Education Pvt Ltd. I have based the book pattern on the CCNA Security Blueprint. It is broken down into 5 Modules. There are in total 66 lab exercises. These labs give you the foundation to attempt the CCNA Security Exam. This book also contains a complete solution video in which I have configured and explained each topic in detail.

Rohit Pardasani
CCIE # 21282 (R/S, SP, Security)
ACIT Bootcamps

• Instructed by a well-known Triple CCIE instructor.
• 5 days of intense CCNA Security® training.
• Covers all the topics listed in the CCNA® Security Blueprint.
• Each topic will be discussed in the classroom environment by our expert instructor.
• A mock test will be conducted and graded on the last day to analyze your knowledge and readiness.
• Includes our CCNA® Security Lab Guide for free.
• Access to our expert instructor staff after the CCNA® Security BootCamp.
• For a group of eight or more, we can bring this bootcamp to your office anywhere in the world.
• Excellent retake policy, which allows you to retake this course for free for up to one year, as long as there is a seat available in the class.
• Compliant with the latest CCNA Security changes announced by Cisco Systems.

For International Customers: ACIT offers an attractive and convenient travel package for customers traveling from around the world to attend our training programs. ACIT will assign a dedicated account manager to work with our delegates' travel needs. A single point of contact will make your travel and learning experience unique and easy. Please check our online schedule and contact us for any training requirements in international locations.
Disclaimer: CCNA®, Cisco® IOS®, Cisco® Systems, the Cisco® logo, and Networking Academy are registered trademarks or trademarks of Cisco® Systems Inc.
Table of Contents:

Module 1: Basic Router Configuration. Control Administrative Access for Routers. Configure Administrative Roles. Create Banners on Routers. Configure SSH Access. Create Various Privileges. SDM Access.
Module 2: RIP Authentication. NTP. Syslog. ACS with TACACS+ and RADIUS Authentication using CLI and SDM.
Module 3: EIGRP Authentication. CBAC. Zone-Based Firewall using SDM. IOS IPS.
Module 4: Site-to-Site VPN using CLI. Site-to-Site VPN using SDM. Easy VPN Server using CLI. Easy VPN Server using SDM.
Module 5: Port Security. Storm Control. SPAN. One-Step Lockdown.
CCNA Security Lab Guide
Module 1:
Objective
1.1 Assign Router1 a hostname of R1
Solution:
R1
Router>enable
Router#config terminal
Router(config)#hostname R1
R1(config)#
1.2 Configure ip address on R1 router on int ser0/0 with
12.0.0.1/24. Verify if clock rate is required.
Solution:
R1# conf terminal
R1(config)#interface Serial0/0
R1(config-if)#ip add 12.0.0.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#exit
R1#show controllers serial0/0
Interface Serial0/0
Hardware is PowerQUICC MPC860
DTE V.35 clocks stopped.
(R1 is the DTE end of the cable, so no clock rate is needed here; the DCE end supplies the clock.)
1.3 Configure Router2 with a hostname R2
Solution:
R2
Router>enable
Router#Config Terminal
Router(config)#hostname R2
R2(config)#
1.4 Configure ip address on R2 on int ser0/0 with 12.0.0.2/24
Solution:
R2(config)#interface Serial0/0
R2(config-if)#ip add 12.0.0.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#exit
1.5 Configure R2 serial0/0 with clock rate 64000 as R2 is DCE.
Verify before adding it with the command show controllers serial0/0 on R2.
Solution:
R2#show controllers serial0/0
Interface Serial0/0
Hardware is PowerQUICC MPC860
DCE V.35, no clock
(Since it is DCE , clock rate is required)
R2#config terminal
R2(config)#interface serial0/0
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#exit
1.6 Save both R1 and R2 by issuing the wr command in
privilege mode.
Solution:
R1# wr
R2#wr
1.7 Configure enable password cisco on both routers
Solution:
R1#conf t
R1(config)# enable password cisco
R1(config)#exit
R1#exit
R2#conf t
R2(config)# enable password cisco
R2(config)#exit
R2#exit
1.8 Verify where it is used.
Solution:
R1>enable
Here it will ask you for the password that you set with the enable password command.
R1#
R2>enable
Here it will ask you for the password that you set with the enable password command.
R2#
1.9 Configure enable secret acitedu on both routers
Solution:
Now set the enable secret password on R1
R1#config terminal
R1(config)#enable secret acitedu
R1(config)#exit
R1#exit
Now set the enable secret password on R2
R2#config terminal
R2(config)#enable secret acitedu
R2(config)#exit
R2#exit
1.10 Verify where it is used and which one takes preference.
Solution:
R1>enable
Here it will ask you for the enable secret password: when both are configured, enable secret takes precedence over enable password.
Try cisco as the password. It will not work.
Now try acitedu as the password. It works.
R1#
Now try the same on R2
R2>enable
Here too it asks for the enable secret password, not the enable password.
Try cisco as the password. It will not work.
Now try acitedu as the password. It works.
R2#
1.11 Change the minimum password length to 10 characters on
R1
Solution:
R1#config terminal
R1(config)#security passwords min-length 10
R1(config)#exit
R1#
1.12 Verify it by changing the enable password to cisco12345
and enable secret passwords to acitedu123 on R1.
Solution:
R1#config terminal
R1(config)#enable secret acitedu
It is rejected: the password is shorter than 10 characters.
R1(config)#enable password cisco
It is rejected for the same reason.
Now set the enable secret to acitedu123 and the enable password to cisco12345, both 10 characters long:
R1(config)#enable password cisco12345
R1(config)#enable secret acitedu123
R1(config)#exit
R1#
1.13 Configure R1 with the line console password as
console123 and line vty password to vty1234567
Solution:
This task solution is given together with task 1.14
1.14 Verify where line console and line vty password is used
Solution:
R1#config terminal
R1(config)#line con 0
R1(config-line)#password console123
R1(config-line)#exit
R1(config)#exit
R1#exit
You land directly in user EXEC mode (R1>). No password is asked for because login has not been configured under line con 0; a line password without login is never checked.
Now put login under line con 0
R1#config terminal
R1(config)#line con 0
R1(config-line)#login
R1(config-line)#exit
R1(config)#exit
R1#exit
Now it will ask you the console password.
Now configure vty.
R1#config terminal
R1(config)#line vty 0 4
R1(config-line)#password vty1234567
R1(config-line)#exit
R1(config)#exit
R1#exit
Telnet from R2 to R1. It asks for the password; give vty1234567 and it works. You did not have to add login under line vty 0 4 because vty lines have login configured by default (the console does not).
1.15 Ensure that all passwords on R1 are stored in encrypted
format.
Solution:
R1# sh run
All passwords are visible in clear text.
R1#config terminal
R1(config)#service password-encryption
R1(config)#exit
R1#sh run
Now the line and username passwords are shown as type 7 strings. Be clear about what this does and does not give you: type 7 is a reversible obfuscation that only stops someone reading the password off a displayed config, not encryption, and freely available tools recover the plaintext instantly. The enable secret is stored as a salted MD5 hash (type 5) regardless of this command. Wherever a secret form exists (enable secret, username ... secret), prefer it over a password that service password-encryption merely hides.
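The following Python script is an added example (not part of the lab guide or of any Cisco tool) that reverses a type 7 string, to show concretely what the previous step does and does not protect. The key string and layout are the publicly documented ones; the sample config fragment is constructed, and its enable secret line is a placeholder rather than a real hash.

```python
"""Decode and re-encode Cisco IOS 'type 7' passwords.

Added example (not from the lab guide): shows that `service
password-encryption` only obfuscates. The scheme is a fixed-key XOR,
so anyone who can read the running-config can recover every line and
username password it protects. Only `enable secret` (a salted MD5
hash in this IOS generation) is non-reversible.
"""
import re
from typing import List, Tuple

# Fixed key used by IOS for type 7 obfuscation (public for decades).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string, e.g. '0822455D0A16' -> 'cisco'.

    Layout: two decimal digits giving the start offset into the key,
    then one hex byte per character, each XORed with the key byte at
    (offset + position) mod len(key).
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    if seed >= len(_TYPE7_KEY):
        raise ValueError("seed out of range: %d" % seed)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 8) -> str:
    """Produce the string IOS would store for `plain` (inverse of decode)."""
    if not 0 <= seed < len(_TYPE7_KEY):
        raise ValueError("seed must be 0..%d" % (len(_TYPE7_KEY) - 1))
    body = bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plain.encode("ascii")))
    return "%02d%s" % (seed, body.hex().upper())


# Matches 'enable password 7 <hex>', ' password 7 <hex>', 'username x password 7 <hex>' ...
_TYPE7_LINE = re.compile(r"^\s*(.*?)\s+7\s+([0-9A-Fa-f]{4,})\s*$", re.MULTILINE)


def find_type7_in_config(config: str) -> List[Tuple[str, str]]:
    """Return (command prefix, recovered plaintext) for every type 7 secret in a config."""
    return [(m.group(1), decode_type7(m.group(2))) for m in _TYPE7_LINE.finditer(config)]


# Constructed running-config fragment. The type 7 strings encode 'cisco' and
# 'console123'; the enable secret line is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$salt$placeholder-not-a-real-hash
enable password 7 0822455D0A16
line con 0
 password 7 02050B55180903241D1C5A
 login
"""

if __name__ == "__main__":
    for prefix, secret in find_type7_in_config(SAMPLE_CONFIG):
        print("%-20s -> %s" % (prefix, secret))
```

Run it against any saved IOS config to see how little service password-encryption buys; the enable secret line is skipped because there is nothing to reverse.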
1.16 Create a username rohit password acit123456 on R1
Solution:
R1#config terminal
R1(config)#username rohit password acit123456
1.17 Ensure that console and telnet connections on R1 are now
asking username and password.
Solution:
R1#config terminal
R1(config)# line vty 0 4
R1(config-line)#login local
R1(config-line)#exit
R1(config)# line con 0
R1(config-line)#login local
R1(config-line)#exit
R1(config)#exit
R1#exit
It will now ask you for username and password.
Telnet from R2 to R1. It will ask you for username and password.
1.18 Block telnet attempts on R1 for 2 min if authentication fails
2 times within 1 minute. Log successful attempts and
unsuccessful attempts.
Solution:
R1#config terminal
R1(config)# login block-for 120 attempts 2 within 60
R1(config)#login on-failure log
R1(config)#login on-success log
R1(config)#exit
R1#
Now telnet from R2 and give the correct username and password. You will see a LOGIN_SUCCESS log on R1. Telnet from R2 to R1 again and give a wrong username and password twice. R1 now enters quiet mode for 2 minutes and logs it. You can verify the block by telnetting from R2 to R1 again; the connection is refused.
Note that the failure counter is global, not per source: once the router is in quiet mode nobody can telnet to R1, including the administrator. To exempt the administrator's IP from the block, permit it in an ACL and bind the ACL to quiet mode:
R1(config)#access-list 101 permit ip host 1.1.1.1 any
R1(config)#login quiet-mode access-class 101
You can verify this by creating a loopback on R1 with IP 1.1.1.1/32 and, after R2 has been blocked, telnetting from R1 to itself with the loopback as the source:
R1#telnet 12.0.0.1 /source-interface loopback0
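An added example, not from the lab guide: a Python simulation of the block-for logic above, replayed over constructed syslog lines in the shape that login on-failure log and login on-success log produce (the epoch-second prefix and the message bodies are approximations, not captured router output). It treats each log line as one login attempt so that the quiet-mode decision can be seen per attempt, and models the quiet-mode ACL as a list of permitted networks.

```python
"""Simulate IOS `login block-for 120 attempts 2 within 60` with a
`login quiet-mode access-class` exemption, driven by syslog-style lines.

Added example, not part of the lab guide. The log lines are constructed:
the epoch-second prefix and the SEC_LOGIN bodies approximate what
`login on-failure log` / `login on-success log` emit. As on IOS, the
failure counter is global (all sources together) and quiet mode refuses
every new login except sources permitted by the quiet-mode ACL.
"""
import re
from ipaddress import ip_address, ip_network
from typing import List, Optional

LOGIN_RE = re.compile(
    r"^(?P<ts>\d+)\s+%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS):.*?"
    r"\[Source:\s*(?P<src>[\d.]+)\]"
)


class LoginBlockPolicy:
    def __init__(self, block_for: int, attempts: int, within: int,
                 quiet_mode_permit: Optional[List[str]] = None):
        self.block_for = block_for          # seconds of quiet mode
        self.attempts = attempts            # failures that trigger it
        self.within = within                # ...inside this many seconds
        # equivalent of `access-list 101 permit ip host 1.1.1.1 any`
        self.permit = [ip_network(p) for p in (quiet_mode_permit or [])]
        self.failures: List[int] = []       # timestamps of recent failures
        self.quiet_until: Optional[int] = None

    def _exempt(self, src: str) -> bool:
        return any(ip_address(src) in net for net in self.permit)

    def attempt(self, ts: int, event: str, src: str) -> str:
        """Return the router's decision for one login attempt."""
        if self.quiet_until is not None:
            if ts < self.quiet_until:
                if not self._exempt(src):
                    return "BLOCKED"        # connection refused, no auth attempted
            else:
                self.quiet_until = None     # quiet period over, new watch window
                self.failures.clear()
        if event == "LOGIN_SUCCESS":
            return "SUCCESS"
        # keep only failures still inside the `within` window, then add this one
        self.failures = [t for t in self.failures if ts - t <= self.within] + [ts]
        if len(self.failures) >= self.attempts:
            self.quiet_until = ts + self.block_for
            self.failures.clear()
            return "QUIET_MODE_ON"
        return "FAILED"


def replay(log: str, policy: LoginBlockPolicy) -> List[str]:
    """Feed each parsable SEC_LOGIN line to the policy and collect the decisions."""
    decisions = []
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue                        # not a SEC_LOGIN line
        decisions.append(policy.attempt(int(m["ts"]), m["event"], m["src"]))
    return decisions


# Constructed attempt stream: a good login, two failures 20 s apart, a blocked
# retry, the exempt admin host during quiet mode, and a login after it expires.
SAMPLE_LOG = """\
1000 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rohit] [Source: 12.0.0.2] [localport: 23]
1010 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 12.0.0.2] [localport: 23] [Reason: Login Authentication Failed]
1030 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 12.0.0.2] [localport: 23] [Reason: Login Authentication Failed]
1040 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rohit] [Source: 12.0.0.2] [localport: 23]
1050 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rohit] [Source: 1.1.1.1] [localport: 23]
1160 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rohit] [Source: 12.0.0.2] [localport: 23]
"""


def lab_policy() -> LoginBlockPolicy:
    """The lab's settings: block-for 120 attempts 2 within 60, admin host exempt."""
    return LoginBlockPolicy(120, 2, 60, quiet_mode_permit=["1.1.1.1/32"])


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG, lab_policy())):
        print(decision.ljust(14), line[:70])
```

The replay makes the lockout visible: the second failure at 1030 starts quiet mode until 1150, the legitimate login from 12.0.0.2 at 1040 is refused, the admin host 1.1.1.1 still gets in, and 12.0.0.2 works again at 1160. Without the quiet-mode ACL the admin host is refused as well.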
1.19 Set the inactivity time to 1 minute 10 secs on console and
vty.
Solution:
R1#config terminal
R1(config)#line con 0
R1(config-line)#exec-timeout 1 10
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#exec-timeout 1 10
R1(config-line)#exit
R1(config)#exit
R1#
Telnet from R2 to R1 and log in with the correct username and password. Stay idle for 1 minute 10 seconds and you are logged out. (The IOS default is 10 minutes; exec-timeout 0 0 disables the timeout entirely and should be avoided on vty lines.)
1.20 Create a username ccnasec with password ccnasec123
and privilege 3.
Solution:
R1#config terminal
R1(config)#username ccnasec privilege 3 password ccnasec123
1.21 Assign privilege level 3 the permission to issue show ip route. Assign privilege level 3 the permission to enter configure terminal, to enter interface configuration mode and to shut and no shut the interface. Also give privilege level 3 permission to add and remove static routes.
Solution:
R1(config)#privilege interface level 3 shutdown
R1(config)#privilege interface level 3 no shutdown
R1(config)#privilege configure level 3 ip route
R1(config)#privilege configure level 3 interface
R1(config)#privilege configure level 3 no ip route
R1(config)#privilege exec level 3 configure terminal
R1(config)#privilege exec level 3 show ip route
Now telnet from R2 to R1 and log in with username ccnasec and password ccnasec123. Check that you can issue show ip route.
When you type show ? you will see additional show commands as well. This is because level 3 inherits every command already available at levels 0 and 1.
Check that you can enter configure terminal.
Check that you can add and remove a static route with
ip route 1.1.1.1 255.255.255.255 serial0/0
no ip route 1.1.1.1 255.255.255.255 serial0/0
Check that you can enter interface fa0/0, shut it and then no shut it.
You will see that under interface fa0/0 the ip address command is not available, because we did not grant it to level 3. Privilege levels are cumulative and command-based: anything not explicitly moved to level 3 or below stays at level 15.
1.22 Create username ccie with password ccie123456 and
assign it to a role called MYVIEW. This user should only
have rights to do show ip route and show ip int brief.
Solution:
R1#config terminal
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#username ccie view MYVIEW password ccie123456
Now create a view called MYVIEW
R1(config)#exit
R1#enable view
It will ask you for a password. Put the password acitedu. This is your enable
secret password.
R1#config terminal
R1(config)#parser view MYVIEW
R1(config-view)#secret view123
R1(config-view)#commands exec include show ip route
R1(config-view)#commands exec include show ip int brief
R1(config-view)#exit
R1(config)#exit
R1#wr
Now telnet from R2 to R1. It will ask for a username and password; use ccie and ccie123456. Once logged on you are in user EXEC mode. This user does not know the enable secret (the administrator will not give it out), so he switches to the view with the command below:
R1>enable view MYVIEW
Give the password of the view, view123. You can now use only the two commands included in the view, show ip route and show ip int brief.
1.23 Create an MOTD banner “Welcome to MOTD”
Create an exec banner “Welcome to exec”
Verify both the banners
Solution:
R1#conf terminal
R1(config)#banner motd $ Welcome to MOTD $
R1(config)#banner exec $ Welcome to exec $
R1(config)#exit
R1#
Now telnet from R2 to R1. The MOTD banner is shown before the login prompt; after you log in with username and password the EXEC banner is shown. (In production, banners should state that access is restricted and monitored rather than "Welcome": a welcoming banner can weaken an unauthorized-access case.)
1.24 Prepare the router for SDM access. Verify if SDM opens.
Solution:
R1#config terminal
R1(config)#ip http server
R1(config)#ip http secure-server (if you want to reach the router over HTTPS)
R1(config)#ip http authentication local
(ip http authentication local makes the HTTP server check the local username database; since aaa new-model was enabled earlier, ip http authentication aaa would use the AAA login method list instead.)
To verify, give R1 interface fas0/0 the IP 10.0.0.1/24.
Now connect a PC to R1 fas0/0 and give the PC IP 10.0.0.110/24 with gateway 10.0.0.1.
Open Internet Explorer and type http://10.0.0.1
Log in with username rohit and password acit123456. SDM will not open: HTTP access needs a privilege 15 user, and rohit is still at level 1.
Now assign rohit privilege 15.
R1(config)#username rohit privilege 15 password acit123456
Open Internet Explorer and type http://10.0.0.1 again. It works.
Plain HTTP sends this privilege 15 credential in the clear; outside the lab, keep only ip http secure-server and remove ip http server.
1.25 Configure R2 for SSH access. Create username cisco and
password as cisco12345. Use domain name “acit.in” and
Configure the RSA keys with 1024 for the number of modulus
bits. Verify by doing ssh from R1.
Solution:
R2#config terminal
R2(config)#username cisco password cisco12345
R2(config)#ip domain-name acit.in
R2(config)#crypto key generate rsa general-keys modulus 1024
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#exit
R2(config)#
Now SSH from R1 to R2 with the following command.
R1#ssh -l cisco 12.0.0.2
Give the password cisco12345 and it works.
Two things the task leaves out that you should add outside the lab: the vty lines still accept telnet, so restrict them with transport input ssh and force ip ssh version 2; and a 1024-bit modulus is the lab's value, not current practice, which is 2048 bits or more.
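To tie Module 1 together, here is an added Python audit script (not from the lab guide) that parses a constructed running-config resembling what R1 looks like after these tasks and reports what a security reviewer would still flag. The config text, the checks and the wording of the findings are my own; the type 7 strings in the sample are constructed values and the enable secret line is a placeholder, not a real hash.

```python
"""Audit a Cisco IOS running-config against the hardening steps of Module 1.

Added example, not from the lab guide. `audit()` returns a list of
finding strings and changes nothing. SAMPLE_CONFIG is constructed to
resemble R1 after tasks 1.1 to 1.25; its enable secret is a placeholder.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^(line|interface|router|parser view|key chain)\b")


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split a config into {'global': [...], 'line vty 0 4': [...], ...} using indentation."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):                      # sub-command of the current section
            sections.setdefault(current, []).append(line.strip())
        elif SECTION_RE.match(line):                  # new section header
            current = line
            sections.setdefault(current, [])
        else:                                         # top-level global command
            current = "global"
            sections["global"].append(line)
    return sections


def _has(pattern: str, lines: List[str]) -> bool:
    return any(re.match(pattern, l) for l in lines)


def audit(config: str) -> List[str]:
    s = parse_sections(config)
    g = s["global"]
    out: List[str] = []
    if not _has(r"enable secret ", g):
        out.append("no enable secret: privileged access has no hashed password")
    if _has(r"enable password ", g):
        out.append("enable password present: remove it, enable secret already takes precedence "
                   "and the type 7 string is reversible")
    if not _has(r"service password-encryption$", g):
        out.append("service password-encryption missing: line/username passwords stored in cleartext")
    m = next((re.match(r"security passwords min-length (\d+)$", l) for l in g
              if l.startswith("security passwords")), None)
    if m is None or int(m.group(1)) < 10:
        out.append("security passwords min-length unset or below 10")
    for l in g:
        um = re.match(r"username (\S+) (?:privilege \d+ )?password ", l)
        if um:
            out.append("user '%s' stored with 'password' (type 0/7); use 'username ... secret'" % um.group(1))
    if not _has(r"login block-for ", g):
        out.append("login block-for not configured: no throttling of password guessing")
    if not _has(r"ip ssh version 2$", g):
        out.append("ip ssh version 2 not set: SSHv1 may still be negotiated")
    if _has(r"ip http server$", g):
        out.append("ip http server enabled: SDM/HTTP management in cleartext; use ip http secure-server only")
    for name, lines in s.items():
        if not name.startswith("line "):
            continue
        if name.startswith("line vty"):
            ti = next((l for l in lines if l.startswith("transport input")), None)
            if ti is None or "telnet" in ti or ti.endswith(" all"):
                out.append("%s: telnet allowed (%s); set 'transport input ssh'"
                           % (name, ti or "transport input not set, check the platform default"))
        et = next((l for l in lines if l.startswith("exec-timeout")), None)
        if et is None:
            out.append("%s: exec-timeout not set (IOS default is 10 minutes)" % name)
        elif et.split()[1:3] == ["0", "0"]:
            out.append("%s: exec-timeout 0 0 disables the idle logout" % name)
        if not any(l.startswith("login") for l in lines) and not _has(r"aaa new-model$", g):
            out.append("%s: no 'login' configured and AAA not enabled" % name)
    return out


# Constructed: roughly what R1's running-config looks like after Module 1.
SAMPLE_CONFIG = """\
service password-encryption
security passwords min-length 10
enable secret 5 $1$salt$placeholder-not-a-real-hash
enable password 7 0822455D0A16
username rohit privilege 15 password 7 02050B55180903241D1C5A
ip http server
ip http authentication local
login block-for 120 attempts 2 within 60
interface Serial0/0
 ip address 12.0.0.1 255.255.255.0
line con 0
 exec-timeout 1 10
 login local
line vty 0 4
 exec-timeout 1 10
 login local
 transport input all
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

On the sample it reports five gaps: the leftover enable password, the username stored as a reversible password, no ip ssh version 2, cleartext HTTP management, and telnet still allowed on the vty lines; the console line passes because it has both an exec-timeout and login local.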
Module 2:
Objective
2.1 Erase all routers before you start your lab.
Solution:
R1#erase startup-config
R1#reload
R2#erase startup-config
R2#reload
R3#erase startup-config
R3#reload
2.2 Configure R1 router with the hostname as R1.Configure
interface fastethernet0/0 with ip address as 10.0.0.1/24 and serial
0/0 with ip address as 12.0.0.1/24.
Solution:
R1
Router>en
Router#config t
Router(config)#hostname R1
R1(config)#interface fa0/0
R1(config-if)#ip add 10.0.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface serial 0/0
R1(config-if)#ip address 12.0.0.1 255.255.255.0
R1(config-if)#no shutdown
2.3 Configure R2 router with the hostname as R2.Configure
interface serial 0/0 with ip address as 12.0.0.2/24 and make this
interface DCE. Configure interface serial0/1 with the ip address
23.0.0.2/24 and make this interface DCE.
Solution:
R2:
Router>en
Router#config t
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 12.0.0.2 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shutdown
R2(config-if)#interface serial 0/1
R2(config-if)#ip address 23.0.0.2 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shutdown
2.4 Configure R3 router with the hostname as R3.Configure
interface loopback0 with ip address 3.3.3.3/32 and serial 0/0 with
ip address as 23.0.0.3/24.
Solution:
R3:
Router>en
Router#config t
Router(config)#hostname R3
R3(config)#interface loop 0
R3(config-if)#ip address 3.3.3.3 255.255.255.255
R3(config-if)#interface serial 0/0
R3(config-if)#ip address 23.0.0.3 255.255.255.0
R3(config-if)#no shutdown
2.5 Configure RIPv2 as the routing protocol on all routers and
configure authentication between R1 and R2 using the strongest
possible method with password as ACIT and key id as 1.
Configure authentication between R2 and R3 using clear
text.Use password as ROHIT. Make sure you are able to ping
from R1 to R3.
Solution:
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#network 12.0.0.0
R1(config-router)#network 10.0.0.0
R1(config-router)#exit
R1(config)#key chain RIP12
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string ACIT
R1(config-keychain-key)#exit
R1(config-keychain)#exit
R1(config)#int se0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain RIP12
R1(config-if)#exit
R1(config)#exit
R1#wr
Now Configure R2.
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#network 12.0.0.0
R2(config-router)#network 23.0.0.0
R2(config-router)#exit
R2(config)#key chain RIP12
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string ACIT
R2(config-keychain-key)#exit
R2(config)#key chain RIP23
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string ROHIT
R2(config-keychain-key)#exit
R2(config-keychain)#int se0/0
R2(config-if)#ip rip authentication mode md5
R2(config-if)#ip rip authentication key-chain RIP12
R2(config-if)#int se0/1
R2(config-if)#ip rip authentication mode text
R2(config-if)#ip rip authentication key-chain RIP23
R2(config-if)#exit
R2(config)#exit
R2#wr
Now Configure R3
R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#no auto-summary
R3(config-router)#network 23.0.0.0
R3(config-router)#network 3.0.0.0
R3(config-router)#exit
R3(config)#key chain RIP23
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string ROHIT
R3(config-keychain-key)#exit
R3(config-keychain)#int se0/0
R3(config-if)#ip rip authentication mode text
R3(config-if)#ip rip authentication key-chain RIP23
R3(config-if)#exit
R3(config)#exit
R3#wr
To verify that the RIP routes have been learned, issue show ip route on each router and ping 3.3.3.3 from R1.
Make sure the key in each key chain matches on both ends of the link; show key chain displays the configured key-strings. Note the difference between the two modes: with mode md5 only a keyed-MD5 digest travels in each update, whereas with mode text the key ROHIT is carried in clear text in every RIP packet on the R2-R3 link and can be read off the wire. MD5 is the strongest method RIPv2 offers here, and the key ID must match on both neighbours.
2.6 Configure R2 as the NTP server with stratum value of 2 and configure NTP authentication with password CISCO. Configure R1 from the command line as the NTP client of R2, and configure R3 as the NTP client of R2 using SDM.  Change the clock on R2 to today's date and time. Verify that the clients have synchronized.
Solution:
R1#config terminal
R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 CISCO
R1(config)#ntp trusted-key 1
R1(config)#ntp server 12.0.0.2 key 1
On the client, ntp authenticate and ntp trusted-key 1 are what make R1 reject unauthenticated or wrongly keyed replies; defining the key alone does nothing.
R2#configure terminal
R2(config)#ntp master 2
R2(config)#ntp authentication-key 1 md5 CISCO
Set today's date and time on R2 in privileged mode with clock set hh:mm:ss day month year before checking synchronization; an NTP master serves whatever its clock says, correct or not.
R3#config terminal
R3(config)#ip http server
Access R3 via SDM .
Once SDM starts Go to Additional Tasks
Open Router Properties and then NTP.
Click on ADD
Choose Ntp Server ip address as 23.0.0.2
Click on Authentication key
Key Number As 1
Key Value as CISCO
Click on OK
Click on SAVE Tab on the TOP.
Verify on R3 by doing show run if the ntp configuration has come.
Now verify R1 if the time has synchronized with R2 by giving show ntp
association detail. You will get the following output:
R1#sh ntp associations detail
12.0.0.2 configured, authenticated, our_master, sane, valid, stratum 2
ref ID 127.127.7.1, time D12123E6.20435B6D (21:53:42.126 Tue Mar 8 2011)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 14.618
delay 28.96 msec, offset 1.5571 msec, dispersion 0.11
precision 2**18, version 3
org time D12123E7.BED7556D (21:53:43.745 UTC Tue Mar 8 2011)
rcv time D12123E7.C226B1B9 (21:53:43.758 UTC Tue Mar 8 2011)
xmt time D12123E7.BAA98CDE (21:53:43.729 UTC Tue Mar 8 2011)
filtdelay = 28.96 29.19 28.92 28.95 29.02 30.36 28.96 28.98
filtoffset = 1.56 1.68 1.55 1.62 1.69 0.76 1.53 1.52
filterror = 0.02 0.99 1.97 2.94 3.92 4.90 5.87 6.85
This shows that R1 has authenticated R2 (authenticated), selected it as its time source (our_master) and that the association is sane and valid at stratum 2. reach 377 means the last eight polls all succeeded.
Now check R3 the same way.
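An added Python example, not from the lab guide, of what ntp authentication-key 1 md5 CISCO produces on the wire: the client builds a request, appends the key-ID plus MD5(key || header) authenticator, and the server side verifies it against its trusted keys. The packet fields are constructed, the dictionary of trusted keys stands in for ntp trusted-key, and the keyed MD5 digest (not an HMAC) is the one NTPv3/v4 symmetric-key authentication specifies.

```python
"""Build and verify the symmetric-key MD5 authenticator NTP uses when
IOS is configured with `ntp authentication-key 1 md5 CISCO`.

Added example, not from the lab guide. The MAC (RFC 1305/5905 style)
is key ID + MD5(key || 48-byte NTP header). It is a keyed digest, not an
HMAC, and its strength rests entirely on the secrecy of the key, which
IOS stores reversibly (type 7) in the running-config. The packet below
is a constructed client request, not captured traffic.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16            # key identifier + MD5 digest


def build_client_packet(transmit_seconds: int, version: int = 3) -> bytes:
    """Minimal NTP client request: LI=0, VN=version, mode=3 (client)."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    header = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)   # stratum, poll, precision
    header += b"\x00" * 12                                 # root delay, root dispersion, ref id
    header += b"\x00" * 24                                 # reference, origin, receive timestamps
    header += struct.pack("!II", transmit_seconds, 0)      # transmit timestamp (sec, frac)
    assert len(header) == NTP_HEADER_LEN
    return header


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the authenticator the client sends when `ntp server ... key <id>` is set."""
    digest = hashlib.md5(key + packet[:NTP_HEADER_LEN]).digest()
    return packet[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, trusted_keys: Dict[int, bytes]) -> Optional[int]:
    """Return the key ID that authenticates `packet`, or None.

    `trusted_keys` mirrors `ntp authentication-key` plus `ntp trusted-key`:
    a key that is defined but not trusted must not be in the dict.
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return None
    key_id = struct.unpack("!I", packet[48:52])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + packet[:NTP_HEADER_LEN]).digest()
    return key_id if hmac.compare_digest(expected, packet[52:]) else None


def lab_checks() -> Tuple[Optional[int], Optional[int], Optional[int], Optional[int]]:
    """Good key, wrong key, untrusted key id, tampered header."""
    pkt = append_mac(build_client_packet(0xD12123E7), 1, b"CISCO")
    tampered = bytearray(pkt)
    tampered[40] ^= 0x01          # flip a bit in the transmit timestamp
    return (
        verify_mac(pkt, {1: b"CISCO"}),
        verify_mac(pkt, {1: b"WRONG"}),
        verify_mac(pkt, {2: b"CISCO"}),
        verify_mac(bytes(tampered), {1: b"CISCO"}),
    )


if __name__ == "__main__":
    print(lab_checks())   # (1, None, None, None)
```

The three None results are exactly the cases the client-side ntp authenticate and ntp trusted-key commands are there to catch: a peer with the wrong key, a key ID the router does not trust, and a packet modified in transit.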
2.7 Install Kiwi application on PC1 and give the PC1 an ip of
10.0.0.110/24 with gateway as 10.0.0.1 and configure R1 using
CLI to send all informational syslog messages to the Kiwi syslog
server. Configure R2 using SDM to send all informational syslog
messages to kiwi syslog server. Verify in the kiwi syslog server
if they have come.
Solution:
Install Kiwi software on your PC. Now configure R1 via CLI.
R1#config Terminal
R1(config)#logging host 10.0.0.110
R1(config)#logging trap informational
Now configure Syslog on R2 via SDM
Connect to R2 via SDM
GO to Additional Tasks
Click on Router properties
Click on Logging
Click on EDIT
Enable the Logging Level checkbox and choose level informational.
Click on ADD and type the IP address of the Kiwi server, 10.0.0.110.
Disable the Logging Buffered checkbox, click OK and Apply, and then click the SAVE button at the top.
Now verify that the logs arrive by going to the R1 and R2 routers and doing shut and no shut on int fas0/1.
You will now see the link up/down messages in the Kiwi syslog server. logging trap informational forwards severities 0 (emergencies) through 6 (informational) and drops level 7 (debugging); the login success and failure messages from task 1.18 are severity 5 and 4, so they reach the syslog server too, which is where evidence of a password-guessing attempt should end up.
2.8 Install ACS server on PC1. Configure R1 with a username
rohit and password acit in the local user database . Configure a
username called user1 and password user1 in the ACS server.
Configure R1 to ask for authentication whenever you connect to the console. This authentication should first use TACACS+ and, if the TACACS+ server fails, fall back to the local database. Use the CLI method to achieve this task.
Solution:
Install ACS on your PC
R1#config terminal
R1(config)#username rohit password acit
Now create an account on ACS server.
Open ACS and click on User Setup
Type the username as user1 and click on Add/Edit
Enter the password as user1 and click on Submit
R1(config)#aaa new-model
R1(config)#aaa authentication login default group tacacs+ local
R1(config)#tacacs-server host 10.0.0.110 key cisco
Now add R1 as a client on ACS server.
Click on Network Configuration Tab
Choose AAA server name as ACS123
Choose AAA Server ip address as 10.0.0.110
Type key as cisco
Choose AAA server type as CiscoSecure ACS
Click on Submit and Apply.
Now click on ADD entry on AAA clients Column
Choose AAA client hostname as R1
Choose AAA client ip address as 10.0.0.1
Choose the shared secret as cisco
Choose Authenticate using Tacacs+ (Cisco IOS)
Click on Submit and Apply
Now verify.
R1(config)#exit
R1#exit
Here it asks for username and password.
Try username rohit and password acit. It will not work: the TACACS+ server is reachable and rejects the credentials, and IOS moves to the next method only when a method errors (server unreachable), not when it fails. Now try username user1 and password user1. It works.
Now shut interface fas 0/0 of R1 so that the TACACS+ server becomes unreachable, and try again.
This time user1 will not work (the local database does not know it) but username rohit with password acit will, because the fallback to local has now kicked in.
Bring interface fas0/0 on R1 back up before going to the next lab.
Now start the interface Fas0/0 again on R1 before going to next lab.
2.9 Configure R1 in such a way that it uses TACACS+ for authentication whenever anyone remotely accesses R1. If TACACS+ fails it should use the line password for authentication. Use the CLI method to achieve this task.
Solution:
R1#config terminal
R1(config)#aaa authentication login REMOTE group tacacs+ line
R1(config)#line vty 0 4
R1(config-line)#login authentication REMOTE
R1(config-line)#password cisco
R1(config-line)#exit
R1(config)#exit
R1#
Now verify.
R2#telnet 12.0.0.1
Log in with username user1 and password user1. You will be able to log on.
Now shut down int fas 0/0 on R1 so that the TACACS+ server is unreachable, and try again from R2.
This time it does not ask for a username, only for a password, because the line method checks only the line password. Give cisco and it works.
Bring interface fas0/0 on R1 back up before going to the next lab.
2.10 Configure R3 in such a way that it uses Radius for
authentication whenever anyone remotely accesses R3.If
Radius fails it should use enable password for authentication.
USE CLI method to achieve this task.
Solution:
R3(config)#aaa new-model
R3(config)#aaa authentication login default group radius enable
R3(config)#radius-server host 10.0.0.110 key cisco
R3(config)#enable secret cisco
Now add R3 as a client of the ACS server.
Click on ADD entry in the AAA Clients column
Choose AAA client hostname as R3
Choose AAA client IP address as 23.0.0.3
Choose the shared secret as cisco
Choose Authenticate using RADIUS (Cisco IOS/PIX 6.0)
Click on Submit and Apply
Now verify.
R2#telnet 23.0.0.3
Log in with username user1 and password user1. You will be able to log on.
Now shut down int fas 0/0 on R1 so that the RADIUS server is unreachable, and try again from R2.
This time it asks for a username and password. The username can be any word, since the enable method ignores it; the password must be the enable secret, cisco. It works.
Bring interface fas0/0 on R1 back up before going to the next lab.
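The shared key cisco that tasks 2.8 to 2.10 enter on both the router and ACS is what protects the AAA traffic itself. This added Python example (not from the lab guide) implements the two algorithms as specified in RFC 8907 section 4.5 (TACACS+ body obfuscation) and RFC 2865 section 5.2 (RADIUS User-Password hiding), plus an offline dictionary check of the RADIUS secret that shows why a weak key is a problem. The TACACS+ body, session ID, request authenticator and wordlist are constructed values.

```python
"""How the shared key from `tacacs-server host ... key cisco` and
`radius-server host ... key cisco` is used on the wire, and why a weak
one matters.

Added example, not from the lab guide. TACACS+ (RFC 8907 section 4.5)
XORs the packet body with an MD5 chain seeded by session id, key,
version and sequence number; RADIUS (RFC 2865 section 5.2) hides
User-Password with MD5(secret || previous block) blocks. Neither is an
authenticated cipher, and both allow an offline dictionary attack on the
key once a single packet has been captured. All values below are
constructed, not captured.
"""
import hashlib
import struct
from typing import Iterable, Optional


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(sid|key|ver|seq); pad_n = MD5(sid|key|ver|seq|pad_n-1); concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret || c_(i-1)), with c_0 = Request-Authenticator."""
    if not 0 < len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def crack_radius_secret(hidden: bytes, request_auth: bytes, known_password: bytes,
                        candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack: one captured Access-Request plus a known user password
    lets an attacker test shared-secret guesses without touching the server."""
    for guess in candidates:
        if radius_reveal_password(hidden, guess, request_auth) == known_password:
            return guess
    return None


# Constructed TACACS+ authentication START body (action, priv_lvl, authen_type,
# service, then user/port/rem_addr/data lengths and the user name) and a fixed
# 16-byte request authenticator standing in for the random one a NAS generates.
TACACS_BODY = bytes([0x01, 0x01, 0x01, 0x01, 5, 0, 0, 0]) + b"user1"
SESSION_ID = 0x1234ABCD
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    enc = tacacs_obfuscate(TACACS_BODY, SESSION_ID, b"cisco")
    print(enc.hex(), tacacs_obfuscate(enc, SESSION_ID, b"cisco") == TACACS_BODY)
    hidden = radius_hide_password(b"user1", b"cisco", REQUEST_AUTH)
    print(crack_radius_secret(hidden, REQUEST_AUTH, b"user1", [b"secret", b"cisco", b"admin"]))
```

The practical consequence for the lab topology: with the key cisco, anyone who can sniff the 10.0.0.0/24 segment between R1 and the ACS server (or any RADIUS hop) and who knows one test account's password recovers the shared secret by dictionary, and from then on reads every TACACS+ session body. Use a long random key per device, and prefer TACACS+ over RADIUS where the whole body, not just the password, needs covering.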
2.11 Ensure that R3 will not ask for any type of authentication
for console access. USE CLI method to achieve this task.
Solution:
Before you start this lab, log off from R3 and check whether you are asked to authenticate. You are, because the default method list (aaa authentication login default group radius enable) applies to line console 0 automatically; it asks you for a username and password.
R3#config terminal
R3(config)#
R3(config)#aaa authentication login CON none
R3(config)#line console 0
R3(config-line)#login authentication CON
R3(config-line)#exit
R3(config)#exit
R3#
Now verify by logging out of R3.
R3#exit
The console now drops you straight into user EXEC mode with no username or password; only the enable secret is asked for when you enter enable. Treat an unauthenticated console as a deliberate, physically protected exception, never a default.
R3>
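Tasks 2.8 to 2.11 each demonstrate one rule by experiment; the added Python model below (not from the lab guide, with constructed servers and users) encodes that rule: IOS moves to the next method in a login method list only on ERROR (no answer from the server group), never on FAIL (a rejection). The lab_scenarios function replays the four tasks.

```python
"""Model of IOS AAA login method-list fallback, as exercised in tasks 2.8
to 2.11. Added example, not from the lab guide; servers and users are
constructed.

The point the labs demonstrate: IOS moves to the next method only when
the current one returns ERROR (server unreachable), never when it
returns FAIL (bad credentials). So with `group tacacs+ local`, a user
that exists only locally is rejected while the TACACS+ server is up.
"""
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"       # server answered and rejected the credentials (final)
    ERROR = "error"     # no answer: try the next method


class AAAServer:
    """A TACACS+ or RADIUS server as seen by the router (one member of a server group)."""
    def __init__(self, users: Dict[str, str], reachable: bool = True):
        self.users, self.reachable = users, reachable

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class Router:
    def __init__(self, local_users: Dict[str, str], enable_secret: Optional[str],
                 line_password: Optional[str], groups: Dict[str, List[AAAServer]]):
        self.local_users, self.enable_secret = local_users, enable_secret
        self.line_password, self.groups = line_password, groups

    def _run_method(self, method: str, user: str, password: str) -> Result:
        if method.startswith("group "):
            for server in self.groups.get(method[6:], []):
                r = server.authenticate(user, password)
                if r is not Result.ERROR:
                    return r            # first server that answers decides
            return Result.ERROR         # whole group unreachable
        if method == "local":
            return Result.PASS if self.local_users.get(user) == password else Result.FAIL
        if method == "line":            # username is not checked, only the line password
            if self.line_password is None:
                return Result.ERROR
            return Result.PASS if password == self.line_password else Result.FAIL
        if method == "enable":          # username ignored, enable secret checked
            if self.enable_secret is None:
                return Result.ERROR
            return Result.PASS if password == self.enable_secret else Result.FAIL
        if method == "none":
            return Result.PASS
        raise ValueError("unknown method %r" % method)

    def login(self, method_list: str, user: str, password: str) -> Tuple[bool, str]:
        """Walk the list like `aaa authentication login NAME m1 m2 ...`.
        Returns (granted, method that decided); all ERROR means lockout."""
        for method in _split_methods(method_list):
            r = self._run_method(method, user, password)
            if r is Result.PASS:
                return True, method
            if r is Result.FAIL:
                return False, method
        return False, "all methods errored"


def _split_methods(spec: str) -> List[str]:
    """'group tacacs+ local' -> ['group tacacs+', 'local']"""
    words, out, i = spec.split(), [], 0
    while i < len(words):
        if words[i] == "group":
            out.append("group " + words[i + 1])
            i += 2
        else:
            out.append(words[i])
            i += 1
    return out


def lab_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Tasks 2.8 to 2.11 with the ACS user user1/user1 and local user rohit/acit."""
    acs_users = {"user1": "user1"}
    up = Router({"rohit": "acit"}, "cisco", "cisco",
                {"tacacs+": [AAAServer(acs_users)], "radius": [AAAServer(acs_users)]})
    down = Router({"rohit": "acit"}, "cisco", "cisco",
                  {"tacacs+": [AAAServer(acs_users, reachable=False)],
                   "radius": [AAAServer(acs_users, reachable=False)]})
    return {
        "2.8 tacacs up, rohit": up.login("group tacacs+ local", "rohit", "acit"),
        "2.8 tacacs up, user1": up.login("group tacacs+ local", "user1", "user1"),
        "2.8 tacacs down, user1": down.login("group tacacs+ local", "user1", "user1"),
        "2.8 tacacs down, rohit": down.login("group tacacs+ local", "rohit", "acit"),
        "2.9 tacacs down, line": down.login("group tacacs+ line", "", "cisco"),
        "2.10 radius down, enable": down.login("group radius enable", "anyword", "cisco"),
        "2.11 console none": up.login("none", "", ""),
        "no fallback, server down": down.login("group tacacs+", "user1", "user1"),
    }


if __name__ == "__main__":
    for name, result in lab_scenarios().items():
        print("%-28s %s" % (name, result))
```

The last scenario is the one the labs warn about with "so that you do not get locked out": a method list with only a server group and no local, line or enable fallback denies everyone while the server is down.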
2.12 Configure R2 in such a way that it uses Tacacs+ for
authentication for any type of connection. USE SDM to achieve
this task.
Solution:
Add R2 as a client on ACS server.
Click on Network Configuration Tab
Now click on ADD entry on AAA clients Column
Choose AAA client hostname as R2
Choose AAA client ip address as 12.0.0.2
Choose the shared secret as cisco
Choose Authenticate using Tacacs+ (Cisco IOS)
Click on Submit and Apply
Now log on R2 via SDM
Once SDM starts Go to Additional Tasks
Click on AAA
Click on Enable AAA
You will get an error message that a username with privilege 15 must exist first. Create one on R2:
R2(config)#username ccnasec privilege 15 password ccnasec
Now try again via SDM by clicking Enable AAA.
SDM adds some commands automatically as a precaution so that you do not get locked out of the router when AAA is turned on.
Now Click on AAA servers under AAA tab and click on ADD
Choose Server type as Tacacs+
Put Server IP as 10.0.0.110
And Key as cisco
Now Click on login under Authentication Policies and click on Edit
Click on Add and Choose Group Tacacs+
Move the tacacs+ up and local below .
Now do ok.
Now verify by logging out of R2.
R2#exit
Here it asks for username and password. Use username user1 and password user1.