M11CDE Internet security Network configuration between three cities CISCO

M11CDE Skills-based Assessment 2011-12

School of Engineering & Computing Department of Computing

Internet Information Security(M11CDE)

Layered Security

Student Name: Saud Aljaloud

I certify that this is my own work yes/no and that I have read and understand the University Assessment regulations.

CU 01/11/2011 M11CDE


Submission DetailsThe details below indicate what you should submit, when you should submit it and where is should be submitted to.

Submission Date and Method

Deadline 18 st January 2012 both online and paper submission.

Submission Format:

1. Fill the online quiz for the practical test which will be available one week before the final fixed deadline.

2. Download an electronic copy of this document and where there are blanks or spaces to complete addressing information etc., please include them in the document. You submission should include the answers in the document, but do not change the document in any other way! If the document has been modified other than to include the required information your submission will be null and void.

3. Your files should be name as “SID_FIRSTNAME_SURNAME_FILENAME.xxx”. E.g. 100292_FIRSTNAME_SURNAME_ANSWERS.doc.

4. Save the configurations from all your network devices and embed them into the end of this document.

5. If you have attempted to configure VLANs, please also include a switch configuration from any one of your LAN switches. Please note that this must be a switch that you have actually configured VLANs on.

6. If you have implemented the network in Packet Tracer, you may consider submitting a copy of that as well but this is not compulsory.

Zero Tolerance for late submission:

If your work is late it will have to be marked zero according to new university policy. Please ensure you upload your work well before the deadline. You will be able to delete and update your work before the deadline.

Plagiarism Note:

As with all assessed work, both the research and written submission should be your own work. When submitting this work you are explicitly indicating that you have read the rules on plagiarism as defined in the University regulations and that all work is in fact your own, except where explicitly referenced using the accepted referencing style.

Feedback and marking:

The practical work will be marked by using the questions set in the online quiz and number of questions for each section will depend on the weightings set in the below sections. Feedbacks and marks will be provided once the online practical quiz is submitted.

CU 01/11/2011 M11CDE


Network topology

[Whilst the topology shows only two hosts on each LAN, you should configure four hosts on each LAN.]

CU 01/11/2011 M11CDE


Network Information

The WAN IP network address between Dundee and Glasgow is 209.154.17.0 with a

subnet mask of 255.255.255.0. The WAN IP network address between Edinburgh and

Glasgow is 209.154.16.0 with a subnet mask of 255.255.255.0. This is clearly shown on

the network topology.

Dundee information

The LAN for Dundee has been assigned an IP network address of 192.168.6.0

Each subnet of the above network needs to accommodate 14 host addresses. The subnet

mask will be 255.255.255.240. This is worked out by borrowing 4 bits from the final octet

and is shown in the table below.

Table 1 Custom Subnet Mask for Dundee

255 255 255 240

128 64 32 16 8 4 2 1 128 64 32 16 8 4 2 1 128 64 32 16 8 4 2 1 128 64 32 16 8 4 2 1

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0

Use the 6th usable subnet for the LAN. Do not use subnet zero as the first usable subnet.

The table below shows how the 6th usable network can be identified.

Network Network ID First Host Last Host Broadcast Mask

0 192.168.6.0 192.168.6.1 192.168.6.14 192.168.6.15 /28

1 192.168.6.16 192.168.6.17 192.168.6.30 192.168.6.31 /28

2 192.168.6.32 192.168.6.33 192.168.6.46 192.168.6.47 /28

3 192.168.6.48 192.168.6.49 192.168.6.62 192.168.6.63 /28

4 192.168.6.64 192.168.6.65 192.168.6.78 192.168.6.79 /28

5 192.168.6.80 192.168.6.81 192.168.6.94 192.168.6.95 /28

6 192.168.6.96 192.168.6.97 192.168.6.110 192.168.6.111 /28

7 192.168.6.112 192.168.6.113 192.168.6.126 192.168.6.127 /28

You should be able to identify the pattern (or magic number from the subnet mask). If it is

not immediately apparent subtract the last non-zero octet from 256.

CU 01/11/2011 M11CDE


Edinburgh information

The LAN for Edinburgh has been assigned an IP network address of 192.168.5.0

Again, each subnet of the above network needs to accommodate 14 host addresses.

The subnet mask will be 255.255.255.240. This is worked out by borrowing 4 bits from the

final octet and is shown in the table below.

Table 1 Custom Subnet Mask for Edinburgh

255 255 255 240

128 64 32 16 8 4 2 1 128 64 32 16 8 4 2 1 128 64 32 16 8 4 2 1 128 64 32 16 8 4 2 1

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0

Use the 4th usable subnet for the LAN. Do not use subnet zero as the first usable subnet.

You must follow the example for Dundee to complete the table for step 1 planning.

You should be able to identify the pattern (or magic number from the subnet mask). If it is

not immediately apparent subtract the last non-zero octet from 256.

CU 01/11/2011 M11CDE


The elements of the coursework are:

1. Planning and assigning addresses [30 marks]

2. Basic configuration [40 marks]

3. Security ACLs [10 marks]

4. Security VLANs [20 marks]

The basic theme is that Glasgow (GLA) is regional headquarters of the company.

Edinburgh and Dundee are branch offices. Each network associate (student) will be

responsible for an entire network. This means that using either the lab equipment in

ASG21/22 or Packet Tracer, you will configure 3 routers, 2 switches and 8 PCs.

A network address and specific number of hosts per subnet has been assigned for the

local LAN on each network (Edinburgh and Dundee). From the information provided, the

subnet address, the subnet mask, the first and last usable addresses and the broadcast

address for each site LAN need to be determined. (When using the router or Packet

Tracer - it is expected that you keep a copy of your router configuration at each stage, just

in case you run into problems).

CU 01/11/2011 M11CDE


Step 1 Planning

Using the chart below, plan the first ten usable subnets of the LAN address assigned to Edinburgh. You have been given the

first 6 addresses for Dundee, you are now expected to plan for the first 10 addresses for Edinburgh.

SubnetSubnet

Address

Subnet

Mask (/x)First Host Last Host Broadcast

0 192.168.5.0 /28 192.168.5.1 192.168.5.14 192.168.5.15

1 192.168.5.16 /28 192.168.5.17 192.168.5.30 192.168.5.31

2 192.168.5.32 /28 192.168.5.33 192.168.5.46 192.168.5.47

3 192.168.5.48 /28 192.168.5.49 192.168.5.62 192.168.5.63

4 192.168.5.64 /28 192.168.5.65 192.168.5.78 192.168.5.79

5 192.168.5.80 /28 192.168.5.81 192.168.5.94 192.168.5.95

6 192.168.5.96 /28 192.168.5.97 192.168.5.110 192.168.5.111

7 192.168.5.112 /28 192.168.5.113 192.168.5.126 192.168.5.127

8 192.168.5.128 /28 192.168.5.129 192.168.5.142 192.168.5.143

9 192.168.5.144 /28 192.168.5.145 192.168.5.158 192.168.5.159

0 192.168.5.0 /28 192.168.5.1 192.168.5.14 192.168.5.15

CU 17/11/2009 M11CDE


For the WAN links for DUN and EDN the lowest usable address on the networks must be used.

Identify and use the lowest usable WAN address for your S0 interface assigned to you for the two networks shown:

1 Dundee: S0 209.154.17.1

2 Edinburgh: S0 209.154.16.1

CU 17/11/2009 M11CDE

M11CDE Skills-based Assessment Version 1

For security reasons, all of the production workstations will be assigned the lower-half of

the IP addresses of the assigned subnet. All of the network devices and management

stations will be assigned the upper-half of the IP address numbers of the subnet assigned

for the LAN. From this upper half range of addresses, the Ethernet router interface (the

default gateway on each LAN) is to be assigned the highest usable address. Identify

the required IP address of the Ethernet interface on your two routers.

Address of your Ethernet interface on Dundee : 192.168.6.110

Address of your Ethernet interface on Edinburgh : 192.168.5.78

The host (PC) configurations must also be planned. Using the table, complete the host

information.

Branch: DUN IP Address Range

Production Host Range

(Lower half)192.168.6.97 - 192.168.6.103

Management Host Range

(Upper half)192.168.6.104 - 192.168.6.110

[5 marks for ranges of addresses]

Supply addresses for a production and management host.

Production Host (1)

IP Address 192.168.6.97

Subnet Mask 255.255.255.240.

Default Gateway 192.168.6.110

Management Host (1)

IP Address 192.168.6.104

Subnet Mask 255.255.255.240.


Branch: EDN IP Address Range

Production Host Range

(Lower half)192.168.5.65 - 192.168.5.71

Management Host Range

(Upper half)192.168.5.72 - 192.168.5.78

CU 17/11/2009 M11CDE


Supply addresses for a production and management host.

Production Host (1)

IP Address 192.168.5.65

Subnet Mask 255.255.255.240.


Management Host (1)

IP Address 192.168.5.72

Subnet Mask 255.255.255.240.


CU 17/11/2009 M11CDE


Step 2 Basic Configuration

Apply a basic configuration to the router. This configuration should include all the normal

configuration items. You must supply one router configuration file. This will be either

Dundee or Edinburgh. The router configuration files will be marked as follows:

Basic Configuration

Router name

Console and VTY configuration and passwords (use ‘cisco’, ‘class’ and ‘berril’ for

console, secret and VTY passwords respectively)

Interface configurations

DTE/DCE identified appropriately and clockrates set only on DCE

Routing correct and working (RIP is fine)

Host tables

Banner display before login – warn of unauthorised access

Basic Configuration (40 marks)

Security (ACLS - Marked as part of step 3)

1. ACLs correct and applied to correct interface in correct direction [10]

2. ACLs correct but not applied to correct interface or direction [7 - 9]

3. ACLs attempted but some errors or wrong placement [4 - 6]

4. ACLs attempted but incorrect and not applied properly [1- 3]

5. ACLs not attempted [0]

ACL Total (Total 10 marks)

CU 17/11/2009 M11CDE


Step 3 Security

There are several security concerns in the Internetwork. Develop Access Control Lists

(ACLs) to address security issues. The following problems must be addressed:

1. The production hosts in both the Edinburgh and Dundee networks are permitted

HTTP access to the 172.16.0.0 network, management hosts are permitted no

access to this network.

2. The company has discovered an Internet Web server at 198.145.7.1 that is known

to contain viruses. All hosts are banned from reaching this site.

The ACLs are worth 10 marks.

CU 17/11/2009 M11CDE


Step 4 VLANs

This step is the final 20% of the coursework mark. To achieve this step you should

consider how you might use a VLAN to separate the production and management LANs.

The goal is that neither network should be able to see the other network traffic. There is

no additional guidance on this part of the skills test as you are expected to identify:

1. An appropriate VLAN number to use for each VLAN.

2. An appropriate VLAN configuration.

3. Implement the VLAN and provide the switch configuration file(s) to show that the

VLAN has been implemented.

VLAN Marks

The VLAN component will be marked as follows:

VLAN configured and correct configuration supplied [20]

VLAN identified but configuration incomplete or incorrect [10 – 15]

VLAN attempted [5 – 10 depending on level of attempt]

VLAN not attempted [0]

VLAN (Total 20 marks)

Appendix

Network device configurations……

CU 17/11/2009 M11CDE


Configuration of Edinburgh Router:

Press RETURN to get started.

Warn of unauthorised access

User Access Verification

Password:

EDN>enPassword: EDN#sh runBuilding configuration...

Current configuration : 1179 bytes!version 12.2no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname EDN!!!enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1!!!!!!!!!!ip host 209.154.17.2 192.168.6.104 ip host DUN 209.154.17.2 192.168.6.104 ip host GLA 209.154.16.1 209.154.17.1 !!!!!!interface FastEthernet0/0 ip address 192.168.5.78 255.255.255.240 ip access-group 101 in duplex auto speed auto!interface FastEthernet1/0 no ip address duplex auto speed auto shutdown!

CU 17/11/2009 M11CDE


interface Serial2/0 ip address 209.154.16.2 255.255.255.0!interface Serial3/0 no ip address shutdown!interface FastEthernet4/0 no ip address shutdown!interface FastEthernet5/0 no ip address shutdown!router rip network 172.16.0.0 network 192.168.5.0 network 192.168.6.0 network 209.154.16.0 network 209.154.17.0!ip classless!!access-list 101 deny tcp 192.168.5.72 0.0.0.7 172.16.0.0 0.0.255.255 eq wwwaccess-list 101 permit tcp 192.168.5.64 0.0.0.7 172.16.0.0 0.0.255.255 eq www!banner motd ^C Warn of unauthorised access ^C!!!!line con 0 password cisco loginline vty 0 4 password berril login!!!end

EDN#

CU 17/11/2009 M11CDE


Configuration of Dundee Router:

Restricted Rights Legend

Use, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.

cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706

Cisco Internetwork Operating System SoftwareIOS (tm) PT1000 Software (PT1000-I-M), Version 12.2(28), RELEASE SOFTWARE (fc5)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2005 by cisco Systems, Inc.Compiled Wed 27-Apr-04 19:01 by miwang

PT 1001 (PTSC2005) processor (revision 0x200) with 60416K/5120K bytes of memory.Processor board ID PT0123 (0123)PT2005 processor: part number 0, mask 01Bridging software.X.25 software, Version 3.0.0.4 FastEthernet/IEEE 802.3 interface(s)2 Low-speed serial(sync/async) network interface(s)32K bytes of non-volatile configuration memory.63488K bytes of ATA CompactFlash (Read/Write)

Press RETURN to get started!

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up


%LINK-5-CHANGED: Interface Serial3/0, changed state to up

%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down

%SYS-5-CONFIG_I: Configured from console by console

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0, changed state to up Warn of unauthorised access


Password:

DUN>enPassword:

CU 17/11/2009 M11CDE


DUN#sh runBuilding configuration...

Current configuration : 1218 bytes!version 12.2no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname DUN!!!enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1!!!!!!!!!!ip host EDN 209.154.16.2 192.168.5.72 ip host GLA 209.154.16.1 209.154.17.1 !!!!!!interface FastEthernet0/0 ip address 192.168.6.110 255.255.255.240 ip access-group 102 in duplex auto speed auto!interface FastEthernet1/0 no ip address duplex auto speed auto shutdown!interface Serial2/0 no ip address ipv6 ospf cost 781 shutdown!interface Serial3/0 ip address 209.154.17.2 255.255.255.0 ipv6 ospf cost 781!interface FastEthernet4/0 no ip address shutdown!interface FastEthernet5/0

CU 17/11/2009 M11CDE


no ip address shutdown!router rip network 172.16.0.0 network 192.168.5.0 network 192.168.6.0 network 209.154.16.0 network 209.154.17.0!ip classless!!access-list 102 permit ip any anyaccess-list 102 permit tcp 192.168.6.96 0.0.0.7 172.16.0.0 0.0.255.255 eq wwwaccess-list 102 deny tcp 192.168.6.104 0.0.0.7 172.16.0.0 0.0.255.255 eq www!banner motd ^C Warn of unauthorised access ^C!!!!line con 0 password cisco loginline vty 0 4 password berril login!!!end

DUN#DUN#

CU 17/11/2009 M11CDE


Configuration of Glasgow Router:


Password: Password:

GLA>enPassword: GLA#sh runBuilding configuration...

Current configuration : 910 bytes!version 12.2no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname GLA!!!enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1!!!!!!!!!!ip host DUN 192.168.6.104 209.154.17.2 ip host EDN 192.168.5.72 209.154.16.2 !!!!!!interface FastEthernet0/0 ip address 172.16.1.1 255.255.0.0 ip access-group 10 out duplex auto speed auto!interface Serial2/0 ip address 209.154.16.1 255.255.255.0 clock rate 9600!interface Serial3/0 ip address 209.154.17.1 255.255.255.0 clock rate 9600!router rip network 172.16.0.0 network 192.168.5.0

CU 17/11/2009 M11CDE


network 192.168.6.0 network 209.154.16.0 network 209.154.17.0!ip classless!!access-list 10 permit anyaccess-list 10 deny host 198.145.7.1!banner motd ^C Warn of unauthorised access ^C!!!!line con 0 password cisco loginline vty 0 4 password berril login!!!end

GLA#GLA#

CU 17/11/2009 M11CDE


SwitchDun(config)#interface FastEthernet0/1SwitchDun(config-if)#SwitchDun(config-if)#SwitchDun(config-if)#switchport trunk allowed vlan add 1SwitchDun(config-if)#SwitchDun(config-if)#endSwitchDun#%SYS-5-CONFIG_I: Configured from console by consolecopy running-config startup-configDestination filename [startup-config]? Building configuration...[OK]SwitchDun#SwitchDun#copy running-config startup-configDestination filename [startup-config]? Building configuration...[OK]SwitchDun#SwitchDun#configure terminalEnter configuration commands, one per line. End with CNTL/Z.SwitchDun(config)#SwitchDun(config)#interface FastEthernet0/1SwitchDun(config-if)#SwitchDun(config-if)#SwitchDun(config-if)#switchport trunk allowed vlan add 1002SwitchDun(config-if)#%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to upduplex autoSwitchDun(config-if)#SwitchDun(config-if)#exitSwitchDun(config)#SwitchDun(config)#endSwitchDun#%SYS-5-CONFIG_I: Configured from console by consolecopy running-config startup-configDestination filename [startup-config]? Building configuration...[OK]SwitchDun#

SwitchDun con0 is now available


CU 17/11/2009 M11CDE


%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
























CU 17/11/2009 M11CDE





SwitchDun>SwitchDun>sh run ^% Invalid input detected at '^' marker.

SwitchDun>enSwitchDun#sh runBuilding configuration...

Current configuration : 599 bytes!version 12.1no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname SwitchDun!!!interface FastEthernet0/1 switchport access vlan 20 switchport trunk allowed vlan 1-1002 switchport mode trunk!interface FastEthernet1/1 switchport access vlan 10!interface FastEthernet2/1 switchport access vlan 10!interface FastEthernet3/1 switchport access vlan 20!interface FastEthernet4/1 switchport access vlan 20!interface Vlan1 no ip address shutdown!!line con 0!line vty 0 4 loginline vty 5 15 login!!

CU 17/11/2009 M11CDE


end

SwitchDun#SwitchDun#

-------------------Destination filename [startup-config]? Building configuration...[OK]SwitchEDN#SwitchEDN#sh runBuilding configuration...

Current configuration : 521 bytes!version 12.1no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname SwitchEDN!!!interface FastEthernet0/1 shutdown!interface FastEthernet1/1 switchport access vlan 10!interface FastEthernet2/1 switchport access vlan 10!interface FastEthernet3/1 switchport access vlan 20!interface FastEthernet4/1 switchport access vlan 20!interface Vlan1 no ip address shutdown!!line con 0!line vty 0 4 loginline vty 5 15 login!!end

SwitchEDN#SwitchEDN#

CU 17/11/2009 M11CDE


SwitchEDN#SwitchEDN#configure terminalEnter configuration commands, one per line. End with CNTL/Z.SwitchEDN(config)#interface FastEthernet0/1SwitchEDN(config-if)#no shutdown



SwitchEDN(config-if)#SwitchEDN(config-if)#exitSwitchEDN(config)#interface FastEthernet0/1SwitchEDN(config-if)#SwitchEDN(config-if)#exitSwitchEDN(config)#interface FastEthernet0/1SwitchEDN(config-if)#SwitchEDN(config-if)#exitSwitchEDN(config)#SwitchEDN(config)#interface FastEthernet0/1SwitchEDN(config-if)#%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down


SwitchEDN(config-if)#switchport mode trunkSwitchEDN(config-if)#SwitchEDN(config-if)#exitSwitchEDN(config)#interface FastEthernet0/1SwitchEDN(config-if)#SwitchEDN(config-if)#exitSwitchEDN(config)#interface FastEthernet0/1SwitchEDN(config-if)#SwitchEDN(config-if)#switchport mode trunkSwitchEDN(config-if)#

SwitchEDN con0 is now available


CU 17/11/2009 M11CDE


SwitchEDN>enableSwitchEDN#configure terminalEnter configuration commands, one per line. End with CNTL/Z.SwitchEDN(config)#interface FastEthernet0/1SwitchEDN(config-if)#

SwitchEDN con0 is now available


SwitchEDN>SwitchEDN>enSwitchEDN#sh runBuilding configuration...

Current configuration : 534 bytes!version 12.1no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname SwitchEDN!!!interface FastEthernet0/1 switchport mode trunk!interface FastEthernet1/1 switchport access vlan 10!interface FastEthernet2/1 switchport access vlan 10!interface FastEthernet3/1 switchport access vlan 20!interface FastEthernet4/1 switchport access vlan 20!

CU 17/11/2009 M11CDE


interface Vlan1 no ip address shutdown!!line con 0!line vty 0 4 loginline vty 5 15 login!!end

SwitchEDN#

CU 17/11/2009 M11CDE

M11CDE Internet security Network configuration between three cities CISCO

Documents

immediately

ip address

console copy

management

ip network

config destination

interface

interface