S1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
[ ... ]
Vlan1                  unassigned      YES manual administratively down down
Vlan99                 172.16.99.11    YES manual up                    down
S1#
What is the status and protocol for management interface VLAN 99? Status is up, and protocol is down.
Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99? No active physical port on the switch has been assigned to VLAN 99. The line protocol of an SVI only comes up once VLAN 99 exists in the VLAN database and at least one access or trunk port carrying that VLAN is up and forwarding; an SVI with no live port behind it stays up/down.
Assign ports F0/5 and F0/6 to VLAN 99 on the switch.
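The port assignment the step asks for, written out as an added example rather than output from the original lab. Port numbers follow the lab topology (F0/5 to R1, F0/6 to the PC); the VLAN name "Management" is an illustrative choice.

```ios
! Added example: create VLAN 99, put the two in-use access ports into it, and confirm the SVI comes up.
S1# configure terminal
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)# interface range fastEthernet 0/5-6
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 99
S1(config-if-range)# no shutdown
S1(config-if-range)# end
! Vlan99 changes from up/down to up/up only after at least one of these ports is up/up.
S1# show vlan brief | include 99
S1# show ip interface brief | include Vlan99
```

If Vlan99 is still up/down after this, check that the cabled device on F0/5 or F0/6 is actually powered and linked; a port that is assigned to the VLAN but down does not count toward bringing the SVI up.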
S1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
[ ... ]
Vlan1                  unassigned      YES manual administratively down down
Vlan99                 172.16.99.11    YES manual up                    up
S1#
Step 4: Verify connectivity between devices.
From PC, ping the default gateway address on R1.
PC>ping 172.16.99.1
Pinging 172.16.99.1 with 32 bytes of data:
Reply from 172.16.99.1: bytes=32 time=1ms TTL=255
Reply from 172.16.99.1: bytes=32 time=0ms TTL=255
Reply from 172.16.99.1: bytes=32 time=0ms TTL=255
Reply from 172.16.99.1: bytes=32 time=0ms TTL=255
Ping statistics for 172.16.99.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
PC>
From PC, ping the management address of S1.
PC>ping 172.16.99.11
Pinging 172.16.99.11 with 32 bytes of data:
Reply from 172.16.99.11: bytes=32 time=1ms TTL=255
Reply from 172.16.99.11: bytes=32 time=0ms TTL=255
Reply from 172.16.99.11: bytes=32 time=0ms TTL=255
Reply from 172.16.99.11: bytes=32 time=0ms TTL=255
Ping statistics for 172.16.99.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
PC>
From S1, ping the default gateway address on R1.
S1#ping 172.16.99.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
S1#
Step 5: Configure and verify SSH access on S1.
Enable SSH on S1. From global configuration mode, create a domain name of kelaspar.ir (the RSA key pair is named after hostname.domain-name, so both must be set first).
S1(config)#ip domain-name kelaspar.ir
Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative-level access (privilege level 15), and the password should be stored as a hashed secret rather than a reversible password.
Generate an RSA crypto key using a modulus of 1024 bits. This is the lab value; on production equipment use at least 2048 bits (SSH version 2 requires a modulus of at least 768 bits).
S1(config)#crypto key generate rsa
The name for the keys will be: S1.kelaspar.ir
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
S1(config)#
Verify the SSH configuration and answer the questions below.
S1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
S1#
What version of SSH is the switch using? 1.99, which means the switch accepts both SSHv1 and SSHv2 clients. SSHv1 is deprecated; restricting the switch to version 2 makes this line report version 2.0.
How many authentication attempts does SSH allow? 3
What is the default timeout setting for SSH? 120 seconds
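The full SSH configuration for this step, including the pieces the lab narrative leaves implicit (the local user, the vty lines, forcing version 2), as an added example that is not part of the original lab. The username, secret, ACL name and timeout values are illustrative; the domain name and the 172.16.99.0/24 management subnet come from the lab.

```ios
! Added example: SSH access on S1 with the hardening the lab does not show.
S1# configure terminal
S1(config)# hostname S1
S1(config)# ip domain-name kelaspar.ir
! Local account with administrative (level 15) access; 'secret' stores a hash, 'password' would not.
S1(config)# username admin privilege 15 secret Str0ngP@ssw0rd!
! The lab uses 1024 bits; 2048 is the sensible minimum on real gear.
S1(config)# crypto key generate rsa modulus 2048
! SSHv2 only, so 'show ip ssh' reports version 2.0 instead of 1.99.
S1(config)# ip ssh version 2
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2
! Accept management sessions only from the management VLAN subnet.
S1(config)# ip access-list standard MGMT-ACCESS
S1(config-std-nacl)# permit 172.16.99.0 0.0.0.255
S1(config-std-nacl)# exit
! vty lines: SSH only (no Telnet), authenticate against the local database, idle timeout.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 0
S1(config-line)# access-class MGMT-ACCESS in
S1(config-line)# end
S1# show ip ssh
S1# show running-config | section line vty
```

After this, verify from the PC with ssh -l admin 172.16.99.11 and confirm that a Telnet attempt to the same address is refused; transport input ssh is what closes the plain-text path that login local alone would leave open.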
Part 7: Configure and verify security features on S1.
Configure a message of the day (MOTD) banner on S1 with an appropriate security warning message.
S1(config)#banner motd #
Enter TEXT message. End with the character '#'.
Unauthorized access is strictly prohibited. #
S1(config)#
Shut down all unused physical ports on the switch. Use the interface range command.
S1(config)#interface range fastEthernet 0/1-4, fastEthernet 0/7-24, gigabitEthernet 0/1-2
S1(config-if-range)#shutdown
Issue the show ip interface brief command on S1. What is the status of ports F0/1 to F0/4? Administratively down.
Issue the show ip http server status command.
S1# show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
What is the HTTP server status? Enabled
What server port is it using? 80
What is the HTTP secure server status? Enabled
What secure server port is it using? 443
HTTP sessions send everything in plain text, including the enable password the server uses for authentication (HTTP server authentication method: enable), so disable the HTTP service running on S1. Note that this command removes only the listener on port 80: the output above shows the HTTPS server still enabled on port 443, and every cipher suite it offers (3DES, DES, RC4) is legacy. If web management is not needed at all, disable the secure server as well.
S1(config)# no ip http server
Configure and verify port security on S1. First record the MAC address of R1 Fa0/1: from the R1 CLI, issue the show interfaces fa0/1 command and note the hardware (bia) address.
R1#show interfaces fastEthernet 0/1
FastEthernet0/1 is administratively down, line protocol is down (disabled)
Hardware is Lance, address is 0001.4262.c002 (bia 0001.4262.c002)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00,
Last input 00:00:08, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
R1#
What is the MAC address of the R1 fa0/1 interface? 0001.4262.c002
From the S1 CLI, issue a show mac address-table command from privileged EXEC mode. Find the dynamic entries for ports F0/5 and F0/6. Record them below.
S1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  99    0001.4262.c001    DYNAMIC     Fa0/5
  99    000c.cfde.1237    DYNAMIC     Fa0/6
S1#
From the S1 CLI, enter interface configuration mode for the port that connects to R1 (F0/5) and shut down the port before enabling port security on it: limit the port to one MAC address, statically configure the address of the device attached to the port, set the violation mode to shutdown, and then re-enable the port. The output below confirms those settings (Maximum MAC Addresses 1, Configured MAC Addresses 1, Violation Mode Shutdown).
Verify port security on S1 F0/5 by issuing a show port-security interface command.
S1#show port-security interface fastEthernet 0/5
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.4262.C001:99
Security Violation Count : 1
What is the port status of F0/5? The output shows Secure-shutdown, not Secure-up: the port has been err-disabled by the shutdown violation mode (Security Violation Count 1). The last source address seen, 0001.4262.C001, does not match the single configured secure address. It is the address the MAC table learned on F0/5 earlier, whereas the address recorded from R1 Fa0/1 (0001.4262.c002) belongs to an interface that was administratively down, so the wrong R1 address was secured. Once the configured secure address matches the attached device and the port is bounced, the status reads Secure-up, which indicates that port security is enabled and the port is up/up.
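The Part 7 hardening as one pass, added here as an example that is not part of the original lab. It covers the steps above (unused ports, HTTP) plus the two things the lab output exposes: the HTTPS server that no ip http server leaves running, and recovery of F0/5 from the Secure-shutdown state. The secure address on F0/5 is the one the MAC table learned on that port (0001.4262.c001); the sticky configuration on F0/6, the restrict violation mode and the errdisable recovery timer are illustrative choices, and errdisable recovery is a real-IOS feature that may not be available in a simulator.

```ios
! Added example: switch hardening for S1 in one pass.
S1# configure terminal
! 1. Shut down every port that is not in use (only F0/5 and F0/6 carry traffic).
S1(config)# interface range fastEthernet 0/1-4, fastEthernet 0/7-24, gigabitEthernet 0/1-2
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! 2. 'no ip http server' removes only the port 80 listener; the HTTPS server on 443
!    (3DES/DES/RC4 suites in the output above) stays up unless it is disabled too.
S1(config)# no ip http server
S1(config)# no ip http secure-server
! 3. Port security on the uplink to R1: one static address, shutdown on violation.
!    Use the address actually seen on F0/5, not that of an R1 interface that is not attached here.
S1(config)# interface fastEthernet 0/5
S1(config-if)# shutdown
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 1
S1(config-if)# switchport port-security mac-address 0001.4262.c001
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# no shutdown
S1(config-if)# exit
! 4. Port security on the PC port with sticky learning: the first address seen is written
!    into the running config as a secure entry; 'restrict' drops and logs instead of err-disabling.
S1(config)# interface fastEthernet 0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 1
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit
! 5. Optional (real IOS): bring err-disabled ports back automatically after 5 minutes.
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! Manual recovery of a port in Secure-shutdown: bounce it after correcting the secure address.
S1# configure terminal
S1(config)# interface fastEthernet 0/5
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end
S1# show port-security interface fastEthernet 0/5
S1# show port-security address
S1# copy running-config startup-config
```

After the bounce, show port-security interface fastEthernet 0/5 should report Port Status : Secure-up with the violation count unchanged (the counter is cumulative), and show port-security address lists the static entry for F0/5 and the sticky entry learned on F0/6. Save the configuration, otherwise the sticky address is lost on reload and the first device to connect after the reboot becomes the secure host.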