Lab – Configuring Switch Security Features

Cisco Packet Tracer

Topology

Addressing Table

Step 1: Configure an IP address on PC.

PC>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::20C:CFFF:FEDE:1237
   IP Address......................: 172.16.99.3
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 172.16.99.1

PC>

Step 2: Configure basic settings on R1.

  • Configure the device name.

Router>
Router>enable
Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#
  • Disable DNS lookup.

R1(config)#no ip domain-lookup 
  • Configure interface IP address as shown in the Addressing Table.

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 172.16.99.1 255.255.255.0
R1(config-if)#no shut
  • Assign class as the privileged EXEC mode password.

R1(config)#enable secret class
  • Assign cisco as the console and vty password and enable login.

R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#
  • Encrypt plain text passwords.

R1(config)#service password-encryption 
  • Save the running configuration to startup configuration.

R1(config)#end
R1#copy running-config startup-config 
Destination filename [startup-config]? 
Building configuration...
[OK]
R1#

Step 3: Configure basic settings on S1.

  • Configure the device name.

Switch>enable 
Switch#configure terminal 
Switch(config)#hostname S1
S1(config)#
  • Disable DNS lookup.

S1(config)#no ip domain-lookup 
  • Assign class as the privileged EXEC mode password.

S1(config)#enable secret class
  • Assign cisco as the console and vty password and then enable login.

S1(config)#line console 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#line vty 0 4
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#
  • Configure a default gateway for S1 using the IP address of R1.

S1(config)#ip default-gateway 172.16.99.1
  • Encrypt plain text passwords.

S1(config)#service password-encryption
  • Save the running configuration to startup configuration.

S1(config)#end
S1#copy running-config startup-config 
Destination filename [startup-config]? 
Building configuration...
[OK]
S1#
  • Create VLAN 99 on the switch and name it Management.

S1#configure terminal 
S1(config)#vlan 99
S1(config-vlan)#name Management
S1(config-vlan)#exit
S1(config)#
  • Configure the VLAN 99 management interface IP address, as shown in the Addressing Table, and enable the interface.

S1(config)#interface vlan 99
S1(config-if)#ip address 172.16.99.11 255.255.255.0
S1(config-if)#no shutdown 
S1(config-if)#end
S1#
  • Issue the show vlan command on S1.

S1#show vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
99   Management                       active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
S1#

What is the status of VLAN 99? Active

  • Issue the show ip interface brief command on S1.

S1#show ip interface brief 
Interface              IP-Address      OK? Method Status                Protocol
 
[ ... ]                 
 
Vlan1                  unassigned      YES manual administratively down down
 
Vlan99                 172.16.99.11    YES manual up                    down
S1#

What is the status and protocol for management interface VLAN 99? Status is up, and protocol is down.

Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99? No physical ports on the switch have been assigned to VLAN 99.

  • Assign ports F0/5 and F0/6 to VLAN 99 on the switch.

S1#configure terminal 
S1(config)#interface range fastEthernet 0/5-6
S1(config-if-range)#switchport mode access 
S1(config-if-range)#switchport access vlan 99
S1(config-if-range)#end
S1#
  • Issue the show ip interface brief command on S1.

S1#show ip interface brief 
Interface              IP-Address      OK? Method Status                Protocol
 
[ ... ]                 
 
Vlan1                  unassigned      YES manual administratively down down
 
Vlan99                 172.16.99.11    YES manual up                    up
S1#

Step 4: Verify connectivity between devices.

  • From PC, ping the default gateway address on R1.

PC>ping 172.16.99.1

Pinging 172.16.99.1 with 32 bytes of data:

Reply from 172.16.99.1: bytes=32 time=1ms TTL=255
Reply from 172.16.99.1: bytes=32 time=0ms TTL=255
Reply from 172.16.99.1: bytes=32 time=0ms TTL=255
Reply from 172.16.99.1: bytes=32 time=0ms TTL=255

Ping statistics for 172.16.99.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

PC>
  • From PC, ping the management address of S1.

PC>ping 172.16.99.11

Pinging 172.16.99.11 with 32 bytes of data:

Reply from 172.16.99.11: bytes=32 time=1ms TTL=255
Reply from 172.16.99.11: bytes=32 time=0ms TTL=255
Reply from 172.16.99.11: bytes=32 time=0ms TTL=255
Reply from 172.16.99.11: bytes=32 time=0ms TTL=255

Ping statistics for 172.16.99.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

PC>
  • From S1, ping the default gateway address on R1.

S1#ping 172.16.99.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms

S1#

Step 5: Configure and verify SSH access on S1.

  • Enable SSH on S1. From global configuration mode, create a domain name of kelaspar.ir.

S1(config)#ip domain-name kelaspar.ir
  • Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.

S1(config)#username admin privilege 15 secret sshadmin
  • Configure the transport input for the vty lines to allow SSH connections only, and use the local database for authentication.

S1(config)#line vty 0 4
S1(config-line)#transport input ssh
S1(config-line)#login local
S1(config-line)#exit
S1(config)#
  • Generate an RSA crypto key using a modulus of 1024 bits.

S1(config)#crypto key generate rsa 
The name for the keys will be: S1.kelaspar.ir
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

S1(config)#
  • Verify the SSH configuration and answer the questions below.

S1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
S1#

What version of SSH is the switch using? 1.99

How many authentication attempts does SSH allow? 3

What is the default timeout setting for SSH? 120 seconds

Step 6: Modify the SSH configuration on S1.

  • Modify the default SSH configuration.

S1#configure terminal 
S1(config)#ip ssh time-out 75
S1(config)#ip ssh authentication-retries 2
S1(config)#

Step 7: Configure and verify security features on S1.

  • Configure a message of the day (MOTD) banner on S1 with an appropriate security warning message.

S1(config)#banner motd #
Enter TEXT message.  End with the character '#'.
Unauthorized access is strictly prohibited. #

S1(config)#
  • Shut down all unused physical ports on the switch. Use the interface range command.

S1(config)#interface range fastEthernet 0/1-4, fastEthernet 0/7-24, gigabitEthernet 0/1-2
S1(config-if-range)#shutdown 

Issue the show ip interface brief command on S1. What is the status of ports F0/1 to F0/4? Administratively down.

  • Issue the show ip http server status command.

S1# show ip http server status

HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

What is the HTTP server status? Enabled

What server port is it using? 80

What is the HTTP secure server status? Enabled

What secure server port is it using? 443

  • HTTP sessions send everything in plain text. You will disable the HTTP service running on S1.

S1#configure terminal 
S1(config)#no ip http server
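Added example (not part of the lab): a small Python audit that reads a switch running-config and checks for the hardening items configured in Steps 2 through 7: an enable secret, service password-encryption, SSH-only vty lines that use the local user database, the HTTP server disabled, and port security on every access port that was not shut down. The sample config is constructed to resemble S1 after these steps; it was not captured from the Packet Tracer device, and <hash> stands in for the secret hashes. The 1.99 printed by show ip ssh means the server accepts both SSHv1 and SSHv2 clients, so the audit also flags the absence of ip ssh version 2, which this lab does not set. All function names are the example's own.

```python
"""Audit an IOS switch running-config for the hardening done in Steps 2-7."""
import re

# Constructed sample: roughly what S1's running-config looks like after Steps 3-7
# of this lab (not captured from a device; <hash> stands in for the secret hashes).
SAMPLE_CONFIG = """\
hostname S1
service password-encryption
enable secret 5 <hash>
username admin privilege 15 secret 5 <hash>
ip domain-name kelaspar.ir
!
interface FastEthernet0/1
 shutdown
!
interface FastEthernet0/5
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0001.4262.c002
!
interface FastEthernet0/6
 switchport access vlan 99
 switchport mode access
!
no ip http server
ip http secure-server
ip ssh time-out 75
ip ssh authentication-retries 2
!
line con 0
 password 7 <hash>
 login
line vty 0 4
 password 7 <hash>
 login local
 transport input ssh
"""

def parse_ios_config(text):
    """Split a config into top-level lines and the indented body of each section
    (e.g. 'interface FastEthernet0/5' -> ['switchport access vlan 99', ...])."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = raw.strip()
        top.append(current)
        sections[current] = []
    return top, sections

def ssh_settings(text):
    """(authentication timeout, retries); defaults are the 120 s / 3 the lab observed."""
    top, _ = parse_ios_config(text)
    timeout, retries = 120, 3
    for line in top:
        if m := re.fullmatch(r"ip ssh time-out (\d+)", line):
            timeout = int(m.group(1))
        elif m := re.fullmatch(r"ip ssh authentication-retries (\d+)", line):
            retries = int(m.group(1))
    return timeout, retries

def audit_switch_config(text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_ios_config(text)
    findings = []
    if not any(line.startswith("enable secret") for line in top):
        findings.append("no 'enable secret': privileged EXEC password missing or only 'enable password'")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' not set: line passwords stored in plain text")
    if "ip ssh version 2" not in top:
        findings.append("'ip ssh version 2' not set: 'show ip ssh' reports 1.99, so SSHv1 clients are still accepted")
    # IOS keeps the HTTP server on unless it is explicitly disabled, as Step 7 showed.
    if "no ip http server" not in top:
        findings.append("HTTP server still enabled: management sessions on port 80 are plain text")
    for header, body in sections.items():
        if header.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{header}: expected 'transport input ssh', found {transport or 'default (not restricted to SSH)'}")
            if "login local" not in body:
                findings.append(f"{header}: 'login local' missing, local user database not used")
        elif header.startswith(("interface FastEthernet", "interface GigabitEthernet")):
            if "shutdown" not in body and "switchport port-security" not in body:
                findings.append(f"{header}: port is up without 'switchport port-security'")
    return findings

if __name__ == "__main__":
    for finding in audit_switch_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("SSH timeout/retries:", ssh_settings(SAMPLE_CONFIG))
```

Run against the sample, the audit reports two findings: ip ssh version 2 is not set, and FastEthernet0/6 (the PC port) is up without port security, which matches the lab enabling port security on F0/5 only. Feeding it the output of show running-config from the real switch (saved to a file) works the same way, since the parser only relies on IOS indenting section bodies with one space.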
  • Configure and verify port security on S1. Record the R1 fa0/1 MAC address. From the R1 CLI, use the show interface fa0/1 command and record the MAC address of the interface.

R1#show interfaces fastEthernet 0/1
FastEthernet0/1 is administratively down, line protocol is down (disabled)
  Hardware is Lance, address is 0001.4262.c002 (bia 0001.4262.c002)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00, 
  Last input 00:00:08, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
R1#

What is the MAC address of the R1 fa0/1 interface? 0001.4262.c002

  • From the S1 CLI, issue a show mac address-table command from privileged EXEC mode. Find the dynamic entries for ports F0/5 and F0/6. Record them below.

S1#show mac-address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

  99    0001.4262.c001    DYNAMIC     Fa0/5
  99    000c.cfde.1237    DYNAMIC     Fa0/6
S1#
  • From the S1 CLI, enter interface configuration mode for the port that connects to R1 and shut down the port.

S1#configure terminal 
S1(config)#interface fastEthernet 0/5
S1(config-if)#shutdown 
  • Enable port security on F0/5.

S1(config-if)#switchport port-security 
  • Configure a static entry for the MAC address of R1 fa0/1 interface.

S1(config-if)#switchport port-security mac-address 0001.4262.c002
  • Enable the fa0/5 port.

S1(config)#interface fastEthernet 0/5
S1(config-if)#no shutdown 
  • Verify port security on S1 F0/5 by issuing a show port-security interface command.

S1#show port-security interface fastEthernet 0/5
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0001.4262.C001:99
Security Violation Count   : 1

What is the port status of F0/5? The status is Secure-up, which indicates that the port is secure, but the status and protocol are up.
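Added example (not part of the lab): the show port-security interface output above, reused as the sample input, parsed by a Python script that explains the port state and compares the last source address with the static address configured on the port (0001.4262.c002, the address recorded from R1 fa0/1). The function and variable names are the example's own.

```python
"""Interpret 'show port-security interface' output and explain a violation."""
import re

# Sample input: the output S1 printed for Fa0/5 in this lab (copied from the page).
SHOW_PORT_SECURITY = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0001.4262.C001:99
Security Violation Count   : 1
"""

# Static address entered with 'switchport port-security mac-address' in the lab.
CONFIGURED_MACS = ["0001.4262.c002"]


def normalize_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits so Cisco dotted, colon and dashed
    spellings (and the switch's upper-case output) compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def cisco_mac(digits):
    """Render 12 hex digits in the dotted form IOS prints (0001.4262.c001)."""
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_port_security(text):
    """Turn the 'Field : value' lines into a dict with typed values."""
    fields = {}
    for line in text.splitlines():
        # Lazy match keeps the colon inside 'Last Source Address:Vlan' in the key.
        m = re.match(r"^(.*?)\s+:\s+(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    mac, _, vlan = fields["Last Source Address:Vlan"].rpartition(":")
    return {
        "enabled": fields["Port Security"] == "Enabled",
        "status": fields["Port Status"],
        "violation_mode": fields["Violation Mode"],
        "max_addresses": int(fields["Maximum MAC Addresses"]),
        "violations": int(fields["Security Violation Count"]),
        "last_source_mac": normalize_mac(mac),
        "last_source_vlan": int(vlan),
    }


def diagnose(info, configured_macs):
    """Explain the port state against the static addresses configured on it."""
    findings = []
    if not info["enabled"]:
        return ["port security is not enabled on this interface"]
    if info["status"] == "Secure-shutdown":
        findings.append(
            f"port is err-disabled: violation mode {info['violation_mode']}, "
            f"{info['violations']} violation(s) counted")
    allowed = {normalize_mac(m) for m in configured_macs}
    if info["last_source_mac"] not in allowed:
        findings.append(
            f"last frame came from {cisco_mac(info['last_source_mac'])} on VLAN "
            f"{info['last_source_vlan']}, not one of the configured addresses "
            f"{[cisco_mac(a) for a in sorted(allowed)]}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_port_security(SHOW_PORT_SECURITY), CONFIGURED_MACS):
        print("FINDING:", finding)
```

The last source address the switch reports, 0001.4262.C001, is the dynamic entry that show mac address-table had already learned on Fa0/5 earlier in the lab, not the configured 0001.4262.c002, which is why the violation counter is 1 and the port went to Secure-shutdown. Once the static entry matches the device actually on the port, an err-disabled port is brought back with shutdown followed by no shutdown on the interface.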
