Lab 11 : Configuring Switch Security Features

Yaser Rahmati | یاسر رحمتی

Topology

Objectives

Configure and Verify SSH Access on ESW1
- Configure SSH access
- Modify SSH parameters
- Verify the SSH configuration
Configure and Verify Security Features on ESW1
- Configure and verify general security features
- Configure and verify port security

Task 1

Configure an IP address on PC-1

PC-1> ip 172.16.99.100 255.255.255.0 172.16.99.1
Checking for duplicate address...
PC1 : 172.16.99.100 255.255.255.0 gateway 172.16.99.1

PC-1> show ip

NAME        : PC-1[1]
IP/MASK     : 172.16.99.100/24
GATEWAY     : 172.16.99.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10001
RHOST:PORT  : 127.0.0.1:10002
MTU:        : 1500

PC-1>

Task 2

Configure interface IP address as shown in the topology.
Assign class as the privileged EXEC mode password.
Assign cisco as the console and vty password and enable login.
Encrypt plain text passwords.
Save the running configuration to startup configuration.

R1#configure terminal
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 172.16.99.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#enable secret class
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#service password-encryption
R1(config)#exit
R1#write memory
Building configuration...
[OK]
R1#

Task 3

Configure SSH access on ESW1.
- Enable SSH on ESW1. Create a domain name of KELASPAR.
- Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.
- Configure the transport input for the vty lines to allow SSH connections only.
- Generate an RSA crypto key using a modulus of 1024 bits.

ESW1#configure terminal
ESW1(config)#hostname SWLAN
SWLAN(config)#ip domain-name KELASPAR
SWLAN(config)#username yaser privilege 15 secret rahmati
SWLAN(config)#line vty 0 15
SWLAN(config-line)#transport input ssh
SWLAN(config-line)#login local
SWLAN(config-line)#exit
SWLAN(config)#crypto key generate rsa
The name for the keys will be: SWLAN.KELASPAR
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SWLAN(config)#
*Mar  1 00:02:08.147: %SSH-5-ENABLED: SSH 1.99 has been enabled
SWLAN(config)#

Task 4

Verify the SSH configuration and answer the questions below.

SWLAN#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Question 1: What version of SSH is the switch using?

1.99

Question 2: How many authentication attempts does SSH allow?

3

Task 5

Create VLAN 99 on the switch and name it Management.

SWLAN#configure terminal
SWLAN(config)#vlan 99
SWLAN(config-vlan)#name management
SWLAN(config-vlan)#exit
SWLAN(config)#

Task 6

Configure the VLAN 99 management interface IP address and enable the interface.

SWLAN(config)#interface vlan 99
SWLAN(config-if)#ip address 172.16.99.11 255.255.255.0
SWLAN(config-if)#no shutdown
SWLAN(config-if)#end
SWLAN#

Task 7

Issue the show vlan command on ESW1.

SWLAN#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.

SWLAN(vlan)#show
  VLAN ISL Id: 1
    Name: default
    Media Type: Ethernet
    VLAN 802.10 Id: 100001
    State: Operational
    MTU: 1500
    Translational Bridged VLAN: 1002
    Translational Bridged VLAN: 1003

  VLAN ISL Id: 99
    Name: management
    Media Type: Ethernet
    VLAN 802.10 Id: 100099
    State: Operational
    MTU: 1500

  VLAN ISL Id: 1002
    Name: fddi-default
    Media Type: FDDI
    VLAN 802.10 Id: 101002
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Translational Bridged VLAN: 1
    Translational Bridged VLAN: 1003

  VLAN ISL Id: 1003
    Name: token-ring-default
    Media Type: Token Ring
    VLAN 802.10 Id: 101003
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Ring Number: 0
    Bridge Number: 1
    Parent VLAN: 1005
    Maximum ARE Hop Count: 7
    Maximum STE Hop Count: 7
    Backup CRF Mode: Disabled
    Translational Bridged VLAN: 1
    Translational Bridged VLAN: 1002

  VLAN ISL Id: 1004
    Name: fddinet-default
    Media Type: FDDI Net
    VLAN 802.10 Id: 101004
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Bridge Number: 1
    STP Type: IBM

  VLAN ISL Id: 1005
    Name: trnet-default
    Media Type: Token Ring Net
    VLAN 802.10 Id: 101005
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Bridge Number: 1
    STP Type: IBM

SWLAN(vlan)#

Task 8

Issue the show ip interface brief command on ESW1.
Question 1: What is the status and protocol for management interface VLAN 99?

Status is up, and protocol is down.

SWLAN#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
FastEthernet1/0            unassigned      YES unset  up                    down
FastEthernet1/1            unassigned      YES unset  up                    down
FastEthernet1/2            unassigned      YES unset  up                    down
FastEthernet1/3            unassigned      YES unset  up                    down
FastEthernet1/4            unassigned      YES unset  up                    down
FastEthernet1/5            unassigned      YES unset  up                    down
FastEthernet1/6            unassigned      YES unset  up                    down
FastEthernet1/7            unassigned      YES unset  up                    down
FastEthernet1/8            unassigned      YES unset  up                    down
FastEthernet1/9            unassigned      YES unset  up                    down
FastEthernet1/10           unassigned      YES unset  up                    down
FastEthernet1/11           unassigned      YES unset  up                    down
FastEthernet1/12           unassigned      YES unset  up                    down
FastEthernet1/13           unassigned      YES unset  up                    down
FastEthernet1/14           unassigned      YES unset  up                    down
FastEthernet1/15           unassigned      YES unset  up                    down
Vlan1                      unassigned      YES NVRAM  administratively down down
Vlan99                     172.16.99.11    YES manual up                    down

Question 2: Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99?

No physical ports on the switch have been assigned to VLAN 99.

Task 9

Assign ports F0/0 and F0/1 to VLAN 99 on the switch.

SWLAN#(config)# interface f0/0
SWLAN#(config-if)# switchport mode access
SWLAN#(config-if)# switchport access vlan 99
SWLAN#(config-if)# interface f0/1
SWLAN#(config-if)# switchport mode access
SWLAN#(config-if)# switchport access vlan 99
SWLAN#(config-if)# end

PreviousLab 10 : PPP Configuration NextWindows Server 2012

Last updated 4 months ago

PC-1> ip 172.16.99.100 255.255.255.0 172.16.99.1 Checking for duplicate address... PC1 : 172.16.99.100 255.255.255.0 gateway 172.16.99.1 PC-1> show ip NAME : PC-1[1] IP/MASK : 172.16.99.100/24 GATEWAY : 172.16.99.1 DNS : MAC : 00:50:79:66:68:00 LPORT : 10001 RHOST:PORT : 127.0.0.1:10002 MTU: : 1500 PC-1>

R1#configure terminal R1(config)#interface fastEthernet 0/0 R1(config-if)#ip address 172.16.99.1 255.255.255.0 R1(config-if)#no shut R1(config-if)#exit R1(config)#enable secret class R1(config)#line vty 0 4 R1(config-line)#password cisco R1(config-line)#login R1(config-line)#exit R1(config)#line console 0 R1(config-line)#password cisco R1(config-line)#login R1(config-line)#exit R1(config)#service password-encryption R1(config)#exit R1#write memory Building configuration... [OK] R1#

ESW1#configure terminal ESW1(config)#hostname SWLAN SWLAN(config)#ip domain-name KELASPAR SWLAN(config)#username yaser privilege 15 secret rahmati SWLAN(config)#line vty 0 15 SWLAN(config-line)#transport input ssh SWLAN(config-line)#login local SWLAN(config-line)#exit SWLAN(config)#crypto key generate rsa The name for the keys will be: SWLAN.KELASPAR Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] SWLAN(config)# *Mar 1 00:02:08.147: %SSH-5-ENABLED: SSH 1.99 has been enabled SWLAN(config)#

SWLAN#vlan database % Warning: It is recommended to configure VLAN from config mode, as VLAN database mode is being deprecated. Please consult user documentation for configuring VTP/VLAN in config mode. SWLAN(vlan)#show VLAN ISL Id: 1 Name: default Media Type: Ethernet VLAN 802.10 Id: 100001 State: Operational MTU: 1500 Translational Bridged VLAN: 1002 Translational Bridged VLAN: 1003 VLAN ISL Id: 99 Name: management Media Type: Ethernet VLAN 802.10 Id: 100099 State: Operational MTU: 1500 VLAN ISL Id: 1002 Name: fddi-default Media Type: FDDI VLAN 802.10 Id: 101002 State: Operational MTU: 1500 Bridge Type: SRB Translational Bridged VLAN: 1 Translational Bridged VLAN: 1003 VLAN ISL Id: 1003 Name: token-ring-default Media Type: Token Ring VLAN 802.10 Id: 101003 State: Operational MTU: 1500 Bridge Type: SRB Ring Number: 0 Bridge Number: 1 Parent VLAN: 1005 Maximum ARE Hop Count: 7 Maximum STE Hop Count: 7 Backup CRF Mode: Disabled Translational Bridged VLAN: 1 Translational Bridged VLAN: 1002 VLAN ISL Id: 1004 Name: fddinet-default Media Type: FDDI Net VLAN 802.10 Id: 101004 State: Operational MTU: 1500 Bridge Type: SRB Bridge Number: 1 STP Type: IBM VLAN ISL Id: 1005 Name: trnet-default Media Type: Token Ring Net VLAN 802.10 Id: 101005 State: Operational MTU: 1500 Bridge Type: SRB Bridge Number: 1 STP Type: IBM SWLAN(vlan)#

SWLAN#show ip interface brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 unassigned YES NVRAM administratively down down FastEthernet0/1 unassigned YES NVRAM administratively down down FastEthernet1/0 unassigned YES unset up down FastEthernet1/1 unassigned YES unset up down FastEthernet1/2 unassigned YES unset up down FastEthernet1/3 unassigned YES unset up down FastEthernet1/4 unassigned YES unset up down FastEthernet1/5 unassigned YES unset up down FastEthernet1/6 unassigned YES unset up down FastEthernet1/7 unassigned YES unset up down FastEthernet1/8 unassigned YES unset up down FastEthernet1/9 unassigned YES unset up down FastEthernet1/10 unassigned YES unset up down FastEthernet1/11 unassigned YES unset up down FastEthernet1/12 unassigned YES unset up down FastEthernet1/13 unassigned YES unset up down FastEthernet1/14 unassigned YES unset up down FastEthernet1/15 unassigned YES unset up down Vlan1 unassigned YES NVRAM administratively down down Vlan99 172.16.99.11 YES manual up down

SWLAN#(config)# interface f0/0 SWLAN#(config-if)# switchport mode access SWLAN#(config-if)# switchport access vlan 99 SWLAN#(config-if)# interface f0/1 SWLAN#(config-if)# switchport mode access SWLAN#(config-if)# switchport access vlan 99 SWLAN#(config-if)# end