Lab 7 switch security
Academic year: 2023/2024
Universiteti POLIS
Lab – Configuring Switch Security Features

Cisco Packet Tracer

Topology

Addressing Table

Device   Interface   IP Address      Subnet Mask      Default Gateway
R1       fa0/0       172.16.99.1     255.255.255.0    N/A
S1       VLAN 99     172.16.99.11    255.255.255.0    172.16.99.1
PC       NIC         172.16.99.3     255.255.255.0    172.16.99.1

Step 1: Configure an IP address on PC.

PC>ipconfig

FastEthernet0 Connection:(default port)

Link-local IPv6 Address.........: FE80::20C:CFFF:FEDE:1237
IP Address......................: 172.16.99.3
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 172.16.99.1
PC>

Step 2: Configure basic settings on R1.

- Configure the device name.

Router>
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#

- Disable DNS lookup.

R1(config)#no ip domain-lookup

- Configure the interface IP address as shown in the Addressing Table.

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 172.16.99.1 255.255.255.0
R1(config-if)#no shut

- Assign class as the privileged EXEC mode password.

R1(config)#enable secret class

- Assign cisco as the console and vty password and enable login.

R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#

- Configure a default gateway for S1 using the IP address of R1.

S1(config)#ip default-gateway 172.16.99.1

- Encrypt plain text passwords.

S1(config)#service password-encryption

- Save the running configuration to the startup configuration.

S1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
S1#

- Create VLAN 99 on the switch and name it Management.

S1(config)#vlan 99
S1(config-vlan)#name Management
S1(config-vlan)#exit
S1(config)#

- Configure the VLAN 99 management interface IP address, as shown in the Addressing Table, and enable the interface.

S1(config)#interface vlan 99
S1(config-if)#ip address 172.16.99.11 255.255.255.0
S1(config-if)#no shutdown
S1(config-if)#end
S1#

- Issue the show vlan command on S1.

S1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/
                                                Gig0/1, Gig0/
99   Management                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans  Trans
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
S1#

What is the status of VLAN 99? Active

- Issue the show ip interface brief command on S1.

Step 4: Verify connectivity between devices.

- From PC, ping the default gateway address on R1.

PC>ping 172.16.99.1
Pinging 172.16.99.1 with 32 bytes of data:
Reply from 172.16.99.1: bytes=32 time=1ms TTL=
Reply from 172.16.99.1: bytes=32 time=0ms TTL=
Reply from 172.16.99.1: bytes=32 time=0ms TTL=
Reply from 172.16.99.1: bytes=32 time=0ms TTL=
Ping statistics for 172.16.99.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
PC>

- From PC, ping the management address of S1.

PC>ping 172.16.99.11
Pinging 172.16.99.11 with 32 bytes of data:
Reply from 172.16.99.11: bytes=32 time=1ms TTL=
Reply from 172.16.99.11: bytes=32 time=0ms TTL=
Reply from 172.16.99.11: bytes=32 time=0ms TTL=
Reply from 172.16.99.11: bytes=32 time=0ms TTL=
Ping statistics for 172.16.99.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
PC>

- From S1, ping the default gateway address on R1.

S1#ping 172.16.99.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
S1#

Step 5: Configure and Verify SSH Access on S1.

- Enable SSH on S1. From global configuration mode, create a domain name of kelaspar.

S1(config)#ip domain-name kelaspar

- Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.

S1(config)#username admin privilege 15 secret sshadmin

- Configure the transport input for the vty lines to allow SSH connections only, and use the local database for authentication.

S1(config)#line vty 0 4
S1(config-line)#transport input ssh
S1(config-line)#login local
S1(config-line)#exit
S1(config)#

- Generate an RSA crypto key using a modulus of 1024 bits.

S1(config)#crypto key generate rsa
The name for the keys will be: S1.kelaspar
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
S1(config)#
S1# show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

What is the HTTP server status? Enabled

What server port is it using? 80

What is the HTTP secure server status? Enabled

What secure server port is it using? 443

- HTTP sessions send everything in plain text. You will disable the HTTP service running on S1.

S1(config)# no ip http server
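As an added example (not part of the lab or Cisco's material), the Python script below audits a saved running-config for the settings that Step 5 and the HTTP step leave behind on S1: an enable secret, service password-encryption, a local user with a secret, SSH-only vty lines using login local, and the plain-text HTTP server disabled. The two sample configs are constructed to mirror S1 before and after those steps; the hash values in them are placeholders.

```python
# Added example, not part of the lab: audit a saved 'show running-config' for the
# hardening this lab applies. Both sample configs are constructed; PLACEHOLDER stands in for real hashes.

# Constructed: S1 before Step 5 (Telnet still allowed, line password, HTTP on).
BEFORE = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER
ip http server
line vty 0 4
 password 7 PLACEHOLDER
 login
 transport input telnet ssh
"""

# Constructed: S1 after the SSH and HTTP steps (local user, SSH-only vty, HTTP off).
AFTER = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER
username admin privilege 15 secret 5 $1$PLACEHOLDER
no ip http server
line vty 0 4
 login local
 transport input ssh
"""

def sections(config):
    """Split IOS config text into (header, [children]); children are indented one space."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip():
            blocks.append((raw.strip(), []))
    return blocks

def audit(config):
    """Return findings; an empty list means every hardening step from the lab is present."""
    blocks = sections(config)
    top = {header for header, _ in blocks}
    checks = [
        (any(h.startswith("enable secret ") for h in top), "privileged EXEC password is not an 'enable secret'"),
        ("service password-encryption" in top, "'service password-encryption' is not set"),
        ("no ip http server" in top, "plain-text HTTP server is not disabled"),
        (any(h.startswith("username ") and " secret " in h for h in top), "no local user with a 'secret' for SSH login"),
    ]
    for header, children in blocks:
        if header.startswith("line vty"):  # one pair of checks per vty range
            checks.append(("transport input ssh" in children, f"{header}: transport input is not SSH-only"))
            checks.append(("login local" in children, f"{header}: 'login local' is missing"))
    return [message for ok, message in checks if not ok]
```

Running audit(BEFORE) reports four findings; audit(AFTER) returns an empty list.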

- Configure and verify port security on S1. Record the R1 fa0/1 MAC address. From the R1 CLI, use the show interface fa0/1 command and record the MAC address of the interface.

R1#show interfaces fastEthernet 0/1
FastEthernet0/1 is administratively down, line protocol is down (disabled)
Hardware is Lance, address is 0001.4262 (bia 0001.4262)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00,
Last input 00:00:08, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
R1#

What is the MAC address of the R1 fa0/1 interface? 0001.4262

- From the S1 CLI, issue a show mac address-table command from privileged EXEC mode. Find the dynamic entries for ports F0/5 and F0/6. Record them below.

S1#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
99 0001.4262 DYNAMIC Fa0/
99 000c.cfde DYNAMIC Fa0/
S1#

- From the S1 CLI, enter interface configuration mode for the port that connects to R1 and shut down the port.
