Lab 11 : Configuring Switch Security Features

Topology

Objectives

Configure and Verify SSH Access on ESW1
- Configure SSH access
- Modify SSH parameters
- Verify the SSH configuration
Configure and Verify Security Features on ESW1
- Configure and verify general security features
- Configure and verify port security

Task 1

Configure an IP address on PC-1

PC-1> ip 172.16.99.100 255.255.255.0 172.16.99.1
Checking for duplicate address...
PC1 : 172.16.99.100 255.255.255.0 gateway 172.16.99.1

PC-1> show ip

NAME        : PC-1[1]
IP/MASK     : 172.16.99.100/24
GATEWAY     : 172.16.99.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10001
RHOST:PORT  : 127.0.0.1:10002
MTU:        : 1500

PC-1>

Task 2

Configure interface IP address as shown in the topology.
Assign class as the privileged EXEC mode password.
Assign cisco as the console and vty password and enable login.
Encrypt plain text passwords.
Save the running configuration to startup configuration.

R1#configure terminal
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 172.16.99.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#enable secret class
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#service password-encryption
R1(config)#exit
R1#write memory
Building configuration...
[OK]
R1#

Task 3

Configure SSH access on ESW1.
- Enable SSH on ESW1. Create a domain name of KELASPAR.
- Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.
- Configure the transport input for the vty lines to allow SSH connections only.
- Generate an RSA crypto key using a modulus of 1024 bits.

ESW1#configure terminal
ESW1(config)#hostname SWLAN
SWLAN(config)#ip domain-name KELASPAR
SWLAN(config)#username yaser privilege 15 secret rahmati
SWLAN(config)#line vty 0 15
SWLAN(config-line)#transport input ssh
SWLAN(config-line)#login local
SWLAN(config-line)#exit
SWLAN(config)#crypto key generate rsa
The name for the keys will be: SWLAN.KELASPAR
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SWLAN(config)#
*Mar  1 00:02:08.147: %SSH-5-ENABLED: SSH 1.99 has been enabled
SWLAN(config)#

Task 4

Verify the SSH configuration and answer the questions below.

SWLAN#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Question 1: What version of SSH is the switch using?

1.99

Question 2: How many authentication attempts does SSH allow?

3

Task 5

Create VLAN 99 on the switch and name it Management.

SWLAN#configure terminal
SWLAN(config)#vlan 99
SWLAN(config-vlan)#name management
SWLAN(config-vlan)#exit
SWLAN(config)#

Task 6

Configure the VLAN 99 management interface IP address and enable the interface.

SWLAN(config)#interface vlan 99
SWLAN(config-if)#ip address 172.16.99.11 255.255.255.0
SWLAN(config-if)#no shutdown
SWLAN(config-if)#end
SWLAN#

Task 7

Issue the show vlan command on ESW1.

SWLAN#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.

SWLAN(vlan)#show
  VLAN ISL Id: 1
    Name: default
    Media Type: Ethernet
    VLAN 802.10 Id: 100001
    State: Operational
    MTU: 1500
    Translational Bridged VLAN: 1002
    Translational Bridged VLAN: 1003

  VLAN ISL Id: 99
    Name: management
    Media Type: Ethernet
    VLAN 802.10 Id: 100099
    State: Operational
    MTU: 1500

  VLAN ISL Id: 1002
    Name: fddi-default
    Media Type: FDDI
    VLAN 802.10 Id: 101002
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Translational Bridged VLAN: 1
    Translational Bridged VLAN: 1003

  VLAN ISL Id: 1003
    Name: token-ring-default
    Media Type: Token Ring
    VLAN 802.10 Id: 101003
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Ring Number: 0
    Bridge Number: 1
    Parent VLAN: 1005
    Maximum ARE Hop Count: 7
    Maximum STE Hop Count: 7
    Backup CRF Mode: Disabled
    Translational Bridged VLAN: 1
    Translational Bridged VLAN: 1002

  VLAN ISL Id: 1004
    Name: fddinet-default
    Media Type: FDDI Net
    VLAN 802.10 Id: 101004
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Bridge Number: 1
    STP Type: IBM

  VLAN ISL Id: 1005
    Name: trnet-default
    Media Type: Token Ring Net
    VLAN 802.10 Id: 101005
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Bridge Number: 1
    STP Type: IBM

SWLAN(vlan)#

Task 8

Issue the show ip interface brief command on ESW1.
Question 1: What is the status and protocol for management interface VLAN 99?

Status is up, and protocol is down.

SWLAN#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
FastEthernet1/0            unassigned      YES unset  up                    down
FastEthernet1/1            unassigned      YES unset  up                    down
FastEthernet1/2            unassigned      YES unset  up                    down
FastEthernet1/3            unassigned      YES unset  up                    down
FastEthernet1/4            unassigned      YES unset  up                    down
FastEthernet1/5            unassigned      YES unset  up                    down
FastEthernet1/6            unassigned      YES unset  up                    down
FastEthernet1/7            unassigned      YES unset  up                    down
FastEthernet1/8            unassigned      YES unset  up                    down
FastEthernet1/9            unassigned      YES unset  up                    down
FastEthernet1/10           unassigned      YES unset  up                    down
FastEthernet1/11           unassigned      YES unset  up                    down
FastEthernet1/12           unassigned      YES unset  up                    down
FastEthernet1/13           unassigned      YES unset  up                    down
FastEthernet1/14           unassigned      YES unset  up                    down
FastEthernet1/15           unassigned      YES unset  up                    down
Vlan1                      unassigned      YES NVRAM  administratively down down
Vlan99                     172.16.99.11    YES manual up                    down

Question 2: Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99?

No physical ports on the switch have been assigned to VLAN 99.

Task 9

Assign ports F0/0 and F0/1 to VLAN 99 on the switch.

SWLAN#(config)# interface f0/0
SWLAN#(config-if)# switchport mode access
SWLAN#(config-if)# switchport access vlan 99
SWLAN#(config-if)# interface f0/1
SWLAN#(config-if)# switchport mode access
SWLAN#(config-if)# switchport access vlan 99
SWLAN#(config-if)# end

PreviousLab 10 : PPP Configuration NextMTCNA

Last updated 1 year ago