Lab 11 : Configuring Switch Security Features

Topology

Objectives

  • Configure and Verify SSH Access on ESW1

    • Configure SSH access

    • Modify SSH parameters

    • Verify the SSH configuration

  • Configure and Verify Security Features on ESW1

    • Configure and verify general security features

    • Configure and verify port security

Task 1

  • Configure an IP address on PC-1

PC-1> ip 172.16.99.100 255.255.255.0 172.16.99.1
Checking for duplicate address...
PC1 : 172.16.99.100 255.255.255.0 gateway 172.16.99.1

PC-1> show ip

NAME        : PC-1[1]
IP/MASK     : 172.16.99.100/24
GATEWAY     : 172.16.99.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10001
RHOST:PORT  : 127.0.0.1:10002
MTU:        : 1500

PC-1>

Task 2

  • Configure interface IP address as shown in the topology.

  • Assign class as the privileged EXEC mode password.

  • Assign cisco as the console and vty password and enable login.

  • Encrypt plain text passwords.

  • Save the running configuration to startup configuration.

R1#configure terminal
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 172.16.99.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#enable secret class
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#service password-encryption
R1(config)#exit
R1#write memory
Building configuration...
[OK]
R1#

Task 3

  • Configure SSH access on ESW1.

    • Enable SSH on ESW1. Create a domain name of KELASPAR.

    • Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.

    • Configure the transport input for the vty lines to allow SSH connections only.

    • Generate an RSA crypto key using a modulus of 1024 bits.

ESW1#configure terminal
ESW1(config)#hostname SWLAN
SWLAN(config)#ip domain-name KELASPAR
SWLAN(config)#username yaser privilege 15 secret rahmati
SWLAN(config)#line vty 0 15
SWLAN(config-line)#transport input ssh
SWLAN(config-line)#login local
SWLAN(config-line)#exit
SWLAN(config)#crypto key generate rsa
The name for the keys will be: SWLAN.KELASPAR
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SWLAN(config)#
*Mar  1 00:02:08.147: %SSH-5-ENABLED: SSH 1.99 has been enabled
SWLAN(config)#
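As an added check that is not part of the lab, the Python audit below parses an IOS-style running-config and flags deviations from the Task 2 and Task 3 hardening steps (enable secret, service password-encryption, domain name for the RSA key, login enabled on every line, and SSH-only transport on every vty range). The sample config is constructed for the example; the `PLACEHOLDER` values stand in for real type 5/7 password strings, and the partial vty range is deliberately left in the Task 2 state to show what a gap looks like.

```python
# Constructed sample running-config (assumed, not captured from the lab): Task 2/3
# settings applied, except vty 0-4 kept Task 2's password-only setup.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER
ip domain-name KELASPAR
username yaser privilege 15 secret 5 $1$PLACEHOLDER
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 password 7 PLACEHOLDER
 login
line vty 5 15
 transport input ssh
 login local
"""

def parse_sections(config: str) -> dict[str, list[str]]:
    """Group each indented child line under its top-level parent line."""
    sections: dict[str, list[str]] = {}
    parent = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and parent is not None:   # child of current parent
            sections[parent].append(raw.strip())
        elif not raw.startswith(" "):                    # new top-level command
            parent = raw.strip()
            sections[parent] = []
    return sections

def audit(config: str) -> list[str]:
    """Return findings where the config deviates from the lab's hardening steps."""
    sections = parse_sections(config)
    findings = []
    if not any(s.startswith("enable secret") for s in sections):
        findings.append("no enable secret configured")
    if "service password-encryption" not in sections:
        findings.append("service password-encryption missing")
    if not any(s.startswith("ip domain-name") for s in sections):
        findings.append("no ip domain-name (needed before crypto key generate rsa)")
    for name, children in sections.items():
        if not name.startswith("line "):
            continue
        if "login" not in children and "login local" not in children:
            findings.append(f"{name}: login not enabled")
        if name.startswith("line vty") and "transport input ssh" not in children:
            findings.append(f"{name}: transport input not restricted to ssh")
    return findings
```

Run against the sample, the audit reports only the vty 0 4 range, which is why Task 3 applies `transport input ssh` to `line vty 0 15` rather than a subset of the lines.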

Task 4

  • Verify the SSH configuration and answer the questions below.

SWLAN#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

  • Question 1: What version of SSH is the switch using?

1.99

  • Question 2: How many authentication attempts does SSH allow?

3

Task 5

  • Create VLAN 99 on the switch and name it Management.

SWLAN#configure terminal
SWLAN(config)#vlan 99
SWLAN(config-vlan)#name management
SWLAN(config-vlan)#exit
SWLAN(config)#

Task 6

  • Configure the VLAN 99 management interface IP address and enable the interface.

SWLAN(config)#interface vlan 99
SWLAN(config-if)#ip address 172.16.99.11 255.255.255.0
SWLAN(config-if)#no shutdown
SWLAN(config-if)#end
SWLAN#

Task 7

  • Issue the show vlan command on ESW1.

SWLAN#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.

SWLAN(vlan)#show
  VLAN ISL Id: 1
    Name: default
    Media Type: Ethernet
    VLAN 802.10 Id: 100001
    State: Operational
    MTU: 1500
    Translational Bridged VLAN: 1002
    Translational Bridged VLAN: 1003

  VLAN ISL Id: 99
    Name: management
    Media Type: Ethernet
    VLAN 802.10 Id: 100099
    State: Operational
    MTU: 1500

  VLAN ISL Id: 1002
    Name: fddi-default
    Media Type: FDDI
    VLAN 802.10 Id: 101002
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Translational Bridged VLAN: 1
    Translational Bridged VLAN: 1003

  VLAN ISL Id: 1003
    Name: token-ring-default
    Media Type: Token Ring
    VLAN 802.10 Id: 101003
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Ring Number: 0
    Bridge Number: 1
    Parent VLAN: 1005
    Maximum ARE Hop Count: 7
    Maximum STE Hop Count: 7
    Backup CRF Mode: Disabled
    Translational Bridged VLAN: 1
    Translational Bridged VLAN: 1002

  VLAN ISL Id: 1004
    Name: fddinet-default
    Media Type: FDDI Net
    VLAN 802.10 Id: 101004
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Bridge Number: 1
    STP Type: IBM

  VLAN ISL Id: 1005
    Name: trnet-default
    Media Type: Token Ring Net
    VLAN 802.10 Id: 101005
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Bridge Number: 1
    STP Type: IBM

SWLAN(vlan)#

Task 8

  • Issue the show ip interface brief command on ESW1.

  • Question 1: What is the status and protocol for management interface VLAN 99?

Status is up, and protocol is down.

SWLAN#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
FastEthernet1/0            unassigned      YES unset  up                    down
FastEthernet1/1            unassigned      YES unset  up                    down
FastEthernet1/2            unassigned      YES unset  up                    down
FastEthernet1/3            unassigned      YES unset  up                    down
FastEthernet1/4            unassigned      YES unset  up                    down
FastEthernet1/5            unassigned      YES unset  up                    down
FastEthernet1/6            unassigned      YES unset  up                    down
FastEthernet1/7            unassigned      YES unset  up                    down
FastEthernet1/8            unassigned      YES unset  up                    down
FastEthernet1/9            unassigned      YES unset  up                    down
FastEthernet1/10           unassigned      YES unset  up                    down
FastEthernet1/11           unassigned      YES unset  up                    down
FastEthernet1/12           unassigned      YES unset  up                    down
FastEthernet1/13           unassigned      YES unset  up                    down
FastEthernet1/14           unassigned      YES unset  up                    down
FastEthernet1/15           unassigned      YES unset  up                    down
Vlan1                      unassigned      YES NVRAM  administratively down down
Vlan99                     172.16.99.11    YES manual up                    down

  • Question 2: Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99?

No physical ports on the switch have been assigned to VLAN 99.

Task 9

  • Assign ports F0/0 and F0/1 to VLAN 99 on the switch.

SWLAN#configure terminal
SWLAN(config)#interface f0/0
SWLAN(config-if)#switchport mode access
SWLAN(config-if)#switchport access vlan 99
SWLAN(config-if)#interface f0/1
SWLAN(config-if)#switchport mode access
SWLAN(config-if)#switchport access vlan 99
SWLAN(config-if)#end
