Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Lab Se
ecuring Network
k Device
es
T
Topology
S1
G0/1
1
F0/6
R1
PCA
A
Addressing
g Table
Device
Interface
IP Ad
ddress
Subnet Mas
sk
Default Gateway
R1
G0/1
G
192.168
8.1.1
25
55.255.255.0
0
N/A
S1
VLAN
V
1
192.168
8.1.11
25
55.255.255.0
0
192.168.1.1
PC
C-A
NIC
N
192.168
8.1.3
25
55.255.255.0
0
192.168.1.1
O
Objectives
Part 1: Co
onfigure Bas
sic Device Se
ettings
Part 2: Co
onfigure Bas
sic Security Measures
M
on
n the Router
Part 3: Co
onfigure Bas
sic Security Measures
M
on
n the Switch
B
Backgroun
nd / Scenarrio
It is recom
mmended thatt all network devices
d
be co
onfigured with
h, at least, a m
minimum set o
of best practicce
security commands. Th
his includes end
e user devic
ces, servers, and network devices, such as routers a
and
switches.
In this lab
b, you will configure the nettwork devices
s in the topolo
ogy to accept SSH session
ns for remote
managem
ment. You will also use the IOS CLI to co
onfigure comm
mon, basic be
est practice ssecurity measures. You
will then te
est the security measures to verify that they are prop
perly impleme
ented and wo
orking correctlly.
Note: The
e routers used
d with CCNA hands-on lab
bs are Cisco 1
1941 ISRs witth Cisco IOS Release 15.2
2(4)M3
(universallk9 image). The switches used
u
are Cisc
co Catalyst 29
960s with Ciscco IOS Relea
ase 15.0(2) (la
anbasek9
image). Other
O
routers, switches and
d Cisco IOS versions can b
be used. Depe
ending on the
e model and C
Cisco IOS
version, th
he commands
s available an
nd output prod
duced might vvary from wha
at is shown in
n the labs. Re
efer to the
Router Intterface Summ
mary table at the
t end of the
e lab for the ccorrect interface identifiers.
Note: Make sure that the routers an
nd switches ha
ave been era
ased and have
e no startup cconfigurationss. If you
are unsurre contact you
ur instructor.
R
Required Resources
R
1 Rou
uter (Cisco 19
941 with Cisco
o IOS softwarre, release 15
5.2(4)M3 univversal image o
or comparable)
1 Switch (Cisco 29
960 with Cisco
o IOS Release 15.0(2) lanb
basek9 image
e or compara
able)
Conso
ole cables to configure the
e Cisco IOS devices via the
e console porrts
Ethernet cables as
s shown in the
e topology
Page 1 of 8
d. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as
though they were hostnames.
e. Assign class as the privileged EXEC encrypted password.
f.
Create a banner that warns anyone accessing the device that unauthorized access is prohibited.
j.
Configure and activate the G0/1 interface on the router using the information contained in the Addressing
Table.
k.
d. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as
though they were hostnames.
e. Assign class as the privileged EXEC encrypted password.
f.
Create a banner that warns anyone accessing the device that unauthorized access is prohibited.
j.
Configure the default SVI with the IP address information contained in the Addressing Table.
k.
2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 2 of 8
Configure the transport input for the vty lines so that they accept SSH connections, but do not allow
Telnet connections.
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
d. The vty lines should use the local user database for authentication.
R1(config-line)# login local
R1(config-line)# exit
e. Generate a RSA crypto key using a modulus of 1024 bits.
R1(config)# crypto key generate rsa modulus 1024
The name for the keys will be: R1.CCNA-lab.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
R1(config)#
*Jan 31 17:54:16.127: %SSH-5-ENABLED: SSH 1.99 has been enabled
2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 3 of 8
console 0
exec-timeout 5 0
line vty 0 4
exec-timeout 5 0
exit
b. The following command impedes brute force login attempts. The router blocks login attempts for 30
seconds if someone fails two attempts within 120 seconds. This timer is set especially low for the purpose
of this lab.
R1(config)# login block-for 30 attempts 2 within 120
What does the 2 within 120 mean in the above command?
Two attempts failed in a 2 minute (within 120 seconds) time span and login access has been blocked.
IP-Address
unassigned
unassigned
192.168.1.1
unassigned
unassigned
OK?
YES
YES
YES
YES
YES
Method
NVRAM
NVRAM
manual
NVRAM
NVRAM
Status
administratively
administratively
up
administratively
administratively
Protocol
down down
down down
up
down down
down down
Step 5: Verify that your security measures have been implemented correctly.
a. Use Tera Term to telnet to R1.
Does R1 accept the Telnet connection? No,
the
Why or why not?
conne
The transport input ssh command disabled Telnet.
ction
b. Use Tera Term to SSH to R1.
was
refuse
Does R1 accept the SSH connection? Yes
d
c. Intentionally mistype the user and password information to see if login access is blocked after two
attempts.
What happened after you failed to login the second time?
R1 connection was disconnected. If I were to attempt to connect again before 30 seconds has gone by
then the connection would be refused.
2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 4 of 8
e. After the 30 seconds has expired, SSH to R1 again and login using the admin username and
Admin15p@55 for the password.
After you successfully logged in, what was displayed? R1 login banner
f.
Enter privilege Exec mode and use Enablep@55 for the password.
If you mistype this password, are you disconnected from your SSH session after two failed attempts
within 120 seconds? No
Why or why not?
Because the login block-for 30 attempts 2 within 120 command only monitors session login attempts.
g. Issue the show running-config command at the privileged EXEC prompt to view the security settings
you have applied.
Configure the transport input for the vty lines to allow SSH connections but not allow Telnet connections.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
d. The vty lines should use the local user database for authentication.
2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 5 of 8
console 0
exec-timeout 10 0
line vty 0 15
exec-timeout 10 0
exit
b. To impede brute force login attempts, configure the switch to block login access for 30 seconds if there
are 2 failed attempts within 120 seconds. This timer is set especially low for the purpose of this lab.
S1(config)# login block-for 30 attempts 2 within 120
S1(config)# end
IP-Address
192.168.1.11
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
OK?
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
Method
manual
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Status
up
down
down
down
down
up
up
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
Protocol
up
down
down
down
down
up
up
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
Page 6 of 8
unassigned
unassigned
unassigned
unassigned
unassigned
YES
YES
YES
YES
YES
unset
unset
unset
unset
unset
down
down
down
down
down
down
down
down
down
down
b. Use the interface range command to shut down multiple interfaces at a time.
S1(config)# interface range f0/14 , f0/7-24 , g0/1-2
S1(config-if-range)# shutdown
S1(config-if-range)# end
S1#
c.
Verify that all inactive interfaces have been administratively shut down.
S1# show ip interface brief
Interface
Vlan1
FastEthernet0/1
FastEthernet0/2
FastEthernet0/3
FastEthernet0/4
FastEthernet0/5
FastEthernet0/6
FastEthernet0/7
FastEthernet0/8
FastEthernet0/9
FastEthernet0/10
FastEthernet0/11
FastEthernet0/12
FastEthernet0/13
FastEthernet0/14
FastEthernet0/15
FastEthernet0/16
FastEthernet0/17
FastEthernet0/18
FastEthernet0/19
FastEthernet0/20
FastEthernet0/21
FastEthernet0/22
FastEthernet0/23
FastEthernet0/24
GigabitEthernet0/1
GigabitEthernet0/2
S1#
IP-Address
192.168.1.11
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
unassigned
OK?
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
Method
manual
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
unset
Status
up
administratively
administratively
administratively
administratively
up
up
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
administratively
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
Protocol
up
down
down
down
down
up
up
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
down
Step 5: Verify that your security measures have been implemented correctly.
a. Verify that Telnet has been disabled on the switch.
b. SSH to the switch and intentionally mistype the user and password information to see if login access is
blocked.
2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 7 of 8
After the 30 seconds has expired, SSH to S1 again and log in using the admin username and
Admin15p@55 for the password.
Did the banner appear after you successfully logged in? Yes
Reflection
1. The password cisco command was entered for the console and vty lines in your basic configuration in Part
1. When is this password used after the best practice security measures have been applied?
Although the password command still shows up in the running-config it will not be used anymore. The
command got disabled when the login-local command was entered.
2. Are preconfigured passwords, shorter than 10 characters, affected by the security passwords min-length
10 command?
No. The security passwords min-length command only works on passwords that are entered after the
command has been issued. Any pre-existing passwords will still remain in effect and if changed, they have to
be at least 10 characters long.
Ethernet Interface #1
Ethernet Interface #2
Serial Interface #1
Serial Interface #2
1800
1900
2801
2811
2900
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An
example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be
used in Cisco IOS commands to represent the interface.
2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 8 of 8