16.5.2 Lab - Secure Network Devices

pdf

School

Paradise Valley Community College *

*We aren’t endorsed by this school

Course

140AB

Subject

Computer Science

Date

Oct 30, 2023

Type

pdf

Pages

6

Uploaded by MinisterWorldHummingbird22

Report
10/28/23, 7:26 PM 16.5.2 Lab - Secure Netw ork Devices about:blank 1/6 Lab - Secure Network Devices Topology Addressing Table Device Interface IP Address Subnet Mask Default Gateway R1 G0/0/1 192.168.1.1 255.255.255.0 N/A S1 VLAN 1 192.168.1.11 255.255.255.0 192.168.1.1 PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 Objectives Part 1: Configure Basic Device Settings Part 2: Configure Basic Security Measures on the Router Part 3: Configure Basic Security Measures on the Switch Background / Scenario It is recommended that all network devices be configured with at least a minimum set of best practice security commands. This includes end user devices, servers, and network devices, such as routers and switches. In this lab, you will configure the network devices in the topology to accept SSH sessions for remote management. You will also use the IOS CLI to configure common, basic best practice security measures. You will then test the security measures to verify that they are properly implemented and working correctly. Note : The routers used with CCNA hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4 (universalk9 image). The switches used in the labs are Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers. Note : Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure, contact your instructor. Required Resources 1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable) 1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable) 2013 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page of 1 6 www.netacad.com
10/28/23, 7:26 PM 16.5.2 Lab - Secure Netw ork Devices about:blank 2/6 Lab - Secure Network Devices 1 PC (Windows with a terminal emulation program, such as Tera Term) Console cables to configure the Cisco IOS devices via the console ports Ethernet cables as shown in the topology Instructions Part 1: Configure Basic Device Settings In Part 1, you will set up the network topology and configure basic settings, such as the interface IP addresses, device access, and passwords on the devices. Step 1: Cable the network as shown in the topology. Attach the devices shown in the topology and cable as necessary. Step 2: Initialize and reload the router and switch. Step 3: Configure the router and switch. Open configuration window a. Console into the device and enable privileged EXEC mode. b. Assign the device name according to the Addressing Table. c. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as though they were hostnames. d. Assign class as the privileged EXEC encrypted password. e. Assign cisco as the console password and enable login. f. Assign cisco as the VTY password and enable login. g. Create a banner that warns anyone accessing the device that unauthorized access is prohibited. h. Configure and activate the G0/0/1 interface on the router using the information contained in the Addressing Table. i. Configure the default SVI on the switch with the IP address information according to the Addressing Table. j. Save the running configuration to the startup configuration file. Close configuration window Step 4: Configure PC-A. Open command prompt a. Configure PC-A with an IP address and subnet mask. b. Configure a default gateway for PC-A. Close command prompt Step 5: Verify network connectivity. Open configuration window Ping R1 and S1 from PC-A. If any of the pings fail, troubleshoot the connection. Close configuration window Part 2: Configure Basic Security Measures on the Router Step 1: Configure security measures. Open configuration window a. Encrypt all clear-text passwords. b. Configure the system to require a minimum 12-character password. c. Change the passwords (privileged exec, console, and vty) to meet the new length requirement. 2013 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page of 2 6 www.netacad.com
10/28/23, 7:26 PM 16.5.2 Lab - Secure Netw ork Devices about:blank 3/6 Lab - Secure Network Devices 1) Set the privileged exec password to $cisco!PRIV* 2) Set the console password to $cisco!!CON* 3) Set the vty line password to $cisco!!VTY* d. Configure the router to accept only SSH connections from remote locations 1) Configure the username SSHadmin with an encrypted password of 55HAdm!n2020 2) The router’s domain name should be set to ccna-lab.com 3) The key modulus should be 1024 bits. e. Set security and best-practice configurations on the console and vty lines. 1) Users should be disconnected after 5 minutes of inactivity. 2) The router should not allow vty logins for 2 minutes if 3 failed login attempts occur within 1 minute. Close configuration window Part 3: Configure security measures. Step 1: Verify that all unused ports are disabled. Router ports are disabled by default, but it is always prudent to verify that all unused ports are in an administratively down state. This can be quickly checked by issuing the show ip interface brief command. Any unused ports that are not in an administratively down state should be disabled using the command in interface configuration mode. shutdown Open configuration window Close configuration window Step 2: Verify that your security measures have been implemented correctly. Open configuration window a. Use Tera Term on PC-A to telnet to R1. Question: Does R1 accept the Telnet connection? Explain. No, the connection is refused. Telnet was disabled with the transport input ssh command. Type your answers here. b. Use Tera Term on PC-A to SSH to R1. Question: Does R1 accept the SSH connection? Yes Type your answers here. c. Intentionally mistype the user and password information to see if login access is blocked after two attempts. Question: What happened after you failed to login the second time? The connection to R1 was disconnected. If you attempt to reconnect within 30 seconds, the connection will be refused. d. From your console session on the router, issue the command to view the login show login status. In the example below, the command was issued within the 120 second show login login blocking period and shows that the router is in Quiet-Mode. The router will not accept any login attempts for 111 more seconds. e. After the 120 seconds has expired, SSH to R1 again and login using the SSHadmin username and 55HAdm!n2020 for the password. Question: After you successfully logged in, what was displayed? 2013 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page of 3 6 www.netacad.com
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
10/28/23, 7:26 PM 16.5.2 Lab - Secure Netw ork Devices about:blank 4/6 Lab - Secure Network Devices The R1 –MOTD banner. Type your answers here. f. Enter privileged EXEC mode and use for the password. $cisco!PRIV* Question: If you mistype this password, are you disconnected from your SSH session after three failed attempts within 60 seconds? Explain. No. The login block-for 120 attempts 3 within 60 command only monitors session login attempts on VTY lines. Type your answers here. g. Issue the command at the privileged EXEC prompt to view the show running-config security settings you have applied. Close configuration window Part 4: Configure Basic Security Measures on the Switch Step 1: Configure security measures. Open configuration window a. Encrypt all clear-text passwords. b. Change the passwords (privileged EXEC, console, and vty). 1) Set the privileged exec password to $cisco!PRIV* 2) Set the console password to $cisco!!CON* 3) Set the vty line password to $cisco!!VTY* c. Configure the switch to accept only SSH connections from remote locations. 1) Configure the username SSHadmin with an encrypted password of 55HAdm!n2020 2) The switches domain name should be set to ccna-lab.com 3) The key modulus should be 1024 bits. d. Set security and best-practice configurations on the console and vty lines. 1) Users should be disconnected after 5 minutes of inactivity. 2) The switch should not allow logins for 2 minutes if 3 failed login attempts occur within 1 minute. e. Disable all of the unused ports. Step 2: Verify all unused ports are disabled. Switch ports are enabled, by default. Shut down all ports that are not in use on the switch. a. You can verify the switch port status using the command. show ip interface brief b. Use the command to shut down multiple interfaces at a time. interface range c. Verify that all inactive interfaces have been administratively shut down. Close configuration window Step 3: Verify that your security measures have been implemented correctly. a. Verify that Telnet has been disabled on the switch. b. SSH to the switch and intentionally mistype the user and password information to see if login access is blocked. c. After the 30 seconds has expired, SSH to S1 again and log in using the SSHadmin username and for the password. 55HAdm!n2020 2013 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page of 4 6 www.netacad.com
10/28/23, 7:26 PM 16.5.2 Lab - Secure Netw ork Devices about:blank 5/6 Lab - Secure Network Devices Question: Did the banner appear after you successfully logged in? Yes Type your answers here. d. Enter privileged EXEC mode using as the password. $cisco!PRIV* e. Issue the command at the privileged EXEC prompt to view the show running-config security settings you have applied. Close configuration window Reflection Questions 1. The command was entered for the console and VTY lines in your basic password cisco configuration in Part 1. When is this password used after the best practice security measures have been applied? This password will not be used any longer. Even though the password command still appears in the line sections of the running-config, this command was disabled as soon as the login local command was entered for those lines. Type your answers here. 2. Are preconfigured passwords shorter than 10 characters affected by the security passwords min-length 12 command? No. The security passwords min-length command only affects passwords that are entered after this command is issued. Any pre-existing passwords remain in effect. If they are changed, they will need to be at least 12 characters long. Type your answers here. Router Interface Summary Table Router Model Ethernet Interface #1 Ethernet Interface #2 Serial Interface #1 Serial Interface #2 1800 Fast Ethernet 0/0 (F0/0) Fast Ethernet 0/1 (F0/1) Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1) 1900 Gigabit Ethernet 0/0 (G0/0) Gigabit Ethernet 0/1 (G0/1) Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1) 2801 Fast Ethernet 0/0 (F0/0) Fast Ethernet 0/1 (F0/1) Serial 0/1/0 (S0/1/0) Serial 0/1/1 (S0/1/1) 2811 Fast Ethernet 0/0 (F0/0) Fast Ethernet 0/1 (F0/1) Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1) 2900 Gigabit Ethernet 0/0 (G0/0) Gigabit Ethernet 0/1 (G0/1) Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1) 4221 Gigabit Ethernet 0/0/0 (G0/0/0) Gigabit Ethernet 0/0/1 (G0/0/1) Serial 0/1/0 (S0/1/0) Serial 0/1/1 (S0/1/1) 4300 Gigabit Ethernet 0/0/0 (G0/0/0) Gigabit Ethernet 0/0/1 (G0/0/1) Serial 0/1/0 (S0/1/0) Serial 0/1/1 (S0/1/1) Note : To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. 2013 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page of 5 6 www.netacad.com
10/28/23, 7:26 PM 16.5.2 Lab - Secure Netw ork Devices about:blank 6/6 Lab - Secure Network Devices The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface. End of document 2013 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page of 6 6 www.netacad.com
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help

Browse Popular Homework Q&A

Q: What communicates between the OS and computer devices? a. device driver b. OS kernel applications d.…
Q: Bids were placed in a silent auction for a sword reputed to have been used at the Battle of…
Q: 3. Breakdown of a cartel agreement Consider a town in which only two residents, Gregor and Haidy,…
Q: The common stock of Leaning Tower of Pita, Inc., a restaurant chain, will generate the following…
Q: he following table shows retail sales in drug stores in billions of dollars in the U.S. for years…
Q: The major structural difference between soluble globular proteins and membrane proteins is: a.…
Q: Distinguish between the terms tolerable misstatement and preliminary judgment about materiality. How…
Q: 4.) If the Cartesian product of A x B is {(1, 1), (1, 2), (3, 1), (3, 2), (5, 1), (5, 2)), what are…
Q: * Simplify each expression. (a) 2-1 (b) (-2) (c)-2-1 (a) 2-¹ = (Simplify your answer
Q: Determine whether each statement is true or false. a. ら > 2 or 5 = 2. and 7 is a prime number
Q: Only Shot Rising O One Shot Really None of the above QUESTION 8 The over flow bit of an up-counter…
Q: Account Cash Accounts Receivable Supples Prepaid Rent Prepaid Insurance Office Equipment Accumulated…
Q: simple of size n equals 32 has a simple mean x bar equals 53 in simple standard deviation as equals…
Q: Find f'(x) for the following function. Then find f'(4), f'(0), and f'(-3). -8 X f(x) =
Q: The standard normal probability function is used to describe many different populations. Its graph…
Q: K Use the negative exponent rules to simplify. 1 L 2 2-4 11 4 (Simplify your answer.)
Q: ₁ mm [₁ mm A WCD D B e cylinder A is rotating with an angular velocity of 4 rad.s-1, determine the…
Q: A spring-loaded piston-cylinder device contains 0.21 kg of water initially at 90°C and with an…
Q: The following are the distances (in miles) to the nearest airport for 13 families. 9, 13, 14, 14,…
Q: Briefly explain why temperature gradients are used in Gas Chromatography
Q: like the U.S. Constitution? system of Fights and freedoms bestowed upon the subjects by a King. Why…
Q: Should corporate lawyers who become aware that someone at the client corporation may have violated…