Chapter 6 Lab A - Securing Layer 2 Switches Instructor Version

CCNA Security Chapter 6 Lab A, Securing Layer 2 Switches Instructor Version
Topology [pic] IP Addressing Table |Device| |IP Address|Subnet Mask |Default | |
| |Interface | | |Gateway |Switch Port |
|R1 |Fa0/1 |192.168.1.|255.255.255.0|N/A |S1 FA0/5 |
| | |1 | | | |
|S1 |VLAN 1 |192.168.1.|255.255.255.0|N/A |N/A |
| | |2 | | | |
|S2 |VLAN 1 |192.168.1.|255.255.255.0|N/A |N/A |
| | |3 | | | |
|PC-A |NIC |192.168.1.|255.255.255.0|192.168.1.1 |S1 FA0/6 |
| | |10 | | | |
|PC-B |NIC |192.168.1.|255.255.255.0|192.168.1.1 |S2 FA0/18 |
| | |11 | | | |
Objectives
Part 1: Configure Basic Switch Settings . Build the topology.
. Configure the host name, IP address, and access passwords. Part 2: Configure SSH Access to the Switches . Configure SSH access on the switch.
. Configure an SSH client to access the switch.
. Verify the configuration. Part 3: Secure Trunks and Access Ports . Configure trunk port mode.
. Change the native VLAN for trunk ports.
. Verify trunk configuration.
. Enable storm control for broadcasts.
. Configure access ports.
. Enable PortFast and BPDU guard.
. Verify BPDU guard.
. Enable root guard.
. Configure port security.
. Verify port security.
. Disable unused ports. Part 4: Configure SPAN and Monitor Traffic . Configure Switched Port Analyzer (SPAN).
. Monitor port activity using Wireshark.
. Analyze a sourced attack. Background
The Layer 2 (Data Link) infrastructure consists mainly of interconnected
Ethernet switches. Most end-user devices, such as computers, printers, IP
phones and other hosts, connect to the network via Layer 2 access
switches. As a result, they can present a network security risk. Similar
to routers, switches are subject to attack from malicious internal users.
The switch Cisco IOS software provides many security features that are
specific to switch functions and protocols.
In this lab, you configure SSH access and Layer 2 security for switches
S1 and S2. You also configure various switch protection measures,
including access port security, switch storm control, and Spanning Tree
Protocol (STP) features such as BPDU guard and root guard. Lastly, you
use Cisco SPAN to monitor traffic to specific ports on the switch.
Note: The router commands and output in this lab are from a Cisco 1841
with Cisco IOS Release 12.4(20)T (Advanced IP image). The switch commands
and output are from a Cisco WS-C2960-24TT-L with Cisco IOS Release
12.2(46)SE (C2960-LANBASEK9-M image). Other routers, switches, and IOS
versions may be used. See the Router Interface Summary table at the end
of the lab to determine which interface identifiers to use based on the
equipment in the lab. Depending on the router or switch model and IOS
version, the commands available and output produced might vary from what
is shown in this lab.
Note: Make sure that the router and the switches have been erased and
have no startup configurations.
Instructor Note: Instructions for erasing switches and routers are
provided in the Lab Manual, located on Academy Connection in the Tools
section.
Required Resources
. One router (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
. Two switches (Cisco 2960 or comparable with cryptography IOS image for
SSH support - Release 12.2(46)SE or comparable)
. PC-A (Windows XP or Vista with a PuTTY SSH client and Wireshark)
. PC-B (Windows XP or Vista with a PuTTY SSH client and SuperScan)
. Ethernet cables as shown in the topology
. Rollover cables to configure the switches via the console
Instructor Notes:
. This lab is divided into four parts. Each part can be administered
individually or in combination with others as time permits. The focus is
configuring security measures on switches S1 and S2. Router R1 serves as
a realistic gateway connection and is mainly used to change the MAC
address connected to switch S1 for port security testing.
. Students can work in teams of two for switch configuration, one person
configuring S1 and the other configuring S2.
. The basic running configs for the router and two switches are captured
after Parts 1 and 2 of the lab are completed. The running config for S1
and S2 are captured after Parts 3 and 4 and are listed separately. All
configs are found at the end of the lab.
Part 1: Basic Device Configuration
In Part 1 of this lab, you set up the network topology and configure
basic settings such as the host names, IP addresses, and device access
passwords.
Note: Perform all tasks on router R1 and switches S1 and S2. The
procedure for S1 is shown here as an example.
Step 1: Cable the network as shown in the topology.
Attach the devices shown in the topology diagram and cable as
necessary.
Step 2: Configure basic settings for the router and each switch.
a. Configure host names as shown in the topology.
b. Configure interface IP addresses as shown in the IP Addressing Table.
The configuration of the VLAN 1 management interface on switch S1 is
shown here. S1(config)#interface vlan 1
S1(config-if)#ip address 192.168.1.2 255.255.255.0
S1(config-if)#no shutdown c. Configure the enable secret and console passwords. S1(config)#enable secret cisco12345
S1(config)#line console 0
S1(config-line)#password ciscoconpass
S1(config-line)#exec-timeout 5 0
S1(config-line)#login
S1(config-line)#logging synchronous Note: Do not configure the switch vty access at this time. The vty
lines are configured on the switches in Part 2 for SSH access.
d. Configure the vty lines and password on R1. R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login e. To prevent the router or switch from attempting to translate incorrectly
entered commands, disable DNS lookup. Router R1 is shown here as an
example. R1(config)#no ip domain-lookup f. HTTP access to the switch is enabled by default. To prevent HTTP access,
disable the HTTP server and HTTP secure server. S1(config)#no ip http server
S1(config)#no ip http secure-server Note: The switch must have a cryptography IOS image to support the
ip http secure-server command. HTTP access to the router is
disabled by default.
Step 3: Configure PC host IP settings.
Configure a static IP address, subnet mask, and default gateway for PC-
A and PC-B as shown in the IP Addressing Table.
Step 4: Verify basic network connectivity.
a. Ping from PC-A and PC-B to the R1 Fa0/1 interface at IP address
192.168.1.1. Were the results successful? Yes.
If the pings are not successful, troubleshoot the basic device
configurations before continuing.
b. Ping from PC-A to PC-B. Were the results successful? Yes.
If the pings are not successful, troubleshoot the basic device
configurations before continuing.
Step 5: Save the basic configurations for the router and both switches.
Save the running configuration to the startup configuration from the
privileged EXEC prompt. S1#copy running-config startup-config Part 2: SSH Configuration
In Part 2 of this lab, you configure switches S1 and S2 to support SSH
connections and install SSH client software on the PCs.
Note: A switch IOS image that supports encryption is required to
configure SSH. Otherwise, you cannot specify SSH as an input protocol for
the vty lines and the crypto commands are not available.
Task 1: Configure the SSH Server on Switch S1 and S2 Using the CLI
In this task, use the CLI to configure the switch to be managed securely
using SSH instead of Telnet. Secure Shell (SSH) is a network protocol
that establishes a secure terminal emulation connection to a switch or
other networking device. SSH encrypts all information that passes over
the network link and provides authentication of the remote computer. SSH
is rapidly replacing Telnet as the remote login tool of choice for
network professionals.
Note: For a switch to support SSH, it must be configured with local
authentication, AAA services or username. In this task, you configure an
SSH username and local authentication on S1 and S2. S1 is shown here as
an example.
Step 1: Configure a domain name.
Enter global configuration mode and set the domain name. S1#conf t
S1(config)#ip domain-name ccnasecurity.com Step 2: Configure a privileged user for login from the SSH client.
a. Use the username command to create the user ID with the highest possible
privilege level and a secret password. S1(config)#username admin privilege 15 secret cisco12345 b. Exit to the initial switch login screen, and log in with this username.
What was the switch prompt after you entered the password? The privileged
EXEC (enable) prompt # sign. With a privilege level of 15, the login
defaults to privileged EXEC mode.
Step 3: Configure the incoming vty lines.
a. Configure vty access on lines 0 through 4. Specify a privilege level of
15 so that a user with the highest privilege level (15) will default to
privileged EXEC mode when accessing the vty lines. Other users will
default to user EXEC mode.