16.5.2 Lab – Secure Network Devices Answers
Objectives
Part 1: Configure Basic Device Settings
Part 2: Configure Basic Security Measures on the Router
Part 3: Configure Basic Security Measures on the Switch
Context / Scenario
All network devices should be configured with at least a minimum set of best-practice security commands. This includes end-user devices, servers, and network devices such as routers and switches.
In this lab, you will configure the network devices in the topology to accept SSH sessions for remote management. You will also use the IOS CLI to configure common, basic best-practice security measures. You will then test the security measures to verify that they are properly implemented and working correctly.
Note: The routers used with CCNA hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4 (universalk9 image). The switches used in the labs are Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.
Note: Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure, contact your instructor.
Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.
Required Resources
1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
1 PC (Windows with a terminal emulation program, such as Tera Term)
Console cables to configure the Cisco IOS devices via the console ports
Ethernet cables as shown in the topology
Instructions
Part 1: Configure Basic Device Settings
In Part 1, you will set up the network topology and configure basic settings, such as the interface IP addresses, device access, and passwords on the devices.
Step 1: Cable the network as shown in the topology.
Attach the devices as shown in the topology diagram, and cable as necessary.
Step 2: Initialize and reload the router and switch.
Step 3: Configure the router and switch.
Console into the device and enter privileged EXEC mode.
Assign a device name according to the Addressing Table.
Disable DNS lookup to prevent the device from attempting to translate incorrectly entered commands as hostnames.
Assign class as the encrypted privileged EXEC password.
Assign cisco as the console password and enable login.
Assign cisco as the VTY password and enable login.
Create a banner that warns anyone accessing the device that unauthorized access is prohibited.
Configure and activate the G0/0/1 interface on the router using the information in the Addressing Table.
Configure the default SVI on the switch with the IP address information according to the Addressing Table.
Save the running configuration to the startup configuration file.
Step 4: Configure PC-A.
Configure PC-A with an IP address and subnet mask.
Configure a default gateway for PC-A.
Step 5: Verify network connectivity.
Ping R1 and S1 from PC-A. If any of the pings fail, troubleshoot the connection.
Part 2: Configure Basic Security Measures on the Router
Step 1: Configure security measures.
Encrypt the plaintext passwords.
Configure the system to require a minimum 12-character password.
Change the passwords (privileged exec, console, and vty) to conform to the new minimum length requirement.
1) Set the privileged exec password to $cisco!PRIV*
2) Set the console password to $cisco!!CON*
3) Set the vty line password to $cisco!!VTY*
Configure the router to accept only SSH connections from remote hosts.
1) Configure the username SSHadmin with the encrypted password 55HAdm!n2020
2) Configure the domain name of the router as ccna-lab.com
3) Generate the key with a modulus of 1024 bits.
Configure security and best practices on the console and vty lines.
1) Disconnect idle users after five minutes.
2) Block vty logins for two minutes after three failed login attempts within one minute.
Step 2: Verify that all unused ports are disabled.
Router ports are disabled by default, but it is always prudent to verify that all unused ports are administratively down. This can be quickly checked with the show ip interface brief command. Any unused ports that are not administratively down should be disabled with the shutdown command in interface configuration mode.
R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   unassigned      YES unset  administratively down down
GigabitEthernet0/0/1   192.168.1.1     YES manual up                    up
Serial0/1/0            unassigned      YES unset  administratively down down
Serial0/1/1            unassigned      YES unset  administratively down down
Step 3: Verify that your security measures have been implemented correctly.
Use Tera Term on PC-A to telnet to R1.
Does R1 accept the Telnet connection? Explain.
No, the connection cannot be made. Telnet was disabled with the transport input ssh command.
Use Tera Term on PC-A to SSH to R1.
Does R1 accept the SSH connection?
Yes
Intentionally mistype the username and password to see if login access is blocked after two failed attempts.
What happened after the second failed login attempt?
The connection to R1 was closed. If you attempt to reconnect within 30 seconds, you will be denied access.
From your console session on the router, issue the show login command to view the login status. In the example below, the router is in Quiet-Mode because the show login command was issued during the 120-second login blocking period. The router will not accept any login attempts until 111 seconds have elapsed.
R1# show login
     A default login delay of 1 second is applied.
     No Quiet-Mode access list has been configured.
     All successful login is logged.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 60 seconds or less,
     logins will be disabled for 120 seconds.

     Router presently in Quiet-Mode.
     Will remain in Quiet-Mode for 111 seconds.
     Denying logins from all sources.
After 120 seconds, SSH to R1 again and log in using the SSHadmin username and the password 55HAdm!n2020.
What was displayed after you logged in successfully?
The MOTD banner for R1.
Enter privileged EXEC mode using the password $cisco!PRIV*.
If you mistype this password three times within 60 seconds, are you automatically disconnected from your SSH session? Explain.
No. The login block-for 120 attempts 3 within 60 command only monitors login attempts made on the VTY lines.
From the privileged EXEC prompt, issue the show running-config command to review the security settings you have applied.
Part 3: Configure Basic Security Measures on the Switch
Step 1: Configure security measures.
Encrypt the plaintext passwords.
Configure the system to require a minimum 12-character password.
Change the passwords (privileged exec, console, and vty) to conform to the new minimum length requirement.
1) Set the privileged exec password to $cisco!PRIV*
2) Set the console password to $cisco!!CON*
3) Set the vty line password to $cisco!!VTY*
Configure the switch to accept only SSH connections from remote hosts.
1) Configure the username SSHadmin with the encrypted password 55HAdm!n2020
2) Configure the domain name of the switch as ccna-lab.com
3) Generate the key with a modulus of 1024 bits.
Configure security and best practices on the console and vty lines.
1) Disconnect idle users after five minutes.
2) Block logins for two minutes if three failed login attempts occur within one minute.
Shut down all unused ports.
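As an added example, not part of the lab itself: a small Python audit that checks a saved running-config for the settings Part 2 Step 1 and Part 3 Step 1 put in place (service password-encryption, security passwords min-length 12, login block-for, an enable secret, and exec-timeout, login local and transport input ssh on the lines). The sample config is constructed from the final S1 config at the end of this page, with placeholder hashes, and keeps the line vty 5 15 stanza exactly as that config shows it, with only login.

```python
# Constructed sample (not the page's own config): a trimmed S1 running-config
# with placeholder hashes; 'line vty 5 15' is left as the final S1 config shows it.
SAMPLE_CONFIG = """\
service password-encryption
hostname S1
enable secret 5 $1$xxxx$PLACEHOLDER
security passwords min-length 12
login block-for 120 attempts 3 within 60
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 login
"""

REQUIRED_GLOBALS = [
    "service password-encryption",
    "security passwords min-length 12",
    "login block-for 120 attempts 3 within 60",
]

def line_stanzas(config):
    """Return [(header, [body commands])] for each 'line ...' stanza (IOS indents bodies one space)."""
    stanzas, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            stanzas.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None
    return stanzas

def audit_config(config):
    """Check the lab's hardening settings; return a list of findings (empty = all present)."""
    findings = []
    top_level = {l.strip() for l in config.splitlines() if l and not l.startswith(" ")}
    for cmd in REQUIRED_GLOBALS:
        if cmd not in top_level:
            findings.append(f"missing global command: {cmd}")
    if not any(c.startswith("enable secret ") for c in top_level):
        findings.append("privileged EXEC password is not an 'enable secret'")
    for header, body in line_stanzas(config):
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: Telnet still allowed (no 'transport input ssh')")
            if "login local" not in body:
                findings.append(f"{header}: not authenticating against local users (no 'login local')")
        if not any(c.startswith("exec-timeout") for c in body):
            findings.append(f"{header}: no exec-timeout")
    return findings
```

Run against the sample, the audit reports three findings on line vty 5 15, which, as in the final S1 config on this page, lacks transport input ssh, login local and exec-timeout; the lab steps only address vty 0 4.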
Step 2: Verify that all unused ports are disabled.
Switch ports are enabled by default. Shut down all ports that are not in use on the switch.
You can verify the switch port status using the show ip interface brief command.
S1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.11    YES manual up                    up
FastEthernet0/1        unassigned      YES unset  down                  down
FastEthernet0/2        unassigned      YES unset  down                  down
FastEthernet0/3        unassigned      YES unset  down                  down
FastEthernet0/4        unassigned      YES unset  down                  down
FastEthernet0/5        unassigned      YES unset  up                    up
FastEthernet0/6        unassigned      YES unset  up                    up
FastEthernet0/7        unassigned      YES unset  down                  down
FastEthernet0/8        unassigned      YES unset  down                  down
FastEthernet0/9        unassigned      YES unset  down                  down
FastEthernet0/10       unassigned      YES unset  down                  down
FastEthernet0/11       unassigned      YES unset  down                  down
FastEthernet0/12       unassigned      YES unset  down                  down
FastEthernet0/13       unassigned      YES unset  down                  down
FastEthernet0/14       unassigned      YES unset  down                  down
FastEthernet0/15       unassigned      YES unset  down                  down
FastEthernet0/16       unassigned      YES unset  down                  down
FastEthernet0/17       unassigned      YES unset  down                  down
FastEthernet0/18       unassigned      YES unset  down                  down
FastEthernet0/19       unassigned      YES unset  down                  down
FastEthernet0/20       unassigned      YES unset  down                  down
FastEthernet0/21       unassigned      YES unset  down                  down
FastEthernet0/22       unassigned      YES unset  down                  down
FastEthernet0/23       unassigned      YES unset  down                  down
FastEthernet0/24       unassigned      YES unset  down                  down
GigabitEthernet0/1     unassigned      YES unset  down                  down
GigabitEthernet0/2     unassigned      YES unset  down                  down
Use the interface range command to shut down multiple interfaces at a time.
S1(config)# interface range f0/1-4, f0/7-24, g0/1-2
S1(config-if-range)# shutdown
S1(config-if-range)# end
Verify that all inactive interfaces are administratively down.
S1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.11    YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
FastEthernet0/2        unassigned      YES unset  administratively down down
FastEthernet0/3        unassigned      YES unset  administratively down down
FastEthernet0/4        unassigned      YES unset  administratively down down
FastEthernet0/5        unassigned      YES unset  up                    up
FastEthernet0/6        unassigned      YES unset  up                    up
FastEthernet0/7        unassigned      YES unset  administratively down down
FastEthernet0/8        unassigned      YES unset  administratively down down
FastEthernet0/9        unassigned      YES unset  administratively down down
FastEthernet0/10       unassigned      YES unset  administratively down down
FastEthernet0/11       unassigned      YES unset  administratively down down
FastEthernet0/12       unassigned      YES unset  administratively down down
FastEthernet0/13       unassigned      YES unset  administratively down down
FastEthernet0/14       unassigned      YES unset  administratively down down
FastEthernet0/15       unassigned      YES unset  administratively down down
FastEthernet0/16       unassigned      YES unset  administratively down down
FastEthernet0/17       unassigned      YES unset  administratively down down
FastEthernet0/18       unassigned      YES unset  administratively down down
FastEthernet0/19       unassigned      YES unset  administratively down down
FastEthernet0/20       unassigned      YES unset  administratively down down
FastEthernet0/21       unassigned      YES unset  administratively down down
FastEthernet0/22       unassigned      YES unset  administratively down down
FastEthernet0/23       unassigned      YES unset  administratively down down
FastEthernet0/24       unassigned      YES unset  administratively down down
GigabitEthernet0/1     unassigned      YES unset  administratively down down
GigabitEthernet0/2     unassigned      YES unset  administratively down down
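As an added example (not part of the lab), a Python script that does what Step 2 does by hand: it parses show ip interface brief output, picks out the ports that are down but not yet administratively down, and builds the matching interface range shutdown command. The sample output is constructed to mirror the S1 state above, trimmed to a few rows; up/up ports (PC-A and R1 on Fa0/5 and Fa0/6) are in use and left alone.

```python
import re

# Constructed sample (not captured from the lab gear): 'show ip interface brief'
# on S1 before the unused ports were shut, trimmed to a few rows.
SHOW_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.11    YES manual up                    up
FastEthernet0/1        unassigned      YES unset  down                  down
FastEthernet0/2        unassigned      YES unset  down                  down
FastEthernet0/3        unassigned      YES unset  down                  down
FastEthernet0/4        unassigned      YES unset  down                  down
FastEthernet0/5        unassigned      YES unset  up                    up
FastEthernet0/6        unassigned      YES unset  up                    up
FastEthernet0/7        unassigned      YES unset  down                  down
FastEthernet0/8        unassigned      YES unset  administratively down down
GigabitEthernet0/1     unassigned      YES unset  down                  down
GigabitEthernet0/2     unassigned      YES unset  down                  down
"""

# One data row: name, IP, OK?, method, status (may contain a space), protocol.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(YES|NO)\s+(\S+)\s+"
                 r"(administratively down|up|down)\s+(\S+)")

def parse_brief(text):
    """Return (interface, ip, status, protocol) per data row; the header fails YES|NO and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(5), m.group(6)))
    return rows

def unused_ports(text):
    """Ports with no link that are not yet administratively down: the ones the
    lab shuts. up/up ports are in use and already-shut ports need nothing."""
    return [name for name, ip, status, _ in parse_brief(text)
            if status == "down" and ip == "unassigned"]

ABBREV = {"FastEthernet": "f", "GigabitEthernet": "g"}

def range_command(ports):
    """Collapse consecutive port numbers into one IOS 'interface range' line."""
    groups = []  # [prefix such as 'f0/', first, last]
    for name in ports:
        m = re.match(r"([A-Za-z]+)(\d+/)(\d+)$", name)
        prefix = ABBREV.get(m.group(1), m.group(1)) + m.group(2)
        num = int(m.group(3))
        if groups and groups[-1][0] == prefix and groups[-1][2] == num - 1:
            groups[-1][2] = num
        else:
            groups.append([prefix, num, num])
    parts = [f"{p}{a}" if a == b else f"{p}{a}-{b}" for p, a, b in groups]
    return "interface range " + ", ".join(parts)
```

Feed the generated line into global configuration mode and follow it with shutdown, then re-run the parser on fresh output: an empty unused_ports() result is the verification the lab asks for.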
Step 3: Verify that your security measures have been implemented correctly.
Verify that Telnet has been disabled on the switch.
SSH to the switch and intentionally mistype the username and password to see if login access is blocked.
After 30 seconds, SSH to S1 again and log in using the SSHadmin username and the password 55HAdm!n2020.
Did the banner appear after you logged in successfully?
Yes
Enter privileged EXEC mode using the password $cisco!PRIV*.
From the privileged EXEC prompt, issue the show running-config command to review the security settings you have applied.
Reflection Questions
In your Part 1 configuration, the password cisco command was entered for the console and VTY lines. When is this password used after the best-practice security measures have been applied?
The password is no longer used. Although the password command still appears in the line sections of the running-config, it stopped being used as soon as the login local command was entered for those lines.
Does the security passwords min-length 12 command affect passwords that were already configured with fewer than 10 characters?
No. The security passwords min-length command only affects passwords entered after it is executed. Existing passwords continue to work. If they are changed, they must be at least 12 characters long.
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces it has. There is no practical way to list all the configuration combinations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one; an ISDN BRI interface is one such example. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
Device Configs – Final
Router R1
R1#sho run
Building configuration…
Current configuration : 3876 bytes
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 12
enable secret 5 $1$BmR8$GYubrKoVQHVy5jWU918MX/
!
no aaa new-model
!
no ip domain lookup
ip domain name ccna-lab.com
!
!
login block-for 120 attempts 3 within 60
login on-success log
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-950245734
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-950245734
revocation-check none
rsakeypair TP-self-signed-950245734
!
!
crypto pki certificate chain TP-self-signed-950245734
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
<output omitted>
!
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username SSHadmin secret 5 $1$tgl9$jKy8iTbZeuS4VaDHetShg0
!
redundancy
mode none
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface Serial0/1/0
no ip address
shutdown
!
interface Serial0/1/1
no ip address
shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc
!
control-plane
!
banner motd ^C Unauthorized Access Is Prohibited ^C
!
line con 0
exec-timeout 5 0
password 7 06420C285F4D065844343D2546
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 5 0
password 7 08654F471A1A0A56533D383D60
login local
transport input ssh
!
!
end
Switch S1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/Dix$FQPskX.44rHEKUDhJvJI40
!
username SSHadmin secret 5 $1$2ens$10nrX3Vj14Ofk.oMKtTrQ1
no aaa new-model
system mtu routing 1500
!
!
no ip domain-lookup
ip domain-name ccna-lab.com
login block-for 120 attempts 3 within 60
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
ip address 192.168.1.11 255.255.255.0
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
!
!
banner motd ^C Unauthorized Access Is Prohibited ^C
!
line con 0
exec-timeout 5 0
password 7 145311021F07256A650B1C1B68
line vty 0 4
exec-timeout 5 0
password 7 08654F471A1A0A56533D383D60
login local
transport input ssh
line vty 5 15
login
!