NET201: Networking With Lab 2: Configuring Cisco Switch Security Features


NET201: Networking with Lab 2

Configuring Cisco Switch Security Features


Laboratory Exercise # 1

GRADE

Group No. : ____ Signature

Leader : LIWANAG, James Ryan C. ___________________


Members :
RODELAS, Lyka B. ___________________
STA. MONICA, Matthew C. ___________________

Date Performed : August 20 2019


Date Submitted : August 27 2019

Mr. Leonardo Antivo


(Lab Instructor)
OBJECTIVES AND MATERIALS

Objectives:

After this laboratory, students should be able to:

1. set up the topology and initialize devices,
2. configure basic device settings and verify connectivity, and
3. configure and verify security features on a Cisco switch.

Materials:

QUANTITY | PART NUMBER | DESCRIPTION
1        | -           | Working Personal Computer (PC) with Installed Cisco Packet Tracer Software

Scenario:

It is quite common to lock down access and install strong security features
on PCs and servers. It is important that your network infrastructure devices, such
as switches and routers, are also configured with security features.
In this lab, you will follow some best practices for configuring security
features on LAN switches. You will also configure and verify port security to lock
out any device with a MAC address not recognized by the switch.
PROCEDURES

Task 1. Set Up the Topology and Initialize Devices.


1. Cable the network topology as shown in Figure 1.1 using the Packet Tracer network
simulator software.
2. Initialize and reload the router and switch. Note: If configuration files were
previously saved on the router or switch, initialize and reload these devices back
to their default configurations. (Reminder: Capture all the outputs, since they are
part of your data results.)
In Router DCE

Router> en
Router# sh run

In Switch DCE

Switch> en
Switch# sh run

Task 2. Configure Basic Device Settings and Verify Connectivity


1. Configure an IP address on PC-DCE (Refer to the Addressing Table for the IP
Address information in Table 1.1.)
2. Configure basic settings on DCE router.
Router> en
Router# conf t
Router(config)# hostname DCE_RTR
DCE_RTR(config)# no ip domain-lookup
DCE_RTR(config)# service password-encryption
DCE_RTR(config)# enable secret dce
DCE_RTR(config)# banner motd #This is DCE office, unauthorized access is strictly prohibited!#
DCE_RTR(config)# line con 0
DCE_RTR(config-line)# password dcesilver
DCE_RTR(config-line)# login
DCE_RTR(config-line)# exit
DCE_RTR(config)# line vty 0 4
DCE_RTR(config-line)# password dcesilver
DCE_RTR(config-line)# login
DCE_RTR(config-line)# exit
DCE_RTR(config)# int g0/0
DCE_RTR(config-if)# ip add 192.168.10.1 255.255.255.0
DCE_RTR(config-if)# no shutdown
DCE_RTR(config-if)# end
DCE_RTR# copy run start
DCE_RTR# exit

3. Verify your configuration using the show ip interface brief command.


4. Configure basic settings on DCE switch.
Switch> en
Switch# conf t
Switch(config)# hostname DCE_SW
DCE_SW(config)# no ip domain-lookup
DCE_SW(config)# service password-encryption
DCE_SW(config)# enable secret dce
DCE_SW(config)# banner motd #This is DCE LAN, unauthorized access is strictly prohibited!#
DCE_SW(config)# line con 0
DCE_SW(config-line)# password dcesilver
DCE_SW(config-line)# login
DCE_SW(config-line)# exit
DCE_SW(config)# line vty 0 15
DCE_SW(config-line)# password dcesilver
DCE_SW(config-line)# login
DCE_SW(config-line)# end
DCE_SW# copy run start

5. Create VLAN 99 on the switch and name it DCE-Students.


DCE_SW# conf t
DCE_SW(config)# vlan 99
DCE_SW(config-vlan)# name DCE-Students
DCE_SW(config-vlan)# exit
DCE_SW(config)#

6. Configure the VLAN 99 management interface IP address, as shown in Table 1,
and enable the interface.

DCE_SW(config)# int vlan 99


DCE_SW(config-if)# ip add 192.168.10.99 255.255.255.0
DCE_SW(config-if)# no shutdown
DCE_SW(config-if)# end
DCE_SW#

7. Issue the show vlan command on DCE_SW. What is the status of VLAN 99?
________________________________________________________________

8. Issue the show ip interface brief command on DCE_SW. What is the status and
protocol for DCE-Students interface VLAN 99? Why is the protocol down, even
though you issued the no shutdown command for interface VLAN 99?
________________________________________________________________
________________________________________________________________
9. Assign ports F0/1 and F0/2 to VLAN 99 on the switch.

DCE_SW# conf t
DCE_SW(config)# int fa0/1
DCE_SW(config-if)# switchport mode access
DCE_SW(config-if)# switchport access vlan 99
DCE_SW(config-if)# int fa0/2
DCE_SW(config-if)# switchport mode access
DCE_SW(config-if)# switchport access vlan 99
DCE_SW(config-if)# end
DCE_SW# copy run start
DCE_SW#

10. Issue the show ip interface brief command on DCE_SW. What is the
status and protocol showing for interface VLAN 99? Note: There may be a delay
while the port states converge.
________________________________________________________________

11. Verify connectivity between devices.

a. From DCE-PC, ping the default gateway address on DCE_RTR. Were your pings
successful?
________________________________________________________________
b. From DCE-PC, ping the DCE-Students address of DCE_SW. Were your pings
successful?
________________________________________________________________
c. From DCE_SW, ping the default gateway address on DCE_RTR. Were your pings
successful?
________________________________________________________________
d. From DCE-PC, open a web browser and go to http://192.168.10.99. If you are
prompted for a username and password, leave the username blank and use
dcesilver for the password. If you are prompted for a secured connection, answer
No. Were you able to access the web interface on DCE_SW?
________________________________________________________________
e. Close the browser.

Note: The non-secure web interface (HTTP server) on a Cisco 2960 switch is
enabled by default. A common security measure is to disable this service, as
described in Task 3.
Task 3. Configure and Verify Security Features on DCE_SW.

1. Configure general security features on DCE_SW.


a. Change the message of the day (MOTD) banner on DCE_SW to, “Unauthorized
access is strictly prohibited. Violators will be prosecuted to the full extent of the
law.” Then verify the new banner.

b. Issue a show ip interface brief command on DCE_SW. What physical ports are
up?
____________________________________________________________________

c. Shut down all unused physical ports on the switch. Use the interface range
command.

DCE_SW> en
DCE_SW# conf t
DCE_SW(config)# int range fa0/3-24
DCE_SW(config-if-range)# shutdown
DCE_SW(config-if-range)# int range g0/1-2
DCE_SW(config-if-range)# shutdown
DCE_SW(config-if-range)# end
DCE_SW#

d. Issue the show ip interface brief command on DCE_SW. What is the status
of ports Fa0/3 to Fa0/24?
____________________________________________________________________
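The hardening steps above (password encryption, enable secret, MOTD banner, the HTTP server mentioned in the Task 2 note, unused ports shut down, and port security) can be checked mechanically from the text of show running-config. The following Python script is an added example, not part of the lab handout or of Cisco IOS; its sample configuration is constructed to resemble DCE_SW after this step, and it goes beyond the lab by flagging every enabled access port that lacks port security, not only Fa0/1.

```python
"""Audit a Cisco IOS running-config against the hardening steps of this lab.
Added example, not part of the lab handout. Paste the output of
'show running-config' in place of SAMPLE_CONFIG, which is a constructed sample.
"""
import re

SAMPLE_CONFIG = """\
hostname DCE_SW
no ip domain-lookup
service password-encryption
enable secret 5 $1$placeholder$hashvalue
banner motd ^CUnauthorized access is strictly prohibited.^C
ip http server
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 99
 switchport port-security
 switchport port-security mac-address 0001.0002.0003
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 99
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
!
interface Vlan99
 ip address 192.168.10.99 255.255.255.0
!
line con 0
 password 7 type7placeholder
 login
line vty 0 15
 password 7 type7placeholder
 login
"""


def parse_interfaces(config):
    """Return {interface name: [its indented sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None            # '!' or a global command ends the block
    return blocks


def audit(config):
    """Map each hardening check to True (pass) or False (finding)."""
    lines = config.splitlines()
    results = {
        "service password-encryption": "service password-encryption" in lines,
        "enable secret set": any(ln.startswith("enable secret") for ln in lines),
        "MOTD banner set": any(ln.startswith("banner motd") for ln in lines),
        "HTTP server disabled": "ip http server" not in lines,
    }
    for name, cmds in parse_interfaces(config).items():
        if not re.match(r"(Fast|Gigabit)Ethernet", name):
            continue                  # SVIs such as Vlan99 are not access ports
        if "shutdown" in cmds:
            continue                  # an unused port that is shut down is fine
        if any(c.startswith("switchport access vlan") for c in cmds):
            # An enabled access port should have port security on it.
            results[f"{name} port-security"] = "switchport port-security" in cmds
        else:
            # Enabled but never assigned: an unused port left open.
            results[f"{name} unused port shut down"] = False
    return results


if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG).items():
        print(("PASS " if ok else "FAIL ") + check)
```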

3. Configure and verify port security on DCE_SW.


a. Record the DCE_RTR G0/0 MAC address. From the DCE_RTR CLI, use the show
interface g0/0 command and record the MAC address of the interface. What is
the MAC address of the DCE_RTR G0/0 interface?
___________________________________________________________________

DCE_RTR> show interface g0/0

b. From the DCE_SW CLI, issue a show mac address-table command from user EXEC
mode. Find the dynamic entries for ports Fa0/1 and Fa0/2. Record them below.
Fa0/1 MAC Address :____________________________________________
Fa0/2 MAC Address :____________________________________________

DCE_SW> show mac address-table interface fa0/1

DCE_SW> show mac address-table interface fa0/2
4. Configure basic port security.

a. From the DCE_SW CLI, enter interface configuration mode for the port that connects
to DCE_RTR.

DCE_SW> en
DCE_SW# conf t
DCE_SW(config)# interface fa0/1

b. Shut down the port.

DCE_SW(config-if)# shutdown

c. Enable port security on Fa0/1.

DCE_SW(config-if)# switchport port-security

Note: Entering the switchport port-security command sets the maximum
MAC addresses to 1 and the violation action to shutdown. The switchport
port-security maximum and switchport port-security violation
commands can be used to change the default behavior.

d. Configure a static entry for the MAC address of DCE_RTR G0/0 interface recorded in
step 3a.
DCE_SW(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
(xxxx.xxxx.xxxx is the actual MAC address of the router G0/0 interface)

Note: Optionally, you can use the switchport port-security mac-address
sticky command to add all the secure MAC addresses that are dynamically learned
on a port (up to the maximum set) to the switch running configuration.

e. Enable the switch port.


DCE_SW(config-if)# no shutdown
DCE_SW(config-if)# end

4. Verify port security on DCE_SW Fa0/1 by issuing a show port-security
interface command. What is the port status of Fa0/1?
___________________________________________________________________

DCE_SW# show port-security interface fa0/1

5. From DCE_RTR command prompt, ping DCE-PC to verify connectivity.


DCE_RTR> ping 192.168.10.3
6. You will now violate security by changing the MAC address on the router
interface. Enter interface configuration mode for G0/0 and shut it down.
DCE_RTR> en
DCE_RTR# conf t
DCE_RTR(config)# interface g0/0
DCE_RTR(config-if)# shutdown

7. Configure a new MAC address for the interface, using aaaa.bbbb.cccc as the
address.
DCE_RTR(config-if)# mac-address aaaa.bbbb.cccc

8. If possible, have a console connection open on DCE_SW at the same time that
you do the next two steps. You will eventually see messages displayed on the
console connection to DCE_SW indicating a security violation. Enable the G0/0
interface on DCE_RTR.

DCE_RTR(config-if)# no shutdown

9. From DCE_RTR privileged EXEC mode, ping DCE-PC. Was the ping
successful? Why or why not?
___________________________________________________________________

10. On the switch, verify port security with the following commands.
DCE_SW> en
DCE_SW# show port-security
DCE_SW# show port-security interface fa0/1
DCE_SW# show interface fa0/1
DCE_SW# show port-security address

11. On the DCE router, shut down the G0/0 interface, remove the hard-coded MAC
address from the router, and re-enable the G0/0 interface.
DCE_RTR> en
DCE_RTR# conf t
DCE_RTR(config)# int g0/0
DCE_RTR(config-if)# shutdown
DCE_RTR(config-if)# no mac-address aaaa.bbbb.cccc
DCE_RTR(config-if)# no shutdown
DCE_RTR(config-if)# end
DCE_RTR#

12. From DCE_RTR, ping DCE-PC again at 192.168.10.3. Was the ping successful?
___________________________________________________________________
13. On the switch, issue the show interface fa0/1 command to determine the
cause of ping failure. Record your findings.
DCE_SW> en
DCE_SW# show interface fa0/1

____________________________________________________________

14. Clear the DCE_SW Fa0/1 error disabled status.


DCE_SW> en
DCE_SW# conf t
DCE_SW(config)# int fa0/1
DCE_SW(config-if)# shutdown
DCE_SW(config-if)# no shutdown
DCE_SW(config-if)# end
DCE_SW#

Note: There may be a delay while the port states converge.


15. Issue the show interface Fa0/1 command on DCE_SW to verify Fa0/1 is no
longer in error disabled mode.
DCE_SW# sh int fa0/1

16. From the DCE_RTR command prompt, ping DCE-PC again. The ping should be
successful.
________________________________________________________________

17. Save your Packet Tracer file as NET202 Lab 1 – Group#
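The sequence just performed (secure Fa0/1 with the router MAC, spoof aaaa.bbbb.cccc, observe the err-disabled port, recover with shutdown / no shutdown) can be modelled to see why the ping in step 12 still fails and the one in step 16 succeeds. This is an added Python example, not part of the lab or of Cisco IOS; the router MAC is a constructed placeholder, the console wording only approximates the IOS messages, and the restrict and protect modes from the note are included so they can be compared with the default shutdown action.

```python
"""Model of the port-security behaviour exercised in Task 3 (added example,
not from the lab or from Cisco IOS). Defaults follow the lab's note:
maximum 1 secure MAC and violation action shutdown. ROUTER_MAC is a
constructed placeholder for the real DCE_RTR G0/0 address recorded in step 3a.
"""

ROUTER_MAC = "0001.9733.1a01"   # constructed placeholder, not a real value
SPOOFED_MAC = "aaaa.bbbb.cccc"  # the address the lab assigns in step 7


class SecurePort:
    """One access port with 'switchport port-security' enabled."""

    def __init__(self, name, maximum=1, violation="shutdown"):
        self.name = name
        self.maximum = maximum          # switchport port-security maximum
        self.violation = violation      # shutdown | restrict | protect
        self.secure_macs = set()        # static entries plus learned ones
        self.err_disabled = False
        self.violation_count = 0
        self.log = []                   # console messages (IOS-like wording)

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac):
        """Handle an ingress frame; True if forwarded, False if dropped."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                # an err-disabled port drops everything
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)   # dynamic learning up to the maximum
            return True
        # Unknown source MAC while the secure table is full: a violation.
        self.violation_count += 1
        if self.violation in ("shutdown", "restrict"):
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                            f"occurred, caused by MAC address {mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                            f"{self.name}, putting {self.name} in err-disable state")
        return False                    # protect mode drops silently

    def shutdown(self):
        """Administrative shutdown; nothing more to model here."""

    def no_shutdown(self):
        """shutdown followed by no shutdown is how step 14 clears err-disabled."""
        self.err_disabled = False

    def show_port_security(self):
        """The fields the lab reads from 'show port-security interface'."""
        return {
            "Port Status": "Secure-shutdown" if self.err_disabled else "Secure-up",
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_macs),
            "Security Violation Count": self.violation_count,
        }


def lab_scenario(violation="shutdown"):
    """Steps 4 to 16 of Task 3; returns the outcome observed at each ping."""
    port = SecurePort("Fa0/1", violation=violation)
    port.add_static(ROUTER_MAC)                                # step 4d
    out = {}
    out["ping_before"] = port.receive(ROUTER_MAC)              # step 5: succeeds
    out["ping_spoofed"] = port.receive(SPOOFED_MAC)            # step 9: violation
    out["status"] = port.show_port_security()["Port Status"]   # step 10
    out["ping_mac_restored"] = port.receive(ROUTER_MAC)        # step 12
    port.shutdown()
    port.no_shutdown()                                         # step 14
    out["ping_after_recovery"] = port.receive(ROUTER_MAC)      # step 16: succeeds
    out["console"] = list(port.log)
    return out
```

Running lab_scenario("restrict") shows the contrast the note alludes to: the spoofed frame is still dropped and logged, but the port stays Secure-up and the ping in step 12 succeeds without the shutdown / no shutdown recovery.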


NETWORK TOPOLOGY DIAGRAM

Network Address: 192.168.10.0/24

Figure 1.1. Switch Environment Network Diagram


DATA RESULTS

Table 1. Summary of network device interface IP addresses


NETWORK DEVICE | INTERFACE | IP ADDRESS    | SUBNET ADDRESS | DEFAULT GATEWAY
DCE_RTR        | G0/0      | 192.168.10.1  | 255.255.255.0  | N/A
DCE_SW         | VLAN 10   | 192.168.10.99 | 255.255.255.0  | 192.168.10.1
DCE-PC         | NIC       | 192.168.10.3  | 255.255.255.0  | 192.168.10.1

Task 1. Set Up the Topology and Initialize Devices (CLI commands, results, or
answers to some questions)

Task 2. Configure Basic Device Settings and Verify Connectivity (CLI
commands, results, or answers to some questions)

Task 3. Configure and Verify Security Features on DCE_SW (CLI commands,
results, or answers to some questions)
DATA ANALYSIS / OBSERVATIONS

Upon setting up the topology and devices, we arrived at the results of the
configuration commands. After configuring, we verified the connectivity of the
networks and also the security features of the department.
Switches are used to connect multiple devices together on the same network. In a
properly designed network, local area network switches are responsible for
directing and controlling the data flow at the access layer to networked resources.
These switches are self-configuring and no additional configurations are
necessary for them to function out of the box. They can also be managed both
locally and remotely, including port speed, bandwidth and security requirements.
To remotely manage a switch, it needs to have an IP address and default gateway
configured. A command-line interface is a means of interacting with a computer
program where the user issues commands to the program in the form of
successive lines of text. The program which handles the interface is called
a command-line interpreter or command-line processor, or shell. It's not safe to
assume that your network is safe from security threats, even if you have a firewall
as well as antivirus and antimalware software installed. Although these tools protect
against viruses, worms, and other threats, a managed switch with built-in security
features lets you control exactly who has access to your local network. You can
use the switch to limit the network devices that users can connect to from their
computers and define the resources that they have access to. But if an intruder
does slip past, the switch's embedded security will deter the unauthorized user
from taking over the switch and disabling all its defenses.
After entering the commands in the CLI on Packet Tracer, we were able to accomplish
the tasks needed in this analysis. The command line interface worked as it should, but
as we went through the process of typing the commands there were sometimes mistakes or
errors in the program; sometimes we forgot to use the same spacing or misspelled
some words, and that cost us a lot of time. The routers are
considered the ones that connect to the switches and to the given end devices;
making a lot of changes in the security, like changing the password, made our
program invalid at the same time. The destination of the sources makes a
lot of difference in making it successful. But we must have the right routers to make
it work and be done.
A router performs its functions almost solely at OSI. This is because the open
system interconnection (OSI) is one of the steps that is needed for the CLI to fully
function; the router is used to connect Internet Protocol networks. Since IP is a protocol
that runs at OSI Layer 3 and can operate on multiple Layer 1 and 2 technologies
(including Ethernet), a router is typically used to connect parts of a network that
use technologies other than Ethernet to connect their connected devices/offices.
Routers also provide the ability to separate IP broadcast domains. This feature is
important, as some protocols use broadcast heavily to communicate with hosts.
This is our overall overview of configuring the switch security features, and it helped
us a lot for a better understanding of the next research study we are going to make
about this networking.
QUESTIONS AND ANSWERS

Questions:

1. Why would you enable port security on a switch?
2. Why should unused ports on a switch be disabled?
3. Provide a summary and description of all the switch CLI commands used
in the laboratory exercise in tabular form showing the command,
description, and its example.
4. Given the network topology diagram and the assigned interface IP
addresses presented in Table 2, show and perform basic configuration in
Cisco router (use RIPv1 dynamic routing protocol to advertise network
addresses of directly connected interfaces) and switches. Also, provide
verification outputs.

Table 2. Summary of network device interface IP addresses


NETWORK DEVICE | INTERFACE | IP ADDRESS    | SUBNET ADDRESS | DEFAULT GATEWAY
CORE_RTR       | G0/0      | 192.168.10.1  | 255.255.255.0  | N/A
CORE_RTR       | G0/1      | 192.168.20.1  | 255.255.255.0  | N/A
ACCESS_SW1     | VLAN 10   | 192.168.10.10 | 255.255.255.0  | 192.168.10.1
ACCESS_SW1     | VLAN 20   | 192.168.10.20 | 255.255.255.0  | 192.168.10.1
ACCESS_SW2     | VLAN 10   | 192.168.20.10 | 255.255.255.0  | 192.168.20.1
ACCESS_SW2     | VLAN 20   | 192.168.20.20 | 255.255.255.0  | 192.168.20.1
PC1            | NIC       | 192.168.10.2  | 255.255.255.0  | 192.168.10.1
PC2            | NIC       | 192.168.10.3  | 255.255.255.0  | 192.168.10.1
PC3            | NIC       | 192.168.20.2  | 255.255.255.0  | 192.168.20.1
PC4            | NIC       | 192.168.20.3  | 255.255.255.0  | 192.168.20.1
Answers:

1. Why would you enable port security on a switch?

- We enable port security on a switch because, when using port security, we can
prevent devices from accessing the network, which increases security.
It would help us to prevent unauthorized devices from accessing your
network and to ensure there is no spoofing.
2. Why should unused ports on a switch be disabled?

- We should disable the unused ports in order to secure our network,
and also so that a user could not connect devices to the disabled switch port.
To prevent a user from accessing the LAN by connecting a device to an
unused port.
3.
Commands, their description, and an example of each:

1. Command: Router>en
   Description: used to enter privileged mode; or you will enter the exec mode.
   Example:
   Router>en
   Router#

2. Command: Router#sh run
   Description: it will display the saved data that you configured on your network.

3. Command: Router(config)#hostname
   Description: it will allow you to give a name to your devices.
   Example:
   Router>en
   Router#conf t
   Router(config)#hostname DCE_RTR
   DCE_RTR(config)#

4. Command: Router#conf t
   Description: can be used to do a configuration that can affect the system as a whole.
   Example:
   Router>en
   Router#conf t
   Router(config)#

5. Command: Router(config)#no ip domain-lookup
   Description: it will not show the translation whenever you misspelled the command
   on your line interface.

6. Command: Router(config)#service password-encryption
   Description: allows you to enable your secret.

7. Command: Router(config)#enable secret
   Description: it allows the user to create another password after enabling the
   user-exec mode.
   Example:
   Router>en
   Router#conf t
   Router(config)# service password-encryption
   Router(config)#enable secret dce

8. Command: Router(config)#banner motd
   Description: it will allow you to have a comment at the start when you open your
   command line interface.
   Example:
   Router>en
   Router#conf t
   Router(config)# banner motd # This is DCE office, unauthorized access is strictly prohibited!#
   Router(config)#exit
   Router# exit
   This is DCE office, unauthorized access is strictly prohibited!
   Router>

9. Command: Router(config)#line con 0
   Description: it is used when setting up your password on the console.
   Example:
   Router>en
   Router#conf t
   Router(config)# line con 0
   Router(config-line)#

10. Command: Router(config-line)#password
    Description: used to prevent public connection so that only a few people can
    connect to the network.
    Example:
    Router>en
    Router#conf t
    Router(config)# line con 0
    Router(config-line)# password dcesilver

11. Command: Router(config)#line vty 0 4
    Description: -

12. Command: Router(config-line)#login
    Description: it is used to verify the password that you put when logging in.
    Example:
    Router>en
    Router#conf t
    Router(config)# line con 0
    Router(config-line)# password dcesilver
    Router(config-line)# login
    Router(config-line)# exit
    Router(config)#line vty 0 4
    Router(config-line)#login

13. Command: Router(config)#exit
    Description: it will go back to the previous configuration mode.
    Example:
    Router(config)#exit
    Router#

14. Command: Router(config)#int fa
    Description: allows the other ports to connect to each other.
    Example:
    Router(config)#int fa0/1

15. Command: Router(config)#int g
    Description: allows the other ports to connect to each other.
    Example:
    Router(config)#int g0/0

16. Command: Router(config-if)#no shutdown
    Description: it will enable your interface.
    Example:
    Router>en
    Router#conf t
    Router(config)# int range fa0/3-24
    Router(config-if-range)#no shutdown

17. Command: Router(config-if)#end
    Description: it will go back to the privileged mode.
    Example:
    Router>en
    Router#conf t
    Router(config)#end
    Router#

18. Command: Router(config-if)#shutdown
    Description: it will enable your interface.
    Example:
    Router>en
    Router#conf t
    Router(config)# int range fa0/3-24
    Router(config-if-range)# shutdown

19. Command: Router#copy run start
    Description: it will save your configured network; even if it is reloaded, it
    will be saved.
    Example:
    Router>en
    Router#conf t
    Router(config)# service password-encryption
    Router(config)#enable secret dcesilver
    Router(config)#exit
    Router#copy run start

20. Command: Router(config-if)#switchport mode access
    Description: it will serve as a connection port for the other devices that are
    plugged into this port. And only the devices that are the same and are only
    connected to this port can connect to each other.

21. Command: Router(config-if)#switchport access
    Description: used to access the VLAN.

22. Command: Router#show ip interface brief
    Description: It will display the status of your IP protocol, whether it is up or down.
    Example:
    Router>en
    Router#show ip interface brief

23. Command: Router(config)#int range
    Description: it helps you to identify the ranges of your interfaces.

24. Command: Router(config-if)#switchport port-security
    Description: it allows you to limit the MAC addresses that can connect to the port.

25. Command: Router(config-if)#mac-address
    Description: allows you to create your own MAC address.
    Example:
    Router(config-if)#mac-address aaaa.bbbb.cccc

26. Command: Router>show interface
    Description: it will display the information of the specific interface.
    Example:
    Router>show interface

4. Captions of the captured outputs for this answer:
- Router Reload and Initialization
- Switch Reload and Initialization
- IP Configuration of PC1
- IP Configuration of PC2
- IP Configuration of PC3
- IP Configuration of PC4
- Configuration of Router Interfaces
- Status of the Router's Interfaces
- Configuration of RIP on Router
- Creating VLAN 10 / VLAN 20 Configuration on SW1
- VLAN Status on SW1
- Assigning of Ports to VLAN 10 Access SW1
- Creating VLAN 10 / VLAN 20 Configuration on SW2
- VLAN 20 Configuration on SW2
- VLAN Status on SW2
- Assigning of Ports to VLAN 10 Access SW2
- Ping of SW1 Default Gateway on PC 1
- Ping of SW2 Default Gateway on PC 1
- Ping PC 2 to PC 1
- Ping of PC 3 to PC 1
- Ping of PC 4 to PC 1
- Protocol Data Unit


CONCLUSION

Our lab objectives were setting up the topology diagram and the initialization
of the different devices that were used, and these objectives were created and planned to
be discussed by the users of the program.
Upon working in our CLI interface first, we discussed each objective and thought about
how we could manage the components of the diagrams in the given figures and
table examples. For this lab experiment we were tasked to work on switch
configuration, and we used the procedures as the guide throughout the study.
After the first step, we configured the basics and set the IP address on PC-DCE that
was referred to in the given Table 1.1.
We followed and coded the entire basic setting on the DCE router; as I have mentioned
before, there were some errors occurring in terms of it being key sensitive, just like
having misspelled words or marks, but after the process it went well. The
verification of the configuration using the CLI command was also performed to configure
the basic setting on the DCE switch. Creating the VLAN was the next step for the switch,
for the management of the interface IP address table; enabling the interface was
also done, as were the issues of the VLAN and IP interface brief for the DCE switch. Assigning
of ports F0/1 and F0/2 to the VLAN on the switch was also performed, and the issue of IP
interface brief on DCE was displayed to verify the connectivity between the devices.
And now a MAC address was needed in this stage, because the MAC address is the
address that is used in Ethernet. The address itself is made up of 48 bits which
are represented in hexadecimal numbers.
When we were discussing the operation of routers, we said that the forwarding
decisions routers make are based on the information in the routing table. Similarly,
the switches also have a database that contains addresses. This database is
called the MAC address table and it is the basis by which switches forward frames.
When communicating, the switch uses this database to determine the source and
destination of frames.
We have learnt of the IOS configuration modes as well as the basic configuration
in a previous chapter. We saw the different modes as the user executive mode,
the privileged executive mode, the global configuration mode and various specific
configuration modes such as the interface configuration. When we were
configuring routers, we noticed that to access the router remotely using the lines,
we used an IP address. In switches, we need to configure an IP address, subnet
mask and a default gateway much like a PC; the IP address is used to manage the
switch. Switches use VLAN 1 as the management VLAN, but it is advisable to
change this since this can be a security vulnerability. Coming to the next issue, we
shut down all unused physical ports in the switch, so we used the interface range
command for that.

In this chapter, we have looked at the various configuration options for security on
switch ports; we have also looked at various verification commands. This chapter
is supposed to introduce the concepts behind switch operation, as well as basic
switch configuration, and we learned a lot on how to configure the IP addresses of each
device. We therefore conclude that this chapter of the experiment was quite
challenging for all of us because we did not have many ideas, but our lecturer
professor helped and guided us to do some of these things. We are hoping for more
practice in switch and router configuration so it will get easier the second time around.