NET201: Networking With Lab 2: Configuring Cisco Switch Security Features
GRADE
Objectives:
Materials:
Scenario:
It is quite common to lock down access and install strong security features
on PCs and servers. It is important that your network infrastructure devices, such
as switches and routers, are also configured with security features.
In this lab, you will follow some best practices for configuring security
features on LAN switches. You will also configure and verify port security to lock
out any device with a MAC address not recognized by the switch.
PROCEDURES
On router DCE_RTR:
Router> en
Router# sh run
On switch DCE_SW:
Switch> en
Switch# sh run
6. Configure the VLAN 99 management interface IP address, as shown in Table
1, and enable the interface.
7. Issue the show vlan command on DCE_SW. What is the status of VLAN 99?
________________________________________________________________
DCE_SW# conf t
DCE_SW(config)# int fa0/1
DCE_SW(config-if)# switchport mode access
DCE_SW(config-if)# switchport access vlan 99
DCE_SW(config-if)# int fa0/2
DCE_SW(config-if)# switchport mode access
DCE_SW(config-if)# switchport access vlan 99
DCE_SW(config-if)# end
DCE_SW# copy run start
DCE_SW#
10. Issue the show ip interface brief command on DCE_SW. What is the
status and protocol showing for interface VLAN 99? Note: There may be a delay
while the port states converge.
________________________________________________________________
a. From DCE-PC, ping the default gateway address on DCE_RTR. Were your pings
successful?
________________________________________________________________
b. From DCE-PC, ping the DCE-Students address of DCE_SW. Were your pings
successful?
________________________________________________________________
c. From DCE_SW, ping the default gateway address on DCE_RTR. Were your pings
successful?
________________________________________________________________
d. From DCE-PC, open a web browser and go to http://192.168.10.99. If you are
prompted for a username and password, leave the username blank and use
dcesilver for the password. If you are prompted for a secured connection, answer
No. Were you able to access the web interface on DCE_SW?
________________________________________________________________
e. Close the browser.
Note: The non-secure web interface (HTTP server) on a Cisco 2960 switch is
enabled by default. A common security measure is to disable this service, as
described in Task 3.
Task 3. Configure and Verify Security Features on DCE_SW.
c. Shut down all unused physical ports on the switch. Use the interface range
command.
DCE_SW> en
DCE_SW# conf t
DCE_SW(config)# int range fa0/3-24
DCE_SW(config-if-range)# shutdown
DCE_SW(config-if-range)# int range g0/1-2
DCE_SW(config-if-range)# shutdown
DCE_SW(config-if-range)# end
DCE_SW#
d. Issue the show ip interface brief command on DCE_SW. What is the status
of ports Fa0/3 to Fa0/24?
____________________________________________________________________
b. From the DCE_SW CLI, issue a show mac address-table command from user EXEC
mode. Find the dynamic entries for ports Fa0/1 and Fa0/2. Record them below.
Fa0/1 MAC Address :____________________________________________
Fa0/2 MAC Address :____________________________________________
a. From the DCE_SW CLI, enter interface configuration mode for the port that connects
to DCE_RTR.
DCE_SW> en
DCE_SW# conf t
DCE_SW(config)# interface fa0/1
DCE_SW(config-if)# shutdown
d. Configure a static entry for the MAC address of DCE_RTR G0/0 interface recorded in
step 3a.
DCE_SW(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
(xxxx.xxxx.xxxx is the actual MAC address of the router G0/0 interface)
7. Configure a new MAC address for the interface, using aaaa.bbbb.cccc as the
address.
DCE_RTR(config-if)# mac-address aaaa.bbbb.cccc
8. If possible, have a console connection open on DCE_SW at the same time that
you do the next two steps. You will eventually see messages displayed on the
console connection to DCE_SW indicating a security violation. Enable the G0/0
interface on DCE_RTR.
DCE_RTR(config-if)# no shutdown
9. From DCE_RTR privileged EXEC mode, ping DCE-PC. Was the ping
successful? Why or why not?
___________________________________________________________________
10. On the switch, verify port security with the following commands.
DCE_SW> en
DCE_SW# show port-security
DCE_SW# show port-security interface fa0/1
DCE_SW# show interface fa0/1
DCE_SW# show port-security address
11. On the DCE router, shut down the G0/0 interface, remove the hard-coded MAC
address from the router, and re-enable the G0/0 interface.
DCE_RTR> en
DCE_RTR# conf t
DCE_RTR(config)# int g0/0
DCE_RTR(config-if)# shutdown
DCE_RTR(config-if)# no mac-address aaaa.bbbb.cccc
DCE_RTR(config-if)# no shutdown
DCE_RTR(config-if)# end
DCE_RTR#
12. From DCE_RTR, ping DCE-PC again at 192.168.10.3. Was the ping successful?
___________________________________________________________________
13. On the switch, issue the show interface fa0/1 command to determine the
cause of ping failure. Record your findings.
DCE_SW> en
DCE_SW# show interface fa0/1
____________________________________________________________
16. From the DCE_RTR command prompt, ping DCE-PC again. The ping should now
succeed. Was it successful?
________________________________________________________________
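The following script is an added example, not part of the original lab or any Cisco tool. It automates what steps 8 to 13 above have you read by eye: the console messages DCE_SW logs when DCE_RTR comes up with the spoofed MAC aaaa.bbbb.cccc, and the output of show port-security interface fa0/1. Both samples below are constructed for this example (modeled on the IOS message formats), not captured from the lab; the router MAC 0001.4237.aa01 used as the "expected" static address is a hypothetical value, since the lab has you read the real one from show mac address-table.

```python
"""Check port-security state on DCE_SW from console log and show output.

Added example (not from the lab). Parses constructed samples modeled on IOS
formats; field names and message formats are assumptions about IOS output.
"""
import re

# Constructed sample console log: what a console session on DCE_SW typically
# shows when a second MAC appears on a port secured with maximum 1 address and
# violation mode "shutdown" (the default). Modeled on IOS message formats.
CONSOLE_LOG = """\
*Mar  1 00:12:41.523: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar  1 00:12:41.531: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/1.
*Mar  1 00:12:42.540: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar  1 00:12:43.545: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
"""

# Constructed sample of `show port-security interface fa0/1` after the violation.
PORT_SEC_INTERFACE = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aaaa.bbbb.cccc:99
Security Violation Count   : 1
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (\S+)\."
)
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")
# Split "key   : value" on the first colon that is followed by whitespace, so the
# key "Last Source Address:Vlan" (which itself contains a colon) stays intact.
KV_RE = re.compile(r"^(.+?)\s*:\s+(.*)$")


def parse_violations(log_text):
    """Return (port, offending_mac) pairs from PSECURE_VIOLATION log lines."""
    return [(m.group(2), m.group(1)) for m in VIOLATION_RE.finditer(log_text)]


def parse_errdisabled_ports(log_text):
    """Return the ports that %PM-4-ERR_DISABLE reports as err-disabled."""
    return sorted({m.group(1) for m in ERRDISABLE_RE.finditer(log_text)})


def parse_port_security_interface(show_text):
    """Turn `show port-security interface` output into a key/value dict."""
    fields = {}
    for line in show_text.splitlines():
        m = KV_RE.match(line.rstrip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def assess_port(fields, interface, expected_mac):
    """Summarize the port's state and the IOS commands that recover it.

    expected_mac is the address configured statically in step 3d. With violation
    mode "shutdown" the port is err-disabled and stays down even after the
    offending device changes its MAC back, which is why the ping in step 12
    still fails; bouncing the interface (shutdown / no shutdown) clears it.
    """
    status = fields.get("Port Status", "")
    count = int(fields.get("Security Violation Count", "0") or 0)
    last = fields.get("Last Source Address:Vlan", "")
    offending_mac = last.split(":")[0] if last else ""
    err_disabled = status == "Secure-shutdown"
    recovery = []
    if err_disabled:
        recovery = ["configure terminal", f"interface {interface}",
                    "shutdown", "no shutdown", "end"]
    return {
        "interface": interface,
        "violation_mode": fields.get("Violation Mode", ""),
        "violations": count,
        "err_disabled": err_disabled,
        "offending_mac": offending_mac,
        "offender_is_expected": bool(offending_mac)
        and offending_mac.lower() == expected_mac.lower(),
        "recovery": recovery,
    }


if __name__ == "__main__":
    for port, mac in parse_violations(CONSOLE_LOG):
        print(f"violation on {port} caused by {mac}")
    print("err-disabled:", parse_errdisabled_ports(CONSOLE_LOG))
    fields = parse_port_security_interface(PORT_SEC_INTERFACE)
    # 0001.4237.aa01 is a hypothetical router MAC, standing in for the one
    # recorded from `show mac address-table` in the lab.
    print(assess_port(fields, "FastEthernet0/1", "0001.4237.aa01"))
```

The recovery list is the same shutdown / no shutdown pair the lab applies by hand; in restrict or protect violation modes the port would stay Secure-up and only the violation counter would move, so the script reports no recovery for those.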
Task 1. Set Up the Topology and Initialize Devices (CLI commands, results, or
answers to some question)
After setting up the topology and the devices, we obtained the results of the
configuration commands. After configuring, we verified the connectivity of the
networks and also the security features of the department.
Switches are used to connect multiple devices together on the same network. In a
properly designed network, local area network switches are responsible for
directing and controlling the data flow at the access layer to networked resources.
These switches are self-configuring, and no additional configuration is
necessary for them to function out of the box. They can also be managed both locally
and remotely, including port speed, bandwidth and security requirements.
To remotely manage a switch, it needs to have an IP address and default gateway
configured. A command-line interface is a means of interacting with a computer
program where the user issues commands to the program in the form of
successive lines of text. The program which handles the interface is called
a command-line interpreter, command-line processor, or shell. It is not safe to
assume that your network is safe from security threats, even if you have a firewall
as well as antivirus and antimalware software installed. Although those tools protect
against viruses, worms, and other threats, a managed switch with built-in security
features lets you control exactly who has access to your local network. You can
use the switch to limit the network devices that users can connect from their
computers and define the resources that they have access to. If an intruder
does slip past, the switch's embedded security will deter the unauthorized user
from taking over the switch and disabling all its defenses.
After entering the commands in the CLI on Packet Tracer, we were able to accomplish
the tasks needed in this analysis. The command-line interface worked as it should, but
as we went through the process of typing the commands, mistakes or
errors sometimes occurred in the program: sometimes we forgot to use the same spacing or
misspelled some words, and that cost us a lot of time. The routers are
considered the ones that connect to the switches and to the given end devices;
making a lot of changes in the security, like changing the password, made our
configuration invalid at the same time. The destination of the sources makes a
lot of difference in making it successful. But we must have the right routers to make
it work and be done.
A router performs its functions almost solely at OSI Layer 3, the network layer of the
Open Systems Interconnection (OSI) model. The router is used to connect Internet
Protocol networks. Since IP is a protocol that runs at OSI Layer 3 and can operate on
multiple Layer 1 and Layer 2 technologies (including Ethernet), a router is typically
used to connect parts of a network that use technologies other than Ethernet to
reach their connected devices and offices. Routers also provide the ability to
separate IP broadcast domains. This feature is important, as some protocols use
broadcast heavily to communicate with hosts.
This is our overall overview of configuring the switch security features, and it helped
us a lot toward a better understanding for the next research study we are going to make
about this networking.
QUESTIONS AND ANSWERS
Questions:
- We enable port security on a switch because, with port security, we can
prevent unknown devices from accessing the network, which increases security.
It helps us prevent unauthorized devices from accessing the network and makes it
harder for an attacker to spoof an allowed MAC address.
2. Why would unused ports on a switch be disabled?
- We should disable the unused ports in order to secure our network,
so that a user cannot connect a device to a disabled switch port. This
prevents a user from accessing the LAN by connecting a device to an
unused port.
3.
Commands, descriptions and examples (DCE_RTR), as recorded:
5. Command: Router(config)# no ip domain-lookup
   Description: stops the router from trying to resolve a mistyped command as a
   hostname, so the line does not hang waiting for a DNS translation.
   Example: Router(config)# no ip domain-lookup
Other commands recorded on DCE_RTR:
   Router(config)# enable secret dce
   Router(config)# exit
   Router# exit
   Router>
   Router(config)# line vty 0 4
   Router(config-line)# password dcesilver
   Router(config-line)# login
   Router(config-if-range)# no shutdown
   Router(config-if-range)# shutdown
18. Command: Router# copy run start
   Description: saves the running configuration to the startup configuration, so the
   configured network is kept even after the router is reloaded.
   Example:
   Router> en
   Router# conf t
   Router(config)# service password-encryption
   Router(config)# enable secret dcesilver
   Router(config)# exit
   Router# copy run start
4.
Screenshots (figures not reproduced here):
Router Reload and Initialization
IP Configuration of PC2
IP Configuration of PC3
IP Configuration of PC4
Ping from PC2 to PC1
Ping from PC3 to PC1
Ping from PC4 to PC1
Our lab objectives were setting up the topology diagram and the initialization
of the different devices that were used, and these objectives were created and planned to be
discussed by the users of the program.
Upon working in our CLI interface first, we discussed each objective and thought about
how we could manage the components of the diagrams in the given figures and
table examples. For this lab experiment we were tasked to work on switch
configuration, and we used the procedures as the guide throughout the study.
After the first step, we configured the basics and set the IP address on PC-DCE that
we were referring to in the given table 1.1.
We followed and entered all the basic settings on the DCE router; as I have mentioned
before, some errors occurred in terms of it being case-sensitive, such as
misspelled words or marks, but after the process it went very well. The
verification of the configuration using CLI commands was also performed to configure
the basic settings on the DCE switch. Creating the VLAN was the next step for the switch,
for the management interface IP address table; enabling the interface was
done, as were the show vlan and show ip interface brief commands for the DCE switch. Assigning
ports F0/1 and F0/2 to the VLAN on the switch was also performed, and the output of show ip
interface brief on DCE was displayed to verify the connectivity between the devices.
The MAC address was needed at this stage because the MAC address is the
address that is used in Ethernet. The address itself is made up of 48 bits, which
are written as hexadecimal digits.
When we discussed the operation of routers, we said that the forwarding
decisions routers make are based on the information in the routing table. Similarly,
switches also have a database that contains addresses. This database is
called the MAC address table, and it is the basis on which switches forward frames:
the switch learns the source MAC address of each incoming frame, together with the
port it arrived on, and uses the destination MAC address to look up the port to
forward the frame out of.
We learned about the IOS configuration modes as well as the basic configuration
in a previous chapter. We saw the different modes: user EXEC mode,
privileged EXEC mode, global configuration mode, and various specific
configuration modes such as interface configuration mode. When we were
configuring routers, we noticed that to access the router remotely using the vty lines,
we used an IP address. On switches, we need to configure an IP address, subnet
mask and a default gateway, much like on a PC; the IP address is used to manage the
switch. Switches use VLAN 1 as the management VLAN by default, but it is advisable to
change this, since leaving management on VLAN 1 is a security weakness. Coming to the next
task, we shut down all unused physical ports on the switch, using the interface range
command for that.
In this chapter, we have looked at the various configuration options for security on
switch ports, and we have also looked at various verification commands. This chapter
is supposed to introduce the concepts behind switch operation, as well as basic
switch configuration, and we learned a lot about how to configure the IP addresses of each
device. We therefore conclude that this chapter of the experiment was quite
challenging for all of us because we did not have much idea about it, but our lecturer
helped and guided us to do some of these things. We are hoping for more
practice in switch and router configuration so it will be easier the second time around.