
10. 07. 23.

CCNA security

@Xpert  crsarang@ynu.ac.kr

- 1 -

Contents (page numbers)

- 3
1. 4
2. PASSWORD 4
   . PASSWORD 4
   . PASSWORD 4
   . PASSWORD 4
3. ACL 4
   . standard 4
   . extend 4
4. IPsec_VPN 5
5. AAA(TACACS) 6
   . ACS 6
   . client router 7
6. ntp(Network Time Protocol) 7
7. Logging history 7
8. SSH 8
9. ZFW(Zone-Based Policy Firewall) 8
   . 8
   . Configure Zone-Based Firewall 8
10. PACKET TRACE 10
- 25
- NSA/SNAC Router Security Configuration Guide v1.1 26

- 2 -

- . . . CCNA_SECURITY . CISCO . .

- 3 -

- 1.

(config)#no ip http server            ;http server
(config)#no service pad               ;pad service
(config)#no ip finger                 ;finger service
(config)#no ip bootp server           ;bootp server
(config)#no ip domain-lookup          ;
(config)#no cdp run                   ;CDP
(config-if)#no ip redirects           ;icmp redirect
(config-if)#no ip unreachables        ;icmp unreachable
(config-if)#no ip directed-broadcast  ;smurf
(config-if)#no ip proxy-arp           ;proxy-arp
(config-if)#no ip mask-reply          ;icmp mask-reply

2. PASSWORD

. PASSWORD
(config)#security passwords min-length 10
(config)#enable secret PASSWORD

. PASSWORD
(config)#line con 0
(config-line)#password PASSWORD             ; PASSWORD
(config-line)#exec-timeout 5 0              ; 5
(config-line)#logging synchronous           ;

. PASSWORD
(config)#line vty 0 4                       ;
(config-line)#password PASSWORD             ; PASSWORD
(config-line)#exec-timeout 5 0              ;
(config-line)#login authentication default  ; PASSWORD
; PASSWORD( )

3. ACL

. standard (0~99, 1300~1999)

(config)#access-list 5 deny 192.168.2.0 0.0.0.255   ;192.168.2.0
(config)#access-list 5 permit any
(config)#int s 0/0
(config-if)#ip access-group ACL in|out

. extend (100~199, 2000~2699)

(config)#access-list 105 permit tcp host SRC host DES range 22 23
((config)#access-list 105 permit tcp host SRC host DES eq SERVICE_NAME)
(config)#access-list 105 permit ip any any
(config)#int s 0/0
(config-if)#ip access-group ACL in|out
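An evaluator for the standard and extended numbered ACLs shown above, added here as an example (it is not code from the original document or from Cisco). It implements the three things the section relies on: wildcard-mask matching (a 0 bit in the wildcard must match, a 1 bit is ignored), top-down first-match evaluation, and the implicit deny at the end of every ACL. The ACL lines and packets are constructed; `SERVICE_PORTS` is a small assumed subset of the names IOS accepts after `eq`.

```python
"""Evaluate Cisco-style numbered ACLs (standard 1-99/1300-1999, extended
100-199/2000-2699) against packets. Added example with constructed data."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed subset of service names IOS accepts after 'eq' / 'range'.
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0    # destination port (ignored for icmp)


def match_addr(spec, addr):
    """Wildcard semantics: bits set to 0 in the wildcard must match, 1 bits are 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    net, wildcard = spec.split()
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.ip_address(net)) & care == int(ipaddress.ip_address(addr)) & care


def _take_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z' or a bare address (wildcard 0.0.0.0)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    if i + 1 < len(tokens) and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[i + 1]):
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    return f"{tokens[i]} 0.0.0.0", i + 1


def _port_spec(tokens, i):
    """Optional 'eq PORT' or 'range LOW HIGH' following the destination; None = any port."""
    def port(tok):
        return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)
    if i < len(tokens) and tokens[i] == "eq":
        p = port(tokens[i + 1])
        return (p, p)
    if i < len(tokens) and tokens[i] == "range":
        return (port(tokens[i + 1]), port(tokens[i + 2]))
    return None


def parse_acls(lines):
    """Group 'access-list N action ...' lines by ACL number, preserving configured order."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 3 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source address only
            src, _ = _take_addr(t, 3)
            entry = {"action": action, "proto": "ip", "src": src, "dst": "any", "ports": None}
        else:                                             # extended: proto src dst [ports]
            src, i = _take_addr(t, 4)
            dst, i = _take_addr(t, i)
            entry = {"action": action, "proto": t[3], "src": src, "dst": dst,
                     "ports": _port_spec(t, i)}
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, pkt):
    """Top-down, first match wins; anything unmatched hits the implicit 'deny any'."""
    for e in entries:
        if e["proto"] not in ("ip", pkt.proto):
            continue
        if not (match_addr(e["src"], pkt.src) and match_addr(e["dst"], pkt.dst)):
            continue
        if e["ports"] is not None and not e["ports"][0] <= pkt.dport <= e["ports"][1]:
            continue
        return e["action"]
    return "deny"


# Constructed ACLs in the page's access-list 5 / 105 style.
ACL_LINES = [
    "access-list 5 deny 192.168.2.0 0.0.0.255",
    "access-list 5 permit any",
    "access-list 105 permit tcp host 10.1.1.1 host 10.2.2.2 range 22 23",
    "access-list 105 permit tcp host 10.1.1.1 host 10.2.2.2 eq www",
    "access-list 105 permit icmp any any",
]

if __name__ == "__main__":
    acls = parse_acls(ACL_LINES)
    print(evaluate(acls[5], Packet("tcp", "192.168.2.77", "1.2.3.4", 80)))     # deny
    print(evaluate(acls[105], Packet("tcp", "10.1.1.1", "10.2.2.2", 443)))    # deny (implicit)
```

Note that ACL 105 has no `permit ip any any`, so a TCP packet to port 443 falls through to the implicit deny even though the host pair matches; that is the usual cause of "it worked until I tightened the ACL" incidents.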

- 4 -

4. IPsec_VPN

(config)#crypto isakmp policy 10                      ; (1~65535). IKE 1 (ISAKMP SA) (Phase 1)
(config-isakmp)#authentication pre-share              ; pre-share
(config-isakmp)#encryption 3des                       ; 3des
(config-isakmp)#group 2                               ;Group 2 (1, 2, 5)
(config-isakmp)#hash md5                              ; MD5
(config-isakmp)#lifetime 3600                         ; 3600 seconds (1 hour) R1,R2 (TTL)
(config)#crypto isakmp key cisco address ADDRESS      ; Pre-shared key, peer IP
(config)#crypto ipsec transform-set ciscotrans esp-3des esp-sha-hmac  ; (IPSec transform set)
(config)#access-list 110 permit ip SRC DST            ;IPSec (R1 ~ R2)
(config)#crypto map ciscomap 10 ipsec-isakmp          ;IKE 2 (IPsec SA) (Phase 2)
(config-crypto-map)#match address 110                 ;ACL 110
(config-crypto-map)#set peer DESIP                    ; peer IP
(config-crypto-map)#set transform-set ciscotrans      ;ciscotrans
(config)#interface serial 1/1
(config-if)#crypto map ciscomap                       ; IPSec
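A small audit script that checks a saved running-config for the hardening commands of section 1 and for the ISAKMP policy settings of section 4, added here as an example; it is not code from the original document or from Cisco. The sample config is constructed. The script assumes the `show running-config` layout (top-level commands, indented lines under `interface` and `crypto isakmp policy` blocks) and treats `encr` as the abbreviated keyword IOS writes for `encryption`. It flags 3DES, MD5 and DH groups 1 and 2, the values the section uses, because current guidance prefers AES, SHA-2 and larger groups.

```python
"""Audit an IOS running-config for the section-1 hardening commands and for weak
ISAKMP policy settings. Added example; the sample config is constructed."""

GLOBAL_CHECKS = ["no ip http server", "no service pad", "no ip finger",
                 "no ip bootp server", "no ip domain-lookup", "no cdp run"]
INTERFACE_CHECKS = ["no ip redirects", "no ip unreachables", "no ip directed-broadcast",
                    "no ip proxy-arp", "no ip mask-reply"]
# Values flagged as weak: DES/3DES, MD5, DH groups 1 and 2.
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "encr": {"des", "3des"},
               "hash": {"md5"}, "group": {"1", "2"}}

# Constructed sample; not a real device's configuration.
SAMPLE_CONFIG = """\
!
hostname R1
!
no ip finger
no ip bootp server
no ip domain lookup
no cdp run
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 crypto map ciscomap
!
interface FastEthernet0/0
 shutdown
!
ip http server
!
end
"""


def parse_config(text):
    """Split a running-config into top-level lines and the indented lines under each."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        # Newer IOS prints 'ip domain lookup'; normalise to the spelling used in section 1.
        line = raw.rstrip().replace("ip domain lookup", "ip domain-lookup")
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit(text):
    """Return missing global commands, per-interface gaps (active interfaces only)
    and weak settings per ISAKMP policy."""
    top, blocks = parse_config(text)
    findings = {"global": [c for c in GLOBAL_CHECKS if c not in top],
                "interfaces": {}, "isakmp": {}}
    for header, lines in blocks.items():
        if header.startswith("interface ") and "shutdown" not in lines:
            missing = [c for c in INTERFACE_CHECKS if c not in lines]
            if missing:
                findings["interfaces"][header.split()[1]] = missing
        elif header.startswith("crypto isakmp policy "):
            weak = [ln for ln in lines
                    if ln.split()[0] in WEAK_ISAKMP
                    and ln.split()[-1] in WEAK_ISAKMP[ln.split()[0]]]
            if weak:
                findings["isakmp"][header.split()[-1]] = weak
    return findings


if __name__ == "__main__":
    for section, result in audit(SAMPLE_CONFIG).items():
        print(section, result)
```

Run it over `show running-config all` rather than the plain `show running-config`: commands that are already the default (for example `no ip directed-broadcast` on current IOS) are not printed by the short form and would be reported as missing.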

- 5 -

5. AAA(TACACS)

AAA: authentication, authorization, accounting.

. ACS

1) Network Configuration (AAA Client: add entry)
2) AAA Client Hostname: the client hostname registered on the ACS server
   AAA Client IP Address: client IP
   Shared Secret: (the router's AAA key)
   Authenticate Using: TACACS+ (Cisco IOS)
3) User Setup (Add/Edit)
4)

- 6 -

. client router
(config)#aaa new-model                                          ; AAA
(config)#aaa authentication login default group tacacs+ none    ;AAA default list: tacacs+, then none
(config)#aaa authentication login telnet_login group tacacs+    ;telnet_login list: tacacs+
(config)#tacacs-server host 1.1.20.20 key cisco                 ;Tacacs Server key
(config)#line vty 0 4
(config-line)#login authentication telnet_login                 ; telnet_login

6. ntp(Network Time Protocol)

(config)#ntp authenticate                                       ;ntp
(config)#ntp authentication-key 1 md5 ciscontppa55              ;ntp key MD5
(config)#ntp trusted-key 1                                      ;ntp trust 1
(config)#ntp server NTP_SERVER_IP key 1                         ;ntp server IP (placeholder)
(config)#ntp update-calendar                                    ;ntp calendar

7. Logging history

(config)#logging buffered 16000                                          ;logging 16k
(config)#logging trap debugging                                          ;debugging log
(config)#logging host SERVER_IP                                          ;logging server
(config)#service timestamps debug datetime localtime show-timezone msec
(config)#service timestamps log datetime localtime show-timezone msec
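Detection logic over the messages that a router configured as above sends to its syslog server, added as an example (not code from the original document or from Cisco). It parses the `SEC_LOGIN-4-LOGIN_FAILED` messages that `login on-failure log` produces (the format is the one shown in Task 6 of the Packet Tracer activity later in this document) and the corresponding `SEC_LOGIN-5-LOGIN_SUCCESS` messages, then reports sources with repeated failures and any source that succeeded after failing. The log lines are constructed; the threshold of 3 is an assumption.

```python
"""Find repeated failed logins and success-after-failure in router syslog output.
Added example; the sample log is constructed in the SEC_LOGIN message format."""
import re
from collections import Counter, defaultdict

# Constructed sample of what the syslog server could receive from the router.
SAMPLE_LOG = """\
%SYS-5-CONFIG_I: Configured from console by console
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: baduser] [Source: 192.168.1.5] [localport: 23] [Reason: Invalid login] at 15:01:23 UTC Wed June 17 2009
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: baduser] [Source: 192.168.1.5] [localport: 23] [Reason: Invalid login] at 15:01:31 UTC Wed June 17 2009
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.5] [localport: 23] [Reason: Invalid login] at 15:01:40 UTC Wed June 17 2009
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Admin01] [Source: 192.168.1.5] [localport: 23] at 15:02:05 UTC Wed June 17 2009
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin01] [Source: 10.2.2.2] [localport: 23] [Reason: Invalid login] at 15:03:10 UTC Wed June 17 2009
"""

# Tolerates both '[user:baduser]' and '[user: baduser]' spacing.
LOGIN_RE = re.compile(
    r"SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS).*?"
    r"\[user:\s*(?P<user>[^\]]+)\].*?\[Source:\s*(?P<src>[^\]]+)\]"
)


def parse_login_events(text):
    """Return one dict per SEC_LOGIN message; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append({"event": m["event"], "user": m["user"].strip(),
                           "src": m["src"].strip()})
    return events


def failed_logins_by_source(text, threshold=3):
    """Sources with at least `threshold` failed logins and the usernames they tried."""
    counts, users = Counter(), defaultdict(set)
    for e in parse_login_events(text):
        if e["event"] == "LOGIN_FAILED":
            counts[e["src"]] += 1
            users[e["src"]].add(e["user"])
    return {src: {"failures": n, "users": sorted(users[src])}
            for src, n in counts.items() if n >= threshold}


def success_after_failures(text):
    """(source, user) pairs that logged in successfully after earlier failures from that source."""
    seen_failure, flagged = set(), []
    for e in parse_login_events(text):
        if e["event"] == "LOGIN_FAILED":
            seen_failure.add(e["src"])
        elif e["src"] in seen_failure:
            flagged.append((e["src"], e["user"]))
    return flagged


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_LOG))
    print(success_after_failures(SAMPLE_LOG))
```

The second check is the one worth alerting on: three failures followed by a success from the same source is exactly what a guessed password looks like, whereas failures alone are often a mistyped credential.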

- 7 -

8. SSH

(config)#line vty 0 4                     ;Remote
(config-line)#transport input ssh         ;Remote SSH
(config-line)#login local                 ; LOCAL
(config)#crypto key generate rsa 1024     ; RSA
(config)#ip ssh time-out 90               ;time-out 90
(config)#ip ssh authentication-retries 2  ;2 retries
(config)#ip ssh version 2                 ;SSH Ver2

9. ZFW( Zone-Based Policy Firewall)

Available from IOS Software Release 12.4(6).

) Stateful packet Inspection (SPI)
   1. STATIC: filtering on packet IP address and port
   2. STATEFUL: filtering on connection state
) VRF-aware Cisco IOS Firewall
) URL filtering
) Denial-of-service (DoS) mitigation

. Configure Zone-Based Firewall

Figure1. Basic Security Zone Topology

Zone pairs in the figure:
- Private zone connectivity to the Internet
- Private zone connectivity to DMZ hosts
- Internet zone connectivity to DMZ hosts

class-map type inspect match-all all-private
 match access-group 101
class-map type inspect match-all private-ftp
 match protocol ftp
 match access-group 101
class-map type inspect match-any netbios
 match protocol msrpc
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol netbios-ssn
class-map type inspect match-all private-netbios
 match class-map netbios
 match access-group 101
class-map type inspect match-all private-ssh
 match protocol ssh
 match access-group 101
class-map type inspect match-all private-http
 match protocol http
 match access-group 101
!
policy-map type inspect priv-pub-pmap
 class type inspect private-http
  inspect
 class type inspect private-ftp
  inspect
 class type inspect private-ssh
  inspect
 class type inspect private-netbios
  inspect
 class type inspect all-private
  inspect
 class class-default
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-pmap
!
interface FastEthernet4
 ip address 172.16.108.44 255.255.255.0
 zone-member security public
!
interface Vlan1
 ip address 192.168.108.1 255.255.255.0
 zone-member security private
!
access-list 101 permit ip 192.168.108.0 0.0.0.255 any

ZFW-TEST#sh policy-map type insp zone-pair priv-pub
Zone-pair: priv-pub
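A model of the static-versus-stateful distinction this section draws, added as an example (it is not code from the original document or from Cisco). `acl_only` behaves like the `OUT-IN` ACL of the CBAC task later in this document, which drops everything arriving from outside including replies; `StatefulFirewall` behaves like `ip inspect` or a ZFW `inspect` action, recording inside-initiated flows so that only their return traffic is let back in. The inside network and the packet sequence are constructed to mirror the lab's tests (PC-C to R2, then R2 to PC-C); ICMP is simplified by using the echo identifier in place of ports.

```python
"""Static ACL filtering versus stateful inspection (CBAC / ZFW), as a model.
Added example with a constructed inside network and packet sequence."""
import ipaddress

# Constructed: the inside network matched by ACL 101 in the ZPF task.
INSIDE = ipaddress.ip_network("192.168.3.0/24")


def direction(src, dst):
    """Classify a packet as outbound (inside->outside), inbound, or other."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in INSIDE and d not in INSIDE:
        return "outbound"
    if d in INSIDE and s not in INSIDE:
        return "inbound"
    return "other"


def acl_only(proto, src, sport, dst, dport):
    """Static filter: an inbound 'deny ip any any' drops everything from outside,
    including the replies to traffic the inside hosts started."""
    return "drop" if direction(src, dst) == "inbound" else "permit"


class StatefulFirewall:
    """Outbound flows are inspected and recorded; inbound traffic is permitted only
    when it is the return half of a recorded flow."""

    def __init__(self):
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def process(self, proto, src, sport, dst, dport):
        d = direction(src, dst)
        if d == "outbound":
            # For ICMP the 'ports' stand in for the echo identifier.
            self.sessions.add((proto, src, sport, dst, dport))
            return "inspect"
        if d == "inbound":
            if (proto, dst, dport, src, sport) in self.sessions:
                return "return-traffic"
            return "drop"
        return "permit"   # traffic within one zone is not governed by this zone pair


def run_scenario():
    """Replay the lab's connectivity tests and return (acl_only, stateful) verdicts."""
    fw = StatefulFirewall()
    packets = [
        ("tcp", "192.168.3.5", 40000, "10.2.2.2", 23),   # PC-C telnets to R2
        ("tcp", "10.2.2.2", 23, "192.168.3.5", 40000),   # R2's reply
        ("icmp", "192.168.3.5", 7, "10.2.2.2", 7),       # PC-C pings R2 (echo id 7)
        ("icmp", "10.2.2.2", 7, "192.168.3.5", 7),       # echo reply
        ("icmp", "10.2.2.2", 9, "192.168.3.5", 9),       # R2 pings PC-C unsolicited
    ]
    return [(acl_only(*p), fw.process(*p)) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The second and fourth rows are the point of Task 8 Step 2 versus Step 5: the static ACL alone blocks the echo replies, the inspection rule lets them through, and the last row shows that an unsolicited ping from outside is still dropped either way.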

[] http://blog.naver.com/a51880?Redirect=Log&logNo=30054522012

- 9 -

10. PACKET TRACE

Configure a Network for Secure Operation (the activity instructions follow on page 17)

Task 2, Steps 1-6 (for R1 and R3)
R1#conf t
R1(config)#security passwords min-length 10
R1(config)#enable secret ciscoenpa55
R1(config)#service password-encryption
R1(config)#line con 0
R1(config-line)#password ciscoconpa55
R1(config-line)#exec-timeout 5 0
R1(config-line)#logging synchronous
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypa55
R1(config-line)#exec-timeout 5 0
R1(config-line)#login authentication default
R1(config-line)#exit
R1(config)#banner motd $No Unauthorized Access!$
Task 3, Steps 1-3 (for R1 and R3)
R1(config)#username Admin01 secret Admin01pa55
R1(config)#aaa new-model

- 10 -

R1(config)#aaa authentication login default local none
Task 4, Step 1: on the PC, set NTP ON with key and password
Steps 2-3
R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 ciscontppa55
R1(config)#ntp trusted-key 1
R1(config)#ntp server 192.168.1.5 key 1
R1(config)#ntp update-calendar
Task 5: Configure R1 as Syslog Client
R1(config)#service timestamps log datetime msec
R1(config)#logging 192.168.1.6          (PC-B is the syslog server)
Task 6: Secure Router Against Login Attacks, Steps 1-3: try the steps!
Task 8: Configure CBAC on R1, Steps 1-4
R1(config)#ip access-list extended OUT-IN
R1(config-ext-nacl)#deny ip any any
R1(config-ext-nacl)#exit
R1(config)#int serial 0/0/0
R1(config-if)#ip access-group OUT-IN in
R1(config-if)#exit
R1(config)#ip inspect name IN-OUT-IN icmp
R1(config)#ip inspect name IN-OUT-IN telnet
R1(config)#ip inspect name IN-OUT-IN http
R1(config)#int serial 0/0/0
R1(config-if)#ip inspect IN-OUT-IN out
R1(config-if)#exit
R1(config)#exit
Step 5: ping from PC-A to PC-C
R3#conf t
R3(config)#security passwords min-length 10
R3(config)#enable secret ciscoenpa55
R3(config)#service password-encryption

- 11 -

R3(config)#line con 0
R3(config-line)#password ciscoconpa55
R3(config-line)#exec-timeout 5 0
R3(config-line)#logging synchronous
R3(config-line)#login
R3(config-line)#exit
R3(config)#line vty 0 4
R3(config-line)#password ciscovtypa55
R3(config-line)#exec-timeout 5 0
R3(config-line)#login local
R3(config-line)#exit
R3(config)#banner motd $No Unauthorized Access!$
R3(config)#username Admin01 secret Admin01pa55
R3(config)#aaa new-model
R3(config)#aaa authentication login default local none
Task 7: Configure SSH on R3
R3(config)#ip domain-name ccnasecurity.com
R3(config)#line vty 0 4
R3(config-line)#transport input ssh
R3(config-line)#login local
R3(config-line)#exit
R3(config)#crypto key generate rsa 1024
R3(config)#ip ssh time-out 90
R3(config)#ip ssh authentication-retries 2
R3(config)#ip ssh version 2
Task 9: Configure ZPF on R3
Step 1: test connectivity!
Steps 2-6
R3(config)#zone security IN-ZONE
R3(config-sec-zone)#exit
R3(config)#zone security OUT-ZONE
R3(config-sec-zone)#exit
R3(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 any
R3(config)#class-map type inspect IN-NET-CLASS-MAP
R3(config-cmap)#match access-group 101
R3(config-cmap)#exit
R3(config)#policy-map type inspect IN-2-OUT-PMAP

- 12 -

R3(config-pmap)#class type inspect IN-NET-CLASS-MAP
R3(config-pmap-c)#inspect
R3(config-pmap-c)#exit
R3(config-pmap)#exit
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)#exit
R3(config)#int fa 0/1
R3(config-if)#zone-member security IN-ZONE
R3(config-if)#exit
R3(config)#int serial 0/0/1
R3(config-if)#zone-member security OUT-ZONE
R3(config-if)#exit
Step 7: test firewall functionality!
Task 10: Secure the Switches, Steps 1-4
S1>en
S1#conf t
S1(config)#enable secret ciscoenpa55
S1(config)#service password-encryption
S1(config)#line con 0
S1(config-line)#password ciscoconpa55
S1(config-line)#exec-timeout 5 0
S1(config-line)#logging synchronous
S1(config-line)#login
S1(config-line)#exit
S1(config)#line vty 0 4
S1(config-line)#password ciscovtypa55
S1(config-line)#exec-timeout 5 0
S1(config-line)#login
S1(config-line)#exit
S1(config)#int fa 0/1
Steps 5-6: secure trunk ports on S1
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk native vlan 99

- 13 -

S1(config-if)#switchport nonegotiate
S1(config-if)#storm-control broadcast level 50
S1(config-if)#exit
S1(config)#int range fa 0/2-24
S1(config-if-range)#switchport mode access
S1(config-if-range)#spanning-tree portfast
S1(config-if-range)#spanning-tree bpduguard enable
S1(config-if-range)#shutdown
S1(config-if-range)#exit
S1(config)#int range gigabitEthernet 1/1-2
S1(config-if-range)#switchport mode access
S1(config-if-range)#spanning-tree portfast
S1(config-if-range)#spanning-tree bpduguard enable
S1(config-if-range)#shutdown
S1(config-if-range)#exit
S1(config)#int range fa 0/5-6
S1(config-if-range)#switchport port-security
S1(config-if-range)#switchport port-security mac-address sticky
S1(config-if-range)#no shutdown
S1(config-if-range)#exit
S2>en
S2#conf t
S2(config)#enable secret ciscoenpa55
S2(config)#service password-encryption
S2(config)#line con 0
S2(config-line)#password ciscoconpa55
S2(config-line)#exec-timeout 5 0
S2(config-line)#logging synchronous
S2(config-line)#login
S2(config-line)#exit
S2(config)#line vty 0 4
S2(config-line)#password ciscovtypa55
S2(config-line)#exec-timeout 5 0
S2(config-line)#login
S2(config-line)#exit
S2(config)#int fa 0/1

- 14 -

S2(config-if)#switchport mode trunk
S2(config-if)#switchport trunk native vlan 99
S2(config-if)#switchport nonegotiate
S2(config-if)#storm-control broadcast level 50
S2(config-if)#exit
S2(config)#int range fa 0/2-24
S2(config-if-range)#switchport mode access
S2(config-if-range)#spanning-tree portfast
S2(config-if-range)#spanning-tree bpduguard enable
S2(config-if-range)#shutdown
S2(config-if-range)#exit
S2(config)#int range gigabitEthernet 1/1-2
S2(config-if-range)#switchport mode access
S2(config-if-range)#spanning-tree portfast
S2(config-if-range)#spanning-tree bpduguard enable
S2(config-if-range)#shutdown
S2(config-if-range)#exit
S2(config)#int fa 0/18
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#no shutdown
S2(config-if)#exit
S3>en
S3#conf t
S3(config)#enable secret ciscoenpa55
S3(config)#service password-encryption
S3(config)#line con 0
S3(config-line)#password ciscoconpa55
S3(config-line)#exec-timeout 5 0
S3(config-line)#logging synchronous
S3(config-line)#login
S3(config-line)#exit
S3(config)#line vty 0 4
S3(config-line)#password ciscovtypa55
S3(config-line)#exec-timeout 5 0
S3(config-line)#login

- 15 -

S3(config-line)#exit
S3(config)#int range fa 0/1-24
S3(config-if-range)#switchport mode access
S3(config-if-range)#spanning-tree portfast
S3(config-if-range)#spanning-tree bpduguard enable
S3(config-if-range)#shutdown
S3(config-if-range)#exit
S3(config)#int range gigabitEthernet 1/1-2
S3(config-if-range)#switchport mode access
S3(config-if-range)#spanning-tree portfast
S3(config-if-range)#spanning-tree bpduguard enable
S3(config-if-range)#shutdown
S3(config-if-range)#exit
S3(config)#int range fa 0/5-6
S3(config-if-range)#switchport port-security
S3(config-if-range)#switchport port-security mac-address sticky
S3(config-if-range)#no shutdown
S3(config-if-range)#exit
Task 11: Verification!!

- 16 -

Learning Objectives
- Secure the routers with strong passwords, password encryption and a login banner.
- Secure the console and VTY lines with passwords.
- Configure local AAA authentication.
- Configure SSH server.
- Configure router for syslog.
- Configure router for NTP.
- Secure the router against login attacks.
- Configure CBAC and ZPF firewalls.
- Secure network switches.

Introduction
In this comprehensive practice activity, you will apply a combination of security measures that were introduced in the course. These measures are listed in the objectives. In the topology, R1 is the edge router for Company A while R3 is the edge router for Company B. These networks are interconnected via the R2 router which represents the ISP. You will configure various security features on the routers and switches for Company A and Company B. Not all security features will be configured on R1 and R3.
The following preconfigurations have been made:
- Hostnames on all devices
- IP addresses on all devices
- R2 console password: ciscoconpa55
- R2 password on VTY lines: ciscovtypa55
- R2 enable password: ciscoenpa55
- Static routing
- Syslog services on PC-B
- DNS lookup has been disabled
- IP default gateways for all switches

Task 1: Test Connectivity and Verify Configurations
Step 1. Verify IP addresses.
Step 2. Verify routing tables.
Step 3. Test connectivity. From PC-A, ping PC-C at IP address 192.168.3.5.
Task 2: Secure the Routers
Step 1. Set a minimum password length of 10 characters on routers R1 and R3.
Step 2. Configure an enable secret password on routers R1 and R3.

- 17 -

Use an enable secret password of ciscoenpa55.
Step 3. Encrypt plaintext passwords.
Step 4. Configure the console lines on R1 and R3. Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.
Step 5. Configure vty lines on R1. Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the login authentication to use the default AAA list to be defined later.
Note: The vty lines on R3 will be configured for SSH in a later task.
Step 6. Configure login banner on R1 and R3. Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says: No Unauthorized Access!.
Task 3: Configure Local Authentication on R1 and R3
Step 1. Configure the local user database. Create a local user account of Admin01 with a secret password of Admin01pa55.
Step 2. Enable AAA services.
Step 3. Implement AAA services using the local database. Create the default login authentication method list using local authentication with no backup method.
Task 4: Configure NTP
Step 1. Enable NTP authentication on PC-A. On PC-A, choose the Config tab, and then the NTP button. Select On for NTP service. Enable authentication and enter a Key of 1 and a password of ciscontppa55.
Step 2. Configure R1 as an NTP Client. Configure NTP authentication Key 1 with a password of ciscontppa55. Configure R1 to synchronize with the NTP server and authenticate using Key 1.

- 18 -

Step 3. Configure routers to update hardware clock. Configure routers to periodically update the hardware clock with the time learned from NTP.
Task 5: Configure R1 as Syslog Client
Step 1. Configure R1 to timestamp log messages. Configure timestamp service for logging on the routers.
Step 2. Configure R1 to log messages to the syslog server. Configure the routers to identify the remote host (syslog server) that will receive logging messages. You should see a console message similar to the following:
SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.6 port 514 started - CLI initiated
Step 3. Check for syslog messages on PC-B. On R1, exit config mode to generate a syslog message. Open the syslog server on PC-B to view the message sent from R1. You should see a message similar to the following on the syslog server:
%SYS-5-CONFIG_I: Configured from console by console
Task 6: Secure Router Against Login Attacks
Step 1. Log unsuccessful login attempts to R1.
Step 2. Telnet to R1 from PC-A. Telnet from PC-A to R1 and provide the username Admin01 and password Admin01pa55. The Telnet should be successful.
Step 3. Telnet to R1 from PC-A and check syslog messages on the syslog server. Exit from the current Telnet session and Telnet again to R1 using the username of baduser and any password. Check the syslog server on PC-B. You should see an error message similar to the following that is generated by the failed login attempt.
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:baduser] [Source:192.168.1.5] [localport:23] [Reason:Invalid login] at 15:01:23 UTC Wed June 17 2009
Task 7: Configure SSH on R3

- 19 -

Step 1. Configure a domain name. Configure a domain name of ccnasecurity.com on R3.
Step 2. Configure the incoming vty lines on R3. Use the local user accounts for mandatory login and validation and accept only SSH connections.
Step 3. Configure RSA encryption key pair for R3. Any existing RSA key pairs should be erased on the router. If there are no keys currently configured a message will be displayed indicating this. Configure the RSA keys with a modulus of 1024.
Step 4. Configure SSH timeouts and authentication parameters. Set the SSH timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
Task 8: Configure CBAC on R1
Step 1. Configure a named IP ACL. Create an IP ACL named OUT-IN to block all traffic originating from the outside network. Apply the access list to incoming traffic on interface Serial 0/0/0.
Step 2. Confirm that traffic entering interface Serial 0/0/0 is dropped. From the PC-A command prompt, ping PC-C. The ICMP echo replies are blocked by the ACL.
Step 3. Create an inspection rule to inspect ICMP, Telnet and HTTP traffic. Create an inspection rule named IN-OUT-IN to inspect ICMP, Telnet and HTTP traffic.
Step 4. Apply the inspect rule to the outside interface. Apply the IN-OUT-IN inspection rule to the interface where traffic exits to outside networks.
Step 5. Test operation of the inspection rule. From the PC-A command prompt, ping PC-C. The ICMP echo replies should be inspected and allowed through.
Task 9: Configure ZPF on R3
Step 1. Test connectivity.

- 20 -

Verify that the internal host can access external resources. From PC-C, test connectivity with ping and Telnet to R2; all should be successful. From R2 ping to PC-C. The pings should be allowed.
Step 2. Create the firewall zones. Create an internal zone named IN-ZONE. Create an external zone named OUT-ZONE.
Step 3. Create an ACL that defines internal traffic. Create an extended, numbered ACL that permits all IP protocols from the 192.168.3.0/24 source network to any destination. Use 101 for the ACL number.
Step 4. Create a class map referencing the internal traffic ACL. Create a class map named IN-NET-CLASS-MAP to match ACL 101.
Step 5. Specify firewall policies. Create a policy map named IN-2-OUT-PMAP to determine what to do with matched traffic. Specify a class type of inspect and reference class map IN-NET-CLASS-MAP. Specify the action of inspect for this policy map. You should see the following console message:
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.
Exit to the global config prompt.
Step 6. Apply firewall policies. Create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created earlier. Attach a policy map and actions to the zone pair referencing the policy map previously created, IN-2-OUT-PMAP. Exit to the global config prompt and assign the internal and external interfaces to the security zones.

- 21 -

Step 7. Test firewall functionality. Verify that the internal host can still access external resources. From PC-C, test connectivity with ping and Telnet to R2; all should be successful. From R2 ping to PC-C. The pings should now be blocked.
Task 10: Secure the Switches
Step 1. Configure an enable secret password on all switches. Use an enable secret password of ciscoenpa55.
Step 2. Encrypt plaintext passwords.
Step 3. Configure the console lines on all switches. Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.
Step 4. Configure vty lines on all switches. Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the basic login parameter.
Step 5. Secure trunk ports on S1 and S2. Configure port Fa0/1 on S1 as a trunk port. Configure port Fa0/1 on S2 as a trunk port. Verify that S1 port Fa0/1 is in trunking mode. Set the native VLAN on S1 and S2 trunk ports to an unused VLAN 99. Set the trunk ports on S1 and S2 so that they do not negotiate by turning off the generation of DTP frames. Enable storm control for broadcasts on the S1 and S2 trunk ports with a 50 percent rising suppression level.
Step 6. Secure access ports. Disable trunking on S1, S2 and S3 access ports. Enable PortFast on S1, S2, and S3 access ports.

- 22 -

Enable BPDU guard on the switch ports previously configured as access only. Enable basic default port security on all end-user access ports that are in use. Use the sticky option. Re-enable each access port to which port security was applied. Disable any ports not being used on each switch.
Task 11: Verification
Step 1. Test SSH configuration. Attempt to connect to R3 via Telnet from PC-C. From PC-C, enter the command to connect to R3 via Telnet at IP address 192.168.3.1. This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines. From PC-C, enter the ssh -l Admin01 192.168.3.1 command to connect to R3 via SSH. When prompted for the password, enter the password Admin01pa55 configured for the local administrator. Use the show ip ssh command to see the configured settings.
Step 2. Verify timestamps, NTP status for R1 and PC-A.
Step 3. Test CBAC firewall on R1.
- Ping from PC-A to R2 at 10.2.2.2 (should succeed)
- Telnet from PC-A to R2 10.2.2.2 (should succeed)
- Ping from R2 to PC-A at 192.168.1.3 (should fail)
Step 4. Test ZPF firewall on R3.
- Ping from PC-C to R2 at 10.2.2.2 (should succeed)
- Telnet from PC-C to R2 at 10.2.2.2 (should succeed)
- Ping from R2 to PC-C at 192.168.3.5 (should fail)
- Telnet from R2 to R3 at 10.2.2.1 (should fail; only SSH is allowed)
Step 5. Verify port security.

- 23 -

On S2, use the show run command to confirm that S2 has added a sticky MAC address for Fa0/18. This should be the MAC address of PC-B. Record the MAC address for later use.
Select PC-B. Go to the Config tab. Select FastEthernet under the Interface section. Edit the MAC address field. This should cause a port security violation and S2 should shut down port Fa0/18. Use the show interface Fa0/18 command to view the status of the port. The port should be in the err-disabled state.
On PC-B, go to the Config tab. Select FastEthernet under the Interface section. Change the MAC address to another address. From interface configuration mode on switch S2 for Fa0/18, use the no switchport port-security mac-address sticky address command to remove the original PC-B learned address. Shutdown and then re-enable the Fa0/18 interface. On S2, use the show run command to confirm that the port comes up and that the new MAC address has been learned.
Note: If it is desired to reconnect the PC with the original MAC address, you can simply change the MAC address on the PC back to the original one and issue the shutdown and no shutdown commands on port Fa0/18. If the PC or a NIC is being replaced and will have a new MAC address, you must first remove the old learned address.
Step 6. Check results. Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
All contents are Copyright 1992-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

- 24 -

References
- TACACS: http://blog.naver.com/a51880?Redirect=Log&logNo=30054522012
- NSA/SNAC Router Security Configuration Guide v1.1
- http://cafe.naver.com/neteg

- 25 -
