
CCNA Security: Layer 2 Switch Lab

This document provides instructions for a lab on securing layer 2 switches. The lab is divided into 4 parts: 1. Configure basic settings on the router and switches like hostnames, IP addresses and passwords. 2. Configure SSH access on switches S1 and S2 and install SSH clients on PCs. 3. Configure trunk ports, secure access ports, enable STP features like root guard and protect switch ports. 4. Configure Switch Port Analyzer (SPAN) to monitor traffic on specific ports and analyze attacks.

CCNA Security

Chapter 6 Lab A, Securing Layer 2 Switches Instructor Version


Topology

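IP Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Gateway | Switch Port |
|--------|-----------|--------------|---------------|-----------------|-------------|
| R1 | Fa0/1 | 192.168.1.1 | 255.255.255.0 | N/A | S1 FA0/5 |
| S1 | VLAN 1 | 192.168.1.2 | 255.255.255.0 | N/A | N/A |
| S2 | VLAN 1 | 192.168.1.3 | 255.255.255.0 | N/A | N/A |
| PC-A | NIC | 192.168.1.10 | 255.255.255.0 | 192.168.1.1 | S1 FA0/6 |
| PC-B | NIC | 192.168.1.11 | 255.255.255.0 | 192.168.1.1 | S2 FA0/18 |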

Objectives

Part 1: Configure Basic Switch Settings
- Build the topology.
- Configure the host name, IP address, and access passwords.

Part 2: Configure SSH Access to the Switches
- Configure SSH access on the switch.
- Configure an SSH client to access the switch.
- Verify the configuration.

Part 3: Secure Trunks and Access Ports
- Configure trunk port mode.
- Change the native VLAN for trunk ports.
- Verify trunk configuration.
- Enable storm control for broadcasts.
- Configure access ports.
- Enable PortFast and BPDU guard.
- Verify BPDU guard.
- Enable root guard.
- Configure port security.
- Verify port security.
- Disable unused ports.

Part 4: Configure SPAN and Monitor Traffic
- Configure Switched Port Analyzer (SPAN).
- Monitor port activity using Wireshark.
- Analyze a sourced attack.

All contents are Copyright © 1992-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Background

The Layer 2 (Data Link) infrastructure consists mainly of interconnected Ethernet switches. Most end-user devices, such as computers, printers, IP phones and other hosts, connect to the network via Layer 2 access switches. As a result, they can present a network security risk. Similar to routers, switches are subject to attack from malicious internal users. The switch Cisco IOS software provides many security features that are specific to switch functions and protocols.

In this lab, you configure SSH access and Layer 2 security for switches S1 and S2. You also configure various switch protection measures, including access port security, switch storm control, and Spanning Tree Protocol (STP) features such as BPDU guard and root guard. Lastly, you use Cisco SPAN to monitor traffic to specific ports on the switch.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). The switch commands and output are from a Cisco WS-C2960-24TT-L with Cisco IOS Release 12.2(46)SE (C2960-LANBASEK9-M image). Other routers, switches, and IOS versions may be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router or switch model and IOS version, the commands available and output produced might vary from what is shown in this lab.

Note: Make sure that the router and the switches have been erased and have no startup configurations.

Instructor Note: Instructions for erasing switches and routers are provided in the Lab Manual, located on Academy Connection in the Tools section.

Required Resources

- One router (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
- Two switches (Cisco 2960 or comparable with cryptography IOS image for SSH support - Release 12.2(46)SE or comparable)
- PC-A (Windows XP or Vista with a PuTTY SSH client and Wireshark)
- PC-B (Windows XP or Vista with a PuTTY SSH client and SuperScan)
- Ethernet cables as shown in the topology
- Rollover cables to configure the switches via the console

Instructor Notes: This lab is divided into four parts. Each part can be administered individually or in combination with others as time permits. The focus is configuring security measures on switches S1 and S2. Router R1 serves as a realistic gateway connection and is mainly used to change the MAC address connected to switch S1 for port security testing. Students can work in teams of two for switch configuration, one person configuring S1 and the other configuring S2. The basic running configs for the router and two switches are captured after Parts 1 and 2 of the lab are completed. The running config for S1 and S2 are captured after Parts 3 and 4 and are listed separately. All configs are found at the end of the lab.

Part 1: Basic Device Configuration

In Part 1 of this lab, you set up the network topology and configure basic settings such as the host names, IP addresses, and device access passwords.

Note: Perform all tasks on router R1 and switches S1 and S2. The procedure for S1 is shown here as an example.

Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram and cable as necessary.

Step 2: Configure basic settings for the router and each switch.

a. Configure host names as shown in the topology.

b. Configure interface IP addresses as shown in the IP Addressing Table. The configuration of the VLAN 1 management interface on switch S1 is shown here.

S1(config)#interface vlan 1
S1(config-if)#ip address 192.168.1.2 255.255.255.0
S1(config-if)#no shutdown

c. Configure the enable secret and console passwords.

S1(config)#enable secret cisco12345
S1(config)#line console 0
S1(config-line)#password ciscoconpass
S1(config-line)#exec-timeout 5 0
S1(config-line)#login
S1(config-line)#logging synchronous

Note: Do not configure the switch vty access at this time. The vty lines are configured on the switches in Part 2 for SSH access.

d. Configure the vty lines and password on R1.

R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login

e. To prevent the router or switch from attempting to translate incorrectly entered commands, disable DNS lookup. Router R1 is shown here as an example.

R1(config)#no ip domain-lookup

f. HTTP access to the switch is enabled by default. To prevent HTTP access, disable the HTTP server and HTTP secure server.

S1(config)#no ip http server
S1(config)#no ip http secure-server

Note: The switch must have a cryptography IOS image to support the ip http secure-server command. HTTP access to the router is disabled by default.

Step 3: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A and PC-B as shown in the IP Addressing Table.

Step 4: Verify basic network connectivity.

a. Ping from PC-A and PC-B to the R1 Fa0/1 interface at IP address 192.168.1.1. Were the results successful? Yes. If the pings are not successful, troubleshoot the basic device configurations before continuing.

b. Ping from PC-A to PC-B. Were the results successful? Yes. If the pings are not successful, troubleshoot the basic device configurations before continuing.

Step 5: Save the basic configurations for the router and both switches.

Save the running configuration to the startup configuration from the privileged EXEC prompt.

S1#copy running-config startup-config

Part 2: SSH Configuration

In Part 2 of this lab, you configure switches S1 and S2 to support SSH connections and install SSH client software on the PCs.

Note: A switch IOS image that supports encryption is required to configure SSH. Otherwise, you cannot specify SSH as an input protocol for the vty lines and the crypto commands are not available.

Task 1: Configure the SSH Server on Switch S1 and S2 Using the CLI

In this task, use the CLI to configure the switch to be managed securely using SSH instead of Telnet. Secure Shell (SSH) is a network protocol that establishes a secure terminal emulation connection to a switch or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals.

Note: For a switch to support SSH, it must be configured with local authentication, AAA services or username. In this task, you configure an SSH username and local authentication on S1 and S2. S1 is shown here as an example.

Step 1: Configure a domain name.

Enter global configuration mode and set the domain name.

S1#conf t
S1(config)#ip domain-name ccnasecurity.com

Step 2: Configure a privileged user for login from the SSH client.

a. Use the username command to create the user ID with the highest possible privilege level and a secret password.

S1(config)#username admin privilege 15 secret cisco12345

b. Exit to the initial switch login screen, and log in with this username. What was the switch prompt after you entered the password? The privileged EXEC (enable) prompt # sign. With a privilege level of 15, the login defaults to privileged EXEC mode.

Step 3: Configure the incoming vty lines.

a. Configure vty access on lines 0 through 4. Specify a privilege level of 15 so that a user with the highest privilege level (15) will default to privileged EXEC mode when accessing the vty lines. Other users will default to user EXEC mode. Specify the use of local user accounts for mandatory login and validation, and accept only SSH connections.

S1(config)#line vty 0 4
S1(config-line)#privilege level 15
S1(config-line)#exec-timeout 5 0
S1(config-line)#login local
S1(config-line)#transport input ssh
S1(config-line)#exit

b. Disable login for switch vty lines 5 through 15.

S1(config)#line vty 5 15
S1(config-line)#no login

Step 4: Generate the RSA encryption key pair for the router.

The switch uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA keys with 1024 for the number of modulus bits. The default is 512, and the range is from 360 to 2048.

S1(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: S1.ccnasecurity.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

S1(config)#
00:15:36: %SSH-5-ENABLED: SSH 1.99 has been enabled

Instructor Note: The details of encryption methods are covered in Chapter 7.

Step 5: Verify the SSH configuration.

a. Use the show ip ssh command to see the current settings.

S1#show ip ssh

b. Fill in the following information based on the output of the show ip ssh command.

SSH version enabled: Most likely 1.5 to 1.99
Authentication timeout: Default is 120 seconds
Authentication retries: Default is 3 tries

Step 6: Configure SSH timeouts and authentication parameters.

The default SSH timeouts and authentication parameters can be altered to be more restrictive using the following commands.

S1(config)#ip ssh time-out 90
S1(config)#ip ssh authentication-retries 2

Step 7: Save the running-config to the startup-config.

S1#copy running-config startup-config

Task 2: Configure the SSH Client

TeraTerm and PuTTY are two terminal emulation programs that can support SSHv2 client connections. This lab uses PuTTY.

Step 1: (Optional) Download and install an SSH client on PC-A and PC-B.

If the SSH client is not already installed, download either TeraTerm or PuTTY.

Note: The procedure described here is for PuTTY and pertains to PC-A.

Step 2: Verify SSH connectivity to S1 from PC-A.

a. Launch PuTTY by double-clicking the putty.exe icon.

b. Input the S1 IP address 192.168.1.2 in the Host Name or IP address field.

c. Verify that the SSH radio button is selected. PuTTY defaults to SSH version 2.

d. Click Open.

e. In the PuTTY Security Alert window, click Yes.

f. Enter the admin username and password cisco12345 in the PuTTY window.

g. At the S1 privileged EXEC prompt, enter the show users command.

S1#show users

What users are connected to switch S1 at this time? You should see at least two users, one for your console connection and another for the SSH interface.

    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:03:15
   1 vty 0     admin      idle                 00:00:33   192.168.1.10

h. Close the PuTTY SSH session window with the exit or quit command.

i. Try to open a Telnet session to switch S1 from PC-A. Were you able to open the Telnet session? Why or why not? No, the Telnet session fails because only SSH is enabled as input for the vty lines.

Step 3: Save the configuration.

Save the running configuration to the startup configuration from the privileged EXEC prompt.

R1#copy running-config startup-config

Part 3: Secure Trunks and Access Ports

In Part 3 of this lab, you configure trunk ports, change the native VLAN for trunk ports, verify trunk configuration, and enable storm control for broadcasts on the trunk ports.

Securing trunk ports can help stop VLAN hopping attacks. The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking. If no trunking is required on an interface, configure the port as an access port. This disables trunking on the interface.

Note: Tasks should be performed on switches S1 or S2 as indicated.

Task 1: Secure Trunk Ports

Step 1: Configure switch S1 as the root switch.

For the purposes of this lab, assume that switch S2 is currently the root bridge and that switch S1 is preferred as the root switch. To force S1 to become the new root bridge, you configure a new priority for it.

a. From the console on S1, enter privileged EXEC mode and then global configuration mode.

b. The default priority for switches S1 and S2 is 32769 (32768 + 1 with System ID Extension). Set S1 priority to 0 so that it becomes the root switch.

S1(config)#spanning-tree vlan 1 priority 0
S1(config)#exit

c. Issue the show spanning-tree command to verify that S1 is the root bridge and to see the ports in use and their status.

S1#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     001d.4635.0c80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    1      (priority 0 sys-id-ext 1)
             Address     001d.4635.0c80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/5            Desg FWD 19        128.5    P2p
Fa0/6            Desg FWD 19        128.6    P2p

d. What is the S1 priority? 1 (priority 0 plus sys-id-ext 1)

e. What ports are in use and what is their status? Fa0/1, Fa0/5 and Fa0/6. All are FWD (forwarding)

Step 2: Configure trunk ports on S1 and S2.

a. Configure port Fa0/1 on S1 as a trunk port.

S1(config)#interface FastEthernet 0/1
S1(config-if)#switchport mode trunk

b. Configure port Fa0/1 on S2 as a trunk port.

S2(config)#interface FastEthernet 0/1
S2(config-if)#switchport mode trunk

c. Verify that S1 port Fa0/1 is in trunking mode with the show interfaces trunk command.

S1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1

Step 3: Change the native VLAN for the trunk ports on S1 and S2.

Changing the native VLAN for trunk ports to an unused VLAN helps prevent VLAN hopping attacks.

a. From the output of the show interfaces trunk in the previous step, what is the current native VLAN for the S1 Fa0/1 trunk interface? It is set to the default VLAN 1.

b. Set the native VLAN on the S1 Fa0/1 trunk interface to an unused VLAN 99.

S1(config)#interface Fa0/1
S1(config-if)#switchport trunk native vlan 99
S1(config-if)#end

c. The following message should be displayed after a brief period of time.

02:16:28: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).

What does the message mean? The S1 Fa0/1 native VLAN is now 99, but the S2 native VLAN is still 1. Both ends of the trunk must share the same native VLAN for trunking to occur.

d. Set the native VLAN on the S2 Fa0/1 trunk interface to VLAN 99.

S2(config)#interface Fa0/1
S2(config-if)#switchport trunk native vlan 99
S2(config-if)#end

Step 4: Prevent the use of DTP on S1 and S2.

Setting the trunk port to not negotiate also helps to mitigate VLAN hopping by turning off the generation of DTP frames.

S1(config)#interface Fa0/1
S1(config-if)#switchport nonegotiate

S2(config)#interface Fa0/1
S2(config-if)#switchport nonegotiate

Step 5: Verify the trunking configuration on port Fa0/1.

S1#show interface fa0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1

S1#show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Step 6: Enable storm control for broadcasts.

Enable storm control for broadcasts on the trunk port with a 50 percent rising suppression level using the storm-control broadcast command.

S1(config)#interface FastEthernet 0/1
S1(config-if)#storm-control broadcast level 50

S2(config)#interface FastEthernet 0/1
S2(config-if)#storm-control broadcast level 50

Step 7: Verify your configuration with the show run command.

Use the show run command to display the running configuration, beginning with the first line that has the text string "0/1" in it.

S1#show run | beg 0/1
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50.00
<Output omitted>

Task 2: Secure Access Ports

By manipulating the STP root bridge parameters, network attackers hope to spoof their system, or a rogue switch that they add to the network, as the root bridge in the topology. If a port that is configured with PortFast receives a BPDU, STP can put the port into the blocking state by using a feature called BPDU guard.

Step 1: Disable trunking on S1 access ports.

a. On S1, configure Fa0/5, the port to which R1 is connected, as access mode only.

S1(config)#interface FastEthernet 0/5
S1(config-if)#switchport mode access

b. On S1, configure Fa0/6, the port to which PC-A is connected, as access mode only.

S1(config)#interface FastEthernet 0/6
S1(config-if)#switchport mode access

c. On S2, configure Fa0/18, the port to which PC-B is connected, as access mode only.

S2(config)#interface FastEthernet 0/18
S2(config-if)#switchport mode access

Task 3: Protect Against STP Attacks

The topology has only two switches and no redundant paths, but STP is still active. In this step, you enable some switch security features that can help reduce the possibility of an attacker manipulating switches via STP-related methods.

Step 1: Enable PortFast on S1 and S2 access ports.

PortFast is configured on access ports that connect to a single workstation or server to enable them to become active more quickly.

a. Enable PortFast on the S1 Fa0/5 access port.

S1(config)#interface FastEthernet 0/5
S1(config-if)#spanning-tree portfast

The following Cisco IOS warning message is displayed:

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/5 but will only have effect when the interface is in a non-trunking mode.

b. Enable PortFast on the S1 Fa0/6 access port.

S1(config)#interface FastEthernet 0/6
S1(config-if)#spanning-tree portfast

c. Enable PortFast on the S2 Fa0/18 access ports

S2(config)#interface FastEthernet 0/18
S2(config-if)#spanning-tree portfast

Step 2: Enable BPDU guard on the S1 and S2 access ports.

BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports.

a. Enable BPDU guard on the switch ports previously configured as access only.

S1(config)#interface FastEthernet 0/5
S1(config-if)#spanning-tree bpduguard enable
S1(config)#interface FastEthernet 0/6
S1(config-if)#spanning-tree bpduguard enable

S2(config)#interface FastEthernet 0/18
S2(config-if)#spanning-tree bpduguard enable

b. PortFast and BPDU guard can also be enabled globally with the spanning-tree portfast default and spanning-tree portfast bpduguard commands in global configuration mode.

Note: BPDU guard can be enabled on all access ports that have PortFast enabled. These ports should never receive a BPDU. BPDU guard is best deployed on user-facing ports to prevent rogue switch network extensions by an attacker. If a port enabled with BPDU guard receives a BPDU, it is disabled and must be manually re-enabled. An err-disable timeout can be configured on the port so that it can recover automatically after a specified time period.

c. Verify that BPDU guard is configured by using the show spanning-tree interface fa0/5 detail command on switch S1.

S1#show spanning-tree interface fa0/5 detail

 Port 5 (FastEthernet0/5) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.5.
   Designated root has priority 1, address 001d.4635.0c80
   Designated bridge has priority 1, address 001d.4635.0c80
   Designated port id is 128.5, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   BPDU: sent 3349, received 0

Step 3: (Optional) Enable root guard.

Root guard is another option in helping to prevent rogue switches and spoofing. Root guard can be enabled on all ports on a switch that are not root ports. It is normally enabled only on ports connecting to edge switches where a superior BPDU should never be received. Each switch should have only one root port, which is the best path to the root switch.

a. The following command configures root guard on S2 interface Gi0/1. Normally, this is done if another switch is attached to this port. Root guard is best deployed on ports that connect to switches that should not be the root bridge.

S2(config)#interface gigabitEthernet 0/1
S2(config-if)#spanning-tree guard root

b. Issue the show run command to verify that root guard is configured.

S2#sh run | beg Gig
interface GigabitEthernet0/1
 spanning-tree guard root

Note: The S2 Gi0/1 port is not currently up, so it is not participating in STP. Otherwise, you could use the show spanning-tree interface Gi0/1 detail command.

c. If a port that is enabled with BPDU guard receives a superior BPDU, it goes into a root-inconsistent state. Use the show spanning-tree inconsistentports command to determine if there are any ports currently receiving superior BPDUs that should not be.

S2#show spanning-tree inconsistentports

Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------

Number of inconsistent ports (segments) in the system : 0

Note: Root guard allows a connected switch to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. If the superior BPDUs stop, the port returns to the forwarding state.

Task 4: Configure Port Security and Disable Unused Ports

Switches can also be subject to CAM table overflow, MAC spoofing attacks, and unauthorized connections to switch ports. In this task, you configure port security to limit the number of MAC addresses that can be learned on a switch port and disable the port if that number is exceeded.

Step 1: Record the R1 Fa0/0 MAC address.

a. From the router R1 CLI, use the show interface command and record the MAC address of the interface.

R1#show interface fa0/1
FastEthernet0/1 is up, line protocol is up
  Hardware is Gt96k FE, address is 001b.5325.256f (bia 001b.5325.256f)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX

b. What is the MAC address of the R1 Fa0/1 interface? In the example above, it is 001b.5325.256f

Step 2: Configure basic port security.

This procedure should be performed on all access ports that are in use. Switch S1 port Fa0/5 is shown here as an example.

Note: A switch port must be configured as an access port to enable port security.

a. From the switch S1 CLI, enter interface configuration mode for the port that connects to the router (Fast Ethernet 0/5).

S1(config)#interface FastEthernet 0/5

b. Shut down the switch port.

S1(config-if)#shutdown

c. Enable port security on the port.

S1(config-if)#switchport port-security

Note: Entering just the switchport port-security command sets the maximum MAC addresses to 1 and the violation action to shutdown. The switchport port-security maximum and switchport port-security violation commands can be used to change the default behavior.

d. Configure a static entry for the MAC address of R1 Fa0/1 interface recorded in Step 1.

S1(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx

(xxxx.xxxx.xxxx is the actual MAC address of the router Fast Ethernet 0/1 interface.)

Note: Optionally, you can use the switchport port-security mac-address sticky command to add all the secure MAC addresses that are dynamically learned on a port (up to the maximum set) to the switch running configuration.

e. Bring up the switch port.

S1(config-if)#no shutdown

Step 3: Verify port security on S1 Fa0/5.

a. On S1, issue the show port-security command to verify that port security has been configured on S1 Fa0/5.

S1#show port-security interface f0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.5325.256f:1
Security Violation Count   : 0

b. What is the status of the Fa0/5 port? Secure-up, which indicates that the port is secure but the status and protocol are up.

What is the Last Source Address and VLAN? 001b.5325.256f:1, the MAC address of R1 Fa0/1 and VLAN 1.

c. From the router R1 CLI, ping PC-A to verify connectivity. This also ensures that the R1 Fa0/1 MAC address is learned by the switch.

R1#ping 192.168.1.10

d. You will now violate security by changing the MAC address on the router interface. Enter interface configuration mode for the Fast Ethernet 0/1 interface and shut it down.

R1(config)#interface FastEthernet 0/1
R1(config-if)#shutdown

e. Configure a MAC address for the interface on the interface, using aaaa.bbbb.cccc as the address.

R1(config-if)#mac-address aaaa.bbbb.cccc

f. Enable the Fast Ethernet 0/1 interface.

R1(config-if)#no shutdown
R1(config-if)#end

g. From the router R1 CLI, ping PC-A. Was the ping successful? Why or why not? No, the Fa0/5 port on switch S1 shut down because of the security violation.

h. On switch S1 console, observe the messages when port Fa0/5 detects the violating MAC address.

*Jan 14 01:34:39.750: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
*Jan 14 01:34:39.750: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/5.
*Jan 14 01:34:40.756: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
*Mar 1 01:34:41.755: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down

i. On the switch, use the various show port-security commands to verify that port security has been violated.

S1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
--------------------------------------------------------------------
      Fa0/5        1            1              1            Shutdown
----------------------------------------------------------------------

S1#show port-security interface fastethernet0/5
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aaaa.bbbb.cccc:1
Security Violation Count   : 1

S1#show port-security address
           Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    001b.5325.256f    SecureConfigured    Fa0/5     -
-----------------------------------------------------------------------

j. On the router, shut down the Fast Ethernet 0/1 interface, remove the hard-coded MAC address from the router, and re-enable the Fast Ethernet 0/1 interface.

R1(config)#interface FastEthernet 0/1
R1(config-if)#shutdown
R1(config-if)#no mac-address aaaa.bbbb.cccc
R1(config-if)#no shutdown

Note: This will restore the original FastEthernet interface MAC address.

k. From R1, try to ping the PC-A again at 192.168.1.10. Was the ping successful? Why or why not? No, the S1 Fa0/5 port is still in an err-disabled state.
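The console messages in Step 3h are also what a syslog collector receives, so the violation can be detected centrally. The following added example (not part of the original lab) parses messages in that format and reports which ports were err-disabled and which MAC address outside the configured one triggered it. The EXPECTED_MACS allow-list, the function names, and the BPDU guard err-disable line in the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample: the first three lines follow the Step 3h console output;
# the Fa0/6 line is an assumed BPDU guard err-disable added for contrast.
SAMPLE_LOG = """\
*Jan 14 01:34:39.750: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
*Jan 14 01:34:39.750: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/5.
*Jan 14 01:34:40.756: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
*Jan 14 02:10:02.101: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/6, putting Fa0/6 in err-disable state
"""

# Assumed allow-list: the static secure MAC configured on S1 Fa0/5 in Step 2.
EXPECTED_MACS = {"FastEthernet0/5": {"001b.5325.256f"}}

# Timestamp, %FACILITY-SEVERITY-MNEMONIC tag, then the free-text message.
SYSLOG = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+ [\d:.]+): "
    r"%(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
ERR_DISABLE = re.compile(r"^(?P<cause>\S+) error detected on (?P<port>\S+),")
PSECURE = re.compile(
    r"caused by MAC address (?P<mac>[0-9A-Fa-f.]+) on port (?P<port>\S+?)\.?$"
)
SHORT_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}


def full_name(port):
    """Expand Fa0/5 to FastEthernet0/5 so both message styles correlate."""
    prefix, rest = re.match(r"([A-Za-z]+)(.*)", port).groups()
    return SHORT_NAMES.get(prefix, prefix) + rest


def _new(ts):
    """Empty event record, stamped with the first message seen for the port."""
    return {"first_seen": ts, "err_disabled": False, "cause": None,
            "unexpected_macs": []}


def triage(log, expected=EXPECTED_MACS):
    """Return {port: event} for every port that logged a Layer 2 violation."""
    events = {}
    for line in log.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue
        if m["tag"] == "PM-4-ERR_DISABLE":
            hit = ERR_DISABLE.match(m["msg"])
            if hit:
                ev = events.setdefault(full_name(hit["port"]), _new(m["ts"]))
                ev["err_disabled"] = True
                ev["cause"] = hit["cause"]
        elif m["tag"] == "PORT_SECURITY-2-PSECURE_VIOLATION":
            hit = PSECURE.search(m["msg"])
            if hit:
                port = full_name(hit["port"])
                ev = events.setdefault(port, _new(m["ts"]))
                mac = hit["mac"].lower()
                # Only MACs outside the configured secure address are reported.
                if mac not in expected.get(port, set()):
                    ev["unexpected_macs"].append(mac)
    return events


if __name__ == "__main__":
    for port, event in triage(SAMPLE_LOG).items():
        print(port, event)
```
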

Step 4: Clear the S1 Fa0/5 error disabled status.

a. From the S1 console, clear the error and re-enable the port using the following commands. This will change the port status from Secure-shutdown to Secure-up.

S1(config)#interface FastEthernet 0/5
S1(config-if)#shutdown
S1(config-if)#no shutdown

Note: This assumes the device/interface with the violating MAC address has been removed and replaced with the one originally configured.

b. From R1, ping PC-A again. You should be successful this time.

R1#ping 192.168.1.10
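The console messages S1 prints on a violation, and the line-protocol change when the port is recovered, are enough to track port state from a syslog feed. The following Python is an added example, not part of the Cisco lab: it parses IOS lines of that form and reports which ports saw violations and which are still err-disabled. Function names are hypothetical, and the last two sample lines are constructed.

```python
import re

# Console lines modelled on the S1 messages in this lab. The last two lines are
# constructed for this example: a violation on a port that is not err-disabled,
# and Fa0/5 coming back up after shutdown / no shutdown.
SAMPLE_LOG = """\
*Jan 14 01:34:39.750: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
*Jan 14 01:34:39.750: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/5.
*Jan 14 01:34:40.756: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
*Jan 14 01:52:10.004: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address dddd.eeee.ffff on port FastEthernet0/6.
*Jan 14 01:58:31.412: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
"""

# %FACILITY-SEVERITY-MNEMONIC: text
MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
ERR_DISABLE = re.compile(r"(?P<cause>\S+) error detected on (?P<port>[\w/]+), putting")
VIOLATION = re.compile(
    r"caused by MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (?P<port>[\w/]+)", re.I)
LINE_PROTO = re.compile(r"Line protocol on Interface (?P<port>[\w/]+), changed state to (?P<state>up|down)")

ABBREVIATIONS = {"FastEthernet": "Fa", "GigabitEthernet": "Gi"}


def short_port(name):
    """Normalise FastEthernet0/5 and Fa0/5 to the same key."""
    for long_form, short_form in ABBREVIATIONS.items():
        if name.startswith(long_form):
            return short_form + name[len(long_form):]
    return name


def port_security_state(log_text):
    """Return {port: {macs, violations, err_disabled, last_cause}} from IOS log text."""
    ports = {}

    def entry(port):
        return ports.setdefault(short_port(port), {
            "macs": [], "violations": 0, "err_disabled": False, "last_cause": None})

    for line in log_text.splitlines():
        msg = MSG.search(line)
        if not msg:
            continue
        kind = (msg["facility"], msg["mnemonic"])
        text = msg["text"]
        if kind == ("PM", "ERR_DISABLE"):
            hit = ERR_DISABLE.search(text)
            if hit:
                state = entry(hit["port"])
                state["err_disabled"] = True
                state["last_cause"] = hit["cause"]
        elif kind == ("PORT_SECURITY", "PSECURE_VIOLATION"):
            hit = VIOLATION.search(text)
            if hit:
                state = entry(hit["port"])
                state["violations"] += 1
                if hit["mac"] not in state["macs"]:
                    state["macs"].append(hit["mac"])
        elif kind == ("LINEPROTO", "UPDOWN"):
            hit = LINE_PROTO.search(text)
            # A port we saw err-disabled that comes up again has been recovered.
            if hit and hit["state"] == "up" and short_port(hit["port"]) in ports:
                ports[short_port(hit["port"])]["err_disabled"] = False
    return ports


def still_err_disabled(ports):
    """Ports that were err-disabled and have not come back up."""
    return sorted(p for p, s in ports.items() if s["err_disabled"])


if __name__ == "__main__":
    for port, state in port_security_state(SAMPLE_LOG).items():
        print(port, state)
```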

Step 5: Remove basic port security on S1 Fa0/5.

a. From the S1 console, remove port security on Fa0/5. This procedure can also be used to re-enable the port, but port security commands will need to be reconfigured.

S1(config)#interface FastEthernet 0/5
S1(config-if)#shutdown
S1(config-if)#no switchport port-security
S1(config-if)#no switchport port-security mac-address 001b.5325.256f
S1(config-if)#no shutdown

b. You can also use the following commands to reset the interface to its default settings.

S1(config)#interface FastEthernet 0/5
S1(config-if)#shutdown
S1(config-if)#exit
S1(config)#default interface fastethernet 0/5
S1(config)#interface FastEthernet 0/5
S1(config-if)#no shutdown

Note: This default interface command also requires you to reconfigure the port as an access port in order to re-enable the security commands.

Step 6: (Optional) Configure port security for VoIP.

The following example shows a typical port security configuration for a voice port. Two MAC addresses are allowed, and they are to be learned dynamically. One MAC address is for the IP phone, and the other MAC address is for the PC connected to the IP phone. Violations of this policy result in the port being shut down. The aging timeout for the learned MAC addresses is set to two hours. This example is shown for switch S2 port Fa0/18.

S2(config)#interface Fa0/18
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 2
S2(config-if)#switchport port-security violation shutdown
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security aging time 120

Step 7: Disable unused ports on S1 and S2.

As a further security measure, disable any ports not being used on the switch.

a. Ports Fa0/1, Fa0/5, and Fa0/6 are used on switch S1. The remaining Fast Ethernet ports and the two Gigabit Ethernet ports will be shut down.

S1(config)#interface range Fa0/2 - 4
S1(config-if-range)#shutdown
S1(config-if-range)#interface range Fa0/7 - 24
S1(config-if-range)#shutdown
S1(config-if-range)#interface range gigabitethernet0/1 - 2
S1(config-if-range)#shutdown

b. Ports Fa0/18 and Gi0/1 are used on switch S2. The remaining Fast Ethernet ports and the Gigabit Ethernet ports will be shut down.

S2(config)#interface range Fa0/2 - 17
S2(config-if-range)#shutdown
S2(config-if-range)#interface range Fa0/19 - 24
S2(config-if-range)#shutdown
S2(config-if-range)#exit
S2(config)#interface gigabitethernet0/2
S2(config-if)#shutdown

Step 8: (Optional) Move active ports to a VLAN other than the default VLAN 1

As a further security measure, you can move all active end user and router ports to a VLAN other than the default VLAN 1 on both switches.

a. Configure a new VLAN for users on each switch using the following commands:

S1(config)#vlan 20
S1(config-vlan)#name Users

S2(config)#vlan 20
S2(config-vlan)#name Users

b. Add the current active access (non-trunk) ports to the new VLAN.

S1(config)#interface range fa0/5 - 6
S1(config-if-range)#switchport access vlan 20

S2(config)#interface fa0/18
S2(config-if)#switchport access vlan 20

Note: This will prevent communication between end user hosts and the management VLAN IP address of the switch, which is currently VLAN 1. The switch can still be accessed and configured using the console connection. If you need to provide Telnet or SSH access to the switch, a specific port can be designated as the management port and added to VLAN 1 with a specific management workstation attached. A more elaborate solution is to create a new VLAN for switch management (or use the existing native trunk VLAN 99) and configure a separate subnet for the management and user VLANs. Enable trunking with subinterfaces on R1 to route between the management and user VLAN subnets.
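The port-level measures in this lab (unused ports shut down, port security and BPDU guard on access ports, trunks with negotiation off and a non-default native VLAN, active ports moved out of VLAN 1) can be checked mechanically against a running-config. The following Python is an added example, not part of the Cisco lab; the rule set is an assumed policy built from those measures, the function names are hypothetical, and the sample config is constructed with deliberate gaps.

```python
import re

# Constructed running-config fragment modelled on S1 in this lab, with a few
# deliberate gaps so the audit has something to report.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS running-config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or any global command ends the stanza
    return stanzas


def last_arg(cmds, prefix):
    """Last word of the first sub-command starting with prefix, or None."""
    for cmd in cmds:
        if cmd.startswith(prefix):
            return cmd.split()[-1]
    return None


def audit_port(name, cmds):
    """Findings for one physical port; assumed policy, see the lead-in."""
    if not re.match(r"(Fast|Gigabit)Ethernet", name):
        return []  # SVIs and other logical interfaces are out of scope
    if "shutdown" in cmds:
        return []  # a disabled port needs no further hardening
    findings = []
    if "switchport mode trunk" in cmds:
        if "switchport nonegotiate" not in cmds:
            findings.append("trunk still negotiates DTP (no 'switchport nonegotiate')")
        if last_arg(cmds, "switchport trunk native vlan ") in (None, "1"):
            findings.append("trunk native VLAN is the default VLAN 1")
    elif "switchport mode access" in cmds:
        if "switchport port-security" not in cmds:
            findings.append("access port without port security")
        if "spanning-tree bpduguard enable" not in cmds:
            findings.append("access port without BPDU guard")
        if last_arg(cmds, "switchport access vlan ") in (None, "1"):
            findings.append("access port left in default VLAN 1")
    else:
        findings.append("enabled port with no explicit mode; shut it down or set access/trunk")
    return findings


def audit(config):
    """Return {interface: [findings]} for every port with at least one finding."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        findings = audit_port(name, cmds)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{port}: {finding}")
```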

Part 4: Configure SPAN and Monitor Traffic

Note: There are two tasks in this part of the lab. Task 1: Option 1 is to be performed using hands-on equipment. Task 2: Option 2 is modified to be compatible with the NETLAB+ system but can also be performed using hands-on equipment.

Cisco IOS provides a feature called Switched Port Analyzer (SPAN) that can be used to monitor network attacks. Cisco IOS supports local SPAN and remote SPAN (RSPAN). With local SPAN, the source VLANs, source switch ports, and the destination switch ports are on the same physical switch. In this part of the lab, you configure a local SPAN to copy traffic from one port where a host is connected to another port where a monitoring station is connected. The monitoring station will run the Wireshark packet sniffer application to analyze traffic.

Note: SPAN allows you to select and copy traffic from one or more source switch ports or source VLANs onto one or more destination ports.

Task 1: Option 1 - Configure a SPAN Session Using Hands-on Equipment.

Note: Option 1 assumes you have physical access to the devices shown in the topology for this lab. NETLAB+ users accessing lab equipment remotely should proceed to Task 2: Option 2.

Step 1: Configure a SPAN session on S1 with a source and destination

a. Set the SPAN source interface using the monitor session command in global configuration mode. The following configures a SPAN source port on FastEthernet 0/5 for ingress and egress traffic. Traffic copied on the source port can be ingress only, egress only or both. Switch S1 port Fa0/5 is connected to router R1, so traffic to (ingress) and from (egress) switch port Fa0/5 to R1 will be monitored.

S1(config)#monitor session 1 source interface fa0/5 both

Note: You can specify to monitor tx (transmit) or rx (receive) traffic. The keyword both includes tx and rx. The source can be a single interface, a range of interfaces, a single VLAN, or a range of VLANs.

b. Set the SPAN destination interface.

S1(config)#monitor session 1 destination interface fa0/6

All traffic from S1 Fa0/5, where R1 is connected, will be copied to the SPAN destination port Fa0/6, where PC-A with Wireshark is connected.

Note: The destination can be an interface or a range of interfaces.

Step 2: Verify the setup of the SPAN session on S1.

Confirm the SPAN session setup.

S1#show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/5
Destination Ports : Fa0/6
    Encapsulation : Native
          Ingress : Disabled

Step 3: (Optional) Download and install Wireshark on PC-A.

a. Wireshark is a network protocol analyzer (also called a packet sniffer) that runs with Windows XP and Vista. If Wireshark is not currently available on PC-A, you can download the latest version from http://www.wireshark.org/download.html. This lab uses Wireshark version 1.0.5. The initial Wireshark installation screen is shown here.

b. Click I Agree to the License agreement and accept the defaults by clicking Next when prompted.

Note: On the Install WinPcap screen, select the install WinPcap options and select Start WinPcap service option if you want to have other users besides those with administrative privileges run Wireshark.

Step 4: Monitor switch S1 port Fa0/5 ping activity using Wireshark on PC-A.

a. If Wireshark is available, start the application.

b. From the main menu, select Capture > Interfaces.

c. Click the Start button for the local area network interface adapter with IP address 192.168.1.10.

d. Generate some traffic from PC-B (192.168.1.11) to R1 interface Fa0/1 (192.168.1.1) using ping. This traffic will go from S2 port Fa0/18 to S2 port Fa0/1 across the trunk link to S1 port Fa0/1 and then exit interface Fa0/5 on S1 to reach R1.

PC-B:\>ping 192.168.1.1

e. Observe the results in Wireshark on PC-A. Notice the initial ARP request broadcast from PC-B (Intel NIC) to determine the MAC address of the R1 Fa0/1 interface with IP address 192.168.1.1 and the ARP reply from the R1 Cisco Ethernet interface. After the ARP request, the pings (echo request and replies) can be seen going from PC-B to R1 and from R1 to PC-B through the switch.

Note: Your screen should look similar to the one below. Some additional packets might be captured in addition to the pings, such as the R1 Fa0/1 LOOP reply.

Step 5: Monitor switch S1 port Fa0/5 SuperScan activity using Wireshark on PC-A.

a. If SuperScan is not on PC-B, download the SuperScan 4.0 tool from the Scanning Tools group at http://www.foundstone.com. Unzip the file into a folder. The SuperScan4.exe file is executable and installation is not required.

b. Start the SuperScan program on PC-B. Click the Host and Service Discovery tab. Check the Timestamp Request check box, and uncheck the Echo Request check box. Scroll through the UDP and TCP port selection lists and notice the range of ports that will be scanned.

c. In the SuperScan program, click the Scan tab and enter the IP address of R1 FA0/1 (192.168.1.1) in the Hostname/IP field.

d. Click the right arrow to populate the Start IP and End IP fields.

e. Clear the previous capture in Wireshark and start a new capture by clicking Capture > Start. When prompted, click the Continue without saving button.

f. In the SuperScan program, click the blue arrow button in the lower left to start the scan.

g. Observe the results in the Wireshark window on PC-A. Notice the number and types of ports tried by the simulated SuperScan attack from PC-B (192.168.1.11) to R1 Fa0/1 (192.168.1.1). Your screen should look similar to the following:

Task 2: Option 2 - Configure a SPAN Session Using NETLAB+ Remote Equipment.

Note: This portion of the lab has been rewritten to enhance compatibility with the NETLAB+ system.

On switch S1, you will configure a local SPAN to reflect the traffic exiting port Fa0/5, in this case, the traffic from PC-A to R1's Fa0/1. This traffic should be received by switch S2, and forwarded to PC-B, where Wireshark is capturing the packets. Refer to the following diagram which illustrates the SPAN traffic flow.

Note: To perform this task, Wireshark should be installed on PC-B.

Note: Switch S2 is acting as a regular switch, forwarding frames based on destination MAC addresses and switch ports. The traffic entering S2 through port Fa0/1 uses R1's MAC address as the destination for the Ethernet frame; therefore, in order to forward those packets to PC-B, R1's MAC address must be the same as PC-B's. To accomplish this, R1's Fa0/1 MAC address is modified using the IOS CLI to simulate PC-B's MAC address. This requirement is specific to the NETLAB+ environment.

Step 1: Configure a SPAN session on S1 with Source and Destination:

a. Return the Fa0/1 on S1 and S2 to its default configuration. This link S1 Fa0/1 to S2 Fa0/1 is going to be used to carry the traffic being monitored.

S1(config)#default interface fastethernet 0/1
S2(config)#default interface fastethernet 0/1

b. Write down the MAC address for PC-B.
PC-B's MAC Address: Answer will vary
PC-B's MAC Address in this example is 000c-299a-e61a

c. Configure the PC-B's MAC address on R1's Fa0/1.

R1(config)#interface fa0/1
R1(config-if)#mac-address 000c.299a.e61a

d. Set the SPAN source interface using the monitor session command in global configuration mode. The following configures a SPAN source port on fastethernet0/5 for egress traffic. Traffic copied on the source port can be ingress only, egress only or both. In this case, the egress traffic is the only one analyzed. On switch S1, port Fa0/5 is connected to router R1, so traffic to the switch port Fa0/5 to R1 will be monitored.

S1(config)#monitor session 1 source interface fa0/5 tx

Note: The source can be a single interface, a range of interfaces, a single VLAN, or a range of VLANs.

e. Set the SPAN destination interface.

S1(config)#monitor session 1 destination interface fa0/1

All egress traffic from S1 Fa0/5, where R1 is connected, will be copied to the SPAN destination port Fa0/1, where PC-B with Wireshark is connected.

Note: The destination can be an interface or a range of interfaces.

Step 2: Verify the setup of the SPAN session on S1.

Confirm the SPAN session setup using the show monitor session 1 command.

S1#show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    TX Only       : Fa0/5
Destination Ports : Fa0/1
    Encapsulation : Native
          Ingress : Disabled

Step 3: (Optional) Download and install Wireshark on PC-B

a. Wireshark is a network protocol analyzer (also called a packet sniffer) that runs with Windows XP and Vista. If Wireshark is not currently available on PC-B, you may download the latest version from http://www.wireshark.org/download.html and install it as described in Part 4, Task 1, Step 3.

Step 4: Monitor Switch S1 port Fa0/5 ping activity using Wireshark on PC-B

a. If Wireshark is available, start the application.

b. From the main menu, select Capture > Interfaces.

c. Click the Start button for the Local area network interface adapter.

d. Generate some traffic from PC-A (192.168.1.10) to R1 interface Fa0/1 (192.168.1.1) using ping. This traffic will go from S1 port Fa0/6 to S1 port Fa0/5. In addition, the traffic going from PC-A to R1 interface Fa0/1 is forwarded across the link between S1 and S2, and then S2 will forward this traffic to PC-B, where Wireshark is capturing the packets. Before pinging, delete the ARP table on PC-A, so an ARP request would be generated. Note that the SPAN session is configured only on S1, and S2 is operating as a normal switch.

C:\>arp -d *
C:\>ping 192.168.1.1

e. Observe the results in Wireshark on PC-B. Notice the initial ARP request broadcast from PC-A to determine the MAC address of the R1 Fa0/1 interface with IP address 192.168.1.1 and the ARP reply from the R1 Cisco Ethernet interface. After the ARP request, the pings (echo requests) can be seen going from PC-A to R1 through the switch.

Note: Your screen should look similar to the one below. There may be some additional packets captured, in addition to the pings, such as the R1 Fa0/1 LOOP Reply and Spanning Tree Packets.

Step 5: Monitor Switch S1 port Fa0/5 SuperScan activity using Wireshark on PC-B

a. If SuperScan is not on PC-A, download the SuperScan 4.0 tool from the Scanning Tools group at http://www.foundstone.com. Unzip the file into a folder. The SuperScan4.exe file is executable and installation is not required.

b. Start the SuperScan program on PC-A. Click the Host and Service Discovery tab. Check the Timestamp Request check box and uncheck the Echo Request check box. Scroll the UDP and TCP port selection lists and notice the range of ports that will be scanned.

c. In the SuperScan program, click the Scan tab and enter the IP address of R1 FA0/1 (192.168.1.1) in the Hostname/IP field.

d. Click the right-facing arrow to populate the Start and End IP fields.

e. Clear the previous capture in Wireshark and start a new capture by clicking Capture > Start and, when prompted, click the Continue without saving button.

f. In the SuperScan program, click the button in the lower left of the screen, with the blue arrow on it, to start the scan.

g. Observe the results on the Wireshark window on PC-B. Notice the number and types of ports tried by the simulated SuperScan attack from PC-A (192.168.1.11) to R1 Fa0/1 (192.168.1.1). Your screen should look similar to the following:

Step 6: Reflection.

a. Why should port security be enabled on switch access ports? Answers will vary, but should include that port security allows a limited number of hosts to use the port and a PC cannot be connected and use the network without authorization.

b. Why should port security be enabled on switch trunk ports? Answers will vary, but should include trunk security can help to prevent VLAN hopping and STP attacks from rogue switches.

c. Why should unused ports on a switch be disabled? Answers will vary, but should include that an unauthorized device cannot be plugged into an unused switch port and use the network, because the unused ports have to be administratively enabled to be utilized.

Router Interface Summary Table

Router Interface Summary

Router Model | Ethernet Interface #1     | Ethernet Interface #2     | Serial Interface #1   | Serial Interface #2
1700         | Fast Ethernet 0 (FA0)     | Fast Ethernet 1 (FA1)     | Serial 0 (S0)         | Serial 1 (S1)
1800         | Fast Ethernet 0/0 (FA0/0) | Fast Ethernet 0/1 (FA0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
2600         | Fast Ethernet 0/0 (FA0/0) | Fast Ethernet 0/1 (FA0/1) | Serial 0/0 (S0/0)     | Serial 0/1 (S0/1)
2800         | Fast Ethernet 0/0 (FA0/0) | Fast Ethernet 0/1 (FA0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

Device Configs

Router R1 after Part 1

R1#sh run
Building configuration...

Current configuration : 1213 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 N1N7Os&NP/i>wi@Cfy!fKa8T>A($31
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password ciscoconpass
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 password ciscovtypass
 login
!
scheduler allocate 20000 1000
end
R1#

Switch S1 after Parts 1 and 2

S1#sh run
Building configuration...

Current configuration : 1670 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 N1N3+ QN./$I&2u7.I/>HR14/oi%4.
!
username admin privilege 15 secret 5 N1N$w@JNkk?>fR"1<tm(y&.2HP!c51
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip domain-name ccnasecurity.com
!
crypto pki trustpoint TP-self-signed-1177881728
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1177881728
 revocation-check none
 rsakeypair TP-self-signed-1177881728
!
crypto pki certificate chain TP-self-signed-1177881728
 certificate self-signed 01
  quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password ciscoconpass
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 no login
!
end
S1#

Switch S2 after Parts 1 and 2

S2#sh run
Building configuration...

Current configuration : 1670 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S2
!
boot-start-marker
boot-end-marker
!
enable secret 5 N1N3+ QN./$I&2u7.I/>HR14/oi%4.
!
username admin privilege 15 secret 5 N1N$w@JNkk?>fR"1<tm(y&.2HP!c51
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip domain-name ccnasecurity.com
!
crypto pki trustpoint TP-self-signed-1177881728
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1177881728
 revocation-check none
 rsakeypair TP-self-signed-1177881728
!
crypto pki certificate chain TP-self-signed-1177881728
 certificate self-signed 01
  quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
 no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password ciscoconpass
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 no login
!
end

Switch S1 after Parts 3 and 4

S1#sh run
Building configuration...

Current configuration : 3969 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 N1N49);Nyg7?c8n7=<w3O%ys;P)f81
!
username admin privilege 15 secret 5 N1NA6o+NSsTOA@c.eruTOmnsIJ+2?B
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
!
ip domain-name ccnasecurity.com
!
crypto pki trustpoint TP-self-signed-1177881728
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1177881728
 revocation-check none
 rsakeypair TP-self-signed-1177881728
!
crypto pki certificate chain TP-self-signed-1177881728
 certificate self-signed 01
  quit
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50.00
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password ciscoconpass
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 no login
!
monitor session 1 source interface Fa0/5
monitor session 1 destination interface Fa0/6
end
S1#

Switch S2 after Parts 3 and 4


S2#sh run
Building configuration...
Current configuration : 1860 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S2
!
boot-start-marker
boot-end-marker
!
enable secret 5 N1NmtK1N;KRcaTBTI1u5=i1%,u14,B
!
username admin privilege 15 secret 5 N1N$w@JNkk?>fR"1<tm(y&.2HP!c51
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip domain-name ccnasecurity.com
!
crypto pki trustpoint TP-self-signed-1177881728
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1177881728
 revocation-check none
 rsakeypair TP-self-signed-1177881728
!
crypto pki certificate chain TP-self-signed-1177881728
 certificate self-signed 01
  quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50.00
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 spanning-tree guard root
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
 no ip route-cache
!
no ip http server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password ciscoconpass
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 login local
line vty 5 15
 no login
!
end
S2#
