Part 1: Configure Basic Device Settings
The desktop system assigned to you serves as an end-user terminal. You access and manage the lab environment from the student desktop system using the GNS3 software.
Students should perform the steps in this task individually.
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP addresses, static routing, device access, and passwords.
All steps should be performed on router R1-S0000. The procedure for R1 is shown here as an example.
Step 1: Configure and deploy the switch in the GNS3 network.
If you have not already done so, configure the switch appliance cisco-iosvl2.gns3a from the GNS3 folder of the student$ share on 10.1.2.78 and use the switch image IOS-S465-CLI.pkg. Attach the devices as shown in the topology diagram and cable the connections as necessary.
Step 2: Configure basic settings for the router and each switch.
Perform all tasks on R1, S1, and S2. The procedure for S1 is shown here as an example.
a. Configure hostnames, as shown in the topology.
b. Configure interface IP addresses, as shown in the IP Addressing Table. On S1 the management address is configured on the VLAN 1 interface (interface vlan 1), together with a default gateway pointing at R1.
c. Prevent the router or switch from attempting to translate incorrectly entered commands by disabling DNS lookup. S1 is shown here as an example.
d. HTTP access to the switch is enabled by default. Prevent HTTP access by disabling the HTTP server and HTTP secure server.
e. Configure the enable secret password.
f. Configure console password.
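The complete Step 2 configuration for S1, as an added example (not part of the original lab). The S1 address 192.168.1.11/24, the gateway 192.168.1.1, the password strings, and the exec-timeout/logging synchronous lines are assumptions; take the real addresses from the IP Addressing Table.

```cisco
! S1 basic settings, Part 1 Step 2 (added example; the address, gateway and
! passwords below are assumptions, not values from the lab's addressing table)
enable
configure terminal
! a. hostname as shown in the topology
hostname S1-S0000
!
! b. management SVI in VLAN 1 and the default gateway toward R1
interface vlan 1
 ip address 192.168.1.11 255.255.255.0
 no shutdown
exit
ip default-gateway 192.168.1.1
!
! c. stop the switch from resolving mistyped commands as hostnames
no ip domain-lookup
!
! d. the web management surface is on by default; remove both listeners
no ip http server
no ip http secure-server
!
! e. privileged EXEC password, stored hashed ("enable secret", never "enable password")
enable secret cisco12345
!
! f. console password; "login" is what actually enforces it on the line
!    (exec-timeout and logging synchronous are additions beyond the lab's steps)
line console 0
 password ciscoconpass
 login
 exec-timeout 5 0
 logging synchronous
exit
end
!
! quick checks before moving on
show ip interface brief
show running-config | include http|domain-lookup|enable secret
```

Run the same sequence on S2 with its own VLAN 1 address, and on R1 apply steps a and c-f to the physical interface instead of the SVI.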
Step 3: Configure PC host IP settings.
Configure a static IP address, subnet mask, and default gateway for PC-A and PC-B, as shown in the IP Addressing Table.
Step 4: Verify basic network connectivity.
a. Ping from PC-A and PC-B to the R1 F0/1 interface at IP address 192.168.1.1.
If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A to PC-B.
If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.
Step 5: Save the basic configurations for the router and both switches.
Save the running configuration to the startup configuration from the privileged EXEC mode prompt.
Part 2: Configure SSH Access to the Switches
In Part 2, you will configure S1 and S2 to support SSH connections and install SSH client software on the PCs.
Note: A switch IOS image that supports encryption is required to configure SSH. If an image without encryption support is used, you cannot specify SSH as an input protocol for the vty lines, and the crypto commands are unavailable.
Task 1: Configure the SSH Server on S1 and S2 Using the CLI.
In this task, use the CLI to configure the switch to be managed securely using SSH instead of Telnet. SSH is a network protocol that establishes a secure terminal emulation connection to a switch or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the preferred remote login tool for network professionals. It is strongly recommended that SSH be used in place of Telnet on production networks.
Note: A switch must be configured with local authentication or AAA in order to support SSH.
Step 1: Configure a domain name and hostname.
Enter global configuration mode and set the domain name.
Step 2: Configure a privileged user for login from the SSH client.
Use the username command to create the user ID with the highest possible privilege level and a secret password.
Step 3: Generate the RSA encryption key pair for the switch.
The switch uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA keys with a 1024-bit modulus for this lab. Older IOS releases default to 512 bits and accept 360 to 2,048 bits; current releases accept up to 4,096 bits. SSH version 2 refuses a modulus below 768 bits, and 2,048 bits is the recommended minimum on production devices.
Step 4: Configure SSH version 2
S1-S0000(config)# ip ssh version 2
Step 5: Verify the SSH configuration.
Step 6: Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive using the following commands.
Step 8: Save the running configuration to the startup configuration.
S1-S0000# copy running-config startup-config
Task 2: Configure the SSH Client
SSH from R1 to S1 and S2, or use PuTTY or Tera Term on the PCs; both are terminal emulation programs that support SSHv2 client connections.
Step: Verify SSH connectivity to S1 and S2 from R1.
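The whole of Part 2 on S1 followed by the client check from R1, as an added example (not the lab's own listing). The domain name ccnasecurity.com, the user admin with secret cisco12345, the S1 address 192.168.1.11, and the vty exec-timeout are assumptions; the timeout and retry values match the "more restrictive" intent of Step 6.

```cisco
! Part 2 Task 1 on S1 (repeat on S2). Added example; the domain, username,
! password and the 192.168.1.11 address are assumptions.
configure terminal
! Step 1: hostname is already set; the RSA key name is derived from hostname.domain
ip domain-name ccnasecurity.com
!
! Step 2: local user at privilege 15; "secret" stores a hash, "password" would not
username admin privilege 15 secret cisco12345
!
! Step 3: 1024-bit key for the lab (2048 on production devices; SSHv2 needs >= 768)
crypto key generate rsa general-keys modulus 1024
!
! Step 4: SSHv2 only; v1 has known protocol weaknesses
ip ssh version 2
!
! Step 6: shorter negotiation window, fewer login attempts per session
ip ssh time-out 90
ip ssh authentication-retries 2
!
! vty lines: authenticate against the local user database, accept only SSH
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
exit
end
!
! Step 5/8: verify, then save
show ip ssh
show crypto key mypubkey rsa
copy running-config startup-config
!
! Task 2: from R1's IOS SSH client (-v 2 forces protocol version 2)
! R1-S0000# ssh -v 2 -l admin 192.168.1.11
!
! back on S1, the established session and its version are listed by:
! S1-S0000# show ssh
```

If `show ip ssh` reports "SSH Disabled - version 1.99", the key pair is missing or too small; regenerate it and re-run `ip ssh version 2`.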
Part 3: Configure Secure Trunks and Access Ports
In Part 3, you will configure trunk ports, change the native VLAN for trunk ports, and verify trunk configuration.
Securing trunk ports can help stop VLAN hopping attacks. The best way to prevent a basic VLAN hopping attack is to explicitly disable trunking on all ports except the ports that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking. If no trunking is required on an interface, configure the port as an access port. This disables trunking on the interface.
Note: Tasks should be performed on S1 or S2, as indicated.
Task 1: Secure Trunk Ports
Step 1: Configure S1 as the root switch.
For the purposes of this lab, S2 is currently the root bridge. You will configure S1 as the root bridge by changing the bridge ID priority level.
a. From the console on S1, enter global configuration mode.
b. The default priority for S1 and S2 is 32769 (32768 + 1 with System ID Extension). Set S1 priority to 0 so that it becomes the root switch.
c. Issue the show spanning-tree command to verify that S1 is the root bridge, to see the ports in use, and to see their status.
Step 2: Configure trunk ports on S1 and S2.
a. Configure port G0/1 on S1 as a trunk port.
b. Configure port G0/1 on S2 as a trunk port.
c. Verify that S1 port G0/1 is in trunking mode with the show interfaces trunk command.
Step 3: Change the native VLAN for the trunk ports on S1 and S2.
a. Changing the native VLAN for trunk ports to an unused VLAN helps prevent VLAN hopping attacks.
From the output of the show interfaces trunk command in the previous step, what is the current native VLAN for the S1 G0/1 trunk interface?
Step 6: Verify the configuration with the show run command.
Use the show run command to display the running configuration, beginning with the first line that has the text string “0/1” in it.
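Task 1 on S1 end to end, as an added example rather than the lab's listing: root bridge election, a static trunk with DTP disabled, and a changed native VLAN. VLAN 99 as the unused native VLAN and the explicit allowed-VLAN list are assumptions (the lab only says "an unused VLAN"); VLAN 20 in the list anticipates Part 4.

```cisco
! Part 3 Task 1 on S1; mirror the interface block on S2 G0/1. Added example;
! VLAN 99 as native VLAN and the allowed-VLAN list are assumptions.
configure terminal
!
! Step 1: become root for VLAN 1 (both switches start at priority 32769)
spanning-tree vlan 1 priority 0
!
! Step 3 prerequisite: the native VLAN must exist on both switches
vlan 99
 name NATIVE_UNUSED
exit
!
! Steps 2-3: static trunk, no DTP, unused native VLAN, explicit VLAN list
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,20,99
exit
end
!
! Checks: S1 is root, G0/1 trunks with native VLAN 99, and no DTP is sent
show spanning-tree vlan 1
show interfaces trunk
show interfaces GigabitEthernet0/1 switchport
show dtp interface GigabitEthernet0/1
!
! Step 6: running configuration from the first line containing "0/1"
show run | begin 0/1
```

Change the native VLAN on both ends of the trunk before checking: while the two sides disagree, CDP logs a native VLAN mismatch and STP blocks the mismatched VLAN on that trunk.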
Task 2: Secure Access Ports
Network attackers hope to spoof their system, or a rogue switch that they add to the network, as the root bridge in the topology by manipulating the STP root bridge parameters. If a port that is configured with PortFast receives a BPDU, STP can place the port into the error-disabled state by using a feature called BPDU guard.
Step 1: Disable trunking on S1 access ports.
Step 2: Disable trunking on S2 access ports.
On S2, configure Ga0/18, the port to which PC-B is connected, as access mode only.
Task 3: Protect Against STP Attacks
The topology has only two switches and no redundant paths, but STP is still active. In this step, you will enable switch security features that can help reduce the possibility of an attacker manipulating switches via STP-related methods.
Step 1: Enable PortFast on S1 and S2 access ports.
PortFast is configured on access ports that connect to a single workstation or server, which enables them to become active more quickly.
Step 2: Enable BPDU guard on the S1 and S2 access ports.
BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports.
Note: PortFast and BPDU guard can also be enabled globally with the spanning-tree portfast default and spanning-tree portfast bpduguard default commands in global configuration mode.
Note: BPDU guard can be enabled on all access ports that have PortFast enabled. These ports should never receive a BPDU. BPDU guard is best deployed on user-facing ports to prevent rogue switch network extensions by an attacker. If a port is enabled with BPDU guard and receives a BPDU, it is disabled and must be manually re-enabled. An err-disable timeout can be configured on the port so that it can recover automatically after a specified time period.
b. Verify that BPDU guard is configured by using the show spanning-tree interface g1/1 detail command on S1.
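Tasks 2 and 3 (Steps 1-2) on one user-facing port, as an added example that is not part of the original lab. The interface names follow the lab text (S1 G1/1 for PC-A, S2 Ga0/18 for PC-B); the err-disable recovery timer is an addition beyond the lab's steps.

```cisco
! Part 3 Tasks 2-3 on S1 G1/1 (PC-A); apply the same block on S2 Ga0/18 (PC-B).
! Added example; the errdisable recovery settings go beyond the lab's steps.
configure terminal
interface GigabitEthernet1/1
 ! Task 2: fixed access port, no DTP, so the port can never become a trunk
 switchport mode access
 switchport access vlan 1
 switchport nonegotiate
 ! Task 3 Step 1: skip listening/learning on a host-only port
 spanning-tree portfast
 ! Task 3 Step 2: any BPDU on this port err-disables it
 spanning-tree bpduguard enable
exit
!
! Equivalent global form: every PortFast port gets BPDU guard automatically
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Optional: let a port killed by BPDU guard recover after 300 s instead of
! waiting for a manual shutdown / no shutdown
errdisable recovery cause bpduguard
errdisable recovery interval 300
end
!
! Verification
show spanning-tree interface GigabitEthernet1/1 detail
show spanning-tree summary
show errdisable recovery
! a port that received a BPDU shows up here until it recovers
show interfaces status err-disabled
```

Keep the interface-level commands even when the global defaults are set: a port explicitly configured this way stays protected if someone later removes the global defaults.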
Step 3: Enable root guard.
Root guard is another option to help prevent rogue switches and spoofing. Root guard can be enabled on all ports on a switch that are not root ports. It is normally enabled only on ports connecting to edge switches where a superior BPDU should never be received. Each switch should have only one root port, which is the best path to the root switch.
a. The following command configures root guard on S2 interface Gi0/1. Normally, this is done on a port to which another switch is attached. Root guard is best deployed on ports that connect to switches that should not become the root bridge, so in the lab topology S1 G0/1, the designated port facing S2, is the most logical candidate.
However, S2 Gi0/1 is shown here as an example, as Gigabit ports are more commonly used for interswitch connections. Caution: because S1 is the root bridge, S2 Gi0/1 is S2's root port and receives superior BPDUs from S1. Root guard on a root port places it in the root-inconsistent (blocked) state and cuts the S1-S2 link. Check with the show spanning-tree inconsistentports command and remove the guard with no spanning-tree guard root if the port is listed.
Step 4: Enable Loop Guard
The STP loop guard feature provides additional protection against Layer 2 forwarding loops (STP loops).
An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) no longer receives STP BPDUs. Having all ports in forwarding state will result in forwarding loops. If a port enabled with loopguard stops hearing BPDUs from the designated port on the segment, it goes into the loop inconsistent state instead of transitioning into forwarding state.
Loop inconsistent is basically blocking, and no traffic is forwarded. When the port detects BPDUs again it automatically recovers by moving back into blocking state.
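Steps 3 and 4 together, as an added example (not the lab's own listing). The root guard line follows the lab's choice of S2 Gi0/1; the checks at the end are what tell you whether the guard has blocked something it should not have.

```cisco
! Part 3 Task 3 Steps 3-4 on S2. Added example. Root guard on Gi0/1 follows
! the lab; on S2 this is the root port toward S1, so expect it to block.
configure terminal
interface GigabitEthernet0/1
 spanning-tree guard root
exit
!
! Step 4: loop guard on all non-designated ports at once
spanning-tree loopguard default
!
! Root guard and loop guard are mutually exclusive on a single interface.
! Per-port loop guard is only possible where root guard is not configured:
! interface GigabitEthernet0/2
!  spanning-tree guard loop
end
!
! The check that matters: every port in root-inconsistent or loop-inconsistent
! state is listed here; empty output means nothing is being blocked by a guard
show spanning-tree inconsistentports
show spanning-tree summary
show spanning-tree interface GigabitEthernet0/1 detail
!
! If Gi0/1 is listed as root-inconsistent, move root guard to S1 G0/1 instead:
! S2-S0000(config-if)# no spanning-tree guard root
! S1-S0000(config)# interface GigabitEthernet0/1
! S1-S0000(config-if)# spanning-tree guard root
```

Both guards recover on their own: a root-inconsistent port returns to normal once superior BPDUs stop arriving, and a loop-inconsistent port returns to blocking once BPDUs are heard again, so neither needs the err-disable recovery timer that BPDU guard does.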
Task 4: Configure Port Security and Disable Unused Ports
Switches can be subject to CAM table (MAC address table) overflow, MAC spoofing attacks, and unauthorized connections to switch ports. In this task, you will configure port security to limit the number of MAC addresses that can be learned on a switch port and disable the port if that number is exceeded.
Step 1: Record the R1 Ga0/0 MAC address.
Step 2: Configure basic port security.
This procedure should be performed on all access ports that are in use. S1 port Ga0/5 is shown here as an example.
Step 3: Verify port security on S1 Ga0/0.
a. On S1, issue the show port-security command to verify that port security has been configured on S1 G0/0.
Step 4: Clear the S1 Ga0/0 error disabled status.
Step 5: Remove basic port security on S1 G0/0.
From the S1 console, remove port security on Ga0/5. This procedure can also be used to re-enable the port, but port security commands must be reconfigured.
Step 6: (Optional) Configure port security for VoIP.
This example shows a typical port security configuration for a voice port. Three MAC addresses are allowed and should be learned dynamically. One MAC address is for the IP phone, one is for the switch, and one is for the PC connected to the IP phone. Violations of this policy result in the port being shut down. The aging timeout for the learned MAC addresses is set to two hours.
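Steps 2 through 6 on S1 in one listing, as an added example (not from the lab). The MAC address 0011.2233.4455 is a constructed placeholder for the R1 address recorded in Step 1, the voice VLAN 150 is an assumption, and the aging type inactivity line is an addition beyond the lab's absolute two-hour timer.

```cisco
! Part 3 Task 4 Steps 2-6 on S1. Added example; 0011.2233.4455 stands in for
! the R1 MAC recorded in Step 1, VLAN 150 and "aging type inactivity" are assumptions.
configure terminal
!
! Step 2: port toward R1 (Ga0/5 in the lab text): exactly one, static, MAC;
! anything else shuts the port (shutdown is the default violation mode)
interface GigabitEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.2233.4455
exit
!
! Step 6: voice port: phone, phone's internal switch, PC = 3 dynamically
! learned MACs, aged out after 120 minutes (of inactivity, here) so an
! unplugged PC frees its slot
interface GigabitEthernet1/0
 switchport mode access
 switchport voice vlan 150
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 switchport port-security aging time 120
 switchport port-security aging type inactivity
end
!
! Step 3: verification (status, counters, learned and configured addresses)
show port-security
show port-security interface GigabitEthernet0/5
show port-security address
!
! Step 4: after a violation the port is err-disabled; bounce it to clear
configure terminal
interface GigabitEthernet0/5
 shutdown
 no shutdown
exit
!
! Step 5: remove port security; the static entry is removed separately, and
! all port-security lines must be re-entered if the feature is enabled again
interface GigabitEthernet0/5
 no switchport port-security
 no switchport port-security mac-address 0011.2233.4455
end
```

`show port-security interface` is the line to read after a test: "Port Status: Secure-shutdown" plus a non-zero "Security Violation Count" confirms the violation actually fired rather than the port simply being down.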
Step 7: Disable unused ports on S1 and S2.
As a further security measure, disable ports that are not being used on the switch.
a. Ports G0/0 and G1/2 are used on S1. The remaining ports will be shut down.
Step 8: Move active ports to a VLAN other than the default VLAN 1.
As a further security measure, you can move all active end-user ports and router ports to a VLAN other than the default VLAN 1 on both switches.
Step 9: Configure a port with the PVLAN Edge feature.
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of the Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch. The PVLAN Edge feature can only be implemented for ports on the same switch and is locally significant.
For example, to prevent traffic between host PC-A on S1 (port Ga1/1) and a host on another S1 port (e.g. port Ga3/1, which was previously shut down), you could use the switchport protected command to activate the PVLAN Edge feature on these two ports. Use the no switchport protected interface configuration command to disable the protected port feature.
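Steps 7 through 9 on S1, as an added example that is not the lab's listing. Which interface ranges are unused is an assumption (the lab text names only G0/0 and G1/2 as in use), as is the black-hole VLAN 999 for shut ports; VLAN 20 follows the lab.

```cisco
! Part 3 Task 4 Steps 7-9 on S1. Added example; the unused ranges and the
! black-hole VLAN 999 are assumptions, VLAN 20 is the lab's choice.
configure terminal
!
! Step 7: unused ports: access mode (no trunking), parked in a VLAN that
! carries nothing, and administratively down
vlan 999
 name BLACKHOLE
exit
interface range GigabitEthernet2/0 - 3 , GigabitEthernet3/0 - 3
 switchport mode access
 switchport access vlan 999
 shutdown
exit
!
! Step 8: active end-user and router ports off the default VLAN 1
vlan 20
 name USERS
exit
interface range GigabitEthernet0/0 , GigabitEthernet1/2
 switchport access vlan 20
exit
!
! Step 9: PVLAN Edge: no Layer 2 traffic between protected ports on this switch
interface range GigabitEthernet1/1 , GigabitEthernet3/1
 switchport protected
exit
end
!
! Verification
show interfaces status
show vlan brief
show interfaces GigabitEthernet1/1 switchport | include Protected
```

Protected ports still reach each other through a Layer 3 device: the feature blocks direct switching only, so if PC-A and the host on Ga3/1 share a gateway on R1, traffic routed via R1 is unaffected.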
Part 4: Configure DHCP Snooping
DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. It enables only authorized DHCP servers to respond to DHCP requests and distribute network information to clients.
Task 1: Set Up DHCP
Step 1: Set up DHCP on R1 for VLAN 1.
Step 2: Set up DHCP on R1 for VLAN 20.
Task 2: Configure Inter-VLAN Communication
Step 1: Configure subinterfaces on R1.
Step 4: Verify DHCP operation.
Use ipconfig at the command prompt of PC-A and PC-B.
Task 3: Configure DHCP Snooping
Step 1: Enable DHCP snooping globally.
Step 2: Enable DHCP snooping for VLAN 1 and 20.
Step 3: Limit the number of DHCP requests on an interface.
Step 4: Identify the trusted interface(s). DHCP responses are only permitted through trusted ports.
Step 5: Verify DHCP snooping configuration.
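Part 4 in one listing, as an added example (not the lab's own configuration): the R1 side for Tasks 1 and 2, then DHCP snooping on S1 for Task 3. Assumptions: R1 connects to S1 on G0/0 through a trunk (needed for subinterfaces), VLAN 20 is 192.168.20.0/24 with R1 at .1, VLAN 1 keeps 192.168.1.1 from Part 1, the S1 port toward R1 is Ga0/5, and the relay trust line covers the option 82 behaviour described in the usage note.

```cisco
! Part 4 (added example). Assumed: R1 G0/0 trunked to S1, VLAN 20 =
! 192.168.20.0/24, S1 Ga0/5 faces R1, S1 G0/1 is the trunk to S2.
!
! --- R1: Task 2 subinterfaces and Task 1 DHCP pools ---
configure terminal
interface GigabitEthernet0/0
 no ip address
 no shutdown
interface GigabitEthernet0/0.1
 encapsulation dot1q 1
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1q 20
 ip address 192.168.20.1 255.255.255.0
exit
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.20.1 192.168.20.20
ip dhcp pool VLAN1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
exit
! A snooping switch inserts option 82 with giaddr 0; the IOS DHCP server
! drops such requests unless told to trust them
ip dhcp relay information trust-all
end
!
! --- S1: Task 3 DHCP snooping (repeat on S2 with only G0/1 trusted) ---
configure terminal
! Step 1: global enable
ip dhcp snooping
! Step 2: the VLANs to police
ip dhcp snooping vlan 1,20
! Step 3: untrusted user port: at most 10 DHCP packets per second
interface GigabitEthernet1/1
 ip dhcp snooping limit rate 10
exit
! Step 4: only these ports may carry DHCP server replies
interface GigabitEthernet0/5
 ip dhcp snooping trust
interface GigabitEthernet0/1
 ip dhcp snooping trust
end
!
! Step 5: verification: VLANs, trusted ports, rate limits, then leases seen
show ip dhcp snooping
show ip dhcp snooping binding
!
! Task 2 Step 4 on the PCs (Windows):  ipconfig /release  then  ipconfig /renew
! and on R1:  show ip dhcp binding
```

If the PCs stop receiving leases right after snooping is enabled, the option 82 insertion is the first thing to check: either keep the `ip dhcp relay information trust-all` line on R1 or disable insertion on the switches with `no ip dhcp snooping information option`. A port that exceeds its rate limit is err-disabled, and shows up in `show interfaces status err-disabled`.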