IP Addressing Table
Device  Interface  IP Address     Subnet Mask     Default Gateway  Switch Port
R1      Fa0/1      192.168.1.1    255.255.255.0   N/A              S1 FA0/5
S1      VLAN 1     192.168.1.2    255.255.255.0   N/A              N/A
S2      VLAN 1     192.168.1.3    255.255.255.0   N/A              N/A
PC-A    NIC        192.168.1.10   255.255.255.0   192.168.1.1      S1 FA0/6
PC-B    NIC        192.168.1.11   255.255.255.0   192.168.1.1      S2 FA0/18
Objectives
Part 1: Configure Basic Switch Settings
- Build the topology.
- Configure the host name, IP address, and access passwords.
Part 2: Configure SSH Access to the Switches
All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 32
CCNA Security
- Configure SSH access on the switch.
- Configure an SSH client to access the switch.
- Verify the configuration.
Part 3: Secure Trunks and Access Ports
- Configure trunk port mode.
- Change the native VLAN for trunk ports.
- Verify trunk configuration.
- Enable storm control for broadcasts.
- Configure access ports.
- Enable PortFast and BPDU guard.
- Verify BPDU guard.
- Enable root guard.
- Configure port security.
- Verify port security.
- Disable unused ports.
Part 4: Configure SPAN and Monitor Traffic
- Configure Switched Port Analyzer (SPAN).
- Monitor port activity using Wireshark.
- Analyze a sourced attack.
Background
The Layer 2 (Data Link) infrastructure consists mainly of interconnected Ethernet switches. Most end-user devices, such as computers, printers, IP phones and other hosts, connect to the network via Layer 2 access switches. As a result, they can present a network security risk. Similar to routers, switches are subject to attack from malicious internal users. The switch Cisco IOS software provides many security features that are specific to switch functions and protocols.

In this lab, you configure SSH access and Layer 2 security for switches S1 and S2. You also configure various switch protection measures, including access port security, switch storm control, and Spanning Tree Protocol (STP) features such as BPDU guard and root guard. Lastly, you use Cisco SPAN to monitor traffic to specific ports on the switch.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). The switch commands and output are from a Cisco WS-C2960-24TT-L with Cisco IOS Release 12.2(46)SE (C2960-LANBASEK9-M image). Other routers, switches, and IOS versions may be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router or switch model and IOS version, the commands available and output produced might vary from what is shown in this lab.

Note: Make sure that the router and the switches have been erased and have no startup configurations.
Instructor Note: Instructions for erasing switches and routers are provided in the Lab Manual, located on Academy Connection in the Tools section.
Required Resources
- One router (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
- Two switches (Cisco 2960 or comparable with cryptography IOS image for SSH support – Release 12.2(46)SE or comparable)
- PC-A (Windows XP or Vista with a PuTTY SSH client and Wireshark)
- PC-B (Windows X or Vista with a PuTTY SSH client and SuperScan)
- Ethernet cables as shown in the topology
- Rollover cables to configure the switches via the console
Instructor Notes: This lab is divided into four parts. Each part can be administered individually or in combination with others as time permits. The focus is configuring security measures on switches S1 and S2. Router R1 serves as a realistic gateway connection and is mainly used to change the MAC address connected to switch S1 for port security testing. Students can work in teams of two for switch configuration, one person configuring S1 and the other configuring S2. The basic running configs for the router and two switches are captured after Parts 1 and 2 of the lab are completed. The running configs for S1 and S2 are captured after Parts 3 and 4 and are listed separately. All configs are found at the end of the lab.
S1(config-if)#no shutdown

c. Configure the enable secret and console passwords.
S1(config)#enable secret cisco12345
S1(config)#line console 0
S1(config-line)#password ciscoconpass
S1(config-line)#exec-timeout 5 0
S1(config-line)#login
S1(config-line)#logging synchronous

Note: Do not configure the switch vty access at this time. The vty lines are configured on the switches in Part 2 for SSH access.

d. Configure the vty lines and password on R1.
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login

e. To prevent the router or switch from attempting to translate incorrectly entered commands, disable DNS lookup. Router R1 is shown here as an example.
R1(config)#no ip domain-lookup

f. HTTP access to the switch is enabled by default. To prevent HTTP access, disable the HTTP server and HTTP secure server.
S1(config)#no ip http server
S1(config)#no ip http secure-server

Note: The switch must have a cryptography IOS image to support the ip http secure-server command. HTTP access to the router is disabled by default.
Step 5: Save the basic configurations for the router and both switches.
Save the running configuration to the startup configuration from the privileged EXEC prompt.
S1#copy running-config startup-config
Task 1: Configure the SSH Server on Switch S1 and S2 Using the CLI
In this task, use the CLI to configure the switch to be managed securely using SSH instead of Telnet. Secure Shell (SSH) is a network protocol that establishes a secure terminal emulation connection to a switch or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals.

Note: For a switch to support SSH, it must be configured with local authentication, AAA services or username. In this task, you configure an SSH username and local authentication on S1 and S2. S1 is shown here as an example.
Step 1: (Optional) Download and install an SSH client on PC-A and PC-B.
If the SSH client is not already installed, download either TeraTerm or PuTTY.

Note: The procedure described here is for PuTTY and pertains to PC-A.
c. Verify that the SSH radio button is selected. PuTTY defaults to SSH version 2.
d. Click Open.
e. In the PuTTY Security Alert window, click Yes.
f. Enter the admin username and password cisco12345 in the PuTTY window.
g. At the S1 privileged EXEC prompt, enter the show users command.
S1#show users

What users are connected to switch S1 at this time? You should see at least two users, one for your console connection and another for the SSH interface.

    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:03:15
   1 vty 0     admin      idle                 00:00:33   192.168.1.10
h. Close the PuTTY SSH session window with the exit or quit command.
i. Try to open a Telnet session to switch S1 from PC-A. Were you able to open the Telnet session? Why or why not? No, the Telnet session fails because only SSH is enabled as input for the vty lines.
S1#show spanning-tree
(the beginning of the output, including the Root ID section, was lost in extraction; only its Forward Delay survived)
                                                 Forward Delay 15 sec

  Bridge ID  Priority    1      (priority 0 sys-id-ext 1)
             Address     001d.4675.0c80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/5            Desg FWD 19        128.5    P2p
Fa0/6            Desg FWD 19        128.6    P2p
d. What is the S1 priority? 1 (priority 0 plus sys-id-ext 1)
e. What ports are in use and what is their status? Fa0/1, Fa0/5 and Fa0/6. All are FWD (forwarding).
Step 3: Change the native VLAN for the trunk ports on S1 and S2.
Changing the native VLAN for trunk ports to an unused VLAN helps prevent VLAN hopping attacks.

a. From the output of the show interfaces trunk in the previous step, what is the current native VLAN for the S1 Fa0/1 trunk interface? It is set to the default VLAN 1.

b. Set the native VLAN on the S1 Fa0/1 trunk interface to an unused VLAN 99.
S1(config)#interface Fa0/1
S1(config-if)#switchport trunk native vlan 99
S1(config-if)#end

c. The following message should be displayed after a brief period of time.
02:16:28: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).
What does the message mean? The S1 Fa0/1 native VLAN is now 99, but the S2 native VLAN is still 1. Both ends of the trunk must share the same native VLAN for trunking to occur.

f. Set the native VLAN on the S2 Fa0/1 trunk interface to VLAN 99.
S2(config)#interface Fa0/1
S2(config-if)#switchport trunk native vlan 99
S2(config-if)#end
S1#show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
c. Verify that BPDU guard is configured by using the show spanning-tree interface fa0/5 detail command on switch S1.
S1#show spanning-tree interface fa0/5 detail
 Port 5 (FastEthernet0/5) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.5.
   Designated root has priority 1, address 001d.4675.0c80
   Designated bridge has priority 1, address 001d.4675.0c80
   Designated port id is 128.5, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   BPDU: sent 3349, received 0
i. On the switch, use the various show port-security commands to verify that port security has been violated.
S1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  1         Shutdown
---------------------------------------------------------------------------

S1#show port-security interface fastethernet0/5
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aaaa.bbbb.cccc:1
Security Violation Count   : 1

S1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    001b.5325.256f    SecureConfigured    Fa0/5        -
-------------------------------------------------------------------

j. On the router, shut down the Fast Ethernet 0/1 interface, remove the hard-coded MAC address from the router, and re-enable the Fast Ethernet 0/1 interface.
R1(config)#interface FastEthernet 0/1
R1(config-if)#shutdown
R1(config-if)#no mac-address aaaa.bbbb.cccc
R1(config-if)#no shutdown

Note: This will restore the original FastEthernet interface MAC address.

k. From R1, try to ping the PC-A again at 192.168.1.10. Was the ping successful? Why or why not? No, the S1 Fa0/5 port is still in an err-disabled state.
b. From R1, ping PC-A again. You should be successful this time.
R1#ping 192.168.1.10
mac-address 001b.5325.256f
b. You can also use the following commands to reset the interface to its default settings.
S1(config)#interface FastEthernet 0/5
S1(config-if)#shutdown
S1(config-if)#exit
S1(config)#default interface fastethernet 0/5
S1(config)#interface FastEthernet 0/5
S1(config-if)#no shutdown

Note: The default interface command also requires you to reconfigure the port as an access port in order to re-enable the security commands.
b. Ports Fa0/18 and Gi0/1 are used on switch S2. The remaining Fast Ethernet ports and the Gigabit Ethernet ports will be shut down.
S2(config)#interface range Fa0/2 - 17
S2(config-if-range)#shutdown
S2(config-if-range)#interface range Fa0/19 - 24
S2(config-if-range)#shutdown
S2(config-if-range)#exit
S2(config)#interface gigabitethernet0/2
S2(config-if)#shutdown
Step 8: (Optional) Move active ports to a VLAN other than the default VLAN 1
As a further security measure, you can move all active end user and router ports to a VLAN other than the default VLAN 1 on both switches.

a. Configure a new VLAN for users on each switch using the following commands:
S1(config)#vlan 20
S1(config-vlan)#name Users
S2(config)#vlan 20
S2(config-vlan)#name Users

b. Add the current active access (non-trunk) ports to the new VLAN.
S1(config)#interface range fa0/5 - 6
S1(config-if)#switchport access vlan 20
S2(config)#interface fa0/18
S2(config-if)#switchport access vlan 20

Note: This will prevent communication between end user hosts and the management VLAN IP address of the switch, which is currently VLAN 1. The switch can still be accessed and configured using the console connection. If you need to provide Telnet or SSH access to the switch, a specific port can be designated as the management port and added to VLAN 1 with a specific management workstation attached. A more elaborate solution is to create a new VLAN for switch management (or use the existing native trunk VLAN 99) and configure a separate subnet for the management and user VLANs. Enable trunking with subinterfaces on R1 to route between the management and user VLAN subnets.
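The hardening applied in Parts 2 and 3 can be checked mechanically against a switch's running-config, such as the S1 and S2 configs listed at the end of this lab. The following is an added example, not part of the lab or of Cisco IOS: the block parser, the wording of the checks and the sample config are constructed here, and the sample deliberately leaves two gaps for the audit to find.

```python
"""Audit a Cisco IOS switch running-config for this lab's hardening steps.

Added example, not part of the lab or of Cisco IOS: the block parser, the check
wording and SAMPLE_CONFIG are constructed here. Checks mirror Part 2 (SSH-only
vty lines, local login, HTTP server off) and Part 3 (trunk native VLAN moved off
VLAN 1, port security and BPDU guard on access ports, unused ports shut down).
"""

# Constructed sample shaped like the S1 configs at the end of the lab, with two
# deliberate gaps: Fa0/6 has no port security and Fa0/7 is unused but not shut down.
SAMPLE_CONFIG = """\
hostname S1
!
no ip http server
!
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security mac-address 001b.5325.256f
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
!
interface FastEthernet0/8
 shutdown
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 no login
!
end
"""


def parse_blocks(config):
    """Group a running-config into {block header: [sub-commands]}; 'interface'
    and 'line' headers open blocks, other top-level commands go under 'global'."""
    blocks = {"global": []}
    current = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line in ("!", "end"):
            current = "global"  # block terminator
        elif line.startswith(" "):
            blocks[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks.setdefault(current, [])
        else:
            blocks["global"].append(line)
    return blocks


def audit(config):
    """Return a sorted list of (object, finding) pairs for hardening gaps."""
    blocks = parse_blocks(config)
    findings = []
    for header, cmds in blocks.items():
        cmdset = set(cmds)
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            if name.startswith(("Vlan", "Port-channel")):
                continue  # logical interfaces are neither access nor trunk ports
            if "switchport mode trunk" in cmdset:
                native = [c.split()[-1] for c in cmds
                          if c.startswith("switchport trunk native vlan ")]
                if not native or native[0] == "1":
                    findings.append((name, "trunk native VLAN left at default VLAN 1"))
            elif "switchport mode access" in cmdset:
                if "switchport port-security" not in cmdset:
                    findings.append((name, "access port without port security"))
                if "spanning-tree bpduguard enable" not in cmdset:
                    findings.append((name, "access port without BPDU guard"))
            elif "shutdown" not in cmdset:
                findings.append((name, "unused port not shut down"))
        elif header.startswith("line vty") and "no login" not in cmdset:
            if "transport input ssh" not in cmdset:
                findings.append((header, "vty lines accept transports other than SSH"))
            if "login local" not in cmdset:
                findings.append((header, "vty lines do not use local login"))
    if "no ip http server" not in blocks["global"]:
        findings.append(("global", "HTTP server not disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_CONFIG):
        print(f"{obj}: {finding}")
```

Feed it the text of show running-config copied from S1 or S2; a clean run returns an empty list.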
Note: SPAN allows you to select and copy traffic from one or more source switch ports or source VLANs onto one or more destination ports.
Task 1: Option 1 - Configure a SPAN Session Using Hands-on Equipment.
Note: Option 1 assumes you have physical access to the devices shown in the topology for this lab. NETLAB+ users accessing lab equipment remotely should proceed to Task 2: Option 2.

Step 1: Configure a SPAN session on S1 with a source and destination
a. Set the SPAN source interface using the monitor session command in global configuration mode. The following configures a SPAN source port on FastEthernet 0/5 for ingress and egress traffic. Traffic copied on the source port can be ingress only, egress only or both. Switch S1 port Fa0/5 is connected to router R1, so traffic to (ingress) and from (egress) switch port Fa0/5 to R1 will be monitored.
S1(config)#monitor session 1 source interface fa0/5 both

Note: You can specify to monitor tx (transmit) or rx (receive) traffic. The keyword both includes tx and rx. The source can be a single interface, a range of interfaces, a single VLAN, or a range of VLANs.

b. Set the SPAN destination interface.
S1(config)#monitor session 1 destination interface fa0/6

All traffic from S1 Fa0/5, where R1 is connected, will be copied to the SPAN destination port Fa0/6, where PC-A with Wireshark is connected.

Note: The destination can be an interface or a range of interfaces.
b. Click I Agree to the License agreement and accept the defaults by clicking Next when prompted.

Note: On the Install WinPcap screen, select the install WinPcap options and select the Start WinPcap service option if you want to have other users besides those with administrative privileges run Wireshark.
Step 4: Monitor switch S1 port Fa0/5 ping activity using Wireshark on PC-A.
a. If Wireshark is available, start the application.
b. From the main menu, select Capture > Interfaces.
c. Click the Start button for the local area network interface adapter with IP address 192.168.1.10.
d. Generate some traffic from PC-B (192.168.1.11) to R1 interface Fa0/1 (192.168.1.1) using ping. This traffic will go from S2 port Fa0/18 to S2 port Fa0/1 across the trunk link to S1 port Fa0/1 and then exit interface Fa0/5 on S1 to reach R1.
PC-B:\>ping 192.168.1.1

e. Observe the results in Wireshark on PC-A. Notice the initial ARP request broadcast from PC-B (Intel NIC) to determine the MAC address of the R1 Fa0/1 interface with IP address 192.168.1.1 and the ARP reply from the R1 Cisco Ethernet interface. After the ARP request, the pings (echo request and replies) can be seen going from PC-B to R1 and from R1 to PC-B through the switch.

Note: Your screen should look similar to the one below. Some additional packets might be captured in addition to the pings, such as the R1 Fa0/1 LOOP reply.
Step 5: Monitor switch S1 port Fa0/5 SuperScan activity using Wireshark on PC-A.
a. If SuperScan is not on PC-B, download the SuperScan 4.0 tool from the Scanning Tools group at http://www.foundstone.com. Unzip the file into a folder. The SuperScan4.exe file is executable and installation is not required.
b. Start the SuperScan program on PC-B. Click the Host and Service Discovery tab. Check the Timestamp Request check box, and uncheck the Echo Request check box. Scroll through the UDP and TCP port selection lists and notice the range of ports that will be scanned.
c. In the SuperScan program, click the Scan tab and enter the IP address of R1 FA0/1 (192.168.1.1) in the Hostname/IP field.
d. Click the right arrow to populate the Start IP and End IP fields.
e. Clear the previous capture in Wireshark and start a new capture by clicking Capture > Start. When prompted, click the Continue without saving button.
f. In the SuperScan program, click the blue arrow button in the lower left to start the scan.
g. Observe the results in the Wireshark window on PC-A. Notice the number and types of ports tried by the simulated SuperScan attack from PC-B (192.168.1.11) to R1 Fa0/1 (192.168.1.1). Your screen should look similar to the following:
Note: Switch S2 is acting as a regular switch, forwarding frames based on destination MAC addresses and switch ports. The traffic entering S2 through port Fa0/1 uses R1's MAC address as the destination of the Ethernet frame; therefore, in order to forward those packets to PC-B, R1's MAC address must be the same as PC-B's. To accomplish this, R1's Fa0/1 MAC address is modified using the IOS CLI to simulate PC-B's MAC address. This requirement is specific to the NETLAB+ environment.
Step 1: Configure a SPAN session on S1 with Source and Destination:
a. Return Fa0/1 on S1 and S2 to its default configuration. This link, S1 Fa0/1 to S2 Fa0/1, is going to be used to carry the traffic being monitored.
S1(config)#default interface fastethernet 0/1
S2(config)#default interface fastethernet 0/1

b. Write down the MAC address for PC-B.
PC-B's MAC Address: Answer will vary. PC-B's MAC Address in this example is 000c.299a.e61a.

c. Configure PC-B's MAC address on R1's Fa0/1.
R1(config)#interface fa0/1
R1(config-if)#mac-address 000c.299a.e61a

d. Set the SPAN source interface using the monitor session command in global configuration mode. The following configures a SPAN source port on fastethernet0/5 for egress traffic. Traffic copied on the source port can be ingress only, egress only or both. In this case, the egress traffic is the only one analyzed. On switch S1, port Fa0/5 is connected to router R1, so traffic leaving switch port Fa0/5 toward R1 will be monitored.
S1(config)#monitor session 1 source interface fa0/5 tx
Note: The source can be a single interface, a range of interfaces, a single VLAN, or a range of VLANs.

e. Set the SPAN destination interface.
S1(config)#monitor session 1 destination interface fa0/1

All egress traffic from S1 Fa0/5, where R1 is connected, will be copied to the SPAN destination port Fa0/1, where PC-B with Wireshark is connected.

Note: The destination can be an interface or a range of interfaces.
Step 4: Monitor Switch S1 port Fa0/5 ping activity using Wireshark on PC-B
a. If Wireshark is available, start the application.
b. From the main menu, select Capture > Interfaces.
c. Click the Start button for the local area network interface adapter.
d. Generate some traffic from PC-A (192.168.1.10) to R1 interface Fa0/1 (192.168.1.1) using ping. This traffic will go from S1 port Fa0/6 to S1 port Fa0/5. In addition, the traffic going from PC-A to R1 interface Fa0/1 is forwarded across the link between S1 and S2, and then S2 will forward this traffic to PC-B, where Wireshark is capturing the packets. Before pinging, delete the ARP table on PC-A, so an ARP request will be generated. Note that the SPAN session is configured only on S1, and S2 is operating as a normal switch.
C:\>arp -d *
C:\>ping 192.168.1.1

e. Observe the results in Wireshark on PC-B. Notice the initial ARP request broadcast from PC-A to determine the MAC address of the R1 Fa0/1 interface with IP address 192.168.1.1 and the ARP reply from the R1 Cisco Ethernet interface. After the ARP request, the pings (echo requests) can be seen going from PC-A to R1 through the switch.
Note: Your screen should look similar to the one below. There may be some additional packets captured, in addition to the pings, such as the R1 Fa0/1 LOOP Reply and Spanning Tree packets.
Step 5: Monitor Switch S1 port Fa0/5 SuperScan activity using Wireshark on PC-B
a. If SuperScan is not on PC-A, download the SuperScan 4.0 tool from the Scanning Tools group at http://www.foundstone.com. Unzip the file into a folder. The SuperScan4.exe file is executable and installation is not required.
b. Start the SuperScan program on PC-A. Click the Host and Service Discovery tab. Check the Timestamp Request check box and uncheck the Echo Request check box. Scroll the UDP and TCP port selection lists and notice the range of ports that will be scanned.
c. In the SuperScan program, click the Scan tab and enter the IP address of R1 FA0/1 (192.168.1.1) in the Hostname/IP field.
d. Click the right-facing arrow to populate the Start and End IP fields.
e. Clear the previous capture in Wireshark and start a new capture by clicking Capture > Start, and when prompted click the Continue without saving button.
f. In the SuperScan program, click the button with the blue arrow in the lower left of the screen to start the scan.
g. Observe the results in the Wireshark window on PC-B. Notice the number and types of ports tried by the simulated SuperScan attack from PC-A (192.168.1.11) to R1 Fa0/1 (192.168.1.1). Your screen should look similar to the following:
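The captures taken in Step 5 of Option 1 (on PC-A) and Step 5 of Option 2 (on PC-B) both show one host probing many ports on R1 within a short time, while the Step 4 captures show only ARP and ICMP. The following is an added example, not part of the lab: it runs a simple fan-out detector over constructed packet summaries shaped like Wireshark's packet list (timestamp, source, destination, protocol, destination port); the field layout and the thresholds are this example's own choices.

```python
"""Pick out SuperScan-style probing in traffic copied by the SPAN session.

Added example, not part of the lab: CAPTURE is a constructed packet list shaped
like Wireshark's summary rows on the SPAN destination (the ping exchange of
Step 4 followed by a probe burst like the one Step 5 shows). Field names and the
thresholds are this example's own choices.
"""
from collections import defaultdict

# (time in seconds, source IP, destination IP, protocol, destination port)
# Constructed: ARP resolution of R1 followed by two echo request/reply pairs.
CAPTURE = [
    (0.000, "192.168.1.11", "192.168.1.1", "ARP", None),
    (0.001, "192.168.1.1", "192.168.1.11", "ARP", None),
    (0.010, "192.168.1.11", "192.168.1.1", "ICMP", None),
    (0.011, "192.168.1.1", "192.168.1.11", "ICMP", None),
    (1.010, "192.168.1.11", "192.168.1.1", "ICMP", None),
    (1.011, "192.168.1.1", "192.168.1.11", "ICMP", None),
]
# Constructed probe burst: one source tries many TCP and UDP ports on R1 in half a second.
TCP_PROBED = (21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
              443, 445, 993, 995, 1433, 1723, 3306, 3389, 5900, 8080)
UDP_PROBED = (53, 67, 69, 123, 137, 138, 161, 500, 514, 1900)
CAPTURE += [(5.0 + i * 0.01, "192.168.1.11", "192.168.1.1", "TCP", p)
            for i, p in enumerate(TCP_PROBED)]
CAPTURE += [(5.3 + i * 0.01, "192.168.1.11", "192.168.1.1", "UDP", p)
            for i, p in enumerate(UDP_PROBED)]


def detect_scans(packets, min_ports=15, window_s=2.0):
    """Return {(src, dst): n} for host pairs where the source touched at least
    min_ports distinct (protocol, port) targets within any window_s seconds.

    ARP and ICMP rows carry no port and are ignored, so the ping exchange of
    Step 4 never trips the detector; only TCP/UDP fan-out does.
    """
    by_pair = defaultdict(list)
    for t, src, dst, proto, port in packets:
        if proto in ("TCP", "UDP") and port is not None:
            by_pair[(src, dst)].append((t, proto, port))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_s seconds.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            distinct = {(proto, port) for _, proto, port in events[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_ports:
            hits[pair] = best
    return hits


def protocol_summary(packets):
    """Count rows per protocol, the way one would eyeball Wireshark's Protocol column."""
    counts = defaultdict(int)
    for _, _, _, proto, _ in packets:
        counts[proto] += 1
    return dict(counts)


if __name__ == "__main__":
    print(protocol_summary(CAPTURE))
    for (src, dst), n in detect_scans(CAPTURE).items():
        print(f"{src} probed {n} distinct ports on {dst}")
```

To run it against a real capture, export the Wireshark packet list and map its columns onto the same five-field tuples.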
Step 6: Reflection.
a. Why should port security be enabled on switch access ports? Answers will vary, but should include that port security allows a limited number of hosts to use the port and a PC cannot be connected and use the network without authorization.
b. Why should port security be enabled on switch trunk ports? Answers will vary, but should include that trunk security can help to prevent VLAN hopping and STP attacks from rogue switches.
c. Why should unused ports on a switch be disabled? Answers will vary, but should include that an unauthorized device cannot be plugged into an unused switch port and use the network, because the unused ports have to be administratively enabled to be utilized.
Router Interface Summary

Router Model  Ethernet Interface #1      Ethernet Interface #2      Serial Interface #1     Serial Interface #2
1800          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2600          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0 (S0/0)       Serial 0/1 (S0/1)
2800          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password ciscoconpass
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 password ciscovtypass
 login
!
scheduler allocate 20000 1000
end

R1#
Current configuration : 1670 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 <hash>
!
username admin privilege 15 secret 5 <hash>
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip domain-name ccnasecurity.com
!
crypto pki trustpoint TP-self-signed-1177881728
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1177881728
 revocation-check none
 rsakeypair TP-self-signed-1177881728
!
crypto pki certificate chain TP-self-signed-1177881728
 certificate self-signed 01
  <self-signed certificate data omitted>
  quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password ciscoconpass
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 no login
!
end

S1#
crypto pki certificate chain TP-self-signed-1177881728
 certificate self-signed 01
  <self-signed certificate data omitted>
  quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
 no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password ciscoconpass
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 no login
!
end
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$<hash illegible in source>
!
username admin privilege 15 secret 5 $1$<hash illegible in source>
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip domain-name ccnasecurity.com
!
crypto pki trustpoint TP-self-signed-1177881728
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1177881728
 revocation-check none
 rsakeypair TP-self-signed-1177881728
!
crypto pki certificate chain TP-self-signed-1177881728
 certificate self-signed 01
  <certificate hex dump omitted>
  quit
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50.00
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password ciscoconpass
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 no login
!
monitor session 1 source interface Fa0/5
monitor session 1 destination interface Fa0/6
  <certificate hex dump omitted>
  quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50.00
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 spanning-tree guard root
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
 no ip route-cache
!
no ip http server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password ciscoconpass
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 login local
line vty 5 15
 no login
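The final S1 and S2 listings above show the hardening the lab applies: vty lines restricted to SSH, the trunk pinned with switchport nonegotiate and native VLAN 99, PortFast with BPDU guard on the access ports, root guard on S2 Gi0/1, and every unused port shut down. A quick way to verify that a switch actually ended up in that state is to audit its running-config text. The script below is an added example and is not part of the lab or of Cisco's material; SAMPLE_CONFIG is a constructed, abbreviated excerpt modelled on the S1 final configuration, with two deliberately unhardened ports (Fa0/7 and Gi0/1) added so the audit has something to report. Applied to the S2 final listing above, the same check reports the vty 0 4 line, which has login local but no transport input ssh.

```python
"""Audit a Cisco IOS switch running-config for the Layer 2 hardening this
lab applies: SSH-only vty lines, trunks with nonegotiate and a non-default
native VLAN, BPDU guard and port security on access ports, unused ports shut
down.  Added example, not part of the lab."""

# Constructed excerpt modelled on the S1 final configuration in this lab.
# It is abbreviated and intentionally includes two weak ports (Fa0/7 and
# Gi0/1) so the audit has findings to report.
SAMPLE_CONFIG = """\
hostname S1
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50.00
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 password ciscoconpass
 login
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 no login
"""


def parse_blocks(config):
    """Map each 'interface ...' or 'line ...' command to its indented
    subcommands, e.g. {'interface FastEthernet0/1': ['switchport ...']}."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(("interface ", "line ")):
            current = line.strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:                       # '!' separators and global commands
            current = None
    return blocks


def native_vlan(cmds):
    """Native VLAN of a trunk; IOS defaults to VLAN 1 when none is set."""
    for c in cmds:
        if c.startswith("switchport trunk native vlan "):
            return int(c.rsplit(" ", 1)[1])
    return 1


def audit(config):
    """Return a sorted list of findings (empty when every check passes)."""
    findings = []
    for name, cmds in parse_blocks(config).items():
        if name.startswith("line vty"):
            # 'no login' refuses every session, so only lines that accept
            # logins need the SSH-only transport restriction.
            if "no login" not in cmds and "transport input ssh" not in cmds:
                findings.append(f"{name}: accepts logins without "
                                "'transport input ssh' (Telnet allowed)")
            continue
        if not name.startswith("interface ") or "Vlan" in name:
            continue
        port = name.split(" ", 1)[1]
        if "shutdown" in cmds:
            continue                # disabled unused port: correct
        if "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                findings.append(f"{port}: trunk still negotiates DTP")
            if native_vlan(cmds) == 1:
                findings.append(f"{port}: trunk uses native VLAN 1")
        elif "switchport mode access" in cmds:
            if "spanning-tree bpduguard enable" not in cmds:
                findings.append(f"{port}: access port without BPDU guard")
            if not any(c.startswith("switchport port-security") for c in cmds):
                findings.append(f"{port}: access port without port security")
        else:
            findings.append(f"{port}: enabled but neither configured nor shut down")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The port-security check reflects the lab's objective list rather than these particular listings, which configure access mode, PortFast and BPDU guard but no switchport port-security commands; feed the script the output of show running-config from the real switch and compare its findings with the configuration you intended to apply.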