

Step 2: Run SuperScan and set scanning options.

a. Start the SuperScan program on PC-A.

b. Click the Host and Service Discovery tab. Check the Timestamp Request check box, and uncheck
the Echo Request check box.

c. Scroll the UDP and TCP port selection lists and notice the range of ports that will be scanned.




d. Click the Scan tab and enter the IP address of R2 S0/0/0 (10.1.1.2) in the Hostname/IP field.

Note: You can also specify an address range, such as 10.1.1.1 to 10.1.1.254, by entering an address
in the Start IP and End IP fields. The program scans all hosts with addresses in the range specified.

e. To start the scan, click the button with the blue arrow at the bottom left of the screen. Results of the
scan are shown in the SuperScan window.

f. How many open TCP and UDP ports did SuperScan find on R2? Why do you think this is?
________________________________________________________________________________

g. Exit SuperScan.


Step 3: Observe the Syslog messages on R1.

You should see syslog entries on the R1 console and on the syslog server if it is enabled. The
descriptions should include phrases such as “Invalid DHCP Packet” and “DNS Version Request.”
R1#
*Jan 6 19:43:35.611: %IPS-4-SIGNATURE: Sig:6054 Subsig:0 Sev:50 DNS Version Request [192.168.1.3:1076 -> 10.1.1.2:53] VRF:NONE RiskRating:50
*Jan 6 19:43:35.851: %IPS-4-SIGNATURE: Sig:4619 Subsig:0 Sev:75 Invalid DHCP Packet [192.168.1.3:1096 -> 10.1.1.2:67] VRF:NONE RiskRating:75


a. What is the IPS risk rating or severity level (Sev:) of the DNS version request, signature 6054? _____

b. What is the IPS risk rating or severity level (Sev:) of the Invalid DHCP Packet, signature 4619? _____

c. Which signature is considered by IPS to be more of a threat? _______________________________
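The three questions above come down to reading the Sev and RiskRating fields out of each message. The following Python script is an added example, not part of the lab: it re-joins %IPS-4-SIGNATURE messages that the console wrapped across lines (as in the output above), parses the signature ID, severity, addresses and risk rating, ranks the events by risk, and totals hits per source address. The log text is constructed: the first two messages are the ones shown above, the ICMP echo request message and its field values (Sev and RiskRating of 25) are assumed, and the %SYS-5-CONFIG_I line is there only to show non-IPS lines being skipped.

```python
"""Added example: parse Cisco IOS IPS syslog messages and rank them by risk."""
import re
from dataclasses import dataclass

# Constructed console capture: the first two messages are the ones shown in the
# lab; the ICMP message (values assumed) and the %SYS line are added for illustration.
SAMPLE_CONSOLE = """\
*Jan 6 19:43:35.611: %IPS-4-SIGNATURE: Sig:6054 Subsig:0 Sev:50 DNS
Version Request [192.168.1.3:1076 -> 10.1.1.2:53] VRF:NONE
RiskRating:50
*Jan 6 19:43:35.851: %IPS-4-SIGNATURE: Sig:4619 Subsig:0 Sev:75
Invalid DHCP Packet [192.168.1.3:1096 -> 10.1.1.2:67] VRF:NONE
RiskRating:75
*Jan 6 19:44:02.117: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo
Request [10.2.2.2:8 -> 192.168.3.1:0] VRF:NONE RiskRating:25
*Jan 6 19:44:02.120: %SYS-5-CONFIG_I: Configured from console by console
"""

IPS_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<risk>\d+)"
)


@dataclass(frozen=True)
class IpsEvent:
    sig: int
    subsig: int
    sev: int
    name: str
    src: str
    dst: str
    dport: int
    risk: int


def unwrap_console(text):
    """Re-join messages that the console wrapped: a new record starts at each
    timestamp line (leading '*'); any other line continues the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith("*") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_ips_events(text):
    """Return an IpsEvent for every %IPS-4-SIGNATURE record; records from other
    syslog facilities are skipped rather than treated as errors."""
    events = []
    for record in unwrap_console(text):
        m = IPS_RE.search(record)
        if m is None:
            continue
        events.append(IpsEvent(int(m["sig"]), int(m["subsig"]), int(m["sev"]),
                               m["name"], m["src"], m["dst"], int(m["dport"]),
                               int(m["risk"])))
    return events


def rank_by_risk(events):
    """Highest RiskRating first; Sev breaks ties, then signature ID for stability."""
    return sorted(events, key=lambda e: (-e.risk, -e.sev, e.sig))


def summarize_sources(events):
    """Map source IP -> (hit count, highest RiskRating seen from that source)."""
    summary = {}
    for e in events:
        hits, worst = summary.get(e.src, (0, 0))
        summary[e.src] = (hits + 1, max(worst, e.risk))
    return summary


if __name__ == "__main__":
    events = parse_ips_events(SAMPLE_CONSOLE)
    for e in rank_by_risk(events):
        print(f"risk={e.risk:3} sev={e.sev:3} sig={e.sig} {e.name}: {e.src} -> {e.dst}:{e.dport}")
    for src, (hits, worst) in summarize_sources(events).items():
        print(f"{src}: {hits} hit(s), worst risk {worst}")
```

Run against the sample, the DHCP signature (4619) ranks above the DNS version request (6054) on RiskRating, which is the answer to question c; the per-source summary is what you would use to decide which scanning host to chase first when the log holds more than two lines.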


Part 3. Configuring IPS using SDM
In Part 3 of this lab, you configure IOS IPS on R3 using SDM.
Note: To support SDM configuration of IPS, PC-C should be running Java JRE version 6 or newer, with the Java
heap set to 256MB using the runtime parameter -Xmx256m. The latest JRE for Windows XP can be
downloaded from Sun Microsystems at http://www.sun.com/.

The PC must have at least 512MB of RAM. From the PC Start Menu, click Settings > Control Panel > Java to
open the Java Control Panel window. From the Java Control Panel window, click the Java tab and click the View
button to enter or change the Java Applet Runtime Settings. The following screenshot shows setting the heap
size to 256MB using the Runtime Parameter -Xmx256m.




Task 1. Verify Access to the R3 LAN from R2
In this task, you verify that, without IPS configured, external router R2 can access the R3 S0/0/1 interface and
PC-C on the R3 internal LAN.


Step 1: Ping from R2 to R3.

a. From R2, ping the R3 interface S0/0/1 at IP address 10.2.2.1.
R2#ping 10.2.2.1
b. Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 2: Ping from R2 to PC-C on the R3 LAN.

a. From R2, ping PC-C on the R3 LAN at IP address 192.168.3.3.
R2#ping 192.168.3.3
b. Were the results successful? _____


c. If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 3: Display the R3 running config prior to starting SDM.

a. Issue the show run command to review the current basic configuration on R3.

b. Verify the R3 basic configuration as performed in Part 1 of the lab. Are there any security commands
related to IPS? ___________________________________________________________________


Task 2. Prepare the Router for SDM and IPS

Step 1: Configure the enable secret password and HTTP router access prior to starting SDM.

a. From the CLI, configure the enable secret password for use with SDM on R3.
R3(config)#enable secret cisco12345
b. Enable the HTTP server on R3.
R3(config)#ip http server

Step 2: Verify or create the IPS directory in router flash.

a. From the R3 CLI, display the content of flash memory using the show flash command and check
for the ipsdir directory.
R3#show flash
b. If this directory is not listed, create it by entering the command mkdir ipsdir in privileged EXEC
mode.
R3#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
c. From the R3 CLI, verify that the directory is present using the dir flash:ipsdir command.
R3#dir flash:ipsdir

Directory of flash:/ipsdir/

No files in directory

Note: The directory exists, but there are currently no files in it.


Task 3. Prepare the TFTP Server

Step 1: Download the TFTP server.

The Tftpd32 freeware TFTP server is used in this task. Many other free TFTP servers are also available. If a
TFTP server is not currently available on PC-C, you can download the latest version of Tftpd32 from
http://tftpd32.jounin.net/. If it is already installed, go to Step 2.

This lab uses the Tftpd32 TFTP server. This software also includes a syslog server that runs simultaneously
with the TFTP server.



Step 2: Start the TFTP server on PC-C and verify the IPS file directory.

Verify connectivity between R3 and PC-C, the TFTP server, using the ping command.

a. Verify that the PC has the IPS Signature package file in a directory on the TFTP server. This file is
typically named IOS-Sxxx-CLI.pkg, where xxx is the signature file version.

Note: If this file is not present, contact your instructor before continuing.

b. Start Tftpd32 or another TFTP server and set the default directory to the one with the IPS Signature
package. The Tftpd32 screen is shown here with the C:\Program Files\Tftpd32\IPS directory contents
displayed. Take note of the filename for use in the next step.

c. What is the name of the signature file? _____________________________________________




Task 4. Configure IPS Using SDM

Step 1: Access SDM and set command delivery preferences.

a. Run the SDM application or open a browser on PC-C and start SDM by entering the R3 IP address
192.168.3.1 in the address field.

b. Log in with no username and the enable secret password cisco12345.

Note: If you are using Java version 1.6 or later, the Java console displays by default when SDM is run. If
the Java console displays, you can close it. You can also start the Java plug-in application and select
Advanced > Java Console > Do not start console. The Java console will not appear again unless you
change the setting.


c. In the Authentication Required and IOS IPS Login dialog boxes, enter cisco12345 in the Password field
and click OK.

d. Configure SDM to allow you to preview the commands before sending them to the router. Select Edit >
Preferences. In the User Preferences window, check the Preview commands before delivering to router
check box and click OK.


Step 2: Use the SDM IPS Wizard to configure Cisco IOS IPS.

a. Click the Configure button at the top of the SDM screen and then select Intrusion Prevention >
Create IPS.




b. Click the Launch IPS Rule Wizard button to open the Welcome to the IPS Policies Wizard window.

c. Read the information on the IPS Policies Wizard screen to become familiar with what the wizard does.
Click Next.




Note: SDEE dialog boxes might appear. Read the information and click OK for each dialog box.

d. In the Select Interfaces window, check the Inbound check box for FastEthernet0/1 and Serial0/0/1.
Click Next.

Note: Selecting inbound on both interfaces allows IPS to monitor attacks on the router from the
internal and external network.




e. In the Signature File and Public Key window, click the ellipsis (...) button next to Specify the
Signature File You Want to Use with IOS IPS to open the Specify Signature File window. Confirm that
the Specify Signature File using URL option is chosen.

f. For Protocol, select tftp from the drop-down menu. Enter the IP address of the PC-C TFTP server and
the filename. For example, 192.168.3.3/IOS-S364-CLI.pkg.




g. What other options can be specified as a source for the Signature File?
________________________________________________________________________________

h. Click OK to return to the Signature File and Public Key window. In the Configure Public Key section of
the Signature File and Public Key window, enter realm-cisco.pub in the Name field.

The signature package is digitally signed by Cisco, and the router uses the Cisco public key to verify that
signature before it loads the package; each change you later make to the signature configuration is saved in a
delta file in the config location. You can obtain the key from Cisco.com and paste the information in the Name
and Key fields. In this lab, you will copy and paste the key from a text file on PC-C.

i. Open the realm-cisco-pub-key.txt file located on the PC-C desktop. The following is an example from
the realm-cisco-pub-key.txt file.


j. Copy the text between the phrase key-string and the word quit into the Key field in the Configure
Public Key section. The Signature File and Public Key window should look similar to the following when
the entries are completed.




k. Click Next to display the Config Location and Category window. This is used to specify where to store
the signature information. This file is used by Cisco IOS IPS for detecting attacks coming into the
FastEthernet0/1 or Serial0/0/1 interfaces.

l. In the Config Location and Category window in the Config Location section, click the ellipsis (...) button
next to Config Location to add the location.

m. Verify that Specify the config location on this router is selected. Click the ellipsis (...) button. Click
the plus sign (+) next to flash. Choose ipsdir and then click OK.




n. Because router memory and resource constraints might prevent using all the available signatures,
there are two categories of signatures: basic and advanced. In the Choose Category field of the Config
Location and Category window, choose basic. The Config Location and Category window should look
similar to the following when the entries are completed.




o. Click Next in the Cisco SDM IPS Policies Wizard window. The Summary window appears. Examine the
IPS configuration information shown.




p. Click Finish in the IPS Policies Wizard window and review the commands that will be delivered to the
router.

q. Click Deliver. How many commands were delivered to the router? ___________________________

r. When the Commands Deliver Status window is ready, click OK. The IOS IPS Configuration Status
window opens stating that it can take several minutes for the signatures to be configured.

s. When the signature configuration process has completed, you return to the IPS window with the Edit
IPS tab selected. Your screen should look similar to the following.




t. Select interface Serial0/0/1 from the list. What information is displayed at the bottom of the screen?
________________________________________________________________________________


Task 5. Modify Signature Settings

Step 1: Verify connectivity.

From PC-C, ping R3. The pings should be successful.


Step 2: Configure the IPS application to drop ping (echo request) traffic.

a. From SDM, click Configure and select Intrusion Prevention > Edit IPS > Signatures. How many
total signatures are there? ____________

Are all of them enabled? _______

b. In the View By drop-down list, choose Sig ID.



c. In the Sig ID field, enter 2004, and then click Go. What is Sig ID 2004?
____________________________________________________________________________

d. Do you know why the pings from PC-C in Step 1 were successful?
____________________________________________________________________________

e. Select signature 2004, click the Unretire button, and then click the Enable button.

f. Right-click the signature and choose Actions from the context menu.

g. Choose Deny Packet Inline and leave the Produce Alert check box checked. Click OK.

h. Click Apply Changes. Your screen should look similar to the following.

Note: It may take some time for the changes to take effect.




i. Return to PC-C and ping R3 again. Were the pings successful this time?
_______________________________________________________________________________


Task 6. Configure IPS Global Settings
In this task, you enable the syslog and SDEE global settings using the Cisco SDM GUI.



a. From SDM, click Configure and select Intrusion Prevention > Edit IPS > Global Settings.

b. Verify that the syslog and SDEE options are enabled.

Note: Even if the Syslog and SDEE options are already enabled, click the Edit button and explore the options
available in the Edit Global Settings dialog box. Examine the options to learn whether Cisco IOS IPS defaults
to fail open (traffic is forwarded when the IPS engine cannot inspect it) or fail closed (such traffic is dropped).


Task 7. Verify IPS Functionality with SDM Monitor and Ping
In this task, you demonstrate how the Cisco IOS IPS protects against an external attacker using ping.

a. From the R2 CLI, ping the R3 Fa0/1 interface at 192.168.3.1. Were the pings successful?
________________________________________________________________________________

b. From SDM, click the Monitor button and select IPS Status. The IPS Signature Statistics tab is
selected by default. Wait for the screen to populate.

c. Scroll to near the bottom to locate the signature ID 2004 ICMP echo request. You should see an entry
similar to the one below indicating that IPS identified the ping attempt from R2. Notice that there are five
hits and five drops for signature ID 2004, detected on Fa0/1 IP address 192.168.3.1.




d. From SDM, Click the Monitor button and select Logging.

e. A number of Syslog messages are displayed. Click the Clear button to clear the log.

f. From the R2 CLI, ping the R3 Fa0/1 interface at 192.168.3.1 again.

g. Click the Update button. You will see that the Cisco IOS IPS logged the ping attempts from R2.




Task 8. (Optional) Verify IPS Functionality with SDM Monitor and SuperScan
In this task, you demonstrate how the Cisco IOS IPS protects against an internal attacker using SuperScan.
SuperScan is a freeware scanning tool that runs with Windows XP that can detect open TCP and UDP ports
on a target host. You can perform this task if the SuperScan program is available on PC-C or if it can be
downloaded.

SuperScan will test the IPS capabilities on R3. You will run the scanning program from PC-C and attempt to
scan open ports on router R2. The IPS rule iosips, which is set on R3 Fa0/1 inbound, should intercept the
scanning attempts and send messages to the R3 console and SDM syslog.


Step 1: Download the SuperScan program.

a. If SuperScan is not on PC-C, download the SuperScan 4.0 tool from the Scanning Tools group at
http://www.foundstone.com.

b. Unzip the file into a folder. The SuperScan4.exe file is executable and installation is not required.




Step 2: Run SuperScan and set scanning options.

a. Start SuperScan on PC-C. Click the Host and Service Discovery tab. Check the Timestamp
Request check box, and uncheck the Echo Request check box. Scroll the UDP and TCP port selection
lists and notice the range of ports that will be scanned.

b. Click the Scan tab and enter the IP address of R2 S0/0/1 (10.2.2.2) in the Hostname/IP field.

Note: You can also specify an address range, such as 10.2.2.1 to 10.2.2.254, by entering an address
in the Start IP and End IP fields. The program will scan all hosts with addresses in the range
specified.

c. Click the button with the blue arrow in the lower left corner of the screen to start the scan.


Step 3: Check the results with SDM logging.

a. From Cisco SDM, choose Monitor > Logging.

b. Click the Update button. You will see that the Cisco IOS IPS has been logging the port scans
generated by SuperScan.

c. You should see syslog messages on R3 and entries in the SDM Monitor Log with descriptions that
include one of these phrases: “Invalid DHCP Packet” or “DNS Version Request.”




d. Close the SuperScan window.


Task 9. Compare the Results for Different IPS Configuration Methods
a. On R1, display the running configuration after IPS was configured with IOS CLI commands. Note the
commands related to IPS.

________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________

b. On R3, from the menu bar, select View > Show Running Config to display the running configuration
after IPS was configured with the SDM GUI. Note the commands related to IPS.

________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________

c. What differences are there between the CLI-based running configuration and the SDM-based running
configuration?

________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________


Task 10. Reflection
a. What are some advantages and disadvantages to using CLI or SDM to configure IPS?

________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________

b. With version 5.x signature files, if changes are made to a signature, are they visible in the router
running configuration?

________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________


Router Interface Summary Table




Router Model   Ethernet Interface #1       Ethernet Interface #2       Serial Interface #1      Serial Interface #2
1700           Fast Ethernet 0 (FA0)       Fast Ethernet 1 (FA1)       Serial 0 (S0)            Serial 1 (S1)
1800           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2600           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0 (S0/0)        Serial 0/1 (S0/1)
2800           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of
Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface.
The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.




Chapter 6: Lab A: Securing Layer 2 Switches

Topology




IP Addressing Table

Device   Interface   IP Address     Subnet Mask      Default Gateway   Switch Port
R1       Fa0/1       192.168.1.1    255.255.255.0    N/A               S1 FA0/5
S1       VLAN 1      192.168.1.2    255.255.255.0    N/A               N/A
S2       VLAN 1      192.168.1.3    255.255.255.0    N/A               N/A
PC-A     NIC         192.168.1.10   255.255.255.0    192.168.1.1       S1 FA0/6
PC-B     NIC         192.168.1.11   255.255.255.0    192.168.1.1       S2 FA0/18


Objectives
Part 1: Configure Basic Switch Settings

Build the topology.

Configure the host name, IP address, and access passwords.


Part 2: Configure SSH Access to the Switches

Configure SSH access on the switch.



Configure an SSH client to access the switch.

Verify the configuration.


Part 3: Secure Trunks and Access Ports

Configure trunk port mode.

Change the native VLAN for trunk ports.

Verify trunk configuration.

Enable storm control for broadcasts.

Configure access ports.

Enable PortFast and BPDU guard.

Verify BPDU guard.

Enable root guard.

Configure port security.

Verify port security.

Disable unused ports.


Part 4: Configure SPAN and Monitor Traffic

Configure Switched Port Analyzer (SPAN).

Monitor port activity using Wireshark.

Analyze a sourced attack.


Background
The Layer 2 (data link) infrastructure consists mainly of interconnected Ethernet switches. Most end-user
devices, such as computers, printers, IP phones, and other hosts, connect to the network through Layer 2
access switches, which makes those switches a natural point of attack. Like routers, switches are subject to
attack from malicious internal users. Cisco IOS switch software provides many security features that are
specific to switch functions and protocols.

In this lab, you configure SSH access and Layer 2 security for switches S1 and S2. You also configure
various switch protection measures, including access port security, switch storm control, and Spanning Tree
Protocol (STP) features such as BPDU guard and root guard. Lastly, you use Cisco SPAN to monitor traffic to
specific ports on the switch.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T
(Advanced IP image). The switch commands and output are from a Cisco WS-C2960-24TT-L with Cisco IOS
Release 12.2(46)SE (C2960-LANBASEK9-M image). Other routers, switches, and IOS versions may be used.
See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use
based on the equipment in the lab. Depending on the router or switch model and IOS version, the commands
available and output produced might vary from what is shown in this lab.

Note: Make sure that the router and the switches have been erased and have no startup configurations.


Required Resources

One router (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)




Two switches (Cisco 2960 or comparable with a cryptography IOS image for SSH support, Release
12.2(46)SE or comparable)

PC-A (Windows XP or Vista with a PuTTY SSH client and Wireshark)


PC-B (Windows XP or Vista with a PuTTY SSH client and SuperScan)


Ethernet cables as shown in the topology


Rollover cables to configure the switches via the console



Part 1. Basic Device Configuration
In Part 1 of this lab, you set up the network topology and configure basic settings such as the host names, IP
addresses, and device access passwords.

Note: Perform all tasks on router R1 and switches S1 and S2. The procedure for S1 is shown here as an
example.


Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram and cable as necessary.


Step 2: Configure basic settings for the router and each switch.

a. Configure host names as shown in the topology.

b. Configure interface IP addresses as shown in the IP Addressing Table. The configuration of the VLAN
1 management interface on switch S1 is shown here.
S1(config)#interface vlan 1
S1(config-if)#ip address 192.168.1.2 255.255.255.0
S1(config-if)#no shutdown


c. Configure the enable secret and console passwords.
S1(config)#enable secret cisco12345
S1(config)#line console 0
S1(config-line)#password ciscoconpass
S1(config-line)#exec-timeout 5 0
S1(config-line)#login
S1(config-line)#logging synchronous
Note: Do not configure the switch vty access at this time. The vty lines are configured on the switches
in Part 2 for SSH access.

d. Configure the vty lines and password on R1.
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login

e. To prevent the router or switch from attempting to translate incorrectly entered commands, disable
DNS lookup. Router R1 is shown here as an example.


R1(config)#no ip domain-lookup
f. HTTP access to the switch is enabled by default. To prevent HTTP access, disable the HTTP server
and HTTP secure server.
S1(config)#no ip http server
S1(config)#no ip http secure-server
Note: The switch must have a cryptography IOS image to support the ip http secure-server
command. HTTP access to the router is disabled by default.


Step 3: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A and PC-B as shown in the IP
Addressing Table.


Step 4: Verify basic network connectivity.

a. Ping from PC-A and PC-B to the R1 Fa0/1 interface at IP address 192.168.1.1. Were the results
successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

b. Ping from PC-A to PC-B. Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 5: Save the basic configurations for the router and both switches.

Save the running configuration to the startup configuration from the privileged EXEC prompt.
S1#copy running-config startup-config

Part 2. SSH Configuration
In Part 2 of this lab, you configure switches S1 and S2 to support SSH connections and install SSH client
software on the PCs.

Note: A switch IOS image that supports encryption is required to configure SSH. Otherwise, you cannot
specify SSH as an input protocol for the vty lines and the crypto commands are not available.


Task 1. Configure the SSH Server on Switch S1 and S2 Using the CLI
In this task, use the CLI to configure the switch to be managed securely using SSH instead of Telnet. Secure
Shell (SSH) is a network protocol that establishes a secure terminal emulation connection to a switch or other
networking device. SSH encrypts all information that passes over the network link and provides authentication
of the remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network
professionals.

Note: For a switch to support SSH login, it must authenticate users either against a local username database
or through AAA services. In this task, you configure a local username and local authentication on S1 and S2.
S1 is shown here as an example.




Step 1: Configure a domain name.

Enter global configuration mode and set the domain name.
S1#conf t
S1(config)#ip domain-name ccnasecurity.com

Step 2: Configure a privileged user for login from the SSH client.

Use the username command to create the user ID with the highest possible privilege level and a secret
password.
S1(config)#username admin privilege 15 secret cisco12345
Exit to the initial switch login screen, and log in with this username. What was the switch prompt after you
entered the password? __________________________________________________________


Step 3: Configure the incoming vty lines.

a. Configure vty access on lines 0 through 4. Specify a privilege level of 15 so that a user with the highest
privilege level (15) will default to privileged EXEC mode when accessing the vty lines. Other users will
default to user EXEC mode. Specify the use of local user accounts for mandatory login and
validation, and accept only SSH connections.
S1(config)#line vty 0 4
S1(config-line)#privilege level 15
S1(config-line)#exec-timeout 5 0
S1(config-line)#login local
S1(config-line)#transport input ssh
S1(config-line)#exit
b. Block access on switch vty lines 5 through 15. Note that the line command no login would remove
password checking on those lines rather than disable them, so keep local login in place and refuse every
transport instead.
S1(config)#line vty 5 15
S1(config-line)#login local
S1(config-line)#transport input none

Step 4: Generate the RSA encryption key pair for the switch.

The switch uses the RSA key pair for authentication and encryption of transmitted SSH data.

Configure the RSA key pair with a modulus of 1024 bits. The default is 512 bits, and the range is from 360 to
2048. A 1024-bit RSA key is the minimum that should be used and is considered weak by current standards;
use 2048 bits where the platform and image allow it.
S1(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: S1.ccnasecurity.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

S1(config)#
00:15:36: %SSH-5-ENABLED: SSH 1.99 has been enabled
Note: The details of encryption methods are covered in Chapter 7.


Step 5: Verify the SSH configuration.

Use the show ip ssh command to see the current settings.
S1#show ip ssh


Fill in the following information based on the output of the show ip ssh command.
SSH version enabled: __________________
Authentication timeout: __________________
Authentication retries: __________________

Step 6: Configure SSH timeouts and authentication parameters.

The default SSH timeouts and authentication parameters can be altered to be more restrictive using the
following commands.
S1(config)#ip ssh time-out 90
S1(config)#ip ssh authentication-retries 2

Step 7: Save the running-config to the startup-config.
S1#copy running-config startup-config

Task 2. Configure the SSH Client
TeraTerm and PuTTY are two terminal emulation programs that can support SSHv2 client connections. This
lab uses PuTTY.


Step 1: (Optional) Download and install an SSH client on PC-A and PC-B.

If the SSH client is not already installed, download either TeraTerm or PuTTY.

Note: The procedure described here is for PuTTY and pertains to PC-A.


Step 2: Verify SSH connectivity to S1 from PC-A.
a. Launch PuTTY by double-clicking the putty.exe icon.
b. Input the S1 IP address 192.168.1.2 in the Host Name or IP address field.

c. Verify that the SSH radio button is selected. PuTTY defaults to SSH version 2.




d. Click Open.

e. In the PuTTY Security Alert window, click Yes.

f. Enter the admin username and password cisco12345 in the PuTTY window.




g. At the S1 privileged EXEC prompt, enter the show users command.
S1#show users
What users are connected to switch S1 at this time?
______________________________________________________________________________

h. Close the PuTTy SSH session window with the exit or quit command.

i. Try to open a Telnet session to switch S1 from PC-A. Were you able to open the Telnet session? Why
or why not? _______________________________________________________________



Step 3: Save the configuration.

Save the running configuration to the startup configuration from the privileged EXEC prompt.
S1#copy running-config startup-config

Part 3. Secure Trunks and Access Ports
In Part 3 of this lab, you configure trunk ports, change the native VLAN for trunk ports, verify trunk
configuration, and enable storm control for broadcasts on the trunk ports.

Securing trunk ports can help stop VLAN hopping attacks. The best way to prevent a basic VLAN hopping
attack is to turn off trunking on all ports except the ones that specifically require trunking. On the required
trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking. If no trunking is
required on an interface, configure the port as an access port. This disables trunking on the interface.
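The hardening points this lab applies by hand in Part 2 (SSH-only vty lines with local login, no HTTP management) and in this part (explicit port modes, DTP disabled on trunks, native VLAN moved off VLAN 1) can be checked against a saved running-config. The Python script below is an added example, not part of the lab or of Cisco's tooling: it splits a running-config into global, interface and line blocks and reports each deviation as a (location, message) finding. The sample configuration is constructed to show one finding of each kind, and the checks assume a Catalyst 2960, where a port with no explicit switchport mode defaults to dynamic auto.

```python
"""Added example: audit a saved Cisco IOS switch running-config for the vty and
trunk hardening points this lab configures by hand."""

# Constructed sample: a partly hardened S1, not captured from a real switch.
SAMPLE_CONFIG = """\
hostname S1
ip domain-name ccnasecurity.com
ip http server
no ip http secure-server
username admin privilege 15 secret 5 $1$abcd$constructedhash
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface FastEthernet0/5
 switchport mode access
!
interface FastEthernet0/6
!
interface FastEthernet0/7
 shutdown
!
line con 0
 password ciscoconpass
 login
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 no login
!
end
"""


def parse_sections(text):
    """Split a running-config into blocks keyed by their header line
    ('interface ...' or 'line ...'); other top-level commands go under 'global'."""
    sections = {"global": []}
    current = "global"
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: belongs to the open block
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(line)
    return sections


def audit_vty(header, lines):
    findings = []
    if "no login" in lines:
        findings.append((header, "'no login' removes password checking instead of "
                                 "blocking access; use 'login local' plus 'transport input none'"))
    transports = [ln for ln in lines if ln.startswith("transport input")]
    if not transports or transports[-1] not in ("transport input ssh", "transport input none"):
        findings.append((header, "Telnet accepted (missing or permissive 'transport input')"))
    return findings


def audit_interface(header, lines):
    findings = []
    if "shutdown" in lines:
        return findings                     # disabled port: nothing to negotiate
    modes = [ln for ln in lines if ln.startswith("switchport mode")]
    mode = modes[-1].split(maxsplit=2)[2] if modes else "dynamic auto"  # assumed 2960 default
    if mode.startswith("dynamic"):
        findings.append((header, f"port mode '{mode}': DTP can negotiate a trunk; set access or trunk explicitly"))
    elif mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append((header, "trunk still sends DTP; add 'switchport nonegotiate'"))
        native = [ln for ln in lines if ln.startswith("switchport trunk native vlan")]
        if not native or int(native[-1].split()[-1]) == 1:
            findings.append((header, "native VLAN is 1; move it to an unused VLAN"))
    return findings


def audit(text):
    """Return a list of (location, message) findings for the whole config."""
    sections = parse_sections(text)
    glob = sections["global"]
    findings = []
    if "ip http server" in glob:
        findings.append(("global", "HTTP management enabled; add 'no ip http server'"))
    if not any(ln.startswith("ip ssh version 2") for ln in glob):
        findings.append(("global", "SSH not pinned to version 2 ('ip ssh version 2')"))
    for header, lines in sections.items():
        if header.startswith("line vty"):
            findings.extend(audit_vty(header, lines))
        elif header.startswith("interface"):
            findings.extend(audit_interface(header, lines))
    return findings


if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"{where:28} {what}")
```

On the sample, FastEthernet0/2 (trunk, nonegotiate, native VLAN 99) and vty 0 4 (login local, SSH only) come back clean; everything else produces exactly the finding the corresponding lab step is meant to remove. Feed it the output of show running-config from a real switch to check your own work at the end of Part 3.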

Note: Tasks should be performed on switches S1 or S2 as indicated.


Task 1. Secure Trunk Ports

Step 1: Configure switch S1 as the root switch.

For the purposes of this lab, assume that switch S2 is currently the root bridge and that switch S1 is preferred
as the root switch. To force S1 to become the new root bridge, you configure a new priority for it.

a. From the console on S1, enter privileged EXEC mode and then global configuration mode.

The default priority for switches S1 and S2 is 32769 (32768 + 1 with System ID Extension). Set S1 priority
to 0 so that it becomes the root switch.
S1(config)#spanning-tree vlan 1 priority 0
S1(config)#exit
b. Issue the show spanning-tree command to verify that S1 is the root bridge and to see the ports in
use and their status.
S1#show spanning-tree

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 1
Address 001d.4635.0c80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 1 (priority 0 sys-id-ext 1)
Address 001d.4635.0c80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/5 Desg FWD 19 128.5 P2p
Fa0/6 Desg FWD 19 128.6 P2p



c. What is the S1 priority? ______________________________________________________

d. What ports are in use and what is their status? ____________________________________


Step 2: Configure trunk ports on S1 and S2.

a. Configure port Fa0/1 on S1 as a trunk port.
S1(config)#interface FastEthernet 0/1
S1(config-if)#switchport mode trunk
b. Configure port Fa0/1 on S2 as a trunk port.
S2(config)#interface FastEthernet 0/1
S2(config-if)#switchport mode trunk
c. Verify that S1 port Fa0/1 is in trunking mode with the show interfaces trunk command.
S1#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/1 1-4094

Port Vlans allowed and active in management domain
Fa0/1 1

Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1

Step 3: Change the native VLAN for the trunk ports on S1 and S2.

Changing the native VLAN for trunk ports to an unused VLAN helps prevent VLAN hopping attacks.

a. From the output of the show interfaces trunk in the previous step, what is the current native
VLAN for the S1 Fa0/1 trunk interface? ______________________________________________

b. Set the native VLAN on the S1 Fa0/1 trunk interface to an unused VLAN 99.
S1(config)#interface Fa0/1
S1(config-if)#switchport trunk native vlan 99
S1(config-if)#end
The following message should be displayed after a brief period of time.
02:16:28: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered
on FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).
What does the message mean? __________________________________________________

c. Set the native VLAN on the S2 Fa0/1 trunk interface to VLAN 99.
S2(config)#interface Fa0/1
S2(config-if)#switchport trunk native vlan 99
S2(config-if)#end




Step 4: Prevent the use of DTP on S1 and S2.

Setting the trunk port to not negotiate also helps to mitigate VLAN hopping by turning off the generation of
DTP frames.
S1(config)#interface Fa0/1
S1(config-if)#switchport nonegotiate

S2(config)#interface Fa0/1
S2(config-if)#switchport nonegotiate

Step 5: Verify the trunking configuration on port Fa0/1.
S1#show interface fa0/1 trunk

Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 99

Port Vlans allowed on trunk
Fa0/1 1-4094

Port Vlans allowed and active in management domain
Fa0/1 1

Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1

S1#show interface fa0/1 switchport

Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none



Step 6: Enable storm control for broadcasts.

Enable storm control for broadcasts on the trunk port with a 50 percent rising suppression level using the
storm-control broadcast command.
S1(config)#interface FastEthernet 0/1
S1(config-if)#storm-control broadcast level 50

S2(config)#interface FastEthernet 0/1
S2(config-if)#storm-control broadcast level 50

Step 7: Verify your configuration with the show run command.

Use the show run command to display the running configuration, beginning with the first line that has
the text string “0/1” in it.
S1#show run | beg 0/1
interface FastEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
switchport nonegotiate
storm-control broadcast level 50.00

<Output omitted>

Task 2. Secure Access Ports
By manipulating the STP root bridge parameters, network attackers hope to spoof their system, or a rogue
switch that they add to the network, as the root bridge in the topology. If a port that is configured with PortFast
receives a BPDU, STP can put the port into the blocking state by using a feature called BPDU guard.


Step 1: Disable trunking on S1 access ports.

On S1, configure Fa0/5, the port to which R1 is connected, as access mode only.
S1(config)#interface FastEthernet 0/5
S1(config-if)#switchport mode access
On S1, configure Fa0/6, the port to which PC-A is connected, as access mode only.
S1(config)#interface FastEthernet 0/6
S1(config-if)#switchport mode access
On S2, configure Fa0/18, the port to which PC-B is connected, as access mode only.
S2(config)#interface FastEthernet 0/18
S2(config-if)#switchport mode access

Task 3. Protect Against STP Attacks
The topology has only two switches and no redundant paths, but STP is still active. In this step, you enable
some switch security features that can help reduce the possibility of an attacker manipulating switches via
STP-related methods.


Step 1: Enable PortFast on S1 and S2 access ports.

PortFast is configured on access ports that connect to a single workstation or server to enable them to
become active more quickly.


a. Enable PortFast on the S1 Fa0/5 access port.
S1(config)#interface FastEthernet 0/5
S1(config-if)#spanning-tree portfast

The following Cisco IOS warning message is displayed:
%Warning: portfast should only be enabled on ports connected to a
single host. Connecting hubs, concentrators, switches, bridges, etc...
to this interface when portfast is enabled, can cause temporary
bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/5 but will only
have effect when the interface is in a non-trunking mode.
b. Enable PortFast on the S1 Fa0/6 access port.
S1(config)#interface FastEthernet 0/6
S1(config-if)#spanning-tree portfast
c. Enable PortFast on the S2 Fa0/18 access port.
S2(config)#interface FastEthernet 0/18
S2(config-if)#spanning-tree portfast

Step 2: Enable BPDU guard on the S1 and S2 access ports.

BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports.

a. Enable BPDU guard on the switch ports previously configured as access only.
S1(config)#interface FastEthernet 0/5
S1(config-if)#spanning-tree bpduguard enable

S1(config)#interface FastEthernet 0/6
S1(config-if)#spanning-tree bpduguard enable

S2(config)#interface FastEthernet 0/18
S2(config-if)#spanning-tree bpduguard enable
b. PortFast and BPDU guard can also be enabled globally with the spanning-tree portfast
default and spanning-tree portfast bpduguard default commands in global configuration mode.

Note: BPDU guard can be enabled on all access ports that have PortFast enabled. These ports
should never receive a BPDU. BPDU guard is best deployed on user-facing ports to prevent rogue
switch network extensions by an attacker. If a port enabled with BPDU guard receives a BPDU, it is
disabled and must be manually re-enabled. An err-disable timeout can be configured on the port so
that it can recover automatically after a specified time period.

c. Verify that BPDU guard is configured by using the show spanning-tree interface fa0/5
detail command on switch S1.
S1#show spanning-tree interface fa0/5 detail

Port 5 (FastEthernet0/5) of VLAN0001 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.5.
Designated root has priority 1, address 001d.4635.0c80
Designated bridge has priority 1, address 001d.4635.0c80
Designated port id is 128.5, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled
BPDU: sent 3349, received 0

Step 3: (Optional) Enable root guard.

Root guard is another option in helping to prevent rogue switches and spoofing. Root guard can be enabled
on all ports on a switch that are not root ports. It is normally enabled only on ports connecting to edge
switches where a superior BPDU should never be received. Each switch should have only one root port,
which is the best path to the root switch.

The following command configures root guard on S2 interface Gi0/1. Normally, this is done if another
switch is attached to this port. Root guard is best deployed on ports that connect to switches that
should not be the root bridge.
S2(config)#interface gigabitEthernet 0/1
S2(config-if)#spanning-tree guard root
a. Issue the show run command to verify that root guard is configured.
S2#sh run | beg Gig
interface GigabitEthernet0/1
spanning-tree guard root
Note: The S2 Gi0/1 port is not currently up, so it is not participating in STP. Otherwise, you could use
the show spanning-tree interface Gi0/1 detail command.

b. If a port that is enabled with BPDU guard receives a superior BPDU, it goes into a root-inconsistent
state. Use the show spanning-tree inconsistentports command to determine if there are any
ports currently receiving superior BPDUs that should not be.
S2#show spanning-tree inconsistentports

Name Interface Inconsistency
-------------------- ---------------------- ------------------
Number of inconsistent ports (segments) in the system : 0
Note: Root guard allows a connected switch to participate in STP as long as the device does not try to
become the root. If root guard blocks the port, subsequent recovery is automatic. If the superior BPDUs
stop, the port returns to the forwarding state.


Task 4. Configure Port Security and Disable Unused Ports
Switches can also be subject to CAM table overflow, MAC spoofing attacks, and unauthorized connections to
switch ports. In this task, you configure port security to limit the number of MAC addresses that can be
learned on a switch port and disable the port if that number is exceeded.


Step 1: Record the R1 Fa0/1 MAC address.

a. From the router R1 CLI, use the show interface command and record the MAC address of the
interface.
R1#show interface fa0/1

FastEthernet0/1 is up, line protocol is up
Hardware is Gt96k FE, address is 001b.5325.256f (bia 001b.5325.256f)
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
b. What is the MAC address of the R1 Fa0/1 interface? _____________________________________


Step 2: Configure basic port security.

This procedure should be performed on all access ports that are in use. Switch S1 port Fa0/5 is shown here
as an example.

Note: A switch port must be configured as an access port to enable port security.

a. From the switch S1 CLI, enter interface configuration mode for the port that connects to the router
(Fast Ethernet 0/5).
S1(config)#interface FastEthernet 0/5
b. Shut down the switch port.
S1(config-if)#shutdown
c. Enable port security on the port.
S1(config-if)#switchport port-security
Note: Entering just the switchport port-security command sets the maximum MAC
addresses to 1 and the violation action to shutdown. The switchport port-security maximum
and switchport port-security violation commands can be used to change the default
behavior.

d. Configure a static entry for the MAC address of the R1 Fa0/1 interface recorded in Step 1.
S1(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx
(xxxx.xxxx.xxxx is the actual MAC address of the router Fast Ethernet 0/1 interface.)

Note: Optionally, you can use the switchport port-security mac-address sticky
command to add all the secure MAC addresses that are dynamically learned on a port (up to the
maximum set) to the switch running configuration.

e. Bring up the switch port.
S1(config-if)#no shutdown

Step 3: Verify port security on S1 Fa0/5.

On S1, issue the show port-security command to verify that port security has been configured on
S1 Fa0/5.
S1#show port-security interface f0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses :1
Total MAC Addresses :1
Configured MAC Addresses :1
Sticky MAC Addresses :0
Last Source Address:Vlan : 001b.5325.256f:1
Security Violation Count :0

What is the status of the Fa0/5 port? ___________________________________________________

What is the Last Source Address and VLAN? _______________________________________________

From the router R1 CLI, ping PC-A to verify connectivity. This also ensures that the R1 Fa0/1 MAC
address is learned by the switch.
R1#ping 192.168.1.10
You will now violate security by changing the MAC address on the router interface. Enter interface
configuration mode for the Fast Ethernet 0/1 interface and shut it down.
R1(config)#interface FastEthernet 0/1
R1(config-if)#shutdown
Configure a MAC address on the interface, using aaaa.bbbb.cccc as the address.
R1(config-if)#mac-address aaaa.bbbb.cccc
Enable the Fast Ethernet 0/1 interface.
R1(config-if)#no shutdown
R1(config-if)#end
From the router R1 CLI, ping PC-A. Was the ping successful? Why or why not?
_______________________________________________________________________________

On switch S1 console, observe the messages when port Fa0/5 detects the violating MAC address.
*Jan 14 01:34:39.750: %PM-4-ERR_DISABLE: psecure-violation error
detected on Fa0/5, putting Fa0/5 in err-disable state
*Jan 14 01:34:39.750: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
violation occurred, caused by MAC address aaaa.bbbb.cccc on port
FastEthernet0/5.
*Jan 14 01:34:40.756: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/5, changed state to down
*Mar 1 01:34:41.755: %LINK-3-UPDOWN: Interface FastEthernet0/5,
changed state to down
On the switch, use the various show port-security commands to verify that port security has been
violated.
S1#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
Fa0/5 1 1 1 Shutdown

S1#show port-security interface fastethernet0/5
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses :1
Total MAC Addresses :1
Configured MAC Addresses :1
Sticky MAC Addresses :0
Last Source Address:Vlan : aaaa.bbbb.cccc:1
Security Violation Count :1

S1#show port-security address
Secure Mac Address Table
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 001b.5325.256f SecureConfigured Fa0/5 -
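The %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE messages above, and the %CDP-4-NATIVE_VLAN_MISMATCH message from Task 1 Step 3, are the lines a syslog collector should turn into alerts. The following Python parser is an added example, not part of the lab: it pulls the port, MAC and VLAN fields out of a constructed sample log built from this lab's messages (each message joined onto one line, as syslog delivers it); the BPDU guard line is a constructed sample in the standard IOS %SPANTREE-2-BLOCK_BPDUGUARD format and is an assumption.

```python
"""Extract Layer 2 security events from Cisco IOS syslog lines.
Added example, not part of the lab; SAMPLE_LOG is constructed from the
messages shown in this lab (each joined onto one line) plus one BPDU guard
line in the same IOS format (assumed)."""
import re

# Generic IOS message shape: optional timestamp, then %FACILITY-SEV-MNEMONIC: text
IOS_MSG = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")

# Field extractors for the mnemonics raised by the controls configured in this lab
DETAILS = {
    "PSECURE_VIOLATION": re.compile(
        r"MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>\S+?)\.?$"),
    "ERR_DISABLE": re.compile(
        r"(?P<cause>\S+) error detected on (?P<port>\S+),"),
    "NATIVE_VLAN_MISMATCH": re.compile(
        r"on (?P<port>\S+) \((?P<local_vlan>\d+)\), with (?P<peer>\S+) "
        r"(?P<peer_port>\S+) \((?P<peer_vlan>\d+)\)"),
    "BLOCK_BPDUGUARD": re.compile(r"on port (?P<port>\S+) with BPDU Guard"),
}

SAMPLE_LOG = [
    "*Jan 14 01:34:39.750: %PM-4-ERR_DISABLE: psecure-violation error detected "
    "on Fa0/5, putting Fa0/5 in err-disable state",
    "*Jan 14 01:34:39.750: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/5.",
    "*Jan 14 01:34:40.756: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "FastEthernet0/5, changed state to down",
    "02:16:28: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    "FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).",
    "*Jan 14 02:10:05.100: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port "
    "FastEthernet0/6 with BPDU Guard enabled. Disabling port.",
]


def parse_event(line):
    """Return a dict for any IOS message, with extra fields for known mnemonics."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    event = {"facility": m["facility"], "severity": int(m["sev"]),
             "mnemonic": m["mnemonic"], "text": m["text"]}
    extractor = DETAILS.get(m["mnemonic"])
    if extractor:
        d = extractor.search(m["text"])
        if d:
            event.update(d.groupdict())
    return event


def layer2_alerts(lines):
    """Keep only events raised by a Layer 2 control (port security, CDP, BPDU guard)."""
    return [e for e in map(parse_event, lines) if e and e["mnemonic"] in DETAILS]


if __name__ == "__main__":
    for e in layer2_alerts(SAMPLE_LOG):
        print(e["mnemonic"], e.get("port"), e.get("mac") or e.get("cause") or "")
```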

On the router, shut down the Fast Ethernet 0/1 interface, remove the hard-coded MAC address from the
router, and re-enable the Fast Ethernet 0/1 interface.
R1(config)#interface FastEthernet 0/1
R1(config-if)#shutdown
R1(config-if)#no mac-address aaaa.bbbb.cccc
R1(config-if)#no shutdown
Note: This will restore the original FastEthernet interface MAC address.

From R1, try to ping the PC-A again at 192.168.1.10. Was the ping successful? Why or why not?
________________________________________________________________________________


Step 4: Clear the S1 Fa0/5 error disabled status.

a. From the S1 console, clear the error and re-enable the port using the following commands. This will
change the port status from Secure-shutdown to Secure-up.
S1(config)#interface FastEthernet 0/5
S1(config-if)#shutdown
S1(config-if)#no shutdown

Note: This assumes the device/interface with the violating MAC address has been removed and replaced
with the one originally configured.

b. From R1, ping PC-A again. You should be successful this time.
R1#ping 192.168.1.10

Step 5: Remove basic port security on S1 Fa0/5.

a. From the S1 console, remove port security on Fa0/5. This procedure can also be used to re-enable the
port, but the port security commands will need to be reconfigured.
S1(config)#interface FastEthernet 0/5
S1(config-if)#shutdown
S1(config-if)#no switchport port-security
S1(config-if)#no switchport port-security mac-address 001b.5325.256f
S1(config-if)#no shutdown
b. You can also use the following commands to reset the interface to its default settings.
S1(config)#interface FastEthernet 0/5
S1(config-if)#shutdown
S1(config-if)#exit
S1(config)#default interface fastethernet 0/5
S1(config)#interface FastEthernet 0/5
S1(config-if)#no shutdown



Note: This default interface command also requires you to reconfigure the
port as an access port in order to re-enable the security commands.


Step 6: (Optional) Configure port security for VoIP.

The following example shows a typical port security configuration for a voice port. Two MAC addresses
are allowed, and they are to be learned dynamically. One MAC address is for the IP phone, and the other
is for the PC connected to the IP phone. Violations of this policy result in the port being shut
down. The aging timeout for the learned MAC addresses is set to two hours.

This example is shown for switch S2 port Fa0/18.
S2(config)#interface Fa0/18
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 2
S2(config-if)#switchport port-security violation shutdown
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security aging time 120

Step 7: Disable unused ports on S1 and S2.

As a further security measure, disable any ports not being used on the switch.

a. Ports Fa0/1, Fa0/5, and Fa0/6 are used on switch S1. The remaining Fast Ethernet ports and the two
Gigabit Ethernet ports will be shut down.
S1(config)#interface range Fa0/2 - 4
S1(config-if-range)#shutdown
S1(config-if-range)#interface range Fa0/7 - 24
S1(config-if-range)#shutdown
S1(config-if-range)#interface range gigabitethernet0/1 - 2
S1(config-if-range)#shutdown
b. Ports Fa0/18 and Gi0/1 are used on switch S2. The remaining Fast Ethernet ports and the Gigabit
Ethernet ports will be shut down.
S2(config)#interface range Fa0/2 - 17
S2(config-if-range)#shutdown
S2(config-if-range)#interface range Fa0/19 - 24
S2(config-if-range)#shutdown
S2(config-if-range)#exit
S2(config)#interface gigabitethernet0/2
S2(config-if)#shutdown

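The trunk hardening from Task 1 (Steps 2 to 7) and the access-port controls from Tasks 2 to 4, including shutting down unused ports, can be checked mechanically against a running configuration. The following Python script is an added example, not part of the lab: it splits an IOS running-config into interface blocks and reports which of those controls each port lacks; the sample config (modelled on S1) and the rule set are constructed assumptions.

```python
"""Added example (not the lab's own code): audit a constructed S1-like running-config for this lab's Layer 2 hardening."""

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50.00
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
!
interface GigabitEthernet0/1
 spanning-tree guard root
!
"""

# Tasks 2 to 4: every in-use access port must carry all three of these
ACCESS_RULES = {"spanning-tree portfast": "PortFast missing",
                "spanning-tree bpduguard enable": "BPDU guard missing",
                "switchport port-security": "port security missing"}

def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} from a running-config."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the block
    return blocks

def audit(config):
    """Return {interface: [findings]}; an empty list means the port passes."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        issues = []
        if has("switchport mode trunk"):  # Task 1: trunk hardening
            if not has("switchport nonegotiate"):
                issues.append("DTP not disabled")
            if not has("switchport trunk native vlan") or "switchport trunk native vlan 1" in lines:
                issues.append("native VLAN left at 1")
            if not has("storm-control broadcast"):
                issues.append("no broadcast storm control")
        elif has("switchport mode access"):
            issues += [msg for cmd, msg in ACCESS_RULES.items() if not has(cmd)]
        elif not has("shutdown"):  # Task 4 Step 7: unused ports are shut down
            issues.append("unused port not shut down")
        report[name] = issues
    return report

if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(f"{port:20} {'; '.join(issues) or 'OK'}")
```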
Step 8: (Optional) Move active ports to a VLAN other than the default VLAN 1.

As a further security measure, you can move all active end user and router ports to a VLAN other than the
default VLAN 1 on both switches.

a. Configure a new VLAN for users on each switch using the following commands:
S1(config)#vlan 20
S1(config-vlan)#name Users

S2(config)#vlan 20
S2(config-vlan)#name Users
b. Add the current active access (non-trunk) ports to the new VLAN.
S1(config)#interface range fa0/5 - 6
S1(config-if)#switchport access vlan 20

S2(config)#interface fa0/18
S2(config-if)#switchport access vlan 20
Note: This will prevent communication between end user hosts and the management VLAN IP address of the
switch, which is currently VLAN 1. The switch can still be accessed and configured using the console
connection.

If you need to provide Telnet or SSH access to the switch, a specific port can be designated as the
management port and added to VLAN 1 with a specific management workstation attached. A more elaborate
solution is to create a new VLAN for switch management (or use the existing native trunk VLAN 99) and
