Computer Network Security teaching resources

Chapter 6 Lab A: Securing Layer 2 Switches (Instructor Version)

Grey Highlighting – indicates answers provided on instructor lab copies only

Topology


IP Addressing Table

Device   Interface   IP Address     Subnet Mask      Default Gateway   Switch Port
R1       Fa0/1       192.168.1.1    255.255.255.0    N/A               S1 FA0/5
S1       VLAN 1      192.168.1.2    255.255.255.0    N/A               N/A
S2       VLAN 1      192.168.1.3    255.255.255.0    N/A               N/A
PC-A     NIC         192.168.1.10   255.255.255.0    192.168.1.1       S1 FA0/6
PC-B     NIC         192.168.1.11   255.255.255.0    192.168.1.1       S2 FA0/18

Objectives

Part 1: Configure Basic Switch Settings

  • Build the topology.

  • Configure the host name, IP address, and access passwords.

Part 2: Configure SSH Access to the Switches

  • Configure SSH access on the switch.

  • Configure an SSH client to access the switch.

  • Verify the configuration.

Part 3: Secure Trunks and Access Ports

  • Configure trunk port mode.

  • Change the native VLAN for trunk ports.

  • Verify trunk configuration.

  • Enable storm control for broadcasts.

  • Configure access ports.

  • Enable PortFast and BPDU guard.

  • Verify BPDU guard.

  • Enable root guard.

  • Configure and verify port security.

  • Disable unused ports.

  • Move ports from default VLAN 1 to alternate VLAN.

  • Configure the PVLAN Edge Feature on a port.

Part 4: Configure SPAN and Monitor Traffic

  • Configure Switched Port Analyzer (SPAN).

  • Monitor port activity using Wireshark.

  • Analyze a sourced attack.

Background

The Layer 2 infrastructure consists mainly of interconnected Ethernet switches. Most end-user devices, such as computers, printers, IP phones and other hosts, connect to the network via Layer 2 access switches. As a result, switches can present a network security risk. Similar to routers, switches are subject to attack from malicious internal users. The switch Cisco IOS software provides many security features that are specific to switch functions and protocols.

In this lab, you configure SSH access and Layer 2 security for switches S1 and S2. You also configure various switch protection measures, including access port security, switch storm control, and Spanning Tree Protocol (STP) features such as BPDU guard and root guard. Lastly, you use Cisco SPAN to monitor traffic to specific ports on the switch.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). The switch commands and output are from a Cisco WS-C2960-24TT-L with Cisco IOS Release 12.2(46)SE (C2960-LANBASEK9-M image). Other routers, switches, and IOS versions may be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router or switch model and IOS version, the commands available and output produced might vary from what is shown in this lab.

Note: Make sure that the router and the switches have been erased and have no startup configurations.

Instructor Note: Instructions for erasing switches and routers are provided in the Lab Manual, located on Academy Connection in the Tools section.

Required Resources

  • One router (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)

  • Two switches (Cisco 2960 or comparable with cryptography IOS image for SSH support – Release 12.2(46)SE or comparable)

  • PC-A: Windows XP, Vista or Windows 7 with PuTTY SSH client and Wireshark

  • PC-B: Windows XP, Vista or Windows 7 with PuTTY SSH client and SuperScan (optional)

  • Ethernet cables as shown in the topology

  • Rollover cables to configure the switches via the console

Instructor Notes:

  • This lab is divided into four parts. Each part can be administered individually or in combination with others as time permits. The focus is configuring security measures on switches S1 and S2. Router R1 serves as a gateway connection and is mainly used to change the MAC address connected to switch S1 for port security testing.

  • Students can work in teams of two for switch configuration, one person configuring S1 and the other configuring S2.

  • The basic running configs for the router and two switches are captured after Parts 1 and 2 of the lab are completed. The running config for S1 and S2 are captured after Parts 3 and 4 and are listed separately. All configs are found at the end of the lab.

Part 1: Basic Device Configuration


In Part 1 of this lab, you set up the network topology and configure basic settings such as the host names, IP addresses, and device access passwords.

Note: Perform all tasks on router R1 and switches S1 and S2. The procedure for S1 is shown here as an example.

Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram and cable as necessary.

Step 2: Configure basic settings for the router and each switch.

Configure host names as shown in the topology.

Configure interface IP addresses as shown in the IP Addressing Table. The configuration of the VLAN 1 management interface on switch S1 is shown here.

S1(config)#interface vlan 1

S1(config-if)#ip address 192.168.1.2 255.255.255.0

S1(config-if)#no shutdown

Configure the enable secret and console passwords.

S1(config)#enable secret cisco12345

S1(config)#line console 0

S1(config-line)#password ciscoconpass

S1(config-line)#exec-timeout 5 0

S1(config-line)#login

S1(config-line)#logging synchronous

Note: Do not configure the switch vty access at this time. The vty lines are configured on the switches in Part 2 for SSH access.

Configure the vty lines and password on R1.

R1(config)#line vty 0 4

R1(config-line)#password ciscovtypass

R1(config-line)#exec-timeout 5 0

R1(config-line)#login

To prevent the router or switch from attempting to translate incorrectly entered commands, disable DNS lookup. Router R1 is shown here as an example.

R1(config)#no ip domain-lookup

HTTP access to the switch is enabled by default. To prevent HTTP access, disable the HTTP server and HTTP secure server.

S1(config)#no ip http server

S1(config)#no ip http secure-server

Note: The switch must have a cryptography IOS image to support the ip http secure-server command. HTTP access to the router is disabled by default.
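The Step 2 settings above (enable secret, console password with exec-timeout and login, DNS lookup disabled, HTTP and HTTPS servers disabled, vty lines protected where they exist) can be checked against a saved running-config instead of by eye. The Python script below is an added example and is not part of the lab or of any Cisco tool; the two configurations it parses are constructed samples, not captures from S1, and the enable-secret hash in the hardened sample is a placeholder.

```python
"""Check a saved Cisco IOS running-config against the Part 1 hardening steps.

Added example, not part of the lab. The two configs below are constructed
samples, not captures from S1; the enable-secret hash is a placeholder.
"""
import re
from typing import List, Optional, Tuple

Section = Tuple[str, List[str]]  # (top-level line, its indented child lines)

# Constructed: a switch on which several Part 1 steps were skipped.
WEAK_CONFIG = """\
hostname S1
!
enable password cisco12345
ip http server
ip http secure-server
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 password ciscoconpass
 login
line vty 0 4
 password ciscovtypass
 login
!
end
"""

# Constructed: the same switch after Step 2 of Part 1.
HARDENED_CONFIG = """\
hostname S1
!
enable secret 5 $1$PLACEHOLDER$notarealhash
no ip domain-lookup
no ip http server
no ip http secure-server
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 exec-timeout 5 0
 password ciscoconpass
 logging synchronous
 login
!
end
"""


def parse_ios_config(text: str) -> List[Section]:
    """Group the config into blocks: IOS indents the lines that belong to an
    interface or line block by one space; other commands stand alone."""
    sections: List[Section] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def find_block(sections: List[Section], prefix: str) -> Optional[List[str]]:
    """Return the child lines of the first block whose header starts with prefix."""
    return next((kids for hdr, kids in sections if hdr.startswith(prefix)), None)


def audit_line(name: str, kids: Optional[List[str]], required: bool) -> List[str]:
    """Findings for one console/vty block: password enforced, idle timeout set."""
    if kids is None:
        return [f"{name}: line block missing"] if required else []
    out: List[str] = []
    if not any(k.startswith("password ") for k in kids) and "login local" not in kids:
        out.append(f"{name}: no password set")
    if not any(k == "login" or k.startswith("login ") for k in kids):
        out.append(f"{name}: 'login' missing, so the password is never asked for")
    timeout = next((k for k in kids if k.startswith("exec-timeout")), None)
    if timeout is None:
        out.append(f"{name}: exec-timeout not set")
    elif timeout.split()[1:] == ["0", "0"]:
        out.append(f"{name}: 'exec-timeout 0 0' never disconnects idle sessions")
    return out


def audit_part1(text: str) -> List[str]:
    """Return findings; an empty list means every Part 1 check passed."""
    sections = parse_ios_config(text)
    tops = [hdr for hdr, _ in sections]
    findings: List[str] = []
    # 'enable secret' is stored hashed; 'enable password' is plaintext or type 7.
    if not any(t.startswith("enable secret") for t in tops):
        findings.append("no 'enable secret' configured")
    if any(t.startswith("enable password") for t in tops):
        findings.append("'enable password' present; replace it with 'enable secret'")
    # IOS writes the disabled state as 'no ip domain-lookup' (or 'no ip domain lookup').
    if not any(re.fullmatch(r"no ip domain[- ]lookup", t) for t in tops):
        findings.append("DNS lookup still enabled ('no ip domain-lookup' missing)")
    # Both web-management servers must be explicitly off.
    for svc in ("ip http server", "ip http secure-server"):
        if f"no {svc}" not in tops:
            findings.append(f"'{svc}' not disabled")
    findings += audit_line("console", find_block(sections, "line con 0"), required=True)
    # Switch vty lines stay unconfigured until Part 2; audit them only if present.
    findings += audit_line("vty", find_block(sections, "line vty"), required=False)
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_part1(cfg) or ['OK']}")
```

Paste the output of show running-config into a file and pass its contents to audit_part1() to get the list of Step 2 settings that are still missing; the constructed weak sample yields seven findings, the hardened one none. Because IOS omits default values from the running-config, the checks look for the explicit "no ..." lines that the lab's commands produce rather than for the absence of the enabled form.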

Step 3: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A and PC-B as shown in the IP Addressing Table.

Step 4: Verify basic network connectivity.

  1. Ping from PC-A and PC-B to the R1 Fa0/1 interface at IP address 192.168.1.1. Were the results successful? Yes.

If the pings are not successful, troubleshoot the basic device configurations before continuing.

  2. Ping from PC-A to PC-B. Were the results successful? Yes.

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Step 5: Save the basic configurations for the router and both switches.

Save the running configuration to the startup configuration from the privileged EXEC prompt.

S1#copy running-config startup-config

Part 2: SSH Configuration


In Part 2 of this lab, you configure switches S1 and S2 to support SSH connections and install SSH client software on the PCs.

Note: A switch IOS image that supports encryption is required to configure SSH. Otherwise, you cannot specify SSH as an input protocol for the vty lines and the crypto commands are not available.