Wednesday, June 11, 2014

SSH should replace Telnet for management connections


Device   Interface   IP Address    Subnet Mask
S1       VLAN 1      10.10.10.2    255.255.255.0
PC1      NIC         10.10.10.10   255.255.255.0

SSH should replace Telnet for management connections. Telnet uses insecure plain text communications. SSH provides security for remote connections by providing strong encryption of all transmitted data between devices. In this activity, you will secure a remote switch with password encryption and SSH.

S1 already accepts Telnet, so we first connect from PC1 to S1 over Telnet and use that session to change the switch from Telnet to SSH access.

From the PC1 command prompt, Telnet to the S1 VLAN IP address:

PC>telnet 10.10.10.2
Trying 10.10.10.2 ...Open
User Access Verification
Password:
S1>enable
Password:
S1#

Configure the domain name to nrt.com:

S1#conf t
S1(config)#ip domain-name nrt.com

Secure keys are needed to encrypt the data. Generate the RSA keys with a 1024-bit modulus:

S1(config)#crypto key generate rsa
The name for the keys will be: S1.nrt.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Create a local user account for SSH logins and encrypt the plaintext passwords stored in the configuration:

S1(config)#username administrator password sshlogin
S1(config)#service password-encryption

Configure the VTY lines to check the local username database for login credentials and to allow only SSH for remote access. Remove the existing VTY line password:

S1(config)#line vty 0 15
S1(config-line)#login local
S1(config-line)#no password
S1(config-line)#transport input ssh

Exit the Telnet session and attempt to log back in using Telnet; the attempt should fail. Then log in using SSH with the command below at the PC1 command prompt (password: sshlogin).

PC>ssh -l administrator 10.10.10.2
Open
Password:
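To check that a switch actually reached the state described above, here is an added example (not part of the original post) that audits a running-config text for each hardening step: password encryption, domain name, RSA modulus, `login local`, no leftover line password, and SSH-only transport. The two sample configs are constructed; the type-7 string in the hardened one is a placeholder.

```python
# Constructed sample in the style of this page's Telnet walkthrough (line password, plain login, no SSH prerequisites).
TELNET_ONLY_CONFIG = """\
enable password telnet123
line vty 0 4
 password telnet321
 login
"""

# Constructed sample of the state reached at the end of the SSH walkthrough (type-7 string is a placeholder).
SSH_HARDENED_CONFIG = """\
service password-encryption
ip domain-name nrt.com
username administrator password 7 0102030405
line vty 0 15
 login local
 transport input ssh
"""

def parse_config(text):
    """Split a running-config into global lines and the lines indented under 'line vty'."""
    global_lines, vty_lines, in_vty = [], [], False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            in_vty = raw.startswith("line vty")
            global_lines.append(raw.strip())
        elif in_vty:
            vty_lines.append(raw.strip())
    return global_lines, vty_lines

def audit_remote_access(config_text, rsa_modulus_bits=None):
    """Return findings; empty = matches the page's SSH-only target. RSA bits are passed separately (not in running-config)."""
    g, vty = parse_config(config_text)
    findings = []
    if "service password-encryption" not in g:
        findings.append("service password-encryption missing: line passwords stored in clear text")
    if not any(l.startswith("ip domain-name") for l in g):
        findings.append("ip domain-name missing: RSA keys cannot be generated")
    if rsa_modulus_bits is None:
        findings.append("no RSA key pair: SSH server cannot start")
    elif rsa_modulus_bits < 1024:
        findings.append(f"RSA modulus {rsa_modulus_bits} bits is below the 1024 used on the page")
    if "login local" not in vty:
        findings.append("vty lines do not use 'login local': no per-user accounts")
    if any(l.startswith("password") for l in vty):
        findings.append("vty line password still present: remove it with 'no password'")
    if "transport input ssh" not in vty:
        findings.append("vty transport is not restricted to SSH: Telnet still accepted")
    return findings
```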

Port Security by MAC Address Sticky

Device         Interface   IP Address    Subnet Mask
S1             VLAN 1      10.10.10.2    255.255.255.0
PC1            NIC         10.10.10.10   255.255.255.0
PC2            NIC         10.10.10.11   255.255.255.0
Rogue Laptop   NIC         10.10.10.12   255.255.255.0

Port security allows you to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.

Sticky MAC address configuration on interface FastEthernet 0/1, where the MAC address of PC1 is learned and retained:

S1#conf t
S1(config)#interface fastEthernet 0/1
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 1
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#switchport port-security mac-address 00E0.B027.2245
S1(config-if)#switchport port-security violation restrict

Sticky MAC address configuration on interface FastEthernet 0/2, where the MAC address of PC2 is learned and retained:

S1#conf t
S1(config)#interface fastEthernet 0/2
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 1
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#switchport port-security mac-address 0001.647C.697E
S1(config-if)#switchport port-security violation restrict

Disconnect PC2 and connect the rogue laptop to PC2's port. Verify that the rogue laptop is unable to ping PC1.
Disconnect the rogue laptop and reconnect PC2. Verify that PC2 can ping PC1.
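The following added example (not from the original post) models the port-security behaviour tested above: a port with `maximum 1` and sticky learning, replaying PC2, then the rogue laptop, then PC2 again, with the three violation modes so the difference between `restrict` (the page's choice), `protect` and `shutdown` is visible. PC2's MAC is the page's; the rogue MAC and the log text are constructed.

```python
class PortSecurityPort:
    """Model of one access port with 'switchport port-security' and sticky learning.
    mode: 'protect' (drop silently), 'restrict' (drop, count, log; the page's choice),
    or 'shutdown' (err-disable the port)."""

    def __init__(self, name, maximum=1, mode="restrict"):
        self.name, self.maximum, self.mode = name, maximum, mode
        self.secure_macs = []     # sticky addresses, as they would appear in running-config
        self.violations = 0       # the SecurityViolation count of 'show port-security'
        self.err_disabled = False
        self.log = []             # constructed log text, modelled on IOS syslog messages

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        src_mac = src_mac.upper()
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # sticky: learned and retained
            return True
        if self.mode == "protect":             # unknown source above the maximum
            return False
        self.violations += 1
        if self.mode == "restrict":
            self.log.append(f"port-security violation by {src_mac} on {self.name} (restrict)")
            return False
        self.err_disabled = True               # shutdown mode: port goes err-disabled
        self.log.append(f"psecure-violation err-disable on {self.name}")
        return False

def run_page_scenario(mode="restrict"):
    """Replay the page's test on Fa0/2: PC2 is learned, a rogue laptop is plugged in twice,
    then PC2 returns. PC2's MAC is the page's; the rogue MAC is constructed."""
    port = PortSecurityPort("FastEthernet0/2", maximum=1, mode=mode)
    pc2, rogue = "0001.647C.697E", "AAAA.BBBB.CCCC"
    forwarded = [port.ingress(pc2), port.ingress(rogue), port.ingress(rogue), port.ingress(pc2)]
    return forwarded, port.violations, port.err_disabled
```

In `restrict` mode the rogue frames are dropped and counted but PC2 works again as soon as it is reconnected, which is exactly what the ping test above checks.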


Configuring Telnet for remote access from a PC to a switch

First connect PC0 and the switch with a console cable, then log in to the switch from the terminal on PC0.


Switch end configuration:
Switch#conf t
Switch(config)#vlan 10
Switch(config-vlan)#exit
Switch(config)#int vlan 10
Switch(config-if)#ip address 192.168.1.1 255.255.255.0
Switch(config-if)#exit
Switch(config)#enable password telnet123
Switch(config)#line vty 0 4
Switch(config-line)#password telnet321
Switch(config-line)#login

Switch(config-line)#exit
Switch(config)#int fa0/1
Switch(config-if)#no shut
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#end
Switch#copy running-config startup-config

Assign an IP address to PC1 as shown in the screenshot.

From the PC1 command prompt, log in to the switch as below:
PC>telnet 192.168.1.1
Trying 192.168.1.1 ...Open
User Access Verification

Password:
Switch>enable
Password:
On the switch you can check which line a user is currently logged in on via Telnet with the command below:
Switch# show users

Configuring PVST


Enable the user ports on S1, S2, and S3 in access mode.

S1#conf t
S1(config)#int fa0/6
S1(config-if)#no shut
S1(config-if)#switchport mode access

S2#conf t
S2(config)#int fa0/18
S2(config-if)#no shut
S2(config-if)#switchport mode access

S3#conf t
S3(config)#int fa0/11
S3(config-if)#no shut
S3(config-if)#switchport mode access

Create VLANs.

S1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
S1(config)#vlan 10
S1(config-vlan)#vlan 20
S1(config-vlan)#vlan 30
S1(config-vlan)#vlan 40
S1(config-vlan)#vlan 50
S1(config-vlan)#vlan 60
S1(config-vlan)#vlan 70
S1(config-vlan)#vlan 80
S1(config-vlan)#vlan 99

Use the same commands to create the VLANs on S2 and S3.

Assign VLANs and IP addresses to the switch ports.

S1(config)#int fa0/6
S1(config-if)#switchport access vlan 30
S1(config)#int vlan 30
S1(config-if)#ip address 172.17.30.1 255.255.255.0

S2(config)#int fa0/18
S2(config-if)#switchport access vlan 20
S2(config)#int vlan 20
S2(config-if)#ip address 172.17.20.1 255.255.255.0

S3(config)#int fa0/11
S3(config-if)#switchport access vlan 10
S3(config)#int vlan 10
S3(config-if)#ip address 172.17.10.1 255.255.255.0

Configure ports F0/1 to F0/4 on all switches as trunks with native VLAN 99.

S1(config)#int range fa0/1-4
S1(config-if-range)#switchport mode trunk
S1(config-if-range)#switchport trunk native vlan 99
S1(config-if-range)#exit
S1(config)#int vlan 99
S1(config-if)#ip address 172.31.99.1 255.255.255.0

S2(config)#int range fa0/1-4
S2(config-if-range)#switchport mode trunk
S2(config-if-range)#switchport trunk native vlan 99
S2(config-if-range)#exit
S2(config)#int vlan 99
S2(config-if)#ip address 172.31.99.2 255.255.255.0

S3(config)#int range fa0/1-4
S3(config-if-range)#switchport mode trunk
S3(config-if-range)#switchport trunk native vlan 99
S3(config-if-range)#exit
S3(config)#int vlan 99
S3(config-if)#ip address 172.31.99.3 255.255.255.0

Configure STP mode.

Configure S1 to be the primary root for VLANs 1, 10, 30, 50, and 70. Configure S3 to be the primary root for VLANs 20, 40, 60, 80, and 99. Configure S2 to be the secondary root for all VLANs.

S1(config)#spanning-tree mode pvst
S1(config)#spanning-tree vlan 1,10,30,50,70 root primary
S3(config)#spanning-tree mode pvst
S3(config)#spanning-tree vlan 20,40,60,80,99 root primary
S2(config)#spanning-tree mode pvst
S2(config)#spanning-tree vlan 1,10,20,30,40,50,60,70,80,99 root secondary
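As an added example (not from the original post), the per-VLAN root election that the commands above produce: `root primary` normally sets the bridge priority to 24576 and `root secondary` to 28672, the VLAN number is added as the extended system ID, and the lowest bridge ID wins each VLAN. It also shows S2 taking over S1's VLANs when S1 is removed. The switch MAC addresses are constructed, since the page does not list them.

```python
DEFAULT_PRIORITY = 32768   # IOS default bridge priority
ROOT_PRIMARY = 24576       # what 'root primary' sets when 24576 already beats the current root
ROOT_SECONDARY = 28672     # what 'root secondary' sets
VLANS = [1, 10, 20, 30, 40, 50, 60, 70, 80, 99]

# Constructed base MACs for the three switches; the page does not list them.
SWITCH_MACS = {"S1": "0001.0000.0001", "S2": "0001.0000.0002", "S3": "0001.0000.0003"}

# The assignment from the page: S1 and S3 primary for their VLAN sets, S2 secondary for all.
PAGE_CONFIG = {
    "S1": {"primary": [1, 10, 30, 50, 70]},
    "S3": {"primary": [20, 40, 60, 80, 99]},
    "S2": {"secondary": VLANS},
}

def build_priorities(page_config):
    """Return {switch: {vlan: priority}}, using the IOS default for VLANs not mentioned."""
    table = {}
    for sw, roles in page_config.items():
        table[sw] = {v: DEFAULT_PRIORITY for v in VLANS}
        for v in roles.get("primary", []):
            table[sw][v] = ROOT_PRIMARY
        for v in roles.get("secondary", []):
            table[sw][v] = ROOT_SECONDARY
    return table

def bridge_id(priority, vlan, mac):
    """PVST+ bridge ID: priority plus the VLAN as extended system ID, then the MAC as tie-breaker."""
    return (priority + vlan, mac)

def elect_roots(priorities, alive=None):
    """Per-VLAN root = the live switch with the numerically lowest bridge ID."""
    alive = alive if alive is not None else set(priorities)
    roots = {}
    for v in VLANS:
        roots[v] = min((bridge_id(priorities[sw][v], v, SWITCH_MACS[sw]), sw)
                       for sw in priorities if sw in alive)[1]
    return roots
```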

Configure PortFast on the user (access) ports of the switches, for example Fa0/6 on S1:

S1(config)#int fa0/6
S1(config-if)#spanning-tree portfast

Configure BPDU guard on the same ports:

S1(config-if)#spanning-tree bpduguard enable

Configuring IPv4 Static and Default Routes



A static route is declared with either a next-hop address or an exit interface. On R1, three networks are added using the exit interface:

R1#conf t
R1(config)#ip route 172.31.0.0 255.255.255.0 serial 0/0/0
R1(config)#ip route 172.31.1.196 255.255.255.252 serial 0/0/0
R1(config)#ip route 172.31.1.128 255.255.255.192 serial 0/0/0
R1(config)#exit

After declaring the static routes, the command below shows the routing table of this router, with the static routes marked S:

R1#show ip route
Gateway of last resort is not set
     172.31.0.0/16 is variably subnetted, 7 subnets, 5 masks
S       172.31.0.0/24 is directly connected, Serial0/0/0
C       172.31.1.0/25 is directly connected, GigabitEthernet0/0
L       172.31.1.1/32 is directly connected, GigabitEthernet0/0
S       172.31.1.128/26 is directly connected, Serial0/0/0
C       172.31.1.192/30 is directly connected, Serial0/0/0
L       172.31.1.194/32 is directly connected, Serial0/0/0
S       172.31.1.196/30 is directly connected, Serial0/0/0


Here we declare static routes on R2 using both options (next-hop address and exit interface):

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip route 172.31.1.0 255.255.255.128 serial 0/0/0
R2(config)#ip route 172.31.1.128 255.255.255.192 172.31.1.198
R2(config)#exit
R2#sh ip route
Gateway of last resort is not set
     172.31.0.0/16 is variably subnetted, 8 subnets, 5 masks
C       172.31.0.0/24 is directly connected, GigabitEthernet0/0
L       172.31.0.1/32 is directly connected, GigabitEthernet0/0
S       172.31.1.0/25 is directly connected, Serial0/0/0
S       172.31.1.128/26 [1/0] via 172.31.1.198
C       172.31.1.192/30 is directly connected, Serial0/0/0
L       172.31.1.193/32 is directly connected, Serial0/0/0
C       172.31.1.196/30 is directly connected, Serial0/0/1
L       172.31.1.197/32 is directly connected, Serial0/0/1

For R3 we take another approach: a default route forwards all packets that match no more specific route to the next-hop address or exit interface:

R3#conf t
R3(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/1
R3(config)#exit
R3#sh ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.31.0.0/16 is variably subnetted, 4 subnets, 3 masks
C       172.31.1.128/26 is directly connected, GigabitEthernet0/0
L       172.31.1.129/32 is directly connected, GigabitEthernet0/0
C       172.31.1.196/30 is directly connected, Serial0/0/1
L       172.31.1.198/32 is directly connected, Serial0/0/1

S*   0.0.0.0/0 is directly connected, Serial0/0/1
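To make the lookup behind these tables concrete, here is an added example (not from the original post) that parses `show ip route` lines in the two forms shown above (`[AD/metric] via next-hop` and `is directly connected, interface`) and performs the longest-prefix match a router does, including the fallback to a `S*` default route. The R2 table is copied from the output above.

```python
import ipaddress
import re

# R2's table as printed on the page (the header lines are kept to show they are skipped).
R2_ROUTES = """\
Gateway of last resort is not set
     172.31.0.0/16 is variably subnetted, 8 subnets, 5 masks
C       172.31.0.0/24 is directly connected, GigabitEthernet0/0
L       172.31.0.1/32 is directly connected, GigabitEthernet0/0
S       172.31.1.0/25 is directly connected, Serial0/0/0
S       172.31.1.128/26 [1/0] via 172.31.1.198
C       172.31.1.192/30 is directly connected, Serial0/0/0
L       172.31.1.193/32 is directly connected, Serial0/0/0
C       172.31.1.196/30 is directly connected, Serial0/0/1
L       172.31.1.197/32 is directly connected, Serial0/0/1
"""
# R3's default route, also from the page.
R3_DEFAULT = "S*   0.0.0.0/0 is directly connected, Serial0/0/1"

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\S+)"
    r"|is directly connected,\s+(?P<iface>\S+))")

def parse_routes(text):
    """Return a list of (network, code, next_hop_or_None, exit_interface_or_None)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:   # header lines such as 'Gateway of last resort' do not match
            routes.append((ipaddress.ip_network(m["prefix"]), m["code"],
                           m["nexthop"], m["iface"]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; a /0 default route only wins when nothing longer matches."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        return None
    return {"prefix": str(best[0]), "code": best[1], "via": best[2] or best[3]}
```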

Configuring EIGRP

Enable the EIGRP routing process:
R1#conf t
R1(config)#router eigrp 1

Advertise directly connected networks:
R1(config-router)#network 172.16.1.0 0.0.0.255
R1(config-router)#network 172.16.3.0 0.0.0.3
R1(config-router)#network 192.168.10.4 0.0.0.3

Disable automatic summarization:
R1(config-router)#no auto-summary

Configure passive interfaces:
R1(config-router)#passive-interface gigabitEthernet 0/0

Same as above for R2 & R3:

R2#conf t
R2(config)#router eigrp 1
R2(config-router)#network 172.16.2.0 0.0.0.255
R2(config-router)#network 192.168.10.8 0.0.0.3
R2(config-router)#network 172.16.3.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#passive-interface gigabitEthernet 0/0

R3#conf t
R3(config)#router eigrp 1
R3(config-router)#network 192.168.10.8 0.0.0.3
R3(config-router)#network 192.168.10.4 0.0.0.3
R3(config-router)#network 192.168.1.0 0.0.0.255
R3(config-router)#no auto-summary
R3(config-router)#passive-interface gigabitEthernet 0/0
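An added example (not from the original post) of what the `network` statements above actually do: an interface joins EIGRP when the bits that are 0 in the wildcard mask match the network, and a passive interface is still advertised but sends no hellos. The R1 interface addresses are constructed (the page does not print them) but are consistent with its network statements.

```python
import ipaddress

# Constructed R1 interface addresses, consistent with the page's R1 network statements.
R1_INTERFACES = {
    "GigabitEthernet0/0": "172.16.1.1",
    "Serial0/0/0": "172.16.3.1",
    "Serial0/0/1": "192.168.10.5",
    "Loopback0": "10.1.1.1",   # constructed: covered by no network statement
}

# The page's R1 statements as (network, wildcard) pairs, and its passive interface.
R1_NETWORK_STATEMENTS = [("172.16.1.0", "0.0.0.255"), ("172.16.3.0", "0.0.0.3"),
                         ("192.168.10.4", "0.0.0.3")]
R1_PASSIVE = {"GigabitEthernet0/0"}

def wildcard_matches(network, wildcard, address):
    """IOS network-statement test: bits that are 0 in the wildcard must equal the network."""
    net, wc, addr = (int(ipaddress.ip_address(x)) for x in (network, wildcard, address))
    care = 0xFFFFFFFF ^ wc          # 1 where the wildcard says 'must match'
    return (addr & care) == (net & care)

def eigrp_interface_state(interfaces, statements, passive):
    """Return {interface: 'active' | 'passive' | 'not in eigrp'}.
    active: sends hellos and is advertised; passive: advertised, no hellos, no neighbors."""
    state = {}
    for iface, addr in interfaces.items():
        covered = any(wildcard_matches(n, w, addr) for n, w in statements)
        if not covered:
            state[iface] = "not in eigrp"
        elif iface in passive:
            state[iface] = "passive"
        else:
            state[iface] = "active"
    return state
```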