TNE10006 Networks and Switching Lab 3

Laboratory Week 3 – Remote Access and Securing your Switch

Aims:

• To enable remote access to the CLI of a switch or router through Telnet.
• To consider basic security issues for switch deployment and configuration.
• To secure remote switch access by moving the management interface to a dedicated VLAN.
• To secure the remote access protocol using SSH.
• To secure the switch against other user attacks through port security.

Background:

Remote Access
In the previous lab (Lab 2) we accessed the switch through its console port over a direct cable. That is how console
access is provided in the Cisco lab; in production environments console ports are usually reached through a console
server (concentrator), and routine management is done over the network. For that, a Telnet server can be enabled on the
switch (or router). Once enabled, you connect from a remote location with a Telnet client, are asked for the line (vty)
password, and are dropped into user EXEC mode (see Lab 2). To reach privileged EXEC (Administrator) mode you then enter the
enable password or secret, if one has been set.

Enabling Telnet is generally a bad idea. Telnet is an insecure protocol: every command and password is sent across the
network as plaintext, so anyone able to sniff packets anywhere on the path can capture your credentials and take over the
device.

Secure Shell (SSH) is a cryptographic network protocol for operating a remote terminal securely over an untrusted network.
All traffic, including the login, is encrypted, and the client authenticates the switch by its host key before any
credentials are sent. In this lab we will also configure the SSH server on the switch and connect to it over SSH.

The Subnet
The word subnet comes from sub-network: a portion of a larger network. Apart from the physical separation of broadcast
domains by layer-3 devices (routers), a network can be logically subdivided in two ways: by grouping switch ports into
VLANs (a switch configuration) and by IP subnetting (a change of subnet mask). This week we look only at the VLAN approach.

Difference between a layer-2 device and a layer-1 device (in the OSI reference model)
A layer-1 Ethernet device such as a hub or repeater simply joins the attached devices electrically. Every device shares
one collision domain: each frame sent by any node is seen by every other node, so there is no privacy, and throughput
falls as collisions increase with the number of nodes.

A layer-2 device such as a switch gives each physical interface (Ethernet port) its own collision domain. The switch
processor decides, using data-link layer information, which port(s) a frame is sent to (unicast, broadcast or multicast)
and checks each frame (frame check sequence) before forwarding it. A unicast frame is normally delivered only to the port
where the destination was learnt, which is what gives switched networks their privacy. Note, however, that broadcasts and
frames to unknown destinations are still sent to every port in the VLAN; this is exactly what the attacks later in this
sheet exploit.


Because the switch controls every port individually, it can logically segment its physical interfaces into separate
groups (each group is effectively its own subnet) through simple configuration. The same grouping can be extended
seamlessly across multiple physically connected switches.

Introduction to VLANs
VLAN technology allows the network administrator to virtually divide one simple physical network Switch into multiple
virtual switches. You can consider a VLAN to be a virtual switch within the larger switch. After a VLAN is created,
individual physical ports are assigned to one of the virtual switches within the physical switch.

With proper VLAN configuration, PCs connected to the same switch can be split into different subnets, as in the diagram
below. Without a router, only PCs in the same VLAN can exchange frames with each other: each VLAN is a separate broadcast
domain.

[Figure: physical network diagram alongside its logical network presentation]

The Default VLAN


The default VLAN on a Cisco switch is VLAN 1. When a Cisco switch first starts without any configuration (freshly
initialised), all ports are enabled and assigned to VLAN 1, so that the switch is usable as an unmanaged switch without
any further configuration.

While having a basic Switch is fine in a simple or small environment where only a single subnet exists (think of your home
router/modem), this becomes problematic in larger environments where we want to take advantage of the ability to deploy
virtual switches within the switch (multiple VLANs).

The security issue: the threat of keeping the default VLAN as the management VLAN.
The problem with leaving the management interface in the default VLAN (VLAN 1) is that every unconfigured port belongs to
VLAN 1. Anyone who plugs a PC (or another switch) into a spare port is immediately in VLAN 1, and therefore on the same
subnet as the switch management interface. That potentially gives direct access to the management network and to the
other networking equipment in the organisation. VLAN 1 cannot be deleted and is also the default native VLAN on trunk
links, so it tends to be present everywhere.

On a layer-2 switch the management IP address is not configured on a physical Ethernet port, as it would be on a router;
it is configured on a switched virtual interface (SVI), called interface vlan N in IOS. You can create an SVI for any
VLAN by giving it an IP address, which makes the switch reachable from that VLAN over the network.

For security reasons it is strongly recommended to remove the management interface from the default VLAN and assign it to
a different, dedicated VLAN to protect against these obvious attacks. In addition, create ONLY one management interface
per switch/router.


In today's lab we will create a second VLAN to act as the management VLAN; you should do this in all switch
configurations for the rest of the semester.

NOTICE: We will NOT be configuring and using multiple VLANs today, we will still place our PCs on the management
VLAN (it just won’t be VLAN 1). We will start configuring and using multiple VLANs next week.

Switch Attacks
There is a range of common attacks on switches aimed at gaining unauthorised access to the network or at stealing network
traffic. We have already covered why the management VLAN should be moved off the default VLAN 1.

Another problem arises when users have physical access to switch ports, either at the switch itself or via a patched wall
port in an office. By default all switch ports are enabled, so plugging a device into a port connects it to the network
immediately. If a port is not intended to be used, it is good practice to disable it.

The threats and possible prevention


Switches work by passively learning which source MAC addresses arrive on which ports and then forwarding each frame only
to the port where its destination MAC address was learnt. The MAC address to port mappings are stored in the MAC address
table (also called the CAM table), and entries age out after a few minutes of inactivity. If a destination MAC address is
unknown, the frame is flooded out of every port in the VLAN except the one it arrived on.

A common attack is to overflow the MAC address table with bogus entries. The attacker sends a stream of frames with
random, fake source MAC addresses; the switch learns each one until the table is full. Once it is full, genuine addresses
that age out cannot be re-learnt, so when a legitimate frame arrives the switch no longer knows the destination's port and
floods the frame out of every port in the VLAN, including the attacker's. The attacker thus receives a copy of other hosts'
traffic in that VLAN, which can be captured and analysed: the switch has effectively been degraded to a hub for that VLAN.

Another common attack is source MAC spoofing. If the attacker sends a frame whose source MAC address is that of the
target PC, the switch assumes the target has moved to the attacker's port and updates the table. Frames addressed to the
target are now delivered to the attacker instead of the real host, until the target transmits again.

A good mitigation for both attacks is port security: limiting which, or how many, MAC addresses may be learnt on each
physical switch port.
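As an added example (not part of the lab sheet), the Python model below simulates a switch MAC table that evicts its oldest entry when full, runs the two attacks just described against it, and then shows how a per-port MAC limit (the essence of port security, with the default shutdown action) stops them. The switch, MAC addresses, port numbers and table size are constructed for illustration; a real switch ages entries out and stops learning when full rather than evicting, but the outcome, flooding of genuine traffic, is the same.

```python
"""Toy model of a switch MAC address table and of the two attacks described
above (MAC table overflow and source MAC spoofing), with a per-port MAC limit
as the mitigation.  Added example, not part of the lab sheet: the MAC
addresses, port numbers and table size are constructed for illustration, and
the violation action modelled is the Cisco default, 'shutdown'."""
from collections import OrderedDict

BROADCAST = "ffff.ffff.ffff"


class Switch:
    """Single-VLAN switch with a bounded MAC table that evicts its oldest entry
    when full, and optional port security (maximum N MAC addresses per port)."""

    def __init__(self, num_ports, table_size):
        self.ports = list(range(1, num_ports + 1))
        self.table_size = table_size
        self.table = OrderedDict()      # mac -> port, oldest entry first
        self.max_macs = {}              # port -> allowed number of MACs (port security)
        self.secure_macs = {}           # port -> MACs learnt on a secured port
        self.err_disabled = set()       # ports shut down after a violation

    def enable_port_security(self, port, maximum=1):
        """Equivalent of 'switchport port-security maximum N' with violation shutdown."""
        self.max_macs[port] = maximum
        self.secure_macs[port] = set()

    def _learn(self, src, in_port):
        """Record src on in_port; return False if port security blocks it."""
        if in_port in self.max_macs:
            allowed = self.secure_macs[in_port]
            if src not in allowed:
                if len(allowed) >= self.max_macs[in_port]:
                    self.err_disabled.add(in_port)   # violation: err-disable the port
                    return False
                allowed.add(src)
        if src in self.table:
            del self.table[src]          # re-insert: handles a host that moved ports
        elif len(self.table) >= self.table_size:
            self.table.popitem(last=False)   # table full: oldest (genuine) entry is lost
        self.table[src] = in_port
        return True

    def forward(self, src, dst, in_port):
        """Return the list of ports a frame from src to dst is sent out of."""
        if in_port in self.err_disabled or not self._learn(src, in_port):
            return []
        if dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]   # known destination: one port
        # unknown destination or broadcast: flood out every other active port
        return [p for p in self.ports if p != in_port and p not in self.err_disabled]


PC1, PC2, ATTACKER = "0000.0000.0001", "0000.0000.0002", "0000.0000.00aa"


def demo_mac_flooding(n_fake=5000):
    """Before: PC1->PC2 goes only to port 20.  After the attacker on port 5
    fills the table with bogus sources, the same frame is flooded to all ports."""
    sw = Switch(num_ports=24, table_size=1000)
    sw.forward(PC1, BROADCAST, 10)
    sw.forward(PC2, BROADCAST, 20)
    before = sw.forward(PC1, PC2, 10)
    for i in range(n_fake):
        sw.forward(f"dead.{i >> 16:04x}.{i & 0xFFFF:04x}", BROADCAST, 5)
    after = sw.forward(PC1, PC2, 10)
    return before, after


def demo_mac_spoofing():
    """The attacker on port 5 claims PC2's MAC; PC1's traffic to PC2 now lands on port 5."""
    sw = Switch(num_ports=24, table_size=1000)
    sw.forward(PC1, BROADCAST, 10)
    sw.forward(PC2, BROADCAST, 20)
    sw.forward(PC2, BROADCAST, 5)
    return sw.forward(PC1, PC2, 10)


def demo_port_security():
    """With a one-MAC limit on port 5, the spoofed frame is a violation: it is
    dropped, the port is err-disabled and PC2's entry stays on port 20."""
    sw = Switch(num_ports=24, table_size=1000)
    sw.enable_port_security(5, maximum=1)
    sw.forward(PC1, BROADCAST, 10)
    sw.forward(PC2, BROADCAST, 20)
    sw.forward(ATTACKER, BROADCAST, 5)       # attacker's own MAC is the one allowed address
    spoof = sw.forward(PC2, BROADCAST, 5)    # second source MAC on the port: violation
    return spoof, sw.forward(PC1, PC2, 10), 5 in sw.err_disabled


if __name__ == "__main__":
    print("flooding:", demo_mac_flooding())
    print("spoofing:", demo_mac_spoofing())
    print("port security:", demo_port_security())
```

Running the script shows PC1's unicast to PC2 reaching only port 20 before the flood and 23 ports (including the attacker's port 5) after it, the spoofed entry redirecting PC2's traffic to port 5, and the secured port being err-disabled on the first extra address, leaving the genuine table entry intact.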

Building a Network
There is a defined process for constructing a network that makes errors easier to detect and troubleshoot: build from the
bottom layer up. That way, if something does not work, the fault lies in the last step you completed. An outline of the
steps is:
1. Physical layer. Ensure that all devices are connected where they are supposed to be.
   a. Connected to the wrong device: if your PC is supposed to be plugged into Switch 1, check that it is not in Router 2.
   b. Connected to the wrong port: if it should be in f0/12, check that it is not in f0/15. If the cable is plugged into
      f0/15 and you configure f0/12, nothing is ever going to work. Never assume you did things properly; cabling problems
      are very common, which is why the first thing the PC help desk asks is "Is your computer plugged into the power
      outlet and is the power turned on?"
2. Configure interfaces.
   a. Enable the correct VLANs on the correct interfaces.
   b. Configure IP on all interfaces on all devices (switches, routers and PCs).
   c. Make sure each device can successfully ping every directly connected device (on the same VLAN).
      • If point-to-point neighbours cannot talk to each other, remote devices have no chance, because the link they
        need is broken. This is one of the key tests.
      • In lab exams we often see people who have configured routing on top of broken or non-functioning links and
        then waste their time debugging routing tables when the error is not there.
      • If the pings fail, check the interface status and the IP address/subnet mask configuration to ensure the
        connected devices are on the same network. Also check that you used the IP addresses you were instructed to use.
3. Configure VLAN trunking.
   a. If trunking is used, ensure that the correct VLANs are carried on the trunk and that all devices in a given VLAN
      can reach each other across the trunk link.
   b. If a trunk is set up incorrectly, some VLANs may not extend across the switches, and devices in that VLAN on one
      switch will not be able to talk to devices in the same VLAN on another. Your router will likely also be connected
      via a VLAN trunk, so check that every router sub-interface is reachable from devices in its VLAN.
4. Configure routing.
   a. Every device has to know how to reach every other network through its routing table. Ensure that the routing
      table on the router(s) contains entries for all VLAN networks in your system.
   b. If an entry is missing, find out why before adding it. In a VLAN-based switching environment this typically means
      a router interface or sub-interface is misconfigured.
5. Test.
   a. Make sure each device can successfully ping every other device in the network.
   b. If a device has multiple IP addresses (a router), test against all of them. If even one device cannot ping one
      other device, something is broken, your network does not work, and, if this is the lab exam, you will fail.
6. Security.
   a. Finally, don't forget to configure and test the security items, such as switch port security, and to ensure that
      ports are allocated to the right VLANs and, where necessary, disabled.

Methodology:

Part 1: Remote Access configurations


Last week you learnt how to configure simple user access through the remote terminal. When a Telnet connection is set
up, it allows a generic user to connect to a switch/router remotely over the Ethernet network and perform configuration
exactly as if connected directly through the console terminal.

Enabling the Telnet server (by setting a password with the password command and enabling it with the login command on
the vty lines) immediately allows remote systems to reach the switch on the Telnet port (TCP port 23). You will get a
warning that Telnet access is not enabled until you also set the password. On some switches/routers you will also be
warned when enabling Telnet without an Administrator (enable) password; you may ignore this warning in the lab, but in
practice set an enable secret before exposing any remote access. When an application connects to TCP port 23 on the
device:
• The device connects the input and output of the TCP connection to the first free VTY line of the sixteen on the
  switch (five on the router). All input from the network goes to the virtual terminal, and all terminal output goes
  back over the network.
• The Telnet application on the PC becomes the monitor/keyboard used to access the device's configuration modes.
• Up to seventeen people can configure the switch concurrently (six on the router): one on the console port and sixteen
  via Telnet.

In the last lab we used PuTTY to reach the remote switch/router on the same network. We also learnt that the
Administrator (privileged EXEC) password must be configured before a Telnet user can browse and configure the remote
network device.
• In Packet Tracer there is no PuTTY; test from the Command Prompt on a PC's desktop with the telnet command, for
  example: telnet 192.168.0.1 23

Assume the hostname of the device (e.g. a switch) is "MySwitch" for the rest of the examples in this document.


Configure a local user account with specific rights


Telnet supports both generic (shared) login and individual local user accounts. You have learnt how to configure a
generic login (one password for everyone). Cisco IOS also lets you connect to a remote network device with individual
accounts that carry their own access privileges.

NOTE: with the privilege 15 account configured below, a successful login lands directly in privileged EXEC (Administrator)
mode; user EXEC mode and the enable password are bypassed.

Managing local accounts


To create a local user account on the switch, issue the command:
MySwitch(config)#username labuser privilege 15 secret labpassword

This creates a user account with the username labuser and the password labpassword. The secret keyword stores the
password as a hash in the configuration, whereas the older password keyword stores it in clear text, so always use secret.
A privilege level of 15 gives full administrator (enable-mode) access to the switch. Lower levels can create administrators
with partial privileges, but creating accounts with privilege levels other than 15 is beyond the scope of the CCNA
curriculum.
• You can change a user's password by re-issuing the command with a new password.
• You can create more than one user, each with its own password.
• You can remove a user account with:
MySwitch(config)#no username labuser

USEFUL TIP: To make the Telnet server (and later the SSH server) authenticate against the local accounts, use the
following command on the vty lines instead of the plain "login" command:

MySwitch(config-line)#login local

Configuring the Secure Shell (SSH) server on a Cisco network devices


As mentioned, Telnet is insecure, so we use SSH instead, which encrypts all communications. To do this we need to:
• Disable the Telnet server on the device and enable the SSH server
• Give the switch a fully qualified domain name (the RSA key is labelled with it)
• Generate an RSA key pair for the switch; its public half is the SSH host key, which is sent to connecting clients so
  they can authenticate the switch (this lab sheet calls it the "SSH certificate")
• Create a local account on the switch with administrative privileges; this account is used to log in via SSH

Naming the network device with a Fully Qualified Domain Name


To generate the key pair successfully you must both change the device name from the default (e.g. Switch) to something
else and configure a domain for the device to live in. Together they form a fully qualified domain name (FQDN), which
labels the key. The FQDN does not need to be a valid DNS name; you just need to create one.
• You must do this before generating the SSH key

To configure the domain name ccna.lab, issue the command:

MySwitch(config)#ip domain-name ccna.lab

If your device (e.g. switch) is called MySwitch, its FQDN is now MySwitch.ccna.lab

Creating the SSH host key (the "SSH certificate")

With the FQDN set, generate the RSA key pair; the FQDN must exist first because the key is labelled with it. At the CLI
(e.g. in your PuTTY session), issue:

MySwitch(config)#crypto key generate rsa general-keys modulus 1024

On older Packet Tracer versions (simulator versions before 7.0) the command is interactive instead:
MySwitch(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024

This generates an RSA key pair with a 1024-bit modulus. Note that 1024-bit RSA is below current recommendations; on real
equipment use modulus 2048 or larger (SSH version 2 on IOS needs a key of at least 768 bits, and 2048 is the usual
choice). If you later change the hostname or domain name, regenerate the key so that its label matches the new name. Be
aware that whenever the host key changes, SSH clients that cached the old key will warn that the host key has changed,
which is exactly the warning they should take seriously during a man-in-the-middle attack, so tell users in advance and
give them the new fingerprint (see show crypto key mypubkey rsa).
• To remove the generated key pair, use:
MySwitch(config)#crypto key zeroize rsa
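As an added example (not part of the lab sheet), the Python script below shows what an SSH client computes from the host key the switch presents: the ssh-rsa wire encoding, the SHA256 fingerprint that OpenSSH prints, and the known_hosts comparison that produces the "host key changed" warning after a key is regenerated (or during a man-in-the-middle attack). The key values are constructed (a small modulus, not a real switch key), the known_hosts format is OpenSSH's, and it is assumed the switch's public key has been exported in OpenSSH format.

```python
"""SSH host-key fingerprinting: the check a client makes against the RSA key
the switch generates with 'crypto key generate rsa'.
Added example, not part of the lab sheet: the key material below is a small,
constructed RSA public key used only to exercise the encoding; real switch
keys are 2048 bits or more."""
import base64
import hashlib
import struct


def _mpint(n: int) -> bytes:
    """SSH 'mpint' encoding (RFC 4251): big-endian, length-prefixed, with a
    leading zero byte when the top bit is set so the value reads as positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _sshstr(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def encode_ssh_rsa(e: int, n: int) -> bytes:
    """Wire format of an 'ssh-rsa' public key: string "ssh-rsa", mpint e, mpint n."""
    return _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)


def decode_ssh_rsa(blob: bytes):
    """Parse the wire format back into (e, n); raises ValueError on anything else."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, blob: bytes) -> str:
    """One OpenSSH known_hosts entry: '<host> ssh-rsa <base64 blob>'."""
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


def host_key_matches(known_hosts: str, host: str, presented: bytes) -> bool:
    """The client-side check: does the key the switch presents match the one
    recorded for this host?  A mismatch is the 'host key changed' warning users
    see after the key is regenerated, or when someone is in the middle."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == host and parts[1] == "ssh-rsa":
            return base64.b64decode(parts[2]) == presented
    return False   # unknown host: a real client asks the user to confirm the fingerprint


if __name__ == "__main__":
    e, n = 65537, (1 << 511) + 12345          # constructed, not a real key
    blob = encode_ssh_rsa(e, n)
    print(fingerprint(blob))
    kh = known_hosts_line("192.168.0.1", blob)
    print("same key:", host_key_matches(kh, "192.168.0.1", blob))
    print("regenerated key:", host_key_matches(kh, "192.168.0.1", encode_ssh_rsa(e, n + 2)))
```

The fingerprint string is the one ssh-keygen -lf prints for the same public key, so an administrator can publish it after running crypto key generate rsa and users can compare it against the value their client shows on first connection or after a "host key changed" warning.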

Modify the SSH server configuration (optional)

The following global-configuration commands modify how the SSH server operates:

MySwitch(config)#ip ssh time-out N
Abandon an SSH negotiation if the client has not completed it within N seconds (maximum 120). Note that this applies
to the connection set-up phase only; idle sessions are logged off by the exec-timeout command under the vty lines.

MySwitch(config)#ip ssh authentication-retries N
Allow a maximum of N attempts (up to 5) to enter the password at login.

MySwitch(config)#ip ssh version 2
Accept only SSH protocol version 2; version 1 has known weaknesses and should not be offered.

Configuring SSH Access to the cisco network devices


Enable the SSH server on the switch/router with the following commands.

Notice: this only works on IOS images that include SSH (crypto) support.

MySwitch(config)#line vty 0 15
First, configure the virtual terminal (vty) lines on the switch. Cisco network devices have virtual terminals (or virtual
consoles); 0 and 15 mean we wish to configure virtual lines 0 to 15 (all sixteen). The line command selects a
connection, and we enter a sub-configuration mode, as shown by the change in prompt; it is the same sub-configuration
mode used when configuring the console line. Cisco routers have only five vty lines, numbered 0 to 4, so use line vty 0 4
there.

MySwitch(config-line)#login local
Setting a line password is not necessary because login uses the individual local accounts. The login local command tells
the device to accept logins only with one of the registered local user accounts.

MySwitch(config-line)#transport input ssh
Finally, tell the device that these lines accept incoming connections over SSH only; this also disables Telnet on them.

Disabling Telnet or SSH remote access


We can disable the Telnet/SSH access configured previously with the following commands; transport input none refuses all
incoming connections on the vty lines, whether Telnet or SSH:

MySwitch(config)#line vty 0 15
MySwitch(config-line)#no password
MySwitch(config-line)#no login
MySwitch(config-line)#transport input none
MySwitch(config-line)#end

Part 2: A VLAN Vs. a Management VLAN

Moving the management VLAN (network switches only)

As mentioned, it is good security practice to assign the management IP address to a VLAN other than the default VLAN 1.
Note that VLAN 1 itself is always active and holds every unconfigured port; it is only its SVI (interface vlan 1) that is
usually shut down by default on a switch. Keep it that way and do not make VLAN 1 the management VLAN. Moving the
management interface does not by itself stop any attack: its purpose is to ensure that someone who plugs into a spare
port, and so lands in VLAN 1, is not automatically on the management subnet. Combine it with disabling unused ports and
port security.


Create a new VLAN


Cisco switches implement the IEEE 802.1Q standard, which allows VLAN IDs from 1 to 4094. The output of VLAN-related
commands is a formatted view of the contents of the vlan.dat file. Your switch comes pre-configured with five VLANs:
VLAN 1 is the default VLAN for Ethernet, and VLANs 1002-1005 are legacy defaults for FDDI and Token Ring that we will
not use. Note that VLAN 1 is named "default", is active, and has every physical port on the switch assigned to it (as
discussed in the Background section of this lab sheet). To create a new VLAN, use the following commands:

Configure a VLAN with the number 99; if it does not exist it is created. Normal-range VLANs take the numbers 1-1005, and
given the reserved defaults we can use any number from 2-1001. The prompt changes to the VLAN sub-configuration mode, and
the VLAN is created immediately with the name VLAN0099 (based on its number) and made active:
MySwitch(config)#vlan 99

Set the VLAN name. Names make it easier to check that you have allocated the correct ports to the correct VLAN, so use
something descriptive; here it is set to "Management". You can remove the name with "no name" or change it by re-running
the "name" command:
MySwitch(config-vlan)#name Management

Leave configuration mode:
MySwitch(config-vlan)#end

The commands above create a new VLAN, VLAN 99. To examine the VLANs currently configured on the switch, run:
MySwitch#show vlan brief

Note that the newly created VLAN has a name but no physical interfaces (Ethernet ports) allocated to it yet. Part 3 of
this lab sheet shows how to assign a physical interface (or move an existing port) to a VLAN ID you have created.

Create an Interface VLAN


Creating a VLAN named "Management" does not by itself make it a management interface. An interface VLAN (SVI) is the
VLAN-level virtual interface through which the switch itself can be reached over the network; a VLAN becomes a usable
interface VLAN only once an IP address has been assigned to its SVI.

Now that the management VLAN (VLAN 99) exists, we need to assign an IP address to its virtual interface:

Configure the virtual interface vlan99; if it does not exist it is created. SVIs are not administratively shut down when
created, so you do not normally need the "no shutdown" command; the interface reports line protocol down until VLAN 99
exists and has at least one active port assigned to it:
MySwitch(config)#int vlan99

Configure the IP address for the virtual interface. Note that we use the same IP address and subnet mask as before:
MySwitch(config-if)#ip address 192.168.0.1 255.255.255.0

Give the management interface a description:
MySwitch(config-if)#description Management Interface

Leave configuration mode:
MySwitch(config-if)#end

USEFUL TIP: We usually create only one interface VLAN and name it "Management", because it is intended to be the only
door into a switch for remote configuration. That does not mean you cannot create more (simply add an IP address to
another SVI), but for security keeping a single interface VLAN is the best choice.

To remove an IP address previously configured on an SVI (VLAN 1 here) and disable the interface, the commands below
respectively remove the IP address and shut the interface down. VLAN 1 itself cannot be deleted, so if you are no longer
using its interface, shut it down:
MySwitch(config)#interface vlan1
MySwitch(config-if)#no ip address
MySwitch(config-if)#shutdown
MySwitch(config-if)#end

Remove a VLAN from the VLAN list


You can delete a single VLAN with:
MySwitch(config)#no vlan 99

Note that deleting a VLAN leaves any ports assigned to it inactive: they keep their switchport access vlan 99 setting
but no longer forward traffic until the VLAN is recreated or they are reassigned. Re-assign them to the intended VLAN(s),
and always verify your work with show vlan brief to avoid unnecessary problems.

Part 3: Port Configuration & Access Security

Configure multiple ports at the same time with the same configuration
In Lab 2 we configured a single port at a time. Here we do not need to repeat the same process: Cisco IOS lets you
configure a range of interfaces simultaneously by adding the keyword "range" to the interface command. For example:
 Configure ports at a range from 1 to 24.
MySwitch(config)#interface range f0/1-24

 Configure ports at a range from 1 to 5, 10-12, and 24. Groups can be separated by a comma.
MySwitch(config)#interface range f0/1-5, f0/10-12, f0/24

USEFUL TIP: Configuring a port in access mode (switchport mode access) means that the device connected to it is unaware
of VLANs. All Ethernet frames arriving on the port are assumed to belong to the VLAN allocated to the port, and only
frames for that VLAN are sent out of it, untagged. Access mode is typically used to connect end devices to a switch.
Setting the mode explicitly also stops the port from negotiating a trunk with a connected switch, which is why it is
required before port security can be enabled.

USEFUL TIP: The switchport access vlan command assigns a VLAN to a port. An access port belongs to exactly one VLAN;
running the command again changes the VLAN allocation for that port.

For examples: you have created VLAN 20. You decided to attach ports 10-20 to this VLAN.
MySwitch(config)#interface range f0/10-20
MySwitch(config-if-range)#description This port is in VLAN 20
MySwitch(config-if-range)#switchport mode access
MySwitch(config-if-range)#switchport access vlan 20
MySwitch(config-if-range)#end

General Switch Security – Disabling Ports


It is considered good security to disable ports that are not in use. A simple means of achieving this is to configure each
interface with the “shutdown” command. Unfortunately, switches typically have many ports, and typing this command for
each interface is very time-consuming.

Once you enter the “interface range” command, the prompt will change to indicate you are configuring a range of interfaces.
MySwitch(config)#interface range f0/1-8
MySwitch(config-if-range)#description These ports have been disabled
MySwitch(config-if-range)#shutdown
MySwitch(config-if-range)#end


This set of commands will apply the nominated description to all selected interfaces and then shutdown all those interfaces.
It is considered good practice when configuring a switch to begin by shutting down all interfaces and then re-enabling the
ones you plan to use.

General Switch Security – Port Security


As mentioned, limiting the number of MAC addresses allowed on a switch port is good practice, especially for publicly
accessible ports such as wall ports in a general-access area. Cisco switches can be configured to accept a maximum number
of MAC addresses on each port, to be told explicitly which addresses those are, and to take a chosen action when the
policy is breached.

The commands below can also be entered while configuring a range of interfaces, in which case every interface in the
range gets the same security options.

USEFUL TIP: You cannot enable port security until you have set the switchport mode. By default a port is in dynamic mode
(it negotiates with DTP whether to become an access or a trunk port), and IOS rejects switchport port-security on a
dynamic port. Set switchport mode access first.

NOTE: Sequence is important here!

Step 1: Enable port security on this interface.

MySwitch(config-if)#switchport port-security

This alone applies the defaults: a maximum of one MAC address on the port and the shutdown violation action.

Step 2: Configure the maximum number of MAC addresses allowed on this port (exceeding it is the violation condition).

MySwitch(config-if)#switchport port-security maximum N

There are two ways for the port to learn which MAC addresses are allowed.

Option 1: sticky learning. The port records the first N source MAC addresses it sees and keeps them as secure addresses.
MySwitch(config-if)#switchport port-security mac-address sticky

Sticky addresses are written into the running configuration as they are learnt, so they survive link flaps and, if you
save the configuration (copy running-config startup-config), reboots. They do not age out by themselves; remove them
with the "no" form of the command (which turns them back into dynamic entries) or with clear port-security sticky
interface f?/? in privileged EXEC mode.

Option 2: a static entry, typed in while configuring the port.
MySwitch(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx

This adds a specific MAC address to the secure list for the port. Static entries can be combined with sticky or dynamic
learning for the remaining slots. Without either option, learnt addresses are dynamic: they are not saved to the
configuration and are forgotten when the port goes down.

Step 3: Determine the breach action. You have three options for this: (action upon violation of rules)
Option 1: Shutdown the port

MySwitch(config-if)#switchport port-security violation shutdown

If the maximum MAC addresses are breached, this interface will be immediately disabled and the administrator is
informed via SNMP.

[9]
TNE10006 Networks and Switching Lab 3

Option 2: Restrict the port

MySwitch(config-if)#switchport port-security violation restrict

If more than the maximum number of MAC addresses is seen, the port stays up but frames from unknown source
addresses are dropped; a syslog message is logged, an SNMP trap is sent and the violation counter is incremented.

Option 3: Protect the port

MySwitch(config-if)#switchport port-security violation protect

Behaves like restrict mode except that no syslog message or SNMP trap is generated and the violation counter does
not increment, so the administrator is left with no record that anything was attempted.
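As an added worked example (not the lab sheet’s own text), here is the full sequence of Steps 1 to 3 on two ports, followed by the recovery of a port that the shutdown action has disabled. The interface numbers, VLAN 10 and the MAC address are assumptions chosen to match Task 4 later in this lab.

```text
! Port f0/20: sticky learning, two addresses, shutdown on violation
MySwitch(config)#interface f0/20
! Fix the mode first: port-security will not enable on a port still negotiating with DTP
MySwitch(config-if)#switchport mode access
MySwitch(config-if)#switchport access vlan 10
! Step 1 (defaults: maximum 1, violation shutdown)
MySwitch(config-if)#switchport port-security
! Step 2
MySwitch(config-if)#switchport port-security maximum 2
MySwitch(config-if)#switchport port-security mac-address sticky
! Step 3: state the action explicitly rather than relying on the default
MySwitch(config-if)#switchport port-security violation shutdown
!
! Port f0/10: one hard-coded address only, no learning
MySwitch(config-if)#interface f0/10
MySwitch(config-if)#switchport mode access
MySwitch(config-if)#switchport access vlan 10
MySwitch(config-if)#switchport port-security
MySwitch(config-if)#switchport port-security mac-address 0011.2233.4455
MySwitch(config-if)#end
!
! Check the result, then bring back a port that a violation has err-disabled
MySwitch#show port-security interface f0/20
MySwitch#configure terminal
MySwitch(config)#interface f0/20
MySwitch(config-if)#shutdown
MySwitch(config-if)#no shutdown
```

The manual shutdown/no shutdown is the recovery method this lab relies on; IOS can also re-enable such ports automatically after a timer with the global command errdisable recovery cause psecure-violation, which is convenient in a lab but means a persistent attacker simply gets another attempt every interval.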

Useful commands to explore the current security settings include:

MySwitch#show mac address-table
    Display the currently learnt MAC addresses and the ports they are associated with.
MySwitch#show port-security
    Display a summary of the port security status for the switch.
MySwitch#show port-security interface f?/?
    Display the port-security status for the nominated interface, including the state of port security, the
    violation mode and the maximum MAC addresses allowed on this port.
MySwitch#show port-security address
    Display which MAC addresses are attached to secure ports on the switch and the status of each secure port.
MySwitch#show interface f?/?
    Show detailed configuration and status information for the specified interface.

Challenge Exercises

Task 1: Setting up a network


We will start by setting up a simple network topology and configuration. The requirements are listed below:
1. Switch – Configure the hostname of the switch to “MySwitch”, configure a MOTD, configure the VLAN1 interface
with the IP address 192.168.0.1 and IP mask 255.255.255.0 and add an interface description
2. PC1 – Configure an IP address of 192.168.0.10 and IP mask 255.255.255.0 and connect it to f0/10 on the switch
3. PC2 – Configure an IP address of 192.168.0.20 and IP mask 255.255.255.0 and connect it to f0/20 on the switch.
4. Verify that each PC can directly ping the Switch and that the switch can ping both PCs.
5. Router - Configure the hostname of the router to “MyRouter”, configure a MOTD, configure the port F0/0 interface
with the IP address 192.168.0.200 and IP mask 255.255.255.0 and add an interface description. Then, enable the port.
Connect the port to f0/24 on the switch using a straight-thru cable.
6. Verify again each PC can directly ping the Router, and that the Router can ping both PCs and the switch.

Task 2: Configure the basic security for network devices


We will now configure basic security on both the switch and the router:
1. Console login with password – CCNA1
2. Administrator (enable) password, not secret – CLASSW3
3. A virtual terminal (vty) login using Telnet with local user Anthony and password CCNA1VTY

Verify the implementation with the “sh run” command, then log off the device and try to enter user mode
again. Has it been configured correctly?


Let’s access MySwitch from either of our PCs. Run PuTTY, select Telnet as the Connection type, type 192.168.0.1
in the Host Name (or IP address) box, type 23 in the Port box and click Open. You will be prompted for the vty
login user and password. You now have CLI access to the switch in user mode; enter “enable” and the administrator
password to reach privileged EXEC mode, then confirm it is MySwitch by running a few commands – “sh run”, “sh ip int
brief”, etc. Bear in mind that everything you type over Telnet, these passwords included, crosses the network in
clear text. When you exit from the Telnet session, the application closes and you are logged out.

Do this for the router. You should be able to access it too!

USEFUL TIP: When connecting to a router, you can enter any of its IP addresses (each of which must be assigned to
one of the router’s interfaces). The telnet server listens on all of the device’s IP addresses, and any incoming
connection is allocated to an available vty line.

For any windows system before Windows 7


You can access any other network device from the CLI of a Cisco switch or router. From the CLI, enter the command
“telnet XXX.XXX.XXX.XXX”, where the parameter is any IP address allocated to the device you wish to connect to.
Again, you will be prompted for the login user and password, after which you are configuring the second device
from within the first. When you exit, you are returned to the MySwitch prompt. Note also that the “telnet” keyword
is optional: if you just type an IP address, the switch assumes you wish to telnet to it. As in the last lab, if
you type something that is not a valid command, the device assumes it is a hostname you want to telnet to and
performs a DNS lookup in an attempt to resolve the mistyped command (see Lab 2); the global command “no ip
domain-lookup” stops this behaviour.

4. Enable the secret (administrator-level) password on the switch – CLASSCR

Log off the device and enter user mode again. Which pass-code did you need to reach administrator
(PRIVILEGED EXEC) mode: CLASSW3 or CLASSCR? What can you conclude?

5. Configure the SSH server, with two additional local users, on both the Router and the Switch:
a. Username: Jason, password: abc123
b. Username: Mark, password: def456
6. Abandon the Telnet connection and restrict the virtual terminal (vty) login to SSH only.
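As an added worked example (not from the lab sheet), the commands behind steps 4 to 6 on MySwitch, with the vty line shown in its weak and hardened forms. The domain name and RSA key size are assumptions; “secret” is used for the new users because it stores a hash where “password” stores the value reversibly, but the lab’s earlier user Anthony was created with “password” and that is left as the sheet asks.

```text
MySwitch(config)#enable secret CLASSCR
! enable secret is stored as a hash and takes precedence over enable password CLASSW3
MySwitch(config)#username Jason secret abc123
MySwitch(config)#username Mark secret def456
! SSH needs a host name, a domain name and an RSA key pair before it will start
MySwitch(config)#ip domain-name lab.local
MySwitch(config)#crypto key generate rsa modulus 2048
MySwitch(config)#ip ssh version 2
MySwitch(config)#line vty 0 4
MySwitch(config-line)#login local
! weak (step 3 state): transport input telnet   -- credentials cross the wire in clear text
! hardened (step 6):
MySwitch(config-line)#transport input ssh
MySwitch(config-line)#end
MySwitch#show ip ssh
```

After this a Telnet attempt to port 23 is refused outright, which is the quickest way to confirm step 6 took effect.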

From one of your PCs, run PuTTY, select the SSH option and connect to the switch IP address. On the first connection the
program shows you the switch’s SSH host key fingerprint (SSH uses host keys, not certificates) and asks whether to trust it;
answer yes. PuTTY caches the key and will warn you if a later connection presents a different one. Once connected, you need
to enter a username and password; use one of the two username/password combinations you previously entered. Confirm that
you have full administrator access to the switch.

Explore logging in with an incorrect username and/or password.

You should confirm that you can log in multiple times concurrently from both PCs

You can use the “show ip ssh” command to check your current SSH server configuration, the “show ssh” to see all
information about current remote connections to the SSH server, and the “show users” command to see who is logged into
the server at the moment.
Now try adding and removing users from the switch using the “username” command and attempt to SSH to the switch again.

TRY this
Now let’s access the switch using telnet from both PCs at the same time. You should confirm that this is possible. With one
telnet connection from PC1 and one telnet connection from PC2, do you think you can start a second concurrent connection
from PC1? Try this.

USEFUL TIP: Configuring a device from another device is confusing; it is easy to forget which device is which and what
you are trying to do. Also, while you configure the second device you are no longer able to configure the first until you
log out. It is more useful to use the telnet application to connect to the devices so you can configure all of them concurrently.


Task 3: Configure VLAN – do it on the switch only


We will now be adding the VLAN configuration in the switch:

At the CLI, enter the command sh vlan br and copy the output into WordPad.

1. Create VLANs with the respective ID and name (10, general) and (50, Management)
2. Move the IP address from interface VLAN 1 to a new interface VLAN 50, the management VLAN, with the IP address
192.168.0.1 255.255.255.0

Examine the output of “sh ip int brief”. Why do you think the status of interface VLAN 50 is down? And why is
interface VLAN 10 not shown in the list?

3. Shut down ports f0/1-5, f0/8-9, g0/1-2


4. Attach ports f0/10-24 to VLAN 10.
5. Attach ports f0/6-7 to VLAN 50.

Note that as soon as we allocated one port to the new VLAN, interface vlan50 changes state to up. Now retry the
ping tests. Does everything work? Is it less broken than before? What do we need to do to fix it?

6. At CLI, enter command sh vlan br again. Compare both results and comment on the changes.

Retry all your ping tests: PC to PC, PC to Switch/Router, Switch/Router to PC. Which ones work? Why do you think some
work and some don’t?

Do not proceed to the next task until your network is fully working with full connectivity between each PC and the switch.
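As an added worked example (not from the lab sheet), the command sequence for steps 1 to 6 of Task 3 on MySwitch. It goes one step beyond the task by also shutting the VLAN 1 interface once its address has been removed, so the switch no longer answers on the default VLAN at all; the interface range syntax is the form IOS accepts on the 2960 used here.

```text
MySwitch(config)#vlan 10
MySwitch(config-vlan)#name general
MySwitch(config-vlan)#vlan 50
MySwitch(config-vlan)#name Management
MySwitch(config-vlan)#exit
! Move management off VLAN 1 and stop answering there (added hardening, beyond the task)
MySwitch(config)#interface vlan 1
MySwitch(config-if)#no ip address
MySwitch(config-if)#shutdown
MySwitch(config-if)#interface vlan 50
MySwitch(config-if)#ip address 192.168.0.1 255.255.255.0
MySwitch(config-if)#no shutdown
! Unused ports: down
MySwitch(config-if)#interface range f0/1 - 5 , f0/8 - 9 , g0/1 - 2
MySwitch(config-if-range)#shutdown
! User ports into VLAN 10, management ports into VLAN 50
MySwitch(config-if-range)#interface range f0/10 - 24
MySwitch(config-if-range)#switchport mode access
MySwitch(config-if-range)#switchport access vlan 10
MySwitch(config-if-range)#interface range f0/6 - 7
MySwitch(config-if-range)#switchport mode access
MySwitch(config-if-range)#switchport access vlan 50
MySwitch(config-if-range)#end
MySwitch#show vlan brief
MySwitch#show ip interface brief
```

Compare the two show outputs with the copy you saved before starting; the VLAN table should now list every port under 10, 50 or, for the shut ports, still under 1.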

Task 4: Port security – switch only


We will now add the port security configuration to the switch:
1. Get the MAC address of your PC’s Ethernet adapter by typing “ipconfig /all” on the PC (it is shown as the Physical Address).
2. At the CLI, enter the command sh run and copy the output into WordPad.
3. Enable port security on the ports attached to VLAN 10.
4. Enable the sticky function on each of these ports with a maximum of two MAC addresses, except port f0/10, which
uses only a static entry.
5. Set the violation rule to shut down.
6. At the CLI, enter the command sh run again. Compare the output with the one you captured earlier. What changes do you notice?
7. Disconnect PC2 from port f0/20 and plug PC1 in there instead. What do you see if you display the running configuration
again?
8. Borrow a PC connection from another group and replace the existing connection with it. What happens? Note the error
messages displayed on the switch command line indicating a security violation.

Once the port has been error-disabled by a rule violation you cannot use it again until you recover it: enter interface
configuration mode for the port, issue shutdown and then no shutdown.

What if port f0/20 has been re-enabled and you plug PC1 into it? What do you notice? Why?
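Step 6 above asks you to compare two “sh run” captures by eye. As an added check that is not part of the lab sheet, the following Python script parses the interface blocks of such a capture and reports every active VLAN 10 port that falls short of the Task 4 requirements: port-security missing, a maximum above two, the silent protect action, or dynamic-only learning. The embedded configuration is constructed to look like the switch after Task 3; its interface names, VLAN numbers and MAC addresses are assumptions.

```python
"""Audit a Cisco IOS running configuration for port-security gaps.

Added check for this lab, not from the lab sheet. SAMPLE_RUNNING_CONFIG is a
constructed cut-down "show run"; names, VLANs and MAC addresses are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 shutdown
!
interface FastEthernet0/6
 switchport access vlan 50
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
interface FastEthernet0/11
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
!
interface FastEthernet0/12
 switchport access vlan 10
!
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.6677
!
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"


@dataclass
class Port:
    name: str
    vlan: Optional[int] = None
    mode: Optional[str] = None        # None: still negotiating with DTP
    shutdown: bool = False
    port_security: bool = False
    maximum: int = 1                  # IOS default once port-security is on
    violation: str = "shutdown"       # IOS default violation action
    sticky: bool = False
    secure_macs: List[str] = field(default_factory=list)  # static and sticky-learnt


def parse_interfaces(config: str) -> Dict[str, Port]:
    """Collect the per-interface port-security state from a show run capture."""
    ports: Dict[str, Port] = {}
    current: Optional[Port] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = Port(line.split(None, 1)[1])
            ports[current.name] = current
            continue
        if current is None or not line.startswith(" "):
            current = None            # "!" or a global command ends the block
            continue
        cmd = line.strip()
        if cmd == "shutdown":
            current.shutdown = True
        elif cmd == "switchport port-security":
            current.port_security = True
        elif cmd == "switchport port-security mac-address sticky":
            current.sticky = True
        elif m := re.fullmatch(r"switchport access vlan (\d+)", cmd):
            current.vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport mode (\w+)", cmd):
            current.mode = m.group(1)
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", cmd):
            current.maximum = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (\w+)", cmd):
            current.violation = m.group(1)
        elif m := re.fullmatch(r"switchport port-security mac-address (?:sticky )?" + MAC, cmd):
            current.secure_macs.append(m.group(1))
    return ports


def audit(ports: Dict[str, Port], user_vlan: int = 10, max_allowed: int = 2) -> List[Tuple[str, str]]:
    """Return (interface, problem) pairs for active ports in the user VLAN."""
    findings: List[Tuple[str, str]] = []
    for p in ports.values():
        if p.shutdown or p.vlan != user_vlan:
            continue                  # shut ports and other VLANs are out of scope
        if p.mode != "access":
            findings.append((p.name, "mode not fixed to access; port-security cannot be enabled on a dynamic port"))
        if not p.port_security:
            findings.append((p.name, "port-security not enabled"))
            continue                  # the remaining checks assume it is on
        if p.maximum > max_allowed:
            findings.append((p.name, f"maximum {p.maximum} exceeds the allowed {max_allowed}"))
        if p.violation == "protect":
            findings.append((p.name, "violation mode protect drops frames silently: no syslog, trap or counter"))
        if not p.sticky and not p.secure_macs:
            findings.append((p.name, "dynamic learning only: secure addresses are lost when the link goes down"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(parse_interfaces(SAMPLE_RUNNING_CONFIG)):
        print(f"{name}: {problem}")
```

Paste a real “sh run” capture in place of the sample and the same two functions apply; on the sample, f0/10 and f0/20 pass, f0/11 is flagged for the protect action and for having no sticky or static address, and f0/12 for having neither a fixed mode nor port-security at all.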

Task 5: Cleaning Up
If you have finished, feel free to make changes to your SSH and VLAN configurations. You should also play around with the
different port security options and experiment by causing the conditions to be breached.
When you are ready to finish, make sure you complete the following steps:
1. If you were silly enough to save the switch configuration, clear the switch configuration with “erase startup-config”
and make sure the switch is clean with the command “sh start”


2. Since you created and modified VLAN information, you MUST delete the VLAN configurations by issuing the
command “delete vlan.dat”. The switch will then ask you to confirm the filename you wish to delete; you should
check the spelling of vlan.dat and press enter to confirm. The switch will then ask you to confirm that you want to
delete vlan.dat, again press enter to delete the file.
Note: this will only clear the saved VLAN configuration, the running configuration will still contain all currently
configured VLAN information (just as erasing startup-config does not delete the switch running-config)
3. Unplug all cables from the switches and return them.

- - - - End of Lab - - - -

Post laboratory simulation exercises (optional)

Task 1: Remote Access to a Switch.


In the Cisco Packet Tracer software, create a simple Ethernet network by connecting a generic PC to a network switch (model
2960). Then configure the switch with the following features:
1. Hostname – SW1
2. Message of the day (MOTD) – Switch 1 console interface
3. Console login with password – CCNA1
4. Administrator password (not secret) – CLASSW3
5. A virtual terminal (vty) login using telnet with password CCNA1VTY
6. Create VLANs with respective ID and name of (10, Student), (20, Staff) and (50, Management)
7. Make VLAN 50 a management VLAN (interface VLAN) with an IP address of 192.168.0.200 255.255.255.0
8. Shut down ports f0/1-5, f0/20, g0/1
9. Attach ports f0/6-10 to VLAN 10.
10. Attach ports f0/11-15 to VLAN 20.
11. Attach ports f0/16-18 to VLAN 50.
12. Put port description to every interface ports.

Assume the IP address and subnet mask of the connecting PC are 192.168.0.2, 255.255.255.0

Answer the following questions:


1. Check the configuration on the switch using “show run” and “show vlan brief”. Has it been correctly
implemented?
2. Connect the PC to each of the following ports in turn and ping the switch from the PC. Observe what is shown on
the command line interface of the PC and comment on the results.
a. Port f0/1
b. Port f0/7
c. Port f0/12
d. Port f0/17
e. Port f0/22
3. Repeat the above connection as described in (a) to (e). In the switch, at the administrator CLI, try to ping the PC.
What have you observed?


4. Connect the PC to any one of ports f0/16-18 on the switch. At the command line of the PC (C:\>), type
“telnet 192.168.0.200 23”; you should be able to reach the switch CLI.

NOTE: you can try to configure the port security for the switch in the packet tracer, but you would not be able to test it with
satisfactory feedback.
Task 2: Remote access to a Router
In the Cisco Packet Tracer software, create a simple Ethernet network by connecting a generic PC to a network router (model
2811). Then configure the router with the following features:
Hostname – R1
Message of the day (MOTD) – Router 1 console interface
Console login with password – CCNA1
Administrator password (not secret) – CLASSW3
A virtual terminal (vty) login using SSH with one local user called Zeppa with password CCNA1VTY
Configure the fast Ethernet port f0/0 with IP address of 192.168.0.201 255.255.255.0. Enable the port.

Assume the IP address and subnet mask of the connecting PC are 192.168.0.2, 255.255.255.0

Connect the PC to port f0/0 of the router using a straight-through cable. At the command line of the PC (C:\>), ping
the router to confirm it responds. Then type “ssh -l Zeppa 192.168.0.201”; you should be able to gain access to the
router CLI.
