Lab 3
Aims:
Background:
Remote Access
In the previous lab (see Lab 2) we accessed the console port of the switch using a direct cable connection. This is how
console access is provided in the Cisco lab. However, in production environments, switches are usually accessed via a
console concentrator. A Telnet server can also be enabled on the switch (or router). When enabled, you can connect to the
device using a telnet application from a remote location. You will be asked for the telnet password, which will then drop you
into User mode (see Lab 2). To get to Administrator mode, you will then need to enter the Administrator password (if one has
been set).
It is typically not a good idea to enable Telnet access. Telnet is an insecure protocol: all commands and passwords are
transferred over the Internet/network as plaintext, so anybody with packet sniffing abilities would be able to compromise your
security.
Secure Shell (SSH) is a cryptographic network protocol that operates securely over an unsecured network. It is a more secure
approach where all communications are encrypted. In this lab, we will also configure the SSH server on the switch and
connect to the switch using secure communications.
The Subnet
The word subnet comes from sub-network, which means a portion of a larger computer network. Apart from the physical
separation of broadcast domains by hardware, through layer-3 devices (e.g. routers), a network can be logically sub-divided
through two methods: virtual switch-port grouping through hardware configuration, and IP subnetting. The former is done
through the VLAN configuration available in a network switch, while the latter is done through modification of the subnet
mask (or IP mask). This week we will look only at the VLAN approach.
Difference between a layer-2 device and a layer-1 device (in the OSI reference model)
A layer-1 network device in an Ethernet network, such as a hub or a repeater, simply provides a networking space in which to
connect end devices. It leaves those directly connected devices communicating on the same signal ground (a single collision
domain), where they all share the messages transmitted by any node in the same subnet. There is no privacy, as every node
in the same subnet receives the same message. It also leads to lower throughput because signal collisions happen, and this
gets worse as the number of connected nodes increases.
A layer-2 network device such as a switch resolves the issue by separating the signal ground down to the individual physical
interface (Ethernet port), where the connections to other nodes are managed by the switch processor. The data-link layer
algorithm decides which physical interface(s) shall be connected (unicast, broadcast or multicast) and how a message is
forwarded (encapsulation process, error checking, etc.). In this case, every physical interface remains in its own collision
domain and only joins (shares) a collision domain temporarily at the time a transmission happens. The control is in the hands
of the switch processor.
TNE10006 Networks and Switching Lab 3
Due to the control available in the network switch, this device makes it possible to virtually segment individual physical
interfaces into different groups (here we shall call each one a subnet) through simple configuration of the switch. It also
enables seamless connection of a virtual group across multiple switches that are physically connected.
Introduction to VLANs
VLAN technology allows the network administrator to virtually divide one physical network switch into multiple virtual
switches. You can consider a VLAN to be a virtual switch within the larger switch. After a VLAN is created, individual
physical ports are assigned to one of the virtual switches within the physical switch.
With proper VLAN configuration on a switch, you can divide PCs connected to the same switch into different subnets, as
shown in the diagram below. In this case, only the PCs in the same VLAN subnet will be able to “see” and “talk to” each
other.
While having a basic switch is fine in a simple or small environment where only a single subnet exists (think of your home
router/modem), this becomes problematic in larger environments where we want to take advantage of the ability to deploy
virtual switches within the switch (multiple VLANs).
The security issue – the potential threat of keeping the default VLAN as the management interface.
The problem with leaving the management interface on the default VLAN (VLAN 1) is that if a port is not configured, it
belongs to VLAN 1. Also, somebody may connect another switch to the network and gain access to VLAN 1. This allows a
potential attacker to connect their PC to VLAN 1 and thereby be on the same subnet as the switch management hardware.
This potentially allows direct access to the management network and other networking equipment within the organization.
The management interface of a network switch is called an interface VLAN, since a switch cannot have IP addresses
configured on its Ethernet ports the way a router does. You can configure multiple interface VLANs by adding an IP address
to the respective VLANs created in the switch. Doing so makes those VLANs accessible to remote users through the
network.
For security reasons, it is strongly recommended to remove the management interface from the default VLAN and assign it to
a different, dedicated VLAN to protect against these obvious attacks. Besides, you should create ONLY one management
interface on each switch/router.
In today’s lab, we will create a second VLAN to act as the management VLAN; you should be doing this for all switch
configurations for the rest of the semester.
NOTICE: We will NOT be configuring and using multiple VLANs today; we will still place our PCs on the management
VLAN (it just won’t be VLAN 1). We will start configuring and using multiple VLANs next week.
Switch Attacks
There is a range of common attacks made on switches to gain either unauthorized access to the network or to steal network
traffic. We have already mentioned the issue of the default VLAN 1 being used as the management VLAN and why the
management VLAN should be moved to another VLAN ID.
Another problem is when users have physical access to the switch ports (either directly on the switch or via a patched port on
a wall in an office). By default, all switch ports are enabled, and plugging a device into a switch port instantly connects that
device to the network. So, if a port is not intended to be used by anyone, it is considered good practice to disable it.
A common attack against switches is to attempt to overflow the MAC address table with bad information. An attacker sends
many packets to a switch with fake source MAC addresses. The switch learns these addresses and stores them in the table.
When the table gets full, the old, real MAC addresses are purged from the table. Now, when a valid packet arrives at the
switch, the switch no longer knows the correct destination MAC/port mapping and so it sends the packet out all
interfaces. The attacker uses this approach to force the switch to send copies of all packets to the attacker, which can then be
captured and analysed.
Another common attack is to spoof source MAC addresses. If you send a fake Ethernet frame with your target PC’s MAC
address as the source MAC address, the switch will assume that the target has moved to a new switch interface. Frames
addressed to that MAC address will now be sent to the attacker rather than the correct host.
A good solution to both attacks can be implemented via port security, where we limit which, or how many, MAC addresses
may be connected to each physical switch port.
Building a Network
There is a defined process for constructing a network that makes it easier to detect and troubleshoot errors. This involves
constructing the network from the bottom layer up. That way, if something goes wrong and/or does not work, the fault lies
within the last step you completed. An outline of the steps is:
1. Physical Layer – Ensure that all devices are correctly connected to where they are supposed to be.
a. Connected to the wrong device:
• If your PC’s Ethernet cable is supposed to be plugged into Switch 1, check that it is not in Router 2. If it is supposed
to be plugged into f0/12, check that it is not in f0/15.
b. Connected to the wrong port:
• If the cable is plugged into f0/15 and you configure f0/12, nothing is ever going to work. Never assume you did
things properly; cabling problems are very common. Why do you think the first thing asked by the PC help desk is
“Is your computer plugged into the power outlet and is the power turned on?”
2. Configure Interfaces.
a. Enable the correct VLANs on the correct Interfaces.
b. Configure IP on all interfaces on all devices (switches, routers and PCs).
c. Make sure each device can successfully ping all other directly connected devices (on the same VLAN).
• If point-to-point devices cannot talk to each other, remote devices will have no chance because the link they
need to use to communicate is broken. This is one of the key tests.
• In lab exams, we often see people who have configured routing but have broken or non-functioning links. They
then waste their time trying to debug the routing tables when the error was not there.
• If the pings don’t work, you need to check the interface status, as well as the IP address/subnet-mask
configuration, to ensure that the connected devices are on the same network. Also, check that the IP addresses
you have used are the correct ones that you were instructed to use.
3. Configure VLAN Trunking.
a. If trunking is to be used, ensure that the correct VLANs are shared on the trunk and that all devices on a
nominated VLAN can connect to other devices over a trunk link.
b. If a trunk is incorrectly established, then some VLANs may not extend across multiple switches, and devices on
that VLAN on one switch may not be able to talk to other devices on the same VLAN. Your router will likely also
be connected via a VLAN trunk, so it is important to check that all the router sub-interfaces are accessible from
devices in the same VLAN.
4. Configure Routing.
a. Every device has to know how to reach all other networks through its routing table entries. Ensure that the routing
table on the router(s) contains entries for all VLAN networks in your system.
b. If an entry is missing from the routing table, you need to make sure it goes in. In a VLAN-based switching
environment, this typically occurs if you have incorrectly configured a router interface or sub-interface.
5. Test.
a. Make sure each device can successfully ping all other devices in the network.
b. If a device has multiple IP addresses (a router), you should test against all IP addresses on that router. If just one
device cannot ping one other device in the network, then something is broken, your network does not work, and, if
this is the lab exam, you will fail.
6. Security.
a. Finally, don’t forget to configure and test any security items such as switch port security, and to ensure that ports
are allocated to the right VLANs and, if necessary, disabled.
Methodology:
Enabling the Telnet server – via both the “password” and “login” commands – immediately allows remote systems to access
the switch via the Telnet port (TCP port 23). You will get a warning that telnet access is not enabled until you also set the
password. On some switches/routers, you will also get a warning when enabling telnet when there is no Administrator
password; you may ignore this warning. When an application connects to TCP port 23 on the device:
• The device connects the input and output of the TCP connection to the output and input of the first available
VTY terminal of the sixteen on the switch (five on the router). All input from the network is sent to the virtual
terminal, and all output from the terminal is sent over the network.
• The telnet application on the PC becomes the monitor/keyboard used to access the device configuration mode.
• Up to seventeen people can concurrently configure the switch (6 on the router): one on the console port and sixteen
via telnet.
In the last lab, we used PuTTY to gain access to a remote switch/router in the same network. We also learnt that it is
also required to configure the Administrator (Privileged EXEC) password to allow a user to browse and configure the remote
network device.
In Packet Tracer, there is no software like PuTTY available, so we test through the “Command Prompt” on the desktop of a
PC using the command “telnet”. For example: telnet 192.168.0.1 23
Assume the hostname of the device (e.g. a switch) is “MySwitch” for the rest of the examples in this document.
NOTE: this configuration bypasses the normal login to User mode and goes directly to Administrator mode.
This will create a user account with the username labuser and password labpassword. A privilege level of 15 indicates
administrator or enable mode access to the switch. Lower levels can be used to create administrator levels with partial
privileges. Creating user accounts with privilege levels other than 15 is beyond the scope of the CCNA curriculum.
You can change a user password by re-issuing the command with a new password.
You can create more than one user, each with its very own password.
You can remove a user account by issuing the command:
MySwitch(config)#no username labuser
USEFUL TIP: To access the remote device using a local user account, the Telnet server on the switch/router should be
configured with the following command (instead of simply the “login” command in the virtual terminal configuration):
MySwitch(config-line)#login local
If your device (e.g. switch) is called MySwitch, its FQDN is now MySwitch.ccna.lab
For older versions of Packet Tracer (simulator versions before 7.0), the way you key this in is a little different:
MySwitch(config)#crypto key generate rsa
Then,
MySwitch(config)#1024
This will generate a certificate signed with a 1024-bit RSA key. If you later change the hostname or domain name, you
should regenerate your certificate (otherwise it would not match your name, and a user may think the system is being hacked).
To remove generated certificates, use the command:
MySwitch(config)#crypto key zeroize
Notice: this configuration ONLY works if the SSH server feature is available in the network device.
First, we have to configure the virtual terminal (vty = virtual terminal) ports on the switch:
MySwitch(config)#line vty 0 15
A Cisco network device has virtual terminals (or virtual consoles); the 0 and 15 signify that we wish to configure virtual
ports 0 to 15 (all 16 of them). The command “line” indicates a connection. We now enter a sub-configuration mode, as noted
by the change in prompt; note this is the same sub-configuration mode as when configuring the console terminal line.
Cisco routers only have 5 vty ports, numbered 0 through 4.
Next, setting a password is not necessary, as the device uses the individual local accounts to log in. We now just need to
tell the device that the user needs to log in using a local account:
MySwitch(config-line)#login local
The “login local” command tells the server to accept only logins using one of the registered local user accounts.
Then, to let the device know that the connection is for user input and open only for SSH communication:
MySwitch(config-line)#transport input ssh
MySwitch(config)#line vty 0 15
MySwitch(config-line)#no password
MySwitch(config-line)#no login
MySwitch(config-line)#transport input none
MySwitch(config-line)#end
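One way to check a switch configuration for the weaknesses this lab warns about (Telnet or unrestricted vty transport, vty lines that do not use login local, a management IP left on the default VLAN 1, and active access ports without port security). This is added example code written for this page, not the lab’s or Cisco’s own tooling; it assumes the configuration has been saved as text from “sh run”, and the sample configuration below is constructed.

```python
"""Audit a Cisco IOS running-config for the remote-access and VLAN weaknesses
this lab discusses.  Added example for this page; the config is constructed."""
from collections import OrderedDict

# Constructed sample: a switch still managed on VLAN 1 over Telnet, with one
# active access port that has no port security configured.
SAMPLE_CONFIG = """\
hostname MySwitch
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/3
 shutdown
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
!
line con 0
 password CCNA1
 login
line vty 0 15
 password CLASSW3
 login
 transport input telnet
!
end
"""


def parse_sections(config):
    """Split an IOS config into {header: [indented body lines]}.

    A section starts at an unindented line and ends at '!' or a blank line.
    Unindented lines without a body (hostname, end) get an empty list."""
    sections = OrderedDict()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(line)
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return a list of (section header, finding) tuples, in config order."""
    findings = []
    for header, body in parse_sections(config).items():
        if header.startswith("line vty"):
            if "transport input none" in body:
                continue  # remote access disabled entirely: nothing to flag
            transport = next((cmd for cmd in body if cmd.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append((header, f"accepts non-SSH transport ({transport or 'transport input not set'})"))
            if "login local" not in body:
                findings.append((header, "does not authenticate against local user accounts (login local)"))
        elif header.lower() == "interface vlan1":
            if any(cmd.startswith("ip address") for cmd in body) and "shutdown" not in body:
                findings.append((header, "management IP address still on the default VLAN 1"))
        elif header.startswith("interface FastEthernet"):
            if ("switchport mode access" in body and "shutdown" not in body
                    and "switchport port-security" not in body):
                findings.append((header, "active access port without switchport port-security"))
    return findings


if __name__ == "__main__":
    for section, problem in audit(SAMPLE_CONFIG):
        print(f"{section}: {problem}")
```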
Configure a VLAN with the number 99:
MySwitch(config)#vlan 99
If the specified VLAN does not exist, it is created first. Simple VLANs can take the numbers 1-1005; given the default
VLANs, we can use any number from 2-1001. We now enter the VLAN sub-configuration mode, as noted by the change in
prompt. The VLAN is created immediately with the name VLAN0099 (based on the VLAN number) and is made active.
Set the VLAN name:
MySwitch(config-vlan)#name Management
Names make it easier to check that you have allocated the correct ports to the correct VLAN. You should use something
descriptive here; in this case, the name is set to “Management”. You can remove the name using the command “no name” or
change the name by re-running the “name” command.
Leave configuration mode:
MySwitch(config-vlan)#end
The above commands create a new VLAN, VLAN 99. To examine the current VLANs configured on the switch, execute the
command:
MySwitch#show vlan brief
Note that the newly created VLAN, along with its name, has no physical interfaces (Ethernet ports) allocated yet. Part 3 of
this lab sheet will tell you how to assign a physical interface (or move an existing port) to a specific VLAN ID that you have
created.
Now that the management VLAN (VLAN 99) exists, we need to assign an IP address to the virtual interface:
USEFUL TIP: We usually create only one interface VLAN and name it “Management”, as it is intended to be the only
access door into a network switch for remote device configuration. This does not mean we cannot create more than one
interface VLAN (done by simply adding an IP address to other VLANs). For security purposes, maintaining only one
interface VLAN is the best choice.
To remove a previously configured IP address from a VLAN (VLAN 1 is assumed here), the following commands
respectively remove the IP address configuration from the virtual interface and disable the interface. For VLAN 1 only: if you
no longer use it, shut it down in this way (you cannot remove this default VLAN).
MySwitch(config)#interface vlan1
MySwitch(config-if)#no ip address
MySwitch(config-if)#shutdown
MySwitch(config-if)#end
Note that deleting a VLAN will leave the physical ports assigned to it unattached to any VLAN available in the system. You
should re-assign them to the other intended VLAN(s). Always verify your work to avoid unnecessary problems.
Configure multiple ports at the same time with the same configuration
In Lab 2, we learnt about configuring a single port at a time. Here, we do not need to repeat the same process. Instead,
Cisco switches (switches only, not routers) allow you to configure a range of interfaces simultaneously by adding the
keyword “range”. For example:
Configure ports 1 to 24 as a range:
MySwitch(config)#interface range f0/1-24
Configure ports 1 to 5, 10 to 12, and 24 as a range; groups are separated by a comma:
MySwitch(config)#interface range f0/1-5, f0/10-12, f0/24
USEFUL TIP: Configuring a port in access mode (switchport mode access) means that devices connected to that port are
unaware of VLAN configurations. All Ethernet packets arriving at that port are assumed to belong to the VLAN allocated to
that port. Only packets for the nominated VLAN will be delivered out of that port, and they will be delivered without VLAN
information. Access mode is typically used to connect end devices to a switch.
USEFUL TIP: The (switchport access vlan) command assigns a particular VLAN to a port. Only one VLAN can be assigned
to an “access mode” port; running the command again will change the VLAN allocation for this port.
For example: you have created VLAN 20 and decided to attach ports 10-20 to this VLAN.
MySwitch(config)#interface range f0/10-20
MySwitch(config-if-range)#description This port is in VLAN 20
MySwitch(config-if-range)#switchport mode access
MySwitch(config-if-range)#switchport access vlan 20
MySwitch(config-if-range)#end
Once you enter the “interface range” command, the prompt will change to indicate you are configuring a range of interfaces.
MySwitch(config)#interface range f0/1-8
MySwitch(config-if-range)#description These ports have been disabled
MySwitch(config-if-range)#shutdown
MySwitch(config-if-range)#end
This set of commands applies the nominated description to all selected interfaces and then shuts down all those interfaces.
It is considered good practice when configuring a switch to begin by shutting down all interfaces and then re-enabling the
ones you plan to use.
The commands outlined below can be entered when configuring a range of interfaces; in this case, all interfaces will be
configured with the same security options.
USEFUL TIP: You will not be able to configure switchport security until after you have first specified the switchport
mode. By default, the switchport mode is dynamic, in that it will attempt to automatically determine whether it should
be in access mode or trunk mode. If you wish to enable port security, you must first enforce a particular mode.
MySwitch(config-if)#switchport port-security
This command activates port security with a default maximum of one MAC address on this port and a default action upon
breach of shutting the port down.
Step 2: Configure the maximum number of MAC addresses allowed on this port to N (the violation condition).
There are two options for the port to “remember” the MAC addresses of the network interfaces that may be connected
to it.
Option 1: through its self-learning capability. The port reads the first few (up to N) unknown external interfaces and
saves their MAC addresses into the port buffer.
MySwitch(config-if)#switchport port-security mac-address sticky
MAC addresses learnt are sticky. Once a MAC address is learnt on a port, it is saved and can’t be removed
from the list of MAC addresses associated with this port. You can disable this by re-issuing the command
with “no” at the start.
Option 2: through direct user input (hardcoded while configuration takes place).
MySwitch(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx
Allocates a specific MAC address to the list of MAC addresses for this port. An address can be manually
added whether the mode is sticky or dynamic.
Step 3: Determine the breach action (the action upon violation of the rules). You have three options for this:
Option 1: Shut down the port
If the maximum number of MAC addresses is breached, this interface will be immediately disabled and the administrator is
informed via SNMP.
If the maximum number of MAC addresses is breached, the switch will drop packets with unknown source addresses and the
administrator is informed via SNMP.
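To make the three steps above concrete, here is a small model of port security as this lab describes it: a per-port maximum, sticky or statically entered addresses, and the action taken when an unknown source exceeds the limit. This is added example code written for this page, not Cisco’s implementation; the port name, MAC addresses and frame counts are constructed. The violation mode that drops unknown-source frames and notifies the administrator is what IOS calls restrict; the third IOS mode, protect, drops silently, and the model includes it for completeness.

```python
"""Model of switchport port-security as described in this lab: a per-port
limit on learned MAC addresses plus an action on violation.  Added example
for this page, not Cisco's code; MAC addresses below are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1             # Step 1 default: one MAC address per port
    violation: str = "shutdown"  # Step 1 default action on breach
    sticky: bool = False         # Step 2, Option 1: learned addresses are kept
    allowed: set = field(default_factory=set)   # static + sticky addresses
    dynamic: set = field(default_factory=set)   # learned, lost when the port is bounced
    err_disabled: bool = False
    violations: int = 0
    notifications: list = field(default_factory=list)  # stands in for SNMP traps

    def add_static(self, mac):
        """Step 2, Option 2: hardcode an address into this port's list."""
        if len(self.allowed | self.dynamic) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} already reached")
        self.allowed.add(mac)

    def receive(self, src_mac):
        """Handle one inbound frame; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                       # shut down by an earlier violation
        known = self.allowed | self.dynamic
        if src_mac in known:
            return "forward"
        if len(known) < self.maximum:           # room left: learn the address
            (self.allowed if self.sticky else self.dynamic).add(src_mac)
            return "forward"
        self.violations += 1                    # Step 3: limit breached by an unknown source
        if self.violation == "shutdown":
            self.err_disabled = True
            self.notifications.append(f"{self.name}: err-disabled, offender {src_mac}")
        elif self.violation == "restrict":
            self.notifications.append(f"{self.name}: dropped frame from {src_mac}")
        # "protect" drops the frame without notifying anyone
        return "drop"

    def bounce(self):
        """Disable then re-enable the port: the only way to revive it after a shutdown."""
        self.err_disabled = False
        self.dynamic.clear()                    # sticky and static entries survive


def unknown_source_burst(mode, count=50):
    """Send `count` frames with distinct constructed source MACs into a port
    configured with maximum=1, sticky learning and the given violation mode.
    Returns (forwarded, dropped, err_disabled, notification_count)."""
    port = SecurePort("Fa0/20", maximum=1, violation=mode, sticky=True)
    forwarded = dropped = 0
    for i in range(count):
        if port.receive(f"0000.0000.{i:04x}") == "forward":
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped, port.err_disabled, len(port.notifications)


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, unknown_source_burst(mode))
```

With a maximum of one address, only the first frame's source is ever learned; in shutdown mode the second unknown source disables the port, and in restrict mode every later unknown source is dropped and reported while the learned PC keeps working.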
Challenge Exercises
Verify the implementation using the “sh run” command, then log off the device and try to enter User mode
again. Has it been correctly configured?
Let’s access MySwitch from one (either) of our PCs. In PuTTY, select Telnet as the Connection type, type 192.168.0.1
in the Host Name (or IP address) box, type 23 in the Port box, and click Open. The telnet application will
prompt you for the telnet login user and the respective password. You now have CLI access to the switch in
Administrator mode; confirm this by running a few commands – “sh run”, “sh ip int brief”, etc. – and checking that
it is MySwitch. When you exit from the Telnet session, the telnet application will close and you will be logged out.
USEFUL TIP: When connecting to a router, you can enter any of its multiple IP addresses (but all these IPs have to
be assigned to one of the ports available on that router). The telnet server listens on all the device’s IP
addresses, and any incoming connection will be routed to an available vty port.
Log off the device and enter User mode again. Which pass-code did you use to access Administrator
(Privileged EXEC) mode: CLASSW3 or CLASSCR? What can you conclude?
5. Configure the SSH server with two additional local users on both the Router and the Switch:
a. Username: Jason, password: abc123
b. Username: Mark, password: def456
6. Abandon the Telnet connection and set up the virtual terminal (vty) login to use only SSH.
From one of your PCs, run the PuTTY program, select the SSH option and connect to the switch IP address. The program
should show you the certificate and ask if you want to accept it; answer yes. Once connected, you need to enter a username
and password; use one of the two username/password combinations you previously entered. Confirm that you have full
administrator access to the switch.
You should confirm that you can log in multiple times concurrently from both PCs.
You can use the “show ip ssh” command to check your current SSH server configuration, “show ssh” to see all
information about current remote connections to the SSH server, and the “show users” command to see who is logged into
the server at the moment.
Now try adding and removing users from the switch using the “username” command and attempt to SSH to the switch again.
TRY this
Now let’s access the switch using telnet from both PCs at the same time. You should confirm that this is possible. With one
telnet connection from PC1 and one telnet connection from PC2, do you think you can start a second concurrent connection
from PC1? Try this.
USEFUL TIP: Configuring a device from another device is confusing; it is easy to forget which device is which and what
you are trying to do. Also, when you configure the second device, you are no longer able to configure the first until you
log out. It is more useful to use the telnet application to connect to the devices so you can configure all devices concurrently.
1. Create VLANs with the respective IDs and names (10, general) and (50, Management).
2. Move the IP address from VLAN 1 to VLAN 50, a management VLAN (interface VLAN) with an IP address of
192.168.0.1 255.255.255.0.
Examine the output of “sh ip int brief”. Why do you think the status of interface VLAN 50 is down? And why is
interface VLAN 10 not shown in the list?
Note that as soon as we allocate one port to the new VLAN, interface vlan50 changes state to up. Now retry the
ping tests. Does everything work? Is it less broken than before? What do we need to do to fix it?
6. At the CLI, enter the command sh vlan br again. Compare both results and comment on the changes.
Retry all your ping tests: PC to PC, PC to Switch/Router, Switch/Router to PC. Which ones work? Why do you think some
work and some don’t?
Do not proceed to the next task until your network is fully working with full connectivity between each PC and the switch.
Once the port is down due to a rule violation, you will not be able to use it anymore, UNLESS you disable it and re-enable
it to revive it.
What if port f0/20 is enabled and you plug PC1 into the port? What do you notice? Why?
Task 5: Cleaning Up
If you have finished, feel free to make changes to your SSH and VLAN configurations. You should also play around with the
different port security options and experiment by causing the conditions to be breached.
When you are ready to finish, make sure you complete the following steps:
1. If you were silly enough to save the switch configuration, clear the switch configuration with “erase startup-config”
and make sure the switch is clean with the command “sh start”.
2. Since you created and modified VLAN information, you MUST delete the VLAN configuration by issuing the
command “delete vlan.dat”. The switch will then ask you to confirm the filename you wish to delete; check the
spelling of vlan.dat and press enter to confirm. The switch will then ask you to confirm that you want to delete
vlan.dat; again press enter to delete the file.
Note: this only clears the saved VLAN configuration; the running configuration will still contain all currently
configured VLAN information (just as erasing startup-config does not delete the switch running-config).
3. Unplug all cables from the switches and return them.
- - - - End of Lab - - - -
Assume the IP address and subnet mask of the connecting PC are 192.168.0.2, 255.255.255.0.
4. Connect the PC to any port from f0/16-18 of the switch. At the command line of the PC (C:\>), type: telnet
192.168.0.200 23. You should be able to access the switch interface.
NOTE: you can try to configure port security for the switch in Packet Tracer, but you will not be able to test it with
satisfactory feedback.
Task 2: Remote access to a Router
In the Cisco Packet Tracer software, create a simple Ethernet network by connecting a generic PC to a network router (model
2811). Then, configure the router with the following features:
Hostname – R1
Message of the day (MOTD) – Router 1 console interface
Console login with password – CCNA1
Administrator password (not secret) – CLASSW3
A virtual terminal (vty) login using SSH with one local user called Zeppa with password CCNA1VTY
Configure the Fast Ethernet port f0/0 with the IP address 192.168.0.201 255.255.255.0. Enable the port.
Assume the IP address and subnet mask of the connecting PC are 192.168.0.2, 255.255.255.0.
Connect the PC to port f0/0 of the router using a straight-through cable. At the command line of the PC (C:\>), ping
the router to confirm the response. Then type: ssh -l Zeppa 192.168.0.201 (you should be able to gain access to the
interface).