Security

The document describes how to configure network device security features like passwords, port security, ACLs, NAT, and AAA authentication using TACACS+ on routers and switches. Configuration steps are provided for setting passwords, port security to limit MAC addresses per port, standard and extended ACLs to control network access, NAT for IP address translation, and TACACS+ server configuration for centralized AAA authentication.

Uploaded by jokate6848
PART-2 (CCNA Security)

Network Device Security


Network Device Security – Configuration
Switch & Router
Laptop >> Desktop >> Terminal >> OK
Switch(config)#hostname cse
cse(config)#enable secret cse123
cse(config)#line con 0
cse(config-line)#password con123
cse(config-line)#login

Switch & Router


Switch(config)#hostname cse
cse(config)#interface vlan 1
cse(config-if)#ip address 10.10.10.1 255.255.255.0
cse(config-if)#no shutdown
cse(config-if)#exit
cse(config)#line vty 0 4
cse(config-line)#password ssh123
cse(config-line)#login
cse(config-line)#exit
cse(config)#service password-encryption
cse(config)#end
cse#copy running-config startup-config
PC >> Desktop >> IP Configuration >> 10.10.10.2 255.255.255.0
PC >> Desktop >> Command Prompt >> telnet 10.10.10.1

Port Security:
Note: all PCs must be configured with an IP address such as 10.10.10.3 or 10.10.10.4
cse(config)#interface fastethernet 0/2
cse(config-if)#switchport mode access
cse(config-if)#switchport port-security (enter this command on its own first; it enables port security, and the options below have no effect until it is on)
cse(config-if)#switchport port-security mac-address 0004.9ACB.01C6 (static entry; switchport port-security mac-address sticky instead learns the address automatically from the first frame the port receives)
cse(config-if)#switchport port-security maximum 1
cse(config-if)#switchport port-security violation shutdown

[cse#show port-security]
[cse#show port-security address]
[cse#show port-security interface fastEthernet 0/1]
[cse#show mac-address-table]
[cse#clear port-security all]
[after a violation, cse(config-if)#shutdown followed by cse(config-if)#no shutdown on the err-disabled port brings the PC on that port back]

Sticky MAC (learn the address automatically from the first frame):

cse(config)#interface range fa0/5 - 24
cse(config-if-range)#switchport mode access
cse(config-if-range)#switchport port-security
cse(config-if-range)#switchport port-security mac-address sticky
cse(config-if-range)#switchport port-security violation shutdown
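Added example, not part of these notes: a small Python model of one secured access port, covering the static entry, maximum 1, sticky learning and the shutdown violation mode configured above. It is a constructed simulation (the class, the MAC addresses other than 0004.9ACB.01C6, and the method names are all assumptions), useful for checking what the switch will do with a given sequence of source MACs before touching the lab: a second address on a full port err-disables the whole port, the allowed PC is cut off too until shutdown / no shutdown, and a sticky-learned address is what ends up in the running-config.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with switchport port-security, as a constructed model (not Cisco code).

    secure_macs holds the secure addresses (static ones plus any learned dynamically);
    once the list is full, a frame from any other source address is a violation."""
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    sticky: bool = False             # switchport port-security mac-address sticky
    violation: str = "shutdown"      # shutdown | restrict | protect
    secure_macs: list = field(default_factory=list)
    static_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        mac = mac.lower()
        if mac not in self.secure_macs:
            if len(self.secure_macs) >= self.maximum:
                raise ValueError(f"{self.name}: maximum of {self.maximum} secure addresses reached")
            self.secure_macs.append(mac)
        self.static_macs.add(mac)

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame identified by its source MAC; returns what the port did."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)           # dynamic (or sticky) learning
            return "forwarded: learned"
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True                   # the whole port goes err-disabled
            return "dropped: violation, port err-disabled"
        if self.violation == "restrict":
            return "dropped: violation counted"
        return "dropped: violation"                    # protect: silent drop

    def shut_no_shut(self) -> None:
        """shutdown / no shutdown on the interface clears the err-disabled state."""
        self.err_disabled = False

    def running_config(self) -> list:
        """The port-security lines this model would show in show running-config."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac in self.secure_macs:
            if mac in self.static_macs:
                lines.append(f" switchport port-security mac-address {mac}")
            elif self.sticky:                          # learned addresses persist only with sticky
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines


if __name__ == "__main__":
    # Constructed walk-through of the fa0/2 configuration from these notes.
    port = SecurePort("fa0/2")
    port.add_static("0004.9ACB.01C6")
    print(port.receive("0004.9acb.01c6"))   # forwarded
    print(port.receive("0011.2233.4455"))   # dropped: violation, port err-disabled
    print(port.receive("0004.9acb.01c6"))   # dropped: port err-disabled (the allowed PC is cut off too)
    port.shut_no_shut()
    print(port.receive("0004.9acb.01c6"))   # forwarded
```

The restrict and protect modes are included so the same model can be used to compare violation behaviour; only shutdown takes the port down, which is why the notes need the shutdown / no shutdown step to recover it.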

Down all Ports:

cse(config)#interface range fa0/5 - 24
cse(config-if-range)#shutdown

Up all Ports:
cse(config)#interface range fa0/5 - 24
cse(config-if-range)#no shutdown

[cse#show ip interface brief ]


Password Break / Password Recovery
Standard ACL
Three methods of access:
1. Console access - connect directly with a console cable
2. Telnet access - configure Telnet on the router under line vty
3. SSH access - configure SSH on the router: generate an RSA key pair with crypto key generate rsa, then configure line vty
Standard ACL - Configuration:
Router-0
Router(config)#router rip
Router(config-router)#network 10.10.10.0
Router(config-router)#network 172.16.1.0
Router(config-router)#network 192.168.1.0

Router-1:
Router(config)#router rip
Router(config-router)#network 200.20.20.0
Router(config-router)#network 172.16.1.0

VTY line (Telnet/SSH) password configuration:
Router(config)#line vty 0 4
Router(config-line)#password 123
Router(config-line)#login
Router(config-line)#exit
Router(config)#service password-encryption
Permit One PC:
Router(config)#access-list 10 permit host 192.168.1.2
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in
Permit a Network:
Router(config)#line vty 0 4
Router(config-line)#password 123
Router(config-line)#exit
Router(config)#access-list 10 permit 10.10.10.0 0.0.0.255
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in
Define ACL on Port:
Router(config)#access-list 10 deny host 192.168.1.3
Router(config)#access-list 10 permit any
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip access-group 10 out
Extended ACL
Extended ACL - Configuration
Setup DNS Server:
Deny Single Host to a PC (not to use):
Router(config)#access-list 100 deny ip 10.10.10.2 0.0.0.0 10.10.20.2 0.0.0.0
Router(config)#access-list 100 permit ip any any
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip access-group 100 in

Deny Half Network:

Router(config)#access-list 110 deny tcp 10.10.10.100 0.0.0.127 host 10.10.20.4 eq 80
Router(config)#access-list 110 deny tcp 10.10.10.200 0.0.0.127 host 10.10.20.5 eq 80
Router(config)#access-list 110 permit ip any any
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip access-group 110 in
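Added example, not part of these notes, serving both the standard ACL section and the extended ACL section above: a Python parser and evaluator for numbered access-list lines in the syntax used on this page (host / any / address-with-wildcard, a protocol, and eq on the destination port). It is a constructed model, not router code; the function and class names are assumptions. It runs the page's own ACL 10, 100 and 110 entries against sample packets and shows two things the configuration alone does not: every ACL ends in an implicit deny, and a wildcard pair such as 10.10.10.100 0.0.0.127 does not start at .100, because the bits under the wildcard are ignored and the entry really covers 10.10.10.0 to 10.10.10.127 (the second entry, 10.10.10.200 0.0.0.127, covers .128 to .255, which is what "half network" means here).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF


def ip2int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not compare this bit'."""
    return (addr ^ base) & (MASK32 & ~wildcard) == 0


def effective_range(base: str, wildcard: str) -> tuple:
    """Addresses an 'A W' pair really covers. The bits of A under the wildcard are ignored,
    so 10.10.10.100 0.0.0.127 behaves exactly like 10.10.10.0 0.0.0.127."""
    b, w = ip2int(base), ip2int(wildcard)
    low = b & (MASK32 & ~w)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))


def _addr_spec(tokens, i):
    """Parse 'any' | 'host A' | 'A W' | 'A' (standard-ACL shorthand for a single host)."""
    if tokens[i] == "any":
        return 0, MASK32, i + 1
    if tokens[i] == "host":
        return ip2int(tokens[i + 1]), 0, i + 2
    base = ip2int(tokens[i])
    try:
        return base, ip2int(tokens[i + 1]), i + 2
    except (IndexError, ValueError):
        return base, 0, i + 1


@dataclass
class Ace:
    action: str
    proto: str                  # 'ip' matches every protocol; 'tcp'/'udp' only that one
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    dst_port: Optional[int]     # from 'eq N' after the destination, else None


def parse_ace(line: str):
    """Parse one numbered access-list line as typed on this page (a 'Router(config)#' prefix is fine)."""
    tokens = line.split("#")[-1].split()
    number, action, i = int(tokens[1]), tokens[2], 3
    if number <= 99:                                   # standard ACL: source address only
        src, src_wc, _ = _addr_spec(tokens, i)
        return number, Ace(action, "ip", src, src_wc, 0, MASK32, None)
    proto, i = tokens[3], 4                            # extended ACL: proto src dst [eq port]
    src, src_wc, i = _addr_spec(tokens, i)
    dst, dst_wc, i = _addr_spec(tokens, i)
    port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return number, Ace(action, proto, src, src_wc, dst, dst_wc, port)


class Acl:
    def __init__(self):
        self.entries = []

    def evaluate(self, src: str, dst: str, proto: str = "ip", dst_port=None) -> str:
        """First matching entry wins; a packet that matches no entry is denied (implicit deny)."""
        s, d = ip2int(src), ip2int(dst)
        for ace in self.entries:
            if ace.proto != "ip" and ace.proto != proto:
                continue
            if not wildcard_match(s, ace.src, ace.src_wc):
                continue
            if not wildcard_match(d, ace.dst, ace.dst_wc):
                continue
            if ace.dst_port is not None and ace.dst_port != dst_port:
                continue
            return ace.action
        return "deny"


def build_acls(config_lines):
    """Group access-list lines by number, keeping the order they were entered in."""
    acls = {}
    for line in config_lines:
        if "access-list" not in line:
            continue
        number, ace = parse_ace(line)
        acls.setdefault(number, Acl()).entries.append(ace)
    return acls


# Constructed input: the ACL lines from this page, exactly as typed.
PAGE_CONFIG = [
    "Router(config)#access-list 10 deny host 192.168.1.3",
    "Router(config)#access-list 10 permit any",
    "Router(config)#access-list 100 deny ip 10.10.10.2 0.0.0.0 10.10.20.2 0.0.0.0",
    "Router(config)#access-list 100 permit ip any any",
    "Router(config)#access-list 110 deny tcp 10.10.10.100 0.0.0.127 host 10.10.20.4 eq 80",
    "Router(config)#access-list 110 deny tcp 10.10.10.200 0.0.0.127 host 10.10.20.5 eq 80",
    "Router(config)#access-list 110 permit ip any any",
]

if __name__ == "__main__":
    acls = build_acls(PAGE_CONFIG)
    print(effective_range("10.10.10.100", "0.0.0.127"))              # ('10.10.10.0', '10.10.10.127')
    print(acls[110].evaluate("10.10.10.5", "10.10.20.4", "tcp", 80))  # deny: .5 is inside .0-.127
    print(acls[110].evaluate("10.10.10.5", "10.10.20.4", "tcp", 443)) # permit: only port 80 is denied
```

The parser deliberately covers only the forms on this page (no source ports, ranges, or named ACLs); the point is the matching logic, which is what to reason about when an ACL on the lab router blocks more, or less, than intended.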
NAT (PAT)
Network Address Translation-NAT (Static)
AAA Security Services
AAA Security Services – Configuration
Router-1
TACACS+ (Terminal Access Controller Access-Control System Plus)
Router(config)#hostname cse
cse(config)#username cse secret cse123
cse(config)#aaa new-model
cse(config)#tacacs-server host 10.10.10.2
cse(config)#aaa authentication login default group tacacs+ local
cse(config)#tacacs-server key cse
cse(config)#line vty 0 4

[default = the default method list, used for every login (vty and others) that has no named list; group tacacs+ = authenticate against the TACACS+ server; local = if the TACACS+ server does not answer, the router falls back to its local username database]

In Server:
Services > AAA
Client Name: cse
Client IP: 10.10.10.1
Secret: cse
Server Type: TACACS
(switch the service On if necessary)
Username: abc
Password: abc123
Username: xyz
Password: xyz123

From PC:
telnet 10.10.10.1

Configure RIP in Router-1:

cse(config)#router rip
cse(config-router)#network 10.10.10.0
cse(config-router)#network 10.10.20.0
cse(config-router)#network 10.10.40.0

Configure RIP in Router-2:

bba(config)#router rip
bba(config-router)#network 10.10.20.0
bba(config-router)#network 10.10.30.0
Router-2
Router(config)#hostname bba
bba(config)#username bba secret bba123
bba(config)#aaa new-model
bba(config)#tacacs-server host 10.10.10.2
bba(config)#aaa authentication login default group tacacs+ local
bba(config)#tacacs-server key bba
bba(config)#line vty 0 4

[default = the default method list, used for every login (vty and others) that has no named list; group tacacs+ = authenticate against the TACACS+ server; local = if the TACACS+ server does not answer, the router falls back to its local username database]
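Added example, not part of these notes, for the method list used on both Router-1 and Router-2 (aaa authentication login default group tacacs+ local): a Python model of how the router walks that list. The server, router and method names are constructed assumptions, not a TACACS+ implementation; the accounts (abc/abc123, xyz/xyz123 on the server, cse/cse123 locally) and the shared key cse are the lab values from these notes. The behaviour it demonstrates is the one to keep in mind when the lab "does not log in": IOS moves to the next method only when the current one returns an error (no reply from the server), so a wrong password rejected by TACACS+ never falls through to the local account, while an unreachable server, or a shared key that does not match the server's secret, does.

```python
from typing import Dict, List, Optional


class TacacsServer:
    """Constructed stand-in for the lab's AAA server at 10.10.10.2: only the three
    outcomes the router can observe from a real TACACS+ server are modelled."""

    def __init__(self, key: str, users: Dict[str, str], reachable: bool = True):
        self.key = key                # the 'Secret' entered on the server
        self.users = users            # the Username/Password rows on the server
        self.reachable = reachable

    def authenticate(self, client_key: str, username: str, password: str) -> Optional[str]:
        """'PASS' or 'FAIL' when the server answered; None when the router gets no usable reply."""
        if not self.reachable:
            return None                # timeout: an ERROR to the router, not a FAIL
        if client_key != self.key:
            return None                # key mismatch: modelled as no usable reply (assumption of this model)
        return "PASS" if self.users.get(username) == password else "FAIL"


class Router:
    """Model of 'aaa new-model' plus a login method list such as ['group tacacs+', 'local']."""

    def __init__(self, hostname: str, local_users: Dict[str, str], tacacs_key: str,
                 servers: List[TacacsServer], method_list: List[str]):
        self.hostname = hostname
        self.local_users = local_users    # username ... secret ...
        self.tacacs_key = tacacs_key      # tacacs-server key ...
        self.servers = servers            # tacacs-server host ...
        self.method_list = method_list    # aaa authentication login default ...

    def login(self, username: str, password: str) -> str:
        """Walk the method list the way IOS does: the next method is consulted only when the
        current one returns an ERROR (no reply). A FAIL from the server ends the attempt,
        so 'local' is a fallback for an unreachable server, not for a rejected user."""
        for method in self.method_list:
            if method == "group tacacs+":
                for server in self.servers:
                    result = server.authenticate(self.tacacs_key, username, password)
                    if result is not None:
                        return f"{result} (tacacs+)"
                continue                  # every server errored: try the next method
            if method == "local":
                ok = self.local_users.get(username) == password
                return ("PASS" if ok else "FAIL") + " (local)"
            if method == "none":
                return "PASS (none)"
            raise ValueError(f"unknown method {method!r}")
        return "FAIL (no method could answer)"


def lab_router(server: TacacsServer, key: str = "cse") -> Router:
    """Router-1 from these notes: local account cse/cse123, key cse, list 'group tacacs+ local'."""
    return Router("cse", {"cse": "cse123"}, key, [server], ["group tacacs+", "local"])


if __name__ == "__main__":
    server = TacacsServer("cse", {"abc": "abc123", "xyz": "xyz123"})
    cse = lab_router(server)
    print(cse.login("abc", "abc123"))   # PASS (tacacs+)
    print(cse.login("cse", "cse123"))   # FAIL (tacacs+): the server answered, so no local fallback
    server.reachable = False
    print(cse.login("cse", "cse123"))   # PASS (local)
```

The same model covers Router-2 by constructing it with hostname bba, local account bba/bba123 and key bba; the method list and therefore the fallback behaviour are identical.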

In Server:
Services > AAA
Client Name: BBA
Client IP: 10.10.30.1
Secret: bba
Server Type: TACACS
(switch the service On if necessary)

Username: abc
Password: abc123
Username: xyz
Password: xyz123
From PC:
telnet 10.10.30.1
