SIC Manual


Daar-ul-Rehmat Trust’s

A.E. Kalsekar Degree College


(Permanently Affiliated to University of Mumbai)
Add: Near Bharat Gas Factory, Post Dawla, Kausa-Mumbra, Dist. Thane, Pin 400612,
Maharashtra(India).

CERTIFICATE
This is to certify that
SIDDIQUI MOHAMMED SHARIQUE MOHAMMMED
SHAFIQUE
(Exam Seat No. 36) of the T. Y. B. Sc. Information Technology class has satisfactorily
completed his project/assignment/practical on SECURITY IN COMPUTING
in partial fulfilment of the degree of Bachelor of Science in Information
Technology as prescribed by the University of Mumbai,
for the academic year 2022-2023.

Professor In-Charge H.O.D External Examiner


INDEX

Sr. No.  Practical                                                                    Date         Sign.
1        Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations  16-01-2023
2        Packet Tracer - Configure AAA Authentication on Cisco Routers                17-01-2023
3        Configuring Extended ACLs                                                    18-01-2023
4        Configure IP ACLs to Mitigate Attacks                                        19-01-2023
5        Configuring IPv6 ACLs                                                        20-01-2023
6        Configuring a Zone-Based Policy Firewall (ZPF)                               21-01-2023
7        Configure IOS Intrusion Prevention System (IPS) Using the CLI                23-01-2023
8        Packet Tracer - Layer 2 Security                                             25-01-2023

Practical 1: Packet Tracer - Configure Cisco Routers for Syslog, NTP,
and SSH Operations
Topology

Addressing Table

Device   Interface       IP Address     Subnet Mask       Default Gateway   Switch Port
R1       G0/1            192.168.1.1    255.255.255.0     N/A               S1 F0/5
R1       S0/0/0 (DCE)    10.1.1.1       255.255.255.252   N/A               N/A
R2       S0/0/0          10.1.1.2       255.255.255.252   N/A               N/A
R2       S0/0/1 (DCE)    10.2.2.2       255.255.255.252   N/A               N/A
R3       G0/1            192.168.3.1    255.255.255.0     N/A               S3 F0/5
R3       S0/0/1          10.2.2.1       255.255.255.252   N/A               N/A
PC-A     NIC             192.168.1.5    255.255.255.0     192.168.1.1       S1 F0/6
PC-B     NIC             192.168.1.6    255.255.255.0     192.168.1.1       S2 F0/18
PC-C     NIC             192.168.3.5    255.255.255.0     192.168.3.1       S3 F0/18

R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest
R2(config)# router ospf 1
R2(config-router)# area 0 authentication message-digest
R3(config)# router ospf 1
R3(config-router)# area 0 authentication message-digest

R1(config)# interface s0/0/0
R1(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R2(config)# interface s0/0/0
R2(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R2(config-if)# interface s0/0/1
R2(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R3(config)# interface s0/0/1
R3(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R1(config)# ntp server 192.168.1.5
R2(config)# ntp server 192.168.1.5
R3(config)# ntp server 192.168.1.5

R1(config)# ntp update-calendar
R2(config)# ntp update-calendar
R3(config)# ntp update-calendar

R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
R1(config)# ntp authentication-key 1 md5 NTPpa55

R2(config)# ntp authenticate
R2(config)# ntp trusted-key 1
R2(config)# ntp authentication-key 1 md5 NTPpa55

R3(config)# ntp authenticate
R3(config)# ntp trusted-key 1
R3(config)# ntp authentication-key 1 md5 NTPpa55
R1(config)# service timestamps log datetime msec
R2(config)# service timestamps log datetime msec
R3(config)# service timestamps log datetime msec

R1(config)# logging host 192.168.1.6
R2(config)# logging host 192.168.1.6
R3(config)# logging host 192.168.1.6

R3(config)# ip domain-name ccnasecurity.com
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
R3(config-line)# exit
R3(config)# crypto key zeroize rsa

R3(config)# crypto key generate rsa
The name for the keys will be: R3.ccnasecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few
minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Note: ip ssh version 2 requires a modulus of at least 768 bits. 1024-bit RSA is below current guidance; choose 2048 (the largest value offered here) on real hardware.

R3(config)# ip ssh time-out 90


R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2
PC> telnet 192.168.3.1
(The connection is refused: transport input ssh allows only SSH on the vty lines.)
PC> ssh -l SSHadmin 192.168.3.1
R2# ssh -v 2 -l SSHadmin 10.2.2.1
Practical 2: Packet Tracer - Configure AAA Authentication on Cisco
Routers
Topology

Addressing Table

Device          Interface       IP Address     Subnet Mask       Default Gateway   Switch Port
R1              G0/1            192.168.1.1    255.255.255.0     N/A               S1 F0/1
R1              S0/0/0 (DCE)    10.1.1.2       255.255.255.252   N/A               N/A
R2              G0/0            192.168.2.1    255.255.255.0     N/A               S2 F0/2
R2              S0/0/0          10.1.1.1       255.255.255.252   N/A               N/A
R2              S0/0/1 (DCE)    10.2.2.1       255.255.255.252   N/A               N/A
R3              G0/1            192.168.3.1    255.255.255.0     N/A               S3 F0/5
R3              S0/0/1          10.2.2.2       255.255.255.252   N/A               N/A
TACACS+ Server  NIC             192.168.2.2    255.255.255.0     192.168.2.1       S2 F0/6
RADIUS Server   NIC             192.168.3.2    255.255.255.0     192.168.3.1       S3 F0/1
PC-A            NIC             192.168.1.3    255.255.255.0     192.168.1.1       S1 F0/2
PC-B            NIC             192.168.2.3    255.255.255.0     192.168.2.1       S2 F0/1
PC-C            NIC             192.168.3.3    255.255.255.0     192.168.3.1       S3 F0/18

Verify connectivity before configuring AAA:
• Ping from PC-A to PC-B.
• Ping from PC-A to PC-C.
• Ping from PC-B to PC-C.
R1(config)# username Admin1 secret admin1pa55
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# line console 0
R1(config-line)# login authentication default
R1(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
R1# exit

R1 con0 is now available
Press RETURN to get started.

************ AUTHORIZED ACCESS ONLY *************


UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

User Access Verification

Username: Admin1
Password: admin1pa55
R1>
R1(config)# ip domain-name ccnasecurity.com

R1(config)# crypto key generate rsa

How many bits in the modulus [512]: 1024


% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)# aaa authentication login SSH-LOGIN local
R1(config)# line vty 0 4
R1(config-line)# login authentication SSH-LOGIN
R1(config-line)# transport input ssh
R1(config-line)# end
Note: method-list names are case-sensitive; the name referenced on the vty lines must match the one defined with aaa authentication login exactly.

PC> ssh -l Admin1 192.168.1.1
Open
Password: admin1pa55
R2(config)# username Admin2 secret admin2pa55
R2(config)# tacacs-server host 192.168.2.2
R2(config)# tacacs-server key tacacspa55
R2(config)# aaa new-model
R2(config)# aaa authentication login default group tacacs+ local
R2(config)# line console 0
R2(config-line)# login authentication default
R2(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
R2# exit

R2 con0 is now available
Press RETURN to get started.

User Access Verification

Username: Admin2
Password: admin2pa55
R2>
R3(config)# username Admin3 secret admin3pa55
R3(config)# radius-server host 192.168.3.2
R3(config)# radius-server key radiuspa55
R3(config)# aaa new-model
R3(config)# aaa authentication login default group radius local
R3(config)# line console 0
R3(config-line)# login authentication default
R3(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
R3# exit

R3 con0 is now available
Press RETURN to get started.

************ AUTHORIZED ACCESS ONLY *************


UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

User Access Verification


Username: Admin3
Password: admin3pa55
R3>
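The following is an added example and not part of the lab manual. It models the semantics behind the method lists used above (aaa authentication login default group tacacs+ local on R2, group radius local on R3): IOS tries the methods in order and moves to the next one only when a method returns an error, that is, when it gets no usable answer (server unreachable, or a mismatched shared key so the reply cannot be validated). A reject from a reachable server ends the login; the local database is not consulted. The TacacsServer class, the breakglass account and the user tables are constructed for the example; only Admin2/admin2pa55 and the key tacacspa55 come from the lab.

```python
"""AAA login method-list fallback model (added example, not from the lab manual).
Models 'aaa authentication login default group tacacs+ local': PASS or FAIL
from a method ends the login, ERROR hands over to the next method."""
import secrets
from enum import Enum


class Result(Enum):
    PASS = "pass"    # authenticated
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method gave no usable answer


class TacacsServer:
    """Toy TACACS+ server: user table, shared key and a reachability flag (constructed)."""
    def __init__(self, key, users, reachable=True):
        self.key, self.users, self.reachable = key, users, reachable

    def authenticate(self, client_key, user, password):
        # Unreachable server or key mismatch: the router never sees a valid reply,
        # so the method reports ERROR and the next method in the list is tried.
        if not self.reachable or not secrets.compare_digest(client_key, self.key):
            return Result.ERROR
        stored = self.users.get(user)
        if stored is not None and secrets.compare_digest(stored, password):
            return Result.PASS
        return Result.FAIL


def local_method(users, user, password):
    """The 'local' method: the router's own 'username ... secret ...' database."""
    stored = users.get(user)
    if stored is not None and secrets.compare_digest(stored, password):
        return Result.PASS
    return Result.FAIL


def aaa_login(methods, user, password):
    """Walk the method list like IOS. Returns (granted, method_that_decided)."""
    for name, method in methods:
        result = method(user, password)
        if result is Result.PASS:
            return True, name
        if result is Result.FAIL:
            return False, name   # stop here: later methods are NOT tried
        # Result.ERROR: fall through to the next method
    return False, "none"         # every method errored: login denied


# Constructed data. Admin2/admin2pa55 is the lab account; 'breakglass' is an
# assumed account that exists only in the router's local database.
LOCAL_USERS = {"Admin2": "admin2pa55", "breakglass": "Lo0cal-0nly!"}
SERVER_USERS = {"Admin2": "admin2pa55"}


def r2_methods(server_up=True, router_key="tacacspa55", server_key="tacacspa55"):
    """Method list 'group tacacs+ local' as configured on R2."""
    server = TacacsServer(server_key, SERVER_USERS, reachable=server_up)
    return [("tacacs+", lambda u, p: server.authenticate(router_key, u, p)),
            ("local", lambda u, p: local_method(LOCAL_USERS, u, p))]


def scenarios() -> dict:
    return {
        "server_up_lab_account": aaa_login(r2_methods(), "Admin2", "admin2pa55"),
        "server_up_bad_password": aaa_login(r2_methods(), "Admin2", "wrong"),
        # the local-only account is rejected while the server is answering...
        "server_up_breakglass": aaa_login(r2_methods(), "breakglass", "Lo0cal-0nly!"),
        # ...and works only when the server cannot answer
        "server_down_breakglass": aaa_login(r2_methods(server_up=False), "breakglass", "Lo0cal-0nly!"),
        # a mistyped 'tacacs-server key' silently turns every login into local fallback
        "key_mismatch_lab_account": aaa_login(r2_methods(router_key="tacacspa5"), "Admin2", "admin2pa55"),
        "server_down_bad_password": aaa_login(r2_methods(server_up=False), "Admin2", "wrong"),
    }
```

Two consequences worth checking on a real router: a local break-glass account is only usable while the server is down, and a wrong shared key does not lock anyone out, it quietly makes the local database the effective authority, so a key mismatch is found by watching the TACACS+ error counters, not by login failures.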
Practical 3: Configuring Extended ACLs
Topology

Addressing Table

Device   Interface   IP Address     Subnet Mask       Default Gateway
R1       G0/0        172.22.34.65   255.255.255.224   N/A
R1       G0/1        172.22.34.97   255.255.255.240   N/A
R1       G0/2        172.22.34.1    255.255.255.192   N/A
Server   NIC         172.22.34.62   255.255.255.192   172.22.34.1
PC1      NIC         172.22.34.66   255.255.255.224   172.22.34.65
PC2      NIC         172.22.34.98   255.255.255.240   172.22.34.97

a) From global configuration mode on R1, enter the following command to determine the
first valid number for an extended access list.
R1(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list

b) Add 100 to the command, followed by a question mark.
R1(config)# access-list 100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
c) To permit FTP traffic, enter permit, followed by a question mark.
R1(config)# access-list 100 permit ?
  ahp    Authentication Header Protocol
  eigrp  Cisco's EIGRP routing protocol
  esp    Encapsulation Security Payload
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
d) This ACL permits FTP and ICMP. ICMP is listed above, but FTP is not, because FTP
uses TCP. Therefore, enter tcp to further refine the ACL help.
R1(config)# access-list 100 permit tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

e) Notice that we could filter just for PC1 by using the host keyword or we could allow any
host. In this case, any device is allowed that has an address belonging to the
172.22.34.64/27 network. Enter the network address, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 ?
A.B.C.D Source wildcard bits
f) Calculate the wildcard mask by taking the bitwise complement (binary opposite) of the subnet mask: every 1 bit in the mask becomes 0 (must match) and every 0 bit becomes 1 (don't care).
11111111.11111111.11111111.11100000 = 255.255.255.224 (subnet mask)
00000000.00000000.00000000.00011111 = 0.0.0.31 (wildcard mask)

g) Enter the wildcard mask, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

h) Configure the destination address. In this scenario, we are filtering traffic for a single
destination, which is the server. Enter the host keyword followed by the server's IP
address.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 ?
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
  <cr>

i) Notice that one of the options is <cr> (carriage return). In other words, you can press
Enter and the statement would permit all TCP traffic. However, we are only permitting
FTP traffic; therefore, enter the eq keyword, followed by a question mark to display the
available options. Then, enter ftp and press Enter.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ?
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp
j) Create a second access list statement to permit ICMP (ping, etc.) traffic from PC1 to
Server. Note that the access list number remains the same and no particular type of
ICMP traffic needs to be specified.
R1(config)# access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62

k) All other traffic is denied by the implicit deny at the end of every ACL. Apply the ACL
inbound on the interface facing PC1 so that PC1's traffic is checked as it enters R1.
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip access-group 100 in

Verify the ACL implementation.

a. Ping from PC1 to Server. If the pings are unsuccessful, verify the IP addresses before
continuing.
b. FTP from PC1 to Server. The username and password are both cisco.
PC> ftp 172.22.34.62
c. Exit the FTP service of the Server.
ftp> quit
d. Ping from PC1 to PC2. The destination host should be unreachable, because the
traffic was not explicitly permitted.

R1(config)# ip access-list ?
  extended  Extended Access List
  standard  Standard Access List

R1(config)# ip access-list extended HTTP_ONLY

R1(config-ext-nacl)# permit tcp 172.22.34.96 ?
  A.B.C.D  Source wildcard bits

The wildcard mask for a /28 is the complement of 255.255.255.240:

  255.255.255.255
- 255.255.255.240
-----------------
    0.  0.  0. 15

R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www
R1(config-ext-nacl)# permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62
R1(config-ext-nacl)# exit

R1(config)# interface gigabitEthernet 0/1


R1(config-if)# ip access-group HTTP_ONLY in

Verify the ACL implementation.


a. Ping from PC2 to Server. The ping should be successful, if the ping is unsuccessful,
verify the IP addresses before continuing.
b. FTP from PC2 to Server. The connection should fail.
c. Open the web browser on PC2 and enter the IP address of Server as the URL. The
connection should be successful.
Practical 4: Configure IP ACLs to Mitigate Attacks.
Topology

Addressing Table

Device   Interface       IP Address     Subnet Mask       Default Gateway   Switch Port
R1       G0/1            192.168.1.1    255.255.255.0     N/A               S1 F0/5
R1       S0/0/0 (DCE)    10.1.1.1       255.255.255.252   N/A               N/A
R2       S0/0/0          10.1.1.2       255.255.255.252   N/A               N/A
R2       S0/0/1 (DCE)    10.2.2.2       255.255.255.252   N/A               N/A
R2       Lo0             192.168.2.1    255.255.255.0     N/A               N/A
R3       G0/1            192.168.3.1    255.255.255.0     N/A               S3 F0/5
R3       S0/0/1          10.2.2.1       255.255.255.252   N/A               N/A
PC-A     NIC             192.168.1.3    255.255.255.0     192.168.1.1       S1 F0/6
PC-C     NIC             192.168.3.3    255.255.255.0     192.168.3.1       S3 F0/18

Restrict vty (SSH) access on all three routers to the management station PC-C with a standard ACL applied as an access-class:
R1(config)# access-list 10 permit host 192.168.3.3
R2(config)# access-list 10 permit host 192.168.3.3
R3(config)# access-list 10 permit host 192.168.3.3

R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
R2(config)# line vty 0 4
R2(config-line)# access-class 10 in
R3(config)# line vty 0 4
R3(config-line)# access-class 10 in

Verify exclusive access from management station PC-C.


a. Establish an SSH session to 192.168.2.1 from PC-C (should be successful).
PC> ssh -l SSHadmin 192.168.2.1

b. Establish an SSH session to 192.168.2.1 from PC-A (should fail).


R1(config)# access-list 120 permit udp any host 192.168.1.3 eq domain
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq smtp
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq ftp
R1(config)# access-list 120 deny tcp any host 192.168.1.3 eq 443
R1(config)# access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
R1(config)# interface s0/0/0

R1(config-if)# ip access-group 120 in


R1(config)# access-list 120 permit icmp any any echo-reply
R1(config)# access-list 120 permit icmp any any unreachable
R1(config)# access-list 120 deny icmp any any
R1(config)# access-list 120 permit ip any any

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 any


R3(config)# interface g0/1
R3(config-if)# ip access-group 110 in

Anti-spoofing ACL on R3's WAN interface: packets arriving from the serial link with a private (RFC 1918) or loopback source address are dropped. The first entry permits SSH return traffic from the 10.x router links to the management station and must come before the deny for 10.0.0.0/8, because the first matching entry wins.
R3(config)# access-list 100 permit tcp 10.0.0.0 0.255.255.255 eq 22 host 192.168.3.3
R3(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R3(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R3(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R3(config)# access-list 100 permit ip any any
Note: the deny for 192.168.0.0/16 also matches this lab's own 192.168.1.0/24 LAN behind R1, so PC-A can no longer reach PC-C once the list is applied; in a real network, exclude any private ranges that legitimately arrive over that link.

R3(config)# interface s0/0/1


R3(config-if)# ip access-group 100 in
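The following is an added example, not code from the lab manual. It is a small Python model of how IOS evaluates the extended ACLs built in Practical 3 (ACL 100 and HTTP_ONLY on R1) and Practical 4 (ACL 120 on R1 and the anti-spoofing ACL 100 on R3): the wildcard-mask calculation from step f, first-match evaluation, and the implicit deny from step k. It re-runs the manuals' verification steps as constructed packets, and adds two cases the manual leaves implicit: ordering in ACL 120 (the deny for 443 sits before permit ip any any) and the fact that R3's 192.168.0.0/16 deny also drops PC-A's traffic. The parser, the packet dictionaries and the first entry of R3's ACL 100 (reconstructed from the garbled line in the manual) are assumptions of this example; only the eq operator is modelled.

```python
"""Extended-ACL evaluator (added example, not code from the lab manual).
Models IOS first-match evaluation with an implicit 'deny ip any any' at the end
and re-runs the verification steps of Practicals 3 and 4. Packets are constructed."""
import ipaddress

# Port names IOS accepts after 'eq' (the subset used on this page).
PORTS = {"ftp": 21, "www": 80, "smtp": 25, "domain": 53, "telnet": 23, "pop3": 110}


def wildcard_from_mask(mask: str) -> str:
    """Wildcard mask = bitwise complement of the subnet mask (255.255.255.224 -> 0.0.0.31)."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must equal the base address bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' and return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


def _port(tokens):
    """Consume an optional 'eq PORT' qualifier ('eq' is the only operator modelled)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORTS[p] if p in PORTS else int(p)
    return None


def parse_entry(line: str) -> dict:
    """One ACE, numbered ('access-list 100 permit ...') or named ('permit ...') form."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _addr(tokens), _port(tokens)   # source, optional source port
    dst, dport = _addr(tokens), _port(tokens)   # destination, optional destination port
    icmp_type = tokens.pop(0) if tokens and proto == "icmp" else None
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, icmp_type=icmp_type)


def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry decides; nothing matched -> implicit deny."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != pkt.get("icmp_type"):
            continue
        return e["action"]
    return "deny"


def load(lines):
    return [parse_entry(line) for line in lines]


ACL_100_R1 = load(["access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp",
                   "access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62"])
HTTP_ONLY = load(["permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www",
                  "permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62"])
ACL_120_R1 = load(["access-list 120 permit udp any host 192.168.1.3 eq domain",
                   "access-list 120 permit tcp any host 192.168.1.3 eq smtp",
                   "access-list 120 permit tcp any host 192.168.1.3 eq ftp",
                   "access-list 120 deny tcp any host 192.168.1.3 eq 443",
                   "access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22",
                   "access-list 120 permit icmp any any echo-reply",
                   "access-list 120 permit icmp any any unreachable",
                   "access-list 120 deny icmp any any",
                   "access-list 120 permit ip any any"])
ACL_100_R3 = load([  # first entry reconstructed from the partly garbled line in the manual
                   "access-list 100 permit tcp 10.0.0.0 0.255.255.255 eq 22 host 192.168.3.3",
                   "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
                   "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
                   "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
                   "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
                   "access-list 100 permit ip any any"])


def pkt(proto, src, dst, **fields):
    return dict(proto=proto, src=src, dst=dst, **fields)


def lab_checks() -> dict:
    """The manual's verification steps plus two cases it leaves implicit."""
    return {
        "pc1_ftp_server": evaluate(ACL_100_R1, pkt("tcp", "172.22.34.66", "172.22.34.62", dport=21)),
        "pc1_ping_pc2": evaluate(ACL_100_R1, pkt("icmp", "172.22.34.66", "172.22.34.98", icmp_type="echo")),
        "pc2_http_server": evaluate(HTTP_ONLY, pkt("tcp", "172.22.34.98", "172.22.34.62", dport=80)),
        "pc2_ftp_server": evaluate(HTTP_ONLY, pkt("tcp", "172.22.34.98", "172.22.34.62", dport=21)),
        "https_to_pca": evaluate(ACL_120_R1, pkt("tcp", "10.2.2.1", "192.168.1.3", dport=443)),
        "echo_request_to_pca": evaluate(ACL_120_R1, pkt("icmp", "192.168.3.3", "192.168.1.3", icmp_type="echo")),
        "echo_reply_to_pca": evaluate(ACL_120_R1, pkt("icmp", "192.168.3.3", "192.168.1.3", icmp_type="echo-reply")),
        "ssh_reply_to_pcc": evaluate(ACL_100_R3, pkt("tcp", "10.1.1.1", "192.168.3.3", sport=22, dport=1028)),
        "pca_to_pcc": evaluate(ACL_100_R3, pkt("icmp", "192.168.1.3", "192.168.3.3", icmp_type="echo")),
    }
```

Run lab_checks() to see each verification step's verdict; the wildcard helpers can be used on their own to check a mask before typing it into a router (a wrong wildcard silently widens or narrows the match rather than producing an error).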
Practical 5: Configuring IPv6 ACLs
Topology

Addressing Table
R1(config)# ipv6 access-list BLOCK_HTTP
R1(config-ipv6-acl)# deny tcp any host 2001:DB8:1:30::30 eq www
R1(config-ipv6-acl)# deny tcp any host 2001:DB8:1:30::30 eq 443
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ipv6 traffic-filter BLOCK_HTTP in

Verify the ACL implementation.


Verify that the ACL is operating as intended by conducting the following tests:
• Open the web browser of PC1 to http://2001:DB8:1:30::30 or
https://2001:DB8:1:30::30. The website should appear.
• Open the web browser of PC2 to http://2001:DB8:1:30::30 or
https://2001:DB8:1:30::30. The website should be blocked.
• Ping from PC2 to 2001:DB8:1:30::30. The ping should be successful.

R3(config)# ipv6 access-list BLOCK_ICMP
R3(config-ipv6-acl)# deny icmp any any
R3(config-ipv6-acl)# permit ipv6 any any
R3(config-ipv6-acl)# exit
R3(config)# interface GigabitEthernet0/0
R3(config-if)# ipv6 traffic-filter BLOCK_ICMP out

Note: IPv6 Neighbor Discovery runs over ICMPv6. IOS adds implicit permit icmp any any nd-na and nd-ns entries at the end of every IPv6 ACL, but an explicit deny icmp any any is evaluated before them, so in a production network permit nd-ns and nd-na explicitly before such a deny.

Verify that the proper access list functions.


a. Ping from PC2 to 2001:DB8:1:30::30. The ping should fail.
b. Ping from PC1 to 2001:DB8:1:30::30. The ping should fail.
c. Open the web browser of PC1 to http://2001:DB8:1:30::30 or
https://2001:DB8:1:30::30. The website should display.
Practical 6: Configuring a Zone-Based Policy Firewall (ZPF)
Topology

Addressing Table

Device   Interface       IP Address     Subnet Mask       Default Gateway   Switch Port
R1       G0/1            192.168.1.1    255.255.255.0     N/A               S1 F0/5
R1       S0/0/0 (DCE)    10.1.1.1       255.255.255.252   N/A               N/A
R2       S0/0/0          10.1.1.2       255.255.255.252   N/A               N/A
R2       S0/0/1 (DCE)    10.2.2.2       255.255.255.252   N/A               N/A
R3       G0/1            192.168.3.1    255.255.255.0     N/A               S3 F0/5
R3       S0/0/1          10.2.2.1       255.255.255.252   N/A               N/A
PC-A     NIC             192.168.1.3    255.255.255.0     192.168.1.1       S1 F0/6
PC-C     NIC             192.168.3.3    255.255.255.0     192.168.3.1       S3 F0/18

R3(config)# license boot module c1900 technology-package securityk9
(Reload R3 so that the security technology package is active, then create the zones.)

R3(config)# zone security IN-ZONE
R3(config-sec-zone)# exit
R3(config)# zone security OUT-ZONE
R3(config-sec-zone)# exit

R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any



R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP


R3(config-cmap)# match access-group 101
R3(config-cmap)# exit

R3(config)# policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP
R3(config-pmap-c)# inspect
%No specific protocol configured in class IN-NET-CLASS-MAP for
inspection. All protocols will be inspected.
R3(config-pmap-c)# exit
R3(config-pmap)# exit

R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit

R3(config)# interface g0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
R3(config-if)# exit

R3# show policy-map type inspect zone-pair sessions
policy exists on zp IN-2-OUT-ZPAIR
Zone-pair: IN-2-OUT-ZPAIR
  Service-policy inspect : IN-2-OUT-PMAP
    Class-map: IN-NET-CLASS-MAP (match-all)
      Match: access-group 101
      Inspect
        Number of Established Sessions = 1
        Established Sessions
          Session 175216232 (192.168.3.3:1028)=>(10.2.2.2:22) tcp SIS_OPEN/TCP_ESTAB
            Created 00:00:25, Last heard 00:00:20
            Bytes sent (initiator:responder) [1195:1256]
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
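The following is an added example, not code from the lab manual. It models the stateful behaviour that the session output above demonstrates: PC-C's SSH connection from IN-ZONE to OUT-ZONE matches ACL 101 in IN-NET-CLASS-MAP, is inspected, and creates a session entry; the replies from 10.2.2.2 are admitted because they match that session, while anything else arriving on s0/0/1 is dropped because no OUT-ZONE to IN-ZONE zone-pair exists. The ZoneFirewall class and the packet dictionaries are assumptions of this example; the zone names, interfaces, ACL 101 and the session endpoints come from the lab.

```python
"""Zone-based policy firewall model (added example, not code from the lab manual).
Models R3 from Practical 6: g0/1 in IN-ZONE, s0/0/1 in OUT-ZONE, one zone-pair
IN-2-OUT-ZPAIR with an inspect policy matching ACL 101. Packets are constructed."""
import ipaddress


class ZoneFirewall:
    def __init__(self):
        self.zone_of = {}      # interface -> zone name
        self.pairs = {}        # (src_zone, dst_zone) -> (match_fn, action)
        self.sessions = set()  # (src, sport, dst, dport, proto) created by 'inspect'

    def zone_member(self, iface, zone):
        self.zone_of[iface] = zone

    def zone_pair(self, src_zone, dst_zone, match_fn, action="inspect"):
        self.pairs[(src_zone, dst_zone)] = (match_fn, action)

    def forward(self, in_iface, out_iface, pkt) -> str:
        """Decide 'permit' or 'drop' for a packet entering in_iface and routed out out_iface."""
        src_zone, dst_zone = self.zone_of.get(in_iface), self.zone_of.get(out_iface)
        if src_zone == dst_zone:
            return "permit"                    # intra-zone traffic is not policed
        if src_zone is None or dst_zone is None:
            return "drop"                      # zoned <-> unzoned interface: dropped
        key = (pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"), pkt["proto"])
        reverse = (pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"), pkt["proto"])
        if reverse in self.sessions:
            return "permit"                    # return traffic of an inspected session
        policy = self.pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"                      # no zone-pair in this direction: default deny
        match_fn, action = policy
        if not match_fn(pkt):
            return "drop"                      # class-default: drop
        if action == "inspect":
            self.sessions.add(key)             # stateful entry that will admit the reply
            return "permit"
        return "permit" if action == "pass" else "drop"


def acl_101(pkt) -> bool:
    """class-map IN-NET-CLASS-MAP: match access-group 101 (permit ip 192.168.3.0 0.0.0.255 any)."""
    return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network("192.168.3.0/24")


def build_r3() -> ZoneFirewall:
    fw = ZoneFirewall()
    fw.zone_member("g0/1", "IN-ZONE")
    fw.zone_member("s0/0/1", "OUT-ZONE")
    fw.zone_pair("IN-ZONE", "OUT-ZONE", acl_101, "inspect")   # IN-2-OUT-ZPAIR / IN-2-OUT-PMAP
    return fw


def lab_run() -> dict:
    """PC-C's SSH session to 10.2.2.2 (the session shown in the lab output) and three other cases."""
    fw = build_r3()
    pcc_ssh = dict(proto="tcp", src="192.168.3.3", sport=1028, dst="10.2.2.2", dport=22)
    reply = dict(proto="tcp", src="10.2.2.2", sport=22, dst="192.168.3.3", dport=1028)
    unsolicited = dict(proto="tcp", src="10.2.2.2", sport=40000, dst="192.168.3.3", dport=80)
    spoofed = dict(proto="tcp", src="10.9.9.9", sport=1029, dst="10.2.2.2", dport=22)
    return {
        "pcc_ssh_out": fw.forward("g0/1", "s0/0/1", pcc_ssh),         # inspected -> permit
        "ssh_reply_in": fw.forward("s0/0/1", "g0/1", reply),          # matches session -> permit
        "unsolicited_in": fw.forward("s0/0/1", "g0/1", unsolicited),  # no OUT->IN pair -> drop
        "spoofed_src_out": fw.forward("g0/1", "s0/0/1", spoofed),     # class-default -> drop
        "sessions": len(fw.sessions),                                 # = Number of Established Sessions
    }
```

The sessions set corresponds to the Established Sessions list in show policy-map type inspect zone-pair sessions. Note that the model, like the lab, has no zone-pair towards IN-ZONE at all: an attacker on the WAN cannot open anything to PC-C, but PC-C also cannot be reached for legitimate inbound services until an OUT-to-IN pair with its own policy is added.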
Practical 7: Configure IOS Intrusion Prevention System (IPS) Using
the CLI
Topology

Addressing Table

Device   Interface       IP Address     Subnet Mask       Default Gateway   Switch Port
R1       G0/1            192.168.1.1    255.255.255.0     N/A               S1 F0/1
R1       S0/0/0          10.1.1.1       255.255.255.252   N/A               N/A
R2       S0/0/0 (DCE)    10.1.1.2       255.255.255.252   N/A               N/A
R2       S0/0/1 (DCE)    10.2.2.2       255.255.255.252   N/A               N/A
R3       G0/1            192.168.3.1    255.255.255.0     N/A               S3 F0/1
R3       S0/0/0          10.2.2.1       255.255.255.252   N/A               N/A
Syslog   NIC             192.168.1.50   255.255.255.0     192.168.1.1       S1 F0/2
PC-A     NIC             192.168.1.2    255.255.255.0     192.168.1.1       S1 F0/3
PC-C     NIC             192.168.3.2    255.255.255.0     192.168.3.1       S3 F0/2

R1(config)# license boot module c1900 technology-package securityk9


R1# mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir
R1(config)# ip ips config location flash:ipsdir
R1(config)# ip ips name iosips
R1(config)# ip ips notify log
R1# clock set 10:20:00 10 january 2014
R1(config)# service timestamps log datetime msec
R1(config)# logging host 192.168.1.50
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>
R1(config)# interface g0/1
R1(config-if)# ip ips iosips out
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>
Practical 8: Packet Tracer - Layer 2 Security
Topology

Central(config)# spanning-tree vlan 1 root primary


SW-1(config)# spanning-tree vlan 1 root secondary
Central# show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 00D0.D31C.634C
This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec


SW-A(config)# interface range f0/1 - 4
SW-A(config-if-range)# spanning-tree portfast

SW-B(config)# interface range f0/1 - 4


SW-B(config-if-range)# spanning-tree portfast
SW-A(config)# interface range f0/1 - 4
SW-A(config-if-range)# spanning-tree bpduguard enable

SW-B(config)# interface range f0/1 - 4


SW-B(config-if-range)# spanning-tree bpduguard enable
SW-1(config)# interface range f0/23 - 24
SW-1(config-if-range)# spanning-tree guard root
SW-2(config)# interface range f0/23 - 24
SW-2(config-if-range)# spanning-tree guard root
SW-A(config)# interface range f0/1 - 22
SW-A(config-if-range)# switchport mode access
SW-A(config-if-range)# switchport port-security
SW-A(config-if-range)# switchport port-security maximum 2
SW-A(config-if-range)# switchport port-security violation shutdown
SW-A(config-if-range)# switchport port-security mac-address sticky

SW-B(config)# interface range f0/1 - 22


SW-B(config-if-range)# switchport mode access
SW-B(config-if-range)# switchport port-security
SW-B(config-if-range)# switchport port-security maximum 2
SW-B(config-if-range)# switchport port-security violation shutdown
SW-B(config-if-range)# switchport port-security mac-address sticky

Verify port security.


a. On SW-A, issue the command show port-security interface f0/1 to verify that port
security has been configured.
SW-A# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

b. Ping from C1 to C2 and issue the command show port-security interface f0/1 again to
verify that the switch has learned the MAC address for C1.

Shut down the unused access ports:
SW-A(config)# interface range f0/5 - 22
SW-A(config-if-range)# shutdown

SW-B(config)# interface range f0/5 - 22
SW-B(config-if-range)# shutdown


!!!Script for Central
conf t
spanning-tree vlan 1 root primary
end

!!!Script for SW-1
conf t
spanning-tree vlan 1 root secondary
interface range f0/23 - 24
spanning-tree guard root
end

!!!Script for SW-2
conf t
interface range f0/23 - 24
spanning-tree guard root
end

!!!Script for SW-A
conf t
interface range f0/1 - 4
spanning-tree portfast
spanning-tree bpduguard enable
interface range f0/1 - 22
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
interface range f0/5 - 22
shutdown
end

!!!Script for SW-B
conf t
interface range f0/1 - 4
spanning-tree portfast
spanning-tree bpduguard enable
interface range f0/1 - 22
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
interface range f0/5 - 22
shutdown
end
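The following is an added example, not code from the lab manual. It models the port-security behaviour configured on SW-A and SW-B above (maximum 2, violation shutdown, sticky learning) and the fields of show port-security interface that the verification step inspects, and contrasts the shutdown mode with restrict and protect, which the lab mentions only implicitly through the Violation Mode field. The SecurePort class and the MAC addresses are constructed for the example.

```python
"""Port-security model (added example, not code from the lab manual).
Models 'switchport port-security maximum 2 / violation shutdown / mac-address sticky'
from Practical 8 and compares the three violation modes. Frames are constructed."""


class SecurePort:
    def __init__(self, name="f0/1", maximum=2, violation="shutdown"):
        self.name, self.maximum, self.violation = name, maximum, violation
        self.sticky_macs = []                  # learned addresses, written to running-config
        self.status = "Secure-up"
        self.violation_count = 0
        self.last_source = "0000.0000.0000"

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if the switch forwards it."""
        if self.status == "Secure-shutdown":
            return False                       # err-disabled: nothing passes
        self.last_source = src_mac
        if src_mac in self.sticky_macs:
            return True
        if len(self.sticky_macs) < self.maximum:
            self.sticky_macs.append(src_mac)   # sticky learning of a new address
            return True
        # An address beyond 'maximum' is a violation.
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"    # port err-disabled until shutdown / no shutdown
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1          # frame dropped, logged and counted; port stays up
        # 'protect': frame dropped silently, no counter, no log
        return False

    def recover(self):
        """Operator 'shutdown' / 'no shutdown' on an err-disabled port; sticky MACs are kept."""
        self.status = "Secure-up"

    def show(self) -> dict:
        """Subset of 'show port-security interface'."""
        return {"Port Security": "Enabled", "Port Status": self.status,
                "Violation Mode": self.violation.capitalize(),
                "Maximum MAC Addresses": self.maximum,
                "Sticky MAC Addresses": len(self.sticky_macs),
                "Last Source Address": self.last_source,
                "Security Violation Count": self.violation_count}

    def running_config(self) -> list:
        """Interface lines as they would appear after sticky learning."""
        lines = ["switchport mode access", "switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}",
                 "switchport port-security mac-address sticky"]
        return lines + [f"switchport port-security mac-address sticky {m}" for m in self.sticky_macs]


# Constructed MACs: C1 and C2 are the legitimate hosts; the third address is an
# extra device (an unmanaged switch or a VM) plugged into the same port.
FRAMES = ["0001.c1c1.c1c1", "0002.c2c2.c2c2", "0001.c1c1.c1c1", "00aa.bbbb.cccc", "0001.c1c1.c1c1"]


def simulate(violation="shutdown", frames=FRAMES):
    """Feed the frames through one port; return (forwarded flags, port)."""
    port = SecurePort(violation=violation)
    return [port.receive(mac) for mac in frames], port
```

With shutdown, the first foreign address err-disables the port and C1's later frames are lost too; with restrict or protect the port stays up and only the foreign frames are dropped. Port security counts addresses, it does not authenticate them: a device that spoofs C1's MAC is forwarded in every mode, so it limits MAC flooding and casual device swaps, not a deliberate attacker, for which 802.1X is the control.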
