Lab Asgn CN


LAB Assignment

Student Name: Akash Choudhary UID: 22BCS13892


Branch: BE - CSE Section/Group: FL_IOT_602-A
Semester: 5 Date of Performance: 18/10/24
Subject Name: Computer Networks Subject Code: 22CSH– 312

Problem 1: Configure Port Security


Configure port security on interface Fa 0/2 of the switch with the following settings:
a. Port security enabled
b. Mode: shutdown
c. Allowed MAC addresses: 3
d. Dynamic MAC address learning.
Configuration
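enable
configure terminal
interface FastEthernet 0/2
! Port security is rejected on a dynamic port, so set access mode first
switchport mode access
switchport port-security
! On violation, err-disable (shut down) the port
switchport port-security violation shutdown
! Allow at most 3 MAC addresses on the port
switchport port-security maximum 3
! Learn addresses dynamically and keep them in the running configuration
switchport port-security mac-address sticky
! Return to privileged EXEC so the configuration can be saved
end
write memory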
Result
Switch#show port-security interface FastEthernet0/2
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Problem 2: Configure ASA Firewall
Configure the ASA firewall to allow HTTP traffic from the inside laptop to the HTTP server while denying
all outside to inside communications.

Step-by-Step Commands
1. Enter Privileged Mode:
   ciscoasa> en
   Password:
2. Enter Global Configuration Mode:
   ciscoasa# conf t
3. Configure the Inside Interface (GigabitEthernet1/1):
   ciscoasa(config)# int gig1/1
   ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
   ciscoasa(config-if)# nameif INSIDE
   INFO: Security level for "INSIDE" set to 0 by default.
   ciscoasa(config-if)# security-level 100
   ciscoasa(config-if)# exit
4. Configure DHCP Settings:
   a. Configure DHCP address pool:
      ciscoasa(config)# dhcpd address 192.168.1.10-192.168.1.100 INSIDE
   b. Configure DNS server for DHCP clients:
      ciscoasa(config)# dhcpd dns 192.168.1.1
   c. Enable DHCP on the inside interface:
      ciscoasa(config)# dhcpd enable INSIDE
5. Save Configuration to Memory:
   ciscoasa(config)# write memory
6. Bring the Interface Up (No Shutdown):
   ciscoasa(config)# int gig1/1
   ciscoasa(config-if)# no shut
   ciscoasa(config-if)# exit
7. Save Configuration Again (Optional):
   ciscoasa(config)# wr m
OUTPUT
Problem 5: Design a network in Cisco Packet Tracer that connects the ACCOUNTS and DELIVERY
departments through the following:
• Each department should contain at least two PCs.
• Appropriate number of switches and routers should be used in the network.
• Using the given network 192.168.40.0, all interfaces should be configured with correct IP addresses,
subnet mask and gateways.
• All devices in the network should be connected using appropriate cables.
• Test communication between devices in both ACCOUNTS and DELIVERY departments.

Configure IP addresses

The network 192.168.40.0/24 allows for 254 usable IP addresses. We'll assign IP addresses to PCs and
routers in both departments.

● Subnet Mask: 255.255.255.0

ACCOUNTS Department (Subnet: 192.168.40.0/28)

● PC1_ACC: 192.168.40.2
● PC2_ACC: 192.168.40.3
● Default gateway: 192.168.40.1 (Router interface for ACCOUNTS)[GigabitEthernet0/0]

DELIVERY Department (Subnet: 192.168.40.16/28)

● PC1_DEL: 192.168.40.18
● PC2_DEL: 192.168.40.19
● Default gateway: 192.168.40.17 (Router interface for DELIVERY)[GigabitEthernet0/1]

Router Interfaces

● Interface for ACCOUNTS: 192.168.40.1


● Interface for DELIVERY: 192.168.40.17
Fig. PC2_ACC pinging PC1_DEL

Problem 6: Design and Implementation of a Small Office Home Office Network

Fig. PC7 pinging Printer0

This network consists of two PCs connected to a switch, two printers connected to another switch, and both
switches connected via a router.
Problem 3
Configure CBAC traffic inspection on the ISR 2911 "Router1" connecting the branch office to the Internet. An
inbound DENY ANY ANY access list is configured on the Gi0/2 interface of the router to deny all incoming
flows from the Internet. Despite this access list, the branch office laptops have to be able to access the
46.20.150.2 web server.
1. Activate the security license on the ISR 2911 router.
2. Configure DHCP for the 192.168.1.0/24 LAN network. The gateway is 192.168.1.1 on Router 1. The
first 8 IP addresses are reserved for network use and must not be handed out to LAN clients.
3. Configure NAT on Router 1 to allow branch laptops to access the Internet. Use the first standard
access list to configure the source network and the Gi0/2 interface for outgoing traffic to the
Internet.
4. Configure a named access list to deny all the inbound traffic from the Internet and apply it on the
Internet-facing network interface. The access list will be named DENY_ANY.
5. Configure CBAC to allow outbound HTTP traffic.
6. Verify the CBAC configuration by accessing http://46.20.150.2 from a laptop's web browser. The CBAC
inspection policy will be named ALLOWED_TRAFIC.

Step-by-Step Configuration
Activate Security License on ISR 2911

1. Connect to the ISR 2911 router via console or SSH.


2. Check the current license status using the command:
a. show version
Fig show version

3. To activate the security license, enter the following command in global configuration mode:

license boot module c2900 technology-package securityk9


Fig Router2 config

Fig Context Based Access Control - CBAC


Configurations in the above figure follow the same principles as that of the previous question.
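
The router configuration for steps 2 to 6 of Problem 3 survives on this page only as figures. The following is an added example, not the original lab's configuration, of how those steps are commonly written on IOS. The LAN interface (GigabitEthernet0/0), the pool name BRANCH_LAN and the use of PAT overload are assumptions.

```cisco
! Added example. Assumed: LAN on GigabitEthernet0/0, pool name BRANCH_LAN.
!
! Step 2: DHCP for 192.168.1.0/24, first 8 addresses kept out of the pool
ip dhcp excluded-address 192.168.1.1 192.168.1.8
ip dhcp pool BRANCH_LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
! Step 3: NAT, source network in standard access list 1,
! translated to the Gi0/2 address (PAT overload is an assumption)
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/2 overload
!
! Step 4: named ACL that drops every flow arriving from the Internet
ip access-list extended DENY_ANY
 deny ip any any
!
! Step 5: CBAC policy that inspects outbound HTTP sessions
ip inspect name ALLOWED_TRAFIC http
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/2
 ip nat outside
 ! Inbound filter: nothing unsolicited gets in
 ip access-group DENY_ANY in
 ! Outbound inspection: CBAC opens temporary return entries in
 ! DENY_ANY for HTTP sessions started from the LAN
 ip inspect ALLOWED_TRAFIC out
!
! Step 6: after browsing to 46.20.150.2 from a laptop, check with
!   show ip inspect sessions
!   show ip nat translations
!   show access-lists DENY_ANY
```

Only HTTP is inspected, so any other protocol started from the LAN leaves the router but its replies are still dropped by DENY_ANY; that is the expected result for this exercise.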
