CCNA

Uploaded by

Dorra Ben arbi

------------------------------chap4------------------------------------------------

service password-encryption
security passwords min-length 10
username ADMIN algorithm-type scrypt secret cisco54321
exec-timeout 3 0
login local
-/- ACL -/-
ip access-list standard PERMIT-ADMIN
permit 192.168.10.10
-/- login -/-
login block-for 15 attempts 5 within 60
login quiet-mode access-class PERMIT-ADMIN
login delay 10
login on-success log
login on-failure log
show login

-/- SSH -/-

ip domain-name span.com
crypto key generate rsa general-keys modulus 1024
transport input ssh
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 60
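An audit script for the chapter 4 hardening baseline listed above, added here as an example (it is not part of the original notes): it splits a running-config into global lines and the `line vty` body, then reports every listed setting that is missing or weaker than the notes require. The sample config and the finding names are constructed for the example.

```python
import re

# Constructed sample running-config: part of the baseline is present, the rest deviates.
SAMPLE_CONFIG = """\
service password-encryption
security passwords min-length 8
ip ssh version 1
login block-for 15 attempts 5 within 60
line vty 0 4
 exec-timeout 3 0
 transport input ssh telnet
"""

# (finding, regex the config line must match, optional predicate on the match object)
GLOBAL_CHECKS = [
    ("service password-encryption missing", r"^service password-encryption$", None),
    ("password min-length below 10", r"^security passwords min-length (\d+)$", lambda m: int(m[1]) >= 10),
    ("SSH version not 2", r"^ip ssh version (\d)$", lambda m: m[1] == "2"),
    ("login block-for not set", r"^login block-for \d+ attempts \d+ within \d+$", None),
    ("successful logins not logged", r"^login on-success log$", None),
]
VTY_CHECKS = [
    ("vty transport input not ssh-only", r"^transport input (.+)$", lambda m: m[1].strip() == "ssh"),
    ("vty exec-timeout disabled", r"^exec-timeout (\d+) (\d+)$", lambda m: (m[1], m[2]) != ("0", "0")),
]

def parse_config(text):
    """Split a config into global lines and the indented body of 'line vty' blocks."""
    global_lines, vty_lines, in_vty = [], [], False
    for raw in text.splitlines():
        if raw.startswith("line vty"):
            in_vty = True
        elif raw.startswith(" ") and in_vty:   # indented line inside the vty block
            vty_lines.append(raw.strip())
        elif not raw.startswith(" "):          # unindented: back at global level
            in_vty = False
            global_lines.append(raw.strip())
    return global_lines, vty_lines

def run_checks(lines, checks):
    """Return findings whose required line is absent or whose predicate fails."""
    findings = []
    for finding, pattern, ok in checks:
        hits = [m for m in (re.match(pattern, l) for l in lines) if m]
        if not hits or (ok and not ok(hits[0])):
            findings.append(finding)
    return findings

def audit(text):
    """Audit one config text; returns the list of baseline deviations found."""
    global_lines, vty_lines = parse_config(text)
    return run_checks(global_lines, GLOBAL_CHECKS) + run_checks(vty_lines, VTY_CHECKS)
```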
---------------------------------chap5---------------------------------------------
-/- Privilege -/-
privilege exec level 5 ping
enable algorithm-type scrypt secret level 5 cisco5
username Support privilege 5 algorithm-type scrypt secret cisco5
-/- View & Superview -/-
aaa new-model
parser view SHOWVIEW
secret cisco
commands exec include show
parser view USER superview
secret cisco1
view SHOWVIEW
----------------------------------timestamp service----------------------------------------------
service timestamps log datetime msec
---------------------------------NTP------------------------------------------------
show clock detail
ntp server 209.165.200.225
---------------------------------syslog----------------------------------------------
logging 10.0.1.254
--------------------------------------Configure Local AAA-----------------------------------
aaa authentication login default local
--------------------------------chap6-----------------------------------------------
-/- AutoSecure -/-
auto secure
-/- OSPF SHA -/-
router ospf 1
area 0 authentication message-digest
---------M1-------------
interface g0/0/0
ip ospf message-digest-key 1 md5 MD5pa5
--------M2--------------
key chain SHA256
key 1
key-string ospfSHA256
cryptographic-algorithm hmac-sha-256
interface S0/0/0
key-chain SHA256
ip ospf authentication key-chain SHA256
-/- SNMP -/-
snmp-server view SNMP-RO iso included
snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
snmp-server user BOB ADMIN v3 auth sha cisco12345 priv aes 128 cisco54321
------------------------------chap 7----------------------------------------------
Configure Server-Based AAA Authentication
login authentication default
-/- TACACS+ -/-
aaa new-model
tacacs server SERVER-T
address ipv4 192.168.1.100
single-connection
key TACACS-Pa55w0rd
aaa authentication login default group tacacs+ group radius local

-/- RADIUS -/-

! the original notes omit the "radius server" line that opens this submode; SERVER-R is a placeholder name
radius server SERVER-R
address ipv4 192.168.1.101 auth-port 1812 acct-port 1813
key RADIUS-Pa55w0rd
aaa authentication login default group radius local

-/- Configure AAA Accounting -/-

aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
------------------------------chap 8----------------------------------------------
no 10
10 deny host 192.168.10.10
ip access-list standard File_Server_Restrictions
permit host 192.168.20.4
permit 192.168.100.100 0.0.0.0
deny any
interface FastEthernet0/1
ip access-group File_Server_Restrictions out
show access-lists

deny tcp host 172.31.1.101 host 64.101.255.254 eq 80
deny tcp host 172.31.1.101 host 64.101.255.254 eq 443
deny tcp host 172.31.1.102 host 64.101.255.254 eq 21
deny icmp host 172.31.1.103 host 64.101.255.254
permit ip any any

access-class 10 in

ipv6 access-list BLOCK_HTTP

permit ipv6 any any
ipv6 traffic-filter BLOCK_HTTP in
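A small evaluator for the standard ACLs in chapter 4 and chapter 8 above, added here as an example (not part of the original notes). It applies IOS wildcard-mask matching, first-match-wins order and the implicit deny at the end of every ACL, and flags entries that an earlier, less specific entry makes unreachable; that is the property the `no 10` / `10 deny host ...` resequencing in the notes relies on. `FILE_SERVER_RESTRICTIONS` is copied from the notes; the other inputs are constructed.

```python
import ipaddress

# The named standard ACL from the chapter 8 notes above, exactly as written there.
FILE_SERVER_RESTRICTIONS = [
    "permit host 192.168.20.4",
    "permit 192.168.100.100 0.0.0.0",
    "deny any",
]

def parse_ace(line):
    """Parse one standard ACE into (action, address, wildcard) as 32-bit ints.
    Handles 'host A', 'A WILDCARD', bare 'A' (IOS treats it as a host entry,
    as in 'permit 192.168.10.10' in PERMIT-ADMIN above) and 'any'."""
    action, target, *rest = line.split()
    if target == "any":                       # all-ones wildcard: every bit is don't-care
        return action, 0, 0xFFFFFFFF
    if target == "host":
        target, rest = rest[0], []
    wildcard = rest[0] if rest else "0.0.0.0"
    return action, int(ipaddress.IPv4Address(target)), int(ipaddress.IPv4Address(wildcard))

def care_bits(wildcard):
    """A wildcard bit of 1 means 'ignore this bit'; the 0 bits are the ones compared."""
    return ~wildcard & 0xFFFFFFFF

def evaluate(acl, src):
    """First matching ACE wins; with no match, IOS's implicit 'deny any' applies."""
    src_int = int(ipaddress.IPv4Address(src))
    for line in acl:
        action, addr, wildcard = parse_ace(line)
        care = care_bits(wildcard)
        if (src_int & care) == (addr & care):
            return action
    return "deny"

def shadowed_entries(acl):
    """ACEs that can never match because an earlier, equally or less specific ACE
    already covers every address they would. Returned as (index, line) pairs."""
    parsed = [parse_ace(l) for l in acl]
    found = []
    for j, (_, addr_j, wc_j) in enumerate(parsed):
        for _, addr_i, wc_i in parsed[:j]:
            care_i = care_bits(wc_i)
            # i compares no bit that j ignores, and both agree on every bit i compares
            if care_i & wc_j == 0 and (addr_i & care_i) == (addr_j & care_i):
                found.append((j, acl[j]))
                break
    return found
```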
------------------------------chap 10----------------------------------------------
-/- ZPF -/-
zone security PRIVATE
zone security PUBLIC
class-map type inspect match-any HTTP-TRAFFIC

/M1/
match protocol http
match protocol https
match protocol dns

/M2/
match access-group 101

policy-map type inspect PRIV-TO-PUB-POLICY

class type inspect HTTP-TRAFFIC
inspect
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
service-policy type inspect PRIV-TO-PUB-POLICY

interface g0/0
zone-member security PRIVATE
interface s0/0/0
zone-member security PUBLIC
------------------------------chap 11----------------------------------------------
monitor session 1 source interface fastethernet 0/1
monitor session 1 destination interface fastethernet 0/2
show monitor
------------------------------chap 13----------------------------------------------
Configure 802.1x Port-Authentication
aaa authentication dot1x default group radius
dot1x system-auth-control
interface F0/1
switchport mode access
authentication port-control auto
dot1x pae authenticator
------------------------------chap 14----------------------------------------------
Implement Port Security
interface fa0/5
switchport mode access
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address aaaa.bbbb.1234
switchport port-security mac-address sticky
show port-security
show port-security interface fa0/5

/Mitigate VLAN Hopping Attacks/

interface range fa0/1 - 4
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan 99

interface range fa0/5 - 10
switchport mode access
switchport access vlan 86
shutdown

interface range fa0/11 - 24
switchport mode access
/Mitigate DHCP Attacks/
ip dhcp snooping

interface range g0/1 - 2
ip dhcp snooping trust

interface range f0/1 - 24
ip dhcp snooping limit rate 10
ip dhcp snooping vlan 10,20,30-49

show ip dhcp snooping

/Mitigate ARP Attacks/

interface range g0/1 - 2
ip arp inspection trust

ip arp inspection vlan 10,20,30-49

/Configure IP Source Guard/

interface range F0/1 - 2
ip verify source
do show ip verify source

/Configure and Verify the Root Bridge/

s3: spanning-tree vlan 1 priority 24576
s2: spanning-tree vlan 1 root secondary
s1: spanning-tree vlan 1 root primary
show spanning-tree

/Mitigate STP Attacks/

interface range f0/1 - 4
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree loopguard default
show spanning-tree summary

------------------------------chap 19----------------------------------------------
Configuring a Pre-Shared Key
crypto isakmp policy 1
hash sha
authentication pre-share
group 24
lifetime 3600
encryption aes 256
crypto isakmp key cisco12345 address 172.30.2.1
do show crypto isakmp policy

Configure IPsec Transform Set

access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac

Configure, Apply, and Verify the Crypto Map

crypto map R1-R2_MAP 10 ipsec-isakmp
match address 102
set transform-set R1-R2
set peer 172.30.2.1
set pfs group24
set security-association lifetime seconds 900

interface s0/0/0
crypto map R1-R2_MAP
do show crypto map

class-map type inspect match-any

match access-group 100
policy-map type inspect
class type inspect (esm)
inspect
