Ccna security Chapter 2 Lab A: Securing the Router for Administrative Access Instructor Version Topology ip addressing Table



Download 392.14 Kb.
Page1/10
Date29.01.2017
Size392.14 Kb.
#12094
  1   2   3   4   5   6   7   8   9   10




CCNA Security

Chapter 2 Lab A: Securing the Router for Administrative Access Instructor Version



Topology


IP Addressing Table


Device


Interface

IP Address

Subnet Mask

Default Gateway


Switch Port

R1

FA0/1

192.168.1.1

255.255.255.0

N/A

S1 FA0/5




S0/0/0 (DCE)

10.1.1.1

255.255.255.252

N/A

N/A

R2

S0/0/0

10.1.1.2

255.255.255.252

N/A

N/A




S0/0/1 (DCE)

10.2.2.2

255.255.255.252

N/A

N/A

R3

FA0/1

192.168.3.1

255.255.255.0

N/A

S3 FA0/5




S0/0/1

10.2.2.1

255.255.255.252

N/A

N/A

PC-A

NIC

192.168.1.3

255.255.255.0

192.168.1.1

S1 FA0/6

PC-C

NIC

192.168.3.3

255.255.255.0

192.168.3.1

S3 FA0/18

Objectives

Part 1: Basic Network Device Configuration



  • Cable the network as shown in the topology.

  • Configure basic IP addressing for routers and PCs.

  • Configure static routing, including default routes.

  • Verify connectivity between hosts and routers.



Part 2: Control Administrative Access for Routers

  • Configure and encrypt all passwords.

  • Configure a login warning banner.

  • Configure enhanced username password security.

  • Configure enhanced virtual login security.

  • Configure an SSH server on a router.

  • Configure an SSH client and verify connectivity.



Part 3: Configure Administrative Roles

  • Create multiple role views and grant varying privileges.

  • Verify and contrast views.



Part 4: Configure Cisco IOS Resilience and Management Reporting

  • Secure the Cisco IOS image and configuration files.

  • Configure a router as a synchronized time source for other devices using NTP.

  • Configure Syslog support on a router.

  • Install a Syslog server on a PC and enable it.

  • Configure trap reporting on a router using SNMP.

  • Make changes to the router and monitor syslog results on the PC.



Part 5: Configure Automated Security Features

  • Lock down a router using AutoSecure and verify the configuration.

  • Use the SDM Security Audit tool to identify vulnerabilities and lock down services.

  • Contrast the AutoSecure configuration with SDM.

Background/Scenario

The router is a key component that controls the movement of data into and out of the network and between devices within the network. It is particularly important to protect the network routers because the failure of one of these devices due to malicious activity could make sections of the network or the entire network inaccessible. Controlling access to routers and enabling reporting on routers are critical to network security and should be part of a comprehensive security policy.

In this lab, you build a multi-router network and configure the routers and hosts. You use various CLI and SDM tools to secure local and remote access to the routers, analyze potential vulnerabilities, and take steps to mitigate them. You also enable management reporting to monitor router configuration changes.

The router commands and output in this lab are from Cisco 1841s using Cisco IOS software, release 12.4(20)T (advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the model of the router, the commands available and output produced may vary from what is shown in this lab.



Note: Make sure that the routers and the switches have been erased and have no startup configurations.
Instructor Note: Instructions for erasing switches and routers are provided in the Lab Manual, located on Academy Connection in the Tools section.

Required Resources

  • 3 routers with SDM 2.5 installed (Cisco 1841 with Cisco IOS software, release 12.4(20)T1 or comparable)

  • 2 switches (Cisco 2960 or comparable)

  • PC-A: Windows XP, Vista, or Windows Server with PuTTy SSH Client (no ACS required for this lab)

  • PC-C: Windows XP or Vista with PuTTy SSH Client and Kiwi or Tftpd32 Syslog server

  • Serial and Ethernet cables as shown in the topology

  • Rollover cables to configure the routers via the console port

Instructor Note:

This lab is divided into five parts. Each part can be administered individually or in combination with others as time permits. The main goal is to configure various Cisco IOS and SDM security features on routers R1 and R3. R1 and R3 are on separate networks and communicate through R2, which simulates a connection to an ISP. Students can work in teams of two for router security configuration, one student configuring R1 and the other student configuring R3.


Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3.
The basic running configs for all three routers are captured after Parts 1 and 2 of the lab are completed. The running config commands that are added in Parts 3 and 4 are captured and listed separately. The running configs generated by AutoSecure for R3 and SDM Security Audit for R1 in Part 5 of the lab are listed separately. All configs are found at the end of the lab.

Part 1: Basic Router Configuration


In Part 1 of this lab, you set up the network topology and configure basic settings such as interface IP addresses and static routing.

Step 1: Cable the network.

Attach the devices shown in the topology diagram and cable as necessary.



Step 2: Configure basic settings for each router.

  1. Configure host names as shown in the topology.

  2. Configure interface IP addresses as shown in the IP Addressing Table.

  3. Configure a clock rate for routers with a DCE serial cable attached to their serial interface. Router R1 is shown here as an example.

R1(config)#interface S0/0/0

R1(config-if)#clock rate 64000



  1. To prevent the router from attempting to translate incorrectly entered commands as though they were host names, disable DNS lookup. Router R1 is shown here as an example.

R1(config)#no ip domain-lookup

Step 3: Configure static routing on the routers.

  1. Configure a static default route from R1 to R2 and from R3 to R2.

  2. Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.

Step 4: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C as shown in the IP Addressing Table.



Step 5: Verify connectivity between PC-A and R3.

  1. Ping from R1 to R3.

Were the ping results successful? Yes.

If the pings are not successful, troubleshoot the basic device configurations before continuing.



  1. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.

Were the ping results successful? Yes.

If the pings are not successful, troubleshoot the basic device configurations before continuing.



    Note: If you can ping from PC-A to PC-C you have demonstrated that static routing is configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses are correct, use the show run and show ip route commands to help identify routing protocol related problems.

Step 6: Save the basic running configuration for each router.

Use the Transfer > Capture text option in HyperTerminal or some other method to capture the running configs for each router. Save the three files so that they can be used to restore configs later in the lab.




Part 2: Control Administrative Access for Routers


In Part 2 of this lab, you will:

  • Configure and encrypt passwords.

  • Configure a login warning banner.

  • Configure enhanced username password security.

  • Configure enhanced virtual login security.

  • Configure an SSH server on router R1 using the CLI.

  • Research terminal emulation client software and configure the SSH client.

Note: Perform all tasks, on both R1 and R3. The procedures and output for R1 are shown here.


Download 392.14 Kb.

Share with your friends:
  1   2   3   4   5   6   7   8   9   10




The database is protected by copyright ©ininet.org 2024
send message

    Main page