Lab 9 - RSS100 - Securing Layer 2 Switches
IP Addressing Table
Objectives
Part 1: Configure Basic Switch Settings
Build the topology.
Configure the hostname, IP address, and access passwords.
Part 2: Configure SSH Access to the Switches
Configure SSH version 2 access on the switch.
Configure an SSH client to access the switch.
Verify the configuration.
Part 3: Configure Secure Trunks and Access Ports
Configure trunk port mode.
Change the native VLAN for trunk ports.
Verify trunk configuration.
Enable storm control for broadcasts.
Configure access ports.
Enable PortFast and BPDU guard.
Verify BPDU guard.
Enable root guard.
Enable loop guard.
Configure and verify port security.
Disable unused ports.
Move ports from default VLAN 1 to alternate VLAN.
Configure the PVLAN Edge feature on a port.
Part 4: Configure IP DHCP Snooping
Configure DHCP on R1.
Configure Inter-VLAN communication on R1.
Configure S1 interface F0/5 as a trunk.
Verify DHCP operation on PC-A and PC-B.
Enable DHCP Snooping.
Verify DHCP Snooping.
Background / Scenario
The Layer 2 infrastructure consists mainly of interconnected Ethernet switches. Most end-user devices, such
as computers, printers, IP phones, and other hosts, connect to the network via Layer 2 access switches. As a
result, switches can present a network security risk. Similar to routers, switches are subject to attack from
malicious internal users. The switch Cisco IOS software provides many security features that are specific to
switch functions and protocols.
In this lab, you will configure SSH access and Layer 2 security for S1 and S2. You will also configure various
switch protection measures, including access port security and Spanning Tree Protocol (STP) features, such
as BPDU guard and root guard.
Note: The router commands and output in this lab are from a Cisco 1941 router using Cisco IOS software,
release 15.4(3)M2 (with a Security Technology Package license). The switch commands and output are from
Cisco WS-C2960-24TT-L switches with Cisco IOS Release 15.0(2)SE4 (C2960-LANBASEK9-M image).
Other routers, switches, and Cisco IOS versions can be used. See the Router Interface Summary Table at the
end of the lab to determine which interface identifiers to use based on the equipment in the lab. The
commands available to the user and the output produced may vary depending on which router, switch, and
Cisco IOS version is used.
Note: Make sure that the routers and switches have been erased and have no startup configurations.
Required Resources
1 Router (Cisco 1941 with Cisco IOS Release 15.4(3)M2 image with a Security Technology Package license)
2 Switches (Cisco 2960 with cryptography IOS image for SSH support – Release 15.0(2)SE7 or comparable)
2 PCs (Windows 7 or Windows 8 with SSH client software)
Ethernet cables as shown in the topology
Console cables to configure Cisco networking devices
Step 2: Configure basic settings for the router and each switch.
Perform all tasks on R1, S1, and S2. The procedure for S1 is shown here as an example.
a. Configure hostnames, as shown in the topology.
b. Configure interface IP addresses, as shown in the IP Addressing Table. The following configuration
displays the VLAN 1 management interface on S1:
S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown
c. Prevent the router or switch from attempting to translate incorrectly entered commands by disabling DNS
lookup. S1 is shown here as an example.
S1(config)# no ip domain-lookup
d. HTTP access to the switch is enabled by default. Prevent HTTP access by disabling the HTTP server and
HTTP secure server.
S1(config)# no ip http server
S1(config)# no ip http secure-server
Note: The switch must have a cryptography IOS image to support the ip http secure-server command.
HTTP access to the router is disabled by default.
e. Configure the enable secret password.
S1(config)# enable algorithm-type scrypt secret cisco12345
f. Configure console password.
S1(config)# line console 0
S1(config-line)# password ciscoconpass
S1(config-line)# exec-timeout 5 0
S1(config-line)# login
S1(config-line)# logging synchronous
Step 5: Save the basic configurations for the router and both switches.
Save the running configuration to the startup configuration from the privileged EXEC mode prompt.
S1# copy running-config startup-config
Step 2: Configure a privileged user for login from the SSH client.
Use the username command to create the user ID with the highest possible privilege level and a secret
password.
S1(config)# username admin privilege 15 algorithm-type scrypt secret cisco12345
Step 3: Generate the RSA encryption key pair for the router.
The switch uses the RSA key pair for authentication and encryption of transmitted SSH data.
Configure the RSA keys with 1024 modulus bits. The default number of modulus bits is 512, and the range is
from 360 to 2,048.
S1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: S1.ccnasecurity.com
S1(config)#
00:15:36: %SSH-5-ENABLED: SSH 1.99 has been enabled
Step 4: Configure SSH version 2.
S1(config)# ip ssh version 2
Step 1: (Optional) Download and install an SSH client on PC-A and PC-B.
If the SSH client is not already installed, download PuTTY from the following link:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Note: The procedure described here is for PuTTY and pertains to PC-A.
Step 2: Verify SSH connectivity to S1 from PC-A.
a. Launch PuTTY by double-clicking the putty.exe icon (and clicking Run if prompted).
b. Input the S1 IP address 192.168.1.2 in the Host Name (or IP address) field.
c. Verify that the SSH radio button is selected. PuTTY defaults to SSH version 2.
d. Click Open.
Note: Upon first connection, the user is prompted with a PuTTY Security Alert stating that the server’s
host key is not cached in the registry.
e. In the PuTTY Security Alert window, click Yes to cache the server’s host key.
f. In the PuTTY window, enter admin as the username and cisco12345 as the password.
g. At the S1 privileged EXEC mode prompt, enter the show users command.
S1# show users
Which users are connected to S1 at this time?
____________________________________________________________________________________
____________________________________________________________________________________
You should see at least two users, one for your console connection and another for the SSH interface.
    Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:03:15
*      1 vty 0     admin      idle                 00:00:33 192.168.1.10
h. Close the PuTTY SSH session window with the exit or quit command.
Try to open a Telnet session to S1 from PC-A. Were you able to open the Telnet session? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
No, the Telnet session fails because only SSH is enabled as input for the vty lines.
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     001d.4635.0c80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
<output omitted>
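The show interfaces switchport output above is what you verify trunk hardening against: Negotiation of Trunking should be Off, the native VLAN should not be 1 and should exist on the switch (the lab output reports VLAN 99 as Inactive because it has not been created yet), and the allowed VLAN list should be limited. The following Python script is an added example, not part of the lab: it parses output in this format and reports which of those conditions each trunk fails. The sample text is constructed from the Fa0/1 block shown above plus a second, deliberately weaker Fa0/2 block for contrast.

```python
"""Check 'show interfaces switchport' output for trunk hardening gaps."""
import re

# Constructed sample: Fa0/1 mirrors the lab output above; Fa0/2 is an invented
# block showing a trunk that was formed by DTP negotiation with default settings.
SHOW_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Inactive)
Administrative Native VLAN tagging: enabled
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
"""

# "99 (Inactive)" -> VLAN id 99, status word "Inactive"; "1 (default)" -> 1, "default"
NATIVE_VLAN = re.compile(r"^(\d+)(?:\s+\((\w+)\))?")


def parse_switchports(text):
    """Return {port_name: {field: value}} from key: value lines grouped by 'Name:'."""
    ports, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][key] = value
    return ports


def check_trunk(name, fields):
    """Findings for one port; access ports (not operationally trunking) get none here."""
    findings = []
    if fields.get("Operational Mode") != "trunk":
        return findings
    if fields.get("Negotiation of Trunking") != "Off":
        findings.append(f"{name}: DTP negotiation is on (switchport nonegotiate missing)")
    if fields.get("Administrative Mode") != "trunk":
        findings.append(f"{name}: trunk formed by negotiation, not statically configured")
    match = NATIVE_VLAN.match(fields.get("Trunking Native Mode VLAN", ""))
    vlan_id = int(match.group(1)) if match else None
    status = match.group(2) if match else None
    if vlan_id is None or vlan_id == 1:
        findings.append(f"{name}: native VLAN is still 1")
    elif status == "Inactive":
        findings.append(f"{name}: native VLAN {vlan_id} is Inactive (not created on this switch)")
    if fields.get("Trunking VLANs Enabled") == "ALL":
        findings.append(f"{name}: all VLANs allowed on the trunk; restrict to the VLANs in use")
    return findings


def audit_trunks(text):
    """Map each port name to its list of findings (empty list = nothing flagged)."""
    return {name: check_trunk(name, fields) for name, fields in parse_switchports(text).items()}


if __name__ == "__main__":
    for port, findings in audit_trunks(SHOW_SWITCHPORT).items():
        print(port, findings or "OK")
```

Run against the lab output, Fa0/1 is flagged only for the Inactive native VLAN and the unrestricted VLAN list; creating VLAN 99 on the switch clears the first, and the second is a judgement call the lab leaves to you.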
Task 2: Secure Access Ports
Network attackers hope to spoof their system, or a rogue switch that they add to the network, as the root
bridge in the topology by manipulating the STP root bridge parameters. If a port that is configured with
PortFast receives a BPDU, STP can put the port into the blocking state by using a feature called BPDU
guard.
Note: The S2 Gi0/1 port is not currently up, so it is not participating in STP. Otherwise, you could use the
show spanning-tree interface Gi0/1 detail command.
Note: The expression in the command show run | begin is case-sensitive.
c. If a port that is enabled with BPDU guard receives a superior BPDU, it enters a root-inconsistent state.
Use the show spanning-tree inconsistentports command to determine if there are any ports currently
receiving superior BPDUs that should not be.
S2# show spanning-tree inconsistentports
Note: Root guard allows a connected switch to participate in STP as long as the device does not try to
become the root. If root guard blocks the port, subsequent recovery is automatic. The port returns to the
forwarding state if the superior BPDUs stop.
f. On the switch, use the show port-security commands to verify that port security has been violated.
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
g. Remove the hard-coded MAC address from the router and re-enable the Fast Ethernet 0/1 interface.
R1(config)# interface g0/1
R1(config-if)# no mac-address aaaa.bbbb.cccc
Note: This will restore the original FastEthernet interface MAC address.
From R1, try to ping the PC-A again at 192.168.1.10. Was the ping successful? Why or why not?
____________________________________________________________________________________
____________________________________________________________________________________
No, the S1 F0/5 port is still in an err-disabled state.
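The show port-security table and the err-disabled result above are the signals an operator looks for after a violation: a non-zero SecurityViolation count on a port whose action is Shutdown means the port stays down until it is bounced with shutdown / no shutdown (or errdisable recovery is configured). The Python below is an added example, not part of the lab: it parses output in the format shown above and lists the ports in violation, the ones that need manual recovery, and the ones already holding their maximum of secure addresses. The sample text is constructed; the Fa0/5 row matches the lab output and the other rows are added so the filters have ports to skip.

```python
"""Parse 'show port-security' output and flag ports needing attention."""
import re

# Constructed sample in the layout of the lab's 'show port-security' output.
# Fa0/5 is the lab's row; Fa0/6 and Fa0/7 are invented non-violating ports.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  1         Shutdown
      Fa0/6              1            1                  0         Shutdown
      Fa0/7              2            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# One data row: port name, three integer counters, then the configured violation action.
# Header, separator and 'Total ...' lines do not match this shape and are skipped.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")


def parse_port_security(text):
    """Return one dict per secured port with integer counters."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue
        port, max_addr, cur_addr, violations, action = match.groups()
        rows.append({"port": port, "max": int(max_addr), "current": int(cur_addr),
                     "violations": int(violations), "action": action})
    return rows


def ports_with_violations(rows):
    """Any port that has recorded at least one violation, regardless of action."""
    return [r["port"] for r in rows if r["violations"] > 0]


def ports_needing_recovery(rows):
    """Violation plus Shutdown action: the port is err-disabled and will not come back
    on its own unless errdisable recovery has been configured."""
    return [r["port"] for r in rows if r["violations"] > 0 and r["action"] == "Shutdown"]


def ports_at_capacity(rows):
    """Ports already holding their maximum secure MACs: the next new address is a violation."""
    return [r["port"] for r in rows if r["current"] >= r["max"]]


if __name__ == "__main__":
    rows = parse_port_security(SHOW_PORT_SECURITY)
    print("violations:", ports_with_violations(rows))
    print("need shutdown / no shutdown:", ports_needing_recovery(rows))
    print("at capacity:", ports_at_capacity(rows))
```

The ports_at_capacity check is worth running before a violation happens: with a maximum of one secure address, swapping the PC on that port for any other device will trip the action.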
S2(config)# vlan 20
S2(config-vlan)# name Users
b. Add the current active access (non-trunk) ports to the new VLAN.
S1(config)# interface f0/6
S1(config-if)# switchport access vlan 20
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
c. Deactivate protected port on interfaces Fa0/6 and Fa0/7 using the following commands:
S1(config)# interface range f0/6 - 7
S1(config-if-range)# no switchport protected
Step 4: Identify the trusted interface(s). DHCP responses are only permitted through trusted ports.
S1(config)# interface f0/5
S1(config-if)# description connects to DHCP server
S1(config-if)# ip dhcp snooping trust
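Parts 2 and 4 leave a small set of facts in the running-config that can be checked mechanically: vty lines restricted to SSH with login local and an exec-timeout, SSH version 2 forced, the HTTP servers disabled, DHCP snooping enabled, and ip dhcp snooping trust present only on the uplink to the DHCP server (F0/5 here), never on a host-facing access port. The Python below is an added example, not part of the lab: it splits an IOS running-config into global lines and interface/line blocks and reports deviations from those settings, including access ports left in the default VLAN 1. The sample config is constructed; it borrows lines from the S1 running-config shown in this lab, and the ip dhcp snooping global commands and the access-port stanzas are assumed standard IOS syntax added for the demonstration.

```python
"""Audit a Cisco IOS running-config for the SSH-only management (Part 2) and
DHCP snooping trust (Part 4) settings configured in this lab."""
import re

# Constructed sample, not a capture from the lab devices. The management-plane
# lines mirror the S1 config in the lab; the DHCP snooping globals and the
# FastEthernet0/6-0/8 stanzas are assumed standard IOS syntax added here.
SAMPLE_CONFIG = """\
hostname S1
!
ip dhcp snooping vlan 1,20
ip dhcp snooping
!
ip ssh version 2
!
interface FastEthernet0/5
 description connects to DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/7
 switchport mode access
!
interface FastEthernet0/8
 shutdown
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
no ip http server
no ip http secure-server
!
line con 0
 exec-timeout 5 0
 password ciscoconpass
 login
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 login
 transport input none
!
end
"""

PHYSICAL = re.compile(r"^interface (FastEthernet|GigabitEthernet)\S+$")


def parse_sections(text):
    """Split an IOS config into top-level lines and indented interface/line blocks."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):            # indented: child of the current block
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit(text, dhcp_server_ports):
    """Return findings as strings. dhcp_server_ports: full interface names that
    are allowed to be DHCP snooping trusted (the uplink toward R1 in this lab)."""
    global_lines, sections = parse_sections(text)
    findings = []
    for required in ("ip ssh version 2", "no ip http server",
                     "no ip http secure-server", "ip dhcp snooping"):
        if required not in global_lines:
            findings.append(f"global: missing '{required}'")
    for name, body in sections.items():
        if name.startswith("line") and "transport input none" in body:
            continue                        # closed vty range: nothing to harden
        if name.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{name}: transport input is not restricted to ssh")
            if "login local" not in body:
                findings.append(f"{name}: no 'login local' for SSH user authentication")
        if name.startswith("line") and not any(l.startswith("exec-timeout") for l in body):
            findings.append(f"{name}: no exec-timeout")
        if PHYSICAL.match(name) and "shutdown" not in body:
            port = name.split()[1]
            if "ip dhcp snooping trust" in body and port not in dhcp_server_ports:
                findings.append(f"{port}: DHCP snooping trusted but not a DHCP server uplink")
            if "switchport mode access" in body and not any(
                    l.startswith("switchport access vlan") for l in body):
                findings.append(f"{port}: access port left in default VLAN 1")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"FastEthernet0/5"}):
        print(finding)
```

On the sample, the two findings are the misplaced trust on FastEthernet0/6 and FastEthernet0/7 still in VLAN 1; everything the lab configured on the vty lines and the HTTP servers passes. Shut-down interfaces are skipped on purpose, since disabling unused ports is itself one of the lab's objectives.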
Router Interface Summary Table

Router Model  Ethernet Interface #1        Ethernet Interface #2        Serial Interface #1     Serial Interface #2
1800          Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
1900          Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2801          Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/1/0 (S0/1/0)   Serial 0/1/1 (S0/1/1)
2811          Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2900          Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
Note: Determine how the router is configured by identifying the type of router and the number of interfaces the
router has. There is no way to effectively list all the combinations of configurations for each router class. This
table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table
does not include any other type of interface, even though a specific router may contain one (for example, an
ISDN BRI interface). The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands
to represent the interface.
Config
R1 after Part 1
R1#show run
Building configuration...
!
no ip domain-lookup
ip domain-name ccnasecurity.com
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
interface FastEthernet0/1
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
no ip http server
no ip http secure-server
!
line con 0
exec-timeout 5 0
password ciscoconpass
logging synchronous
login
line vty 0 4
exec-timeout 5 0
privilege level 15
login local
transport input ssh
line vty 5 15
login
transport input none
!
interface FastEthernet0/23
!
interface FastEthernet0/24
shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.3 255.255.255.0
!
no ip http server
no ip http secure-server
!
line con 0
exec-timeout 5 0
password ciscoconpass
logging synchronous
login
line vty 0 4
exec-timeout 5 0
privilege level 15
login local
transport input ssh
line vty 5 15
login
transport input none
!
end
R1 after Part 4
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$fRox2wTrMtcmuk$EzQExT2Y32FrAAOgixfAvSBTMzHQrTttP2B6vPBMQoc
!
no aaa new-model
memory-size iomem 15
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.4
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool CCNAS
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool 20Users
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/1.99
encapsulation dot1Q 99 native
ip address 192.168.99.1 255.255.255.0
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
exec-timeout 5 0
password ciscoconpass
logging synchronous
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
R1 Final
R1#sh run
Building configuration...
S1 Final
S1#sh run
Building configuration...
S2 Final
S2#sh run
Building configuration...