Monavathia's Blog

CCNA 4 Labskill Chapter 1

Posted on: December 29, 2010

Lab 1.3.4 Creating an ACL

Step 1: Analyze the traffic filtering requirements

a. Determine the access and filtering requirements.

For this lab:

1) PC1 is a network administrator’s workstation. This host must be permitted FTP and HTTP access to the network server, and telnet access to the router FC-CPE-1.

2) PC2 is a general workstation that is to have HTTP access only. FTP services and Telnet access to the router are not permitted.

b. Having determined specific requirements, decide if all other traffic is to be allowed or denied.

List the benefits and potential problems to the following filtering scenarios:

Benefits of allowing all other traffic:

Answer:

Services added in the future are not obstructed or blocked.

 

Potential problems with allowing all other traffic:

Answer:

Harmful and unwanted traffic is not blocked.

 

Benefits of denying all other traffic:

Answer:

Harmful and unwanted traffic is blocked automatically.

 

Potential problems with denying all other traffic:

Answer:

Services implemented in the future will be blocked automatically.

 

Step 2: Design and create the ACL

a. Review, and then apply, ACL recommended practice.

• Always plan thoroughly before implementation.
• The sequence of the statements is important. Put the more specific statements at the beginning and the more general statements at the end.
• Statements are added to the end of the ACL as they are written.
• Create and edit ACLs with a text editor and save the file.
• Use Named ACLs wherever possible.
• Use comments (remark option) within the ACL to document the purpose of the statements.
• To take effect, ACLs must be applied to an interface.
• An interface can have one ACL per Network Layer protocol, per direction.
• Although there is an implicit deny any statement at the end of every ACL, it is good practice to configure this explicitly. This ensures that you remember that the effect is in place and allows logging of matches to this statement to be used.
• ACLs with many statements take longer to process, which may affect router performance.
• Placement of ACLs:

o Standard: closest to destination (if you have administrative authority on that router)

o Extended: closest to source (if you have administrative authority on that router)

b. Consider the two approaches to writing ACLs:

• Permit specific traffic first and then deny general traffic.
• Deny specific traffic first and then permit general traffic.

 

When would it be best to permit specific traffic first and then deny general traffic?

Answer:

An ACL with few statements reduces packet latency.

When would it be best to deny specific traffic first and then permit general traffic?

Answer:

When there is likely to be more traffic of the type to be denied: these packets are matched early in the ACL without having to traverse many statements, minimizing router latency.

 

c. Select one approach and write the ACL statements that will meet the requirements of this lab.

 

Allow PC1 to access server http and ftp

access-list 101 permit tcp host 10.0.0.10 host 172.17.1.1 eq www log

access-list 101 permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp log

Allow PC2 to access web server

access-list 101 permit tcp host 10.0.0.201 host 172.17.1.1 eq www log

Allow PC1 Telnet access to router Fa0/0

access-list 101 permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet log

Deny all other traffic

access-list 101 deny ip any any log

 

After an ACL is written and applied to an interface, it is useful to know if the ACL statements are having the desired effect. The number of packets that meet the conditions of each ACL statement can be logged by adding the option log at the end of each statement.

 

Why is it important to know how many times packets that match an ACL statement are denied?

Answer:

This potentially shows the number of attempts at unauthorized access to denied services, which may lead to further investigation of network usage.

 

Step 3: Cable and configure the given network

NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so these can be restored at the conclusion of the lab.

a. Referring to the topology diagram, connect the console (or rollover) cable to the console port on the router and the other cable end to the host computer with a DB-9 or DB-25 adapter to the COM 1 port. Ensure that power has been applied to both the host computer and router.

b. Connect and configure the devices in accordance with the given topology and configuration. Your instructor may substitute Discovery Server with an equivalent server for this lab.

 

c. Establish a HyperTerminal, or other terminal emulation program, from PC1 to Router R1.

 

d. From the global configuration mode issue the following commands:

Router(config)#hostname FC-CPE-1

FC-CPE-1(config)#interface FastEthernet0/0

FC-CPE-1(config-if)#ip address 10.0.0.1 255.255.255.0

FC-CPE-1(config-if)#no shutdown

FC-CPE-1(config-if)#exit

FC-CPE-1(config)#interface FastEthernet0/1

FC-CPE-1(config-if)#ip address 172.17.0.1 255.255.0.0

FC-CPE-1(config-if)#no shutdown

FC-CPE-1(config-if)#exit

FC-CPE-1(config)#line vty 0 4

FC-CPE-1(config-line)#password telnet

FC-CPE-1(config-line)#login

FC-CPE-1(config-line)#end

e. Ping between PC1 and Discovery Server to confirm network connectivity. Troubleshoot and establish connectivity if the pings fail.

 

Step 4: Test the network services without ACLs

Perform the following tests on PC1:

a. Open a web browser on PC1 and enter the URL http://172.17.1.1 at the address bar.

What web page was displayed?

Answer:

Discovery Server Home Page

 

b. Open a web browser on PC1 and enter the URL ftp://172.17.1.1 at the address bar.

What web page was displayed?

Answer:

Discovery FTP Home Directory

c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop. Did the file copy successfully?

Answer:

Yes

 

d. From the PC1 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router.

What response did the router display?

Answer:

A prompt for the Telnet password, then login to the router

 

e. Exit the Telnet session.

Quit

Perform the following tests on PC2:

a. Open a web browser on PC2 and enter the URL http://172.17.1.1 at the address bar.

What web page was displayed?

Answer:

Discovery Server Home Page

 

b. Open a web browser on PC2 and enter the URL ftp://172.17.1.1 at the address bar.

What web page was displayed?

Answer:

Discovery FTP Home Directory

 

c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop. Did the file copy successfully?

Answer:

Yes

 

d. From the PC2 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router.

What response did the router display?

Answer:

A prompt for the Telnet password, then login to the router

 

e. Exit the Telnet session.

quit

 

Why was each of the above connections successful?

Answer:

There were no data access or filtering controls in place.

Successful connection was expected.

 

If any of the above connections was not successful, troubleshoot the network and configurations and establish each type of connection from each host.

Step 5: Configure the network services ACL

From the global configuration mode issue the following commands:

a. Allow PC1 to access the web server and telnet to the router.

FC-CPE-1(config)#ip access-list extended Server-Access

FC-CPE-1(config-ext-nacl)#remark Allow PC1 access to server

FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp www log

b. Allow PC2 to access the web server.

FC-CPE-1(config-ext-nacl)#remark Allow PC2 to access web server

FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.201 host 172.17.1.1 eq www log

c. Allow PC1 telnet access to router

FC-CPE-1(config-ext-nacl)#remark Allow PC1 to telnet router

FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet log

d. Deny all other traffic.

FC-CPE-1(config-ext-nacl)#remark Deny all other traffic

FC-CPE-1(config-ext-nacl)#deny ip any any log

FC-CPE-1(config-ext-nacl)#exit

Step 6: Apply the ACLs

a. Apply the Extended ACL to the router interface closest to the source.

FC-CPE-1(config)#interface FastEthernet0/0

FC-CPE-1(config-if)#ip access-group Server-Access in

FC-CPE-1(config-if)#end

b. From the Privileged EXEC mode, issue the show running-configuration command and confirm that the ACLs have been configured and applied as required. Reconfigure if errors are noted.

Step 7: Test the network services with ACLs

Perform the following tests on PC1:

a. Open a web browser on PC1 and enter the URL http://172.17.1.1 at the address bar.

What web page was displayed?

Answer:

Discovery Server Home Page

 

b. Open a web browser on PC1 and enter the URL ftp://172.17.1.1 at the address bar.

What web page was displayed?

Answer:

Discovery FTP Home Directory

 

c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to

the local Desktop. Did the file copy successfully?

Answer:

Yes

 

Why is this the outcome?

Answer:

This host is permitted FTP access.

 

d. From the PC1 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router.

What response did the router display?

Answer:

A prompt for the Telnet password, then login to the router

 

Why is this the outcome?

Answer:

This host is permitted Telnet access.

 

e. Exit the Telnet session.

Perform the following tests on PC2:

a. Open a web browser on PC2 and enter the URL http://172.17.1.1 at the address bar.

What web page was displayed?

Answer:

Discovery Server Home Page

 

Why is this the outcome?

Answer:

This host is permitted web access.

 

b. Open a web browser on PC2 and enter the URL ftp://172.17.1.1 at the address bar.

What web page was displayed?

Answer:

error page cannot be displayed

Why is this the outcome?

Answer:

This host is not permitted FTP access.

 

c. From the PC2 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router.

What response did the router display?

Answer:

Telnet connection refused.

 

Why is this the outcome?

Answer:

This host is not permitted Telnet access.

 

If any of these transactions did not result in the expected outcome, troubleshoot the network and configurations and retest the ACLs from each host.

 

Step 8: Observe the number of statement matches

a. From the Privileged EXEC mode, issue the command:

FC-CPE-1#show access-list Server-Access

List the number of matches logged against each ACL statement.

 

Step 9: Clean up

Erase the configurations and reload the routers and switches. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

 

Challenge

Rewrite the Server-Access ACL used in this lab so that:

1) Administrator workstations are considered to be in the address range of 10.0.0.10 /24 to 10.0.0.15 /24 instead of a single host; and,

2) The general workstations have the address range of 10.0.0.16 /24 to 10.0.0.254 /24 instead of being a single host.

 

Answer:

ip access-list extended Server-Access

remark Allow PC1 to access any IP traffic

permit ip 10.0.0.0 0.0.0.15 host 172.17.1.1 log

remark Allow PC2 to access web server

permit tcp 10.0.0.0 0.0.0.255 host 172.17.1.1 eq www log

remark Deny all other traffic

deny ip any any log
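The ACL logic of Steps 2 and 5 and of the Challenge, as an added Python example that is not part of the lab or of Cisco IOS: it evaluates constructed packets against the Server-Access entries with IOS first-match and wildcard-mask semantics, replays the Step 7 tests, and splits the Challenge's address ranges into the wildcard blocks an ACL entry can actually express (10.0.0.10 to 10.0.0.15 is not a single block, so the challenge ACL it builds needs more entries than the answer above). Port numbers and the implicit deny are standard; the Ace class, the helper names and the test packets are this example's own.

```python
# Added example (not from the lab or Cisco IOS): first-match evaluation of
# the Server-Access ACL with IOS wildcard-mask semantics, plus a helper
# that converts the Challenge's address ranges into wildcard blocks.
from dataclasses import dataclass
from ipaddress import IPv4Address, summarize_address_range

PORTS = {"ftp": 21, "telnet": 23, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")        # "any" = all wildcard bits set


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; compare the other bits."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def host(ip: str):
    """IOS 'host a.b.c.d' is shorthand for wildcard 0.0.0.0 (exact match)."""
    return ip, "0.0.0.0"


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" (any protocol) or "tcp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dports: tuple = ()         # destination ports matched by "eq"; () = any

    def matches(self, proto, src, dst, dport) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        if not wildcard_match(dst, self.dst, self.dst_wc):
            return False
        return not self.dports or dport in self.dports


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry index) of the first match. Every IOS ACL ends
    with an implicit deny, modelled here as index None."""
    for i, ace in enumerate(acl):
        if ace.matches(proto, src, dst, dport):
            return ace.action, i
    return "deny", None


# The Server-Access ACL exactly as built in Step 5.
SERVER_ACCESS = [
    Ace("permit", "tcp", *host("10.0.0.10"), *host("172.17.1.1"),
        (PORTS["ftp"], PORTS["www"])),
    Ace("permit", "tcp", *host("10.0.0.201"), *host("172.17.1.1"),
        (PORTS["www"],)),
    Ace("permit", "tcp", *host("10.0.0.10"), *host("10.0.0.1"),
        (PORTS["telnet"],)),
    Ace("deny", "ip", *ANY, *ANY),
]


def step7_results(acl=SERVER_ACCESS):
    """Replay the Step 7 tests (constructed packets): PC1 10.0.0.10 and
    PC2 10.0.0.201 towards the server 172.17.1.1 and the router 10.0.0.1."""
    tests = {
        "pc1-http": ("tcp", "10.0.0.10", "172.17.1.1", 80),
        "pc1-ftp": ("tcp", "10.0.0.10", "172.17.1.1", 21),
        "pc1-telnet": ("tcp", "10.0.0.10", "10.0.0.1", 23),
        "pc2-http": ("tcp", "10.0.0.201", "172.17.1.1", 80),
        "pc2-ftp": ("tcp", "10.0.0.201", "172.17.1.1", 21),
        "pc2-telnet": ("tcp", "10.0.0.201", "10.0.0.1", 23),
    }
    return {name: evaluate(acl, *pkt)[0] for name, pkt in tests.items()}


def wildcard_blocks(first: str, last: str):
    """Split an inclusive range into the fewest (network, wildcard) pairs an
    ACL entry can express; a wildcard can only describe aligned blocks."""
    nets = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


def challenge_acl():
    """Challenge rewrite: administrators 10.0.0.10-15 get FTP/HTTP to the
    server and Telnet to the router; general hosts 10.0.0.16-254 get HTTP."""
    server, router = host("172.17.1.1"), host("10.0.0.1")
    acl = []
    for net, wc in wildcard_blocks("10.0.0.10", "10.0.0.15"):
        acl.append(Ace("permit", "tcp", net, wc, *server,
                       (PORTS["ftp"], PORTS["www"])))
        acl.append(Ace("permit", "tcp", net, wc, *router, (PORTS["telnet"],)))
    for net, wc in wildcard_blocks("10.0.0.16", "10.0.0.254"):
        acl.append(Ace("permit", "tcp", net, wc, *server, (PORTS["www"],)))
    acl.append(Ace("deny", "ip", *ANY, *ANY))   # explicit deny, as in the lab
    return acl


if __name__ == "__main__":
    print(step7_results())
    for net, wc in wildcard_blocks("10.0.0.10", "10.0.0.15"):
        print(f"permit tcp {net} {wc} host 172.17.1.1 eq ftp www log")
```

Running the block prints the Step 7 verdicts and the two entries needed for the administrator range; the general range 10.0.0.16 to 10.0.0.254 needs ten entries, which is why a /24 with the wildcard 0.0.0.255 is the usual shortcut.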

Running config of router after lab completion:

FC-CPE-1#show run

Building configuration…

Current configuration : 1309 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname FC-CPE-1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

ip cef

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

ip address 10.0.0.1 255.255.255.0

ip access-group Server-Access in

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 172.17.0.1 255.255.0.0

duplex auto

speed auto

!

interface FastEthernet0/0/0

!

interface FastEthernet0/0/1

!

interface FastEthernet0/0/2

!

interface FastEthernet0/0/3

!

interface Serial0/1/0

no ip address

shutdown

clock rate 125000

!

interface Serial0/1/1

no ip address

shutdown

clock rate 125000

!

interface Vlan1

no ip address

!

ip classless

!

ip http server

!

ip access-list extended Server-Access

remark Allow PC1 access to server

permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp www

remark Allow PC2 to access web server

permit tcp host 10.0.0.201 host 172.17.1.1 eq www

remark Allow PC1 to telnet router

permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet

remark Deny all other traffic

deny ip any any

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

password telnet

login

!

end

FC-CPE-1#

Lab 1.4.3 Monitoring VLAN Traffic

Task 1: Demonstrate Broadcasts across a Single LAN

Step 1: Prepare the switch for configuration

a. Referring to the topology diagram, connect the console (or rollover) cable to the console port on the switch and the other cable end to the host computer with a DB-9 or DB-25 adapter to the COM 1 port. Ensure that power has been applied to both the host computer and switch.

b. Establish a HyperTerminal, or other terminal emulation program, connection from PC1 to the switch.

c. Ensure that the switch is ready for lab configuration by verifying that all existing VLAN and general configurations are removed.

1) Remove the switch startup configuration file from NVRAM.

Switch#erase startup-config

Erasing the nvram filesystem will remove all files! Continue? [confirm]

2) Press Enter to confirm.

The response should be:

Erase of nvram: complete

Step 2: Configure the PCs

a. Connect the two PCs to the switch as shown in the topology diagram.

b. Configure the two PCs to have the IP addresses and subnet mask shown in the topology table.

c. Clear the ARP cache on each PC by issuing the arp -d command at the PC command prompt.

d. Confirm that the ARP cache is clear by issuing the arp -a command.

Step 3: Generate and examine ARP broadcasts

a. Launch Wireshark on each PC and start the packet capture for the traffic seen by the NIC in each PC.

b. From the command line of each PC, ping all connected devices.

c. Monitor the operation of Wireshark. Note the ARP traffic registering on each PC.

d. Stop the Wireshark capture on each PC.

e. Examine the entries in the Wireshark Packet List (upper) Pane.

How many ARP captures occurred for each device?

One ARP request and one ARP reply for each device that was pinged.

 

List the source IP addresses of the ARP request and replies:

The source IP address is that of the device issuing the ping command, and the reply comes from the device being pinged.

 

Did each device receive an ARP request from every PC connected to the switch?

Yes

 

f. Exit Wireshark

Task 2: Demonstrate Broadcasts within Multiple VLANs

Step 1: Configure the VLANs on the switch

a. Using the established console session from PC1 to the switch, set the hostname by issuing the following command from the global configuration mode:

Switch(config)# hostname FC-ASW-1

b. Set interfaces Fa0/1 and Fa0/2 to VLAN 10 by issuing the following commands from the global configuration and interface configuration modes:

FC_ASW-1(config)#interface FastEthernet0/1

FC_ASW-1(config-if)#switchport access vlan 10

% Access VLAN does not exist. Creating vlan 10

FC_ASW-1(config-if)#interface FastEthernet0/2

FC_ASW-1(config-if)#switchport access vlan 10

c. Set interfaces Fa0/3 and Fa0/4 to VLAN 20 by issuing the following commands from the interface configuration mode:

FC_ASW-1(config-if)#interface FastEthernet0/3

FC_ASW-1(config-if)#switchport access vlan 20

% Access VLAN does not exist. Creating vlan 20

FC_ASW-1(config-if)#interface FastEthernet0/4

FC_ASW-1(config-if)#switchport access vlan 20

FC_ASW-1(config-if)#end

d. Confirm that the interfaces are assigned to the current VLANs by issuing the show vlan command from the Privileged EXEC mode. If the VLANs are not assigned correctly, troubleshoot the command entries shown in Steps 1b and 1c and reconfigure the switch.

Step 2: Prepare the PCs

a. Clear ARP cache on each PC by issuing the arp -d command at the PC command prompt.

b. Confirm the ARP cache is clear by issuing the arp -a command.

Step 3: Generate ARP broadcasts

a. Launch Wireshark on each PC and start the packet capture for the traffic seen by the NIC in each PC.

b. From the command line of each PC, ping each of the other three devices connected to the switch.

c. Monitor the operation of Wireshark. Note the ARP traffic registering on the two PCs.

d. Stop the Wireshark capture on each PC.

e. Examine the entries in the Wireshark Packet List (upper) Pane.

 

How many ARP captures occurred for each PC?

One ARP request and one ARP reply for the device in the same VLAN as each PC.

List the source IP addresses:

Depends on the respective PC.

What is the difference between the captured ARP packets for each PC this time and those captured in Task 1?

Only ARP requests from devices in the same VLAN are received.

How many Ethernet broadcast domains are present now?

2 broadcast domains: VLAN 10 and VLAN 20.

 

f. Exit Wireshark.

Step 4: Clean up

Erase the configuration and reload the switch. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

Task 3: Reflection

a. Discuss the use of VLANS in keeping data traffic separated. What are the advantages of doing this?

- Reduces pressure on bandwidth by limiting broadcasts to the hosts within the VLAN

- Provides security and traffic filtering by restricting user access to a single VLAN

b. When designing a network list different criteria that could be used to divide a network into VLANs.

- By location

- By organization

- By traffic type

Lab 1.4.5 Identifying Network Vulnerabilities

Step 1: Open the SANS Top 20 List

Using a web browser, go to http://www.sans.org/. On the resources menu, choose top 20 list.

The SANS Top-20 Internet Security Attack Targets list is organized by category. An identifying letter indicates the category type, and numbers separate category topics. Router and switch topics fall under the Network Devices category, N. There are two major hyperlink topics:

N1. VoIP Servers and Phones

N2. Network and Other Devices Common Configuration Weaknesses

Step 2: Review common configuration weaknesses

a. Click hyperlink N2. Network and Other Devices Common Configuration Weaknesses.

b. List the four headings in this topic.

Description

Common Default Configuration Issues

Printer vulnerabilities

How to protect against these vulnerabilities

 

Step 3: Review common default configuration issues

Review the contents of N2.2 Common Default Configuration Issues. As an example, N.2.2.2 (in January 2007) contains information about threats associated with default accounts and values. A Google search on “wireless router passwords” returns links to multiple sites that publish a list of wireless router default administrator account names and passwords. Failure to change the default password on these devices can lead to compromised security and vulnerability to attackers.

 

Step 4: Note the CVE references

The last line under several topics cites references to CVE, or Common Vulnerabilities and Exposures. The CVE name is linked to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), sponsored by the United States Department of Homeland Security (DHS) National Cyber Security Division and US-CERT, which contains information about the vulnerability.

 

Step 5: Investigate a topic and associated CVE hyperlink

The remainder of this lab walks you through a vulnerability investigation and solution.

Choose a topic to investigate, and click on an associated CVE hyperlink. The link should open a new web browser connected to http://nvd.nist.gov/ and the vulnerability summary page for the CVE.

NOTE: Because the CVE list changes, the current list may not contain the same vulnerabilities as those in January 2007.

 

Step 6: Record vulnerability information

Complete the information about the vulnerability. Answers vary

Original release date:

Last revised:

Source:

Overview:

 

Step 7: Record the vulnerability impact

Under Impact, there are several values. The Common Vulnerability Scoring System (CVSS) severity is displayed and contains a value between 1 and 10.

Complete the information about the vulnerability impact. Answers vary

CVSS Severity:

Access Complexity:

Authentication:

Impact Type:

 

Step 8: Record the solution

The References to Advisories, Solutions, and Tools section contains links with information about the vulnerability and possible solutions.

Using the hyperlinks, write a brief description of the solution found on those pages.

 

Step 9: Reflection

The number of vulnerabilities to computers, networks, and data continues to increase. Many national governments have dedicated significant resources to coordinating and disseminating information about security vulnerabilities and possible solutions. It remains the responsibility of the end user to implement the solution. Think of ways that users can help strengthen security. Write down some user habits that create security risks.

Using weak passwords

Writing passwords down

Not changing passwords regularly

Not securing workstations when not in use

Not following procedures when disclosing network information

Lab 1.4.6B Implementing Port Security

Task 1: Configure and Test the Switch Connectivity

Step 1: Prepare the switch for configuration

a. Referring to the topology diagram, connect the console (or rollover) cable to the console port on the switch and the other cable end to the host computer with a DB-9 or DB-25 adapter to the COM 1 port. Ensure that power has been applied to both the host computer and switch.

b. Establish a console terminal session from PC1 to switch S1.

c. Prepare the switch for lab configuration by ensuring that all existing VLAN and general configurations are removed.

1) Remove the switch startup configuration file from NVRAM.

Switch#erase startup-config

Erasing the nvram filesystem will remove all files! Continue? [confirm]

2) Press Enter to confirm.

The response should be:

Erase of nvram: complete

d. Power cycle the switch and exit the initial configuration setup when the switch restarts.

Step 2: Configure the switch

Configure the hostname and VLAN 1 interface IP address as shown in the table.

Step 3: Configure the hosts attached to the switch

a. Configure the two PCs to use the same IP subnet for the address and mask as shown in the table.

b. Connect PC1 to switch port Fa0/1 and PC2 to switch port Fa0/4. The Linksys device is not connected at this stage of the lab.

Step 4: Verify host connectivity

Ping between all PCs and the switch to verify correct configuration. If any ping was not successful, troubleshoot the hosts and switch configurations.

Step 5: Record the host MAC addresses

Determine and record the Layer 2 addresses of the PC network interface cards.

(For Windows 2000, XP, or Vista, check by using Start > Run > cmd > ipconfig /all.)

PC1 MAC Address: _______________________________ e.g., 00-07-EC-93-3C-D1

PC2 MAC Address: _______________________________ e.g., 00-01-C7-E4-ED-E6

Step 6: Determine what MAC addresses the switch has learned

a. At the privileged EXEC mode prompt, issue the show mac-address-table command to display the PC MAC addresses that the switch has learned.

FC-ASW-1#show mac-address-table

Record the details displayed in the table.

Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
   1    0001.c7e4.ede6    DYNAMIC    Fa0/1
   1    0007.ec93.3cd1    DYNAMIC    Fa0/4

b. Note the MAC addresses shown and the associated switch ports. Confirm that these addresses and ports match the connected PCs.

How were these MAC addresses and port associations learned?

The source MAC addresses of the ping echo requests and echo replies were recorded against the incoming port.

Task 2: Configure and Test the Switch for Dynamic Port Security

Step 1: Set port security options

a. Disconnect all PCs Ethernet cables from the switch ports.

b. Ensure that the MAC address table is clear of entries. To confirm this, issue the clear mac-address-table dynamic and show mac-address-table commands.

a. Clear the MAC address table entries.

FC-ASW-1#clear mac-address-table dynamic

b. Issue the show mac-address-table command.

Record the table entries.

Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----

c. Determine the options for setting port security on interface FastEthernet 0/4. From the global configuration mode, enter interface fastethernet 0/4.

FC-ASW-1(config)#interface fa 0/4

Enabling switch port security provides options, such as specifying what happens when a security setting is violated.

d. To configure the switch port FastEthernet 0/4 to accept only the first device connected to the port, issue the following commands from the configuration mode:

FC-ASW-1(config-if)#switchport mode access

FC-ASW-1(config-if)#switchport port-security

e. In the event of a security violation, the interface should be shut down. Set the port security action to shutdown:

FC-ASW-1(config-if)#switchport port-security violation shutdown

FC-ASW-1(config-if)#switchport port-security mac-address sticky

What other action options are available with port security?

protect, restrict

f. Exit the configuration mode.

Step 2: Verify the configuration

a. Display the running configuration.

What statements in the configuration directly reflect the security implementation?

interface FastEthernet0/4

switchport mode access

switchport port-security

switchport port-security mac-address sticky

b. Show the port security settings.

FC-ASW-1#show port-security interface fastethernet 0/4

Record the details displayed in the table.

Port Security : Enabled

Port Status : Secure-down

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 0

Configured MAC Addresses : 0

Sticky MAC Addresses : 0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0

Step 3: Verify the port security

a. Connect PC1 to switch port Fa0/1 and PC2 to switch port Fa0/4.

b. From the command prompt ping from PC1 to PC2.

Was this successful? Yes

c. From the command prompt ping from PC2 to PC1.

Was this successful? Yes

d. From the console terminal session, issue the show mac-address-table command.

Record the details displayed in the table.

Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
   1    0001.c7e4.ede6    DYNAMIC    Fa0/1
   1    0007.ec93.3cd1    STATIC     Fa0/4

e. Show the port security settings.

FC-ASW-1#show port-security interface fastethernet 0/4

Record the details displayed in the table.

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 1

Last Source Address:Vlan : 0001.c7e4.ede6:1 [pc2]

Security Violation Count : 0

Note the difference in entries recorded in Step 2 b.

- The port status is now secure-up (PC connected)

- There is 1 sticky MAC address

- The last source address is shown

f. Confirm the status of the switch port.

ALSwitch#show interface fastethernet 0/4

What is the state of this interface?

FastEthernet0/4 is up and line protocol is up.

Step 4: Test the port security

a. Disconnect PC2 from Fa0/4

b. Connect PC2 to the Linksys using one of the ports on the Linksys LAN switch.

c. Use the Basic Setup tab to configure the Internet IP address on the Linksys device to the address and mask, as shown in the table.

d. Configure PC2 to get an IP address using DHCP. Verify that PC2 receives an IP address from the Linksys device.

e. Connect the Internet port on the Linksys to Fa0/4.

f. Ping from PC1 to PC2.

Was this successful? No

g. Ping from PC2 to PC1.

Was this successful? No

Record the output displayed on the console screen at the switch command line.

ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state

%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down

h. Issue the show mac-address-table command.

Record the details displayed in the table.

Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
   1    0001.c7e4.ede6    DYNAMIC    Fa0/1

i. Show the port security settings.

FC-ASW-1#show port-security interface fastethernet 0/4

Record the details displayed in the table.

Port Security : Enabled

Port Status : Secure-shutdown

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 1

Last Source Address:Vlan : 0800.4606.fbb6:1

Security Violation Count : 1

Note the difference in entries recorded in Step 3 e.

- The port status is now secure-shutdown

- There is 1 security violation

- The last source address changed to the Linksys device

Confirm the status of the switch port.

FC-ASW-1#show interface fastethernet 0/4

What is the state of this interface?

FastEthernet0/4 is down and line protocol is down.
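The port-security behaviour recorded in Task 2, Steps 3 to 5, as an added Python model that is not the lab's or Cisco's code: a port with one sticky MAC learns the first device, treats a second source MAC as a violation, and reacts according to the configured mode (shutdown err-disables the port, restrict drops and counts, protect drops silently), which reproduces the Port Status, Sticky MAC and Security Violation Count fields of the show port-security output and the shutdown / no shutdown recovery of Step 5. The MAC addresses are taken from the page's tables (the page itself is inconsistent about which PC owns which, so PC2 = 0007.ec93.3cd1 is an assumption), and the console message is the one the lab recorded; the class and function names are this example's own.

```python
# Added example (not the lab's or Cisco's code): a simplified model of
# sticky port security on Fa0/4 as recorded in Task 2, Steps 3 to 5, so the
# counters of "show port-security interface" can be reproduced step by step.
from dataclasses import dataclass, field

PC2_MAC = "0007.ec93.3cd1"       # sticky entry on Fa0/4 in the Step 3 table (assumed PC2)
LINKSYS_MAC = "0800.4606.fbb6"   # "Last Source Address" after the violation


@dataclass
class SecurePort:
    name: str
    violation: str = "shutdown"      # shutdown | restrict | protect
    maximum: int = 1                 # "Maximum MAC Addresses : 1"
    secure_macs: list = field(default_factory=list)   # sticky (STATIC) entries
    link_up: bool = False
    admin_down: bool = False
    err_disabled: bool = False
    violation_count: int = 0
    last_source: str = "0000.0000.0000"
    console: list = field(default_factory=list)

    def status(self) -> str:
        """The 'Port Status' field of 'show port-security interface'."""
        if self.err_disabled:
            return "Secure-shutdown"
        return "Secure-up" if self.link_up else "Secure-down"

    def frame_in(self, src_mac: str) -> bool:
        """Handle one ingress frame; True means it is forwarded."""
        if self.err_disabled or self.admin_down:
            return False
        self.link_up = True
        self.last_source = src_mac
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)      # first device is learned sticky
            return True
        # Another source MAC on a full port is a violation.
        if self.violation == "protect":
            return False                          # dropped silently, not counted
        self.violation_count += 1
        if self.violation == "restrict":
            return False                          # dropped and counted, port stays up
        self.err_disabled = True                  # shutdown: port goes err-disabled
        self.link_up = False
        self.console.append(
            f"ERR_DISABLE: psecure-violation error detected on {self.name}, "
            f"putting {self.name} in err-disable state")
        return False

    def shutdown(self):
        """Step 5a: 'shutdown' on the interface clears the err-disabled state."""
        self.admin_down, self.err_disabled, self.link_up = True, False, False

    def no_shutdown(self):
        """Step 5b: re-enable; sticky entries survive, so PC2 works again."""
        self.admin_down = False


def replay_lab(mode: str = "shutdown"):
    """Replay Steps 3-5 for a violation mode and return what the lab
    recorded: (status, sticky count, violations) after PC2, then
    (status, last source, violations) after the Linksys, then whether PC2
    is forwarded again after shutdown / no shutdown."""
    port = SecurePort("Fa0/4", violation=mode)
    port.frame_in(PC2_MAC)
    after_pc2 = (port.status(), len(port.secure_macs), port.violation_count)
    port.frame_in(LINKSYS_MAC)
    after_linksys = (port.status(), port.last_source, port.violation_count)
    port.shutdown()
    port.no_shutdown()
    return after_pc2, after_linksys, port.frame_in(PC2_MAC)


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, replay_lab(mode))
```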

 

Step 5: Reactivate the port

a. If a security violation occurs and the port is shut down, enter interface Fa0/4 configuration mode, disconnect the offending device, and use the shutdown command to temporarily disable the port.

b. Disconnect the Linksys and reconnect PC2 to port Fa0/4. Issue the no shutdown command on the interface.

c. Ping from PC1 to PC2. This may have to be repeated multiple times before success.

List reasons why multiple ping attempts may be necessary before success is achieved.

- Spanning Tree Protocol needs to run

- ARP requests must be sent and received.

- The switch must learn the MAC address to port association

 

Step 6: Discuss switch port security using dynamic MAC address assignment

Advantages:

Host MAC addresses do not have to be recorded and entered when the switch is configured.
There is flexibility when connecting a large number of hosts, provided the ports used are in the correct VLAN.

 

Disadvantages:

If the wrong host is connected to the switch before the correct host, network security can still be breached.
A host can be connected to the wrong VLAN.
When a NIC is changed in a PC, or when a PC is replaced, the network administrator must manually reset port security.

 

Step 7: Clean up

Erase the configurations and reload the switches. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

 

Task 3: Reflection

When considering designing a typical enterprise network, it is necessary to think about points of security vulnerability at the Access Layer. Discuss which Access Layer switches should have port security and those for which it may not be appropriate. Include possible future issues in regard to wireless and guest access to the network.

 

• The type of host connected to the switch.
• The type of user: employee or guest
• Where access takes place: in a secure office or in a public area
• The type of access: wired or wireless
• Investigate the security features available on different switch platforms
• How port security policy can be implemented and managed.
• Static versus dynamic port security
