CASE STUDY, SESSION 6
Packet Tracer - Configuring SSH
Topology
Addressing Table
| Device | Interface | IP Address | Subnet Mask |
|---|---|---|---|
| S1 | VLAN 1 | 10.10.10.2 | 255.255.255.0 |
| PC1 | NIC | 10.10.10.10 | 255.255.255.0 |
Objectives
Part 1: Secure Passwords
Part 2: Encrypt Communications
Part 3: Verify SSH Implementation
Background
SSH should replace Telnet for management connections. Telnet
uses insecure plain text communications. SSH provides security for remote
connections by providing strong encryption of all transmitted data between
devices. In this activity, you will secure a remote switch with password
encryption and SSH.
Part 1: Secure Passwords
a. Using the command prompt on PC1, Telnet to S1. The user EXEC and privileged EXEC password is cisco.
b. Save the current configuration so that any mistakes you might make can be reversed by toggling the power for S1.
c. Show the current configuration and note that the passwords are in plain text. Enter the command that encrypts plain text passwords.
S1(config)# service password-encryption
d. Verify that the passwords are encrypted.
Part 2: Encrypt Communications
Step 1: Set the IP domain name and generate secure keys.
It is generally not safe to use Telnet, because data is transferred in plain text. Therefore, use SSH whenever it is available.
a. Configure the domain name to be netacad.pka.
S1(config)# ip domain-name netacad.pka
b. Secure keys are needed to encrypt the data. Generate the RSA keys using a 1024-bit key length.
S1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
Step 2: Create an SSH user and reconfigure the VTY lines for SSH-only access.
a. Create an administrator user with cisco as the secret password.
S1(config)# username administrator secret cisco
b. Configure the VTY lines to check the local username database for login credentials and to only allow SSH for remote access. Remove the existing vty line password.
S1(config)# line vty 0 15
S1(config-line)# login local
S1(config-line)# transport input ssh
S1(config-line)# no password cisco
Part 3: Verify SSH Implementation
a. Exit the Telnet session and attempt to log back in using Telnet. The attempt should fail.
b. Attempt to log in using SSH. Type ssh and press Enter without any parameters to reveal the command usage instructions. Hint: The -l option is the letter “L”, not the number 1.
c. Upon successful login, enter privileged EXEC mode and save the configuration. If you were unable to successfully access S1, toggle the power and begin again at Part 1.
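As an added example (not part of the lab), the following Python script audits a saved running-config for the hardening steps of Parts 1 and 2: password encryption, domain name, a local user with a secret, and VTY lines that are SSH-only with no line password. Both config texts are constructed samples and the secret hash is a placeholder.

```python
import re
# Constructed sample running-configs (not lab captures). The secret hash is a
# placeholder, not a real IOS hash.
HARDENED_CONFIG = """\
service password-encryption
ip domain-name netacad.pka
username administrator secret 5 $PLACEHOLDER_HASH$
line vty 0 15
 login local
 transport input ssh
"""
# The switch as found in Part 1: Telnet allowed, plain-text line password.
BEFORE_CONFIG = """\
no service password-encryption
line vty 0 4
 password cisco
 login
"""

def vty_blocks(config):
    """Collect the indented commands under every 'line vty' section."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = []
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def audit_ssh_hardening(config):
    """Map each lab step to a pass/fail check on the config text."""
    lines = config.splitlines()
    blocks = vty_blocks(config)
    results = {
        # Part 1c: plain-text passwords obfuscated in 'show run' output
        "password_encryption": "service password-encryption" in lines,
        # Part 2 Step 1a: domain name is a prerequisite for RSA key generation
        "domain_name": any(l.startswith("ip domain-name ") for l in lines),
        # Part 2 Step 2a: local user with a hashed (secret) password
        "local_user_secret": any(re.match(r"username \S+ secret ", l) for l in lines),
        # Part 2 Step 2b: VTY lines use the local database, accept SSH only, no line password
        "vty_login_local": bool(blocks) and all("login local" in b for b in blocks),
        "vty_ssh_only": bool(blocks) and all("transport input ssh" in b for b in blocks),
        "vty_no_line_password": not any(c.startswith("password ") for b in blocks for c in b),
    }
    results["compliant"] = all(results.values())
    return results
```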
Packet Tracer - Configuring Switch Port Security
Topology
Addressing Table
| Device | Interface | IP Address | Subnet Mask |
|---|---|---|---|
| S1 | VLAN 1 | 10.10.10.2 | 255.255.255.0 |
| PC1 | NIC | 10.10.10.10 | 255.255.255.0 |
| PC2 | NIC | 10.10.10.11 | 255.255.255.0 |
| Rogue Laptop | NIC | 10.10.10.12 | 255.255.255.0 |
Objective
Part 1: Configure Port Security
Part 2: Verify Port Security
Background
In this activity, you will configure and verify port security
on a switch. Port security allows you to restrict a port’s ingress traffic by
limiting the MAC addresses that are allowed to send traffic into the port.
Part 1: Configure Port Security
a. Access the command line for S1 and enable port security on Fast Ethernet ports 0/1 and 0/2.
S1(config)# interface range fa0/1 - 2
S1(config-if-range)# switchport port-security
b. Set the maximum so that only one device can access the Fast Ethernet ports 0/1 and 0/2.
S1(config-if-range)# switchport port-security maximum 1
c. Secure the ports so that the MAC address of a device is dynamically learned and added to the running configuration.
S1(config-if-range)# switchport port-security mac-address sticky
d. Set the violation mode so that the Fast Ethernet ports 0/1 and 0/2 are not disabled when a violation occurs, but packets from an unknown source are dropped.
S1(config-if-range)# switchport port-security violation restrict
e. Disable all the remaining unused ports. Hint: Use the range keyword to apply this configuration to all the ports simultaneously.
S1(config-if-range)# interface range fa0/3 - 24, gi1/1 - 2
S1(config-if-range)# shutdown
Part 2: Verify Port Security
a. From PC1, ping PC2.
b. Verify port security is enabled and the MAC addresses of PC1 and PC2 were added to the running configuration.
c. Attach Rogue Laptop to any unused switch port and notice that the link lights are red.
d. Enable the port and verify that Rogue Laptop can ping PC1 and PC2. After verification, shut down the port connected to Rogue Laptop.
e. Disconnect PC2 and connect Rogue Laptop to PC2’s port. Verify that Rogue Laptop is unable to ping PC1.
f. Display the port security violations for the port Rogue Laptop is connected to.
S1# show port-security interface fa0/2
g. Disconnect Rogue Laptop and reconnect PC2. Verify PC2 can ping PC1.
h. Why is PC2 able to ping PC1, but the Rogue Laptop is not?
The port security that was enabled on the port only allowed the device whose MAC was learned first to access the port, while preventing all other devices from accessing it.
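Because restrict mode keeps the port up and silently drops the rogue frames, the violation counter in step f is the only evidence that anything happened. As an added example (not from the lab), this Python script parses that command's output and flags the port; the sample output, including the MAC address, is constructed for the demonstration, not captured from Packet Tracer.

```python
import re

# Constructed 'show port-security interface fa0/2' output for the moment in
# steps e and f when Rogue Laptop sits on PC2's port (assumed values).
SAMPLE_FA0_2 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.AAAA.BBBB:1
Security Violation Count   : 4
"""

# Key and value are separated by whitespace-colon-whitespace, which keeps the
# 'Last Source Address:Vlan' key intact.
FIELD = re.compile(r"^(.*?)\s+:\s+(.*)$")

def parse_port_security(text):
    """Turn each 'Field : Value' line of the show output into a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def evaluate_port(fields):
    """Check the parsed output against the configuration the lab intends."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security not enabled")
    if fields.get("Maximum MAC Addresses") != "1":
        findings.append("more than one MAC address allowed")
    if fields.get("Violation Mode") != "Restrict":
        findings.append("violation mode is not restrict")
    violations = int(fields.get("Security Violation Count", "0"))
    if violations > 0:
        # Port Status stays Secure-up in restrict mode, so report the counter
        # and the last source that was dropped.
        last = fields.get("Last Source Address:Vlan", "unknown")
        findings.append(f"{violations} violations, last offending source {last}")
    return findings
```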
Packet Tracer - Troubleshooting Switch Port Security
Topology
Scenario
The employee who normally uses PC1 brought his laptop from
home, disconnected PC1 and connected the laptop to the telecommunication outlet.
After reminding him of the security policy that does not allow personal devices
on the network, you now must reconnect PC1 and re-enable the port.
Requirements
· Disconnect Home Laptop and reconnect PC1 to the appropriate port.
- When PC1 was reconnected to the switch port, did the port status change? No
- Enter the command to view the port status. What is the state of the port?
S1# sh int fa0/1
FastEthernet0/1 is administratively down, line protocol is down (disabled)
- Which port security command enabled this feature?
· Enable the port using the necessary command.
S1(config)# int fa0/1
S1(config-if)# no shut
· Verify connectivity. PC1 should now be able to ping PC2.
Suggested Scoring Rubric
Packet Tracer scores 90 points. Answers to the questions are worth 10 points.
Packet Tracer – Configuring OSPFv2 in a Single Area
Topology
Addressing Table
| Device | Interface | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| R1 | G0/0 | 172.16.1.1 | 255.255.255.0 | N/A |
| | S0/0/0 | 172.16.3.1 | 255.255.255.252 | N/A |
| | S0/0/1 | 192.168.10.5 | 255.255.255.252 | N/A |
| R2 | G0/0 | 172.16.2.1 | 255.255.255.0 | N/A |
| | S0/0/0 | 172.16.3.2 | 255.255.255.252 | N/A |
| | S0/0/1 | 192.168.10.9 | 255.255.255.252 | N/A |
| R3 | G0/0 | 192.168.1.1 | 255.255.255.0 | N/A |
| | S0/0/0 | 192.168.10.6 | 255.255.255.252 | N/A |
| | S0/0/1 | 192.168.10.10 | 255.255.255.252 | N/A |
| PC1 | NIC | 172.16.1.2 | 255.255.255.0 | 172.16.1.1 |
| PC2 | NIC | 172.16.2.2 | 255.255.255.0 | 172.16.2.1 |
| PC3 | NIC | 192.168.1.2 | 255.255.255.0 | 192.168.1.1 |
Objectives
Part 1: Configure OSPFv2 Routing
Part 2: Verify the Configurations
Background
In this activity, the IP addressing is already configured. You are responsible for configuring the three-router topology with basic single-area OSPFv2 and then verifying connectivity between end devices.
Part 1: Configure OSPFv2 Routing
Step 1: Configure OSPF on R1, R2, and R3.
Use the following requirements to configure OSPF routing on all three routers:
- Process ID 10
- Router ID for each router: R1 = 1.1.1.1; R2 = 2.2.2.2; R3 = 3.3.3.3
- Network address for each interface
- LAN interface set to passive (do not use the default keyword)
Step 2: Verify OSPF routing is operational.
On each router, the routing table should now have a route to every network in the topology.
Part 2: Verify the Configurations
Each PC should be able to ping the other two PCs. If not, check your configurations.
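As an added example (not part of the lab), the Python below derives the OSPF network statements from the Addressing Table: it computes each interface's network address and wildcard mask and emits the per-router configuration with the required router ID and an explicitly passive LAN interface. Area 0 is assumed for the single area; the interface abbreviations are taken from the table.

```python
import ipaddress

# Router interfaces copied from the lab's Addressing Table, with the router IDs
# the lab requires. Area 0 is assumed for the single area.
ROUTERS = {
    "R1": ("1.1.1.1", [("G0/0", "172.16.1.1", "255.255.255.0"),
                       ("S0/0/0", "172.16.3.1", "255.255.255.252"),
                       ("S0/0/1", "192.168.10.5", "255.255.255.252")]),
    "R2": ("2.2.2.2", [("G0/0", "172.16.2.1", "255.255.255.0"),
                       ("S0/0/0", "172.16.3.2", "255.255.255.252"),
                       ("S0/0/1", "192.168.10.9", "255.255.255.252")]),
    "R3": ("3.3.3.3", [("G0/0", "192.168.1.1", "255.255.255.0"),
                       ("S0/0/0", "192.168.10.6", "255.255.255.252"),
                       ("S0/0/1", "192.168.10.10", "255.255.255.252")]),
}
PROCESS_ID = 10

def network_statement(ip, mask):
    """Return the (network address, wildcard mask) pair for an interface."""
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    # OSPF 'network' statements take a wildcard mask, the inverse of the subnet mask.
    return str(net.network_address), str(net.hostmask)

def ospf_config(router):
    """Build the OSPFv2 configuration lines for one router."""
    router_id, interfaces = ROUTERS[router]
    lines = [f"router ospf {PROCESS_ID}", f" router-id {router_id}"]
    for _, ip, mask in interfaces:
        net, wildcard = network_statement(ip, mask)
        lines.append(f" network {net} {wildcard} area 0")
    # The LAN interface is named explicitly (no 'passive-interface default'),
    # so no OSPF hellos are sent onto the access network.
    for name, _, _ in interfaces:
        if name.startswith("G"):
            lines.append(f" passive-interface {name}")
    return lines

if __name__ == "__main__":
    for router in ROUTERS:
        print(f"{router}(config)#")
        print("\n".join(ospf_config(router)))
```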