6.5.1.1 Lab - Securing Layer 2 Switches - Instructor
Topology
IP Addressing Table
Objectives
Part 1: Configure Basic Switch Settings
Build the topology.
Configure the hostname, IP address, and access passwords.
Part 2: Configure SSH Access to the Switches
Configure SSH access on the switch.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 45
Lab – Securing Layer 2 Switches
Background / Scenario
The Layer 2 infrastructure consists mainly of interconnected Ethernet switches. Most end-user devices, such
as computers, printers, IP phones, and other hosts, connect to the network via Layer 2 access switches. As a
result, switches can present a network security risk. Similar to routers, switches are subject to attack from
malicious internal users. The switch Cisco IOS software provides many security features that are specific to
switch functions and protocols.
In this lab, you will configure SSH access and Layer 2 security for S1 and S2. You will also configure various
switch protection measures, including access port security, switch storm control, and Spanning Tree Protocol
(STP) features, such as BPDU guard and root guard. Lastly, you use Cisco SPAN to monitor traffic to specific
ports on the switch.
Note: The router commands and output in this lab are from a Cisco 1841 router using Cisco IOS software,
release 15.1(4)M8 (Advanced IP Services image). The switch commands and output are from Cisco WS-
C2960-24TT-L switches with Cisco IOS Release 15.0(2)SE4 (C2960-LANBASEK9-M image). Other routers,
switches, and Cisco IOS versions can be used. See the Router Interface Summary Table at the end of the lab
to determine which interface identifiers to use based on the equipment in the lab. Depending on the router, or
switch model and Cisco IOS version, the commands available and output produced might vary from what is
shown in this lab.
Note: Make sure that the routers and switches have been erased and have no startup configurations.
Instructor Note: Instructions for initializing the network devices are provided in Lab 0.0.0.0.
Required Resources
1 Router (Cisco 1841 with Cisco IOS Release 15.1(4)M8 Advanced IP Services image or comparable)
2 Switches (Cisco 2960 with cryptography IOS image for SSH support – Release 15.0(2)SE4 or
comparable)
2 PCs (Windows Vista or Windows 7 with SSH Client, Wireshark, and Nmap/Zenmap)
Ethernet cables as shown in the topology
Console cables to configure Cisco networking devices
Instructor Notes:
This lab is divided into four parts. Each part can be administered individually or in combination with others as
time permits. The focus is configuring security measures on S1 and S2. R1 serves as a gateway connection
and is mainly used to change the MAC address connected to S1 for port security testing.
Students can work in teams of two for switch configuration, one person configuring S1 and the other
configuring S2.
The basic running configurations for the router and two switches are captured after Parts 1 and 2 of the lab
are completed. The running configurations for S1 and S2 are captured after Parts 3 and 4 and are listed
separately. All configurations are found at the end of the lab.
Step 2: Configure basic settings for the router and each switch.
Perform all tasks on R1, S1, and S2. The procedure for S1 is shown here as an example.
a. Configure hostnames, as shown in the topology.
b. Configure interface IP addresses, as shown in the IP Addressing Table. The following configuration
displays the VLAN 1 management interface on S1:
S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown
c. To prevent the router or switch from attempting to translate incorrectly entered commands, disable DNS
lookup. S1 is shown here as an example.
S1(config)# no ip domain-lookup
d. HTTP access to the switch is enabled by default. To prevent HTTP access, disable the HTTP server and
HTTP secure server.
S1(config)# no ip http server
S1(config)# no ip http secure-server
Note: The switch must have a cryptography IOS image to support the ip http secure-server command.
HTTP access to the router is disabled by default.
e. Configure the enable secret password.
S1(config)# enable secret cisco12345
f. Configure console password.
S1(config)# line console 0
Step 6: Save the basic configurations for the router and both switches.
Save the running configuration to the startup configuration from the privileged EXEC mode prompt.
S1# copy running-config startup-config
Step 2: Configure a privileged user for login from the SSH client.
a. Use the username command to create the user ID with the highest possible privilege level and a secret
password.
S1(config)# username admin privilege 15 secret cisco12345
b. Exit to the initial switch login screen, and log in with this username. What was the switch prompt after you
entered the password?
____________________________________________________________________________________
____________________________________________________________________________________
The privileged EXEC (enable) prompt #. With a privilege level of 15, the login defaults to privileged EXEC
mode.
Step 4: Generate the RSA encryption key pair for the switch.
The switch uses the RSA key pair for authentication and encryption of transmitted SSH data.
Configure the RSA keys with a modulus of 1024 bits. The default is 512, and the range is from
360 to 2,048.
S1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: S1.ccnasecurity.com
S1(config)#
00:15:36: %SSH-5-ENABLED: SSH 1.99 has been enabled
Instructor Note: Encryption methods are detailed in Chapter 7.
Step 1: (Optional) Download and install an SSH client on PC-A and PC-B.
If the SSH client is not already installed, download PuTTY from the following link:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Note: The procedure described here is for PuTTY and pertains to PC-A.
d. Click Open.
Note: Upon first connection, the user is prompted with a PuTTY Security Alert stating that the server’s
host key is not cached in the registry.
e. In the PuTTY Security Alert window, click Yes to cache the server’s host key.
f. In the PuTTY window, enter the admin username and password cisco12345.
g. At the S1 privileged EXEC mode prompt, enter the show users command.
S1# show users
What users are connected to S1 at this time?
____________________________________________________________________________________
____________________________________________________________________________________
You should see at least two users, one for your console connection and another for the SSH interface.
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 1
Address 001d.4635.0c80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Step 3: Change the native VLAN for the trunk ports on S1 and S2.
a. Changing the native VLAN for trunk ports to an unused VLAN helps prevent VLAN hopping attacks.
From the output of the show interfaces trunk command in the previous step, what is the current native
VLAN for the S1 Fa0/1 trunk interface?
____________________________________________________________________________________
It is set to the default VLAN 1.
b. Set the native VLAN on the S1 Fa0/1 trunk interface to an unused VLAN 99.
S1(config)# interface fa0/1
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# end
c. The following message should display after a brief period of time:
02:16:28: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on
FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).
What does the message mean?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The S1 Fa0/1 native VLAN is now 99, but the S2 native VLAN is still 1. Both ends of the trunk must share
the same native VLAN for trunking to occur.
d. Set the native VLAN on the S2 Fa0/1 trunk interface to VLAN 99.
S2(config)# interface fa0/1
S2(config-if)# switchport trunk native vlan 99
S2(config-if)# end
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
<output omitted>
Max Addresses limit in System (excluding one mac per port) : 8192
Step 8: (Optional) Move active ports to a VLAN other than the default VLAN 1.
As a further security measure, you can move all active end user and router ports to a VLAN other than the
default VLAN 1 on both switches.
a. Configure a new VLAN for users on each switch using the following commands:
S1(config)# vlan 20
S1(config-vlan)# name Users
S2(config)# vlan 20
S2(config-vlan)# name Users
b. Add the current active access (non-trunk) ports to the new VLAN.
S1(config)# interface range fa0/5 - 6
S1(config-if-range)# switchport access vlan 20
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
c. Deactivate protected port on interfaces Fa0/6 and Fa0/7 using the following commands:
S1(config)# interface range fastEthernet 0/6 - 7
S1(config-if-range)# no switchport protected
on the source port can be ingress only, egress only or both. S1 port Fa0/5 is connected to R1, so ingress
traffic from R1 and egress to R1 on switch port Fa0/5 will be monitored.
S1(config)# monitor session 1 source interface fa0/5 both
Note: You can specify monitoring of tx (transmit) or rx (receive) traffic. The both keyword includes tx and rx.
The source can be a single interface, a range of interfaces, a single VLAN, or a range of VLANs.
b. Set the SPAN destination interface.
S1(config)# monitor session 1 destination interface fa0/6
All traffic from S1 Fa0/5, where R1 is connected, will be copied to the SPAN destination port Fa0/6, where
PC-A with Wireshark is connected.
Note: The destination can be an interface or a range of interfaces.
b. Click I Agree to the license agreement and accept the defaults by clicking Next when prompted.
Note: In the Install WinPcap screen, select the Install WinPcap option, and select the Start WinPcap
service option so that users without administrative privileges can also run Wireshark.
c. Click Start for the LAN interface adapter with IP address 192.168.1.10.
d. Generate some traffic from PC-B (192.168.1.11) to R1 interface Fa0/1 (192.168.1.1) using ping. This
traffic will go from S2 port Fa0/18 to S2 port Fa0/1 across the trunk link to S1 port Fa0/1, and then exit
interface Fa0/5 on S1 to reach R1.
PC-B:\> ping 192.168.1.1
e. Observe the results in Wireshark on PC-A. If you have not pinged 192.168.1.1 before, you will see the
initial ARP request broadcast from PC-B (Intel NIC) to determine the MAC address of the R1 Fa0/1
interface with IP address 192.168.1.1 and the ARP reply from the R1 Cisco Ethernet interface. After the
ARP request, the pings (echo request and replies) can be seen going from PC-B to R1 and from R1 to
PC-B through the switch. The filter !(ip.dst == 192.168.1.255) was applied to the Wireshark results.
Note: Your screen should look similar to the one below. Some additional packets might be captured in
addition to the pings, such as the R1 Fa0/1 LOOP reply.
c. Install Nmap/Zenmap.
c. Clear the previous capture in Wireshark and start a new capture by clicking Capture > Start. When
prompted, click Continue without saving.
d. In the Zenmap program, click Scan to start the simulated attack.
e. Observe the results on the Wireshark window on PC-A. Notice the number and types of ports tried by the
simulated Zenmap attack from PC-B (192.168.1.11) to R1 Fa0/1 (192.168.1.1). The filter
ip.host==192.168.1.1 was applied to the Wireshark result. Your screen should look similar to the following:
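The SPAN session above mirrors the sweep to Wireshark so a person can see it; the same capture can be screened automatically. The following is an added example, not part of the Cisco lab: it flags a source that touches many distinct ports on one host within a short window, using constructed packet summaries of the kind a tshark export yields (no live capture or extra library needed).

```python
# Added example (not from the Cisco lab): flag the Zenmap-style port sweep that the
# SPAN session mirrors to Wireshark on PC-A. Packets below are constructed summaries
# of the kind a tshark export yields; no live capture is needed.
from collections import defaultdict

# (seconds, src_ip, dst_ip, protocol, dst_port). The first four are the ordinary
# PC-B -> R1 ping exchange, the fifth is PC-A's SSH session to S1, and the
# remaining twelve mimic the scan against R1 Fa0/1.
PACKETS = [
    (0.00, "192.168.1.11", "192.168.1.1", "icmp", None),
    (0.01, "192.168.1.1", "192.168.1.11", "icmp", None),
    (1.00, "192.168.1.11", "192.168.1.1", "icmp", None),
    (1.01, "192.168.1.1", "192.168.1.11", "icmp", None),
    (5.00, "192.168.1.10", "192.168.1.2", "tcp", 22),
] + [
    (10.0 + i * 0.05, "192.168.1.11", "192.168.1.1", "tcp", port)
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])
]


def detect_port_sweeps(packets, min_ports=10, window=5.0):
    """Return {(src, dst): distinct ports} for every source/destination pair that
    touches at least `min_ports` distinct TCP/UDP ports within `window` seconds."""
    hits = defaultdict(list)
    for t, src, dst, proto, dport in sorted(packets, key=lambda p: p[0]):
        if proto in ("tcp", "udp") and dport is not None:
            hits[(src, dst)].append((t, dport))
    alerts = {}
    for pair, events in hits.items():
        start = 0
        for end in range(len(events)):          # sliding time window over the hits
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(len(ports), alerts.get(pair, 0))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_sweeps(PACKETS).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports")
```

The ping exchange and the single SSH session stay below the threshold; only the PC-B to R1 pair is reported.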
Note: S2 is acting as a regular switch, forwarding frames based on destination MAC addresses and switch
ports. The traffic entering S2 through port Fa0/1 carries R1's MAC address as the destination of the Ethernet
frame; therefore, for S2 to forward those frames to PC-B, R1's MAC address must be the same as PC-B's. To
accomplish this, the R1 Fa0/1 MAC address is modified using the IOS CLI to simulate PC-B's MAC address.
This requirement is specific to the NETLAB+ environment.
Note: NETLAB+ VM NICs must be configured for promiscuous mode for the capture part of this lab to work.
analyzed. On S1, port Fa0/5 is connected to R1 so traffic from the switch port Fa0/5 to R1 will be
monitored.
S1(config)# monitor session 1 source interface fa0/5 tx
Note: The source can be a single interface, a range of interfaces, a single VLAN, or range of VLANs.
e. Set the SPAN destination interface.
S1(config)# monitor session 1 destination interface fa0/1
All egress traffic from S1 Fa0/5, where R1 is connected, will be copied to the SPAN destination port
Fa0/1, where PC-B with Wireshark is connected.
Note: The destination can be an interface or a range of interfaces.
c. Clear the previous capture in Wireshark and start a new capture by clicking Capture > Start. When
prompted, click Continue without saving.
d. In the Zenmap program, click Scan to start the simulated attack.
e. Observe the results on the Wireshark window on PC-B. Notice the number and types of ports tried by the
simulated Zenmap attack from PC-A (192.168.1.10) to R1 Fa0/1 (192.168.1.1). A filter, such as
ip.host==192.168.1.1, can be applied to the results. Your screen should look similar to the following:
Reflection
1. Why should port security be enabled on switch access ports?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary, but should include that port security limits the number of hosts that can use the port, so a
PC cannot be connected and use the network without authorization.
2. Why should port security be enabled on switch trunk ports?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary, but should include trunk security can help to prevent VLAN hopping and STP attacks from
rogue switches.
3. Why should unused ports on a switch be disabled?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary, but should include that an unauthorized device cannot be plugged into an unused switch
port and use the network, because the unused ports have to be administratively enabled to be utilized.
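The three reflection points above (access-port security, trunk security, unused ports shut down), together with the native VLAN check from the trunk step, can be verified mechanically against a saved running-config. The following is an added example, not part of the Cisco lab: a small audit over show running-config text. Both sample configs are constructed and abbreviated; `switchport port-security` is assumed as the port-security command being checked, and `Vlan` SVIs are skipped.

```python
# Added example (not from the Cisco lab): audit 'show running-config' text for the
# Layer 2 hardening this lab applies. Both sample configs below are constructed.
import re

S1_CONFIG = """\
hostname S1
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
!
no ip http server
no ip http secure-server
"""

# S2 is constructed with the gaps an auditor should catch.
S2_CONFIG = """\
hostname S2
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/18
 switchport mode access
!
"""

ACCESS_REQ = (("spanning-tree bpduguard enable", "BPDU guard not enabled"),
              ("switchport port-security", "port security not enabled"))
HTTP_OFF = ("no ip http server", "no ip http secure-server")

def parse_config(text):
    """Return (hostname, {interface name: [sub-commands]}, [global commands])."""
    ifaces, top, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!", "end"):
            current = None  # '!' ends an interface block, as in show run output
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            ifaces[current] = []
        elif current is not None:
            ifaces[current].append(line)
        else:
            top.append(line)
    host = next((c.split(" ", 1)[1] for c in top if c.startswith("hostname ")), "?")
    return host, ifaces, top

def native_vlan(cmds):
    """Configured native VLAN of a trunk; IOS defaults to VLAN 1 when unset."""
    for cmd in cmds:
        m = re.match(r"switchport trunk native vlan (\d+)$", cmd)
        if m:
            return int(m.group(1))
    return 1

def audit_device(text):
    """Return [(hostname, scope, finding)] for one device's running-config."""
    host, ifaces, top = parse_config(text)
    findings = []
    for port, cmds in ifaces.items():
        if port.startswith("Vlan") or "shutdown" in cmds:
            continue  # SVI, or an unused port that is correctly disabled
        if "switchport mode trunk" in cmds:
            if native_vlan(cmds) == 1:
                findings.append((host, port, "trunk uses default native VLAN 1"))
            if "switchport nonegotiate" not in cmds:
                findings.append((host, port, "DTP still enabled (no switchport nonegotiate)"))
        elif "switchport mode access" in cmds:
            findings += [(host, port, why) for req, why in ACCESS_REQ if req not in cmds]
        else:
            findings.append((host, port, "port up with no access/trunk role; shut it down"))
    findings += [(host, "global", f"missing '{r}'") for r in HTTP_OFF if r not in top]
    return findings

def check_trunk_native(configs, trunk_port="FastEthernet0/1"):
    """Native VLAN per device on trunk_port, and whether the ends disagree (the
    condition behind the %CDP-4-NATIVE_VLAN_MISMATCH message in Step 3)."""
    seen = {}
    for text in configs:
        host, ifaces, _ = parse_config(text)
        cmds = ifaces.get(trunk_port, [])
        if "switchport mode trunk" in cmds:
            seen[host] = native_vlan(cmds)
    return seen, len(set(seen.values())) > 1

if __name__ == "__main__":
    for host, scope, msg in audit_device(S1_CONFIG) + audit_device(S2_CONFIG):
        print(f"{host} {scope}: {msg}")
    print(check_trunk_native([S1_CONFIG, S2_CONFIG]))
```

Paste a real show running-config in place of the constructed strings to audit the lab switches; S1 as constructed yields no findings, while S2 yields seven plus a native VLAN mismatch against S1.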
Router Interface Summary Table
Router Model   Ethernet Interface #1          Ethernet Interface #2          Serial Interface #1      Serial Interface #2
1800           Fast Ethernet 0/0 (Fa0/0)      Fast Ethernet 0/1 (Fa0/1)      Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)    Gigabit Ethernet 0/1 (G0/1)    Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2801           Fast Ethernet 0/0 (Fa0/0)      Fast Ethernet 0/1 (Fa0/1)      Serial 0/1/0 (S0/1/0)    Serial 0/1/1 (S0/1/1)
2811           Fast Ethernet 0/0 (Fa0/0)      Fast Ethernet 0/1 (Fa0/1)      Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)    Gigabit Ethernet 0/1 (G0/1)    Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An
example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be
used in Cisco IOS commands to represent the interface.
Device Configs
Note: ISR G2 devices have GigabitEthernet interfaces instead of FastEthernet interfaces.
R1 after Part 1
R1# show run
Building configuration...
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$9QsA$j3iPwiFWfyzf7aUTPCx4N1
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
password ciscoconpass
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password ciscovtypass
login
!
scheduler allocate 20000 1000
end
!
username admin privilege 15 secret 5 $1$4wFJ$kkMPfR018tmxyA.EYjzcL1
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip domain-name ccnasecurity.com
!
crypto pki trustpoint TP-self-signed-1177881728
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1177881728
revocation-check none
rsakeypair TP-self-signed-1177881728
!
crypto pki certificate chain TP-self-signed-1177881728
certificate self-signed 01
quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
password ciscoconpass
logging synchronous
login
line vty 0 4
exec-timeout 5 0
privilege level 15
login local
transport input ssh
line vty 5 15
transport input none
!
end
ip domain-name ccnasecurity.com
!
crypto pki trustpoint TP-self-signed-1177881728
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1177881728
revocation-check none
rsakeypair TP-self-signed-1177881728
!
crypto pki certificate chain TP-self-signed-1177881728
certificate self-signed 01
quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.3 255.255.255.0
no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
password ciscoconpass
logging synchronous
login
line vty 0 4
exec-timeout 5 0
privilege level 15
login local
transport input ssh
line vty 5 15
no login
!
end
rsakeypair TP-self-signed-1177881728
!
crypto pki certificate chain TP-self-signed-1177881728
certificate self-signed 01
quit
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
!
interface FastEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
switchport nonegotiate
storm-control broadcast level 50.00
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
exec-timeout 0 0
password ciscoconpass
logging synchronous
login
line vty 0 4
exec-timeout 5 0
privilege level 15
login local
transport input ssh
line vty 5 15
exec-timeout 0 0
no login
!
monitor session 1 source interface Fa0/5
monitor session 1 destination interface Fa0/6
end
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
shutdown
!
interface GigabitEthernet0/1
spanning-tree guard root
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
ip address 192.168.1.3 255.255.255.0
no ip route-cache
!
no ip http server
!
control-plane
!
!
line con 0
exec-timeout 0 0
password ciscoconpass
logging synchronous
login
line vty 0 4
exec-timeout 5 0
privilege level 15
login local
line vty 5 15
no login
!
end