
Lab 3-1 Enhancing the Security of the Initial Configuration

Task 1: Add Password Protection

Step 2:
Enter this sequence of commands into the Branch router:

Branch>enable
Branch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Branch(config)#line console 0
Branch(config-line)#password cisco
Branch(config-line)#login

Step 3:
You will be asked for the password that you configured in the previous step.

Branch(config-line)#end
Branch#exit

Branch con0 is now available

Press RETURN to get started.


User Access Verification

Password: cisco
Branch>

Step 4:

Branch>enable
Branch#show running-config | section line con
line con 0
exec-timeout 60 0
password cisco
logging synchronous
login

Step 5:
Enter the following command sequence into the Branch router:

Branch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.


Branch(config)#username ccna secret cisco


Branch(config)#line console 0
Branch(config-line)#login local

Step 6:
You will be asked for a username and password. Enter the credentials that you created in the previous step.

Branch(config-line)#end
Branch#exit

Branch con0 is now available


Press RETURN to get started.
User Access Verification
Username: ccna
Password: cisco
Branch>

Step 7:
Note that the password is encrypted, not stored in cleartext. You could use the service password-encryption command to encode cleartext passwords, but the encryption that command applies is weak.

Branch#show running-config | section username


username ccna secret 5 $1$w0Z7$bHhgCAXtLexdTxFqk2Ufn1

Step 8:
Enter this sequence of commands into the Branch router:

Branch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Branch(config)#line vty 0 4
Branch(config-line)#login local
Branch(config-line)#exit
Branch(config)#

Step 9:
Enter the appropriate credentials to log into the Branch router. Exit the Telnet session.

PC1>telnet 10.1.1.1
Trying 10.1.1.1 ... Open

User Access Verification


Username: ccna
Password: cisco
Branch>exit


[Connection to 10.1.1.1 closed by foreign host]


PC1>

Step 10:
Enter this command on the Branch router:

Branch(config)#enable secret cisco


Branch(config)#exit
Branch#
*Mar 20 17:16:24.300: %SYS-5-CONFIG_I: Configured from console by ccna on console
Branch#

Step 11:

Branch#disable
Branch>enable
Password:cisco
Branch#

Step 12:
Enter this command on the Branch router:

Branch#copy running-config startup-config


Destination filename [startup-config]? <Enter>
Building configuration...


[OK]

Step 13:

Branch#show running-config | section enable


enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY

Step 14:
Enter this sequence of commands on SW1:

SW1(config)#enable secret cisco


SW1(config)#username ccna secret cisco
SW1(config)#line console 0
SW1(config-line)#login local
SW1(config-line)#line vty 0 4
SW1(config-line)#login local

Step 15:

SW1(config-line)#end
SW1#exit

SW1 con0 is now available

Press RETURN to get started.


User Access Verification


Username: ccna
Password: cisco
SW1>

Step 16:
Enter this command on the SW1 switch:

SW1#copy running-config startup-config


Destination filename [startup-config]? <Enter>
Building configuration...
[OK]

Step 17:

SW1>enable
Password: cisco
SW1#

Step 18:
Enter the appropriate credentials to log into the switch. Exit the Telnet session.

PC1>telnet 10.1.1.11
Trying 10.1.1.11 ... Open


User Access Verification


Username: ccna
Password: cisco
SW1>exit

[Connection to 10.1.1.11 closed by foreign host]


PC1>

Task 2: Enable SSH Remote Access

Step 1:
Enter this sequence of commands on the Branch router:

Branch(config)#ip domain-name cisco.com


Branch(config)#crypto key generate rsa
The name for the keys will be: Branch.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]


Branch(config)#line vty 0 4
Branch(config-line)#transport input ssh
Branch(config-line)#exit
Branch(config)#ip ssh version 2

Step 2:
Enter this command on the Branch router:

Branch#copy running-config startup-config


Destination filename [startup-config]? <Enter>
Building configuration...
[OK]

Step 3:
Enter this sequence of commands on the SW1 switch:

SW1(config)#ip domain-name cisco.com


SW1(config)#crypto key generate rsa
The name for the keys will be: SW1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024


% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]


SW1(config)#line vty 0 4
SW1(config-line)#transport input ssh
SW1(config-line)#ip ssh version 2

Step 4:

PC1>telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection refused by remote host
PC1>

Step 5:
Leave the connection open for the next step.

PC1#ssh -l ccna 10.1.1.1


Password: cisco
Branch>

Step 6:

Branch>show users

    Line       User       Host(s)              Idle       Location
   0 con 0     ccna       idle                 00:24:52
   2 vty 0     ccna       idle                 00:00:00 10.1.1.100

  Interface    User               Mode         Idle     Peer Address

Branch>exit
PC1>

Step 7:

PC1>ssh -l ccna 10.1.1.11


Password: cisco
SW1>

Step 8:
Enter this command on the SW1 switch:

SW1#copy running-config startup-config


Destination filename [startup-config]? <Enter>
Building configuration...
[OK]

Task 3: Limit Remote Access to Selected Network Addresses

Step 1:
Enter this sequence of commands on the SW1 switch:

SW1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

SW1(config)#access-list 1 permit host 10.1.1.1


SW1(config)#access-list 1 deny any log

Step 2:

SW1(config)#line vty 0 4
SW1(config-line)#access-class 1 in

Step 3:
You should not be successful, because the ACL that you defined allows only the Branch router to establish sessions to switch SW1.

PC1>ssh -l ccna 10.1.1.11


% Connection refused by remote host
PC1>

Step 4:
You should be successful.

Branch#ssh -l ccna 10.1.1.11


Password: cisco
SW1>exit

[Connection to 10.1.1.11 closed by foreign host]


Branch#
Exit the SSH session from the SW1 switch.

Step 5:

Notice that the counters for both the permit and deny statements increased. If you did not define an explicit deny statement, a remote session from PC1 would still be denied, but you would not be able to see counters for denied remote session attempts.

SW1#show access-lists
Standard IP access list 1
    10 permit 10.1.1.1 (2 matches)
    20 deny   any log (1 match)

The number of matches shown is typical. However, your values may be larger if you attempted the SSH connection more than once.

Step 6:
Enter this command on the SW1 switch:

SW1#copy running-config startup-config


Destination filename [startup-config]? <Enter>
Building configuration...
[OK]

Task 4: Configure a Login Banner

Step 1:
Enter the following command on the Branch router:

Branch(config)#banner login #
Enter TEXT message.  End with the character '#'.
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
***********************************************#
Branch(config)#

Step 2:
Notice the login banner that you were presented with as you logged in.

Branch#logout

Branch con0 is now available

Press RETURN to get started.

********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
***********************************************
User Access Verification
Username: ccna
Password: cisco

Step 3:
Enter this command on the Branch router:

Branch#copy running-config startup-config


Destination filename [startup-config]? <Enter>
Building configuration...
[OK]

Step 4:
Enter the following command on the SW1 switch:

SW1(config)#banner login #
Enter TEXT message.  End with the character '#'.
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
***********************************************#
SW1(config)#

Step 5:
Notice the login banner that you were presented with as you logged in.

SW1#logout

SW1 con0 is now available

Press RETURN to get started.

********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
***********************************************

User Access Verification


Username: ccna
Password:
SW1>

Step 6:
Enter this command on the SW1 switch:

SW1>enable
Password:cisco
SW1#copy running-config startup-config
Destination filename [startup-config]? <Enter>
Building configuration...
[OK]
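
The settings configured in Tasks 1 to 4 can be checked offline against a saved running-config. The Python script below is an added example, not part of the lab: the sample config and its placeholder hashes are constructed, and the names `sections` and `audit` are hypothetical. Besides the lab's own settings, it flags a line `password` that remains stored after `login local` is set, and type 4 secrets such as the one shown in Task 1, Step 13.

```python
import re

# Constructed sample running-config (not captured from a device); hashes are placeholders.
SAMPLE = """\
enable secret 4 PLACEHOLDERHASH
username ccna secret 5 PLACEHOLDERHASH
ip ssh version 2
access-list 1 permit host 10.1.1.1
line con 0
 password cisco
 login local
line vty 0 4
 access-class 1 in
 login local
 transport input telnet ssh
"""

def sections(cfg):
    """Map each top-level command to its indented sub-commands."""
    out, cur = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        text = " ".join(line.split())  # collapse runs of spaces ("deny   any")
        if line[0] != " ":
            cur = text
            out[cur] = []
        elif cur:
            out[cur].append(text)
    return out

def audit(cfg):
    """Return findings for the settings Tasks 1-4 of the lab configure."""
    sec, f = sections(cfg), []
    for need in ("enable secret ", "ip ssh version 2", "banner login "):
        if not any(t.startswith(need) for t in sec):
            f.append(f"missing: {need.strip()}")
    # Cisco has deprecated type 4 secrets as weak against brute force.
    f += [f"type 4 secret: {t.split(' secret')[0]}" for t in sec
          if re.match(r"(enable|username \S+) secret 4 ", t)]
    for name, sub in [(n, s) for n, s in sec.items() if n.startswith("line ")]:
        if "login local" not in sub:
            f.append(f"{name}: login local missing")
        if any(s.startswith("password ") for s in sub):
            f.append(f"{name}: line password still stored")
        if name.startswith("line vty"):
            if "transport input ssh" not in sub:
                f.append(f"{name}: transport input is not ssh-only")
            acl = next((s.split()[1] for s in sub if s.startswith("access-class ")), None)
            if f"access-list {acl} deny any log" not in sec:
                f.append(f"{name}: no access-class ACL ending in 'deny any log'")
    return f
```

Run `audit()` on the text of `show running-config` saved from each device; an empty list means every check passed.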
