CCNA Security [210-260]
Day 1:
Lab 1: Enabling Services (Telnet, SSH, HTTP) for Remote Access
Lab 2: Application of ACL (Standard, Extended & Named)
Lab 3: Routing Protocol Authentication (RIPv2, EIGRP, OSPF, BGPv4)
Lab 1:
1. Enable basic routing between R1, R2 and R3 [Static/Default/RIP/EIGRP/OSPF].
Now we can remotely control R3 from R1 & R2 by Telnet, SSH & HTTP.
======================================================
Lab 2:
Task: Block R2 from accessing R3, but R1 will still be able to access R3.
Standard ACL [it can permit or deny traffic based only on the source
address(es)]:
access-list 10 deny host 10.2.2.2
access-list 10 deny host 10.1.1.2
access-list 10 permit any
Create an extended access-list [block R2 for Telnet access & block R1 for
SSH, allow all other services]:
access-list 101 deny tcp host 10.1.1.2 host 10.2.2.1 eq 23
access-list 101 deny tcp host 10.2.2.1 host 10.2.2.1 eq 23
access-list 101 deny tcp host 10.1.1.1 host 10.2.2.1 eq 22
access-list 101 permit ip any any
Named ACL: the created policies can be edited at any time (entries added or
removed by sequence number) as the requirement changes.
We are going to do the same task with a named extended ACL, i.e. block R2 for
Telnet access & block R1 for SSH, allow all other services.
conf t
ip access-list extended ABC
no 10
no 20
no 30
10 deny tcp host 10.1.1.2 host 10.2.2.1 eq 22
20 deny tcp host 10.2.2.1 host 10.2.2.1 eq 22
30 deny tcp host 10.1.1.1 host 10.2.2.1 eq 23
Verification: Check Telnet, SSH & HTTP connectivity from R1 & R2, &
check the hits in ACL (show access-list).
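As an added example (not part of the lab notes), a small Python evaluator for the two numbered ACLs above that applies IOS first-match semantics and the implicit deny at the end of every list, so the effect on the lab's hosts can be predicted before the list is applied on R3. The ACL lines are copied from the lab; the `evaluate` helper and the packet tuple it takes are my own construction.

```python
import ipaddress

# ACL lines copied from the lab above (standard ACL 10, extended ACL 101).
ACL_10 = [
    "access-list 10 deny host 10.2.2.2",
    "access-list 10 deny host 10.1.1.2",
    "access-list 10 permit any",
]
ACL_101 = [
    "access-list 101 deny tcp host 10.1.1.2 host 10.2.2.1 eq 23",
    "access-list 101 deny tcp host 10.2.2.1 host 10.2.2.1 eq 23",
    "access-list 101 deny tcp host 10.1.1.1 host 10.2.2.1 eq 22",
    "access-list 101 permit ip any any",
]

def _addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') and return
    (match_fn, remaining_tokens). Wildcard masks must be contiguous."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        net = ipaddress.ip_network(tokens[1] + "/32")
        return (lambda ip: ipaddress.ip_address(ip) in net), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return (lambda ip: ipaddress.ip_address(ip) in net), tokens[2:]

def parse_ace(line):
    """Parse one access-list entry. Numbers 1-99 are standard (source only);
    100-199 are extended (protocol, source, destination, optional 'eq PORT')."""
    t = line.split()
    number, action, rest = int(t[1]), t[2], t[3:]
    if number <= 99:
        src, rest = _addr(rest)
        return {"action": action, "proto": "ip", "src": src,
                "dst": lambda ip: True, "dport": None}
    proto, rest = rest[0], rest[1:]
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, src, dst, proto="ip", dport=None):
    """IOS semantics: the first matching entry wins; no match means implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):      # 'ip' entries match any protocol
            continue
        if ace["src"](src) and ace["dst"](dst) and ace["dport"] in (None, dport):
            return ace["action"]
    return "deny"
```

Running `evaluate(ACL_10, "10.1.1.2", "10.2.2.1")` shows that ACL 10 as written also denies 10.1.1.2, which is worth checking against the task statement before applying it.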
======================================================
Lab 3: Routing Protocol Authentication
Lab 3.1: RIPv2 [Clear-Text Authentication]
Enable RIPv2 between R1, R2 & R3.
R1:
key chain RIPkey
key 1
key-string cisco123
interface GigabitEthernet0/0
ip rip authentication key-chain RIPkey
R2:
key chain RIPkey
key 1
key-string cisco123
interface GigabitEthernet0/0
ip rip authentication key-chain RIPkey
interface GigabitEthernet0/1
ip rip authentication key-chain RIPkey
R3:
key chain RIPkey
key 1
key-string cisco123
interface GigabitEthernet0/0
ip rip authentication key-chain RIPkey
In the above output you can now see the aut value set to 2, indicating
MD5 authentication, followed by the keyid of 1.
Take special note of this value, as it will be important in the next step.
You can use different keys in between R1 & R2; and R2 & R3.
Verification:
R1#debug eigrp packet
Output (example):
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK,
STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
Feb 1 12:35:20.583: EIGRP: Sending HELLO on Gi0/0 - paklen 60
Feb 1 12:35:20.583: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
Feb 1 12:35:20.583: {type = 2, length = 40}
Feb 1 12:35:20.583: {vector = {
Feb 1 12:35:20.583: {00020010 00000001 00000000 00000000 00000000 E9DDCD9F F0D68CAF 5A4CEBD4}
Feb 1 12:35:20.583: {12C14427}
Feb 1 12:35:20.583: }
Feb 1 12:35:20.583: {type = 1, length = 12}
Feb 1 12:35:20.583: {vector = {
Feb 1 12:35:20.583: {01000100 0000000F}
Feb 1 12:35:20.583: }
Feb 1 12:35:20.583: {type = 4, length = 8}
Feb 1 12:35:20.583: {vector = {
Feb 1 12:35:20.583: {08000200}
Feb 1 12:35:20.583: }
Feb 1 12:35:21.535: EIGRP: received packet with MD5 authentication, key id = 1
Feb 1 12:35:21.535: EIGRP: Received HELLO on Gi0/0 - paklen 60 nbr 136.1.13.3
Feb 1 12:35:21.535: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 1 12:35:21.535: {type = 2, length = 40}
Feb 1 12:35:21.535: {vector = {
Feb 1 12:35:21.535: {00020010 00000001 00000000 00000000 00000000 63697363 6F313233 6B657900}
Feb 1 12:35:21.535: {00000000}
Feb 1 12:35:21.535: }
Feb 1 12:35:21.535: {type = 1, length = 12}
Feb 1 12:35:21.535: {vector = {
Feb 1 12:35:21.535: {01000100 0000000F}
Feb 1 12:35:21.539: }
Feb 1 12:35:21.539: {type = 4, length = 8}
Feb 1 12:35:21.539: {vector = {
Feb 1 12:35:21.539: {05020300}
Feb 1 12:35:21.539: }
Feb 1 12:35:24.947: EIGRP: Sending HELLO on Gi0/0 - paklen 60
Feb 1 12:35:24.947: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
Feb 1 12:35:24.947: {type = 2, length = 40}
Feb 1 12:35:24.947: {vector = {
Feb 1 12:35:24.947: {00020010 00000001 00000000 00000000 00000000 E9DDCD9F F0D68CAF 5A4CEBD4}
Feb 1 12:35:24.947: {12C14427}
Feb 1 12:35:24.947: }
Feb 1 12:35:24.947: {type = 1, length = 12}
R2>en
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router bgp 65539
R3(config-router)#neighbor 10.1.1.1 remote-as 65539
R3(config-router)#neigh 10.1.1.1 update-source loo0 [create loopback address 3.3.3.3 first]
BGP Authentication:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router bgp 65539
R1(config-router)#neighbor 10.2.2.1 password ciscoBGP
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router bgp 65539
R3(config-router)#neighbor 10.1.1.1 password ciscoBGP
R3(config-router)#end
Verification:
Now clear the BGP process to reset the neighbor and negotiate authentication.
R3#clear ip bgp *
Feb 1 12:53:34.743: %BGP-5-ADJCHANGE: neighbor 10.1.1.1 Down User reset
Feb 1 12:53:34.743: %BGP_SESSION-5-ADJCHANGE: neighbor 10.1.1.1 IPv4 Unicast topology base removed from session User reset
Feb 1 12:53:35.663: %BGP-5-ADJCHANGE: neighbor 150.1.1.1 Up
As you can see, the neighbor came back up. Now let's verify that authentication is in use.
R1#sh ip bgp neighbors | in BGP
BGP neighbor is 10.2.2.1, remote AS 65539, internal link
BGP version 4, remote router ID 10.2.2.1
BGP state = Established, up for 00:06:23
BGP table version 1, neighbor version 1/0
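As an added example (not from the lab), the RFC 2385 TCP MD5 signature that `neighbor ... password` turns on, computed in Python over a constructed SYN from R1 (10.1.1.1) to R3 (10.2.2.1) on port 179; the helper names, source port and sequence number are my own assumptions. The receiver-side check shows why the string must be identical on both peers: a peer configured with a different password rejects the segment, and the session never reaches Established.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP = 6
OPTIONS_LEN = 20   # kind 19, len 18, 16-byte digest, padded with NOPs to 4 bytes

def build_tcp_header(sport, dport, seq, ack, flags, window=16384):
    """Fixed 20-byte TCP header; data offset covers the MD5 option, checksum 0."""
    data_offset = (20 + OPTIONS_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password):
    """RFC 2385: MD5 over (1) the pseudo-header, (2) the fixed TCP header with
    checksum zero and options excluded, (3) the segment data, (4) the key."""
    seg_len = len(tcp_header) + OPTIONS_LEN + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + password.encode()).digest()

def verify_segment(src_ip, dst_ip, tcp_header, payload, received, password):
    """Receiver-side check with a constant-time compare; True only on a match."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password)
    return hmac.compare_digest(expected, received)

# Constructed sample: R1 opens the BGP session to R3 (addresses from the lab).
SRC, DST = "10.1.1.1", "10.2.2.1"
HEADER = build_tcp_header(sport=54321, dport=179, seq=1000, ack=0, flags=0x02)
PAYLOAD = b""   # a SYN carries no BGP data

def demo():
    """Sign with the sender's password, then verify with a matching and a
    mismatched receiver password (the lab's ciscoBGP vs. ciscoBGPpass)."""
    sent = tcp_md5_digest(SRC, DST, HEADER, PAYLOAD, "ciscoBGP")
    same = verify_segment(SRC, DST, HEADER, PAYLOAD, sent, "ciscoBGP")
    different = verify_segment(SRC, DST, HEADER, PAYLOAD, sent, "ciscoBGPpass")
    return same, different

if __name__ == "__main__":
    print(demo())   # (True, False)
```

On IOS the mismatch case surfaces as a %TCP-6-BADAUTH log message on the receiving router, which is the first thing to look for when the neighbor stays in Active after a password change.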