
Friday 29 November 2013

How to Configure VLAN Trunking Protocol (VTP)

One of the biggest obstacles in maintaining VLANs across multiple switches is that you have to add, remove and manage VLANs separately on each switch. VLAN Trunking Protocol, also known as VTP, is a technology that propagates VLANs from a single switch to multiple switches in a server/client fashion. In this lab you will dive into the configuration needed to propagate VLANs from a single switch to multiple switches using VTP server and VTP client mode.

In the VTP world, the VTP server is the central point where VLANs for the network are managed. Every time you create a new VLAN on the VTP server, the VLAN is automatically propagated to the other switches in the same VTP domain. Think of a VTP domain as a single autonomous system: a collection of switches that share the same VLANs. For example, suppose you have a large campus network at a university, built on the three-layer model of core, distribution and access. In this design the distribution switch is the VTP server. In most cases the VTP server is a chassis switch or a switch stack, to provide redundancy for the access switches.

Creating a VLAN on the distribution switch makes it available to all of the access switches in the same VTP domain, for example the access switches on the different floors of the building, so in the example of one distribution switch and two access switches you do not have to create the VLAN on three different switches.

VTPv2 is common in large commercial and campus core networks. VTPv2 can carry up to 1005 VLANs; once you hit that ceiling you will need to migrate to VTP version 3, which allows propagation of VLANs up to 4095.

There are currently three VTP versions; VTP version 3 is fairly new and offers several major advantages over versions one and two.

VTP version 1 was the original release of this technology. It allows you to configure a switch as a VTP server, VTP client or VTP transparent switch (discussed in Lab 4-11), and on CatOS switches a VTP mode off that disables VTP completely.

VTP version 2 is not a lot different from v1; VTPv2 adds support for Token Ring VLANs and VTP pruning. If these features are not needed in your network there is no need to upgrade from version one to version two.

VTP version 3, on the other hand, has significant advantages over its predecessors. The two most useful features for a modern network are that VTPv3 supports the entire IEEE VLAN range 1-4095 and that it can also propagate private VLAN information. VTPv3 also gives better administrative control by letting you configure which devices in the VTP domain are allowed to update the VLAN database of the other devices. You can now enable or disable VTP on a per-trunk basis, and VTP servers are now split into primary and backup servers.

Now step back and ask yourself what happens if someone inserts a switch with the same VTP domain name but an entirely different VLAN database into the network. The answer is very simple: the VLAN database on every switch in the domain is replaced, so existing VLANs are pulled out, new ones are added, and so on. When a VLAN is deleted, the access ports assigned to that VLAN are shut down at that moment. All in all, if this happens on your watch and it is your fault, you had better update your resume.

But don't worry, there is hope!! A VTP password helps prevent a rogue VTP server switch from affecting the network. When a VTP password is used, a client accepts a switch as its VTP server only if the server's password matches the client's.

A VTP domain name can be anything unique, but there is one special domain name: the NULL domain. This domain name is basically no domain name at all; it is blank and represents the absence of a domain name. Once it has been changed, however, you cannot change it back to NULL.
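The following simulation is an added example written for this page, not code from the original post or from Cisco. It models the server/client propagation and the rogue-switch scenario described above: a client only takes a VLAN database from an advertisement whose domain name and password-derived digest match its own. The digest is a stand-in (an MD5 over the password and VLAN list); the real VTP summary advertisement uses a different MD5 construction, and VTP revision numbers are deliberately not modelled.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    """Minimal model of one switch's VTP state (constructed for this example)."""
    name: str
    mode: str = "server"                 # "server", "client" or "transparent"
    domain: str = ""                     # "" stands for the NULL domain
    password: str = ""
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> bool:
        # VLANs are created on servers; a client's database is only ever
        # updated from advertisements it receives.
        if self.mode == "client":
            return False
        self.vlans[vid] = name
        return True

    def _digest(self, vlans: dict) -> str:
        # Simplified integrity check: MD5 over the password and the VLAN list.
        # NOT the exact VTP computation, but it has the property that matters
        # here: without the password you cannot build an acceptable advertisement.
        body = json.dumps(vlans, sort_keys=True)
        return hashlib.md5((self.password + body).encode()).hexdigest()

    def advertise(self) -> dict:
        """Build the advertisement a server sends out on its trunks."""
        return {"domain": self.domain, "digest": self._digest(self.vlans),
                "vlans": dict(self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Apply an advertisement; returns True when the VLAN database changed."""
        if self.mode != "client":
            return False                 # transparent switches only forward VTP
        if adv["domain"] != self.domain:
            return False                 # different domain name: ignored
        if adv["digest"] != self._digest(adv["vlans"]):
            return False                 # password mismatch: ignored
        self.vlans = dict(adv["vlans"])
        return True


def lab_scenario(vtp_password: str = "Lab-Pass"):
    """Replays the lab (SW1 server, SW2/SW3 clients) and then a rogue server."""
    sw1 = VtpSwitch("SW1", "server", "CISCO", vtp_password)
    sw2 = VtpSwitch("SW2", "client", "CISCO", vtp_password)
    sw3 = VtpSwitch("SW3", "client", "CISCO", vtp_password)
    sw1.add_vlan(10, "Development")
    for sw in (sw2, sw3):
        sw.receive(sw1.advertise())
    results = {"propagated": sw2.vlans == sw3.vlans == {1: "default", 10: "Development"}}

    # A rogue switch with the same domain name but its own VLAN database and
    # the wrong VTP password: the clients ignore it and VLAN 10 survives.
    rogue = VtpSwitch("ROGUE", "server", "CISCO", "wrong", {1: "default", 99: "Rogue"})
    results["rogue_rejected"] = not sw2.receive(rogue.advertise())
    results["vlan10_still_present"] = 10 in sw2.vlans

    # The same rogue that knows the password is accepted, and VLAN 10 is gone:
    # the password is the control, so it has to be kept out of the wrong hands.
    rogue.password = vtp_password
    results["rogue_with_password_accepted"] = sw2.receive(rogue.advertise())
    results["vlan10_lost"] = 10 not in sw2.vlans
    return results


if __name__ == "__main__":
    for check, ok in lab_scenario().items():
        print(f"{check:32s} {ok}")
```

Run it as a script to see the five checks; the last two show why the text above insists on the VTP password being set and the same on every switch in the domain.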

In this lab, you will familiarize yourself with the following commands;

Lab Instruction:

Step 1. Configure SW1 as a VTP server and SW2 and SW3 as VTP clients. Set the VTP domain name to CISCO on all three switches.


Configure the VTP mode and VTP domain with the vtp mode <mode> and vtp domain <name> commands, as shown below. When setting the VTP domain, keep in mind that the VTP mode must be set before the domain if you are setting the domain on a client switch. If you later need to change the domain name and/or password on a client, you must set its VTP mode to transparent, change the name and/or password, and then switch it back to VTP client mode.

SW1 con0 is now available
Press RETURN to get started.
SW1>enable
SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vtp mode server
Device mode already VTP SERVER.
SW1(config)#vtp domain CISCO
Changing VTP domain name from NULL to CISCO
SW1(config)#

SW2 con0 is now available
Press RETURN to get started.
SW2>enable
SW2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#vtp domain CISCO
Domain name already set to CISCO.
SW2(config)#vtp mode client
Setting device to VTP CLIENT mode.

SW2(config)#

SW3 con0 is now available
Press RETURN to get started.
SW3>enable
SW3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#vtp domain CISCO
Domain name already set to CISCO.
SW3(config)#vtp mode client
Setting device to VTP CLIENT mode.

SW3(config)#

Step 2. Create VLAN 10 named Development on the VTP server and verify that it is correctly propagated to SW2 and SW3.


To accomplish this, you create the VLAN on the VTP server, in this case SW1. Create the VLAN as you would any other VLAN on a Cisco Catalyst series switch, as shown below;

SW1(config)#vlan 10
SW1(config-vlan)#name Development
SW1(config-vlan)#end
SW1#

How to Configure a Management VLAN Interface

In the switching world, the logical interface for a VLAN is called a switched virtual interface (SVI). You will see these interfaces when you configure a VLAN interface on a switch. You can configure them much like a FastEthernet interface: you can assign a VLAN interface an IP address, a bridge group, an interface description, and even quality of service policies.

A VLAN interface gives a layer 2 device the ability to communicate with devices at layer 3. Multilayer switches use VLAN interfaces to route between VLANs inside the switch; basically the switch is its own router on a stick, which is discussed in Lab 4-20. In multilayer switched networks, switches such as the Cisco 3550 and 3560 use the VLAN interface as the default gateway that host PCs and the other machines on the network use to reach other IP networks.

For example, a Cisco 3550 has VLAN 10 and VLAN 20, and their VLAN interfaces are assigned IP addresses from 192.168.10.0/24 and 192.168.20.0/24 respectively. When a PC in VLAN 10 needs to reach a PC in VLAN 20, it sends the traffic to its default gateway, the VLAN interface; the switch routes the data at layer 3 and then switches it at layer 2 within the new VLAN.

A layer 2 only switch can have only a single active VLAN interface at any given time; this interface is called the management VLAN interface. Layer 2 only Cisco switches include the Cisco 2900XL, 2950 and 2960.

In this lab, you will familiarize yourself with the VLAN interface configuration mode.

Lab Prerequisites:

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start devices R1 and SW1.
  • Establish console sessions to R1 and SW1 and configure the respective hostnames on the devices.
  • For verification purposes you will need a VTY line password configured on R1 and the IP address 10.1.1.1/24 assigned to R1's FastEthernet0/0 interface.
Lab Objectives:

  • Create VLAN 10 and name it Management.
  • Create the VLAN 10 interface and assign it the IP address 10.1.1.10/24.
  • Assign SW1's FastEthernet0/1 interface to VLAN 10.
  • Verify the management VLAN configuration by telnetting from R1 to the VLAN 10 IP address on SW1.
Lab Instruction:

To complete this lab you should be familiar with the commands required in the previous Free CCNA Workbook labs.

Step 1. Create VLAN 10 and name it Management.

SW1 con0 is now available
Press RETURN to get started.
SW1>enable
SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#name Management
SW1(config-vlan)#end
SW1#

Step 2. Create the VLAN 10 interface and assign it an IP address of 10.1.1.10/24.

To accomplish this you first enter global configuration mode, and then use the interface vlan <number> command to create the VLAN interface and enter interface configuration mode. Keep in mind that the VLAN interface number corresponds to the VLAN number: interface Vlan10 is used for VLAN 10, and interface Vlan20 for VLAN 20.

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface vlan10
SW1(config-if)#ip address 10.1.1.10 255.255.255.0
SW1(config-if)#no shut
SW1(config-if)#

Step 3. Assign the FastEthernet0/1 interface on SW1 to VLAN 10.

SW1(config-if)#interface FastEthernet0/1
SW1(config-if)#switchport access vlan 10
SW1(config-if)#no shut
SW1(config-if)#end
SW1#

Step 4. Verify the management VLAN configuration by telnetting from R1 to the VLAN 10 IP address on SW1.

R1#telnet 10.1.1.10
Trying 10.1.1.10 ... Open
User Access Verification
Password: 
SW1>

How to Create Virtual Local Area Networks (VLANs)

Real World Application & Core Knowledge:

Let's start off with the definition of a flat network. A flat network is a design where a network engineer daisy-chains hubs and/or switches together, without much thought, to create a single large network with hundreds, if not tens of thousands, of devices in a single subnet.

From a design point of view this is a crazy bad idea, because broadcast and control traffic can overwhelm the network. In real-world production multi-access networks (such as Ethernet) you will find that once a given subnet holds more than 400+ hosts, network performance can degrade. The most common network size is a /24 subnet mask, which provides 254 usable host IP addresses.

So how do you build a network larger than 400+ nodes? The answer is actually quite simple: a four-letter abbreviation called VLAN. In the simplest terms, a virtual local area network partitions a physical switch into multiple independent local area networks, so that traffic on one VLAN cannot communicate with another VLAN unless it goes through a router. A VLAN is easily explained as layer 2 isolation, and a subnet as layer 3 isolation, which will be discussed in Section 6.

The key factor in creating a layer 2 VLAN is controlling the size of a given network segment, in order to limit the broadcast and control traffic, and the exposure, on that segment.

If you are using the Free CCNA Workbook GNS3 topology, keep in mind that SW1, SW2 and SW3 are NM-16ESW switch modules installed in Cisco 3640 series routers. The configuration of this switch module differs from that of a Cisco Catalyst series switch. To configure VLANs on a router with an NM-16ESW module installed, you need to create the VLANs in VLAN database configuration mode. Keep in mind that VLAN database configuration mode is now deprecated on newer Cisco switches and Cisco IOS software; on those switches you now create VLANs in global configuration mode using the vlan <number> and name VLAN_NAME commands.

Also note that the verification commands on the NM-16ESW switch module are slightly different from those on a Catalyst switch running Cisco IOS. It is recommended to buy Cisco Catalyst 2950G, or preferably 3550, switches in order to familiarize yourself with the commands on the Catalyst switches.


In this lab, you will familiarize yourself with the following commands;

Lab Objectives:

  • On SW1, create 3 VLANs: name VLAN 10 Sales, VLAN 20 Development and VLAN 30 Marketing.
  • Assign interface Fa0/1 to VLAN 10, interface Fa0/2 to VLAN 20 and interface Fa0/3 to VLAN 30, then verify your configuration.


Lab Instruction:

Step 1. On SW1, create 3 VLANs: name VLAN 10 Sales, VLAN 20 Development and VLAN 30 Marketing.


To accomplish this using GNS3, navigate to VLAN database configuration mode with the vlan database command in privileged mode. In VLAN database configuration mode you can use the vlan <number> name <vlan_name> command to create a VLAN.

SW1 con0 is now available
Press RETURN to get started.
SW1>enable
SW1#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#name Sales
SW1(config-vlan)#vlan 20
SW1(config-vlan)#name Development
SW1(config-vlan)#vlan 30
SW1(config-vlan)#name Marketing
SW1(config-vlan)#end
SW1#

Step 2. Assign port Fa0/1 to VLAN 10, interface Fa0/2 to VLAN 20 and interface Fa0/3 to VLAN 30, then verify your configuration.

To assign a switch port to a specific VLAN, use the switchport access vlan <number> command in interface configuration mode. To verify your VLAN configuration, use the show vlan command in user or privileged mode on Catalyst series switches, or the show vlan-switch command on the NM-16ESW module, as shown below;

SW1#configure terminal
SW1(config)#interface Fa0/1
SW1(config-if)#switchport access vlan 10
SW1(config-if)#interface Fa0/2
SW1(config-if)#switchport access vlan 20
SW1(config-if)#interface Fa0/3
SW1(config-if)#switchport access vlan 30
SW1(config-if)#end
SW1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   Sales                            active    Fa0/1
20   Development                      active    Fa0/2
30   Marketing                        active    Fa0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
SW1#
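Verifying port-to-VLAN assignments by eye works for three ports, but not for a stack of 48-port switches. The parser below is an added example (not code from the page or from Cisco): it reads show vlan output, including the wrapped port lines, into a VLAN table, and checks it against the assignments expected in this lab. The sample output is the one from the lab above, embedded as a constructed string.

```python
import re

# Constructed from the 'show vlan' output in the lab above.
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   Sales                            active    Fa0/1
20   Development                      active    Fa0/2
30   Marketing                        active    Fa0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# A VLAN row starts with the VLAN id; the name and status are single tokens
# and whatever follows is the (possibly empty) first line of the port list.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _ports(fragment: str):
    return [p for p in fragment.replace(",", " ").split() if p]


def parse_show_vlan(text: str) -> dict:
    """Return {vlan_id: {"name", "status", "ports": [...]}}."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3),
                              "ports": _ports(m.group(4))}
        elif current is not None and line.startswith(" ") and line.strip():
            # Continuation line: IOS wraps long port lists under the Ports column.
            vlans[current]["ports"].extend(_ports(line))
    return vlans


def port_to_vlan(vlans: dict) -> dict:
    """Invert the table: {port: vlan_id}; a port appears in exactly one VLAN."""
    return {port: vid for vid, info in vlans.items() for port in info["ports"]}


def verify_assignments(vlans: dict, expected: dict) -> list:
    """List (port, expected_vlan, actual_vlan) for every port not as expected.

    actual_vlan is None when the port is absent from the table (trunk, shut, or
    a typo in the expectation), which is itself worth a second look.
    """
    mapping = port_to_vlan(vlans)
    return [(port, vid, mapping.get(port))
            for port, vid in expected.items() if mapping.get(port) != vid]


if __name__ == "__main__":
    table = parse_show_vlan(SAMPLE_SHOW_VLAN)
    problems = verify_assignments(table, {"Fa0/1": 10, "Fa0/2": 20, "Fa0/3": 30})
    print("mismatches:", problems or "none")
```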

How to Configure Cisco Discovery Protocol (CDP)

Real World Application & Core Knowledge:


Cisco Discovery Protocol is used every day by network engineers worldwide to record and understand the physical network topology without guesswork. CDP runs at layer 2 of the OSI model and exchanges information between most Cisco devices: IP addresses, the port identifiers of the physical link, the device's IOS version, device capabilities, and other details such as the native VLAN, duplex and VTP management domain.


In this lab, you will familiarize yourself with the following commands;

Lab Prerequisites:

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start devices R1 and SW1.
  • Establish console sessions to R1 and SW1 and configure the respective hostnames on the devices.
  • Configure the IP address 192.168.255.1/24 on R1's FastEthernet0/0 interface.
  • Configure the IP address 192.168.255.254/24 on SW1's Vlan1 interface.
Lab Objectives:

  • Using only R1, determine the IOS feature set and version that SW1 is running.
  • Using only SW1, determine the IP address of R1 as learned through CDP.
  • Using only R1, determine which port of R1 is connected to SW1.
  • Using only R1, determine the native VLAN and VTP domain of the switch port that R1 is directly connected to.
  • Clear the CDP table on R1 and verify that it has been cleared; afterwards verify that R1 relearns about SW1.
  • Change the default CDP timers on R1 and SW1 from 60 and 180 seconds to 15 and 45 seconds, and verify your configuration changes.
Step 1. Using only R1, determine the IOS feature set and version that SW1 is running. To determine this information, execute the show cdp neighbors detail command on R1 in user or privileged mode, as shown below.

As shown in the output above, the last lines for SW1 show it is running the Enterprise/FW/ID Plus IPSEC 3DES feature set, version 12.4(13a).

Step 2. Using only SW1, determine the IP address of R1 as learned through CDP. To obtain this information, use the show cdp neighbors detail command on SW1 in user or privileged mode, as shown below;

SW1#show cdp neighbors detail
-------------------------
Device ID: R1
Entry address(es): 
  IP address: 192.168.255.1
Platform: Cisco 3725,  Capabilities: Router Switch IGMP 
Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 168 sec
Version :
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version
12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 12:08 by prod_rel_team
advertisement version: 2
VTP Management Domain: ''
Duplex: full
SW1#

As shown in the output above, R1 has the IP address 192.168.255.1 assigned to the interface from which the CDP frame was sent.

Step 3. Using only R1, determine which port of R1 is connected to SW1. To obtain this information you can use either the show cdp neighbors or the show cdp neighbors detail command.

R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW1              Fas 0/0           125        R S I       3640      Fas 0/1
R1#
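CDP output is the raw material for topology inventories and for spotting unexpected neighbours, but it is meant for humans. The parser below is an added example (not code from the page or from Cisco) that turns show cdp neighbors detail output into structured records: device ID, addresses, platform, capabilities, local interface, remote port, holdtime, IOS image and version, VTP domain and duplex. The sample block is the SW1 output from Step 2, embedded as a constructed string.

```python
import re

# Constructed from the 'show cdp neighbors detail' output on SW1 in Step 2.
SAMPLE_CDP_DETAIL = """\
-------------------------
Device ID: R1
Entry address(es):
  IP address: 192.168.255.1
Platform: Cisco 3725,  Capabilities: Router Switch IGMP
Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 168 sec
Version :
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version
12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 12:08 by prod_rel_team
advertisement version: 2
VTP Management Domain: ''
Duplex: full
"""


def _parse_block(block: str) -> dict:
    def grab(pattern):
        m = re.search(pattern, block, flags=re.M)
        return m.group(1).strip() if m else None

    n = {"device_id": grab(r"^Device ID:\s*(.+)$")}
    n["ip_addresses"] = re.findall(r"^\s+IP address:\s*(\S+)", block, flags=re.M)
    n["platform"] = grab(r"^Platform:\s*([^,]+),")
    caps = grab(r"Capabilities:\s*(.+)$")
    n["capabilities"] = caps.split() if caps else []
    n["local_interface"] = grab(r"^Interface:\s*([^,]+),")
    n["remote_port"] = grab(r"Port ID \(outgoing port\):\s*(\S+)")
    holdtime = grab(r"^Holdtime\s*:\s*(\d+)")
    n["holdtime"] = int(holdtime) if holdtime else None
    # The version banner spans several lines between "Version :" and
    # "advertisement version"; collapse it so a single regex can read it.
    vm = re.search(r"^Version\s*:[^\n]*\n(.*?)^advertisement version",
                   block, flags=re.M | re.S)
    banner = " ".join(vm.group(1).split()) if vm else ""
    n["image"] = grab(r"\((C\S+?)\)")                  # e.g. C3725-ADVENTERPRISEK9-M
    vmatch = re.search(r"Version\s+([^\s,]+)", banner)
    n["ios_version"] = vmatch.group(1) if vmatch else None
    domain = grab(r"^VTP Management Domain:\s*(.*)$")
    n["vtp_domain"] = domain.strip("'") if domain is not None else None
    n["duplex"] = grab(r"^Duplex:\s*(\S+)")
    return n


def parse_cdp_detail(text: str) -> list:
    """Split the output on the dashed separators and parse each neighbour."""
    return [_parse_block(b) for b in re.split(r"^-{5,}\s*$", text, flags=re.M)
            if "Device ID:" in b]


def unexpected_neighbors(neighbors: list, allowed_ids: set) -> list:
    """Device IDs seen on the wire that are not on the known-device list."""
    return [n["device_id"] for n in neighbors if n["device_id"] not in allowed_ids]


if __name__ == "__main__":
    for n in parse_cdp_detail(SAMPLE_CDP_DETAIL):
        print(n["device_id"], n["ip_addresses"], n["local_interface"], "->",
              n["remote_port"], n["ios_version"], repr(n["vtp_domain"]))
```

Because CDP announces platform, IOS version and the VTP domain to anyone on the segment, the same parser that builds your inventory also tells you what an attached stranger learns; that is the usual argument for disabling CDP on ports facing untrusted devices.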

Step 4. Change the default CDP timers on R1 and SW1 from 60 and 180 seconds to 15 and 45 seconds, and verify your configuration changes. To make these changes, use the cdp timer and cdp holdtime global configuration commands. To verify the changes, use the show cdp command in user or privileged mode, as shown below;

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#cdp timer 15
R1(config)#cdp holdtime 45
R1(config)#end
%SYS-5-CONFIG_I: Configured from console by console         
R1#show cdp
Global CDP information:
Sending CDP packets every 15 seconds
Sending a holdtime value of 45 seconds
Sending CDPv2 advertisements is  enabled
R1#

Thursday 28 November 2013

How to Configure EXEC and Absolute Timeouts

Session timeouts are a common requirement of corporate security policies. Put simply, the exec timeout is the idle time after which an exec session is terminated. The default value is 10 minutes.

An absolute timeout, on the other hand, is the maximum amount of time a single session can remain established. So if you have an absolute timeout of 12 minutes, the session will be disconnected after 12 minutes even if the user is active.

An absolute timeout is sometimes used to force exec sessions on an access server to terminate after a specified period, whether or not they are idle.
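The difference between the two timers is easiest to see on a timeline. The function below is an added example written for this page (not code from the original post or from Cisco IOS): given the moments at which a user typed something, it computes when the line would be closed under an exec timeout, an absolute timeout, or both, treating 0 as "disabled" the way exec-timeout 0 0 does. The scenarios in lab_scenarios replay the two lab steps plus the active-user case from the text above.

```python
def session_close_time(keystrokes, exec_timeout=600, absolute_timeout=0):
    """Return (seconds_after_login, reason) at which the line is closed,
    or None if neither timer ever fires.

    keystrokes       -- seconds after login at which the user sent input
    exec_timeout     -- idle limit in seconds (IOS default 600 = 10 minutes);
                        0 disables it, as 'exec-timeout 0 0' does
    absolute_timeout -- hard session limit in seconds; 0 means not configured
    """
    # Login itself counts as activity at t = 0.
    events = [0.0] + sorted(float(t) for t in keystrokes)
    candidates = []
    if exec_timeout > 0:
        # The idle timer restarts at every keystroke; it fires at the first gap
        # longer than the limit (or after the last keystroke).
        for i, t in enumerate(events):
            following = events[i + 1] if i + 1 < len(events) else None
            if following is None or following - t > exec_timeout:
                candidates.append((t + exec_timeout, "exec-timeout"))
                break
    if absolute_timeout > 0:
        # The absolute timer never restarts: activity does not extend it.
        candidates.append((float(absolute_timeout), "absolute-timeout"))
    return min(candidates) if candidates else None


def lab_scenarios():
    """Constructed scenarios matching the two lab steps and the text above."""
    busy_user = list(range(10, 301, 10))          # types every 10 s for 5 minutes
    return {
        # Step 1: exec-timeout 1 (60 s), user logs in and goes idle
        "step1_idle": session_close_time([], exec_timeout=60),
        # Step 2: no exec-timeout, absolute-timeout 2 (120 s), user stays busy
        "step2_busy": session_close_time(busy_user, exec_timeout=0, absolute_timeout=120),
        # Both timers: an active user still hits the absolute limit first
        "both_active": session_close_time([30, 70], exec_timeout=60, absolute_timeout=120),
        # Both timers: an idle user hits the exec timeout first
        "both_idle": session_close_time([], exec_timeout=60, absolute_timeout=120),
        # Nothing configured and exec-timeout 0 0: the session never times out
        "never": session_close_time(busy_user, exec_timeout=0, absolute_timeout=0),
    }


if __name__ == "__main__":
    for name, outcome in lab_scenarios().items():
        print(f"{name:12s} {outcome}")
```

Note the "never" case: disabling the exec timeout without an absolute timeout leaves a forgotten VTY session open indefinitely, which is exactly what the policy described above is meant to prevent.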

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start device R1.
  • Establish a console session to R1 and configure the device hostname.
  • Create a loopback interface on R1 and assign it the IP address 10.1.1.1/32.
  • Create a privilege level 15 username and password, and configure the VTY lines to authenticate against the local database.

Configure a one minute exec timeout on R1's VTY lines 0 through 4 and verify your configuration by establishing a Telnet session to the Loopback0 interface IP address; once authenticated, wait one minute.
Configure a two minute absolute timeout on the VTY lines and remove the exec timeout previously configured on R1's VTY lines. Verify your configuration by establishing a Telnet session to the Loopback0 interface IP address and waiting two minutes. If configured correctly you will be disconnected automatically after 120 seconds.

Lab Instruction:

Step 1. Configure a one minute exec timeout on VTY lines 0 through 4 and verify your configuration by telnetting to the Loopback0 IP address, authenticating, then staying idle for 1 minute.

R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 4
R1(config-line)#exec-timeout 1
R1(config-line)#end
R1#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Username: 
Password: 
R1#
[Connection to 10.1.1.1 closed by foreign host]
R1#

Step 2. Configure a two minute absolute timeout on the VTY lines and remove the exec timeout previously configured on R1's VTY lines. Verify your configuration by establishing a Telnet session to the Loopback0 interface IP address and waiting two minutes. If configured correctly you will be disconnected automatically after 120 seconds.

R1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 4
R1(config-line)#no exec-timeout
R1(config-line)#absolute-timeout 2
R1(config-line)#end
R1#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Username: tom
Password: 
R1#
* Line timeout expired
[Connection to 10.1.1.1 closed by foreign host]
R1#

How to Configure Cisco IOS Web Server Authentication

Configuring Cisco IOS web server authentication (HTTP and HTTPS) is a common configuration on production network equipment, such as Cisco routers hosting the web-based device management interface Cisco Security Device Manager (SDM) or Cisco Catalyst switches hosting a web management interface, so that only authenticated users can use the web interface.

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start device R1.
  • Establish a console session to R1 and configure the device hostname.
  • If you are using GNS3 to complete this lab, an Ethernet NIO cloud needs to be connected to R1's FastEthernet1/0 interface. Refer to Lab 1-8 for configuring a GNS3 Ethernet NIO cloud.
  • Configure a local user account with privilege level 15 to be used for web authentication in this lab.
  • Configure R1's FastEthernet0/0 interface with a DHCP or static IP address from your local LAN, so you can reach the device with a web browser such as Internet Explorer or Firefox.
Lab Objectives:

  • Configure R1 to use the domain name "stubarea.NET".
  • Enable the Cisco IOS secure web server using the ip http secure-server global configuration command.
  • Configure Cisco IOS web services to authenticate against the local user database.
  • Verify your configuration by connecting to the FastEthernet0/0 IP address of the device with Internet Explorer or Firefox and logging in with the credentials configured in the lab prerequisites section.
Lab Instruction:

R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip domain-name stubarea.NET

Step 1. Enable the Cisco IOS secure web server by executing the ip http secure-server global configuration command, as shown below;

R1(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
%SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#

Step 2. Configure Cisco IOS web services to authenticate against the local user database, as shown below;

R1(config)#ip http authentication local

Step 3. Verify your configuration by connecting to the FastEthernet0/0 IP address of the device with Internet Explorer or Firefox and logging in with the credentials configured in the lab prerequisites section.



As shown in the image above, you will be prompted for a username and password. Provide the username and password created in the prerequisites. Once you have authenticated successfully you will see the following page;


How to Configure the Password Encryption Service

By today's standards, type 7 password encryption on Cisco devices is considered extremely weak. There are a lot of websites that provide a decryption script: you copy and paste the encrypted value produced by the password encryption service and it hands back the clear text.

This lab will teach you how to configure the password encryption service, which encrypts plaintext passwords on a Cisco router or switch using type 7 encryption.

While this encryption is very weak, the password encryption service is still useful to prevent a Peeping Tom looking over your shoulder from reading plaintext passwords when the configuration is displayed on the screen.

When you post a configuration online, delete the type 7 encrypted passwords before sharing it, because they can easily be cracked. Type 5 passwords use an MD5 hash value, which is a one-way (non-reversible) 128-bit algorithm. This password cannot be "decrypted" due to the nature of the algorithm. When you authenticate to a Cisco device with an MD5-format password, the device hashes the password you enter and matches the resulting string against the string stored in the configuration. If there is a match then authentication is successful; if not, your password is rejected.

In short, type 7 passwords are regarded as weak, and type 5 passwords are "uncrackable" per se.

Type 5 password hashes cannot be decrypted with a rainbow table. A type 5 password hash value is divided into 3 separate sections. Using the type 5 password hash found in this lab, $1 identifies a Cisco type 5 password, $ID2R is the "salt", and $2AKUK4US6yUQVkggSMkLV0 is the MD5 hash value calculated using the "salt". Cisco does not publish technically how the "salt" is used in the MD5 hashing, so it is "unknown".

A salt is used to ensure that the MD5 strings are unique; the salting function adds extra security to the MD5 hash. For example, say the actual password is Hello123. A simplified illustration would be to insert the randomly generated salt after the second character of the password, so that "He" + $SALT + "llo123" is what gets hashed, giving you a unique MD5 string. Ultimately the point I am trying to make is that the way Cisco uses the salt in these functions is proprietary. Keep in mind that the salt is randomly generated and stored together with the password hash, which makes it almost impossible to use even a rainbow table built for every standard MD5 value: because you do not know how the salt is used in the function, you cannot prepare a rainbow table for every possible password with every possible salt, and the salt is randomly generated each time the enable secret xxxx command is used on the Cisco device.

So when someone tells you that you can crack type 5 passwords with rainbow tables, that is not correct, because standard rainbow tables will not work: a standard rainbow table does not contain every possible MD5 hash value of the salted passwords that Cisco IOS can generate.
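Reviewing a configuration for weak credential storage is the practical upshot of the discussion above. The audit below is an added example written for this page (not code from the original post or from Cisco): it reads username and enable lines from a running configuration, classifies each stored credential as type 0 (cleartext), type 7 (reversible) or type 5 (salted MD5), splits the type 5 value into the $1, salt and hash sections described above, and suggests the secret keyword as the fix for the weak ones. The tom and john lines in the sample are from the lab; the other lines are constructed for the example.

```python
import re

# Constructed sample of 'show run | inc username|enable' output. The tom and
# john lines come from the lab; the jane and enable lines are made up.
SAMPLE_CONFIG = """\
username tom privilege 15 secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
username john privilege 15 password 7 106D000A0618
username jane privilege 15 password 0 Cisco
enable password Cisco
"""

PASSWORD_LINE = re.compile(
    r"^(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|enable)"
    r"\s+(?P<kw>secret|password)(?:\s+(?P<type>\d))?\s+(?P<value>\S+)$")

# Type 5 layout described in the text: $1$<salt>$<hash computed with the salt>
TYPE5 = re.compile(r"^\$1\$(?P<salt>[^$]+)\$(?P<hash>\S+)$")

SEVERITY = {"0": "critical", "7": "high", "5": "ok"}


def classify_line(line: str):
    """Return a finding dict for a credential line, or None for other lines."""
    m = PASSWORD_LINE.match(line.strip())
    if not m:
        return None
    # No type number after the keyword means the value is stored in the clear.
    ptype = m.group("type") or "0"
    finding = {
        "principal": m.group("user") or "enable",
        "keyword": m.group("kw"),
        "type": ptype,
        "severity": SEVERITY.get(ptype, "unknown"),
        "remediation": None,
    }
    if ptype == "5":
        t5 = TYPE5.match(m.group("value"))
        finding["salt"] = t5.group("salt") if t5 else None
        finding["hash"] = t5.group("hash") if t5 else None
    elif ptype == "7":
        finding["remediation"] = ("reversible type 7 value; re-enter the credential "
                                  "with the 'secret' keyword")
    else:
        finding["remediation"] = ("cleartext; re-enter the credential with the 'secret' "
                                  "keyword (service password-encryption only hides it "
                                  "from shoulder surfing)")
    return finding


def audit_config(text: str) -> list:
    """Findings for every credential line in the configuration, in file order."""
    return [f for f in (classify_line(l) for l in text.splitlines()) if f]


def summary(findings: list) -> dict:
    """Count findings per severity, e.g. {'ok': 1, 'high': 1, 'critical': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG)
    for f in findings:
        print(f"{f['severity']:8s} {f['principal']:6s} type {f['type']}  "
              f"{f.get('remediation') or 'salt=' + f['salt']}")
    print(summary(findings))
```

Run against a saved configuration this flags exactly the lines the text above says to strip before sharing a config: every type 7 and type 0 value, while type 5 entries are reported with their salt so you can confirm they differ per account.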

Step 1. Configure a local user account with the username tom and the secret Cisco;

R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username tom secret Cisco

Step 2. Configure a local user account with the username john and the password Cisco;

R1(config)#username john password Cisco

Step 3. Verify that the tom and john user accounts were created by viewing the running configuration. Tip: you can view only the username lines of the running configuration by using a regular expression, as follows;

R1(config)#do show run | inc username
username tom privilege 15 secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
username john privilege 15 password 0 Cisco
R1(config)#

Step 4. Enable the password encryption service by executing the service password-encryption command in global configuration mode, as shown below;

R1(config)#service password-encryption

Step 5. Verify that john's password is now encrypted by viewing the username lines in the running configuration, as shown below;

R1(config)#do show run | inc username
username tom privilege 15 secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
username john privilege 15 password 7 106D000A0618
R1(config)#

How to Configure VTY Line ACLs

It is a common security policy in production networks to use an access control list to specify that only a specific management subnet and/or management host may establish a remote management session to a network device.

This lab will teach you how to configure an ACL that controls which networks and/or hosts can establish an exec session through a VTY line for remote management.


  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start devices R1, R2, R3 and SW1.
  • Establish console sessions to R1, R2, R3 and SW1 and configure their respective hostnames.
  • Configure the IP address 10.1.1.1/24 on R1's FastEthernet0/0 interface.
  • Configure the IP address 10.1.1.2/24 on R2's FastEthernet0/0 interface.
  • Configure the IP address 10.1.1.3/24 on R3's FastEthernet0/0 interface.
  • Configure a local username and password with privilege level 15 on R1, to be used to authenticate VTY exec sessions.
  • Configure R1 to accept Telnet and SSH sessions.


Lab Objectives:

  • Create a named extended access list called VTY_ACCESS.
  • Deny Telnet access to the VTY lines from host 10.1.1.3.
  • Allow the network 10.1.1.0/24 to use Telnet or SSH.
  • Deny all other traffic and log the denied connection attempts.
  • Apply the access list to the VTY lines with the access-class command.
  • Verify your configuration and connectivity using R2 and R3.

One of the biggest new features in 12.3T and the mainline is the ability to use an extended access list to allow only specific traffic to connect to the VTY lines of a Cisco device with a specific protocol, i.e. Telnet or SSH exec sessions.

Step 1. Configure a named access list called VTY_ACCESS on R1;


R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list extended VTY_ACCESS
R1(config-ext-nacl)#

Step 2. Deny Telnet access to the VTY lines from host 10.1.1.3. To accomplish this, specify host 10.1.1.3 as the source and any eq telnet as the destination, as shown below;

R1(config-ext-nacl)#10 deny tcp host 10.1.1.3 any eq telnet

When traffic is destined to the device's control plane, the destination in the ACL is represented as 0.0.0.0/0, AKA any.

Step 3. Allow the network 10.1.1.0/24 to use Telnet or SSH. This requires two access list entries, one for Telnet (TCP port 23) and another for SSH (TCP port 22), as shown below;

R1(config-ext-nacl)#20 permit tcp 10.1.1.0 0.0.0.255 any eq 22
R1(config-ext-nacl)#30 permit tcp 10.1.1.0 0.0.0.255 any eq 23

Step 4. Deny all other traffic and log the denied connection attempts.

R1(config-ext-nacl)#500 deny ip any any log

Step 5. Apply the access list to the VTY lines with the access-class command.

R1(config-ext-nacl)#line vty 0 4
R1(config-line)#access-class VTY_ACCESS in
R1(config-line)#end
R1#

Step 6. Verify your configuration and connectivity using R2 and R3.

Before verifying connectivity from R2 and R3, first verify the access list on R1 with the show access-list command;

R1#show access-list
Extended IP access list VTY_ACCESS
10 deny tcp host 10.1.1.3 any eq telnet
20 permit tcp 10.1.1.0 0.0.0.255 any eq 22
30 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
500 deny ip any any log
R1#

After telnetting and SSHing from R2 and R3, you can verify that Telnet from R3 was rejected by executing the show access-list command in privileged mode on R1. This shows the hit count next to each access control list entry;

R1#show access-list
Extended IP access list VTY_ACCESS
10 deny tcp host 10.1.1.3 any eq telnet (1 match)
20 permit tcp 10.1.1.0 0.0.0.255 any eq 22 (4 matches)
30 permit tcp 10.1.1.0 0.0.0.255 any eq telnet (6 matches)
500 deny ip any any log
R1#

How to Configure Named Access Control Lists

Real World Application:

The main downfall of numbered access lists was the inability to edit a specific line in the list. Unfortunately the only way to do this was to edit the lines in a text editor, delete the ACL and re-add it completely. Numbered access lists can still be found in networks around the world, but engineers now commonly use named access lists, which at minimum allow on-the-fly editing of the ACL while remaining compatible. Another great advantage of a named ACL is the descriptive name: with an ACL named "VTY_ACCESS" it is pretty obvious that the ACL controls access to the vty lines.

Lab Objectives:

  • Configure a standard named access list called INSIDE_IN that permits only inbound access from 10.1.1.0/24, with an explicit deny at line 500 and the log statement. This access list is applied inbound on interface Fa0/1
  • Configure an extended named access list called OUTSIDE_IN that denies host 71.23.44.50 and host 204.221.190.5 eq www and permits all other traffic. This access list is applied inbound on interface FastEthernet0/0
Lab Instruction:

Named access lists are numbered access lists with the addition of a name and line numbers. You can now specify at which line to place an ACE in the ACL. For example, if you have an ACL with lines 5, 10, 15, 20, 25 and 30 and you need to insert a line between 10 and 15, you now have that capability without removing the entire access list. A new ACE is entered in named access list configuration mode by specifying the line number followed by the statement.

Step 1. The first objective is to create a standard named access list that permits only the network 10.1.1.0/24 and configures an explicit deny ACE at line 500 that logs all denied traffic. The syntax used to complete this objective is ip access-list standard ACLNAME, as shown below.


R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list standard INSIDE_IN
R1(config-std-nacl)#

In named access list configuration mode it is common to start each ACE with a specific line number. If no line number is specified, the ACE is placed at the bottom of the ACL. It is common to increment ACL line numbers by 5 or 10. Complete the first objective by configuring line 10 to permit 10.1.1.0/24 and line 500 to explicitly deny all other traffic with logging enabled.

R1(config-std-nacl)#10 permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)#500 deny any log

Now in order to apply this named access-list to an interface you must navigate to the correct interface and execute the ip access-group command followed by the ACL name and direction as shown below;

R1(config-std-nacl)#exit
R1(config)#int f0/1
R1(config-if)#ip access-group INSIDE_IN in

You can verify your access-list configuration by executing the show access-list command;

R1(config-if)#do show access-list
Standard IP access list INSIDE_IN
10 permit 10.1.1.0, wildcard bits 0.0.0.255
500 deny   any log
R1(config-if)#

As you can see there is plenty of room between line 10 and the explicit deny at line 500 to inject additional access control entries at a later time.
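To make the editing behaviour concrete, here is an added example (my own Python, not code from the Free CCNA Workbook or from IOS) that models how a named ACL assigns sequence numbers: an ACE entered without a number is appended as the last number plus 10, a numbered ACE is inserted at that position, and ip access-list resequence renumbers the list. The address 10.1.1.66 and host 10.1.2.1 are constructed for the illustration. It also shows the trap the spacing in this lab is meant to help you avoid: an entry that lands below the explicit deny, or below a broader permit, is never evaluated.

```python
from typing import Dict, List, Tuple


class NamedAcl:
    """Constructed model of IOS named-ACL sequence numbering (not IOS code): an ACE
    entered without a number is appended at the bottom as last-number + 10, and an ACE
    entered with a number is placed at that position, so lines can be inserted anywhere."""

    def __init__(self, name: str):
        self.name = name
        self.entries: Dict[int, str] = {}

    def add(self, text: str) -> int:
        first, _, rest = text.partition(" ")
        if first.isdigit():
            seq, ace = int(first), rest
        else:
            seq, ace = max(self.entries, default=0) + 10, text
        if seq in self.entries:
            raise ValueError(f"{self.name}: sequence {seq} already in use")
        self.entries[seq] = ace
        return seq

    def remove(self, seq: int) -> None:
        """'no <seq>' in named-ACL mode deletes one ACE and leaves the rest untouched."""
        del self.entries[seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Same effect as 'ip access-list resequence NAME start step'."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: ace for i, ace in enumerate(ordered)}

    def show(self) -> List[str]:
        """Render in sequence order, the way 'show access-list' lists the entries."""
        return [f"{s} {self.entries[s]}" for s in sorted(self.entries)]


def edit_inside_in() -> Tuple[List[str], List[str]]:
    """Start from the INSIDE_IN list built in Step 1, then edit it in place."""
    acl = NamedAcl("INSIDE_IN")
    acl.add("10 permit 10.1.1.0 0.0.0.255")
    acl.add("500 deny any log")
    # A host exception must sit ABOVE line 10: first match wins, so at line 15 it would
    # never be evaluated for a 10.1.1.0/24 source. 10.1.1.66 is a constructed address.
    acl.add("5 deny host 10.1.1.66")
    # Without a number the ACE lands at 510, below the explicit deny, where it is unreachable.
    acl.add("permit host 10.1.2.1")
    before = acl.show()
    acl.remove(510)
    acl.add("20 permit host 10.1.2.1")   # re-enter it above the deny instead
    acl.resequence(10, 10)
    return before, acl.show()
```

The `before` list is what you would see after the careless edits, with line 510 sitting under the deny; the second list is the corrected, resequenced ACL.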

Step 2. Configure an extended named access list called OUTSIDE_IN that denies host 71.23.44.50 and host 204.221.190.5 eq www and permits all other traffic. This access list is applied inbound on interface Fa0/0;

R1(config-if)#exit
R1(config)#ip access-list extended OUTSIDE_IN
R1(config-ext-nacl)#10 deny ip host 71.23.44.50 any
R1(config-ext-nacl)#20 deny tcp host 204.221.190.5 any eq www
R1(config-ext-nacl)#500 permit ip any any

Now apply the newly created extended named access list inbound on R1's FastEthernet0/0 interface, as follows;

R1(config-ext-nacl)#exit
R1(config)#int f0/0
R1(config-if)#ip access-group OUTSIDE_IN in

To verify your access list configuration, execute the show access-list OUTSIDE_IN command from privileged mode, or from configuration mode using do, as shown below;

R1(config-if)#do sh access-list OUTSIDE_IN
Extended IP access list OUTSIDE_IN
10 deny ip host 71.23.44.50 any
20 deny tcp host 204.221.190.5 any eq www
500 permit ip any any
R1(config-if)#

How to Configure Numbered ACLs

Real World Application:

Access control lists are the foundation of all network security. ACLs on a device control traffic and prevent unwanted traffic from a specific source reaching a specific destination. This lab discusses and demonstrates numbered access lists, which are no longer as common because of the advantages of the newer named access lists. The biggest downfall of numbered access lists involves editing: you cannot assign a line number to a specific ACE (access control entry), so editing a numbered ACL can be time-consuming.


However, as a Cisco network engineer you will still see numbered access lists in the field, from older deployments or from engineers who do not know the newer way of configuring ACLs. No matter what, numbered access lists remain a CCNA certification objective.

Lab Prerequisites:

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start devices R1, R2 and SW1.
  • Establish a console session with devices R1 and R2.
  • Configure R1's FastEthernet0/0 interface with the IP address 10.1.1.1/24 and R2's FastEthernet0/0 interface with 10.1.1.2/24.
  • Verify that you can ping R2's Ethernet interface from R1, and vice versa, before starting this lab.
Lab Instruction:

There are several different specific ranges of numbered access-list used to perform different types of access control as shown below from the Cisco CLI context sensitive help;


R1(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <2700-2799>       MPLS access list
  <300-399>         DECnet access list
  <600-699>         Appletalk access list
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

Step 1. To complete this lab, you first need to create a standard numbered access list. Referring to the context-sensitive help you'll notice that standard IP access lists use numbers between 1 and 99. You can choose your own number to accomplish this objective, but for demonstration purposes we will use the number 50. The objective is to block inbound access from host 10.1.1.2 on R1's FastEthernet0/0 interface but permit all other traffic, as shown in the example;

R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 50 deny host 10.1.1.2
R1(config)#access-list 50 permit any

Now that the numbered access-list is created you need to apply it in the ingress direction of interface Fa0/0 on Router 1 as shown below;

R1(config)#interface fa0/0
R1(config-if)#ip access-group 50 in

You can verify your configuration by pinging R1's Fa0/0 interface from R2; as a prerequisite you should have been able to ping this IP prior to applying the access-list. Now, if configured correctly, your pings will be unreachable;

R2>ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2>

You can also verify that the access list works by executing the show access-list command in privileged mode on R1. As shown below, you will notice that the hit count on the first ACE is 8;

R1(config-if)#end
R1#show access-list
Standard IP access list 50
10 deny   10.1.1.2 (8 matches)
20 permit any
R1#

Change the IP address on R2's FastEthernet interface to 10.1.1.3/24 and test your access-list again to ensure traffic not sourced from 10.1.1.2/32 is permitted;

R2>enable
R2#configure terminal
R2(config)#interface fa0/0
R2(config-if)#ip add 10.1.1.3 255.255.255.0
R2(config-if)#end
R2#

Step 2. Now it's time to create an extended numbered access list. As previously shown in the CLI context-sensitive help, extended access lists are numbered 100 to 199, with an expanded range that Cisco added for both standard and extended numbered access lists. In this objective you need to create an access list that blocks Telnet traffic outbound on R1's Fa0/0 interface to the host 10.1.1.3 and permits all other traffic. Because Telnet is TCP communication, the ACE needs to match TCP traffic only, specifically traffic to the destination host with destination port 23 (Telnet), as shown below;

R1#configure terminal
R1(config)#access-list 150 deny tcp any host 10.1.1.3 eq telnet 
R1(config)#access-list 150 permit ip any any

This access list now needs to be applied in the outbound direction on R1's Fa0/0 interface;

R1(config)#interface fa0/0
R1(config-if)#ip access-group 150 out

Because of the way Cisco devices source traffic from themselves, this objective cannot be tested unless another network and a static route are configured, which will be discussed in a later section. Traffic originated by the router itself is not processed by outbound access lists. However, any Telnet traffic from another network to host 10.1.1.3 that traverses the router will be dropped.

Inbound and outbound access lists can both be configured on a Cisco device; think of the router as the traffic police, deciding which traffic is authorized to pass and which gets knocked into the bucket.

A general rule of thumb when dealing with access lists: for the most effective placement, extended access lists should be placed as close to the source as possible and standard access lists as close to the destination as possible.

Also bear in mind that there is an implicit deny at the end of every access list, meaning you do not have to configure a deny statement; it is the same as having "deny any" at the end of the access list. Therefore, by default, unless you permit traffic it will be dropped. Engineers often place an explicit deny statement with the log keyword at the end of an access list as a troubleshooting method, so that denied traffic is logged.
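The following added example (my own Python, not part of the original labs) models the evaluation rules the named and numbered ACL labs above rely on: wildcard-mask matching, first match wins, per-entry hit counters like those printed by show access-list, and the implicit deny, which increments no counter. It replays VTY_ACCESS from the vty lab and access-list 50 from this lab against constructed traffic; 192.0.2.9 is a constructed outside address, and the Packet model carries only the fields the ACEs on this page inspect.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}    # IOS port keywords used on this page
PROTOCOLS = ("ip", "tcp", "udp", "icmp")
ANY = ("0.0.0.0", "255.255.255.255")                 # 'any' as (base address, wildcard)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[str, str]        # (base, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None
    log: bool = False
    matches: int = 0            # what 'show access-list' prints as "(n matches)"

def parse_ace(text: str) -> Ace:
    """Parse an ACE as 'show access-list' prints it, e.g. '10 deny tcp host 10.1.1.3 any eq telnet'."""
    tok = text.split()
    seq, action = int(tok.pop(0)), tok.pop(0)
    proto = tok.pop(0) if tok[0] in PROTOCOLS else "ip"   # standard ACEs carry no protocol

    def address() -> Tuple[str, str]:
        word = tok.pop(0)
        if word == "any":
            return ANY
        if word == "host":
            return tok.pop(0), "0.0.0.0"
        return word, (tok.pop(0) if tok and tok[0][0].isdigit() else "0.0.0.0")

    src = address()
    # A standard ACE (access-list 50 above) matches on source only, so its destination is 'any'.
    dst = address() if tok and tok[0] not in ("eq", "log") else ANY
    dport = None
    if tok and tok[0] == "eq":
        dport = PORT_NAMES.get(tok[1]) or int(tok[1])
        del tok[:2]
    return Ace(seq, action, proto, src, dst, dport, log=bool(tok) and tok[0] == "log")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, *ace.src)
            and wildcard_match(pkt.dst, *ace.dst)
            and (ace.dport is None or ace.dport == pkt.dport))

class Acl:
    def __init__(self, name: str, lines: List[str]):
        self.name = name
        self.aces = sorted((parse_ace(line) for line in lines), key=lambda a: a.seq)

    def evaluate(self, pkt: Packet) -> str:
        """First matching ACE wins. Falling off the end is the implicit deny, which
        increments no counter; that is why the labs add '500 deny ... log' explicitly."""
        for ace in self.aces:
            if ace_matches(ace, pkt):
                ace.matches += 1
                return ace.action
        return "deny"

    def hit_counts(self) -> dict:
        return {ace.seq: ace.matches for ace in self.aces}

# ACLs copied from the labs above; the traffic below is constructed, not captured from a device.
VTY_ACCESS = Acl("VTY_ACCESS", [
    "10 deny tcp host 10.1.1.3 any eq telnet",
    "20 permit tcp 10.1.1.0 0.0.0.255 any eq 22",
    "30 permit tcp 10.1.1.0 0.0.0.255 any eq telnet",
    "500 deny ip any any log",
])
ACL_50 = Acl("50", ["10 deny host 10.1.1.2", "20 permit any"])

def vty_decisions() -> dict:
    """Exec-session attempts against R1's vty lines (control-plane address 10.1.1.1)."""
    attempts = {
        "R3 telnet": Packet("10.1.1.3", "10.1.1.1", "tcp", 23),
        "R3 ssh": Packet("10.1.1.3", "10.1.1.1", "tcp", 22),
        "R2 telnet": Packet("10.1.1.2", "10.1.1.1", "tcp", 23),
        "outside ssh": Packet("192.0.2.9", "10.1.1.1", "tcp", 22),   # caught by line 500
    }
    return {name: VTY_ACCESS.evaluate(pkt) for name, pkt in attempts.items()}

def acl50_decisions() -> dict:
    """Pings arriving inbound on R1 Fa0/0 before and after R2 is readdressed to 10.1.1.3."""
    return {src: ACL_50.evaluate(Packet(src, "10.1.1.1", "icmp")) for src in ("10.1.1.2", "10.1.1.3")}
```

After `vty_decisions()` runs, `VTY_ACCESS.hit_counts()` shows one match on every line including 500, which is exactly the counter the lab tells you to read off with show access-list; remove line 500 and the outside SSH attempt is still dropped, but nothing records it.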

How to Configure SSH Access

Real World Application:

Telnet does not cut it when it comes to secure remote management of a production network. As you are aware, Telnet does not encrypt its payload, so anyone on the wire can sniff, capture and reconstruct the Telnet session; the password it carries becomes a major loophole, as does any other confidential information transmitted over the Telnet protocol.

This known problem with Telnet was resolved with the introduction of Secure Shell, also known as SSH.


SSH in a nutshell is basically Telnet with encryption that securely packages the payload so that sniffing this sort of traffic is fruitless. SSH can use different encryption algorithms, from the Data Encryption Standard (DES) all the way up to AES 256-bit CBC.

Lab Prerequisites:

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start R1.
  • Establish a console session with Router 1.
  • Create and configure a loopback interface with the IP address 10.1.1.1/24
  • To establish a remote SSH session via the VTY lines you need to create a username and password in the local user database.
  • Configure the VTY lines to authenticate against the local database. (Note that you can use login local or an AAA authentication list for this purpose)
Lab Instruction:

Step 1. A general requirement for generating RSA keys is that the hostname must be changed from the default "Router". In this case use R1, as shown below;


Router con0 is now available
Press RETURN to get started.
Router>enable
Password: 
Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#

Step 2. Another requirement before generating RSA keys on a Cisco device is to set the domain name. For the purposes of this lab the domain name is set to freeccnaworkbook.com, which is why the key name in the next step appears as R1.freeccnaworkbook.com (hostname.domain), as shown below;

R1(config)#ip domain-name freeccnaworkbook.com

Step 3. Now you're ready to generate the RSA key pair. To generate RSA keys, execute the crypto key generate rsa general-keys modulus keysize command, where keysize is in the range [360-2048]. As shown below, a 1024-bit modulus is used to generate the RSA keys;

R1(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.freeccnaworkbook.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled

You will notice that immediately after generating the RSA keys, SSH v1.99 is enabled. Note that the larger the key size, the longer it takes to generate.

Once SSH v1.99 is enabled, you can use the SSH v2 protocol to connect to the Cisco device from a remote terminal emulator such as PuTTY, SecureCRT and others; HyperTerminal is excluded as it does not support encrypted connections.

Step 5. Configure the VTY lines to accept only the SSH protocol by executing the transport input ssh command in vty line configuration mode, as shown;

R1(config)#line vty 0 4
R1(config-line)#transport input ssh

Step 6. Verify your SSH configuration using the Cisco IOS SSH client by SSHing to the router's loopback interface 10.1.1.1

Minimal documentation exists about the Cisco IOS SSH client. Use the Cisco IOS context-sensitive help (ssh ?) to see the ssh command options that are available.

R1(config-line)#end
R1#ssh -l john 10.1.1.1
Password:
R1#show ssh
Connection Version Mode Encryption  Hmac       State            Username
0          1.99    IN   aes128-cbc  hmac-sha1  Session started  john
0          1.99    OUT  aes128-cbc  hmac-sha1  Session started  john
%No SSHv1 server connections running.
R1#
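As an added example (not from the lab or from Cisco), the Python below parses the show ssh output from Step 6, using a constructed copy of those lines, and flags what a hardening review would note: version 1.99 means the server still negotiates SSHv1 alongside v2, and ip ssh version 2 restricts it to v2; CBC-mode and 3DES ciphers and MD5 or truncated MACs are legacy choices. The cipher and MAC lists are my own review criteria, not an IOS setting.

```python
from typing import Dict, List

# Constructed copy of the 'show ssh' output from Step 6 above (not captured live).
SHOW_SSH = """\
Connection Version Mode Encryption  Hmac       State            Username
0          1.99    IN   aes128-cbc  hmac-sha1  Session started  john
0          1.99    OUT  aes128-cbc  hmac-sha1  Session started  john
%No SSHv1 server connections running.
"""


def parse_show_ssh(text: str) -> List[Dict[str, str]]:
    """One dict per session row; the header and '%' status lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].isdigit():
            continue
        # State may be several words ("Session started"), so unpack it as the middle remainder.
        conn, version, mode, enc, mac, *state, user = parts
        sessions.append({"conn": conn, "version": version, "mode": mode,
                         "encryption": enc, "hmac": mac,
                         "state": " ".join(state), "user": user})
    return sessions


def audit_ssh(sessions: List[Dict[str, str]]) -> List[str]:
    """Flag settings a hardening review would call out on the sessions seen.
    The cipher/MAC criteria below are the reviewer's, not an IOS list."""
    findings = []
    for s in sessions:
        tag = f"conn {s['conn']} {s['mode']} ({s['user']})"
        if s["version"] != "2.0":
            findings.append(f"{tag}: version {s['version']}; the server still offers SSHv1, "
                            "restrict it with 'ip ssh version 2'")
        if s["encryption"].startswith("3des") or s["encryption"].endswith("-cbc"):
            findings.append(f"{tag}: {s['encryption']} is a legacy cipher; prefer CTR or GCM "
                            "suites where the IOS image supports them")
        if s["hmac"] in ("hmac-md5", "hmac-md5-96", "hmac-sha1-96"):
            findings.append(f"{tag}: {s['hmac']} is a weak MAC")
    return findings
```

Running `audit_ssh(parse_show_ssh(SHOW_SSH))` on the lab output produces four findings, two per direction of the one session: the 1.99 version and the CBC cipher. After ip ssh version 2 the Version column reads 2.0 and the first finding disappears.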

Configuring AAA Authentication via TACACS+

Real World Application:

No network engineer wants to spend countless hours maintaining hundreds of local user accounts on Cisco devices. This problem was recognized many, many years ago and resolved with AAA. With AAA you can configure a Cisco router or switch to authenticate against a centralized user database. Cisco sells a solution known as Cisco ACS (Access Control Server), typically used in networks with more than 50 nodes, to provide centralized authentication, authorization and accounting services for network equipment.

Please note that the content of this lab is not part of the CCNA (640-802) exam objectives; however, the material can be found in the new CCNA Security certification (exam 840-553). This lab was created to provide you with a basic understanding of AAA, which is typically used in production networks for authentication, authorization and accounting.

Lab Prerequisites:
  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start R1.
  • Establish a console session with Router 1.
  • Complete Lab 3-3 before attempting this lab.
  • Create a local user account with privilege level 15 and a password.
Lab Instruction:

Step 1. First you need to configure the TACACS+ server host address and key by executing tacacs-server host x.x.x.x key keygoeshere, as shown below;

Router con0 is now available
Press RETURN to get started.
Router>enable
Router#configure terminal
Router(config)#tacacs-server host 10.1.1.20 key Password!

Step 2. Now configure an AAA login authentication list named CONSOLE_AUTH that authenticates to the TACACS+ server first and falls back to the local user database for fault tolerance in the event of a server failure. In the previous lab, 3-2, the AuthType was local. The methods in aaa authentication login LISTNAME AUTHTYPE are listed in order from first to last, so to make the list try the TACACS+ server before the local database, specify group tacacs+ before local.

To complete the second objective, authenticating to the TACACS+ server and then falling back to the local database if the server fails, define the CONSOLE_AUTH login authentication list from Lab 3-2 with group tacacs+ local and apply it to the console line, as shown below;

Router(config)#aaa authentication login CONSOLE_AUTH group tacacs+ local
Router(config)#line con 0
Router(config-line)#login authentication CONSOLE_AUTH

You will not be able to verify actual authentication against the TACACS+ server, because there is no TACACS+ server in this lab. You can download a trial copy of Cisco ACS and build a server to authenticate Cisco equipment, but that is beyond the scope of CCNA and CCNA Security. For verification purposes, use the privilege level 15 username and password created in the local database as a prerequisite.

Router con0 is now available
Press RETURN to get started.
User Access Verification
Username: john
Password: 
Router>
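The fallback rule deserves a precise statement, because it is often misread: IOS moves to the next method in the list only when the current method returns an error (the TACACS+ server cannot be reached); a reject from a reachable server is final and does not fall through to the local database. The Python below is an added example (not code from the lab or from IOS) that models CONSOLE_AUTH = group tacacs+ local with a constructed stand-in for the server at 10.1.1.20 and constructed usernames and passwords.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Method results as IOS treats them: PASS and FAIL end the list; only ERROR (the method
# could not get an answer, e.g. the server is unreachable) moves on to the next method.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[[str, str], str]

LOCAL_USERS: Dict[str, str] = {"john": "LocalPassw0rd"}   # constructed local database


@dataclass
class TacacsServer:
    """Constructed stand-in for the host at 10.1.1.20; no real TACACS+ packets are sent."""
    users: Dict[str, str]
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(user) == password else FAIL


def local_method(users: Dict[str, str]) -> Method:
    """The 'local' method: look the user up in the device's own username database."""
    return lambda user, password: PASS if users.get(user) == password else FAIL


def run_method_list(methods: List[Method], user: str, password: str) -> str:
    """Evaluate a method list such as 'group tacacs+ local' in order."""
    for method in methods:
        result = method(user, password)
        if result != ERROR:
            return result   # a definite PASS or FAIL never falls through to the next method
    return FAIL             # every method errored: nobody vouched for the user


def console_auth(server_reachable: bool, user: str, password: str) -> str:
    """CONSOLE_AUTH = group tacacs+ local, with the server holding a different password
    from the local database so the two sources can be told apart."""
    server = TacacsServer(users={"john": "ServerPassw0rd"}, reachable=server_reachable)
    return run_method_list([server.authenticate, local_method(LOCAL_USERS)], user, password)
```

With the server up, only the server's password for john works; the local password is rejected because the server answered. With the server down, the local password is the one that works, which is the fault-tolerance case this lab sets up.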

How to Configuring AAA Authentication Lists

Real World Application and Core Knowledge:

This is a very simple concept; most companies with several Cisco devices use RADIUS or TACACS+ for user authentication and authorization, with local authentication used only as a backup method when communication with the AAA server fails. AAA servers, whether TACACS+ or RADIUS, provide a centralized point of management for controlling authentication and authorization on Cisco or other vendors' devices, and they are used not only for administrative access but for other authentication methods as well (such as remote-access and SSL VPN, 802.1X and proxy authentication).

Please note that the objective of this lab is not part of the CCNA (640-802) exam objectives; however, the material can be found in the new CCNA Security certification (exam 840-553). This lab was created to provide you with a basic understanding of AAA, which is typically used in production networks for authentication, authorization and accounting.

When you configure aaa new-model, authorization is not configured by default; therefore, on newer IOS images, a privilege level 15 user account logging in to a Cisco router or switch will not automatically be placed in privileged mode as it would with the older non-AAA local authentication methods. To resolve this you need to add an AAA authorization statement for the console, by executing the aaa authorization console global configuration command.

The same concept applies to exec authorization on the VTY lines: you need to configure a default exec authorization list that authorizes via the local database, which is done with the aaa authorization exec default local global configuration command. If you are using a TACACS+ or RADIUS server, the authorization list will authorize against the server database, with local in place as the fallback when the server group fails.


Note that once aaa new-model is enabled, if you save your configuration without a username and/or the default authentication lists, you will lock yourself out of the device and will have to perform password recovery.

Lab Objectives:

  • Enable AAA by executing the aaa new-model command in global configuration mode.
  • Configure an AAA login authentication list named CONSOLE_AUTH that authenticates to the local database only.
  • Configure the console line to authenticate using the CONSOLE_AUTH authentication list you created
  • Verify your configuration by logging completely out of the router and back in.
Lab Instruction:

Step 1. Enable AAA with the aaa new-model global configuration mode command. This enables the new authentication methods and disables the legacy authentication methods (such as line passwords).

Router con0 is now available
Press RETURN to get started.
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#aaa new-model

Step 2. Configure an AAA login authentication list named CONSOLE_AUTH that authenticates to the local database only.
The syntax to configure an AAA login authentication list is aaa authentication login LISTNAME AUTHTYPE.
For this objective CONSOLE_AUTH is the name of the list and the authentication type is local, as shown below;

Router(config)#aaa authentication login CONSOLE_AUTH local

Step 3. Now you are ready to configure the console line to authenticate users attempting an exec session against the AAA login authentication list you just created. This is done with a single command in line configuration mode, login authentication LISTNAME

Router(config)#line con 0
Router(config-line)#login authentication CONSOLE_AUTH

Step 4. Verify your configuration by logging completely out of the router console and back in. If correctly configured you should now be prompted for a username and password, as shown below;

Router(config-line)#end
Router#exit
Router con0 is now available
Press RETURN to get started.
User Access Verification
Username: john
Password: 

Configuring Local User Authentication

Real World Application:

Usually more than one user will access and configure a Cisco device; hence the need for different user credentials on Cisco devices, as different individuals with different administrative responsibilities require different levels of access.


This lab will discuss and demonstrate local user account profile requirements.

Lab Prerequisites:


  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start R1.
  • Establish a console session with Router 1.
  • Configure interface Loopback0 with the host address 10.1.1.1
Lab Objectives:




  • Configure a user account with the username Tom and the password Cisco$123 and assign privilege level 15 to this user.
  • Configure a user account with the username Sally and the password LetMeSee! and assign privilege level 1 to this user.
  • Configure VTY lines 0 through 4 to authenticate incoming exec sessions against the local user database, using the login local command in line configuration mode.
  • Verify your configuration using reverse Telnet to interface Loopback0.
Lab Instruction:

Step 1. The first objective is to create a user account with the username Tom and the password Cisco$123 and grant this user privilege level 15.


Router con0 is now available
Press RETURN to get started.
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#username tom privilege 15 secret Cisco$123

Step 2. Create a user account with the username of Sally and password of LetMeSee! and grant this user level 1 privileges.

Router(config)#username sally privilege 1 secret LetMeSee!

Creating a user account with privilege level 15 places the user in privileged mode after successful authentication, so the user does not need to provide an enable password. Use caution when assigning privilege level 15.

Step 3. Configure VTY lines 0 through 4 to authenticate incoming exec sessions against the local user database. This is done by executing login local in line configuration mode.

Router(config)#line vty 0 4
Router(config-line)#login local

Step 4. Verify your configuration using reverse Telnet to interface Loopback0. You will be prompted for a username and password, and after successful authentication you should be granted an exec shell session: in user mode if you log in as Sally, or in privileged mode if you log in as Tom, as shown below;

Router(config-line)#end
Router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Username: tom
Password: 
Router#

Configuring Basic Password Authentication

Real World Application:

Security is of the utmost importance in production networks, especially Internet-facing networks. Not securing your Cisco routers or switches exposes your network to a virtually unlimited number of risks. This lab will teach you the basics of password authentication in Cisco IOS software to secure your Cisco routers and switches.

Lab Prerequisites:
  • If you are using GNS3, load the Free CCNA Workbook topology and start R1.
  • Establish a console session with Router 1.
Lab Objectives:

  • Configure the console line password so that any attempt to establish a console session to the device prompts for a password. When you are finished, verify your configuration.
  • Configure the VTY line 0 password so that any attempt to establish a Telnet/SSH session to the device prompts for a password. When you are finished, verify your configuration.
  • Configure the enable password and enable secret. When you are finished, verify the configuration.
  • Configure the auxiliary (AUX) line password so that anyone trying to establish an AUX session to your device (router) is prompted for a password.
Lab Instruction:

Step 1. To meet the first objective, console password protection, you first need to navigate to console line configuration mode, as shown below;


         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

Router>enable
Router#configure terminal
Router(config)#line console 0
Router(config-line)#

Once in console line configuration mode you can execute password passwordgoeshere to set the password; as shown below, the password is set to Cisco123;

Router(config-line)#password Cisco123

Just setting the password does not enable password authentication. You need to tell the router to prompt incoming sessions on the console line for a password. This is done by executing the login command in line configuration mode, see below;

Router(config-line)#login

Now you can test the exec password on your console line, but first you have to end your session by typing end and then exit, and then attempt to establish a new exec session from the console, as shown below;

Router(config-line)#end
Router#exit
Router con0 is now available
Press RETURN to get started.
User Access Verification
Password: 
Router>

Step 2. Now it's time to configure the VTY (virtual teletype) lines. VTY lines are virtual lines used to create exec sessions via Telnet or SSH. You apply passwords to these lines in the same way you did to the console, as shown below;

Router>enable
Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#password Cisco321
Router(config-line)#login

Note that in this example the password is set to Cisco321, just to show that you can have a different password per line. To verify this configuration you would typically need an Ethernet connection to your device, so you will need to assign an IP address to an interface. For example, assign 10.1.1.1 to interface loopback0, as follows;

Router(config-line)#interface lo0
Router(config-if)#ip add 10.1.1.1 255.255.255.255
Router(config-if)#end
Router#

With the vty line password configured, you can telnet to your local interface to start a Telnet exec session, as shown below;

Router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:
Password: 
Router>

As you can see you are prompted for the VTY line password. If you enter the console line password you will be denied access, but when you enter the vty line password you are authorized to start an exec session, as shown above.

Once you establish a Telnet session to the router, try to gain privileged access. You will notice immediately that you are prompted for an enable password, and since one is not set you cannot access privileged mode.

Router>enable
Password: 
Password: 
Password: 
% Bad passwords

Router>
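The password and secret commands in these last two labs store credentials very differently, and this is the kind of thing an audit script should check: enable password, username ... password and line password values are stored in cleartext (type 0) or, with service password-encryption, as type 7, which is reversible, whereas enable secret and username ... secret store a one-way hash. The Python below is an added example (my own code, not from the workbook) that scans a constructed running-config assembled from the commands in these labs and reports those settings, plus any vty line that still accepts Telnet, which the SSH lab above replaced with transport input ssh.

```python
from typing import List

# Constructed running-config excerpt assembled from the commands in the labs above;
# not a capture from a real device. The 'legacy' user is invented to show the weak form.
RUNNING_CONFIG = """\
hostname R1
enable password Cisco123
username tom privilege 15 secret Cisco$123
username sally privilege 1 secret LetMeSee!
username legacy password OldPassw0rd
line con 0
 password Cisco123
 login
line vty 0 4
 password Cisco321
 login
 transport input telnet ssh
"""


def audit_config(config: str) -> List[str]:
    """Report credential and transport settings that leave management access weak."""
    findings = []
    section = "global"
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if not raw.startswith(" "):              # a top-level line opens a new section
            section = " ".join(tokens) if tokens[0] == "line" else "global"
        if tokens[:2] == ["enable", "password"]:
            findings.append("global: 'enable password' is cleartext or type 7 (reversible); "
                            "use 'enable secret'")
        elif tokens[0] == "username" and "password" in tokens:
            findings.append(f"global: username {tokens[1]} uses 'password' (reversible); use 'secret'")
        elif section != "global" and tokens[0] == "password":
            findings.append(f"{section}: line password is cleartext or type 7; "
                            "prefer 'login local' or an AAA authentication list")
        elif (section != "global" and tokens[:2] == ["transport", "input"]
              and {"telnet", "all"} & set(tokens[2:])):
            findings.append(f"{section}: Telnet is accepted on this line; use 'transport input ssh'")
    return findings
```

On the constructed config this yields five findings: the enable password, the legacy username, the two line passwords, and the vty transport that still admits Telnet. The tom and sally accounts from the local-user lab pass because they use secret.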
