Cisco Networking/CCENT/Security
This lesson covers network device security (passwords, SSH, line access) and switch port security (port security, unused ports, VLAN assignment).
Objectives and Skills
Objectives and skills for the security portion of Cisco CCENT certification include:[1]
- Configure and verify network device security features
- Device password security
- Enable secret vs. enable
- Transport
- Disable telnet
- SSH
- VTYs
- Physical security
- Service password
- Describe external authentication methods
- Configure and verify switch port security
- Sticky mac
- MAC address limitation
- Static/dynamic
- Violation modes
- Err disable
- Shutdown
- Protect restrict
- Shutdown unused ports
- Err disable recovery
- Assign unused ports in unused VLANs
- Putting Native VLAN to other than VLAN 1
Readings
- Wikipedia: Network security
- Wikipedia: Access control
- Wikipedia: MAC filtering
- Cisco: How to secure your Cisco Catalyst switch
- Cisco: Security Checklist
Multimedia
Examples
Device Security
- Review Cisco Networking/CCENT/IOS Basics#Password Configuration
- Review Cisco Networking/CCENT/Remote Management#Line Configuration
- Review Cisco Networking/CCENT/Remote Management#Interface Configuration
- Review Cisco Networking/CCENT/Remote Management#SSH Configuration
Port Security Configuration
Note: The following commands are not supported by NM-16ESW network modules. See Cisco: EtherSwitch Network Module 802.1x Authentication for an alternative. Port security is included in the Cisco CCENT exam, but 802.1x implementation is not.
switchport port-security
To enable port security on an interface, use the switchport port-security command in interface configuration mode.[2]
switchport port-security
switchport port-security mac-address
To add a MAC address to the list of secure MAC addresses, use the switchport port-security mac-address command in interface configuration mode.[3] MAC addresses are entered in Cisco's dotted hexadecimal format (H.H.H); the address below is an example value only.
switchport port-security mac-address { <mac-addr> | sticky [<mac-addr>] [ vlan <vlan> [voice] | <vlan-list> ] }
switchport port-security mac-address 1a6f.7c8e.2a3a
switchport port-security mac-address default
switchport port-security maximum
To set the maximum number of secure MAC addresses on a port, use the switchport port-security maximum command in interface configuration mode.[4]
switchport port-security maximum <maximum> [ vlan <vlan> | <vlan-list> ]
switchport port-security maximum 1
switchport port-security violation
To set the action to be taken when a security violation is detected, use the switchport port-security violation command in interface configuration mode.[5]
switchport port-security violation { shutdown | restrict | protect }
switchport port-security violation shutdown
switchport port-security violation restrict
switchport port-security violation protect
show port-security
To display port-security settings for an interface or for the switch, use the show port-security command in privileged EXEC mode (show commands are not entered in global configuration mode).[6]
show port-security [interface interface_id] [address]
show port-security
show port-security interface fastethernet 1/1
show port-security address
Command Sequence
A command sequence to configure port security might be similar to the following. Port security only works on ports that are in access (or trunk) mode, not in the default dynamic mode, and it is not active until switchport port-security itself is entered, so both of those commands come before the sticky, maximum and violation settings.
enable
configure terminal
interface range fa1/0 - 15
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation restrict
exit
exit
show port-security
show port-security address
exit
Activities
- Configure and verify device security.
- Add a router, an EtherSwitch router, and four VPCS PCs to a new GNS3 project and start the devices.
- Add links to connect the following.
- R1 FastEthernet0/0 <-> ESW1 FastEthernet1/0
- PC1 Ethernet0 <-> ESW1 FastEthernet1/1
- PC2 Ethernet0 <-> ESW1 FastEthernet1/2
- PC3 Ethernet0 <-> ESW1 FastEthernet1/3
- PC4 Ethernet0 <-> ESW1 FastEthernet1/4
- Set the following IP addresses, subnet masks, and default gateways for the switch and PCs.
- R1 FastEthernet0/0: 192.168.1.1 255.255.255.0
- ESW1 VLAN1: 192.168.1.10 255.255.255.0 192.168.1.1
- PC1 Ethernet0: 192.168.1.11 255.255.255.0 192.168.1.1
- PC2 Ethernet0: 192.168.1.12 255.255.255.0 192.168.1.1
- PC3 Ethernet0: 192.168.1.13 255.255.255.0 192.168.1.1
- PC4 Ethernet0: 192.168.1.14 255.255.255.0 192.168.1.1
- Add username and password security to the console, aux, and vty lines, add a password to protect global configuration mode, and encrypt all passwords on both routers using the following commands.
enable
configure terminal
username
line
login local
enable secret
service password-encryption
- Allow only SSH connections to the vty lines of both routers using the following commands.
hostname
ip domain-name
crypto key generate rsa
ip ssh version 2
line vty 0 4
transport input ssh
- Verify the configuration on both routers using the following command.
show running-config
- Exit the router console session and open the console again to test the configuration.
- Exit the router console session and open a console on the aux line to test the configuration.
- Test vty configuration using the following command to verify that telnet access is no longer supported.
telnet
- Test vty configuration using the following command to remotely manage one router from the other.
ssh
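The following is an added worked example, not part of the original lesson or of Cisco's documentation, showing the device-security steps above carried out in full on R1 (the same commands apply to ESW1). The host name, domain name, user name and secrets are placeholders chosen for this lab, and the 5-minute exec-timeout on each line is an extra hardening step the activity does not ask for.

```cisco
! Added worked example (not from the original lesson). Names, domain and
! secrets below are placeholders (assumptions for the lab).
enable
configure terminal
hostname R1
! Local user database. "secret" stores a hash; "password" would store it
! in clear text (or type 7, which is trivially reversible).
username admin privilege 15 secret Adm1n-Lab-Passw0rd
! Protect privileged EXEC. "enable secret" is hashed; "enable password" is not,
! and enable secret wins if both are configured.
enable secret En4ble-Lab-Secret
! Obfuscate any remaining clear-text passwords in the configuration (type 7 only).
service password-encryption
! Console and aux: authenticate against the local user database and drop idle
! sessions after 5 minutes.
line console 0
 login local
 exec-timeout 5 0
 exit
line aux 0
 login local
 exec-timeout 5 0
 exit
! SSH prerequisites: a host name and a domain name are required before an RSA
! key pair can be generated. SSH version 2 needs a key of at least 768 bits;
! 2048 is the sensible minimum today.
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
! Remote access: local login, SSH only (telnet is no longer accepted), idle timeout.
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
 exit
end
! Verification (privileged EXEC)
show running-config | include username|enable secret|transport input|service password
show ip ssh
show ssh
```

Two caveats a practitioner would check: service password-encryption only applies type 7 obfuscation, so every credential that matters should be created with the secret keyword rather than relying on it; and if the aux port is not needed at all, disabling it outright (no exec under line aux 0) is stronger than protecting it with a login.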
- Configure and verify switch port security. Note: EtherSwitch routers do not support the switchport port-security command. Use a Cisco switch, if available, or review CiscoSkills.net: Configuring Port Security.
- Add dynamic (sticky) port security, limit each port to 1 allowed device, and use the restrict violation mode, using the following commands.
switchport port-security mac-address
switchport port-security maximum
switchport port-security violation
- Shut down unused ports.
- Verify the configuration using the following commands.
show port-security
show port-security address
- Test the configuration by pinging all four PCs. The test should be successful for all devices.
- Remove and add links to connect the following.
- PC3 Ethernet0 <-> ESW1 FastEthernet1/4
- PC4 Ethernet0 <-> ESW1 FastEthernet1/3
- Test the configuration by pinging all four PCs. The test should be successful for PC1 and PC2, and unsuccessful for PC3 and PC4.
- Verify the configuration using the following commands.
show port-security
show port-security address
- Remove and add links to connect the following.
- PC3 Ethernet0 <-> ESW1 FastEthernet1/3
- PC4 Ethernet0 <-> ESW1 FastEthernet1/4
- Test the configuration by pinging all four PCs. The test should be successful for all devices.
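As an added example (not from the original lesson), here is the port-security activity above carried out on a Catalyst switch that supports the command, together with the unused-port shutdown and the errdisable recovery settings described in the Lesson Summary. The interface numbers copy the GNS3 topology (fa1/0 to R1, fa1/1 to fa1/4 to the PCs, fa1/5 to fa1/15 unused) and are an assumption about the replacement switch; the 600-second recovery interval is likewise a value chosen here.

```cisco
! Added worked example (not from the original lesson). Interface numbering is
! assumed to match the lab topology on the replacement Catalyst switch.
enable
configure terminal
! PC-facing ports. Port security requires access (or trunk) mode; on a port
! left in the default dynamic (DTP) mode the command is rejected.
interface range fastethernet 1/1 - 4
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 exit
! Unused ports: administratively down so nothing can be plugged in unnoticed.
interface range fastethernet 1/5 - 15
 switchport mode access
 shutdown
 exit
! For ports that use the default "violation shutdown" mode: the port goes
! err-disabled on a violation. Let it recover automatically after 600 seconds
! instead of the 300-second default, rather than requiring a manual
! "shutdown" / "no shutdown" on every stray device.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
end
! Verification (privileged EXEC)
show port-security
show port-security interface fastethernet 1/1
show port-security address
show errdisable recovery
! Sticky addresses are written to running-config only; save them or they are
! relearned (by whatever is plugged in) after a reload.
copy running-config startup-config
```

With restrict, a frame from a second MAC on fa1/1 is dropped, the violation counter in show port-security increments, and an SNMP trap and syslog message are generated; the port stays up, so the legitimate device keeps working. With protect the frame is dropped silently, which is why protect is the hardest mode to troubleshoot and the least useful for detection.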
- Configure VLAN security.
- Use the configuration from above. Change the native VLAN to VLAN 10, put existing devices in VLAN 10, and assign unused ports to VLAN 99 using the following commands on the EtherSwitch router.
enable
vlan database
vlan
exit
configure terminal
interface range
switchport access
- Test the configuration by pinging all four PCs. The test should be successful for all devices.
- Remove and add links to connect the following.
- PC4 Ethernet0 <-> ESW1 FastEthernet1/5
- Test the configuration by pinging all four PCs. The test should be successful for PC1, PC2, and PC3, and unsuccessful for PC4.
- Configure the router to access the EtherSwitch router on VLAN 10 using the following commands.
enable
configure terminal
interface
encapsulation
exit
- Test the configuration by pinging the switch from the router. The test should be successful.
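An added worked example (not from the original lesson) of the VLAN security activity above, on ESW1 and then on R1, in full. The VLAN names USERS and UNUSED, and the decision to move the switch's management address from VLAN 1 to interface vlan 10, are assumptions made here; the addresses are the ones assigned earlier in the activity. VLAN creation on the EtherSwitch module (NM-16ESW) uses the vlan database mode the activity lists.

```cisco
! Added worked example (not from the original lesson). VLAN names and the
! management-SVI move are assumptions.
! ---------- ESW1 ----------
enable
vlan database
 vlan 10 name USERS
 vlan 99 name UNUSED
 exit
configure terminal
! Uplink to R1: 802.1Q trunk with the native VLAN moved off VLAN 1.
interface fastethernet 1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 exit
! Existing devices into the user VLAN.
interface range fastethernet 1/1 - 4
 switchport mode access
 switchport access vlan 10
 exit
! Unused ports: parked in an unused VLAN and shut down.
interface range fastethernet 1/5 - 15
 switchport mode access
 switchport access vlan 99
 shutdown
 exit
! Move the switch management address from VLAN 1 to VLAN 10.
interface vlan 1
 no ip address
 shutdown
 exit
interface vlan 10
 ip address 192.168.1.10 255.255.255.0
 no shutdown
 exit
end
show vlan-switch brief
show interfaces fastethernet 1/0 switchport
! ---------- R1 ----------
enable
configure terminal
! The address must leave the physical interface first, or the subinterface
! is rejected for overlapping the same subnet.
interface fastethernet 0/0
 no ip address
 no shutdown
 exit
! Subinterface for VLAN 10. "native" because VLAN 10 is the trunk's native
! VLAN, so its frames are sent and expected untagged.
interface fastethernet 0/0.10
 encapsulation dot1Q 10 native
 ip address 192.168.1.1 255.255.255.0
 exit
end
ping 192.168.1.10
```

One caveat on the lab design: here VLAN 10 is both the users' access VLAN and the trunk's native VLAN. The double-tagging form of VLAN hopping depends on exactly that condition (an attacker's access VLAN equal to the trunk's native VLAN), so the production best practice in the Cisco Press design reference listed under See Also is a dedicated, otherwise unused native VLAN that carries no user traffic at all. Moving PC4 to fa1/5 fails in the activity for two independent reasons: the port is shut down, and even if brought up it is in VLAN 99, which nothing routes.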
Lesson Summary
- Network security consists of the policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.[7]
- Network security requires physical security, access control, authentication, and authorization.[8]
- Cisco IOS supports Authentication, Authorization, and Accounting (AAA) using either RADIUS or TACACS+ protocols.[9]
- MAC filtering is a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.[10]
- MAC filtering can be circumvented by identifying a valid MAC through observation and then spoofing one's own MAC into a validated one.[11]
- MAC spoofing may be done in the Windows Registry or by using command-line tools on a Linux platform.[12]
- Cisco Catalyst switches support MAC filtering on a port-by-port basis using port security.[13]
- Port security may be configured statically with a list, dynamically based on the first given number of addresses detected, or a combination of these two methods.[14]
- When port security is configured, the default settings are to allow only one MAC address per port, and to shut down (err-disable) the port if the allowed number of addresses is exceeded.[15]
- Rather than shutting down the port, the port security violation mode may be set to restrict access and send an SNMP trap (protect mode also drops the offending frames, but without a counter, trap, or log message).[16]
- Port security shutdown ports may also be set to recover automatically using the errdisable recovery cause psecure-violation command in global configuration mode.[17]
- The default errdisable recovery time is 300 seconds. This may be altered using the errdisable recovery interval command.[18]
- Port security dynamic MAC addresses are not remembered by default. They may be added to the running configuration by enabling sticky mode.[19]
- To enable port security on an interface, use the switchport port-security command in interface configuration mode.[20]
- To add a MAC address to the list of secure MAC addresses, use the switchport port-security mac-address command in interface configuration mode.[21]
- To set the maximum number of secure MAC addresses on a port, use the switchport port-security maximum command in interface configuration mode.[22]
- To set the action to be taken when a security violation is detected, use the switchport port-security violation command in interface configuration mode.[23]
- To display port-security settings for an interface or for the switch, use the show port-security command in privileged EXEC mode.[24]
- Additional switch security options include shutting down unused ports, assigning unused ports to unused VLANs, and setting the native VLAN to a VLAN other than 1.[25]
Key Terms
- AAA
- An acronym for authentication, authorization, and accounting, which generically refers to a protocol used for this purpose.[26]
- RADIUS (Remote Authentication Dial-In User Service)
- A networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.[27]
- TACACS+ (Terminal Access Controller Access-Control System Plus)
- A protocol developed by Cisco and released as an open standard that handles authentication, authorization, and accounting (AAA) services.[28]
Review Questions
- Network security consists of _____.
Answer: Network security consists of the policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
- Network security requires _____.
Answer: Network security requires physical security, access control, authentication, and authorization.
- Cisco IOS supports Authentication, Authorization, and Accounting (AAA) using _____.
Answer: Cisco IOS supports Authentication, Authorization, and Accounting (AAA) using either RADIUS or TACACS+ protocols.
- MAC filtering is _____.
Answer: MAC filtering is a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.
- MAC filtering can be circumvented by _____.
Answer: MAC filtering can be circumvented by identifying a valid MAC through observation and then spoofing one's own MAC into a validated one.
- MAC spoofing may be done _____.
Answer: MAC spoofing may be done in the Windows Registry or by using command-line tools on a Linux platform.
- Cisco Catalyst switches support MAC filtering on a port-by-port basis using _____.
Answer: Cisco Catalyst switches support MAC filtering on a port-by-port basis using port security.
- Port security may be configured _____.
Answer: Port security may be configured statically with a list, dynamically based on the first given number of addresses detected, or a combination of these two methods.
- When port security is configured, the default settings are _____.
Answer: When port security is configured, the default settings are to allow only one MAC address per port, and to shut down the port if the allowed number of addresses is exceeded.
- Rather than shutting down the port, the port security violation mode may be set to _____.
Answer: Rather than shutting down the port, the port security violation mode may be set to restrict access and send an SNMP trap.
- Port security shutdown ports may also be set to _____.
Answer: Port security shutdown ports may also be set to recover automatically using the errdisable recovery cause psecure-violation command in global configuration mode.
- The default errdisable recovery time is _____ seconds. This may be altered using the _____ command.
Answer: The default errdisable recovery time is 300 seconds. This may be altered using the errdisable recovery interval command.
- Dynamic addresses are not remembered by default. They may be added to the running configuration by enabling _____ mode.
Answer: Dynamic addresses are not remembered by default. They may be added to the running configuration by enabling sticky mode.
- To enable port security on an interface, use the _____ command in interface configuration mode.
Answer: To enable port security on an interface, use the switchport port-security command in interface configuration mode.
- To add a MAC address to the list of secure MAC addresses, use the _____ command in interface configuration mode.
Answer: To add a MAC address to the list of secure MAC addresses, use the switchport port-security mac-address command in interface configuration mode.
- To set the maximum number of secure MAC addresses on a port, use the _____ command in interface configuration mode.
Answer: To set the maximum number of secure MAC addresses on a port, use the switchport port-security maximum command in interface configuration mode.
- To set the action to be taken when a security violation is detected, use the _____ command in interface configuration mode.
Answer: To set the action to be taken when a security violation is detected, use the switchport port-security violation command in interface configuration mode.
- To display port-security settings for an interface or for the switch, use the _____ command in privileged EXEC mode.
Answer: To display port-security settings for an interface or for the switch, use the show port-security command in privileged EXEC mode.
- Additional switch security options include _____, _____, and _____.
Answer: Additional switch security options include shutting down unused ports, assigning unused ports to unused VLANs, and setting the native VLAN to a VLAN other than 1.
Assessments
- Flashcards: Quizlet: CCENT - Security
- Quiz: Quizlet: CCENT - Security
See Also
- Computer Networks/Security
- Cisco Press: Switchport Security Concepts and Configuration
- Cisco Press: Design Best Practices for VLANs
- Cisco: Errdisable Port State Recovery
References
[1] Cisco: ICND1 Exam Topics
[2] Cisco: IOS Interface and Hardware Component Command Reference
[3] Cisco: IOS Interface and Hardware Component Command Reference
[4] Cisco: IOS Interface and Hardware Component Command Reference
[5] Cisco: IOS Interface and Hardware Component Command Reference
[6] Cisco: Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide
[7] Wikipedia: Network security
[8] Wikipedia: Access control
[9] Cisco: Configuring Basic AAA on an Access Server
[10] Wikipedia: MAC filtering
[11] Wikipedia: MAC filtering
[12] Wikipedia: MAC filtering
[13] Wikipedia: MAC filtering
[14] Wikipedia: MAC filtering
[15] Wikipedia: MAC filtering
[16] Cisco: Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide
[17] Cisco: Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide
[18] Cisco: Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide
[19] Cisco: Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide
[20] Cisco: IOS Interface and Hardware Component Command Reference
[21] Cisco: IOS Interface and Hardware Component Command Reference
[22] Cisco: IOS Interface and Hardware Component Command Reference
[23] Cisco: IOS Interface and Hardware Component Command Reference
[24] Cisco: Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide
[25] Cisco: ICND1 Exam Topics
[26] Wikipedia: AAA protocol
[27] Wikipedia: RADIUS
[28] Wikipedia: TACACS