Routing & Switching: Infrastructure Security
www.noasolutions.com

About the Author

Sikandar Shaik, a dual CCIE (RS/SP # 35012), is a highly experienced and extremely driven senior technical instructor and network consultant. He has been training networking courses for more than 10 years, teaching on a wide range of topics including Routing and Switching, Service Provider and Security (CCNA to CCIE). In addition, he has been developing and updating the content for these courses. He has assisted many engineers in passing the lab examinations and securing certifications.

Sikandar Shaik is highly skilled at designing, planning, coordinating, maintaining, troubleshooting and implementing changes to various aspects of multi-scaled, multi-platform, multi-protocol complex networks, as well as course development and instruction for a technical workforce in a varied networking environment. His experience includes responsibilities ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN and WAN environments.

Sikandar Shaik has delivered instructor-led trainings in several states in India as well as abroad, in countries such as China, Kenya and UAE. He has also worked as a freelance Cisco Certified Instructor globally for major corporate clients.

Acknowledgment

First and foremost I would like to thank the Almighty for his continued blessings and for always being there for me. You have given me the power and confidence to believe in myself and pursue my dreams. I could never have done this without the faith I have in you. Secondly I would like to thank the NOA Solutions team for their continued support, dedication and hard work which helped me in delivering a better product. I would like to thank my family for understanding my long nights at the computer.
I have spent a lot of time on preparing workbooks and this workbook would not have been possible without their support and encouragement. I would also like to recognize the cooperation of my students who took my trainings and workbooks. I believe my workbooks have helped them in upskilling themselves with respect to the subject and technologies and I will continue preparing workbooks for the updated technology versions.

Shaik Gouse Moinuddin Sikandar
CCIE x 2 (RS/SP)

Feedback

Please send feedback if there are any issues with respect to the content of this workbook. I would also appreciate suggestions from you which can improve this workbook further. Kindly send your feedback and suggestions to info@noasolutions.com

NOA Solutions, N.K Arcade, 2nd & 3rd floor, Opposite to Banjara function hall, Banjarahills road no 1, Hyderabad, INDIA. +91 40 65890380, +91 7036826345, www.noasolutions.com

INDEX

Access-Control List
  Standard ACL ................................. 5
  LAB: Standard Access-list
  Extended ACL ................................. 15
  LAB: Extended Access-list .................... 19
  Named ACL .................................... 22
  LAB: Restricting Telnet Access ............... 28
  Routing protocol and ACL ..................... 32
  LAB: Routing protocol and ACL ................ 34
  LAB: Deny OSPF / EIGRP Traffic ............... 38
  Time Based ACL
  LAB-2: Time Based ACL
  IPv6 ACL
Device Access Security
  Basic Login passwords
  Login password Enhancements
  LAB: Cisco Login Enhancements
  Cisco IOS Resilient Configuration
  AAA Authentication using external servers
  LAB: AAA Authentication
  User Accounts & Privilege levels ............. 99
  LAB: User accounts and privilege Levels ...... 102
  Role based Access control .................... 107
  LAB: Role Based Access Control (Views)
Layer 2 Security
  Understanding switch security issues
  Port security
  LAB: Port-Security ........................... 122
  DHCP snooping ................................ 128
  LAB: DHCP Snooping ........................... 131
  LAB: IP Source Guard
  Dynamic ARP inspection ....................... 144
  LAB: Dynamic ARP inspection .................. 151
  Storm Control ................................ 156
  Private VLAN ................................. 158
  LAB: Private VLAN ............................ 165
  VLAN ACL
  IPv6 First Hop security ...................... 179
  IPv6 RA Guard ................................ 183
  DHCPv6 Guard ................................. 186

ACCESS CONTROL LIST (ACL)

» An ACL is a set of rules which will allow or deny specific traffic moving through the router.
» It is a Layer 3 security feature which controls the flow of traffic from one router to another, so it is also called a Packet Filtering Firewall.

Types of Access-list

STANDARD ACCESS LIST
1. The access-list number range is 1 - 99.
2. Can block a Network, Host and Subnet.
3. All services are blocked.
4. Implemented closest to the destination.
5. Filtering is done based on only the source IP address.

EXTENDED ACCESS LIST
1. The access-list number range is 100 - 199.
2. We can allow or deny a Network, Host, Subnet and Service.
3. Selected services can be blocked.
4. Implemented closest to the source.
5. Filtering is done based on source IP, destination IP, protocol and port number.

Lab: Standard access-list

TASK: Configure the appropriate router as per the rules given.
NOTE: The above ACL rules should not affect the other communication.

Creation of Standard Access List

Router(config)# access-list <1-99> <permit|deny> <source address> <wildcard mask>

To write an ACL statement:
1. Decide on which router to implement the ACL.
2. Identify source and destination.
3. Decide the direction: in / out.

Ensure that the router you are implementing the ACL on is the transit router. Think of your router as the destination (incoming traffic as the source).

Wild card mask

Tells the router which portion of the bits to match or ignore.
  0 = must match
  1 = ignore

    255.255.255.255
  - 255.255.255.0
  -----------------
      0.0.0.255

Global Subnet Mask - Customized Subnet Mask = Wild Card Mask

» The wild card mask for a network will be the inverse mask.
» The wild card mask for a host will always be 0.0.0.0.

Example:

R-2(config)# access-list 15 deny 192.168.1.1 0.0.0.0
R-2(config)# access-list 15 deny host 192.168.1.2
R-2(config)# access-list 15 deny 192.168.3.0 0.0.0.255
R-2(config)# access-list 15 permit any

Understanding IN / OUT

» IN: into the router
» OUT: out of the router
R-2(config)# access-list 15 deny 192.168.1.1 0.0.0.0
R-2(config)# access-list 15 deny host 192.168.1.2
R-2(config)# access-list 15 deny 192.168.3.0 0.0.0.255
R-2(config)# access-list 15 permit any

Implementation:

R-2(config)# interface fastEthernet 0/0
R-2(config-if)# ip access-group 15 out

R-2# show access-lists
Standard IP access list 15
    deny   host 192.168.1.1
    deny   host 192.168.1.2
    deny   192.168.3.0 0.0.0.255
    permit any

LAB: STANDARD ACCESS-LIST

(Topology diagram: hosts 192.168.2.1, 192.168.2.2, 192.168.3.1 and 192.168.3.2; networks 192.168.1.0/24 and 192.168.2.0/24.)

Pre-requirement for LAB (check previous labs):
1) Design the topology (connectivity).
2) Assign the IP addresses according to the diagram.
3) Make sure that the interfaces used are in the UP/UP state.
4) Configure any dynamic routing protocol or static routing.
5) Verify the routing table and reachability between the LANs (using the PING and TRACE commands).

TASK: Configure the appropriate router as per the rules given:
» Deny the host 192.168.1.1 communicating with 192.168.2.0
» Deny the host 192.168.1.2 communicating with 192.168.2.0
» Deny the network 192.168.3.0 communicating with 192.168.2.0
» Permit all the remaining traffic

NOTE: The above ACL rules should not affect the other communication.

NOTE: Before creating the ACL, make sure that the routing configured is correct and all the three LAN devices are able to communicate with each other using the PING command.

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: ...

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...

ROUTER-2

Creating the ACL rules according to the requirement:

R-2(config)# access-list 15 deny 192.168.1.1 0.0.0.0
R-2(config)# access-list 15 deny host 192.168.1.2
R-2(config)# access-list 15 deny 192.168.3.0 0.0.0.255
R-2(config)# access-list 15 permit any

Implementation:

R-2(config)# interface fastEthernet 0/0
R-2(config-if)# ip access-group 15 out

Verification:

R-2# show access-lists
Standard IP access list 15
    deny   host 192.168.1.1
    deny   host 192.168.1.2
    deny   192.168.3.0 0.0.0.255
    permit any

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.

PC>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 ...
Reply from 192.168.3.1: bytes=32 ...
Reply from 192.168.3.1: bytes=32 ...
Reply from 192.168.3.1: bytes=32 time=13ms TTL=125

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 time=24ms TTL=126

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.

PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 ...
Reply from 192.168.1.1: bytes=32 ...
Reply from 192.168.1.1: bytes=32 ...
Reply from 192.168.1.1: bytes=32 ...

Access-list Rules

» Works in sequential order.
» All deny statements have to be given first (preferable in most cases).
» There should be at least one permit statement (mandatory).
» An implicit deny blocks all traffic by default when there is no match (an invisible statement).
» You can have one access-list per interface per direction, i.e. two access-lists per interface, one in the inbound direction and one in the outbound direction.
» Any time a new entry is added to the access list, it will be placed at the bottom of the list. Using a text editor for access lists is highly suggested.
» You cannot remove one line from an access list.
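The wildcard-mask arithmetic and the access-list rules above (sequential order, first match wins, invisible deny at the end) are easy to get wrong on paper. The following is an added example, not part of the workbook, that models them in Python: it derives a wildcard mask from a subnet mask, matches addresses against an address/wildcard pair, parses the standard ACL 15 from the lab exactly as typed, and evaluates sample sources against it. The sample source addresses are constructed for the demonstration; the last two prints show what happens when the rule order is reversed and when no permit statement exists at all.

```python
# Added example (not from the workbook): wildcard masks and standard ACL
# evaluation as the lab describes it: top-down, first match wins, implicit deny.
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask gives the (inverse) wildcard mask."""
    inverse = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(inverse))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = ignore: only the 'care' bits are compared."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} (any | host A | A WILDCARD)' lines, keeping order."""
    entries = []
    for line in lines:
        tok = line.split()
        action, spec = tok[2], tok[3:]
        if spec[0] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif spec[0] == "host":
            entries.append((action, spec[1], "0.0.0.0"))
        else:  # address followed by a wildcard; IOS assumes 0.0.0.0 when it is omitted
            entries.append((action, spec[0], spec[1] if len(spec) > 1 else "0.0.0.0"))
    return entries


def evaluate_standard(entries, src: str) -> str:
    """Top-down, first matching entry decides; no match hits the invisible 'deny any'."""
    for action, addr, wildcard in entries:
        if wildcard_match(src, addr, wildcard):
            return action
    return "deny"


# ACL 15 exactly as the standard lab configures it on R-2 (applied out on fa0/0)
ACL_15_LINES = [
    "access-list 15 deny 192.168.1.1 0.0.0.0",
    "access-list 15 deny host 192.168.1.2",
    "access-list 15 deny 192.168.3.0 0.0.0.255",
    "access-list 15 permit any",
]
ACL_15 = parse_standard_acl(ACL_15_LINES)


def lab_outcomes(entries=ACL_15):
    """Constructed sample sources: the three the lab denies plus two it must not affect."""
    sources = ["192.168.1.1", "192.168.1.2", "192.168.3.1", "192.168.1.3", "192.168.1.4"]
    return {src: evaluate_standard(entries, src) for src in sources}


if __name__ == "__main__":
    print("wildcard for /24:", wildcard_from_mask("255.255.255.0"))
    for src, verdict in lab_outcomes().items():
        print(f"{src:<14} {verdict}")
    # Order matters: with 'permit any' on top, every deny below it is dead.
    print("reversed order:", lab_outcomes(list(reversed(ACL_15))))
    # No permit statement at all: everything falls through to the implicit deny.
    print("denies only:   ", lab_outcomes(ACL_15[:3]))
```

The two final prints are the reason the rules say "all deny statements first" and "at least one permit statement": the evaluator stops at the first match, so a leading `permit any` makes the denies unreachable, and without any permit the implicit deny at the bottom drops every packet.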
Extended Access-list

» The access-list number range is 100 - 199.
» We can allow or deny a Network, Host, Subnet and Service.
» Selected services can be blocked.
» Implemented closest to the source.
» Filtering is done based on source IP, destination IP, protocol and port number.

TASK:
1. Deny the users on LAN 192.168.2.0 from accessing the 192.168.1.3 HTTP service.
2. Deny the users on LAN 192.168.3.0 from accessing the 192.168.1.4 FTP service.
3. Deny the user 192.168.3.1 from accessing the 192.168.1.3 HTTP service.
4. Deny the users on LAN 192.168.2.0 from getting DNS service from the DNS server 192.168.1.4.
5. Deny the hosts 192.168.3.2 and 192.168.1.2 from sending ICMP (ping / trace) messages to each other.
6. The remaining hosts and services should be permitted.
NOTE: The above ACL rules should not affect the other communication.

Operators: eq (equal to), neq (not equal to), lt (less than), gt (greater than)

Extended ACL Syntax

Router(config)# access-list <100-199> <permit|deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <port>
Router(config)# interface <interface>
Router(config-if)# ip access-group <number> <in|out>

R-1(config)# access-list 145 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
R-1(config)# access-list 145 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
R-1(config)# access-list 145 deny tcp host 192.168.3.1 host 192.168.1.3 eq www
R-1(config)# access-list 145 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
R-1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo
R-1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo-reply
R-1(config)# access-list 145 permit ip any any

Implementation:

R-1(config)# interface fastEthernet 0/0
R-1(config-if)# ip access-group 145 out
OR
R-1(config)# interface serial 0/0
R-1(config-if)# ip access-group 145 in

LAB: EXTENDED ACCESS-LIST

(Topology diagram: networks 192.168.2.0/24 and 192.168.3.0/24 with two hosts each, behind R-1 and R-2.)

1) Design the topology (connectivity).
2) Assign the IP addresses according to the diagram.
3) Make sure that the interfaces used are in the UP/UP state.
4) Configure any dynamic routing protocol or static routing.
5) Verify the routing table and reachability between the LANs (using the PING and TRACE commands).

TASK: Configure the appropriate router as per the rules given below:
1. Deny the users on LAN 192.168.2.0 from accessing the 192.168.1.3 HTTP service.
2. Deny the users on LAN 192.168.3.0 from accessing the 192.168.1.4 FTP service.
3. Deny the user 192.168.3.1 from accessing the 192.168.1.3 HTTP service.
4. Deny the users on LAN 192.168.2.0 from getting DNS service from the DNS server 192.168.1.4.
5. Deny the hosts 192.168.3.2 and 192.168.1.2 from sending ICMP (ping / trace) messages to each other.
6. The remaining hosts and services should be permitted.
NOTE: The above ACL rules should not affect the other communication.

Router-1

R-1(config)# access-list 145 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
R-1(config)# access-list 145 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
R-1(config)# access-list 145 deny tcp host 192.168.3.1 host 192.168.1.3 eq www
R-1(config)# access-list 145 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq ?
  <0-65535>      Port number
  bootpc         Bootstrap Protocol (BOOTP) client (68)
  bootps         Bootstrap Protocol (BOOTP) server (67)
  ...
  isakmp         Internet Security Association and Key Management Protocol (500)
  non500-isakmp  Internet Security Association and Key Management Protocol (4500)
  snmp           Simple Network Management Protocol (161)
  tftp           Trivial File Transfer Protocol (69)

R-1(config)# access-list 145 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
R-1(config)# access-list 145 deny icmp host 192.168.3.1 host 192.168.1.1 ?
  <0-256>               type-num
  ...
  host-unreachable      host-unreachable
  net-unreachable       net-unreachable
  port-unreachable      port-unreachable
  protocol-unreachable  protocol-unreachable
  ttl-exceeded          ttl-exceeded
  unreachable           unreachable

R-1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo
R-1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo-reply
R-1(config)# access-list 145 permit ip any any

Implementation:

R-1(config)# interface fastEthernet 0/0
R-1(config-if)# ip access-group 145 out
OR
R-1(config)# interface serial 0/0
R-1(config-if)# ip access-group 145 in

Verification:

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=20ms TTL=125
Reply from 192.168.1.1: bytes=32 ...
Reply from 192.168.1.1: bytes=32 ...
Reply from 192.168.1.1: bytes=32 ...
Named ACL

» Access-lists are identified using names rather than numbers.
» Names are case-sensitive.
» No limitation of numbers here.
» One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible.
» IOS version 11.2 or later allows Named ACLs.

Creation of Standard Named Access List

Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit|deny> <source address> <wildcard mask>

Implementation of Standard Named Access List

Router(config)# interface <interface>
Router(config-if)# ip access-group <name> <in|out>

LAB: STANDARD NAMED ACL

(Topology diagram: hosts 192.168.2.1, 192.168.2.2, 192.168.3.1 and 192.168.3.2; networks 192.168.3.0/24 and 192.168.2.0/24.)

TASK:
» Configure a Standard Named ACL.
» Use the same rules as Lab-1.

Before creating the ACL, make sure that the routing configured is correct and all the three LAN devices are able to communicate with each other using the PING command.

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ... TTL=126
Reply from 192.168.2.1: bytes=32 time=20ms TTL=126
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=16ms TTL=126
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 time=23ms TTL=126

Creating an Access-list as per the given rules:

R-2(config)# ip access-list standard CCNA
R-2(config-std-nacl)# deny 192.168.1.1 0.0.0.0
R-2(config-std-nacl)# deny host 192.168.1.2
R-2(config-std-nacl)# deny 192.168.3.0 0.0.0.255
R-2(config-std-nacl)# permit any
R-2(config-std-nacl)# exit

Implementation:

R-2(config)# interface fastEthernet 0/0
R-2(config-if)# ip access-group CCNA out

R-2# show access-lists
Standard IP access list CCNA
    deny   host 192.168.1.1
    deny   host 192.168.1.2
    deny   192.168.3.0 0.0.0.255
    permit any

PC>ipconfig
IP Address......: ...

PC>ping 192.168.2.1
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.

PC>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 ...
Reply from 192.168.3.1: bytes=32 time=13ms TTL=125

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.

SERVER>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

SERVER>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 time=17ms TTL=...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.

PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 ...

Creation of Extended Named Access List

Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit|deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <port>
Router(config)# interface <interface>
Router(config-if)# ip access-group <name> <in|out>

LAB: NAMED EXTENDED ACL

(Topology diagram: networks 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24.)

» Configure an Extended Named ACL.
» Use the same rules as Lab-2.

R-1(config)# ip access-list extended CCNP
R-1(config-ext-nacl)# deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
R-1(config-ext-nacl)# deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
R-1(config-ext-nacl)# deny tcp host 192.168.3.1 host 192.168.1.3 eq www
R-1(config-ext-nacl)# deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
R-1(config-ext-nacl)# deny icmp host 192.168.3.1 host 192.168.1.1 echo
R-1(config-ext-nacl)# deny icmp host 192.168.3.1 host 192.168.1.1 echo-reply
R-1(config-ext-nacl)# permit ip any any

Implementation:

R-1(config)# interface fastEthernet 0/0
R-1(config-if)# ip access-group CCNP out
OR
R-1(config)# interface serial 0/0
R-1(config-if)# ip access-group CCNP in

R-1# show access-lists
Extended IP access list CCNP
    deny   tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
    deny   tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
    deny   tcp host 192.168.3.1 host 192.168.1.3 eq www
    deny   udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
    deny   icmp host 192.168.3.1 host 192.168.1.1 echo
    deny   icmp host 192.168.3.1 host 192.168.1.1 echo-reply
    permit ip any any

Verification:

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=20ms TTL=125

Restricting Telnet Access To The Router to Specified Networks Or Hosts

» Restrict the users who can telnet and who should not.
» Use the access-class command on the VTY lines.
» Only the telnet traffic arriving on the VTY lines is compared.

TASK: Allow only the hosts 192.168.1.1 and 192.168.1.2 to telnet to R1. Any other host should be denied if they try to telnet to R1.

R-1(config)# access-list 20 permit host 192.168.1.1
R-1(config)# access-list 20 permit host 192.168.1.2

Implementation

R-1(config)# line vty 0 4
R-1(config-line)# password cisco
R-1(config-line)# login
R-1(config-line)# access-class 20 in
R-1(config-line)# end

LAB: Restricting Telnet Access to the Router to Specified Networks or Hosts

Should You Secure Your Telnet Lines on a Router?
TASK: You're monitoring your network and notice, by using the show users command, that someone has telnetted into your core router. You use the disconnect command and they are disconnected from the router, but you notice they are back into the router a few minutes later. You are thinking about putting an access list on the router interfaces, but you don't want to add a lot of latency on each interface since your router is already pushing a lot of packets.

The access-class command illustrated in this lab is the best way to restrict the users who can telnet and who should not, because it doesn't use an access list that just sits on an interface looking at every packet that is coming and going, which can cause overhead on the packets trying to be routed. When you put the access-class command on the VTY lines, only packets trying to telnet into the router will be looked at and compared. This provides nice, easy-to-configure security for your router.

(Topology diagram: networks 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24.)

Allow only the hosts 192.168.1.1 and 192.168.1.2 to telnet to R1. Any other host should be denied if they try to telnet to R1.

Creating the ACL which permits only the hosts 192.168.1.1 and 192.168.1.2 (by default all the other hosts are denied):

R-1(config)# access-list 20 permit host 192.168.1.1
R-1(config)# access-list 20 permit host 192.168.1.2

Implementation

R-1(config)# line vty 0 4
R-1(config-line)# password cisco
R-1(config-line)# login
R-1(config-line)# access-class 20 in
R-1(config-line)# end

Verification:

PC>ipconfig
IP Address......: 192.168.1.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>telnet 192.168.1.100
Trying 192.168.1.100 ... Open
User Access Verification

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>telnet 192.168.1.100
Trying 192.168.1.100 ... Open
User Access Verification

From both the hosts (192.168.1.1 and 192.168.1.2) telnet to R1 is successful (from the above outputs). Telnet from any other user should be denied automatically as per our requirement (verify the outputs below).

Try Telnet from 192.168.1.3 to R1

PC>ipconfig
IP Address......: 192.168.1.3
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>telnet 192.168.1.100
Trying 192.168.1.100 ...

Try Telnet from 192.168.1.4 to R1

PC>ipconfig
IP Address......: 192.168.1.4
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100

PC>telnet 192.168.1.100
Trying 192.168.1.100 ...
% Connection refused by remote host

Try Telnet from R2 to R1

R-2>enable
R-2# telnet 10.0.0.1

R-1# show access-lists
Standard IP access list 12
    permit host 192.168.1.1 (2 match(es))
    permit host 192.168.1.2 (2 match(es))
    deny any (13 match(es))

R-1# show users
    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:...
    ...                   idle                 00:...
    ...                   idle                 00:00:39
Routing Protocol & ACL

R2(config)# access-list 12 permit 10.0.0.0 0.255.255.255
R2(config)# int s1/0
R2(config-if)# ip access-group 12 in
R2(config-if)# end

R2(config)# ip access-list extended CCIE
R2(config-ext-nacl)# permit tcp any any eq ftp
R2(config-ext-nacl)# permit tcp any any eq telnet
R2(config-ext-nacl)# exit
R2(config)# int s1/0
R2(config-if)# ip access-group CCIE in

Routing Protocol & ACL

R2(config)# ip access-list extended EIGRP
R2(config-ext-nacl)# deny eigrp any any
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)# int s1/0
R2(config-if)# ip access-group EIGRP in

Routing Protocol & ACL

R2(config)# ip access-list extended OSPF
R2(config-ext-nacl)# ...
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)# int s1/0
R2(config-if)# ip access-group OSPF in
OR
R2(config)# access-list 151 deny ip any host 224.0.0.5
R2(config)# access-list 151 deny ip any host 224.0.0.6
R2(config)# access-list 151 permit ip any any
R2(config)# int s1/0
R2(config-if)# ip access-group 151 in

LAB: Routing protocol and ACL

(Topology diagram: R1 and R2 connected by a serial link, each with an F0/0 LAN interface.)

TASK:
» Configure EIGRP and OSPF routing on R1/R2 and advertise the interfaces given in the diagram.
Ri(config)#router ospf 1 Ri(config-router)# network 1.0.0.0 0.255.255.255 area O Ri(config-router)# network 10.0.0.0 0.255.255.255 area 0 Ri(config-router)#exit Ri(config)#router eigrp 100 Ri(config-router)# network 1.0.0.0 Ri(config-router)# network 10.0.0.0 Ri(config-router) exit Ra(config)#router ospf 1 R2(config-router)# network 1.0.0.0 0.255.255.255 area 0 R2(config-router)# network 20.0.0.0 0.255.255.255 area 0 R2(config-router)#exit R2(config)#router eigrp 100 R2(config-router)# network 1 R2(config-router)# network 20.0.0.0 R2(config-router) #exit R2#sh ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 1.0.3.1 0 FULYY- 00:00:34 11.1.1 Serialt/0 R2#sh ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H_ Address Interface Hold Uptime SRTT RTO Q Seq (ec) (ms) Cnt Num O 144 seo 11 00:04:27 1126 5000 0 12 R2#sh ip route eigrp Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D- EIGRP, EX - EIGRP external, © - OSPF, IA - OSPF inter area NI-- OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 NOA solutions,N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolutions. com Page 34 El - OSPF external type 1, E2 - OSPF external type 2 1-15-15, su - IS-IS summary, LI - IS-IS level-l, 12 - IS-IS level-2 ja - IS-IS inter area, * - candidate default, U - per-user static route © ODR, P - periodic downloaded static route, H - NHRP, | - LISP + - replicated route, % - next hop override Gateway of last resort is not set D_— 10.0.0.0/8 [90/2172416] via 1.1. TASK: * Configure standard ACL on R2 s1/0 inbound to permit only traffic sourced from 10.0.0.0 (RI-LAN) * Ensure that the ACL should not drop OSPF or EIGRP traffic.. 
R2(config)#access-list 12 permit 10.0.0.0 0.255.255.255
R2(config)#int s1/0
R2(config-if)#ip access-group 12 in
R2(config-if)#end

After some time both the EIGRP and OSPF neighbors go down once the dead time expires. The reason is the ACL on the R2 s1/0 interface, which allows traffic from source 10.0.0.0 only; the implicit deny at the end of the ACL drops all the remaining traffic (here the OSPF and EIGRP packets, which are sourced from R1's s1/0 address 1.1.1.1).

R2#sh ip ospf neighbor
R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)

To permit OSPF and EIGRP traffic we need to permit traffic sourced from R1 (host 1.1.1.1) on R2.

R2(config)#access-list 12 permit host 1.1.1.1
R2(config)#end

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:36    1.1.1.1         Serial1/0

R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   1.1.1.1                 Se1/0             12 00:00:15  224  1344  0  17

R2#sh access-lists
Standard IP access list 12
    20 permit 1.1.1.1 (20 matches)
    10 permit 10.0.0.0, wildcard bits 0.255.255.255

TASK:
* Remove the standard ACL on R2.
* Configure an extended ACL to allow only telnet/FTP traffic between the R1 and R2 LANs.
* Configure the ACL on the R2 s1/0 interface.
* Ensure that the ACL does not drop OSPF or EIGRP traffic.

R2(config)#int s1/0
R2(config-if)#no ip access-group 12 in
R2(config-if)#exit
R2(config)#no access-list 12
R2(config)#end

R2(config)#ip access-list extended CCIE
R2(config-ext-nacl)#permit tcp any any eq ftp
R2(config-ext-nacl)#permit tcp any any eq telnet
R2(config-ext-nacl)#exit
R2(config)#int s1/0
R2(config-if)#ip access-group CCIE in
R2(config-if)#end

* After some time both the EIGRP and OSPF neighbors go down once the dead time expires.
* The reason is the ACL on the R2 s1/0 interface, which allows only FTP or telnet traffic; the implicit deny drops all the remaining traffic (here the OSPF and EIGRP packets).
R2#sh ip ospf neighbor
R2#sh ip eigrp neighbors

* To ensure that the ACL does not drop OSPF or EIGRP traffic we need to add permit statements that match the OSPF and EIGRP packets.

R2(config)#ip access-list extended CCIE
R2(config-ext-nacl)#permit ospf any any
R2(config-ext-nacl)#permit eigrp any any
R2(config-ext-nacl)#exit

R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   1.1.1.1                 Se1/0             11 00:00:12  217  1302  0  21

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:36    1.1.1.1         Serial1/0

LAB: Deny OSPF / EIGRP Traffic:

* Sometimes when we are doing troubleshooting in the lab exam, the issue can also be an ACL that was configured and is affecting the neighborship of some protocol.
* In this lab, we will verify how an ACL can be configured to deny routing protocol traffic, using EIGRP and OSPF as our routing protocols.
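The following is an added example, not part of the workbook: a small Python model of IOS ACL evaluation (first matching entry wins, implicit deny at the end, standard ACLs test the source only) run against constructed OSPF and EIGRP hello packets and LAN traffic. It reproduces why ACL 12 and the first version of ACL CCIE break the neighborships in the lab above, why the fixed versions do not, and what the numbered ACL 151 of the next lab drops. The packet addresses and ports are constructed from the lab topology.

```python
"""Added example (not from the workbook): simulate how Cisco IOS evaluates an
IPv4 ACL top-down with an implicit deny, and check the ACLs from the two
routing-protocol labs against constructed OSPF/EIGRP/TCP packets."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "ospf", "eigrp", "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0  # TCP/UDP destination port, 0 when not applicable


# Constructed packets for the R1 (1.1.1.1) <-> R2 (1.1.1.2) link and the LANs.
OSPF_HELLO = Packet("ospf", "1.1.1.1", "224.0.0.5")     # AllSPFRouters group
EIGRP_HELLO = Packet("eigrp", "1.1.1.1", "224.0.0.10")  # EIGRP multicast group
LAN_TELNET = Packet("tcp", "10.1.1.10", "20.1.1.1", 23)
LAN_HTTP = Packet("tcp", "10.1.1.10", "20.1.1.1", 80)


def match_addr(spec: str, addr: str) -> bool:
    """Match an ACE address field: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'
    (address + wildcard mask; a 1 bit in the wildcard means 'don't care')."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])) == a
    base, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wild & 0xFFFFFFFF
    return (base & care) == (a & care)


def ace_matches(ace: dict, pkt: Packet) -> bool:
    """An ACE matches when protocol ('ip' matches everything), source,
    destination and the optional 'eq' destination port all match."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not match_addr(ace["src"], pkt.src) or not match_addr(ace["dst"], pkt.dst):
        return False
    return ace["dport"] in (None, pkt.dport)


def evaluate(acl: list, pkt: Packet) -> str:
    """Return the action of the first matching ACE, or 'deny' from the
    implicit deny that ends every IOS ACL."""
    for entry in acl:
        if ace_matches(entry, pkt):
            return entry["action"]
    return "deny"


def make_ace(action, proto, src, dst, dport=None):
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


# Standard ACL 12 from the lab: a standard ACL checks only the source address.
ACL_12 = [make_ace("permit", "ip", "10.0.0.0 0.255.255.255", "any")]
# After 'access-list 12 permit host 1.1.1.1' so the routing traffic survives.
ACL_12_FIXED = ACL_12 + [make_ace("permit", "ip", "host 1.1.1.1", "any")]
# Extended ACL CCIE before and after the 'permit ospf/eigrp any any' entries.
ACL_CCIE = [make_ace("permit", "tcp", "any", "any", 21),
            make_ace("permit", "tcp", "any", "any", 23)]
ACL_CCIE_FIXED = ACL_CCIE + [make_ace("permit", "ospf", "any", "any"),
                             make_ace("permit", "eigrp", "any", "any")]
# Numbered ACL 151: deny anything sent to the OSPF multicast groups, permit the rest.
ACL_151 = [make_ace("deny", "ip", "any", "host 224.0.0.5"),
           make_ace("deny", "ip", "any", "host 224.0.0.6"),
           make_ace("permit", "ip", "any", "any")]


def lab_results() -> dict:
    """Evaluate the lab packets against each ACL (verdicts keyed by case)."""
    return {
        "acl12_ospf": evaluate(ACL_12, OSPF_HELLO),               # deny: sourced from 1.1.1.1
        "acl12_lan": evaluate(ACL_12, LAN_TELNET),                # permit
        "acl12_fixed_eigrp": evaluate(ACL_12_FIXED, EIGRP_HELLO), # permit
        "ccie_ospf": evaluate(ACL_CCIE, OSPF_HELLO),              # deny: only tcp/21 and tcp/23 permitted
        "ccie_http": evaluate(ACL_CCIE, LAN_HTTP),                # deny
        "ccie_fixed_ospf": evaluate(ACL_CCIE_FIXED, OSPF_HELLO),  # permit
        "acl151_ospf": evaluate(ACL_151, OSPF_HELLO),             # deny: 224.0.0.5 is listed
        "acl151_eigrp": evaluate(ACL_151, EIGRP_HELLO),           # permit: 224.0.0.10 is not
    }


if __name__ == "__main__":
    for case, verdict in lab_results().items():
        print(f"{case:20s} {verdict}")
```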
(Topology diagram: R1 s1/0 1.1.1.1 -- s1/0 1.1.1.2 R2; R2 f0/0 20.1.1.1.)

TASK: Configure OSPF on all routers and advertise the connected interfaces as per the diagram:

R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#exit

R2(config)#router ospf 1
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#end

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:36    1.1.1.1         Serial1/0

TASK: Configure EIGRP on all routers and advertise the connected interfaces as per the diagram:

R1(config)#router eigrp 100
R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#exit

R2(config)#router eigrp 100
R2(config-router)#network 20.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#end

R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.0.0.0/8 is directly connected, Serial1/0
L        1.1.1.2/32 is directly connected, Serial1/0
      12.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Loopback0
L        12.0.0.1/32 is directly connected, Loopback0
C        12.0.1.0/24 is directly connected, Loopback1
L        12.0.1.1/32 is directly connected, Loopback1
C        12.0.2.0/24 is directly connected, Loopback2
L        12.0.2.1/32 is directly connected, Loopback2
C        12.0.3.0/24 is directly connected, Loopback3
L        12.0.3.1/32 is directly connected, Loopback3
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/8 is directly connected, FastEthernet0/0
L        20.1.1.1/32 is directly connected, FastEthernet0/0

By default the router installs in the routing table the routes learned through EIGRP (AD = 90) instead of OSPF (AD = 110); the choice is made on administrative distance.

TASK: Configure an ACL to deny EIGRP packets on R2. Ensure that all the remaining traffic is permitted.

R2(config)#ip access-list extended EIGRP
R2(config-ext-nacl)#deny eigrp any any
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#int s1/0
R2(config-if)#ip access-group EIGRP in

R2#clear ip eigrp neighbors
R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
R2#debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
*Mar 19 13:39:40.947: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 19 13:39:40.947:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 19 13:39:43.615: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 19 13:39:43.619:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 19 13:39:45.327: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 19 13:39:45.331:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 19 13:39:48.035: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 19 13:39:48.035:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 19 13:39:49.683: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 19 13:39:49.683:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

EIGRP is sending hello messages on s1/0 but is not receiving any on s1/0, because the ACL drops the incoming EIGRP packets.

R2#sh access-list
Extended IP access list EIGRP
    20 permit ip any any (10 matches)

R2#undebug all
All possible debugging has been turned off

R2#sh ip route
Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.0.0.0/8 is directly connected, Serial1/0
L        1.1.1.2/32 is directly connected, Serial1/0
O     10.0.0.0/8 [110/65] via 1.1.1.1, 00:02:07, Serial1/0
      12.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Loopback0
L        12.0.0.1/32 is directly connected, Loopback0
C        12.0.1.0/24 is directly connected, Loopback1
L        12.0.1.1/32 is directly connected, Loopback1
C        12.0.2.0/24 is directly connected, Loopback2
L        12.0.2.1/32 is directly connected, Loopback2
C        12.0.3.0/24 is directly connected, Loopback3
L        12.0.3.1/32 is directly connected, Loopback3
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/8 is directly connected, FastEthernet0/0
L        20.1.1.1/32 is directly connected, FastEthernet0/0

* Now R2 installs the routes learned from OSPF, as the EIGRP neighborship between R2 and R1 is no longer established.
* Sometimes when we are doing troubleshooting in the lab exam, the issue can also be an ACL that was configured and is affecting the neighborship of some protocol.

TASK: Remove the EIGRP ACL under the interface and configure an ACL to deny OSPF.

R2(config)#no ip access-list extended EIGRP
R2(config)#int s1/0
R2(config-if)#no ip access-group EIGRP in

R2(config)#ip access-list extended OSPF
R2(config-ext-nacl)#deny ospf any any
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#int s1/0
R2(config-if)#ip access-group OSPF in

OR

R2(config)#access-list 151 deny ip any host 224.0.0.5
R2(config)#access-list 151 deny ip any host 224.0.0.6
R2(config)#access-list 151 permit ip any any
R2(config)#int s1/0
R2(config-if)#ip access-group 151 in
R2(config-if)#end

R2#clear ip ospf process

R1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
12.0.3.1          0   INIT/  -        00:00:32    1.1.1.2         Serial1/0

R1 stays in INIT: it still receives R2's hellos, but R2 now drops R1's hellos, so R1 never sees its own router ID listed in R2's hello and the adjacency cannot progress.

Time Based ACL

* Allows you to restrict or allow resources based on time periods or day.
* The time range relies on the router system clock.

Steps to configure:
1. Define a time range when the ACL action must take place.
2. Define an ACL and apply the time range to its statements.
3. Apply the access list to the interface you need.

(Slide diagram: deny FTP traffic on weekdays (M-F) between 9 AM and 5 PM; permit Telnet traffic.)
R2(config)#time-range DENY_FTP
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#exit
R2(config)#time-range TELNET
R2(config-time-range)#absolute start 09:00 1 january 2015 end 17:00 31 january 2015
R2(config-time-range)#end
R2(config)#access-list 115 deny tcp any any eq ftp time-range DENY_FTP
R2(config)#access-list 115 permit tcp any any eq telnet time-range TELNET
R2(config)#access-list 115 permit ospf any any
R2(config)#int s1/0
R2(config-if)#ip access-group 115 in

* Allow telnet from Jan 1 to Feb 28 2012 on all weekdays 9.00 am to 5.00 pm.
* R1 has to telnet to R3 within the above time successfully.

R2(config)#time-range WEEKDAYS
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#absolute start 09:00 1 jan 2012 end 17:00 28 feb 2012
R2(config)#access-list 102 permit tcp any any eq 23 time-range WEEKDAYS
R2(config)#access-list 102 permit ospf any any
R2(config)#int s1/1
R2(config-if)#ip access-group 102 out

(Topology diagram: R1 -- R2 -- R3; R3 f0/0 30.1.1.1/8.)

TASK: Configure OSPF as the routing protocol to provide reachability.

R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#exit

R2(config)#router ospf 1
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 2.0.0.0 0.255.255.255 area 0
R2(config-router)#end

R3(config)#router ospf 1
R3(config-router)#network 30.0.0.0 0.255.255.255 area 0
R3(config-router)#network 2.0.0.0 0.255.255.255 area 0
R3(config-router)#end

R3#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
12.0.3.1          0   FULL/  -        00:00:36    2.2.2.1         Serial1/0

R3#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

O     1.0.0.0/8 [110/128] via 2.2.2.1, 00:03:12, Serial1/0
O     10.0.0.0/8 [110/129] via 2.2.2.1, 00:00:05, Serial1/0
O     20.0.0.0/8 [110/65] via 2.2.2.1, 00:03:12, Serial1/0

TASK: Configure a TIME BASED ACL on R2 which:
* Allows telnet from Jan 1 to Feb 28 2012 on all weekdays 9.00 am to 5.00 pm.
* R1 has to telnet to R3 within the above time successfully.
* Ensure that OSPF traffic is permitted on the WAN interfaces.

R2(config)#time-range WEEKDAYS
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#absolute start 09:00 1 jan 2012 end 17:00 28 feb 2012

Configure the ACL and implement it on the interface on R2:

R2(config)#access-list 102 permit tcp any any eq 23 time-range WEEKDAYS
R2(config)#access-list 102 permit ospf any any
R2(config)#int s1/1
R2(config-if)#ip access-group 102 out

Verification:

R2#show time-range
time-range entry: WEEKDAYS (inactive)
   absolute start 09:00 01 January 2012 end 17:00 28 February 2012
   periodic weekdays 9:00 to 17:00
   used in: IP ACL entry

R2#show clock
*00:32:01.687 UTC Fri Mar 1 2002

R2#clock set 10:00:00 2 Jan 2012

R1#telnet 2.2.2.2
Trying 2.2.2.2 ...
Open

R3>

R2#clock set 10:00:00 1 march 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ...
% Destination unreachable; gateway or host down

R2#clock set 19:00:00 20 Feb 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ...
% Destination unreachable; gateway or host down

R2#clock set 12:00:00 14 Feb 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open

LAB-2 : Time Based ACL

(Topology diagram: R1 f0/0 -- R2; R2 f0/0 20.1.1.1.)

TASK:
* Connect R1-R2 as per the diagram.

R1(config)#router ospf 1
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#end

R2(config)#router ospf 1
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#end

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:39    1.1.1.1         Serial1/0

R2#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

TASK: Configure a time based ACL as per the given conditions.
* Deny FTP traffic on weekdays (M-F) between 9 AM and 5 PM.
* Permit Telnet traffic January 1 - January 31, 9 AM to 5 PM.
* Ensure that the OSPF traffic does not get dropped.
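The following is an added example, not part of the workbook: a Python model of how IOS decides whether a time-range is active (the absolute window must contain the clock, and if periodic entries exist at least one must match), applied to the WEEKDAYS range of the first time-based lab and to the DENY_FTP / TELNET ranges of this lab. The clock values are the ones the labs set with clock set; the Python structures representing the ranges are constructed here.

```python
"""Added example (not from the workbook): evaluate IOS time-range entries
(periodic and absolute) against a router clock and report which ACEs of a
time-based ACL are in effect, reproducing the clock tests of both labs."""
from datetime import datetime, time
from typing import Optional

WEEKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday as datetime.weekday() numbers


def periodic_active(days: set, start: time, end: time, clock: datetime) -> bool:
    """IOS 'periodic <days> hh:mm to hh:mm': the clock's weekday must be in the
    set and its time of day must lie within start..end."""
    return clock.weekday() in days and start <= clock.time() <= end


def absolute_active(start: Optional[datetime], end: Optional[datetime],
                    clock: datetime) -> bool:
    """IOS 'absolute [start ...] [end ...]': a missing start or end is open-ended."""
    return (start is None or clock >= start) and (end is None or clock <= end)


def time_range_active(tr: dict, clock: datetime) -> bool:
    """A time-range is active when its absolute window (if any) contains the
    clock and, if periodic entries exist, at least one of them matches."""
    if "absolute" in tr and not absolute_active(*tr["absolute"], clock):
        return False
    periodics = tr.get("periodic", [])
    return not periodics or any(periodic_active(*p, clock) for p in periodics)


# Lab 1: WEEKDAYS = periodic weekdays 09:00-17:00 inside 1 Jan - 28 Feb 2012.
TR_WEEKDAYS = {"periodic": [(WEEKDAYS, time(9, 0), time(17, 0))],
               "absolute": (datetime(2012, 1, 1, 9, 0), datetime(2012, 2, 28, 17, 0))}
# Lab 2: DENY_FTP is periodic only, TELNET is absolute only.
TR_DENY_FTP = {"periodic": [(WEEKDAYS, time(9, 0), time(17, 0))]}
TR_TELNET = {"absolute": (datetime(2015, 1, 1, 9, 0), datetime(2015, 1, 31, 17, 0))}

# ACL 115 from Lab 2 as (action, match text, time-range or None).
ACL_115 = [("deny", "tcp any any eq ftp", TR_DENY_FTP),
           ("permit", "tcp any any eq telnet", TR_TELNET),
           ("permit", "ospf any any", None)]

# The four 'clock set' values the first lab tests on R2, in the order tested.
LAB1_CLOCKS = (datetime(2012, 1, 2, 10), datetime(2012, 3, 1, 10),
               datetime(2012, 2, 20, 19), datetime(2012, 2, 14, 12))
# Lab 2: 19 March 2015 (a Thursday, time taken from the debug timestamps)
# versus the 'clock set 10:10:10 jan 10 2015' value (a Saturday).
LAB2_CLOCKS = (datetime(2015, 3, 19, 13, 39), datetime(2015, 1, 10, 10, 10, 10))


def active_aces(acl: list, clock: datetime) -> list:
    """Return the ACEs in effect at 'clock'. An ACE whose time-range is inactive
    is skipped as if it were not in the list, so a packet it would have matched
    falls through to later entries or to the implicit deny."""
    return [f"{action} {match}" for action, match, tr in acl
            if tr is None or time_range_active(tr, clock)]


def lab1_telnet_allowed(clock: datetime) -> bool:
    """ACL 102 permits telnet only while WEEKDAYS is active."""
    return time_range_active(TR_WEEKDAYS, clock)


if __name__ == "__main__":
    for c in LAB1_CLOCKS:
        print(c.strftime("%a %d %b %Y %H:%M"), "telnet allowed:", lab1_telnet_allowed(c))
    for c in LAB2_CLOCKS:
        print(c.strftime("%a %d %b %Y %H:%M"), active_aces(ACL_115, c))
```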
R2#sh clock

R2(config)#time-range DENY_FTP
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#exit
R2(config)#time-range TELNET
R2(config-time-range)#absolute start 09:00 1 january 2015 end 17:00 31 january 2015
R2(config-time-range)#end

R2#sh time-range
time-range entry: DENY_FTP (active)
   periodic weekdays 9:00 to 17:00
time-range entry: TELNET (inactive)
   absolute start 09:00 01 January 2015 end 17:00 31 January 2015

R2(config)#access-list 115 deny tcp any any eq ftp time-range DENY_FTP
R2(config)#access-list 115 permit tcp any any eq telnet time-range TELNET
R2(config)#access-list 115 permit ospf any any
R2(config)#int s1/0
R2(config-if)#ip access-group 115 in
R2(config-if)#end

R2#sh clock
R2#sh access-lists
Extended IP access list 115
    10 deny tcp any any eq ftp time-range DENY_FTP (active)
    20 permit tcp any any eq telnet time-range TELNET (inactive)
    30 permit ospf any any (11 matches)

R2(config)#line vty 0 4
R2(config-line)#password cisco
R2(config-line)#login
R2(config-line)#exit

R1#telnet 1.1.1.2
R1#sh clock

If we try to telnet to R2 now, we are not able to: the TELNET time range is allowed only in the month of January, while the clock on R2 reads March 19 2015.

* Change the time and date on R2 to match the ACL time range.
* Ensure that you are then allowed to telnet to R2.

R2#sh clock
R2#clock set 10:10:10 jan 10 2015
R2#sh clock
R2#sh time-range
time-range entry: DENY_FTP (inactive)
   periodic weekdays 9:00 to 17:00
   used in: IP ACL entry
time-range entry: TELNET (active)
   absolute start 09:00 01 January 2015 end 17:00 31 January 2015
   used in: IP ACL entry

(10 January 2015 is a Saturday, so the periodic weekdays range DENY_FTP is inactive while the absolute range TELNET is active.)

R1#telnet 1.1.1.2
Trying 1.1.1.2 ...
Open

User Access Verification
Password:
R2>exit

R2#sh access-lists
Extended IP access list 115
    10 deny tcp any any eq ftp time-range DENY_FTP (inactive)
    20 permit tcp any any eq telnet time-range TELNET (active) (48 matches)
    30 permit ospf any any (56 matches)

IPv6 ACL

* An ACL is a set of rules which allows or denies specific traffic moving through the router.
* It is a Layer 3 security feature which controls the flow of traffic from one router to another.
* It is also called a packet filtering firewall.
* If you've worked with IPv4 access lists (ACLs) on Cisco IOS before, IPv6 ACLs will feel quite familiar to you.

IPv6 ACL (compared to IPv4 ACL)

* IPv6 supports only named, extended access lists.
* IPv6 ACE addresses use CIDR notation instead of wildcard masks.
* IPv6 ACLs are applied to interfaces using the command ipv6 traffic-filter.
* IPv6 ACLs are applied to lines using the command ipv6 access-class.

IPv6 ACL lab

1. Configure an ACL to deny the R1 f0/0 interface communicating with any R3 interface.
2. Configure an ACL to deny the R1 loop 0 interface communicating with R3 loop 0.
3. Configure an ACL so that the R2 f0/0 interface is not able to telnet to R3 f0/0.
4. Configure an ACL so that the R1 loop 1 interface is not able to access the http service on R3 loop 1.
5. Configure an ACL so that the R2 loop 2 interface is not able to access the DNS service on R3 loop 2.
6. Configure an ACL so that the R1 loop 3 interface is not able to ping or trace R3 loop 3.
7. Make sure that the above ACL does not affect the others.
R3(config)#ipv6 access-list CCIE
R3(config-ipv6-acl)#deny ipv6 host FC00:11::1 any
R3(config-ipv6-acl)#deny ipv6 host 2001::1 host 2001::3
R3(config-ipv6-acl)#deny tcp host 2001::2 host FC00:33::3 eq telnet
R3(config-ipv6-acl)#deny tcp host 2001:1111::1 host 2001:3333::1 eq www
R3(config-ipv6-acl)#deny udp host 2001:2222::2 host 2001:3333::2 eq domain
R3(config-ipv6-acl)#deny icmp host 2001:1111::3 host 2001:3333::3 echo-request
R3(config-ipv6-acl)#deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply
R3(config-ipv6-acl)#permit ipv6 any any
R3(config)#int s1/0
R3(config-if)#ipv6 traffic-filter CCIE in
R3(config-if)#exit

LAB : IPv6 ACL

(Topology diagram: R1, R2 and R3 in a row with loopbacks such as 2001:1111::1/128 on R1, 2001:2222::x on R2 and 2001:3333::x on R3.)

TASK:
* Configure IPv6 addressing as per the diagram.
* Advertise the interfaces using OSPFv3 to provide reachability.

R1#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::CE01:12FF:FEC0:0
    FC00:11::1
Serial1/0                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001:1…
Serial1/1                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001:1…
Serial1/2                  [administratively down/down]
Serial1/3                  [administratively down/down]
Loopback0                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001::1
Loopback1                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001:1111::1
Loopback2                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001:1111::2
Loopback3                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001:1111::3

R2#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::CE02:12FF:FEC0:0
    FC00:22::2
Serial1/0                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001…
Serial1/1                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001:23…
Serial1/2                  [administratively down/down]
Serial1/3                  [administratively down/down]
Loopback0                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001::2
Loopback1
                           [up/up]
    FE80::CE02:12FF:FEC0:0
    2001:2222::1
Loopback2                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001:2222::2
Loopback3                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001:2222::3

R3#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::CE03:12FF:FEC0:0
    FC00:33::3
Serial1/0                  [up/up]
    FE80::CE03:12FF:FEC0:0
    2001:23…
Serial1/1                  [up/down]
    FE80::CE03:12FF:FEC0:0
    2001:34::3
Serial1/2                  [administratively down/down]
Serial1/3                  [administratively down/down]
Loopback0                  [up/up]
    FE80::CE03:12FF:FEC0:0
    2001::3
Loopback1                  [up/up]
    FE80::CE03:12FF:FEC0:0
    2001:3333::1
Loopback2                  [up/up]
    FE80::CE03:12FF:FEC0:0
    2001:3333::2
Loopback3                  [up/up]
    FE80::CE03:12FF:FEC0:0
    2001:3333::3

TASK: Configure OSPF to provide reachability between the connected and loopback interfaces:

R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router ospf 1
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#exit
R1(config)#int f0/0
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit
R1(config)#int loop 0
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit
R1(config)#int loop 1
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit
R1(config)#int loop 2
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit
R1(config)#int loop 3
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit

R2(config)#ipv6 unicast-routing
R2(config)#ipv6 router ospf 1
R2(config-rtr)#router-id 2.2.2.2
R2(config-rtr)#exit
R2(config)#int f0/0
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int s1/0
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int s1/1
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int loop 0
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int loop 1
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int loop 2
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int loop 3
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit

R3(config)#ipv6 unicast-routing
R3(config)#ipv6 router ospf 1
R3(config-rtr)#router-id 3.3.3.3
R3(config)#int …
R3(config-if)#ipv6 ospf 1 area 0
R3(config)#int …
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#exit
R3(config)#int loop 2
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#exit
R3(config)#int loop 3
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#exit

R2#sh ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
3.3.3.3           1   FULL/  -        00:00:32    5               Serial1/1
1.1.1.1           1   FULL/  -        00:00:30    5               Serial1/0

R2#sh ipv6 route ospf
IPv6 Routing Table - 21 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O   2001::1/128 [110/64]
     via FE80::CE01:12FF:FEC0:0, Serial1/0
O   2001::3/128 [110/64]
     via FE80::CE03:12FF:FEC0:0, Serial1/1
O   2001:1111::1/128 [110/64]
     via FE80::CE01:12FF:FEC0:0, Serial1/0
O   2001:1111::2/128 [110/64]
     via FE80::CE01:12FF:FEC0:0, Serial1/0
O   2001:1111::3/128 [110/64]
     via FE80::CE01:12FF:FEC0:0, Serial1/0
O   2001:3333::1/128 [110/64]
     via FE80::CE03:12FF:FEC0:0, Serial1/1
O   2001:3333::2/128 [110/64]
     via FE80::CE03:12FF:FEC0:0, Serial1/1
O   2001:3333::3/128 [110/64]
     via FE80::CE03:12FF:FEC0:0, Serial1/1
O   FC00:33::3/128 [110/64]
     via FE80::CE03:12FF:FEC0:0, Serial1/1

TASK:
* Configure an ACL to deny the R1 f0/0 interface communicating with any R3 interface.
* Configure an ACL to deny the R1 loop 0 interface communicating with R3 loop 0.
* Configure an ACL so that the R2 f0/0 interface is not able to telnet to R3 f0/0.
* Configure an ACL so that the R1 loop 1 interface is not able to access the http service on R3 loop 1.
* Configure an ACL so that the R2 loop 2 interface is not able to access the dns service on R3 loop 2.
* Configure an ACL so that the R1 loop 3 interface is not able to ping or trace R3 loop 3.
* Make sure that the above ACL does not affect the others.

R3(config)#ipv6 access-list CCIE
R3(config-ipv6-acl)#deny ipv6 host FC00:11::1 any
R3(config-ipv6-acl)#deny ipv6 host 2001::1 host 2001::3
R3(config-ipv6-acl)#deny tcp host 2001::2 host FC00:33::3 eq telnet
R3(config-ipv6-acl)#deny tcp host 2001:1111::1 host 2001:3333::1 eq www
R3(config-ipv6-acl)#deny udp host 2001:2222::2 host 2001:3333::2 eq domain
R3(config-ipv6-acl)#deny icmp host 2001:1111::3 host 2001:3333::3 echo-request
R3(config-ipv6-acl)#deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply
R3(config-ipv6-acl)#permit ipv6 any any
R3(config)#int s1/0
R3(config-if)#ipv6 traffic-filter CCIE in
R3(config-if)#exit

R1#ping fc00:33::3 source fc00:11::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC00:33::3, timeout is 2 seconds:
Packet sent with a source address of FC00:11::1
.....
Success rate is 0 percent (0/5)

R1#ping fc00:33::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC00:33::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/46/88 ms

R1#ping fc00:33::3 source 2001:1111::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC00:33::3, timeout is 2 seconds:
Packet sent with a source address of 2001:1111::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/34/44 ms
R3#sh ipv6 access-list
IPv6 access list CCIE
    deny ipv6 host 2001::1 host 2001::3 sequence 20
    deny tcp host 2001::2 host FC00:33::3 eq telnet sequence 30
    deny tcp host 2001:1111::1 host 2001:3333::1 eq www sequence 40
    deny udp host 2001:2222::2 host 2001:3333::2 eq domain sequence 50
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-request sequence 60
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply sequence 70
    permit ipv6 any any (17 matches) sequence 80

R1#ping 2001::3 source 2001::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::3, timeout is 2 seconds:
Packet sent with a source address of 2001::1
.....
Success rate is 0 percent (0/5)

R3#sh ipv6 access-list
IPv6 access list CCIE
    deny ipv6 host FC00:11::1 any (10 matches) sequence 10
    deny ipv6 host 2001::1 host 2001::3 (5 matches) sequence 20
    deny tcp host 2001::2 host FC00:33::3 eq telnet sequence 30
    deny tcp host 2001:1111::1 host 2001:3333::1 eq www sequence 40
    deny udp host 2001:2222::2 host 2001:3333::2 eq domain sequence 50
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-request sequence 60
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply sequence 70
    permit ipv6 any any (20 matches) sequence 80

R3(config)#line vty 0 4
R3(config-line)#no login
R3(config-line)#exit

R2#telnet fc00:33::3 /source-interface loopback 0
Trying FC00:33::3 ...
% Destination unreachable; gateway or host down

R3#sh ipv6 access-list
IPv6 access list CCIE
    deny ipv6 host FC00:11::1 any (10 matches) sequence 10
    deny ipv6 host 2001::1 host 2001::3 (5 matches) sequence 20
    deny tcp host 2001::2 host FC00:33::3 eq telnet (1 match) sequence 30
    deny tcp host 2001:1111::1 host 2001:3333::1 eq www sequence 40
    deny udp host 2001:2222::2 host 2001:3333::2 eq domain sequence 50
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-request sequence 60
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply sequence 70
    permit ipv6 any any (51 matches) sequence 80

R2#telnet fc00:33::3
Trying FC00:33::3 ... Open
R3>exit
[Connection to fc00:33::3 closed by foreign host]

R1#ping 2001:3333::3 source 2001:1111::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:3333::3, timeout is 2 seconds:
Packet sent with a source address of 2001:1111::3
.....
Success rate is 0 percent (0/5)

R3#sh ipv6 access-list
IPv6 access list CCIE
    deny ipv6 host FC00:11::1 any (10 matches) sequence 10
    deny ipv6 host 2001::1 host 2001::3 (5 matches) sequence 20
    deny tcp host 2001::2 host FC00:33::3 eq telnet (1 match) sequence 30
    deny tcp host 2001:1111::1 host 2001:3333::1 eq www sequence 40
    deny udp host 2001:2222::2 host 2001:3333::2 eq domain sequence 50
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-request (5 matches) sequence 60
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply sequence 70
    permit ipv6 any any (73 matches) sequence 80

Device Access Security

Configuring Device Names

* Without names, network devices are difficult to identify for configuration purposes.
* Hostnames allow devices to be identified by network administrators over a network or the Internet.

Global configuration mode:
Router# configure terminal
Router(config)#
Router(config)# hostname NOA
Assigning Passwords

* Console
* Auxiliary
* VTY line (telnet)

Assigning console password:
Router(config)# line con 0
Router(config-line)# password <password>
Router(config-line)# login   (line mode)
Router(config-line)# exit

Assigning auxiliary password:
Router(config)# line aux 0
Router(config-line)# password <password>
Router(config-line)# login   (line mode)
Router(config-line)# exit

Assigning telnet password:
Router(config)# line vty 0 4
Router(config-line)# password <password>
Router(config-line)# login   (line mode)
Router(config-line)# exit

Enable Password

Router> enable
Password:

Router(config)# enable password <password>
The password will be saved in clear text.
OR
Router(config)# enable secret <password>
The password will be saved as a one-way hash, not in a recoverable form.

Encrypting Password Display

Router(config)# service password-encryption

To save the configuration:
Router# copy running-config startup-config
(OR)
Router# write memory
(OR)
Router# write

Erase all configurations:
NOA# erase startup-config
NOA# reload

Limiting Device Access - MOTD Banner

Banner Messages:
Router(config)# banner motd # ... #
To change the hostname of the router:
  Router(config)# hostname HYDERABAD
  HYDERABAD(config)#

To assign the console password:
  HYDERABAD(config)# line console 0
  HYDERABAD(config-line)# password cisco123
  HYDERABAD(config-line)# login
  HYDERABAD(config-line)# end
  %SYS-5-CONFIG_I: Configured from console by console
  HYDERABAD# exit

  HYDERABAD con0 is now available
  Press RETURN to get started.
  User Access Verification
  Password:             (enter the console password which was configured)
  HYDERABAD>
  HYDERABAD> enable
  HYDERABAD# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  HYDERABAD(config)# line vty 0 4
  HYDERABAD(config-line)# password ccna123
  HYDERABAD(config-line)# login
  HYDERABAD(config-line)# exit
  HYDERABAD(config)# enable password ccnp123
  HYDERABAD(config)# exit
  HYDERABAD# exit

  HYDERABAD con0 is now available
  Press RETURN to get started.
  User Access Verification
  Password:             (enter the console password which was configured)
  HYDERABAD> enable
  Password:             (enter the enable password which was configured)
  HYDERABAD#
  HYDERABAD# show running-config
  Building configuration...
  Current configuration : 480 bytes
  !
  version 12.2
  no service timestamps log datetime msec
  no service timestamps debug datetime msec
  no service password-encryption
  !
  hostname HYDERABAD
  !
  !

  HYDERABAD# configure terminal
  HYDERABAD(config)# enable secret ccie123
  HYDERABAD(config)# exit
  HYDERABAD# show running-config
  Building configuration...
  Current configuration : 527 bytes
  !
  version 12.2
  no service timestamps log datetime msec
  no service timestamps debug datetime msec
  no service password-encryption
  !
  hostname HYDERABAD
  !
  enable secret 5 <hash>
  enable password ccnp123
  !
IOS Device Access Security: AAA, Privilege Levels

Assigning Passwords
  - Console
  - Auxiliary
  - VTY line (telnet)

Access Port Passwords

Command to restrict access to privileged EXEC mode:
  R1(config)# enable secret cisco

Commands to establish a login password on incoming Telnet sessions:
  R1(config)# line vty 0 4
  R1(config-line)# password cisco
  R1(config-line)# login

Commands to establish a login password for dial-up modem connections (aux port):
  R1(config)# line aux 0
  R1(config-line)# password cisco
  R1(config-line)# login

Commands to establish a login password on the console line (PC with terminal emulation software):
  R1(config)# line con 0
  R1(config-line)# password cisco
  R1(config-line)# login

Unattended connections should be disabled:
  R1(config)# line console 0
  R1(config-line)# password console123
  R1(config-line)# exec-timeout 5 0
  R1(config-line)# login
  R1(config-line)# logging synchronous

  R1(config)# line aux 0
  R1(config-line)# password ciscoauxpass
  R1(config-line)# exec-timeout 5 0
  R1(config-line)# login
  R1(config-line)# exit

  R1(config)# line vty 0 4
  R1(config-line)# password ciscovtypass
  R1(config-line)# exec-timeout 5 0
  R1(config-line)# login

  - For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity.
  - The logging synchronous command prevents console messages from interrupting command entry.

All passwords in the configuration file should be encrypted:
  R1(config)# service password-encryption
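As an added example (not from the workbook), the Python script below audits a saved running-config for the settings these slides harden, together with the minimum password length and login block-for commands covered next. The two sample configs are constructed, and the "password 7" strings in them are placeholders rather than real encodings.

```python
"""Audit a saved Cisco IOS running-config for the hardening steps in this chapter.

Added example, not part of the workbook. Each check maps to one command the
chapter applies on the router.
"""
import re

# Constructed sample configs (not captured from a real router), modelled on
# the 'show running-config' output shown in the lab before and after hardening.
WEAK_CONFIG = """\
no service password-encryption
enable password ccnp123
line con 0
 password console123
 login
line aux 0
 password ciscoauxpass
 exec-timeout 0 0
 login
line vty 0 4
 password ciscovtypass
 login
end
"""

HARDENED_CONFIG = """\
service password-encryption
security passwords min-length 10
enable secret 5 $1$ruu.$/YVTdBnpONm2AOFKNx9fq.
login block-for 60 attempts 2 within 30
line con 0
 exec-timeout 5 0
 password 7 0123456789ABCDEF
 login local
line vty 0 4
 exec-timeout 5 0
 password 7 0123456789ABCDEF
 login local
end
"""


def parse_config(text):
    """Split a running-config into global commands and per-'line' sections."""
    global_cmds, line_sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):              # indented: belongs to the open section
            if current is not None:
                line_sections[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw.strip()
            line_sections[current] = []
        else:
            global_cmds.append(raw.strip())
    return global_cmds, line_sections


def audit_config(text, min_length=10):
    """Return one finding per failed check; an empty list means all checks passed."""
    global_cmds, line_sections = parse_config(text)
    findings = []
    if "service password-encryption" not in global_cmds:
        findings.append("global: service password-encryption is disabled")
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("global: no enable secret configured")
    if any(c.startswith("enable password") for c in global_cmds):
        findings.append("global: enable password present; rely on enable secret only")
    m = next((re.match(r"security passwords min-length (\d+)$", c)
              for c in global_cmds if c.startswith("security passwords")), None)
    if m is None or int(m.group(1)) < min_length:
        findings.append(f"global: security passwords min-length below {min_length}")
    if not any(c.startswith("login block-for") for c in global_cmds):
        findings.append("global: login block-for not configured")
    for name, cmds in line_sections.items():
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{name}: exec-timeout not set (IOS default applies)")
        elif timeout.split()[1:] == ["0", "0"]:
            findings.append(f"{name}: exec-timeout 0 0 never expires")
        if not any(c == "login" or c.startswith(("login local", "login authentication"))
                   for c in cmds):
            findings.append(f"{name}: no login check on this line")
        # 'password <word>' (one token) is clear text; 'password 7 <hex>' is encoded
        if any(re.fullmatch(r"password \S+", c) for c in cmds):
            findings.append(f"{name}: clear-text line password")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or ["all checks passed"])
```

Feed it the text of `show running-config` saved from a device; the hardened sample returns no findings, the weak one returns eleven.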
To increase the security of passwords, use additional configuration parameters:
  - Minimum password lengths should be enforced.
  - Unattended connections should be disabled.
  - All passwords in the configuration file should be encrypted.

Password Security
  Router(config)# security passwords min-length <length>
  R1(config)# security passwords min-length 10
  R1(config)# enable secret cisco
  R1(config)# enable secret cisco12345

  Router(config)# login block-for <seconds> attempts <tries> within <seconds>
  R1(config)# login block-for 60 attempts 2 within 30

  - Use the login block-for command to help prevent brute-force login attempts from a virtual connection, such as Telnet, SSH, or HTTP.
  - This can help slow down dictionary attacks and help protect the router from a possible DoS attack.

Password Best Practices
  - An acceptable password length is 10 or more characters.
  - Complex passwords include a mix of upper and lowercase letters, numbers, symbols and spaces.
  - Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information.
  - Deliberately misspell a password.
  - Change passwords often.
  - Do not write passwords down and leave them in obvious places.

LAB : Cisco Login Enhancements

TASK: Configure a minimum password length for all router passwords.
  - Use the security passwords command to set a minimum password length of 10 characters.
  R1(config)# security passwords min-length 10
  R1(config)# enable secret cisco

TASK: Configure the enable secret encrypted password on both routers.
  R1(config)# enable secret cisco12345

TASK: Configure basic console, auxiliary port, and virtual access lines.
Note:
  - Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab.
  - More complex passwords are recommended in a production network.
  - Configure a console password and enable login for routers.
  - For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity.
  - The logging synchronous command prevents console messages from interrupting command entry.
  - To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.

  R1(config)# line console 0
  R1(config-line)# password console123
  R1(config-line)# exec-timeout 5 0
  R1(config-line)# login
  R1(config-line)# logging synchronous

TASK: Configure a password for the AUX port for router R1.
  R1(config)# line aux 0
  R1(config-line)# password ciscoauxpass
  R1(config-line)# exec-timeout 5 0
  R1(config-line)# login
  R1(config-line)# exit
  R1(config)# line vty 0 4
  R1(config-line)# password ciscovtypass
  R1(config-line)# exec-timeout 5 0
  R1(config-line)# login
  R1(config-line)# end

  R1# show running-config
  Building configuration...
  Current configuration : 1766 bytes
  !
  ! Last configuration change at 1...:54 UTC Fri Mar 27 2015
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  hostname R1
  !
  security passwords min-length 10
  enable secret 5 $1$ruu.$/YVTdBnpONm2AOFKNx9fq.
  !
  line con 0
   exec-timeout 5 0
   password console123
   logging synchronous
   login
   stopbits 1
  line aux 0
   exec-timeout 5 0
   password ciscoauxpass
   logging synchronous
   login
   stopbits 1
  line vty 0 4
   exec-timeout 5 0
   login
  !
  !
  end

TASK: Encrypt clear text passwords.
  - Use the service password-encryption command to encrypt the console, aux, and vty passwords.
  R1(config)# service password-encryption

  R1# show running-config
  Building configuration...
  Current configuration : 1840 bytes
  !
  ! Last configuration change at 16:10:16 UTC Fri Mar 27 2015
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname R1
  !
  security passwords min-length 10
  enable secret 5 $1$ruu.$/YVTdBnpONm2AOFKNx9fq.
  !
  line con 0
   exec-timeout 5 0
   privilege level 15
   logging synchronous
   login
   stopbits 1
  line vty 0 4
   exec-timeout 5 0
   login
  !
  !
  end

TASK:
  - Create local username: admin, password: cisco123 on R1.
  - Ensure that R1 can be logged into via console or VTY using username and password (login local).

Topology: PC (192.168.1.1) -- f0/0 R1 (192.168.1.100)

  R1(config)# username admin password cisco
  R1(config)# line con 0
  R1(config-line)# login local
  R1(config-line)# exit
  R1(config)# exit
  R1# exit

  R1 con0 is now available
  Press RETURN to get started.
  Username: admin
  Password:
  R1> enable
  Password:

To verify Telnet access:
  R1(config)# username admin password cisco      (already created in the previous task)
  R1(config)# int f0/0
  R1(config-if)# ip address 192.168.1.100 255.255.255.0
  R1(config-if)# no shutdown
  R1(config-if)# exit
  R1(config)# line vty 0 4
  R1(config-line)# login local
  R1(config-line)# exit

Get into the PC command line to verify Telnet:
  PC> ipconfig
  FastEthernet0 Connection:(default port)
     Link-local IPv6 Address.........: FE80::20..:85FF:FECT:199D
     IP Address......................: 192.168.1.1
     Subnet Mask.....................: 255.255.255.0
     Default Gateway.................: 192.168.1.100
  PC> ping 192.168.1.100
  Pinging 192.168.1.100 with 32 bytes of data:
  Reply from 192.168.1.100: bytes=32 time=1ms TTL=255
  Reply from 192.168.1.100: bytes=32 time=0ms TTL=255
  Reply from 192.168.1.100: bytes=32 time=0ms TTL=255
  Reply from 192.168.1.100: bytes=32 time=0ms TTL=255
  Ping statistics for 192.168.1.100:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 0ms, Maximum = 1ms, Average = 0ms

  PC> telnet 192.168.1.100
  Trying 192.168.1.100 ...Open
  User Access Verification
  Username: admin
  Password:
  R1> enable
  Password:

TASK: Enhanced Virtual Login Security on Routers.
  - PC and router are preconfigured with IP addressing as per the diagram.
  - Configure the router to protect against login attacks.
  - Use the login block-for command to configure a 60 second login shutdown (quiet mode timer) if two failed login attempts are made within 30 seconds.
  - Use the login block-for command to help prevent brute-force login attempts from a virtual connection, such as Telnet, SSH, or HTTP.
  - This can help slow down dictionary attacks and help protect the router from a possible DoS attack.

Topology: PC (192.168.1.1) -- f0/0 R1 (192.168.1.100)

From the user EXEC or privileged EXEC prompt, issue the show login command to see the current router login attack settings.
  R1# show login
  No login delay has been applied.
  No Quiet-Mode access list has been configured.
  Router NOT enabled to watch for login Attacks

  R1(config)# login block-for 60 attempts 2 within 30
  R1(config)# exit
  R1# show login
  A default login delay of 1 seconds is applied.
  No Quiet-Mode access list has been configured.
  Router enabled to watch for login Attacks.
  Router presently in Normal-Mode.
  Current Watch Window remaining time 26 seconds.
  Present login failure count 0.
  R1#

  - Telnet from the PC, provide wrong login information and see the login blocked.
  PC> telnet 192.168.1.100
  Trying 192.168.1.100 ... Open
  User Access Verification
  Username: difkidt
  Password:
  Username: dfdkfj
  Password:

  PC> telnet 192.168.1.100
  Trying 192.168.1.100 ...
  PC>

  Router# show login
  A default login delay of 1 seconds is applied.
  No Quiet-Mode access list has been configured.
  Router enabled to watch for login Attacks.
  If more than 2 login failures occur in 30 seconds or less, logins will be disabled for 60 seconds.
  Router presently in Normal-Mode.
  Current Watch Window Time remaining: 4 seconds.
  Login failures for current window: 0.
  Total login failures: 1.
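The watch-window behaviour just demonstrated, modelled in Python as an added example (not the workbook's code): the parameters follow login block-for 60 attempts 2 within 30, the timestamps are constructed, and the optional quiet-mode access list mirrors the "Quiet-Mode access list" line of show login. Quiet mode is entered on the second failure, as the lab's telnet sequence shows.

```python
"""Model of the IOS 'login block-for' watch window and quiet mode.

Added example, not the workbook's code. Times are plain seconds so the lab's
telnet sequence can be replayed offline and checked.
"""


class LoginGuard:
    """Tracks failed logins the way the lab's 'show login' output reports them."""

    def __init__(self, block_for, attempts, within, quiet_acl=frozenset()):
        self.block_for = block_for    # quiet-mode duration in seconds
        self.attempts = attempts      # failures that trigger quiet mode
        self.within = within          # watch-window length in seconds
        self.quiet_acl = quiet_acl    # sources still admitted during quiet mode
        self.window_start = None      # start time of the current watch window
        self.window_failures = 0      # 'Login failures for current window'
        self.total_failures = 0       # 'Total login failures'
        self.quiet_until = None       # end of quiet mode, if it is active

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def connection_allowed(self, now, src):
        """Quiet mode refuses new virtual logins unless the quiet-mode ACL permits src."""
        return not self.in_quiet_mode(now) or src in self.quiet_acl

    def record_failure(self, now):
        """Count a failed login; returns True when this failure starts quiet mode."""
        self.total_failures += 1
        # A watch window opens on the first failure and lasts 'within' seconds;
        # a failure after it has expired opens a fresh window with a reset count.
        if self.window_start is None or now - self.window_start > self.within:
            self.window_start, self.window_failures = now, 0
        self.window_failures += 1
        if self.window_failures >= self.attempts:
            self.quiet_until = now + self.block_for
            self.window_start, self.window_failures = None, 0
            return True
        return False

    def status(self, now):
        """One-line summary in the spirit of 'show login'."""
        if self.in_quiet_mode(now):
            return f"Quiet-Mode, {self.quiet_until - now:.0f} seconds remaining"
        if self.window_start is not None and now - self.window_start <= self.within:
            left = self.within - (now - self.window_start)
            return (f"Normal-Mode, watch window remaining {left:.0f} seconds, "
                    f"failures {self.window_failures}")
        return "Normal-Mode, no active watch window"


def replay_lab():
    """Replay the lab with constructed timestamps: two bad passwords, then a third telnet."""
    guard = LoginGuard(block_for=60, attempts=2, within=30)
    pc = "192.168.1.1"                      # the PC in the lab diagram
    results = {
        "fail@0": guard.record_failure(0),                 # username 'difkidt'
        "fail@10": guard.record_failure(10),               # username 'dfdkfj' -> quiet mode
        "telnet@15": guard.connection_allowed(15, pc),     # refused, as in the lab
        "telnet@71": guard.connection_allowed(71, pc),     # 60 seconds have passed
        "status@15": guard.status(15),
    }
    return results


if __name__ == "__main__":
    for key, value in replay_lab().items():
        print(f"{key}: {value}")
```

Populating quiet_acl with the management hosts is the model's equivalent of a quiet-mode access list, which keeps administrators from being locked out by someone else's failed attempts.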
LAB : Cisco IOS Resilient Configuration
  - The feature enables a router to secure the running image and maintain a working copy of the configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
  - The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.

We are going to examine a related Cisco IOS security feature, dubbed resilient configuration.
This feature enables critical router files, namely the IOS image and configuration, to persist despite destructive events such as deletion of the startup configuration or a format of the Flash filesystem. The feature does not require any external services; all persistent files are stored locally on the router.

Enabling Resilient Configuration
  - The binary IOS image used to boot the router is stored on the Flash filesystem, which is a type of memory very similar to that found inside a USB thumb drive. The startup configuration file is stored on a separate filesystem, NVRAM.
  - The contents of both filesystems can be viewed with the dir command.

  Router# dir flash:
  Directory of flash:/
      2  -rw-         600  Sep 26 2010 07:28:12 +00:00  vlan.dat
  128237568 bytes total (104644608 bytes free)

  Router# dir nvram:
  Directory of nvram:/
    189  -rw-        1396  startup-config
    190  ----          24  private-config
    191  -rw-        1396  underlying-config
      1  -rw-           0  ifIndex-table
      2  -rw-         593  IOS-Self-Sig#3401.cer
      3  ----          32  persistent-data
      4  -rw-        2945  cwmp_inventory
     21  -rw-         581  IOS-Self-Sig#1.cer
  196600 bytes total (130616 bytes free)

The resilient image and configuration features are enabled with one command each.
  Router(config)# secure boot-image
  Router(config)# secure boot-config

  - The secure boot-image command enables Cisco IOS image resilience, which hides the file from dir and show commands.
  - The file cannot be viewed, copied, modified, or removed using EXEC mode commands. (It can be viewed in ROMMON mode.)
  - When turned on for the first time, the running image is secured.
  - The secure boot-config command takes a snapshot of the router running configuration and securely archives it in persistent storage (flash).
  - The combination of the secured IOS image and configuration file is referred to as the bootset.
We can verify the secure configuration with the command show secure bootset.
  Router# show secure bootset
  IOS resilience router id FHK110913UQ

  IOS image resilience version 12.4 activated at 02:00:30 UTC Sun Oct 17 2010
  Secure archive flash:c181x-advipservicesk9-mz.124-24.T.bin type is image (elf) []
    file size is 23587052 bytes, run size is 23752654 bytes
    Runnable image, entry point 0x80012000, run from ram

  IOS configuration resilience version 12.4 activated at 02:00:41 UTC Sun Oct 17 2010
  Secure archive flash:.runcfg-20101017-020040.ar type is config
  configuration archive size 1544 bytes

At this point, we notice that our IOS image file on Flash is now hidden.
  Router# dir flash:
  Directory of flash:/
      2  -rw-         600  Sep 26 2010 07:28:12 +00:00  vlan.dat
  128237568 bytes total (104636416 bytes free)

TASK : Restoring an Archived Configuration
  - Now suppose that the router's startup configuration file is erased (accidentally or otherwise) and the router is reloaded.
  - Naturally, it boots with a default configuration. The resilient configuration feature will even appear to be disabled.

  Router# erase startup-config
  Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
  [OK]
  Erase of nvram: complete
  Router# show startup-config
  startup-config is not present
  Router# reload
  System configuration has been modified. Save? [yes/no]: n
  Proceed with reload? [confirm]

  Router> enable
  Router# show secure bootset

  - To restore our original configuration, we simply have to extract it from the secure archive and save it to Flash.
  - Next, we can replace the current running configuration with the archived config using the configure replace command.
  Router(config)# secure boot-config restore flash:archived-config
  ios resilience:configuration successfully restored as flash:archived-config
  Router(config)# end
  Router# configure replace flash:archived-config
  Enter Y if you are sure you want to proceed. ? [no]: Y
  Total number of passes: 1
  Rollback Done

  - This will apply all necessary additions and deletions to replace the current running configuration with the contents of the specified configuration file, which is assumed to be a complete configuration, not a partial configuration.
  - Don't forget to save the running configuration once the restoration is complete (copy run start).

NOTE
  - Be aware that the resilient configuration file is not automatically updated along with the startup configuration.
  - To update it, you must first delete the existing resilient configuration and issue the secure boot-config command again.
  - The secure bootset features can only be disabled from the console line.

  Router(config)# no secure boot-config
  You must be logged on the console to apply this command
  command "no secure boot-config"

In fact, attempting to disable either part of the secure bootset generates a handy syslog message to alert administrators:
  Router(config)# no secure boot-config
  Router(config)# secure boot-config

Restoring an Archived IOS

Here we can see that the image persists even when the Flash filesystem appears to have been formatted.
  Router# format flash:
  Format operation may take a while. Continue? [confirm]
  Format operation will destroy all data in "flash:". Continue? [confirm]
  Writing Monlib sectors...
  Monlib write complete
  Format: All system sectors written. OK...
  Format: Total sectors in formatted partition: 250848
  Format: Total bytes in formatted partition: 128434176
  Format: Operation completed successfully.
  Format of flash: complete
  Router# dir
  Directory of flash:/
  No files in directory
  128237568 bytes total (104640512 bytes free)
  Router# reload
  Proceed with reload? [confirm]
  *Oct 17 02:37:37.127: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

  System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 2006 by cisco Systems, Inc.
  C1800 platform with 131072 Kbytes of main memory with parity disabled

  Upgrade ROMMON initialized
  program load complete, entry point: 0x80012000, size: 0xc0c0
  Initializing ATA monitor library...
  program load complete, entry point: 0x80012000, size: 0xc0c0
  Initializing ATA monitor library...
  program load complete, entry point: 0x80012000, size: 0x167e724
  Self decompressing the image : ################################ [OK]

  Restricted Rights Legend
  Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

  cisco Systems, Inc.
  170 West Tasman Drive
  San Jose, California 95134-1706

  Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2009 by Cisco Systems, Inc.
  Compiled Thu 26-Feb-09 03:22 by prod_rel_team

  Router> enable
  Password:
  Router# dir
  Directory of flash:/
  No files in directory
  128237568 bytes total (104640512 bytes free)
  Router# show version
  Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2009 by Cisco Systems, Inc.
  Compiled Thu 26-Feb-09 03:22 by prod_rel_team

Authentication - Local Database
  - Creates an individual user account/password on each device.
  - Provides accountability.
  - User accounts must be configured locally on each device.

  R1(config)# username Admin secret noa123
  R1(config)# line vty 0 4
  R1(config-line)# login local

  Figure: User Access Verification prompt; a wrong password for the username Admin is rejected with "% Login invalid".

Authentication - Local Database (contd)
  router(config)# username sikandar password noa123
  router(config)# line vty 0 4
  router(config-line)# login local
  router(config-line)# exit
  Router# telnet 192.168.1.100
  Trying 10.1.1.1 ... Open
  User Access Verification
  Username: Sikandar
  Password:

Drawbacks of local user authentication:
  - Usernames and passwords are stored locally.
  - No centralized control.
  - More administrative tasks.
  - Not scalable.

Using External Server Based Authentication
  - Usernames and passwords are stored in a remote server.
  - Allows centralized authentication.
  - Reduces administrative tasks.
  - Scalable.
External Authentication using AAA
  - Authentication: Who are you?
  - Authorization: Which resources is the user allowed to access, and which operations is the user allowed to perform?
  - Accounting: What did you spend it on?

Self-Contained AAA Authentication
  1. The client establishes a connection with the router.
  2. The AAA router prompts the user for a username and password.
  3. The router authenticates the username and password using the local database, and the user is authorized to access the network based on information in the local database.
  - Used for small networks.
  - Stores usernames and passwords locally in the Cisco router.

Server-Based AAA Authentication
  - Both RADIUS and TACACS+ are client/server AAA protocols.
  - Authenticate a username/password combination.
  - Determine if a user is allowed to connect to the client.
  - Servers: Cisco Secure ACS for Windows Server, Cisco Secure ACS Express.

Overview of TACACS+ and RADIUS
  - The TACACS+ or RADIUS protocols are used to communicate between the clients and the AAA security servers.
  - TACACS+: Terminal Access Controller Access Control System Plus.
  - RADIUS: Remote Authentication Dial-In User Service.
Local AAA Authentication Configuration
  R1(config)# aaa new-model
  R1(config)# username sikandar password noa123
  R1(config)# aaa authentication login default local
  R1(config)# line console 0          (or: line vty 0 4)
  R1(config-line)# login authentication default
  R1(config-line)# exit

Server-Based AAA Authentication
  - Centrally validate users wishing to gain access to a resource such as a router.
  - Uses an external database server: Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, Cisco Secure ACS Express.
  - More appropriate if there are multiple routers.

  1. The client establishes a connection with the router.
  2. The AAA router prompts the user for a username and password.
  3. The router authenticates the username and password using a remote AAA server.
  4. The user is authorized to access the network based on information on the remote AAA server.
