Section 4 Tasks
• Read today’s lesson notes (below)
• Review yesterday’s lesson notes
• Complete today’s lab
• Read the ICND1 cram guide
Switches and routers do not come with any security configuration. You need to add this depending upon your business requirements. The commands and procedures to secure your switch are pretty much the same as those for your router. Now it’s time to move on to the practical steps you can take to secure your router from attempts to log in and reconfigure, either accidentally or maliciously.
My first job at Cisco was on the core team. Our role involved helping customers with access control lists, IOS upgrades, disaster recovery, and related tasks. One of the first things which struck me was how many engineers didn’t lock down their routers with a password. Many of those who did used the password “password” or “cisco” – probably two of the most easily guessed, I would imagine!
In this section of the guide, we will look at the basic steps you should take on every network to protect your routers.
Today you will learn about the following:
• Protecting physical access
• Telnet access
• Protecting Enable mode
• Router logging
• Securing the switch
This module maps to the following CCNA syllabus requirements:
• Configure and verify network device security features, such as:
° Device password security
° Enable secret versus enable
° Transport
° Disable Telnet
° SSH
° VTYs
° Physical security
° Service password
• Describe external authentication methods
• Configure and verify Switch Port Security features, such as:
° Sticky MAC
° MAC address limitation
° Static/dynamic
° Violation modes
° Err disable
° Shutdown
° Protect restrict
° Shut down unused ports
° Err disable recovery
• Assign unused ports to an unused VLAN
• Set native VLAN to something other than VLAN 1
• Configure and verify NTP as a client
Protecting Physical Access
Strange that when you consider the disastrous consequences of losing network access for a business, you often find their router sitting underneath somebody’s desk! Network equipment should be stored in a secure room with keypad access, or at least lock and key access. Cisco routers can be very valuable pieces of equipment, and they are attractive targets to thieves. The larger the network, the more valuable the equipment, and the higher the need to protect the data and router configuration files.
Console Access
The console port is designed to give physical access to the router to permit initial configurations and disaster recovery. Anybody having console access can completely wipe or reconfigure the files, so, for this reason, the console port should be protected with a password by adding either a password or a local username and password, as illustrated below:
• Add a password
Router(config)#line console 0
Router(config-line)#password cisco
Router(config-line)#login
• Or add a local username and password
Router(config)#username paul password cisco
Router(config)#line console 0
Router(config-line)#login local
You can also create a timeout on the console (and VTY) lines so that it disconnects after a certain period of time. The default is 5 minutes.
Router(config)#line console 0
Router(config-line)#exec-timeout ?
  <0-35791>  Timeout in minutes
Router(config-line)#exec-timeout 2 ?
  <0-2147483>  Timeout in seconds
  <cr>
Router(config-line)#exec-timeout 2 30
Router(config-line)#
Telnet Access
You can’t actually Telnet into a router unless somebody adds a password to the Telnet or VTY lines. Again, you can add a password to the VTY lines or tell the router to look for a local username and password (in the configuration file or username and password stored on a RADIUS/TACACS server), as shown below:
Router(config)#line vty 0 15
Router(config-line)#password cisco
Router(config-line)#login          ← or login local
The output below is a Telnet session from one router to another. You can see the hostname change when you get Telnet access. The password will not show as you type it:
Router1#telnet 192.168.1.2
Trying 192.168.1.2 ...Open
User Access Verification
Username: paul
Password:
Router2>
If you have a security IOS image, you can configure the router to permit only SSH access rather than Telnet. The benefit of this is that all data is encrypted. If you try to Telnet after SSH has been enabled, the connection will be terminated:
Router1(config)#line vty 0 15
Router1(config-line)#transport input ssh

Router2#telnet 192.168.1.2
Trying 192.168.1.2 ...Open
[Connection to 192.168.1.2 closed by foreign host]
Protecting Enable Mode
Enable mode gives configuration access to the router, so you will want to protect this also. You can configure an enable secret or an enable password. In fact, you could have both at the same time, but this is a bad idea.
An enable password is unencrypted, so it can be seen in the router configuration. An enable secret is given level 5 (MD5) encryption, which is hard to break. Newer IOS releases (starting with 15.0(1)S) can also use level 4 (SHA256) encryption, which is superior to MD5 encryption (this level 5 encryption will be deprecated eventually). You can add the service password-encryption command to obscure your enable password, but this can be cracked easily because it is level 7 encryption (i.e., low security; Cisco calls it “over the shoulder security,” as it only requires someone looking over your shoulder to memorise a slightly harder phrase and then crack it using password 7 decryption tools on the Internet). You can see level 7 and level 5 encryption in the output below:
Router(config)#enable password cisco
Router(config)#exit
Router#show run
enable password cisco

Router(config)#enable password cisco
Router(config)#service password-encryption
Router#show run
enable password 7 0822455D0A16

Router(config)#enable secret cisco
Router(config)#exit
Router#show run
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
Bear in mind that if you forget the enable password, you will have to perform a password recovery on the router or switch. Google the term for the particular model you are using because the process differs. For routers, it involves reloading the device, pressing the designated break key on your keyboard, setting the configuration register to skip the startup configuration file (usually to 0x2142), and then issuing a copy start run command so you can create a new password.
For switches, it is a bit more complicated (again, Google the term for the particular model you are using), but it can also be done using a little trick – hold down the MODE button for eight seconds while powering on the switch. The switch will boot up with a blank configuration, and the last startup configuration will be saved to the flash in the file named config.text.renamed so it can be copied back to running configuration and modified with another password.
Protecting User Access
Cisco IOS offers the ability to give users individual passwords and usernames, as well as access to a restricted list of commands. This would be useful if you have tiers of network support. An example of this is shown in the following output:
RouterA#config term
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#username paul password cisco
RouterA(config)#username stuart password hello
RouterA(config)#username davie password football
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#exit
RouterA(config)#exit
You can specify access levels for user accounts on the router. You may want, for example, junior network team members to be able to use only some basic troubleshooting commands. It is also worth remembering that Cisco routers have two modes of password security, User mode (Exec) and Privileged mode (Enable).
Cisco routers have 16 different privilege levels (0 to 15) available to configure, where 15 is full access, as illustrated below:
RouterA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#username support privilege 4 password soccer
  LINE  Initial keywords of the command to modify
RouterA(config)#privilege exec level 4 ping
RouterA(config)#privilege exec level 4 traceroute
RouterA(config)#privilege exec level 4 show ip interface brief
RouterA(config)#line console 0
RouterA(config-line)#password basketball
RouterA(config-line)#login local          ← password is needed
RouterA(config-line)#^z
The support person logs in to the router and tries to go into configuration mode, but this command and any other command not available are not valid and cannot be seen:
RouterA con0 is now available
Press RETURN to get started.
User Access Verification
Username: support
Password:
RouterA#config t          ← not allowed to use this command
         ^
% Invalid input detected at ‘^’ marker.
You can see the default privilege levels at the router prompts:
Router>show privilege
Current privilege level is 1
Router>en
Router#show priv
Router#show privilege
Current privilege level is 15
Router#
Updating the IOS
Admittedly, updating the IOS can sometimes introduce new bugs or problems into your network, so it is best practice to do this on the advice of Cisco if you have a TAC support contract. In general, though, keeping your IOS up to date is highly recommended. Updating your IOS:
• Fixes known bugs
• Closes security vulnerabilities
• Offers enhanced features and IOS capabilities
Router Logging
Routers offer the ability to log events. They can send the log messages to your screen or a server if you wish. You should log router messages, and there are eight levels of logging severity available (you need to know them for the exam), as shown in the output below:
logging buffered ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
You can send the logging messages to several places:
Router(config)#logging ?
  A.B.C.D   IP address of the logging host
  buffered  Set buffered logging parameters
  console   Set console logging parameters
  host      Set syslog server IP address and parameters
  on        Enable logging to all enabled destinations
  trap      Set syslog server logging level
  userinfo  Enable logging of user info on privileged mode enabling
Logging messages will usually be displayed on the screen when you are consoled into the router. This can prove somewhat annoying if you are typing configuration commands. Here, I’m typing a command (show ver) when it’s interrupted by a console logging message:
Router(config)#int f0/1
Router(config-if)#no shut
Router(config-if)#end
Router#
*Jun 27 02:06:59.951: %SYS-5-CONFIG_I: Configured from console by console
show ver
*Jun 27 02:07:01.151: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
You can either turn off logging messages with the no logging console command or you can set them to not interrupt as you type with the logging synchronous command, which re-enters the line you were typing before it was interrupted by the logging message (also available on VTY lines).
Router(config)#line con 0
Router(config-line)#logging synchronous
Router(config-line)#
Router(config-line)#exit
Router(config)#int f0/1
Router(config-if)#shut
Router(config-if)#exit
Router(config)#
*Jun 27 02:12:46.143: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
Router(config)#exit
It’s worth mentioning here that you won’t see console output when you are Telnetted (or using SSH) into the router. If you want to see logging messages when Telnetted in, then issue the terminal monitor command.
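As an added example (not from the original guide), the following Python parses IOS log lines of the form shown above into the eight severity levels, applies the same selection rule as logging trap <level> / logging buffered <level>, and pulls out the %SYS-5-CONFIG_I events that tell you who changed the configuration and from where. The sample lines are constructed from the console output in this section plus two lines in the service sequence-numbers / show-timezone format; the port-security message and its MAC address are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The eight IOS logging severities from the "logging buffered ?" help output,
# keyed by number (0 is the most severe, 7 the least).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# IOS message layout:  [seq: ][*]<timestamp>[ TZ]: %FACILITY-SEVERITY-MNEMONIC: text
#   seq appears when 'service sequence-numbers' is on, TZ with 'show-timezone',
#   and a leading '*' means the clock was not authoritative (no NTP sync).
LOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?P<unsynced>\*?)"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d{1,3})?(?:\s+[A-Z]{1,5})?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)

# Who/where inside a %SYS-5-CONFIG_I text, e.g.
# "Configured from console by paul on vty0 (192.168.1.10)"
CONFIG_I_RE = re.compile(
    r"\bby (?P<user>\S+)(?: on (?P<line>\S+)(?: \((?P<src>[\d.]+)\))?)?"
)


@dataclass
class IosLogMessage:
    seq: Optional[int]
    timestamp: str
    clock_unsynced: bool
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[IosLogMessage]:
    """Parse one line; return None for anything that is not a syslog message
    (such as the 'show ver' keystrokes interrupted in the output above)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return IosLogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        clock_unsynced=m["unsynced"] == "*",
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def parse_log(text: str) -> List[IosLogMessage]:
    return [msg for msg in map(parse_line, text.splitlines()) if msg is not None]


def filter_at_level(msgs: List[IosLogMessage], level: int) -> List[IosLogMessage]:
    """Same selection rule as 'logging trap <level>' or 'logging buffered <level>':
    a message is kept when its severity number is <= level."""
    return [m for m in msgs if m.severity <= level]


def config_changes(msgs: List[IosLogMessage]) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """(timestamp, user, line, source IP) for every configuration event, which is
    the first thing to review when asking who changed a device and from where."""
    out = []
    for m in msgs:
        if m.facility == "SYS" and m.mnemonic == "CONFIG_I":
            who = CONFIG_I_RE.search(m.text)
            if who:
                out.append((m.timestamp, who["user"], who["line"], who["src"]))
    return out


# Constructed sample: the console messages from this section, the interrupted
# 'show ver' keystrokes, and two lines in the sequence-number/timezone format
# (the port-security event and its MAC address are made up for illustration).
SAMPLE_LOG = """\
*Jun 27 02:06:59.951: %SYS-5-CONFIG_I: Configured from console by console
show ver
*Jun 27 02:07:01.151: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jun 27 02:12:46.143: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
000042: Jun 27 02:15:03.004 UTC: %SYS-5-CONFIG_I: Configured from console by paul on vty0 (192.168.1.10)
000043: Jun 27 02:16:10.112 UTC: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port FastEthernet0/3.
"""

if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for m in filter_at_level(msgs, 5):   # what 'logging trap notifications' would forward
        print(f"{m.severity} {m.severity_name:<13} %{m.facility}-{m.mnemonic}: {m.text}")
    print("configuration changes:", config_changes(msgs))
```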
Simple Network Management Protocol (SNMP)
SNMP is a service you can use to manage your network remotely. It consists of a central station maintained by an administrator running the SNMP management software and smaller files (agents) on each of your network devices, including routers, switches, and servers.
Several vendors have designed SNMP software, including HP, Cisco, IBM, and SolarWinds. There are also open source versions available. This software allows you to monitor bandwidth and activity on devices, such as logins and port status.
You can remotely configure or shut down ports and devices using SNMP. You can also configure it to send alerts when certain conditions are met, such as high bandwidth or ports going down. We will cover SNMP in more detail in Section 40 because it is part of the ICND2 syllabus.
Securing the Switch
Prevent Telnet Access
Telnet traffic sends the password in clear text, which means that it could easily be read in the configuration or captured by a network sniffer, if one was attached to your network.
Telnet is actually disabled by default (i.e., you need to set a password and, optionally, a username to get it working). However, if you still want to have remote access to the management ports, you can enable SSH traffic to the switch with the transport input ssh command, which was discussed earlier.
Farai says – “The command transport input all is enabled by default for all VTY lines, while transport input none is enabled by default for other lines.”
Enable SSH
When possible, you should always use SSH instead of Telnet and SNMP to access your switches. SSH stands for secure shell and allows a secure exchange of information between two devices on a network. SSH uses public-key cryptography to authenticate the connecting device. Telnet and SNMP versions 1 and 2 are unencrypted and susceptible to packet sniffing (SNMP version 3 offers confidentiality – encryption of packets to prevent snooping by an unauthorised source). SSH, on the other hand, is encrypted.
To enable SSH you must have a version of IOS that supports encryption. A quick way to find this out is the show version command. Look for K9 in the file name and/or the security statement of Cisco Systems.
Switch#sh version
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(35)SE1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 19-Dec-06 10:54 by antonio
Image text-base: 0x00003000, data-base: 0x01362CA0

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SEC, RELEASE SOFTWARE (fc4)

Switch uptime is 1 hour, 8 minutes
System returned to ROM by power-on
System image file is “flash:/c3560-advipservicesk9-mz.122-35.SE1.bin”

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to [email protected].
--More--
NOTE: If you do not have a security version of IOS, you must purchase a license for it.
For an encrypted connection, you will need to create a private/public key pair on the switch (see below). When you connect, use the public key to encrypt the data and the switch will use its private key to decrypt the data. For authentication, use your chosen username/password combination. Next, set the switch hostname and domain name because the private/public keys will be created using the hostname.domainname nomenclature. Obviously, it makes sense for the key to be named something representing the system.
Firstly, make sure that you have a hostname other than the default one, which is Switch. Next, add your domain name (this typically matches your FQDN in Windows Active Directory). Then, create the crypto key that will be used for encryption. The modulus will be the length of the keys you want to use, in the range from 360 to 2048, with the latter being the most secure; 1024 and above is considered secure. At this point, SSH is enabled on the switch. There are a few maintenance commands you should enter as well. The ip ssh time-out 60 will time out any SSH connection that has been idle for 60 seconds. The ip ssh authentication-retries 2 will reset the initial SSH connection if authentication fails two times. This will not prevent the user from establishing a new connection and retrying authentication. This process is illustrated in the output below:
Switch(config)#hostname SwitchOne
SwitchOne(config)#ip domain-name mydomain.com
SwitchOne(config)#crypto key generate rsa
Enter modulus: 1024
SwitchOne(config)#ip ssh time-out 60
SwitchOne(config)#ip ssh authentication-retries 2
You can optionally enable SSH version 2 with the ip ssh version 2 command. Let’s take a look at one of the keys. In this example, the key was generated for HTTPS. Because the key was automatically generated when enabling HTTPS, the name will also be auto-generated.
firewall#show crypto key mypubkey rsa
Key name: HTTPS_SS_CERT_KEYPAIR.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  306C300D 06092A86 4886F70D 01010105 00035B00 30580251 00C41B63 8EF294A1
  DC0F7378 7EF410F6 6254750F 475DAD71 4E1CD15E 1D9086A8 BD175433 1302F403
  2FD22F82 C311769F 9C75B7D2 1E50D315 EFA0E940 DF44AD5A F717BF17 A3CEDBE1
  A6A2D601 45F313B6 6B020301 0001
To verify that SSH is enabled on the switch, enter the following command:
Switch#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 2
Switch#
If you have SSH enabled, you should probably disable Telnet and HTTP. When you enter the transport input command, any protocol entered after it is allowed. Any protocol not entered is not allowed. In the output below, you can see that only SSH is allowed:
line vty 0 15
 transport input ssh
The following output shows that both SSH and Telnet are allowed:
line vty 0 15
 transport input ssh telnet
You can disable HTTP access with one simple command:
Switch(config)#no ip http server
To view the status of the HTTP server on the switch:
Switch#show ip http server status
HTTP server status: Disabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:html
Maximum number of concurrent server connections allowed: 16
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
You could also apply an access control list to the VTY lines and permit only SSH. We will cover access control lists in Section 9.
Set an Enable Secret Password
Global Configuration mode will permit a user to configure the switch or router and erase configurations, as well as reset passwords. You must protect this mode by setting an enable password or an enable secret (which actually prevents the user from getting past User mode). The enable password will be displayed in clear text in the router’s running configuration file, whereas the enable secret password will be encrypted.
I’ve already mentioned that you can actually have both a password and an enable secret password on your router and switch, but this can cause confusion. Just set the enable secret password. The configuration file below illustrates how to issue a command without dropping back to Privileged mode by typing do before the command:
Switch1(config)#enable password cisco
Switch1(config)#do show run
Building configuration...
Current configuration: 1144 bytes
hostname Switch1
enable password cisco
Farai says – “You can encrypt the enable secret password with the service password-encryption command.”
You can erase most lines of configuration by issuing the command again with the word no in front of it. It is also worth noting that, as Farai says, you can issue the service password-encryption command, but this only offers weak (level 7) encryption, whereas below, the secret password has strong (MD5) encryption:
Switch1(config)#no enable password
Switch1(config)#enable secret cisco
Switch1(config)#do show run
Building configuration...
Current configuration: 1169 bytes
hostname Switch1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0          [strong level 5 password]
Services
You should always disable the services you are not going to use. Cisco has done a good job by not enabling insecure or rarely used services/protocols; however, you might want to disable them just to make sure. There are some services that are helpful as well. The majority of services are found under the command service in Global Configuration mode.
Switch(config)#service ?
  compress-config        Compress the configuration file
  config                 TFTP load config files
  counters               Control aging of interface counters
  dhcp                   Enable DHCP server and relay agent
  disable-ip-fast-frag   Disable IP particle-based fast fragmentation
  exec-callback          Enable EXEC callback
  exec-wait              Delay EXEC startup on noisy lines
  finger                 Allow responses to finger requests
  hide-telnet-addresses  Hide destination addresses in telnet command
  linenumber             enable line number banner for each exec
  nagle                  Enable Nagle’s congestion control algorithm
  old-slip-prompts       Allow old scripts to operate with slip/ppp
  pad                    Enable PAD commands
  password-encryption    Encrypt system passwords
  password-recovery      Disable password recovery
  prompt                 Enable mode specific prompt
  pt-vty-logging         Log significant VTY-Async events
  sequence-numbers       Stamp logger messages with a sequence number
  slave-log              Enable log capability of slave IPs
  tcp-keepalives-in      Generate keepalives on idle incoming network connections
  tcp-keepalives-out     Generate keepalives on idle outgoing network connections
  tcp-small-servers      Enable small TCP servers (e.g., ECHO)
  telnet-zeroidle        Set TCP window 0 when connection is idle
  timestamps             Timestamp debug/log messages
  udp-small-servers      Enable small UDP servers (e.g., ECHO)
Generally speaking, the most common services to enable/disable are listed below. The description of the service is in brackets [ ].
• no service pad [packet assembler/disassembler, used in asynchronous networking; rarely used]
• no service config [prevents the switch from getting its config file from the network]
• no service finger [disables the finger server; rarely used]
• no ip icmp redirect [prevents ICMP redirects, which can be used for router poisoning]
• no ip finger [another way to disable the finger service]
• no ip gratuitous-arps [disable to prevent man-in-the-middle attacks]
• no ip source-route [disables user-provided hop-by-hop routing to destination]
• service sequence-numbers [in each log entry, gives it a number and increases sequentially]
• service tcp-keepalives-in [prevents the router from keeping hung management sessions open]
• service tcp-keepalives-out [same as service tcp-keepalives-in]
• no service udp-small-servers [disables echo, chargen, discard, daytime; rarely used]
• no service tcp-small-servers [disables echo, chargen, discard; rarely used]
• service timestamps debug datetime localtime show-timezone [timestamps each debug message with the date and time, using local time, and shows the timezone]
• service timestamps log datetime localtime show-timezone [timestamps each log message (not debug output) with the date and time, using local time, and shows the timezone – very useful when reading the log file (especially if the clock is set up correctly)]
Change the Native VLAN
The native VLAN is used by the switch to carry specific protocol traffic, such as Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAgP), and Dynamic Trunking Protocol (DTP) information. The default native VLAN is always VLAN 1; however, the native VLAN can be manually changed to any valid VLAN number (except for 0 and 4096, because these are in the reserved range of VLANs).
You can verify the native VLAN with the commands (issued per interface) illustrated in the output below:
Switch#show interfaces FastEthernet0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Having ports in VLAN 1 is considered a security vulnerability which allows hackers to gain access to network resources. To mitigate this problem, it is advisable to avoid putting any hosts into VLAN 1. You can also change the native VLAN on all trunk ports to an unused VLAN:
Switch(config-if)#switchport trunk native vlan 888
NOTE: This is one of the key objectives in the CCNA syllabus, so bear it in mind.
You can also prevent native VLAN data from passing on the trunk with the command below:
Switch(config-if)#switchport trunk allowed vlan remove 888
Change the Management VLAN
You can also add an IP address to the switch to allow you to Telnet to it for management purposes. This is referred to as a Switch Virtual Interface (SVI). It is a wise precaution to have this management access in a VLAN other than VLAN 1, as shown in the output below:
Switch(config)#vlan 3
Switch(config-vlan)#interface vlan3
%LINK-5-CHANGED: Interface Vlan3, changed state to up
Switch(config-if)#ip address 192.168.1.1 255.255.255.0
Turn Off CDP
Cisco Discovery Protocol (CDP) will be covered later, but for now, you just need to know that it is turned on by default on most routers and switches universally and per interface, and its function is to discover attached Cisco devices. You may not want other Cisco devices to see information about your network devices, so you can turn this off, at least on the devices at the edge of your network which connect to other companies or your ISP.
Farai says – “CDP is not enabled by default on all platforms, such as ASR routers, for example.”
In the output below, you can see how a router connected to my switch is able to see basic information when I issue the show cdp neighbor detail command:
Router#show cdp neighbor detail
Device ID: Switch1
Entry address(es):
Platform: Cisco 2960, Capabilities: Switch
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/2
Holdtime: 176
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2960 Software (C2960-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 18-May-05 22:31 by jharirba
advertisement version: 2
Duplex: full
Router#
The command below will turn off CDP for the entire device:
Switch1(config)#no cdp run
To turn off CDP for a particular interface, issue the following command:
Switch1(config)#int FastEthernet0/2
Switch1(config-if)#no cdp enable
Add a Banner Message
A banner message will show when a user logs in to your router or switch. It won’t offer any actual security but it will display a warning message of your choice. In the configuration below, I chose the letter Y as my delimiting character, which tells the router that I’ve finished typing my message:
Switch1(config)#banner motd Y
Enter TEXT message. End with the character ‘Y’.
KEEP OUT OR YOU WILL REGRET IT Y
Switch1(config)#
When I Telnet to the switch from my router, I can see the banner message. The mistake was choosing Y as the delimiting character because it cuts off my message:
Router#telnet 192.168.1.3
Trying 192.168.1.3 ...Open
KEEP OUT OR
Banner messages can be:
• Shown before the user sees the login prompt – MOTD (message of the day)
• Shown before the user sees the login prompt – Login
• Shown to the user after the login prompt – Exec (used when you want to hide information from unauthorised users)
You will configure banners as part of the labs in this book. I suggest that you learn to configure all three types and test them by logging in to the router. You will have different choices depending upon your platform and IOS:
Router(config)#banner ?
  LINE            c banner-text c, where ‘c’ is a delimiting character
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP
Set a VTP Password
VTP ensures that accurate VLAN information is passed between the switches on your network. In order to protect these updates, you should add a VTP password on your switch (it should match on all switches in the VTP domain), as illustrated in the output below:
Switch1(config)#vtp domain 60days
Changing VTP domain name from NULL to 60days
Switch1(config)#vtp password cisco
Setting device VLAN database password to cisco
Switch1(config)#
Restrict VLAN Information
By default, switches permit all VLANs across the trunk links. You can change this by specifying which VLANs can pass, as illustrated in the following output:
Switch1(config)#int FastEthernet0/4
Switch1(config-if)#switchport mode trunk
Switch1(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list
Switch1(config-if)#switchport trunk allowed vlan 7-12

Switch1#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/4       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/4       7-12
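Added example (not from the original guide): Python that models how the switchport trunk allowed vlan keywords from the ? help above change a trunk’s allowed list, formats the result the way show interface trunk prints it, and checks whether native-VLAN traffic (such as the VLAN 888 removed earlier in this section) can still cross the trunk. The 1-4094 range and replaying commands from the default of all VLANs allowed are assumptions matching the default behaviour described above.

```python
from typing import Iterable, Set

VLAN_MIN, VLAN_MAX = 1, 4094  # assumed valid 802.1Q VLAN ID range on a trunk


def parse_vlan_list(spec: str) -> Set[int]:
    """Parse an IOS VLAN list such as '7-12,20' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (VLAN_MIN <= lo_i <= hi_i <= VLAN_MAX):
            raise ValueError(f"invalid VLAN range: {part}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def format_vlan_list(vlans: Set[int]) -> str:
    """Collapse a set of VLAN IDs into the compact 'Vlans allowed on trunk' form."""
    out, run_start, prev = [], None, None
    for v in sorted(vlans):
        if run_start is None:
            run_start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            out.append(str(run_start) if run_start == prev else f"{run_start}-{prev}")
            run_start = prev = v
    if run_start is not None:
        out.append(str(run_start) if run_start == prev else f"{run_start}-{prev}")
    return ",".join(out) if out else "none"


def apply_allowed_vlan(current: Set[int], args: str) -> Set[int]:
    """Apply one 'switchport trunk allowed vlan <args>' command to the current
    allowed set, following the keywords in the '?' help: all, none, add,
    remove, except, or a bare VLAN list that replaces the whole set."""
    words = args.split(None, 1)
    keyword = words[0].lower()
    rest = words[1] if len(words) > 1 else ""
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    if keyword == "all":
        return everything
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return everything - parse_vlan_list(rest)
    return parse_vlan_list(args)            # a bare list replaces the current one


def native_vlan_carried(allowed: Set[int], native: int) -> bool:
    """True when untagged native-VLAN traffic can still cross this trunk."""
    return native in allowed


def walk_trunk_config(commands: Iterable[str]) -> Set[int]:
    """Replay a sequence of 'switchport trunk allowed vlan' arguments starting
    from the default (all VLANs allowed) and return the final allowed set."""
    allowed = set(range(VLAN_MIN, VLAN_MAX + 1))
    for args in commands:
        allowed = apply_allowed_vlan(allowed, args)
    return allowed


if __name__ == "__main__":
    # Constructed walk-through: the Fa0/4 example above, then adding and
    # removing the native VLAN 888 used earlier in this section.
    steps = ["7-12", "add 888", "remove 888"]
    allowed = walk_trunk_config(steps)
    print("Vlans allowed on trunk:", format_vlan_list(allowed))
    print("native VLAN 888 data crosses trunk:", native_vlan_carried(allowed, 888))
```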
Error Disable Recovery
A series of events can cause Cisco switches to put their ports into a special disabled mode called err-disabled. This basically means that a particular port has been disabled (shut down) due to an error. This error can have multiple causes, one of the most common being a violation of a port security policy. This is a normal behaviour when an unauthorised user tries to connect to a switch port and it prevents rogue devices from accessing the network.
An err-disabled port might look something like this:
Switch#show interface f0/1
FastEthernet0/1 is down, line protocol is down [err-disabled]
.....
In order to re-activate an err-disabled interface, manual intervention is necessary via issuing the shutdown and no shutdown commands on the interface (referred to as bouncing the port by network engineers). However, some situations might require automatic recovery of the original port state instead of waiting for an administrator to manually enable the port. The err-disable recovery mode functions by configuring the switch to automatically re-enable an err-disabled port after a certain period, based on the event that generated the failure. This provides granularity in deciding which events can be monitored by the err-disable recovery function.
The command to do this is errdisable recovery cause, entered under Global Configuration mode:
Switch(config)#errdisable recovery cause ?
  all        Enable timer to recover from all causes
  bpduguard  Enable timer to recover from bpdu-guard error disable state
  dtp-flap   Enable timer to recover from dtp-flap error disable state
  link-flap  Enable timer to recover from link-flap error disable state
  pagp-flap  Enable timer to recover from pagp-flap error disable state
  rootguard  Enable timer to recover from root-guard error disable state
  udld       Enable timer to recover from udld error disable state
  ......
The errdisable recovery cause command can vary based on the device model, but the most common parameters are:
• all
• arp-inspection
• bpduguard
• dhcp-rate-limit
• link-flap
• psecure-violation
• security-violation
• storm-control
• udld
The time after which the port is automatically restored is 300 seconds by default on most platforms, but this can be manually configured with the errdisable recovery interval global configuration command:
Switch(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
The show errdisable recovery command will provide information about the active features monitored by the err-disable recovery function and about the interfaces being monitored, including the time left until the interface is enabled.
Switch#show errdisable recovery
ErrDisable Reason         Timer Status
-----------------         --------------
arp-inspection            Disabled
bpduguard                 Disabled
channel-misconfig         Disabled
dhcp-rate-limit           Disabled
dtp-flap                  Disabled
gbic-invalid              Disabled
inline-power              Disabled
l2ptguard                 Disabled
link-flap                 Disabled
mac-limit                 Disabled
link-monitor-failure      Disabled
loopback                  Disabled
oam-remote-failure        Disabled
pagp-flap                 Disabled
port-mode-failure         Disabled
psecure-violation         Enabled
security-violation        Disabled
sfp-config-mismatch       Disabled
storm-control             Disabled
udld                      Disabled
unicast-flood             Disabled
vmps                      Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface    Errdisable reason    Time left(sec)
---------    -----------------    --------------
Fa0/0        psecure-violation    193
External Authentication Methods
Rather than store usernames and passwords locally, you can use a server which typically runs either AAA or TACACS+. The advantage to this method is not having to manually enter usernames and passwords on each individual router and switch. Instead, they are stored on the server database.
TACACS+ stands for Terminal Access Controller Access Control System Plus. It is a Cisco proprietary protocol that uses TCP port 49. TACACS+ provides access control for network devices, including routers, and network access servers via one or more centralised servers.
RADIUS stands for Remote Authentication Dial-In User Service. It is a system of distributed network security that secures remote access to the network and a client/server protocol that uses UDP. RADIUS is an open standard.
If you have TACACS+ or RADIUS, you may wish to enable Authentication, Authorization, and Accounting (AAA). AAA is installed on a server and monitors a database of user accounts for the network. Users’ access, protocols, connections, and disconnect reasons, as well as many other features, can be monitored.
Routers and switches can be configured to query the server when a user attempts to log in. The server then validates the user. You should not be expected to configure these protocols for the CCNA exam.
Router Clock and NTP
The time on a switch is often overlooked; however, it is very important. When you encounter security violations, SNMP traps, or logging of events, it uses a timestamp. If the time on your switch is incorrect, it will be difficult figuring out when the event happened. For example, let’s take a look at the switch below and check the time:
Switch#show clock
*23:09:45.773 UTC Tue Mar 2 1993
The time is not accurate, so let’s change it. But first, let’s set some attributes:
clock timezone CST -6
clock summer-time CDT recurring
clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
First, let’s set the time zone. I’m in the Central time zone and I’m 6 hours off of GMT. Next, tell the switch that summertime (the time change) is recurring. Finally, set what the summertime time really is. Now, let’s set the time and date:
Switch#clock set 14:55:05 June 19 2007
Switch#
1d23h: %SYS-6-CLOCKUPDATE: System clock has been updated from 17:26:01 CST Tue Mar 2 1993 to 14:55:05 CST Tue Jun 19 2007, configured from console by console.
Switch#show clock
14:55:13.858 CST Tue Jun 19 2007
Notice that the clock was set in Enable mode, not Configuration mode. Alternatively, you can use NTP. NTP stands for Network Time Protocol and it allows you to synchronise your switch’s clock to an atomic clock, ensuring very accurate time.
Switch(config)#ntp server 134.84.84.84 prefer
Switch(config)#ntp server 209.184.112.199
You can see whether your clock has synchronised with your NTP sources with the following two commands:
Switch#show ntp associations
Switch#show ntp status
We will cover NTP in more detail in Section 40.
Shut Down Unused Ports
Unused or “empty” ports within any network device pose a security risk, as someone might plug a cable into them and connect an unauthorised device to the network. This can lead to a number of issues, including:
• Network not functioning as it should
• Network information vulnerable to outsiders
This is why you should shut down every port that is not used on routers, switches, and other network devices. Depending upon the device, the shutdown state might be the default, but you should always verify this.
Shutting down a port is done with the shutdown command under the Interface Configuration mode:
Switch#conf t
Switch(config)#int fa0/0
Switch(config-if)#shutdown
You can verify a port is in the shutdown state in multiple ways, one of which is using the show ip interface brief command:
Router(config-if)#do show ip interface brief
Interface          IP-Address    OK? Method Status                 Protocol
FastEthernet0/0    unassigned    YES unset  administratively down  down
FastEthernet0/1    unassigned    YES unset  administratively down  down
Note that the administratively down status means that the port has been manually shut down. Another way to verify the shutdown state is using the show interface command:
Router#show interface fa0/0
FastEthernet0/0 is administratively down, line protocol is down
  Hardware is Gt96k FE, address is c200.27c8.0000 (bia c200.27c8.0000)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
  ......
Cisco Discovery Protocol (CDP)
Now is as good a time as any to discuss Cisco Discovery Protocol.
CDP is a hot exam topic because it provides a means to discover information about network devices before any configuration has been applied. This is a very useful troubleshooting tool; however, it also presents a security risk.
CDP is Cisco proprietary, which means it will only work on Cisco devices. It is a Layer 2 service used by devices to advertise and discover basic information about directly connected neighbours. The IEEE version of CDP is Link Layer Discovery Protocol (LLDP), but this is not included in the CCNA syllabus.
Because CDP is a Layer 2 service, it does not require IP addresses to be configured in order to exchange information. The interface need only be enabled. If an IP address is configured, then this will be included in the CDP message.
CDP is a very powerful troubleshooting tool and you will be expected to understand how to use it in the exam. Figure 4.1 below shows CDP outputs from Router 0. Imagine if you were asked to troubleshoot this network but had no topology diagram to work from.
The following configuration outputs correspond to Figure 4.1:
Router0#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge,
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID    Local Interface    Holdtime    Capability    Platform    Port
Switch       Fas 0/0            165         S             2960        Fas 0/1
Router       Fas 0/1            169         R             C1841       Fas 0/0
Router0#
You can see more information by adding the detail command to the end:
Router0#show cdp neighbors detail

Device ID: Switch
Entry address(es):
Platform: cisco 2960, Capabilities: Switch
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/1
Holdtime: 178

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team

advertisement version: 2
Duplex: full
---------------------------

Device ID: Router
Entry address(es):
  IP address : 192.168.1.2
Platform: cisco C1841, Capabilities: Router
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/0
Holdtime: 122

Version :
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team

advertisement version: 2
Duplex: full
Now you can see the IOS release, model, IP address, and other information. Remember that you still haven’t configured an IP address on Router 0 yet.
We’ve already covered how to disable CDP on the whole device or on a single interface. Two other commands are show cdp, which displays protocol information for the device, and show cdp entry <Router>, which shows information about a specific device by inputting its name. I recommend that you spend some time checking CDP outputs during the labs you will configure in this guide.
Router0#show cdp
Global CDP information:
    Sending CDP packets every 60 seconds
    Sending a holdtime value of 180 seconds
    Sending CDPv2 advertisements is enabled
Router0#show cdp ?
  entry      Information for specific neighbor entry
  interface  CDP interface status and configuration
  neighbors  CDP neighbor entries
  traffic    CDP statistics
  |          Output modifiers
  <cr>
Switch Port Security
The port security feature is a dynamic Catalyst switch feature that secures switch ports, and ultimately the CAM table, by limiting the number of MAC addresses that can be learned on a particular port or interface. With the port security feature, the switch maintains a table that is used to identify which MAC address (or addresses) can access which local switch port. Additionally, the switch can also be configured to allow only a certain number of MAC addresses to be learned on any given switch port. Port security is illustrated below in Figure 4.2:
Figure 4.2 shows four ports on a Catalyst switch configured to allow a single MAC address via the port security feature. Ports 1 through 3 are connected to hosts whose MAC address matches the address permitted by port security. Assuming no other filtering is in place, these hosts are able to forward frames through their respective switch ports. Port 4, however, has been configured to allow a host with MAC address AAAA.0000.0004, but instead a host with MAC address BBBB.0000.0001 has been connected to this port. Because the host MAC and the permitted MAC are not the same, port security will take appropriate action on the port as defined by the administrator. The valid port security actions will be described in detail in a subsequent section.
The port security feature is designed to protect the switched LAN from two primary methods of attack. These attack methods, which will be described in the following sections, are:
• CAM table overflow attacks
• MAC spoofing attacks
CAM Table Overflow Attacks
Switch CAM tables are storage locations that contain lists of known MAC addresses on physical ports, as well as their VLAN parameters. Dynamically learned contents of the switch CAM table, or MAC address table, can be viewed by issuing the show mac-address-table dynamic command, as illustrated in the following output:
VTP-Server-1#show mac-address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
   2    000c.cea7.f3a0    DYNAMIC    Fa0/1
   2    0013.1986.0a20    DYNAMIC    Fa0/2
   6    0004.c16f.8741    DYNAMIC    Fa0/3
   6    0030.803f.ea81    DYNAMIC    Fa0/4
   8    0004.c16f.8742    DYNAMIC    Fa0/5
   8    0030.803f.ea82    DYNAMIC    Fa0/6
Total Mac Addresses for this criterion: 6
Switches, like all computing devices, have finite memory resources. This means that the CAM table has a fixed, allocated memory space. CAM table overflow attacks target this limitation by flooding the switch with a large number of randomly generated invalid source and destination MAC addresses until the CAM table fills up and the switch is no longer able to accept new entries. In such situations, the switch effectively turns into a hub and simply begins to broadcast all newly received frames to all ports (within the same VLAN) on the switch, essentially turning the VLAN into one big Broadcast domain.
CAM table attacks are easy to perform because common tools, such as MACOF and DSNIFF, are readily available to perform these activities. While increasing the number of VLANs (which reduces the size of Broadcast domains) can assist in reducing the effects of CAM table attacks, the recommended security solution is to configure the port security feature on the switch.
MAC Spoofing Attacks
MAC address spoofing is used to spoof a source MAC address in order to impersonate other hosts or devices on the network. Spoofing is simply a term that means masquerading or pretending to be someone you are not. The primary objective of MAC spoofing is to confuse the switch and cause it to believe that the same host is connected to two ports, which causes the switch to attempt to forward frames destined to the trusted host to the attacker as well. Figure 4.3 below shows the CAM table of a switch connected to four different network hosts:
In Figure 4.3, the switch is operating normally and, based on the CAM table entries, knows the MAC addresses for all the devices connected to its ports. Based on the current CAM table, if Host 4 wanted to send a frame to Host 2, the switch would simply forward the frame out of its FastEthernet0/2 interface toward Host 2.
Now, assume that Host 1 has been compromised by an attacker who wants to receive all traffic destined for Host 2. By using MAC address spoofing, the attacker crafts an Ethernet frame using the source address of Host 2. When the switch receives this frame, it notes the source MAC address and overwrites the CAM table entry for the MAC address of Host 2, and points it to port FastEthernet0/1 instead of FastEthernet0/2, where the real Host 2 is connected. This concept is illustrated below in Figure 4.4:
Referencing Figure 4.4, when Host 3 or Host 4 attempts to send frames to Host 2, the switch will forward them out of FastEthernet0/1 to Host 1 because the CAM table has been poisoned by a MAC spoofing attack. When Host 2 sends another frame, the switch relearns its MAC address from FastEthernet0/2 and rewrites the CAM table entry once again to reflect this change. The result is a tug-of-war between Host 2 and Host 1 as to which host owns this MAC address.
In addition, this confuses the switch and causes repetitive rewrites of MAC address table entries, causing a Denial of Service (DoS) attack on the legitimate host (i.e., Host 2). If the number of spoofed MAC addresses used is high, this attack could have serious performance consequences for the switch that is constantly rewriting its CAM table. MAC address spoofing attacks can be mitigated by implementing port security.
Port Security Secure Addresses
The port security feature can be used to specify which specific MAC address is permitted access to a switch port, as well as to limit the number of MAC addresses that can be supported on a single switch port. The methods of port security implementation described in this section are as follows:
• Static secure MAC addresses
• Dynamic secure MAC addresses
• Sticky secure MAC addresses
Static secure MAC addresses are statically configured by network administrators and are stored in the MAC address table, as well as in the switch configuration. When static secure MAC addresses are assigned to a secure port, the switch will not forward frames that do not have a source MAC address that matches the configured static secure MAC address or addresses.
Dynamic secure MAC addresses are dynamically learned by the switch and are stored in the MAC address table. However, unlike static secure MAC addresses, dynamic secure MAC address entries are removed from the switch when the switch is reloaded or powered down. These addresses must then be relearned by the switch when it boots up again.
Sticky secure MAC addresses are a mix of static secure MAC addresses and dynamic secure MAC addresses. These addresses can be learned dynamically or configured statically and are stored in the MAC address table, as well as in the switch running configuration. This means that when the switch is powered down or rebooted, it will not need to dynamically discover the MAC addresses again because they are already saved in the configuration file (if you save the running configuration).
Port Security Actions
Once port security has been enabled, administrators can define the actions the switch will take in the event of a port security violation. Cisco IOS software allows administrators to specify four different actions to take when a violation occurs, as follows:
• Protect
• Shutdown (default)
• Restrict
• Shutdown VLAN (outside of the CCNA syllabus)
The protect option forces the port into Protected Port mode. In this mode, the switch will simply discard all Unicast or Multicast frames with unknown source MAC addresses. When the switch is configured to protect a port, it will not send out a notification when operating in Protected Port mode, meaning that administrators would never know when any traffic was prevented by the switch port operating in this mode.
The shutdown option places a port in an err-disabled state when a port security violation occurs. The corresponding port LED on the switch is also turned off when this configured action mode is used. In Shutdown mode, the switch sends out an SNMP trap and a syslog message, and the violation counter is incremented. This is the default action taken when port security is enabled on an interface.
The restrict option is used to drop packets with unknown MAC addresses when the number of secure MAC addresses reaches the administrator-defined maximum limit for the port. In this mode, the switch will continue to restrict additional MAC addresses from sending frames until a sufficient number of secure MAC addresses is removed, or the number of maximum allowable addresses is increased. As is the case with the shutdown option, the switch sends out an SNMP trap and a syslog message, and the violation counter is incremented.
The shutdown VLAN option is similar to the shutdown option; however, this option shuts down a VLAN instead of the entire switch port. This configuration could be applied to ports that have more than one VLAN assigned to them, such as a voice VLAN and a data VLAN, as well as to trunk links on the switches.
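To tie the secure address types and the three CCNA-level violation actions together, here is an added Python model of a port-security port (example code written for this guide, not Cisco's; the class and method names are this example's own, not IOS commands). It applies the rules the two sections above describe: a per-port maximum, static/dynamic/sticky entries with their different behaviour across a reload, and protect, restrict and shutdown handling of an unknown source MAC.

```python
"""Model of Catalyst port security as described in the guide (added example).
Static entries live in the configuration, dynamic entries vanish on reload,
sticky entries survive a reload only if running-config was saved to NVRAM.
protect drops silently; restrict drops, counts and logs; shutdown also
err-disables the port. MAC address values below are constructed samples."""
from dataclasses import dataclass, field

# Message format copied from the syslog lines the guide shows later on.
VIOLATION_MSG = ("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                 "occurred, caused by MAC address {mac} on port {port}.")


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    sticky: bool = False             # switchport port-security mac-address sticky
    # mac -> SecureConfigured | SecureDynamic | SecureSticky (as show port-security address labels them)
    secure: dict = field(default_factory=dict)
    violation_count: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def configure_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: a configured secure address."""
        self.secure[mac.lower()] = "SecureConfigured"

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if the switch would forward it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                     # line protocol down [err-disabled]
        if src_mac in self.secure:
            return True                      # a known secure address
        if len(self.secure) < self.maximum:
            # Still under the maximum: learn it as a dynamic or sticky entry.
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return True
        # Unknown source address once the maximum is reached: a violation.
        if self.violation == "protect":
            return False                     # silent drop: no counter, no trap, no syslog
        self.violation_count += 1            # restrict and shutdown both count and log
        self.syslog.append(VIOLATION_MSG.format(mac=src_mac, port=self.name))
        if self.violation == "shutdown":
            self.err_disabled = True         # port goes err-disabled
        return False

    def bounce(self) -> None:
        """shutdown followed by no shutdown: the manual way out of err-disabled."""
        self.err_disabled = False

    def reload(self, config_saved: bool = True) -> None:
        """Switch reload: dynamic entries are relearned from scratch, static
        entries survive, sticky entries survive only if the config was saved."""
        keep = {"SecureConfigured"}
        if config_saved:
            keep.add("SecureSticky")
        self.secure = {m: t for m, t in self.secure.items() if t in keep}

    def show_port_security(self) -> dict:
        """The columns 'show port-security' prints for this port."""
        return {
            "MaxSecureAddr": self.maximum,
            "CurrentAddr": len(self.secure),
            "SecurityViolation": self.violation_count,
            "SecurityAction": self.violation.capitalize(),
        }


def figure_4_2_port4() -> SecurePort:
    """Port 4 of Figure 4.2: AAAA.0000.0004 is permitted, BBBB.0000.0001 turns up."""
    port = SecurePort("Fa0/4")               # defaults: maximum 1, action shutdown
    port.configure_static("aaaa.0000.0004")
    port.receive("bbbb.0000.0001")           # violation: err-disabled, counted, logged
    return port


if __name__ == "__main__":
    p = figure_4_2_port4()
    print(p.show_port_security(), "err-disabled:", p.err_disabled)
    for line in p.syslog:
        print(line)
```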
Configuring Port Security
Before configuring port security, it is recommended that the switch port be statically configured as a Layer 2 access port (it can only be configured on static access or trunk ports, not on dynamic ports). This configuration is illustrated in the following output:
VTP-Server-1(config)#interface FastEthernet0/1
VTP-Server-1(config-if)#switchport
VTP-Server-1(config-if)#switchport mode access
NOTE: The switchport command is not required in Layer 2-only switches, such as the Catalyst 2950 and Catalyst 2960 series switches. However, it must be used on Multilayer switches, such as the Catalyst 3750, Catalyst 4500, and Catalyst 6500 series switches.
By default, port security is disabled; however, this feature can be enabled using the
switchport port-security [mac-address {mac-address} [vlan {vlan-id | {access | voice}}] | mac-address {sticky} [mac-address | vlan {vlan-id | {access | voice}}] [maximum {value} [vlan {vlan-list | {access | voice}}]]
interface configuration command. The options that are available with this command are described below in Table 4.1:
Table 4.1 – Port Security Configuration Keywords
Configuring Static Secure MAC Addresses
The following output illustrates how to enable port security on an interface and to configure a static secure MAC address of 001f:3c59:d63b on a switch access port:
VTP-Server-1(config)#interface GigabitEthernet0/2
VTP-Server-1(config-if)#switchport
VTP-Server-1(config-if)#switchport mode access
VTP-Server-1(config-if)#switchport port-security
VTP-Server-1(config-if)#switchport port-security mac-address 001f.3c59.d63b
The following output illustrates how to enable port security on an interface and to configure a static secure MAC address of 001f:3c59:d63b in VLAN 5 on a switch trunk port:
VTP-Server-1(config)#interface GigabitEthernet0/2
VTP-Server-1(config-if)#switchport
VTP-Server-1(config-if)#switchport trunk encapsulation dot1q
VTP-Server-1(config-if)#switchport mode trunk
VTP-Server-1(config-if)#switchport port-security
VTP-Server-1(config-if)#switchport port-security mac-address 001f.3c59.d63b vlan 5
The following output illustrates how to enable port security on an interface and to configure a static secure MAC address of 001f:3c59:5555 for VLAN 5 (the data VLAN) and a static secure MAC address of 001f:3c59:7777 for VLAN 7 (the voice VLAN) on a switch access port:
VTP-Server-1(config)#interface GigabitEthernet0/2
VTP-Server-1(config-if)#switchport
VTP-Server-1(config-if)#switchport mode access
VTP-Server-1(config-if)#switchport access vlan 5
VTP-Server-1(config-if)#switchport voice vlan 7
VTP-Server-1(config-if)#switchport port-security
VTP-Server-1(config-if)#switchport port-security maximum 2
VTP-Server-1(config-if)#switchport port-security mac-address 001f.3c59.5555 vlan access
VTP-Server-1(config-if)#switchport port-security mac-address 001f.3c59.7777 vlan voice
It is very important to remember that when enabling port security on an interface that is also configured with a voice VLAN in conjunction with the data VLAN, the maximum allowed secure addresses on the port should be set to 2. This is performed via the switchport port-security maximum 2 interface configuration command, which is included in the output above.
One of the two MAC addresses is used by the IP phone and the switch learns about this address on the voice VLAN. The other MAC address is used by a host (such as a PC) that may be connected to the IP phone. This MAC address will be learned by the switch on the data VLAN.
Verifying Static Secure MAC Address Configuration
Global port security configuration parameters can be validated by issuing the show port-security command. The following shows the output printed by this command based on default values:
VTP-Server-1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/2              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024
As seen in the output above, by default, only a single secure MAC address is permitted per port. In addition, the default action in the event of a violation is to shut down the port. The CurrentAddr count of 1 indicates that only a single secured address is known, which is the static address configured on the interface. The same can also be confirmed by issuing the show port-security interface [name] command, as illustrated in the following output:
VTP-Server-1#show port-security interface gi0/2
Port Security              : Enabled
Port status                : SecureUp
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Aging time                 : 0 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation count   : 0
NOTE: The modification of the other default parameters in the output above will be described in detail as we progress through this section.
To see the actual configured static secure MAC address on the port, the show port-security address or the show running-config interface [name] command must be used. The following output illustrates the show port-security address command:
VTP-Server-1#show port-security address
          Secure Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type                Ports    Remaining Age (mins)
----    -----------       ----                -----    -----------
   1    001f.3c59.d63b    SecureConfigured    Gi0/2
--------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024
Configuring Dynamic Secure MAC Addresses
By default, when port security is enabled on a port, the port will dynamically learn and secure one MAC address without any further configuration from the administrator. To allow the port to learn and secure more than a single MAC address, the switchport port-security maximum [number] command must be used. Keep in mind that the upper limit of the [number] keyword is platform-dependent and will vary on different Cisco Catalyst switch models.
Real-World Implementation
In production networks with Cisco Catalyst 3750 switches, it is always a good idea to determine what the switch will be used for, and then select the appropriate Switch Database Management (SDM) template via the sdm prefer {access | default | dual-ipv4-and-ipv6 {default | routing | vlan} | routing | vlan} [desktop] global configuration command.
Each template allocates system resources to best support the features being used or that will be used. By default, the switch attempts to provide a balance between all features. However, this may impose a limit on the maximum possible values for other available features and functions. An example would be the maximum possible number of secure MAC addresses that can be learned or configured when using port security.
The following output illustrates how to configure a switch port to dynamically learn and secure up to two MAC addresses on interface GigabitEthernet0/2:
VTP-Server-1(config)#interface GigabitEthernet0/2
VTP-Server-1(config-if)#switchport
VTP-Server-1(config-if)#switchport mode access
VTP-Server-1(config-if)#switchport port-security
VTP-Server-1(config-if)#switchport port-security maximum 2
Verifying Dynamic Secure MAC Addresses
Dynamic secure MAC address configuration can be verified using the same commands as those illustrated in the static secure address configuration examples, with the exception of the show running-config command. This is because, unlike static or sticky secure MAC addresses, dynamically learned addresses are not saved in the switch configuration and are removed if the port is shut down. These same addresses must then be relearned when the port comes back up. The following output illustrates the show port-security address command, which shows an interface configured for secure dynamic MAC address learning:
VTP-Server-1#show port-security address
          Secure Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type             Ports    Remaining Age (mins)
----    -----------       ----             -----    ------------
   1    001d.09d4.0238    SecureDynamic    Gi0/2    -
   1    001f.3c59.d63b    SecureDynamic    Gi0/2    -
------------------------------------------------------------------
Total Addresses in System : 2
Max Addresses limit in System : 1024
Configuring Sticky Secure MAC Addresses
The following output illustrates how to configure dynamic sticky learning on a port and restrict the port to dynamically learn up to a maximum of 10 MAC addresses:
VTP-Server-1(config)#interface GigabitEthernet0/2
VTP-Server-1(config-if)#switchport
VTP-Server-1(config-if)#switchport mode access
VTP-Server-1(config-if)#switchport port-security
VTP-Server-1(config-if)#switchport port-security mac-address sticky
VTP-Server-1(config-if)#switchport port-security maximum 10
Based on the configuration above, up to 10 addresses will be dynamically learned on interface GigabitEthernet0/2 and will be added to the current switch configuration. When sticky address learning is enabled, MAC addresses learned on each port are automatically saved to the current switch configuration and added to the address table. The following output shows the dynamically learned MAC addresses (the sticky entries) on interface GigabitEthernet0/2:
VTP-Server-1#show running-config interface GigabitEthernet0/2
Building configuration...

Current configuration : 550 bytes
!
interface GigabitEthernet0/2
 switchport
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0004.c16f.8741
 switchport port-security mac-address sticky 000c.cea7.f3a0
 switchport port-security mac-address sticky 0013.1986.0a20
 switchport port-security mac-address sticky 001d.09d4.0238
 switchport port-security mac-address sticky 0030.803f.ea81
...
The sticky MAC address lines in the output above are dynamically learned and added to the current configuration. No manual administrator configuration is required to add these addresses to the configuration. By default, sticky secure MAC addresses are not automatically added to the startup configuration (NVRAM). To ensure that this information is saved to NVRAM, which means that these addresses are not relearned when the switch is restarted, it is important to remember to issue the copy running-config startup-config command, or the copy system:running-config nvram:startup-config command, depending upon the IOS version of the switch on which this feature is implemented. The following output illustrates the show port-security address command on a port configured for sticky address learning:
VTP-Server-1#show port-security address
          Secure Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type            Ports    Remaining Age (mins)
----    -----------       ----            -----    ------------
   1    0004.c16f.8741    SecureSticky    Gi0/2    -
   1    000c.cea7.f3a0    SecureSticky    Gi0/2    -
   1    0013.1986.0a20    SecureSticky    Gi0/2    -
   1    001d.09d4.0238    SecureSticky    Gi0/2    -
   1    0030.803f.ea81    SecureSticky    Gi0/2    -
-------------------------------------------------------------------
Total Addresses in System : 5
Max Addresses limit in System : 1024
You can also set an aging time and type on the switch, but this is going beyond the CCNA-level requirements. (Have a try on your own time if you wish.)
Configuring the Port Security Violation Action
As stated earlier, Cisco IOS software allows administrators to specify four different actions to take when a violation occurs, as follows:
• Protect
• Shutdown (default)
• Restrict
• Shutdown VLAN (this is outside the CCNA syllabus)
These options are configured using the switchport port-security [violation {protect | restrict | shutdown | shutdown vlan}] interface configuration command. If a port is shut down due to a security violation, it will show as errdisabled, and the shutdown and then no shutdown command will need to be applied to bring it back up.
Switch#show interfaces FastEthernet0/1 status
Port      Name    Status         Vlan    Duplex    Speed    Type
Fa0/1             errdisabled    100     full      100      100BaseSX
Cisco does want you to know which violation action triggers an SNMP message for the network administrator and a logging message, so here is that information for you in Table 4.2 below:
Table 4.2 – Port Security Violation Actions
Make sure that you memorise the table above for the exam!
The following output illustrates how to enable sticky learning on a port for a maximum of 10 MAC addresses. In the event that an unknown MAC address (e.g., an eleventh MAC address) is detected on the port, the port will be configured to drop the received frames:
VTP-Server-1(config)#interface GigabitEthernet0/2
VTP-Server-1(config-if)#switchport port-security
VTP-Server-1(config-if)#switchport port-security mac-address sticky
VTP-Server-1(config-if)#switchport port-security maximum 10
VTP-Server-1(config-if)#switchport port-security violation restrict
Verifying the Port Security Violation Action
The configured port security violation action is validated via the show port-security command, as shown in the following output:
VTP-Server-1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Gi0/2             10            5                  0         Restrict
Total Addresses in System : 5
Max Addresses limit in System : 1024
If logging is enabled and either the Restrict mode or the Shutdown Violation mode is configured on the switch, messages similar to those shown in the following output will be printed on the switch console, logged into the local buffer, or sent to a syslog server:
VTP-Server-1#show logging
... [Truncated Output] ...
04:23:21: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.1986.0a20 on port Gi0/2.
04:23:31: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.cea7.f3a0 on port Gi0/2.
04:23:46: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0004.c16f.8741 on port Gi0/2.
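Those violation messages are exactly what a syslog collector should be watching for. The Python below is an added example, not code from the book: it pulls the %PORT_SECURITY-2-PSECURE_VIOLATION lines out of a constructed show logging excerpt, counts violations per port, and flags a port once several different MACs have tripped it. The sample lines, the function names and the distinct-MAC threshold are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# Pattern for the %PORT_SECURITY-2-PSECURE_VIOLATION message shown in the output above
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) "
    r"on port (?P<port>\S+)\."
)

def parse_violations(log_text):
    """Return one (port, mac) tuple per violation message; other syslog lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append((m.group("port"), m.group("mac").lower()))
    return events

def summarize(events, threshold=2):
    """Group violations per port. A port is flagged when the number of distinct
    offending MACs reaches 'threshold': one stray MAC is usually a mis-plugged
    device, several different ones suggest an unmanaged switch or hub behind the port."""
    macs_by_port, counts = defaultdict(set), Counter()
    for port, mac in events:
        macs_by_port[port].add(mac)
        counts[port] += 1
    return {
        port: {
            "violations": counts[port],
            "distinct_macs": sorted(macs_by_port[port]),
            "alert": len(macs_by_port[port]) >= threshold,
        }
        for port in counts
    }

# Constructed 'show logging' excerpt mirroring the messages above, with an unrelated line mixed in
SAMPLE_LOG = """\
04:23:21: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.1986.0a20 on port Gi0/2.
04:23:31: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.cea7.f3a0 on port Gi0/2.
04:23:46: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0004.c16f.8741 on port Gi0/2.
04:25:02: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
04:26:10: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.1986.0a20 on port Gi0/2.
04:27:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.c7dd.cb19 on port Fa0/1.
"""

if __name__ == "__main__":
    for port, info in summarize(parse_violations(SAMPLE_LOG)).items():
        state = "ALERT" if info["alert"] else "ok"
        print(f"{port}: {info['violations']} violation(s), {len(info['distinct_macs'])} distinct MAC(s) [{state}]")
```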
One final point is that switch security can be configured on Packet Tracer, but many of the commands and show commands don’t work.
Section 4 Questions
1. Write out the two ways of configuring console passwords. Write the actual commands.
2. Which command will permit only SSH traffic into the VTY lines?
3. Which command will encrypt a password with level 7 encryption?
4. Name the eight levels of logging available on the router.
5. Why would you choose SSH access over Telnet?
6. Your three options upon violation of your port security are protect, _______, and _______.
7. How would you hard set a port to accept only MAC 0001.c74a.0a01?
8. Which command turns off CDP for a particular interface?
9. Which command turns off CDP for the entire router or switch?
10. Which command adds a password to your VTP domain?
11. Which command would permit only VLANs 10 to 20 over your interface?
Section 4 Answers
1. The password xxx and login local commands (username and password previously configured).
2. The transport input ssh command.
3. The service password-encryption command.
4. Alerts, critical, debugging, emergencies, errors, informational, notifications, and warnings.
5. SSH offers secure, encrypted traffic.
6. Shutdown and restrict.
7. Issue the switchport port-security mac-address x.x.x.x command.
8. The no cdp enable command.
9. The no cdp run command.
10. The vtp password xxx command.
11. The switchport trunk allowed vlan 10-20 command.
Section 4 Labs
Basic Router Security Lab
Topology
Purpose
Learn some basic steps to take to lock down your router.
Walkthrough
1. Protect Enable mode with an enable secret password. Test this by logging out of Privileged mode and then logging back in.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret cisco
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#exi
Router con0 is now available
Press RETURN to get started.
Router>en
Password:
Router#
2. Set an enable password and then add service password encryption. This is rarely done on live routers because it is not secure.
Router(config)#no enable secret
Router(config)#enable password cisco
Router(config)#service pass
Router(config)#service password-encryption
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#show run
Building configuration...
Current configuration: 480 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Router
!
enable password 7 0822455D0A16
3. Protect the Telnet lines. Set a local username and password and have users enter this when connecting to the router.
Router(config)#line vty 0 ?
  <1-15>  Last Line number
  <cr>
Router(config)#line vty 0 15
Router(config-line)#login local
Router(config-line)#exit
Router(config)#username in60days password cisco
Router(config)#
You have tested Telnet before, but feel free to add a PC and Telnet into the router so you are prompted for a username and password.
4. Protect the console port with a password. Set one directly on the console port.
Router(config)#line console 0
Router(config-line)#password cisco
You can test this by unplugging and plugging your console lead back into the router. You can also protect the auxiliary port on your router if you have one:
Router(config)#line aux 0
Router(config-line)#password cisco
5. Protect the Telnet lines by permitting only SSH traffic in. You can also permit only SSH traffic outbound. You will need a security image for this command to work.
Router(config)#line vty 0 15
Router(config-line)#transport input ssh
Router(config-line)#transport output ssh
6. Add a banner message of the day (MOTD). Set the character which tells the router you have finished your message as “X” (the delimiting character).
Router(config)#banner motd X
Enter TEXT message. End with the character ‘X’.
Do not use this router without authorization.
X
Router(config)#
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Exit
Router con0 is now available
Press RETURN to get started.
Do not use this router without authorization.
Router>
7. Turn off CDP on the entire router. You could disable it on an interface only with the no cdp enable interface command.
Router(config)#no cdp run
You can test whether this is working by connecting a switch or router to your router before you turn off CDP and issuing the show cdp neighbor (detail) command.
8. Set the router to send logging messages to a host on the network.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging ?
  A.B.C.D   IP address of the logging host
  buffered  Set buffered logging parameters
  console   Set console logging parameters
  host      Set syslog server IP address and parameters
  on        Enable logging to all enabled destinations
  trap      Set syslog server logging level
  userinfo  Enable logging of user info on privileged mode enabling
Router(config)#logging 10.1.1.1
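Once the lab is done, the same eight steps make a checklist you can run against a saved running-config rather than eyeballing it. The Python below is an added example, not code from the book: it splits the config into top-level commands and the sub-commands under each line, then reports each hardening step as pass or fail against a constructed config. The check names, the placeholder enable secret hash and the sample config are my own assumptions.

```python
import re

def parse_config(text):
    """Split running-config text into top-level commands and their indented sub-commands."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks

def audit(text):
    """Map each hardening step of the lab to True (pass) or False (fail)."""
    top, blocks = parse_config(text)
    vty = [b for name, b in blocks.items() if name.startswith("line vty")]
    con = blocks.get("line con 0", [])
    return {
        # 'enable secret' is hashed; 'enable password' stays reversible even when type-7 encoded
        "enable_secret_set": any(l.startswith("enable secret ") for l in top),
        "no_enable_password": not any(l.startswith("enable password ") for l in top),
        "password_encryption": "service password-encryption" in top,
        "cdp_disabled": "no cdp run" in top,
        "syslog_host": any(re.match(r"logging (host )?\d+(\.\d+){3}$", l) for l in top),
        "vty_login_local": bool(vty) and all("login local" in b for b in vty),
        "vty_ssh_only": bool(vty) and all("transport input ssh" in b for b in vty),
        # a console password is only prompted for when the line also carries 'login'
        "console_protected": any(l.startswith("password ") for l in con)
        and any(l in ("login", "login local") for l in con),
    }

# Constructed sample: the router as the lab leaves it, but with no 'login' under con 0
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 <hash-placeholder>
no cdp run
logging 10.1.1.1
line con 0
 password 7 0822455D0A16
line vty 0 15
 login local
 transport input ssh
"""
if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'} {check}")
```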
Basic Switch Security Lab
Topology
Please note that your switch will need to have a security image which permits basic security settings.
Purpose
Learn how to apply basic security settings to a Cisco switch.
Walkthrough
1. Connect a PC or laptop to your switch. In addition, set up a console connection for your configuration. The port to which you connect your PC will be the one you configure security settings on in this lab. I have chosen FastEthernet 0/1 on my switch.
2. Log in to the VTY lines and set up Telnet access referring to a local username and password.
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 ?
  <1-15>  Last Line number
  <cr>
Switch(config)#line vty 0 15
Switch(config-line)#?
Switch(config-line)#login local
Switch(config-line)#exit
Switch(config)#username in60days password cisco
Switch(config)#
3. Add an IP address to VLAN 1 on the switch (all ports are in VLAN 1 automatically). Additionally, add the IP address 192.168.1.1 to your PC’s FastEthernet interface.
Switch(config)#interface vlan1
Switch(config-if)#ip address 192.168.1.2 255.255.255.0
Switch(config-if)#no shut
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up
Switch(config-if)#^Z ← press Ctrl+Z keys
Switch#
Switch#ping 192.168.1.1 ← test connection from switch to PC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 31/31/32 ms
Switch#
4. Test Telnet by Telnetting from your PC to your switch.
5. Your IT manager changes his mind and wants only SSH access, so change this on your VTY lines. Only certain models and IOS versions will support the SSH command.
Switch(config)#line vty 0 15
Switch(config-line)#transport input ssh
6. Now Telnet from your PC to the switch. Because only SSH is permitted, the connection should fail.
7. Set port security on your switch for the FastEthernet port. It will fail if you have not hard set the port to access (as opposed to dynamic or trunk).
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#
8. Hard set the MAC address from your PC to be permitted on this port. You can check this with the ipconfig/all command on your PC command line. Then check the port security status and settings.
Switch(config-if)#switchport port-security mac-address 0001.C7DD.CB18
Switch(config-if)#^Z
Switch#show port-security int FastEthernet0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.C7DD.CB18:1
Security Violation Count : 0
9. Change the MAC address on your PC, or if you can’t do this, plug another device into the switch port. This should make the port shut down due to a breach in the security settings. The screenshot below shows where you would change the MAC address in Packet Tracer.
10. You should see your FastEthernet port go down immediately.
Switch#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Switch#show port-security interface FastEthernet0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.C7DD.CB19:1
Security Violation Count : 1
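On a switch with dozens of access ports you want to find the ones in Secure-shutdown without reading each show port-security interface output by hand. The Python below is an added example, not code from the book: it parses the Field : Value lines of that output and returns a short triage note for every port that needs attention, including the last offending MAC from the Last Source Address:Vlan line. The Gi0/2 sample and the abridged field lists are constructed; the function names are my own.

```python
def parse_port_security(output):
    """Parse one 'show port-security interface' output into the fields needed for triage."""
    fields = {}
    for line in output.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)  # split once: values may themselves contain ':'
            fields[key.strip()] = value.strip()
    # 'Last Source Address:Vlan : 0001.C7DD.CB19:1' carries both the MAC and the VLAN
    mac, _, vlan = fields.get("Last Source Address:Vlan", "").partition(":")
    return {
        "status": fields.get("Port Status"),
        "mode": fields.get("Violation Mode"),
        "violations": int(fields.get("Security Violation Count", "0")),
        "last_mac": mac.lower() or None,
        "last_vlan": vlan or None,
    }

def triage(outputs):
    """outputs maps interface name -> show output. Returns {interface: reason} for
    ports needing an operator's attention; healthy ports are left out."""
    flagged = {}
    for intf, text in outputs.items():
        info = parse_port_security(text)
        if info["status"] == "Secure-shutdown":
            flagged[intf] = (f"errdisabled by port security; last offending MAC {info['last_mac']} "
                             f"on VLAN {info['last_vlan']}; investigate, then 'shutdown' and "
                             f"'no shutdown' to recover")
        elif info["violations"] > 0:
            flagged[intf] = f"{info['violations']} violation(s) counted in {info['mode']} mode"
    return flagged

# Constructed samples: Fa0/1 mirrors step 10 above (abridged); Gi0/2 is a healthy restrict port
FA0_1 = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Last Source Address:Vlan : 0001.C7DD.CB19:1
Security Violation Count : 1
"""
GI0_2 = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Last Source Address:Vlan : 0013.1986.0a20:1
Security Violation Count : 0
"""

if __name__ == "__main__":
    for intf, reason in triage({"Fa0/1": FA0_1, "Gi0/2": GI0_2}).items():
        print(f"{intf}: {reason}")
```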
NOTE: Please repeat this lab until you understand the commands and can type them without looking at the Walkthrough section (and do the same for all the other labs in this book).