Lab: Securing the Local Area Network
Objective: Configure Layer 2 security features to secure the local area network
TOPOLOGY:
In this lab, you will perform the following tasks:
Part 1: Configure Basic Device Settings
• Build the topology
• Configure basic settings such as host name, interface IP addresses, and access passwords.
Part 2: Configure SSH Access to the Switches
• Configure SSH version 2 access on the switch.
• Configure an SSH client to access the switch.
• Verify the configuration.
Part 3: Configure Secure Trunks and Access Ports
• Configure trunk port mode.
• Change the native VLAN for trunk ports.
• Verify trunk configuration.
• Enable storm control for broadcasts.
• Configure access ports.
• Enable PortFast and BPDU guard.
• Verify BPDU guard.
• Enable root guard.
• Enable loop guard.
• Configure and verify port security.
• Disable unused ports.
• Move ports from default VLAN 1 to alternate VLAN.
• Configure the PVLAN Edge feature on a port.
Part 4: Configure IP DHCP Snooping
• Configure DHCP on R1.
• Configure Inter-VLAN communication on R1.
• Configure S1 interface G0/0 as a trunk.
• Verify DHCP operation on PC-A and PC-B.
• Enable DHCP Snooping.
• Verify DHCP Snooping.
BACKGROUND
The Layer 2 infrastructure consists mainly of interconnected Ethernet switches. Most end-user devices, such as computers, printers, IP phones, and other hosts, connect to the network via Layer 2 access switches. As a result, switches can present a network security risk. Similar to routers, switches are subject to attack from malicious internal users. The switch Cisco IOS software provides many security features that are specific to switch functions and protocols.
In this lab, you will configure SSH access and Layer 2 security for S1-StudentID and S2-StudentID. You will also configure various switch protection measures, including access port security and Spanning Tree Protocol (STP) features, such as BPDU guard and root guard.
Note: The router commands and output in this lab are from a Cisco 1941 with Cisco IOS Release 15.4(3)M2 (UniversalK9-M). Other routers and Cisco IOS versions can be used. See the Router Interface Summary Table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router model and Cisco IOS version, the commands available and output produced might vary from what is shown in this lab.
Note: Before beginning, ensure that the switches have been erased and have no startup configurations.
Task 1: Configure Basic Device Settings
The desktop system assigned to you serves as an end-user terminal. You access and manage the lab environment from the student desktop system using GNS3 Software.
Students should perform the steps in this task individually.
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP addresses, static routing, device access, and passwords.
Part 2: Configure SSH Access to the Switches
In Part 2, you will configure S1 and S2 to support SSH connections and install SSH client software on the PCs.
Note: A switch IOS image that supports encryption (a k9 image) is required to configure SSH. Without such an image, the crypto commands are unavailable and SSH cannot be specified as an input transport for the vty lines.
Task 1: Configure the SSH Server on S1 and S2 Using the CLI.
In this task, use the CLI to configure the switch to be managed securely using SSH instead of Telnet. SSH is a network protocol that establishes a secure terminal emulation connection to a switch or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the preferred remote login tool for network professionals. It is strongly recommended that SSH be used in place of Telnet on production networks.
Task 2: Configure the SSH Client
Use the IOS SSH client on R1 to connect to S1 and S2, or use PuTTY or Tera Term on a PC; both are terminal emulation programs that support SSHv2 client connections.
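The following is an added example, not part of the lab handout, showing the complete SSH server configuration on S1 followed by a client test from R1. The domain name lab.example.com, the management address 192.168.1.11/24 on VLAN 1, the default gateway 192.168.1.1 and the admin credentials are assumed values; substitute the addresses and hostnames (S1-StudentID) from your topology.

```cisco
! Added example, not from the lab handout. Domain, addresses and
! credentials are assumed values.
S1# configure terminal
S1(config)# hostname S1
! A domain name is required before an RSA key pair can be generated
S1(config)# ip domain-name lab.example.com
! Management SVI and default gateway so the switch is reachable from R1 and the PCs
S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip default-gateway 192.168.1.1
! RSA host key used by SSH; 1024-bit keys are too small, use at least 2048
S1(config)# crypto key generate rsa general-keys modulus 2048
! Accept SSHv2 only, with a short authentication timer and two attempts
S1(config)# ip ssh version 2
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2
! Local account and enable password stored as hashes ("secret"), never
! as reversible type-7 "password" strings
S1(config)# username admin privilege 15 secret Cisco-Adm1n!
S1(config)# enable secret Cisco-Enab1e!
! vty lines accept SSH only (Telnet is refused) and authenticate locally
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 0
S1(config-line)# end
! Verify: expect "SSH Enabled - version 2.0" and the 2048-bit key
S1# show ip ssh
! Repeat on S2 with its own hostname and management address, then test
! from the IOS SSH client on R1, forcing protocol version 2:
R1# ssh -v 2 -l admin 192.168.1.11
```

After logging in, `show ssh` on the switch lists the active session and its version; a Telnet attempt to the same address should now be refused, which is the quickest check that `transport input ssh` took effect.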
Part 3: Configure Secure Trunks and Access Ports
In Part 3, you will configure trunk ports, change the native VLAN for trunk ports, and verify trunk configuration.
Securing trunk ports can help stop VLAN hopping attacks. The best way to prevent a basic VLAN hopping attack is to explicitly disable trunking on all ports except the ports that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking. If no trunking is required on an interface, configure the port as an access port. This disables trunking on the interface.
Note: Tasks should be performed on S1 or S2, as indicated.
Task 1: Secure Trunk Ports
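The trunk hardening described above, as an added example that is not part of the lab handout. Interface G0/1 as the S1-S2 link, VLANs 10 and 20 as user VLANs and VLAN 99 as the new native VLAN are assumed; repeat the same configuration on S2 so the native VLAN and allowed-VLAN list match on both ends.

```cisco
! Added example, not from the lab handout. Interface and VLAN numbers are
! assumed; match them to your topology and repeat on S2.
S1(config)# vlan 99
S1(config-vlan)# name NATIVE_UNUSED
S1(config-vlan)# exit
! Uplink to S2
S1(config)# interface g0/1
! Trunk statically and stop sending DTP frames, so a host on another port
! cannot negotiate itself into a trunk (VLAN hopping via DTP).
! On 3560/3750 add "switchport trunk encapsulation dot1q" first; a 2960
! supports only 802.1Q and does not have that command.
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate
! Native VLAN off VLAN 1: untagged frames from an attacker no longer land
! in the default/management VLAN, which blunts double-tagging attacks.
! No access port should ever be assigned to VLAN 99.
S1(config-if)# switchport trunk native vlan 99
! Carry only the VLANs this trunk needs
S1(config-if)# switchport trunk allowed vlan 10,20,99
! Storm control: drop broadcasts above 50% of interface bandwidth and
! raise an SNMP trap/syslog rather than err-disabling the uplink
S1(config-if)# storm-control broadcast level 50
S1(config-if)# storm-control action trap
S1(config-if)# end
! Verification: mode "on", encapsulation 802.1q, native VLAN 99, and no
! "Native VLAN mismatch" CDP messages in the log
S1# show interfaces trunk
S1# show interfaces g0/1 switchport
S1# show storm-control g0/1
```

A native VLAN mismatch between S1 and S2 is the most common mistake here: CDP reports it, and frames on VLAN 99 from one side are delivered untagged into a different VLAN on the other, which is exactly the leak the change is meant to prevent.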
Task 2: Secure Access Ports
Network attackers hope to have their system, or a rogue switch they add to the network, elected as the root bridge by sending BPDUs with manipulated STP parameters (a superior bridge ID). A host-facing port configured with PortFast should never receive a BPDU at all; with BPDU guard enabled, the switch places such a port into the err-disabled state as soon as a BPDU arrives, which keeps a rogue switch out of the spanning-tree topology.
Task 3: Protect Against STP Attacks
The topology has only two switches and no redundant paths, but STP is still active. In this step, you will enable switch security features that can help reduce the possibility of an attacker manipulating switches via STP-related methods.
Task 4: Configure Port Security and Disable Unused Ports
Switches are subject to MAC address table (CAM table) overflow attacks, MAC spoofing attacks, and unauthorized connections to switch ports. In this task, you will configure port security to limit the number of MAC addresses that can be learned on a switch port and to shut down (err-disable) the port if that number is exceeded, and you will shut down any ports that are not in use.
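The access-port hardening, STP guards and port security described in Tasks 2 through 4, as one added example that is not part of the lab handout. The port numbers (F0/5-10 as host ports, G0/1 and G0/2 as links toward S2, everything else unused), VLAN 10 for users and VLAN 999 as a black-hole VLAN are assumed; adjust them to your topology.

```cisco
! Added example, not from the lab handout. Port numbers, VLAN IDs and the
! choice of uplink ports are assumed; adjust to your topology.
! --- Host-facing access ports (Tasks 2 and 4) ---
S1(config)# vlan 10
S1(config-vlan)# name USERS
S1(config-vlan)# exit
S1(config)# interface range f0/5 - 10
! Fixed access mode (this also stops DTP on these ports) in a non-default VLAN
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
! PortFast: go straight to forwarding for end hosts.
! BPDU guard: err-disable the port the moment any BPDU arrives; a host port
! must never see one, so a rogue switch cannot join the topology here.
S1(config-if-range)# spanning-tree portfast
S1(config-if-range)# spanning-tree bpduguard enable
! Port security: one sticky (learned and saved to running-config) MAC per
! port; a second MAC triggers "shutdown", i.e. err-disabled plus a syslog.
! This caps CAM-table overflow and stops a second device being daisy-chained.
S1(config-if-range)# switchport port-security
S1(config-if-range)# switchport port-security maximum 1
S1(config-if-range)# switchport port-security mac-address sticky
S1(config-if-range)# switchport port-security violation shutdown
! PVLAN edge (protected port): protected ports on the same switch cannot
! forward traffic to each other, only to unprotected ports such as the uplink
S1(config-if-range)# switchport protected
S1(config-if-range)# exit
! --- STP guards (Task 3) ---
! Root guard on the port facing S2: a superior BPDU arriving here moves the
! port to root-inconsistent (blocking), so S2 or an attacker behind it can
! never become root. Use it only on ports that must stay designated, never
! on the port toward the legitimate root bridge.
S1(config)# interface g0/1
S1(config-if)# spanning-tree guard root
S1(config-if)# exit
! Loop guard on a second inter-switch link (assumed G0/2): a non-designated
! port that stops receiving BPDUs is held loop-inconsistent instead of
! silently transitioning to forwarding. Root guard and loop guard cannot be
! configured on the same interface, so they are applied to different ports.
S1(config)# interface g0/2
S1(config-if)# spanning-tree guard loop
S1(config-if)# exit
! --- Unused ports (Task 4) ---
! Park every unused port in a black-hole VLAN and shut it down
S1(config)# vlan 999
S1(config-vlan)# name BLACKHOLE
S1(config-vlan)# exit
S1(config)# interface range f0/1 - 4, f0/11 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# shutdown
S1(config-if-range)# end
! Verification
S1# show spanning-tree interface f0/5 detail
S1# show port-security interface f0/5
S1# show interfaces status err-disabled
! A port err-disabled by BPDU guard or port security stays down until you
! issue "shutdown" then "no shutdown", or enable automatic recovery:
S1(config)# errdisable recovery cause bpduguard
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
```

To verify BPDU guard, connect a second switch (or a PC that sends BPDUs) to F0/5 and confirm the port appears in `show interfaces status err-disabled` with a `%SPANTREE-2-BLOCK_BPDUGUARD` message in the log. `spanning-tree portfast bpduguard default` in global configuration applies the same protection to every PortFast port without touching each interface.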
Part 4: Configure DHCP Snooping
DHCP snooping is a Cisco Catalyst feature that classifies switch ports as trusted or untrusted. DHCP server messages (OFFER, ACK, NAK) are accepted only on trusted ports, so only the authorized DHCP server, reachable through a trusted port, can respond to client requests and distribute network information; offers from a rogue server on an untrusted access port are dropped. The switch also records each client's MAC address, assigned IP address, lease time, VLAN and port in a DHCP snooping binding table.
Task 1: Set Up DHCP
Task 2: Configure Inter-VLAN Communication
Task 3: Configure DHCP Snooping
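The DHCP server, inter-VLAN routing and DHCP snooping configuration for Tasks 1 through 3, as one added example that is not part of the lab handout. The subnets 192.168.10.0/24 and 192.168.20.0/24, VLANs 10, 20 and 99, R1 G0/1 as the link to S1 G0/0, S1 G0/1 as the link to S2 and F0/5-10 as host ports are assumed values.

```cisco
! Added example, not from the lab handout. Addresses, VLAN IDs and
! interface names are assumed; R1 g0/1 is taken as the link to S1 g0/0.
! --- R1: DHCP server and router-on-a-stick inter-VLAN routing (Tasks 1-2) ---
R1(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.9
R1(config)# ip dhcp excluded-address 192.168.20.1 192.168.20.9
R1(config)# ip dhcp pool VLAN10
R1(dhcp-config)# network 192.168.10.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.10.1
R1(dhcp-config)# exit
R1(config)# ip dhcp pool VLAN20
R1(dhcp-config)# network 192.168.20.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.20.1
R1(dhcp-config)# exit
! One 802.1Q subinterface per VLAN; the native VLAN matches the trunk so
! untagged frames are neither dropped nor misrouted
R1(config)# interface g0/1
R1(config-if)# no shutdown
R1(config-if)# interface g0/1.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config-subif)# interface g0/1.20
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config-subif)# interface g0/1.99
R1(config-subif)# encapsulation dot1q 99 native
R1(config-subif)# end
! --- S1: trunk toward R1, then DHCP snooping (Task 3) ---
S1(config)# interface g0/0
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport trunk allowed vlan 10,20,99
! Only the port toward R1 may source DHCP server messages. The S1-S2 trunk
! is trusted as well so S2's clients can reach R1 through S1; every host
! port stays untrusted, which is the default.
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface g0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Rate-limit client DHCP on access ports: more than 10 packets per second
! err-disables the port, which blunts DHCP starvation (pool exhaustion)
S1(config)# interface range f0/5 - 10
S1(config-if-range)# ip dhcp snooping limit rate 10
S1(config-if-range)# exit
! Snooping must be enabled globally AND per VLAN. The switch inserts the
! relay-agent option 82 by default, and the IOS DHCP server on R1 drops
! requests that carry option 82 with a zero giaddr, so disable insertion.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10,20
S1(config)# no ip dhcp snooping information option
S1(config)# end
! Verification: trusted ports, rate limits and the learned client bindings
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
```

Test from PC-A by renewing its lease (for example `ipconfig /renew` on Windows) and confirming a binding for its MAC address and port appears in `show ip dhcp snooping binding`. If the PC gets no address after snooping is enabled, the usual cause is the option 82 interaction above or a forgotten `ip dhcp snooping trust` on the port toward R1; with a rogue DHCP server attached to an untrusted port, its OFFERs are dropped and a DHCP_SNOOPING syslog message records the drop.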
Attachment: Securing Local Area Netwrok.rar