Configure Basic Settings: 1-Configure Interface IP Addresses

The document describes configurations for basic security settings on a switch including interface IP addresses, disabling DNS lookup, HTTP access, enable and console passwords, SSH server configuration, trunk and access port configuration, STP security features like PortFast and BPDU Guard, port security, and DHCP snooping.

Uploaded by MOU RFIX

Configure basic settings

1-Configure interface IP addresses:

S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown

2-Prevent the router or switch from attempting to translate incorrectly entered commands by disabling DNS lookup.

S1(config)# no ip domain-lookup

3-HTTP access to the switch is enabled by default. Prevent HTTP access by disabling the HTTP server and HTTP secure server.

S1(config)# no ip http server
S1(config)# no ip http secure-server

Note: The switch must have a cryptographic IOS image to support the ip http secure-server command. HTTP access to the router is disabled by default.

4-Configure the enable secret password.

S1(config)# enable algorithm-type scrypt secret <password>

(Replace <password> with the chosen enable secret; do not type quotation marks around it, or they become part of the secret.)

5-Configure the console password.

S1(config)# line console 0
S1(config-line)# password ciscoconpass
S1(config-line)# exec-timeout 5 0
S1(config-line)# login
S1(config-line)# logging synchronous

Configure the SSH Server


1-Configure a domain name.

S1(config)# ip domain-name ccnasecurity.com


2-Configure a privileged user for login from the SSH client.

S1(config)# username admin privilege 15 algorithm-type scrypt secret cisco12345

3-Generate the RSA encryption key pair for the switch.

S1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: S1.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

S1(config)#
00:15:36: %SSH-5-ENABLED: SSH 1.99 has been enabled

4-Configure SSH version 2.

S1(config)# ip ssh version 2

5-Verify the SSH configuration.

S1# show ip ssh

6-Configure SSH timeouts and authentication parameters.

S1(config)# ip ssh time-out 90
S1(config)# ip ssh authentication-retries 2

7-Verify the SSH configuration.

8-Configure the incoming vty lines.

S1(config)# line vty 0 4
S1(config-line)# privilege level 15
S1(config-line)# exec-timeout 5 0
S1(config-line)# login local
S1(config-line)# transport input ssh
S1(config-line)# exit

9-Disable login for switch vty lines 5 to 15 by allowing no transport input.

S1(config)# line vty 5 15
S1(config-line)# transport input none

10-Save the running configuration to the startup configuration.

S1# copy running-config startup-config

Configure Secure Trunks and Access Ports


Task 1: Secure Trunk Ports

Step 1: Configure S1 as the root switch.

S1(config)# spanning-tree vlan 1 priority 0
S1(config)# exit

Prevent VLAN hopping attacks.

-Prevent the use of DTP on S1 and S2.

S1(config)# interface f0/1
S1(config-if)# switchport nonegotiate

S2(config)# interface f0/1
S2(config-if)# switchport nonegotiate

Verify the trunking configuration on port F0/1.

S1# show interfaces f0/1 trunk
S1# show run | begin 0/1

Secure Access Ports


Network attackers try to have their own system, or a rogue switch they add to the network, elected as the root bridge of the topology by manipulating the STP root bridge parameters. If a port that is configured with PortFast receives a BPDU, STP can put the port into the blocking state by using a feature called BPDU guard.

Step 1: Disable trunking on the S1 and S2 access ports.

Protect Against STP Attacks


The topology has only two switches and no redundant paths, but STP is still active. In this
step, you will enable switch security features that can help reduce the possibility of an
attacker manipulating switches via STP-related methods.

Step 1: Enable PortFast on S1 and S2 access ports.

PortFast is configured on access ports that connect to a single workstation or server, which
enables them to become active more quickly.

a. Enable PortFast on the S1 Fa0/5 access port (and repeat on the S2 access port).

S1(config)# interface f0/5
S1(config-if)# spanning-tree portfast

Step 2: Enable BPDU guard on the S1 and S2 access ports.

BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports.

a. Enable BPDU guard on S1 port F0/6 and on S2 port F0/18.

S1(config)# interface f0/6
S1(config-if)# spanning-tree bpduguard enable

S2(config)# interface f0/18
S2(config-if)# spanning-tree bpduguard enable

Note: PortFast and BPDU guard can also be enabled globally with the spanning-tree portfast default and spanning-tree portfast bpduguard default commands in global configuration mode.

S1# show spanning-tree interface f0/6 detail
S2# show spanning-tree summary
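The settings from "Configure basic settings", "Configure the SSH Server" and the trunk/STP steps above are easy to apply once and then lose to a later change. The following added example (my code, not part of the lab or of Cisco IOS) parses a running-config and reports which of those hardening settings are absent: the required global commands, an enable secret, vty lines restricted to SSH with login local and an exec-timeout, trunks with DTP disabled, and PortFast ports that lack BPDU guard. The sample config embedded in it is constructed, not taken from the lab, and the block model (top-level lines plus indented children of interface and line sections) is a simplification of real IOS output.

```python
# Constructed sample running-config (not from the lab): it applies most of the
# steps above but deliberately omits 'no ip http secure-server' and leaves
# FastEthernet0/6 with PortFast but no BPDU guard, so the audit has two findings.
SAMPLE_RUNNING_CONFIG = """\
hostname S1
no ip domain-lookup
ip domain-name ccnasecurity.com
ip ssh version 2
no ip http server
enable secret 9 $9$PLACEHOLDER_HASH
username admin privilege 15 secret 9 $9$PLACEHOLDER_HASH
!
interface FastEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
!
line con 0
 password ciscoconpass
 exec-timeout 5 0
 login
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 transport input none
"""

# Global commands every switch in the lab must carry after the steps above.
REQUIRED_GLOBAL = (
    "no ip domain-lookup",
    "no ip http server",
    "no ip http secure-server",
    "ip ssh version 2",
)


def parse_config(text):
    """Split a running-config into top-level lines and the indented children of
    each 'interface ...' / 'line ...' section (simplified IOS block model)."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # '!' separates sections
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, sections = parse_config(text)
    findings = [f"global: missing '{cmd}'" for cmd in REQUIRED_GLOBAL if cmd not in global_lines]
    if not any(g.startswith("enable secret") for g in global_lines):
        findings.append("global: no enable secret configured")
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines
    for header, kids in sections.items():
        has_timeout = any(k.startswith("exec-timeout") for k in kids)
        if header.startswith("line vty"):
            if "transport input none" in kids:
                continue                        # no remote login possible on these lines at all
            if "transport input ssh" not in kids:
                findings.append(f"{header}: transport input not restricted to ssh")
            if "login local" not in kids:
                findings.append(f"{header}: missing 'login local'")
            if not has_timeout:
                findings.append(f"{header}: missing exec-timeout")
        elif header.startswith("line con"):
            if "login" not in kids or not has_timeout:
                findings.append(f"{header}: console needs 'login' and an exec-timeout")
        elif header.startswith("interface"):
            if "switchport mode trunk" in kids and "switchport nonegotiate" not in kids:
                findings.append(f"{header}: trunk still negotiates via DTP (add 'switchport nonegotiate')")
            if ("spanning-tree portfast" in kids and not bpduguard_default
                    and "spanning-tree bpduguard enable" not in kids):
                findings.append(f"{header}: PortFast without BPDU guard")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

Feed it the output of show running-config saved to a file (the sample above stands in for that); the two findings it prints for the sample are exactly the two gaps the comment describes, and adding the missing lines clears them.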

Configure Port Security and Disable Unused Ports

S1(config)# interface f0/5
S1(config-if)# shutdown
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 3
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx

Or, to learn the addresses dynamically and keep them:

S1(config-if)# switchport port-security mac-address sticky

S1(config-if)# switchport port-security violation restrict
S1(config-if)# no shutdown
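What "maximum 3" and "violation restrict" actually do once traffic arrives is easier to see in a model than in the CLI. The following added example (my code, not Cisco IOS) simulates port security on one port: statically configured MACs count toward the maximum, sticky learning fills the remaining slots, and a further source MAC is handled according to the violation mode (protect drops silently, restrict drops and counts the violation, shutdown err-disables the port). The MAC addresses and traffic sequence are constructed.

```python
class PortSecurity:
    """Model of the port-security behaviour configured above (added example,
    not IOS code): a port admits up to `maximum` secure MACs, statically set or
    sticky-learned, and applies the violation mode to any further source MAC."""

    def __init__(self, maximum=3, violation="restrict", static_macs=()):
        assert violation in ("protect", "restrict", "shutdown")
        self.maximum = maximum
        self.violation = violation
        self.secure_macs = list(static_macs)  # static entries count toward the maximum
        self.violation_count = 0              # the SecurityViolation counter of 'show port-security'
        self.err_disabled = False

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"                      # port stays down until an admin recovers it
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # sticky learning fills the remaining slots
            return "forward"
        # A new MAC beyond the maximum is a violation; the mode decides what happens.
        if self.violation == "protect":
            return "drop"                      # silent drop: no counter, no syslog
        self.violation_count += 1              # restrict and shutdown both count and log
        if self.violation == "shutdown":
            self.err_disabled = True           # the whole port goes err-disabled
        return "drop"


def run_scenario(violation):
    """Constructed traffic: one static host, two hosts learned by sticky, then two
    unknown MACs, then a known host again. Returns (decisions, count, err_disabled)."""
    port = PortSecurity(maximum=3, violation=violation,
                        static_macs=["0011.2233.4455"])   # stands in for the mac-address line
    frames = ["0011.2233.4455", "aaaa.bbbb.0001", "aaaa.bbbb.0002",
              "dead.beef.0001", "dead.beef.0002", "aaaa.bbbb.0001"]
    decisions = [port.ingress(mac) for mac in frames]
    return decisions, port.violation_count, port.err_disabled


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run_scenario(mode))
```

Running the three modes side by side shows the practical difference: restrict keeps the legitimate hosts working and gives you a counter to alert on, shutdown takes the port (and its legitimate hosts) down on the first violation, and protect hides the event entirely.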

Configure DHCP Snooping


Set Up DHCP

R1(config)# ip dhcp pool CCNAS
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1
R1(dhcp-config)# exit
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.4

Step 1: Enable DHCP snooping globally.

S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping information option

Step 2: Enable DHCP snooping for VLAN 1.

S1(config)# ip dhcp snooping vlan 1

Step 3: Limit the number of DHCP requests on an interface.

S1(config)# interface f0/6
S1(config-if)# ip dhcp snooping limit rate 10
S1(config-if)# exit

Step 4: Identify the trusted interface(s). DHCP responses are only permitted through trusted ports.

S1(config)# interface f0/5
S1(config-if)# description connects to DHCP server
S1(config-if)# ip dhcp snooping trust
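The four DHCP snooping steps above combine into one filter: server messages are accepted only on trusted ports, untrusted ports are rate-limited and err-disabled when they exceed the limit, a client's chaddr must match the frame's source MAC, and completed leases go into the binding table. The following added example (my code, not Cisco IOS) models that filter on a constructed exchange: the real server on Fa0/5 (trusted, as in Step 4), a client on Fa0/6 (limited to 10 packets per second, as in Step 3), and a rogue server plus a flooding host on Fa0/7. Port names, MAC addresses and the lease are constructed, and the rate limit is modelled as a simple per-second packet count.

```python
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


class DhcpSnooping:
    """Model of the DHCP snooping behaviour configured above (added example,
    not IOS code). Ports not listed as trusted are treated as untrusted."""

    def __init__(self, trusted_ports, rate_limit=10):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit      # DHCP packets/second tolerated on an untrusted port
        self.bindings = {}                # client MAC -> (leased IP, client port)
        self.err_disabled = set()
        self._per_second = {}             # (port, second) -> DHCP packets seen
        self._client_port = {}            # chaddr -> port the client's request arrived on

    def process(self, port, msg, src_mac, chaddr, second, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP message seen on `port`."""
        if port in self.err_disabled:
            return "drop"
        if port not in self.trusted:
            key = (port, second)
            self._per_second[key] = self._per_second.get(key, 0) + 1
            if self._per_second[key] > self.rate_limit:
                self.err_disabled.add(port)   # 'limit rate' exceeded: port goes err-disabled
                return "drop"
            if msg in SERVER_MESSAGES:
                return "drop"                 # server replies only accepted on trusted ports
            if chaddr != src_mac:
                return "drop"                 # MAC verification: chaddr must match frame source
            self._client_port[chaddr] = port
        elif msg == "ACK" and yiaddr is not None:
            # Completed lease from a trusted server: record it in the binding table
            # (DAI and IP Source Guard rely on this table).
            self.bindings[chaddr] = (yiaddr, self._client_port.get(chaddr))
        return "forward"


def run_scenario():
    """Constructed exchange: legitimate DORA, a rogue OFFER, a spoofed chaddr and a
    DISCOVER flood. Returns (decisions, flood_decisions, bindings, err_disabled)."""
    snoop = DhcpSnooping(trusted_ports={"Fa0/5"}, rate_limit=10)
    client, server, rogue = "aaaa.bbbb.0001", "0000.1111.2222", "dead.beef.0001"
    decisions = [
        snoop.process("Fa0/6", "DISCOVER", client, client, second=1),
        snoop.process("Fa0/7", "OFFER", rogue, client, second=1),      # rogue server reply
        snoop.process("Fa0/5", "OFFER", server, client, second=1),
        snoop.process("Fa0/6", "REQUEST", client, client, second=1),
        snoop.process("Fa0/5", "ACK", server, client, second=1, yiaddr="192.168.1.10"),
        snoop.process("Fa0/6", "DISCOVER", client, "cafe.0000.0001", second=2),  # spoofed chaddr
    ]
    # Eleven DISCOVERs within one second on Fa0/7 exceed 'limit rate 10'.
    flood = [snoop.process("Fa0/7", "DISCOVER", rogue, rogue, second=5) for _ in range(11)]
    return decisions, flood, snoop.bindings, snoop.err_disabled


if __name__ == "__main__":
    print(run_scenario())
```

The rogue OFFER and the spoofed-chaddr DISCOVER are dropped while the legitimate exchange completes and produces one binding; the flood is forwarded up to the limit and the eleventh packet err-disables Fa0/7, which is what you would expect to see logged on the switch.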
