How To Fix A Student Computer With A Cisco Ipa (Cisco) Ios 2.2.4.2 (Cio) And Ipa 2.3.2-2.5 (Ipa) (Cson)



Similar documents
Configuring Port Security

Configuring Port Security

Network Security. Topology. Spring This is the logical topology of the network environment used for testing.

Configuring DHCP Snooping

MAC Address Table Attribute Configuration

Security Considerations in IP Telephony Network Configuration

Lab Configure IOS Firewall IDS

Lab Diagramming Intranet Traffic Flows

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Lab Configuring the Cisco 2960 Switch

CCNA Exploration: Accessing the WAN Chapter 7 Case Study

Lab Configuring the PIX Firewall as a DHCP Server

Basic Wireless Configuration

Lab - Using IOS CLI with Switch MAC Address Tables

Configuring DHCP Snooping and IP Source Guard

Lab Configure Intrusion Prevention on the PIX Security Appliance

Chapter 2 Lab 2-2, Configuring EtherChannel Instructor Version

Lab Diagramming External Traffic Flows

Lab Creating a Logical Network Diagram

Lab Developing ACLs to Implement Firewall Rule Sets

Session Title: Exploring Packet Tracer v5.3 IP Telephony & CME. Scenario

Lab Analyzing Network Traffic

Configure IOS Catalyst Switches to Connect Cisco IP Phones Configuration Example

Chapter 2 Reading Organizer

Configuring Network Load Balancing for vethernet

Lab Configuring Access Policies and DMZ Settings

Lab Characterizing Network Applications

Device Interface IP Address Subnet Mask Default Gateway

Lab Configure Cisco IOS Firewall CBAC

Felix Rohrer. PT Activity 7.5.3: Troubleshooting Wireless WRT300N. Topology Diagram

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Lab Use Network Inspector to Observe STP Behavior

Lab: Basic Router Configuration

Lab Load Balancing Across Multiple Paths

CCT vs. CCENT Skill Set Comparison

Lab Managing the MAC Address Table

Skills Assessment Student Training Exam

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Lab a Configure Remote Access Using Cisco Easy VPN

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Remote PC Guide for Standalone PC Implementation

Lab Advanced Telnet Operations

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW)

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Lab Review of Basic Router Configuration with RIP. Objective. Background / Preparation. General Configuration Tips

Lab 7-1 Configuring Switches for IP Telephony Support

Lab 3.5.1: Basic VLAN Configuration (Instructor Version)

ICND IOS CLI Study Guide (CCENT)

Lab Organizing CCENT Objectives by OSI Layer

What is VLAN Routing?

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

IP Addressing and Subnetting. 2002, Cisco Systems, Inc. All rights reserved.

MEDIA ACCESS CONTROL (MAC) ADDRESS SPOOFING ATTACKS

Lab Configure Remote Access Using Cisco Easy VPN

Lab Configuring DHCP with SDM and the Cisco IOS CLI

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Computer Networks I Laboratory Exercise 1

LAB THREE STATIC ROUTING

Network security includes the detection and prevention of unauthorized access to both the network elements and those devices attached to the network.

Objectives. Router as a Computer. Router components and their functions. Router components and their functions

Configuring IPS High Bandwidth Using EtherChannel Load Balancing

How To Configure InterVLAN Routing on Layer 3 Switches

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

Securing end devices

Applicazioni Telematiche

Integration with IP Phones

TABLE OF CONTENTS NETWORK SECURITY 1...1

1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router

Lab 8.4.3a Managing Cisco IOS Images with TFTP

Lab Configuring PAT with SDM and Static NAT using Cisco IOS Commands

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Lab Diagramming Traffic Flows to and from Remote Sites

Lab Configuring Basic Router Settings with the Cisco IOS CLI

FSM73xx GSM73xx GMS72xxR Shared access to the Internet across Multiple routing VLANs using a Prosafe Firewall

Implementing Cisco IOS Network Security

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0

CCNA Discovery Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

Network Detector Setup and Configuration

Lab 5.5 Configuring Logging

Lab Configuring Access Policies and DMZ Settings

Packet Sniffing on Layer 2 Switched Local Area Networks

Introduction. What is a Remote Console? What is the Server Service? A Remote Control Enabled (RCE) Console

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)

Router Lab Reference Guide

The Trivial Cisco IP Phones Compromise

Lab Introductory Lab 1 - Getting Started and Building Start.txt

Lab 8.3.3b Configuring a Remote Router Using SSH

Lab Configuring Basic Router Settings with the Cisco IOS CLI

Network Simulator Lab Study Plan

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

GLBP - Gateway Load Balancing Protocol

Procedure: You can find the problem sheet on Drive D: of the lab PCs. Part 1: Router & Switch

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

LAB Configuring NAT. Objective. Background/Preparation

Chapter 7 Lab 7-1, Configuring Switches for IP Telephony Support

DHCP Server Port-Based Address Allocation

HOW TO CONFIGURE CISCO FIREWALL PART I

LAYER 2 ATTACKS & MITIGATION TECHNIQUES

Lab Creating a Network Map using CDP Instructor Version 2500

Transcription:

Lab 10.2.4 Mitigate Layer 2 Attacks Objective Scenario Topology In this lab, the students will complete the following tasks: Mitigate against CAM table overflow attack with appropriate Cisco IOS commands. Mitigate against MAC spoofing attacks with appropriate Cisco IOS commands. Mitigate against DHCP starvation attacks with appropriate Cisco IOS commands. The XYZ Company has a number of 2950 switches that are deployed throughout the building in order to provide network access for the employees. Attacks that use Layer 2 of the OSI model are quickly gaining sophistication and popularity. The network administrator must mitigate the effects of these attacks as much as possible. This figure illustrates the lab network environment. Preparation Begin with the standard lab topology and verify the starting configuration on the pod switch. Access the pod switch console port using the terminal emulator on the Windows 2000 server. If desired, save the switch configuration to a text file for later analysis. Refer back to the Student Lab Orientation if more help is needed. 1-6 Network Security 1 v2.0 Lab 10.2.4 Copyright 2005, Cisco Systems, Inc.

Tools and resources In order to complete the lab, the following is required: Command List Standard IOS Firewall lab topology Console cable HyperTerminal A second PC to be used to test the configuration In this lab exercise, the following switch commands will be used. Refer to this list if assistance or help is needed during the lab exercise. Switch Commands Command arp timeout seconds show port-security [address] [interface interface-id] switchport port-security switchport port-security macaddress mac-addr switchport port-security maximum max-addr switchport port-security violation {shutdown restrict protect} ip dhcp snooping ip dhcp snooping vlan vlan_id {,vlan_id} ip dhcp snooping trust ip dhcp snooping limit rate rate Description To configure how long an entry remains in the Address Resolution Protocol (ARP) cache, use the arp timeout command in interface configuration mode. To restore the default value, use the no form of this command. To display the port security settings for an interface or for the switch, use the show port-security command. Enables port security on the interface. To set the maximum number of secure MAC addresses on an interface, use the switchport-portsecurity mac-address command. Use the no form of this command to remove a MAC address from the list of secure MAC addresses. Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 128; the default is 128. Set the security violation mode for the interface. Enables DHCP snooping globally. Enable DHCP snooping on a VLAN or range of VLANs. A single VLAN can be identified by VLAN ID number, or start and end VLAN IDs can be used to specify a range of VLANs. The range is 1 to 4094. Configure the interface as trusted or untrusted. The default is untrusted. Configure the number of DHCP packets per second than an interface can receive. The range is 1 to 4294967294. The default is no rate limit configured. Step 1 Mitigate the CAM Table Overflow Attack Complete the following steps to mitigate against CAM table overflow attack with appropriate Cisco IOS commands: Note The enable secret password for the pod switch is cisco. 2-6 Network Security 1 v2.0 Lab 10.2.4 Copyright 2005, Cisco Systems, Inc.

a. Enter the interface configuration mode for port FastEthernet 0/12 SwitchP(config)#interface fastethernet 0/12 SwitchP(config-if)# (Where P = pod number) b. Set the port mode to access. SwitchP(config-if)# switchport mode access c. Enable port security on the selected interface. SwitchP(config-if)# switchport port-security d. Configure the maximum number of MAC addresses that can be configured or learned on this port. The default is 1. SwitchP(config-if)# switchport port-security maximum 1 e. Configure an action to be taken when a violation occurs. The default is shutdown. SwitchP(config-if)# switchport port-security violation shutdown 1. What other options are available for actions to be taken when a violation to occur? f. Record the MAC address of the student PC for use in the next step. For example, 0000.ffff.1111 g. Configure a static MAC address entry for the device that will be attached to the port. SwitchP(config-if)# switchport port-security mac-address 0000.ffff.1111 h. Plug the student PC into the port Fa0/12 and try to ping the gateway. C:\WINNT\system32>ping 10.0.P.2 1. Was the ping successful? i. Return to privileged EXEC mode. SwitchP(config-if)# end SwitchP# j. Verify the port security settings for port Fa0/12. SwitchP# show port-security interface fastethernet 0/12 Port Security Port Status Violation Mode Aging Time Aging Type : Enabled : Secure-up : Shutdown : 0 mins : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 1 Sticky MAC Addresses : 0 3-6 Network Security 1 v2.0 Lab 10.2.4 Copyright 2005, Cisco Systems, Inc.

Last Source Address : 0000.0000.0000 Security Violation Count : 0 k. Verify that the MAC address of the student PC is configured as a secure address. SwitchP# show port-security address Secure Mac Address Table ------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 30P 0000.ffff.1111 SecureConfigured Fa0/12 - ------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 1. What address type is shown for the MAC address of the student PC? Step 2 Mitigate MAC Spoofing Attacks Complete the following steps to mitigate against CAM table overflow attack with appropriate Cisco IOS commands. a. Enter the interface configuration mode for port FastEthernet 0/12 SwitchP(config)#interface fastethernet 0/12 SwitchP(config-if)# (Where P = pod number) b. Configure the maximum number of MAC addresses that can be configured or learned on this port. SwitchP(config-if)# switchport port-security maximum 1 c. Configure an action to be taken when a violation occurs. SwitchP(config-if)# switchport port-security violation shutdown d. Specify an ARP timeout of ten seconds. The default is four minutes. SwitchP(config-if)# arp timeout 10 e. Unplug the student PC from port Fa 0/12. Plug another PC that does not have the correct MAC address into port Fa 0/12. f. Return to privileged EXEC mode. SwitchP(config-if)# end SwitchP# 4-6 Network Security 1 v2.0 Lab 10.2.4 Copyright 2005, Cisco Systems, Inc.

g. Use the following commands to verify that the interface Fa 0/12 is shut down due to a security violation. SwitchP# show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------- Fa0/12 1 1 1 Shutdown --------------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 SwitchP# show port-security interface fastethernet 0/12 Port Security Port Status Violation Mode Aging Time Aging Type : Enabled : Secure-shutdown : Shutdown : 0 mins : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 1 Sticky MAC Addresses : 0 Last Source Address Security Violation Count : 1 : 0000.ffff.2222 2. What state is the port in after the security violation occurs? SwitchP# show interfaces status err-disabled Port Name Status Reason Fa0/12 Step 3 Mitigate DHCP Starvation Attacks err-disabled psecure-violation Complete the following steps to mitigate against DHCP starvation attacks with appropriate Cisco IOS commands. a. Enable DHCP snooping globally. SwitchP(config)# ip dhcp snooping b. Enable DHCP snooping on VLAN 301. SwitchP(config)# ip dhcp snooping vlan 301 c. Switch to interface configuration mode for interface Fa 0/12. SwitchP(config)# interface fastethernet 0/12 5-6 Network Security 1 v2.0 Lab 10.2.4 Copyright 2005, Cisco Systems, Inc.

d. Configure the interface as trusted. The no keyword can be used to configure an interface to receive messages from an untrusted client. The default is untrusted. SwitchP(config-if)# ip dhcp snooping trust e. Configure the number of DHCP packets per second than an interface can receive to be 100. The default is no rate limit configured. SwitchP(config-if)# ip dhcp snooping limit rate 100 1. What is the range of DHCP packets per second that can be configured on the interface? h. Return to privileged EXEC mode. SwitchP(config-if)# end SwitchP# f. Verify the DHCP snooping configuration. SwitchP# show ip dhcp snooping Switch DHCP snooping is enabled DHCP snooping is configured on following VLANs: 301 Insertion of option 82 is enabled Interface Trusted Rate limit (pps) ------------------------ ------- ---------------- FastEthernet0/12 yes 100 6-6 Network Security 1 v2.0 Lab 10.2.4 Copyright 2005, Cisco Systems, Inc.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information