NAMA : TUGIYONO NIM : 15.240.0187
CCNA Discovery Introducing Routing and Switching in the Enterprise
Lab 2. Menerapkan Keamanan Dasar Pada Switch Security
Device Designation
IP Address
PC 1
192.168.1.3
255.255.255.0
192.168.1.1
PC 2
192.168.1.4
255.255.255.0
192.168.1.1
PC 3 Switch1
192.168.1.5 192.168.1.2
255.255.255.0 255.255.255.0
192.168.1.1 192.168.1.1
Subnet Mask
Default Gateway
Enable Secret Password
vty and Console Password
class
cisco
Tujuan
Mengkonfigurasikan password untuk memastikan akses ke CLI AMAN
Mengkonfigurasikan portsecurity..
Menotifikasi port yang tidak dipakai.
Menguji konfigurasi keamanan dengan mengkoneksikan hos lain kep port yang diamankan. Background / Preparation
Latar Belakang / Persiapan Set up jaringan yang sama dengan yang ada di diagram topologi. Sumber daya yang dibutuhkan berupa:
Satu buah Cisco 2960 or switch yang sejenis
Tiga PC, setidaknya dengan sebuah program terminal emulasi
Satu buah konektor rj-45-to-DB-9 beserta kabel konsolnya
Dua kabel eternet susunan straight-through (PC1 and PC2 to switch)
All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 11
CCNA Discovery Introducing Routing and Switching in the Enterprise
Access ke command prompt PC
Access ke PC jaringan TCP/IP konfigurasi
Catatan: Pastikan switch telah di hapus dan tidak memiliki konfigurasi startup. Petunjuk untuk menghapus switch dan router disediakan di di modul praktek ini.
Langkah 1: Menghubungkan PC1 to the switch a. Hubungkan PC1 to FastEthernet switch port Fa0/1. konfigurasi PC1 to menggunakan the IP address, mask, and gateway yang Nampak pada table diatas b. Jalankan program sesi terminal emulation ke switch PC1.
Langkah 2: Menghubungkan PC2 to the switch a. Hubungkan PC2 ke FastEthernet switch port Fa0/4. b. Konfigurasi PC2 to menggunakan the IP address, mask, and gateway seperti tampak pada table diatas.
Langkah 3: KOnfigurasikan PC3 tetapi tidak dihubungkan Host ketiga diperlukan untuk praktek ini. a. Konfigurasikan PC3 menggunakan IPaddress 192.168.1.5. The subnet mask is 255.255.255.0, and the default gateway is 192.168.1.1. b. Jangan hubungkan dulu. Do not connect this PC to the switch yet. It will be used for testing security.
Langkah 4: Perform an initial configuration on the switch a. Konfigurasi console dan virtual terminal lines dengan menggunakan password dan diperlukan untuk login. the hostname of the switch as Switch1. Switch>enable Switch#config terminal Switch(config)#hostname Switch1 b. Set the privilegedEXECmode password to cisco. Switch1(config)#enable password cisco c.
Set the privilegedEXECmode secret password to class. Switch1(config)#enable secret class
d. Configure the console and virtual terminal lines to use a password and require it at login. Switch1(config)#line console 0 Switch1(config-line)#password cisco Switch1(config-line)#login Switch1(config-line)#line vty 0 15 Switch1(config-line)#password cisco Switch1(config-line)#login Switch1(config-line)#end e. Exit from the console session and log in again. Which password was required to enter privileged EXEC mode?_class Why? Karena level keamanan secret password lebih tinggi dibadingkan dengan password
Step 5: Configure the switch management interface on VLAN 1 a. Enter the interface configuration mode for VLAN 1. All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 2 of 11
CCNA Discovery Introducing Routing and Switching in the Enterprise Switch1(config)#interface vlan 1 b. Set the IP address, subnet mask, and default gateway for the management interface. Switch1(config-if)#ip address 192.168.1.2 255.255.255.0 Switch1(config-if)#no shutdown Switch1(config-if)#exit Switch1(config)#ip default-gateway 192.168.1.1 Switch1(config)#end Why does interface VLAN1 require an IP address in this LAN? Sebagai pengenal atau host dari ruang VLAN 1, alamat dari ruang vlan1 atau ruang vlan1 ip address 192.168.1.2 255.255.255.0 What is the purpose of the default gateway?
ip default-gateway 192.168.1.1 Step 6: Verify the management LANs settings a. Verify that the IP address of the management interface on the switch VLAN 1 and the IP address of PC1and PC2 are on the same local network. Use the show running-config command to check the IP address configuration of the switch. b. Verify the interface settings on VLAN 1. Switch1#showinterface vlan 1
Switch1#show interface vlan 1 Vlan1 is up, line protocol is up Hardware is CPU Interface, address is 0030.a33a.cc1e (bia 0030.a33a.cc1e) Internet address is 192.168.1.2/24 MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set ARP type: ARPA, ARP Timeout 04:00:00 Last input 21:40:21, output never, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 1682 packets input, 530955 bytes, 0 no buffer Received 0 broadcasts (0 IP multicast) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 563859 packets output, 0 bytes, 0 underruns 0 output errors, 23 interface resets 0 output buffer failures, 0 output buffers swapped out Switch1#
All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 3 of 11
CCNA Discovery Introducing Routing and Switching in the Enterprise What is the bandwidth on this interface?
MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec, reliability 255/255, txload 1/255, rxload 1/255 What are the VLAN states?
Vlan1 is up, line protocol is up VLAN1 is up andline protocol is up
Step 7: Disable the switch from being an http server Turn off the feature of the switch being used as an http server. Switch1(config)#no ip http server
Step 8: Verify connectivity a. To verify that hosts and switch are correctly configured, ping the switch IP address from the hosts. Were the pings successful? Ya
If the ping is not successful, verify the connections and configurations again. Check to ensure that all cables are correct and that connections are seated. Check the host and switch configurations. b. Save the configuration.
All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 4 of 11
CCNA Discovery Introducing Routing and Switching in the Enterprise Step 9: Record the host MAC addresses Determine and record the Layer 2 addresses of the PC network interface cards.From the command prompt of each PC, enter ipconfig /all. PC1 __________________________________________________
PC2 __________________________________________________
PC3 __________________________________________________
All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 5 of 11
CCNA Discovery Introducing Routing and Switching in the Enterprise Step 10: Determine what MAC addresses the switch has learned Determine what MAC addresses the switch has learned by using the show mac-address-table command at the privileged EXEC mode prompt. Switch1#showmac-address-table Translating "showmac-address-table"...domain server (255.255.255.255) How many dynamic addresses are there? 255.255.255.255 How many total MAC addresses are there? 255 Do the MAC addresses match the host MAC addresses? Tidak
Step 11: View the show mac-address-table options View the options that the showmac-address-table command has available. Switch1(config)#showmac-address-table ?
What options are available?
Step 12: Setup a static MAC address Setup a static MAC address on FastEthernet interface 0/4.Use the address that was recorded for PC2 in Step 9. The MAC address 00e0.2917.1884 is used in this example statement only. Switch1(config)#mac-address-table static 00e0.2917.1884 vlan 1 interface fastethernet 0/4
Step 13:Verify the results a. Verify the MAC address table entries. Switch1#show mac-address-table
How many dynamic MAC addresses are there now? satu 00e0.2917.1774 All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 6 of 11
CCNA Discovery Introducing Routing and Switching in the Enterprise How many static MAC addresses are there now? Satu 00e0.2917.1774 b. Remove the static entry from the MAC Address Table. Switch1(config)#nomac-address-table static 00e0.2917.1884 vlan 1 interface fastethernet 0/4
Step 14: List port security options a. Determine the options for setting port security on interface FastEthernet 0/4. Switch1(config)#interface fastethernet 0/4 Switch1(config-if)#switchport port-security ? What are some available options?Untuk mengamankan port / security port Command rejected: FastEthernet0/4 is a dynamic port. b. To allow the switch port FastEthernet 0/4 to accept only one device, configure port security. Switch1(config-if)#switchport mode access Switch1(config-if)#switchport port-security Switch1(config-if)#switchport port-security mac-address sticky c.
Exit configuration mode and check the port security settings. Switch1#show port-security Secure Port
MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------Fa0/4 1 0 0 Shutdown ---------------------------------------------------------------------------
If a host other than PC2 attempts to connect to Fa0/4, what will happen? Terhubung / replay
All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 7 of 11
CCNA Discovery Introducing Routing and Switching in the Enterprise Step 15: Limit the number of hosts per port a. On interface FastEthernet 0/4, set the port security maximum MAC count to 1. Switch1(config-if)#switchport port-security maximum 1. b. Disconnect the PC attached to FastEthernet 0/4. Connect PC3to FastEthernet 0/4. PC3 has been given the IP address of 192.168.1.5 and has not yet been attached to the switch. It may be necessary to ping the switch address 192.168.1.2 to generate some traffic. Record any observations. ________________________________________________________
Step 16: Configure the port to shut down if there is a security violation a. In the event of a security violation, the interface should be shut down. To make the port security shutdown, enter the following command: Switch1(config-if)#switchport port-security violation shutdown
What other action options are available with port security? ______________________________ _____________________________________________________________________________ b. If necessary, ping the switch address 192.168.1.2 from the PC3 192.168.1.5. This PC is now connected to interface FastEthernet 0/4. This ensures that there is traffic from the PC to the switch.
All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 8 of 11
CCNA Discovery Introducing Routing and Switching in the Enterprise
c.
Record any observations. Lancar
d. Check the port security settings. Switch1#show port-security Secure Port
MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------Fa0/4 1 1 0 Shutdown ---------------------------------------------------------------------------
Step 17: Show port 0/4 configuration information To see the configuration information for FastEthernet port 0/4 only, enter show interface fastethernet 0/4 at the privileged EXEC mode prompt. Switch1#show interface fastethernet 0/4
Switch1(config)#interface fa0/4 Switch1(config-if)#switchport port-security violation shutdown Switch1(config-if)#show port-security ^ % Invalid input detected at '^' marker. Switch1(config-if)#exit Switch1(config)#exit Switch1# %SYS-5-CONFIG_I: Configured from console by console Switch1#show port-security Switch1#show interface fastethernet 0/4 All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 9 of 11
CCNA Discovery Introducing Routing and Switching in the Enterprise FastEthernet0/4 is up, line protocol is up (connected) Hardware is Lance, address is 00d0.bc9a.9704 (bia 00d0.bc9a.9704) BW 100000 Kbit, DLY 1000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s input flow-control is off, output flow-control is off ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:08, output 00:00:05, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 956 packets input, 193351 bytes, 0 no buffer Received 956 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 2357 packets output, 263570 bytes, 0 underruns What is the state of this interface? FastEthernet0/4 is UP and line protocol is UP
Step 18: Reactivate the port a. If a security violation occurs and the port is shut down, use the shutdown / no shutdown commands to reactivate the port. b. Try reactivating this port a few times by switching between the original port 0/4 host and the new one.Plug in the original host, enter the no shutdown command on the interface, and ping using the command prompt. The ping will have to be repeated multiple times; alternately, use the ping 192.168.1.2 –n200 command. This command sets the number of ping packets to 200 instead of 4. Then switch hosts and try again.
Step 19: Disable unused ports Disable any ports not being used on the switch. Switch1(config)#interface range Fa0/2 – 3 Switch1(config-if-range)#shutdown Switch1(config-if-range)#exit Switch1(config)#interface range Fa0/5 – 24 Switch1(config-if-range)#shutdown Switch1(config)#interface range gigabitethernet0/1 - 2 Switch1(config-if-range)#shutdown
All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 10 of 11
CCNA Discovery Introducing Routing and Switching in the Enterprise Step 20: Reflection a. Why would port security be enabled on a switch? Agar bisa di gunakan di akses maka di aktifkan dulu b. Why should unused ports on a switch be disabled? Untuk keamanan karena tidak digunakan jika ada orang yang mau jahat atau jahil bisa kita teramankan dengan disable port.
<<<<<< Tugiyono Merdeka >>>>>>>
All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 11 of 11