Practical 1: Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations.
Step 1: Test connectivity. All devices should be able to ping all other IP addresses.
Step 2: Configure OSPF MD5 authentication for all the routers in area 0.
R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest
R2(config)# router ospf 1
R2(config-router)# area 0 authentication message-digest
R3(config)# router ospf 1
R3(config-router)# area 0 authentication message-digest
Step 3: Configure the MD5 key for all the routers in area 0. Configure an MD5 key on the serial interfaces on R1, R2 and R3. Use the password MD5pa55 for key 1. The key ID and key string must match on both ends of each serial link; while they differ, the OSPF adjacency on that link stays down.
R1(config)# interface s0/0/0
R1(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R2(config)# interface s0/0/0
R2(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R2(config-if)# interface s0/0/1
R2(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R3(config)# interface s0/0/1
R3(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
Step 4: Verify configurations.
a. Verify the MD5 authentication configuration using the command show ip ospf interface. For each serial interface the output should report "Message digest authentication enabled" and "Youngest key id is 1".
b. Verify end-to-end connectivity. If a ping across a serial link fails after this step, check that the key ID and key string are identical on both routers of that link.
Part 2: Configure NTP
Step 1: Enable NTP authentication on PC-A.
a. On PC-A, click NTP under the Services tab to verify NTP service is enabled.
b. To configure NTP authentication, click Enable under Authentication. Use key 1 and password NTPpa55 for authentication.
Step 2: Configure R1, R2, and R3 as NTP clients.
R1(config)# ntp server 192.168.1.5
R2(config)# ntp server 192.168.1.5
R3(config)# ntp server 192.168.1.5
Verify client configuration using the command show ntp status. Synchronization can take several polling intervals; show ntp associations lists the configured server, and an asterisk (*) in front of it means the router has selected it as its time source.
Step 3: Configure routers to update the hardware clock. Configure R1, R2, and R3 to periodically update the hardware clock with the time learned from NTP.
R1(config)# ntp update-calendar
R2(config)# ntp update-calendar
R3(config)# ntp update-calendar
Exit global configuration and verify that the hardware clock was updated using the command show clock.
Step 4: Configure NTP authentication on the routers. Configure NTP authentication on R1, R2, and R3 using key 1 and password NTPpa55. ntp authenticate makes the router refuse time from any source whose packets do not carry a digest made with one of the trusted keys; ntp trusted-key names which configured key IDs are acceptable.
R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
R1(config)# ntp authentication-key 1 md5 NTPpa55
R2(config)# ntp authenticate
R2(config)# ntp trusted-key 1
R2(config)# ntp authentication-key 1 md5 NTPpa55
R3(config)# ntp authenticate
R3(config)# ntp trusted-key 1
R3(config)# ntp authentication-key 1 md5 NTPpa55
Note: These are the commands the Packet Tracer activity expects. On a physical IOS router the server statement should also reference the key (ntp server 192.168.1.5 key 1) so that the client's own requests are authenticated with it.
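The OSPF MD5 authentication in Part 1 and the NTP authentication in Part 2 both work the same way: the sender appends a digest computed over the packet plus a shared key, and the receiver recomputes it. The following Python is an added example, not part of the Packet Tracer activity or of Cisco's code. It models the two digest constructions (OSPF per RFC 2328 Appendix D: MD5 over packet followed by the zero-padded key, with a cryptographic sequence number; NTP per RFC 5905: key ID followed by MD5 over key then packet) on constructed, simplified packet bodies rather than full protocol headers, and shows why a forged, tampered, replayed or untrusted-key packet is rejected.

```python
"""Added example, not part of the activity: how the OSPF and NTP MD5
authentication configured above binds each packet to the shared key, and why
OSPF's cryptographic sequence number matters. Packet bodies are constructed
placeholders, not full RFC encodings.
  OSPF (RFC 2328, App. D.4.3): digest = MD5(packet || key zero-padded to 16 bytes),
      with key id, auth length and sequence number carried alongside the packet.
  NTP  (RFC 5905, sec. 7.3):   MAC = key_id || MD5(key || packet)
"""
from __future__ import annotations
import hashlib
import hmac
import struct

OSPF_KEYS = {1: b"MD5pa55"}          # 'ip ospf message-digest-key 1 md5 MD5pa55'
NTP_TRUSTED_KEYS = {1: b"NTPpa55"}   # 'ntp authentication-key 1 md5 NTPpa55' + 'ntp trusted-key 1'


def _ospf_pad(key: bytes) -> bytes:
    """OSPF uses the key as a 16-octet block: zero-padded or truncated."""
    return key[:16].ljust(16, b"\x00")


def ospf_sign(payload: bytes, seq: int, key_id: int, key: bytes) -> bytes:
    """Return payload || trailer(key_id, auth_len=16, seq) || MD5 digest.
    The sequence number is covered by the digest, so a replayed packet cannot
    have its sequence number bumped without knowledge of the key."""
    trailer = struct.pack("!BBI", key_id, 16, seq)  # simplified stand-in for the OSPF header fields
    digest = hashlib.md5(payload + trailer + _ospf_pad(key)).digest()
    return payload + trailer + digest


def ospf_verify(packet: bytes, keys: dict[int, bytes], last_seq: int) -> tuple[bool, int]:
    """Check the digest, then enforce seq >= last accepted seq from this neighbor.
    Returns (accepted, new last_seq)."""
    if len(packet) < 22:
        return False, last_seq
    payload, trailer, digest = packet[:-22], packet[-22:-16], packet[-16:]
    key_id, auth_len, seq = struct.unpack("!BBI", trailer)
    key = keys.get(key_id)
    if key is None or auth_len != 16:
        return False, last_seq
    expected = hashlib.md5(payload + trailer + _ospf_pad(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, last_seq          # wrong key or modified packet
    if seq < last_seq:
        return False, last_seq          # replay of an older packet
    return True, seq


def ntp_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """NTP symmetric-key MAC: 4-byte key identifier followed by MD5(key || packet)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def ntp_verify(packet: bytes, mac: bytes, trusted_keys: dict[int, bytes]) -> bool:
    """'ntp authenticate' rejects any packet whose key id is not in the
    trusted-key list or whose digest does not verify."""
    if len(mac) != 20:
        return False
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(hashlib.md5(key + packet).digest(), mac[4:])


def demo() -> dict[str, bool]:
    hello = b"OSPF Hello, area 0, router-id 10.1.1.1"    # constructed payload
    good = ospf_sign(hello, seq=100, key_id=1, key=OSPF_KEYS[1])
    ok_good, last = ospf_verify(good, OSPF_KEYS, last_seq=0)
    forged = ospf_sign(hello, seq=101, key_id=1, key=b"wrongkey")
    replay = ospf_sign(hello, seq=50, key_id=1, key=OSPF_KEYS[1])
    reply = b"NTPv4 server reply from 192.168.1.5"      # constructed payload
    mac = ntp_mac(reply, 1, NTP_TRUSTED_KEYS[1])
    untrusted = ntp_mac(reply, 2, NTP_TRUSTED_KEYS[1])  # key id 2 is not trusted
    return {
        "ospf_good": ok_good,
        "ospf_forged": ospf_verify(forged, OSPF_KEYS, last)[0],
        "ospf_replay": ospf_verify(replay, OSPF_KEYS, last)[0],
        "ntp_good": ntp_verify(reply, mac, NTP_TRUSTED_KEYS),
        "ntp_tampered": ntp_verify(reply + b"!", mac, NTP_TRUSTED_KEYS),
        "ntp_untrusted_key": ntp_verify(reply, untrusted, NTP_TRUSTED_KEYS),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Both schemes are keyed digests, so the security rests entirely on the secrecy of MD5pa55 and NTPpa55; the key string appears in the running configuration in the clear, which is why it must not be reused for anything else. Where the platform offers them, the HMAC-SHA variants (RFC 5709 for OSPF) are preferable to plain MD5.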
Step 5: Configure routers to timestamp log messages.
Configure timestamp service for logging on the routers.
R1(config)# service timestamps log datetime msec
R2(config)# service timestamps log datetime msec
R3(config)# service timestamps log datetime msec
Part 3: Configure Routers to Log Messages to the Syslog Server
Step 1: Configure the routers to identify the remote host (Syslog Server) that will receive logging messages.
R1(config)# logging host 192.168.1.6
R2(config)# logging host 192.168.1.6
R3(config)# logging host 192.168.1.6
The router console will display a message that logging has started.
Step 2: Verify logging configuration.
Use the command show logging to verify logging has been enabled.
Step 3: Examine logs of the Syslog Server.
From the Services tab of the Syslog Server's dialogue box, select the Syslog services button. Observe the logging messages received from the routers.
Note: Log messages can be generated on the server by executing commands on the router. For example, entering and exiting global configuration mode will generate an informational configuration message. You may need to click a different service and then click Syslog again to refresh the message display.
Part 4: Configure R3 to Support SSH Connections
Step 1: Configure a domain name. Configure a domain name of ccnasecurity.com on R3.
R3(config)# ip domain-name ccnasecurity.com
Step 2: Configure users for login to the SSH server on R3.
Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55
Step 3: Configure the incoming vty lines on R3. Use the local user accounts for mandatory login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
Step 4: Erase existing key pairs on R3. Any existing RSA key pairs should be erased on the router.
R3(config)# crypto key zeroize rsa
Note: If no keys exist, you might receive this message: No Signature RSA Keys found in configuration.
Step 5: Generate the RSA encryption key pair for R3.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA keys with a modulus of 1024, as the activity requires. The default is 512, and the range is from 360 to 2048. A 1024-bit modulus is below current practice; on production routers use at least 2048 bits.
R3(config)# crypto key generate rsa
The name for the keys will be: R3.ccnasecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable... [OK]
Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from the one used in the lab.
Step 6: Verify the SSH configuration.
Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries are at their default values of 120 and 3.
Step 7: Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2
Issue the show ip ssh command again to confirm that the values have been changed.
Step 8: Attempt to connect to R3 via Telnet from PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via Telnet.
PC> telnet 192.168.3.1
This connection should fail because R3 has been configured to accept only SSH connections on the virtual terminal lines.
Step 9: Connect to R3 using SSH on PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via SSH. When prompted for the password, enter the password configured for the administrator: ciscosshpa55.
PC> ssh -l SSHadmin 192.168.3.1
Step 10: Connect to R3 using SSH on R2.
To troubleshoot and maintain R3, the administrator at the ISP must use SSH to access the router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the SSHadmin user account. When prompted for the password, enter the password configured for the administrator: ciscosshpa55.
R2# ssh -v 2 -l SSHadmin 10.2.2.1
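Practical 1 touches several management-plane controls at once (timestamped logging to a syslog host, authenticated NTP, a domain name and RSA key for SSH, SSH version 2, local login on the vty lines and transport input ssh). The following Python is an added example, not part of the activity or of any Cisco tool: a small audit that parses an IOS-style running configuration and reports which of those controls are missing. The sample configuration is constructed for the demo and deliberately leaves SSH version 2 unset and telnet enabled on one vty range; the check names and their patterns are this example's own choices.

```python
"""Added example, not part of the Packet Tracer activity: audit an IOS-style
running-config for the management-plane hardening this practical configures.
The sample config is constructed; check names and patterns are this example's."""
from __future__ import annotations
import re

# Constructed sample: R3 after Practical 1, except that 'ip ssh version 2' is
# missing and 'line vty 0 4' still accepts telnet. Weak on purpose for the demo.
SAMPLE_CONFIG = """\
hostname R3
service timestamps log datetime msec
ip domain-name ccnasecurity.com
username SSHadmin privilege 15 secret 5 $1$abcd$constructedhashvalue
ntp server 192.168.1.5
ntp authenticate
ntp trusted-key 1
ntp authentication-key 1 md5 NTPpa55
logging host 192.168.1.6
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

REQUIRED_GLOBALS = {                       # name -> regex that must match some global line
    "ip domain-name": r"^ip domain-name \S+",
    "ip ssh version 2": r"^ip ssh version 2$",
    "ntp authenticate": r"^ntp authenticate$",
    "ntp trusted-key": r"^ntp trusted-key \d+",
    "logging host": r"^logging host \S+",
    "service timestamps": r"^service timestamps log datetime( msec)?",
}


def parse_lines(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split the config into global lines and 'line ...' blocks (indented children)."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
            if raw.startswith("line "):
                current = raw.strip()
                blocks[current] = []
            else:
                globals_.append(raw.strip())
    return globals_, blocks


def audit(config: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    globals_, blocks = parse_lines(config)
    for name, pattern in REQUIRED_GLOBALS.items():
        if not any(re.match(pattern, g) for g in globals_):
            findings.append(f"missing: {name}")
    for g in globals_:
        # 'password' stores a reversible (type 0/7) string; the lab uses hashed 'secret'
        if re.match(r"^username \S+(?: privilege \d+)? password ", g):
            findings.append(f"reversible password on user {g.split()[1]}")
    for line, children in blocks.items():
        if not line.startswith("line vty"):
            continue
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append(f"{line}: transport input not restricted to ssh ({transport})")
        if not any(c.startswith("login") for c in children):
            findings.append(f"{line}: no login method configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the two intended weaknesses; once ip ssh version 2 is added and the first vty range is changed to transport input ssh, the list is empty. The RSA modulus is not visible in a running-config, so that check has to be done with show crypto key mypubkey rsa instead.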
Practical 2: Packet Tracer - Configure AAA Authentication on Cisco Routers
Part 1: Configure Local AAA Authentication for Console Access on R1
Step 1: Test connectivity.
Ping from PC-A to PC-B.
Ping from PC-A to PC-C.
Ping from PC-B to PC-C.
Step 2: Configure a local username on R1.
Configure a username of Admin1 with a secret password of admin1pa55.
R1(config)# username Admin1 secret admin1pa55
Step 3: Configure local AAA authentication for console access on R1.
Enable AAA on R1 and configure AAA authentication for the console login to use the local database.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
Step 4: Configure the line console to use the defined AAA authentication method.
Configure the console line to use the default AAA method list created in Step 3. (Once aaa new-model is enabled, the default list applies to every line that has no named list, so this command makes the assignment explicit.)
R1(config)# line console 0
R1(config-line)# login authentication default
Step 5: Verify the AAA authentication method.
Verify the user EXEC login using the local database.
R1(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
R1# exit
R1 con0 is now available
Press RETURN to get started.
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
User Access Verification
Username: Admin1
Password: admin1pa55
R1>
Part 2: Configure Local AAA Authentication for vty Lines on R1
Step 1: Configure domain name and crypto key for use with SSH.
a. Use ccnasecurity.com as the domain name on R1.
R1(config)# ip domain-name ccnasecurity.com
b. Create an RSA crypto key using 1024 bits.
R1(config)# crypto key generate rsa
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
Generating 1024 bit RSA keys, keys will be non-exportable...
[OK]
Step 2: Configure a named list AAA authentication method for the vty lines on R1.
Configure a named list called SSH-LOGIN to authenticate logins using local AAA.
R1(config)# aaa authentication login SSH-LOGIN local
Step 3: Configure the vty lines to use the defined AAA authentication method.
Configure the vty lines to use the named AAA method and only allow SSH for remote access.
R1(config)# line vty 0 4
R1(config-line)# login authentication SSH-LOGIN
R1(config-line)# transport input ssh
R1(config-line)# end
Step 4: Verify the AAA authentication method.
Verify the SSH configuration by connecting to R1 from the command prompt of PC-A.
PC> ssh -l Admin1 192.168.1.1
Open
Password: admin1pa55
Part 3: Configure Server-Based AAA Authentication Using TACACS+ on R2
Step 1: Configure a backup local database entry called Admin2.
For backup purposes, configure a local username of Admin2 and a secret password of admin2pa55.
R2(config)# username Admin2 secret admin2pa55
Step 2: Verify the TACACS+ Server configuration.
Click the TACACS+ Server. On the Services tab, click AAA. Notice that there is a Network configuration entry for R2 and a User Setup entry for Admin2.
Step 3: Configure the TACACS+ server specifics on R2.
Configure the AAA TACACS server IP address and secret key on R2.
Note: The commands tacacs-server host and tacacs-server key are deprecated. Currently, Packet Tracer does not support the new command tacacs server.
R2(config)# tacacs-server host 192.168.2.2
R2(config)# tacacs-server key tacacspa55
Step 4: Configure AAA login authentication for console access on R2.
Enable AAA on R2 and configure all logins to authenticate using the AAA TACACS+ server. If it is not available, then use the local database.
R2(config)# aaa new-model
R2(config)# aaa authentication login default group tacacs+ local
Step 5: Configure the line console to use the defined AAA authentication method.
Configure AAA authentication for console login to use the default AAA authentication method.
R2(config)# line console 0
R2(config-line)# login authentication default
Step 6: Verify the AAA authentication method.
Verify the user EXEC login using the AAA TACACS+ server.
R2(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
R2# exit
R2 con0 is now available
Press RETURN to get started.
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
User Access Verification
Username: Admin2
Password: admin2pa55
R2>
Part 4: Configure Server-Based AAA Authentication Using RADIUS on R3
Step 1: Configure a backup local database entry called Admin3.
For backup purposes, configure a local username of Admin3 and a secret password of admin3pa55.
R3(config)# username Admin3 secret admin3pa55
Step 2: Verify the RADIUS Server configuration.
Click the RADIUS Server. On the Services tab, click AAA. Notice that there is a Network configuration entry for R3 and a User Setup entry for Admin3.
Step 3: Configure the RADIUS server specifics on R3.
Configure the AAA RADIUS server IP address and secret key on R3.
Note: The commands radius-server host and radius-server key are deprecated. Currently, Packet Tracer does not support the new command radius server.
R3(config)# radius-server host 192.168.3.2
R3(config)# radius-server key radiuspa55
Step 4: Configure AAA login authentication for console access on R3.
Enable AAA on R3 and configure all logins to authenticate using the AAA RADIUS server. If it is not available, then use the local database.
R3(config)# aaa new-model
R3(config)# aaa authentication login default group radius local
Step 5: Configure the line console to use the defined AAA authentication method.
Configure AAA authentication for console login to use the default AAA authentication method.
R3(config)# line console 0
R3(config-line)# login authentication default
Step 6: Verify the AAA authentication method.
Verify the user EXEC login using the AAA RADIUS server.
R3(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
R3# exit
R3 con0 is now available
Press RETURN to get started.
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
User Access Verification
Username: Admin3
Password: admin3pa55
R3>
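Parts 3 and 4 describe the method lists group tacacs+ local and group radius local as "use the server; if it is not available, use the local database". The fallback rule IOS applies is narrower than that sentence suggests: the next method in the list is tried only when the current one returns an error (the server did not answer), not when it returns a failure (the server answered and rejected the credentials). The following Python is an added example, not part of the activity or of Cisco's software, that models this evaluation. AAAServer and LocalDatabase are constructed stand-ins for the lab's servers and for the username ... secret entries; the user Backup exists only in the local database to show what happens to such an account while the server is reachable.

```python
"""Added example, not part of the activity: how IOS evaluates a login method
list such as 'aaa authentication login default group tacacs+ local'. The
AAAServer and LocalDatabase classes are stand-ins for the lab's TACACS+ and
RADIUS servers and for 'username ... secret' entries; the rule modelled is the
documented one: a later method is consulted only when the current method
returns an ERROR (server unreachable), never when it returns FAIL (credentials
rejected)."""
from __future__ import annotations
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class AAAServer:
    """Constructed stand-in for 192.168.2.2 (TACACS+) or 192.168.3.2 (RADIUS)."""
    users: dict[str, str]
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR                      # timeout: no answer from the server
        return PASS if self.users.get(user) == password else FAIL


@dataclass
class LocalDatabase:
    """The router's local 'username ... secret ...' entries (e.g. Admin2 / admin2pa55)."""
    users: dict[str, str]

    def authenticate(self, user: str, password: str) -> str:
        # The local database is always reachable; in this model it only passes or fails.
        return PASS if self.users.get(user) == password else FAIL


def run_method_list(methods, user: str, password: str) -> tuple[bool, list[str]]:
    """Walk the list in order: stop on PASS or FAIL, continue only on ERROR.
    Returns (access granted, trace of 'method:result')."""
    trace = []
    for name, method in methods:
        result = method.authenticate(user, password)
        trace.append(f"{name}:{result}")
        if result == PASS:
            return True, trace
        if result == FAIL:
            return False, trace               # a rejected login never falls through
    return False, trace                       # every method errored: deny


def demo() -> dict[str, tuple[bool, list[str]]]:
    tacacs = AAAServer(users={"Admin2": "admin2pa55"})
    local = LocalDatabase(users={"Admin2": "admin2pa55", "Backup": "backuppa55"})
    default_list = [("group tacacs+", tacacs), ("local", local)]   # order as configured on R2
    out = {}
    out["server_up_good"] = run_method_list(default_list, "Admin2", "admin2pa55")
    out["server_up_bad"] = run_method_list(default_list, "Admin2", "wrong")
    # 'Backup' exists only locally: while the server is up it answers FAIL and local is never asked.
    out["server_up_local_only_user"] = run_method_list(default_list, "Backup", "backuppa55")
    tacacs.reachable = False
    out["server_down_good"] = run_method_list(default_list, "Admin2", "admin2pa55")
    out["server_down_bad"] = run_method_list(default_list, "Admin2", "wrong")
    return out


if __name__ == "__main__":
    for case, (granted, trace) in demo().items():
        print(f"{case:28} {'GRANTED' if granted else 'DENIED ':8} {' -> '.join(trace)}")
```

The practical consequence is the reason the activity creates Admin2 and Admin3 on both the server and the router: a local-only account is unusable while the server is up, and a server-only account is unusable while it is down. Keep the two databases in step for the break-glass account.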
Practical 3: Configuring Extended ACLs - Scenario 1
Part 1: Configure, Apply and Verify an Extended Numbered ACL
Step 1: Configure an ACL to permit FTP and ICMP.
a. From global configuration mode on R1, enter the following command to determine the first valid number for an extended access list.
R1(config)# access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
b. Add 100 to the command, followed by a question mark.
R1(config)# access-list 100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
c. To permit FTP traffic, enter permit, followed by a question mark.
R1(config)# access-list 100 permit ?
  ahp    Authentication Header Protocol
  eigrp  Cisco's EIGRP routing protocol
  esp    Encapsulation Security Payload
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
d. This ACL permits FTP and ICMP. ICMP is listed above, but FTP is not, because FTP uses TCP. Therefore, enter tcp to further refine the ACL help.
R1(config)# access-list 100 permit tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
e. Notice that we could filter just for PC1 by using the host keyword or we could allow any host. In this case, any device is allowed that has an address belonging to the 172.22.34.64/27 network. Enter the network address, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 ?
  A.B.C.D  Source wildcard bits
f. Calculate the wildcard mask by determining the binary opposite of the subnet mask: every 1 bit in the mask becomes 0 and every 0 bit becomes 1.
Subnet mask:   255.255.255.224
Wildcard mask: 0.0.0.31
g. Enter the wildcard mask, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
h. Configure the destination address. In this scenario, we are filtering traffic for a single destination, which is the server. Enter the host keyword followed by the server's IP address.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 ?
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
  <cr>
i. Notice that one of the options is <cr> (carriage return). In other words, you can press Enter and the statement would permit all TCP traffic. However, we are only permitting FTP traffic; therefore, enter the eq keyword, followed by a question mark to display the available options. Then, enter ftp and press Enter.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ?
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp
j. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC1 to Server. Note that the access list number remains the same and no particular type of ICMP traffic needs to be specified.
R1(config)# access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62
k. All other traffic is denied, by default.
Step 2: Apply the ACL on the correct interface to filter traffic.
From R1's perspective, the traffic that ACL 100 applies to is inbound from the network connected to Gigabit Ethernet 0/0 interface. Enter interface configuration mode and apply the ACL.
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip access-group 100 in
Step 3: Verify the ACL implementation.
a. Ping from PC1 to Server. If the pings are unsuccessful, verify the IP addresses before continuing.
b. FTP from PC1 to Server. The username and password are both cisco.
PC> ftp 172.22.34.62
c. Exit the FTP service of the Server.
ftp> quit
d. Ping from PC1 to PC2. The destination host should be unreachable, because the traffic was not explicitly permitted.
Part 2: Configure, Apply and Verify an Extended Named ACL
Step 1: Configure an ACL to permit HTTP access and ICMP.
a. Named ACLs start with the ip keyword. From global configuration mode of R1, enter the following command, followed by a question mark.
R1(config)# ip access-list ?
  extended  Extended Access List
  standard  Standard Access List
b. You can configure named standard and extended ACLs. This access list filters both source and destination IP addresses; therefore, it must be extended. Enter HTTP_ONLY as the name. (For Packet Tracer scoring, the name is case-sensitive.)
R1(config)# ip access-list extended HTTP_ONLY
c. The prompt changes. You are now in extended named ACL configuration mode. All devices on the PC2 LAN need TCP access. Enter the network address, followed by a question mark.
R1(config-ext-nacl)# permit tcp 172.22.34.96 ?
  A.B.C.D  Source wildcard bits
d. An alternative way to calculate a wildcard is to subtract the subnet mask from 255.255.255.255.
255.255.255.255 - 255.255.255.240 = 0.0.0.15
R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 ?
e. Finish the statement by specifying the server address as you did in Part 1 and filtering www traffic.
R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www
f. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC2 to Server. Note: The prompt remains the same and a specific type of ICMP traffic does not need to be specified.
R1(config-ext-nacl)# permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62
g. All other traffic is denied, by default. Exit out of extended named ACL configuration mode.
Step 2: Apply the ACL on the correct interface to filter traffic.
From R1's perspective, the traffic that access list HTTP_ONLY applies to is inbound from the network connected to the Gigabit Ethernet 0/1 interface. Enter interface configuration mode and apply the ACL.
R1(config)# interface gigabitEthernet 0/1
R1(config-if)# ip access-group HTTP_ONLY in
Step 3: Verify the ACL implementation.
a. Ping from PC2 to Server. The ping should be successful. If it is unsuccessful, verify the IP addresses before continuing.
b. FTP from PC2 to Server. The connection should fail.
c. Open the web browser on PC2 and enter the IP address of Server as the URL. The connection should be successful.
Practical 4: Configure IP ACLs to Mitigate
Part 1: Verify Basic Network Connectivity
Verify network connectivity prior to configuring the IP ACLs.
Step 1: From PC-A, verify connectivity to PC-C and R2.
a. From the command prompt, ping PC-C (192.168.3.3).
b. From the command prompt, establish an SSH session to R2 Lo0 interface (192.168.2.1) using username SSHadmin and password ciscosshpa55. When finished, exit the SSH session.
SERVER> ssh -l SSHadmin 192.168.2.1
Step 2: From PC-C, verify connectivity to PC-A and R2.
a. From the command prompt, ping PC-A (192.168.1.3).
b. From the command prompt, establish an SSH session to R2 Lo0 interface (192.168.2.1) using username SSHadmin and password ciscosshpa55. Close the SSH session when finished.
PC> ssh -l SSHadmin 192.168.2.1
c. Open a web browser to the PC-A server (192.168.1.3) to display the web page. Close the browser when done.
Part 2: Secure Access to Routers
Step 1: Configure ACL 10 to block all remote access to the routers except from PC-C. Use the access-list command to create a numbered IP ACL on R1, R2, and R3.
R1(config)# access-list 10 permit host 192.168.3.3
R2(config)# access-list 10 permit host 192.168.3.3
R3(config)# access-list 10 permit host 192.168.3.3
Step 2: Apply ACL 10 to ingress traffic on the VTY lines. Enter line configuration mode for the vty lines and use the access-class command to apply the access list to incoming connections. Unlike ip access-group on an interface, access-class filters only connections to the router's own vty lines, so transit traffic is unaffected.
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
R2(config)# line vty 0 4
R2(config-line)# access-class 10 in
R3(config)# line vty 0 4
R3(config-line)# access-class 10 in
Step 3: Verify exclusive access from management station PC-C.
a. Establish an SSH session to 192.168.2.1 from PC-C (should be successful).
PC> ssh -l SSHadmin 192.168.2.1
b. Establish an SSH session to 192.168.2.1 from PC-A (should fail).
Part 3: Create a Numbered IP ACL 120 on R1
Create an IP ACL numbered 120 with the following rules:
- Permit any outside host to access DNS, SMTP, and FTP services on server PC-A.
- Deny any outside host access to HTTPS services on PC-A.
- Permit PC-C to access R1 via SSH.
Note: Check Results will not show a correct configuration for ACL 120 until you modify it in Part 4.
Step 1: Verify that PC-C can access the PC-A via HTTPS using the web browser.
Be sure to disable HTTP and enable HTTPS on server PC-A.
Step 2: Configure ACL 120 to specifically permit and deny the specified traffic. Use the access-list command to create a numbered IP ACL.
R1(config)# access-list 120 permit udp any host 192.168.1.3 eq domain
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq smtp
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq ftp
R1(config)# access-list 120 deny tcp any host 192.168.1.3 eq 443
R1(config)# access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
Step 3: Apply the ACL to interface S0/0/0. Use the ip access-group command to apply the access list to incoming traffic on interface S0/0/0.
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 120 in
Step 4: Verify that PC-C cannot access PC-A via HTTPS using the web browser.
Part 4: Modify an Existing ACL on R1
Permit ICMP echo replies and destination unreachable messages from the outside network (relative to R1). Deny all other incoming ICMP packets.
Step 1: Verify that PC-A cannot successfully ping the loopback interface on R2.
Step 2: Make any necessary changes to ACL 120 to permit and deny the specified traffic. Use the access-list command to add entries to the existing numbered ACL. New entries are appended after the ones created in Part 3, so the HTTPS deny is still evaluated before the closing permit ip any any; without that final permit, the ACL's implicit deny would continue to drop everything not explicitly listed.
R1(config)# access-list 120 permit icmp any any echo-reply
R1(config)# access-list 120 permit icmp any any unreachable
R1(config)# access-list 120 deny icmp any any
R1(config)# access-list 120 permit ip any any
Step 3: Verify that PC-A can successfully ping the loopback interface on R2.
Part 5: Create a Numbered IP ACL 110 on R3
Deny all outbound packets with source address outside the range of internal IP addresses on R3.
Step 1: Configure ACL 110 to permit only traffic from the inside network. Use the access-list command to create a numbered IP ACL.
R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 any
Step 2: Apply the ACL to interface G0/1. Use the ip access-group command to apply the access list to incoming traffic on interface G0/1.
R3(config)# interface g0/1
R3(config-if)# ip access-group 110 in
Part 6: Create a Numbered IP ACL 100 on R3
On R3, block all packets containing the source IP address from the following pool of addresses: any RFC 1918 private addresses, 127.0.0.0/8, and any IP multicast address. Since PC-C is being used for remote administration, permit SSH traffic from the 10.0.0.0/8 network to return to the host PC-C.
Step 1: Configure ACL 100 to block all specified traffic from the outside network.
You should also block traffic sourced from your own internal address space if it is not an RFC 1918 address. In this activity, your internal address space is part of the private address space specified in RFC 1918. Use the access-list command to create a numbered IP ACL.
R3(config)# access-list 100 permit tcp 10.0.0.0 0.255.255.255 eq 22 host 192.168.3.3
R3(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R3(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R3(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
R3(config)# access-list 100 permit ip any any
Step 2: Apply the ACL to interface Serial 0/0/1. Use the ip access-group command to apply the access list to incoming traffic on interface Serial 0/0/1.
R3(config)# interface s0/0/1
R3(config-if)# ip access-group 100 in
Step 3: Confirm that the specified traffic entering interface Serial 0/0/1 is handled correctly.
a. From the PC-C command prompt, ping the PC-A server. The ICMP echo replies are blocked by the ACL since they are sourced from the 192.168.0.0/16 address space.
b. Establish an SSH session to 192.168.2.1 from PC-C (should be successful).
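Practical 3 builds extended ACLs by hand (including the wildcard-mask arithmetic in Part 1 step f and Part 2 step d), and Parts 3 to 6 of this practical depend on the order of entries, the implicit deny, and the fact that eq 22 placed after the source matches the source port. The following Python is an added example, not part of either activity or of Cisco's software: it computes wildcard masks and evaluates a packet against an ACL with IOS semantics (first matching entry wins, no match means deny). It is loaded with ACL 100 from R1 in Practical 3 and the anti-spoofing ACL 100 from R3 above; the packets are constructed 5-tuples, not captures, and the matcher covers only the keywords those two ACLs use.

```python
"""Added example, not part of the activity: wildcard-mask arithmetic and the
first-match, implicit-deny evaluation IOS applies to extended ACLs, run against
ACL 100 from Practical 3 (R1, inbound on G0/0) and the anti-spoofing ACL 100
from Practical 4 (R3, inbound on S0/0/1). Packets are constructed 5-tuples."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


def wildcard_from_mask(mask: str) -> str:
    """Wildcard is the bitwise inverse of the subnet mask (255.255.255.224 -> 0.0.0.31),
    the same result as subtracting each octet from 255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits set to 1 in the wildcard are ignored; the remaining bits must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")          # the 'any' keyword


def host(ip: str) -> tuple[str, str]:          # the 'host a.b.c.d' keyword
    return (ip, "0.0.0.0")


@dataclass(frozen=True)
class ACE:
    action: str                   # permit | deny
    proto: str                    # ip | tcp | udp | icmp
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: int | None = None      # 'eq N' written after the source address
    dport: int | None = None      # 'eq N' written after the destination address
    icmp_type: str | None = None  # e.g. echo-reply

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wc_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wc_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return self.icmp_type is None or pkt.get("icmp_type") == self.icmp_type


def evaluate(acl: list[ACE], pkt: dict) -> tuple[str, int | None]:
    """First matching entry decides; no match is the implicit 'deny ip any any'.
    Returns (action, 1-based index of the matching entry, or None for implicit deny)."""
    for idx, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None


PC1_LAN = ("172.22.34.64", wildcard_from_mask("255.255.255.224"))
R1_ACL100 = [  # Practical 3, Part 1: FTP and ICMP from the PC1 LAN to the server only
    ACE("permit", "tcp", *PC1_LAN, *host("172.22.34.62"), dport=21),
    ACE("permit", "icmp", *PC1_LAN, *host("172.22.34.62")),
]
R3_ACL100 = [  # Practical 4, Part 6: SSH return traffic first, then bogon sources, then permit
    ACE("permit", "tcp", "10.0.0.0", "0.255.255.255", *host("192.168.3.3"), sport=22),
    ACE("deny", "ip", "10.0.0.0", "0.255.255.255", *ANY),
    ACE("deny", "ip", "172.16.0.0", "0.15.255.255", *ANY),
    ACE("deny", "ip", "192.168.0.0", "0.0.255.255", *ANY),
    ACE("deny", "ip", "127.0.0.0", "0.255.255.255", *ANY),
    ACE("deny", "ip", "224.0.0.0", "15.255.255.255", *ANY),
    ACE("permit", "ip", *ANY, *ANY),
]


def demo() -> dict:
    r1_pkts = {  # constructed traffic arriving inbound on R1 G0/0
        "pc1_ftp_to_server": dict(proto="tcp", src="172.22.34.66", dst="172.22.34.62", sport=49152, dport=21),
        "pc1_http_to_server": dict(proto="tcp", src="172.22.34.66", dst="172.22.34.62", sport=49153, dport=80),
        "pc1_ping_pc2": dict(proto="icmp", src="172.22.34.66", dst="172.22.34.98", icmp_type="echo"),
    }
    r3_pkts = {  # constructed traffic arriving inbound on R3 S0/0/1
        "ssh_reply_from_10net": dict(proto="tcp", src="10.2.2.2", dst="192.168.3.3", sport=22, dport=49154),
        "spoofed_10_source": dict(proto="tcp", src="10.9.9.9", dst="192.168.3.3", sport=80, dport=49155),
        "pca_echo_reply_to_pcc": dict(proto="icmp", src="192.168.1.3", dst="192.168.3.3", icmp_type="echo-reply"),
    }
    return {
        "wildcard_27": wildcard_from_mask("255.255.255.224"),
        "wildcard_28": wildcard_from_mask("255.255.255.240"),
        "r1": {name: evaluate(R1_ACL100, p) for name, p in r1_pkts.items()},
        "r3": {name: evaluate(R3_ACL100, p) for name, p in r3_pkts.items()},
    }
```

The last R3 case reproduces Step 3a above: an echo reply from PC-A (192.168.1.3) is dropped by the fourth entry because its source falls inside 192.168.0.0/16, even though nothing about it is malicious. That is the trade-off of an anti-spoofing filter on a WAN interface when the far side also uses RFC 1918 space.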
Step 4: Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
Practical 7: Configure IOS Intrusion Prevention System (IPS) Using the CLI
Part 1: Enable IOS IPS
Note: Within Packet Tracer, the routers already have the signature files imported and in place. They are the default xml files in flash. For this reason, it is not necessary to configure the public crypto key and complete a manual import of the signature files.
Step 1: Enable the Security Technology package.
a. On R1, issue the show version command to view the Technology Package license information.
b. If the Security Technology package has not been enabled, use the following command to enable the package.
R1(config)# license boot module c1900 technology-package securityk9
c. Accept the end user license agreement.
d. Save the running-config and reload the router to enable the security license.
e. Verify that the Security Technology package has been enabled by using the show version command.
Step 2: Verify network connectivity.
a. Ping from PC-C to PC-A. The ping should be successful.
b. Ping from PC-A to PC-C. The ping should be successful.
Step 3: Create an IOS IPS configuration directory in flash. On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.
R1# mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir
Step 4: Configure the IPS signature storage location. On R1, configure the IPS signature storage location to be the directory you just created.
R1(config)# ip ips config location flash:ipsdir
Step 5: Create an IPS rule.
On R1, create an IPS rule name using the ip ips name name command in global configuration mode. Name the IPS rule iosips.
R1(config)# ip ips name iosips
Step 6: Enable logging.
IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled by default. If logging console is enabled, IPS syslog messages display.
a. Enable syslog if it is not enabled.
R1(config)# ip ips notify log
b. If necessary, use the clock set command from privileged EXEC mode to reset the clock.
c. Verify that the timestamp service for logging is enabled on the router using the show run command. Enable the timestamp service if it is not enabled.
R1(config)# service timestamps log datetime msec
d. Send log messages to the syslog server at IP address 192.168.1.50.
R1(config)# logging host 192.168.1.50
Step 7: Configure IOS IPS to use the signature categories.
Retire the all signature category with the retired true command (all signatures within the signature release). Unretire the IOS_IPS Basic category with the retired false command.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>
Step 8: Apply the IPS rule to an interface.
Apply the IPS rule to an interface with the ip ips name direction command in interface configuration mode. Apply the rule outbound on the G0/1 interface of R1. After you enable IPS, some log messages will be sent to the console line indicating that the IPS engines are being initialized.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out means that IPS inspects only traffic going out of the interface.
R1(config)# interface g0/1
R1(config-if)# ip ips iosips out
Part 2: Modify the Signature
Step 1: Change the event-action of a signature.
Un-retire the echo request signature (signature 2004, subsig ID 0), enable it, and change the signature action to alert and drop.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>
Step 2: Use show commands to verify IPS.
Use the show ip ips all command to view the IPS configuration status summary.
To which interfaces and in which direction is the iosips rule applied?
G0/1 outbound.
Step 3: Verify that IPS is working properly.
a. From PC-C, attempt to ping PC-A. Were the pings successful? Explain.
The pings should fail. This is because the IPS rule for event-action of an echo request was set to "deny-packet-inline".
b. From PC-A, attempt to ping PC-C. Were the pings successful? Explain.
The ping should be successful. This is because the IPS rule does not cover echo reply. When PC-A pings PC-C, PC-C responds with an echo reply.
Step 4: View the syslog messages.
a. Click the Syslog server.
b. Select the Services tab.
c. In the left navigation menu, select SYSLOG to view the log file.
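Practical 1 Part 3 and this step both end with reading router messages off the Syslog server, and Practical 1 Step 5 explained why service timestamps log datetime msec matters before that. The following Python is an added example, not part of either activity or of any Cisco tool: a parser for the IOS syslog message layout (optional sequence number, optional clock flag and timestamp, then %FACILITY-SEVERITY-MNEMONIC: text) that also pulls the signature ID and addresses out of %IPS-4-SIGNATURE alerts, and a triage summary that flags messages which arrived without a timestamp or from a router whose clock was not authoritative. The sample lines are constructed to that layout, not captured output.

```python
"""Added example, not part of the activity: parse the IOS syslog messages the
routers send once 'logging host' and 'service timestamps log datetime msec' are
configured, including the %IPS-4-SIGNATURE alerts from Practical 7. Sample lines
are constructed to the IOS layout; they are not captured output."""
from __future__ import annotations
import re
from collections import Counter

# [seq: ][*|.]<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?:\d+: )?"                      # optional sequence number (service sequence-numbers)
    r"(?P<clock>[*.])?"                 # '*' = clock never set, '.' = set but NTP sync lost
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)?:?\s*"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
IPS_RE = re.compile(
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.*?) "
    r"\[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]"
)

SAMPLE_LINES = [  # constructed
    "Mar  1 00:05:12.345: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:00:44.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by console",   # router without service timestamps
    "Mar  1 00:07:01.010: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request "
    "[192.168.3.3:8 -> 192.168.1.3:0] VRF:NONE RiskRating:25",
    "Mar  1 00:07:09.551: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: SSHadmin] "
    "[Source: 192.168.1.3] [localport: 22] [Reason: Login Authentication Failed] at 00:07:09 UTC Mon Mar 1 1993",
]


def parse_line(line: str) -> dict | None:
    """Return the message fields, or None if the line is not an IOS syslog message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["authoritative"] = rec["clock"] is None        # NTP-synchronized timestamps carry no flag
    rec["has_msec"] = bool(rec["ts"]) and "." in rec["ts"]
    if rec["facility"] == "IPS":
        ips = IPS_RE.search(rec["text"])
        if ips:
            rec["ips"] = {k: int(v) if k in ("sig", "subsig", "sev") else v
                          for k, v in ips.groupdict().items()}
    return rec


def summarize(lines: list[str]) -> dict:
    """Triage view: what arrived, what needs attention (severity 4 and lower), and
    which messages cannot be correlated because the sender had no timestamp or no
    trusted clock."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    return {
        "parsed": len(recs),
        "by_facility": dict(Counter(r["facility"] for r in recs)),
        "warning_or_worse": [r["mnemonic"] for r in recs if r["severity"] <= 4],
        "missing_timestamp": [r["mnemonic"] for r in recs if not r["ts"]],
        "clock_not_authoritative": [r["mnemonic"] for r in recs if not r["authoritative"]],
        "ips_events": [r["ips"] for r in recs if "ips" in r],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The two "cannot correlate" lists are the operational reason Practical 1 configures NTP (with authentication) and timestamps before pointing the routers at the syslog server: an IPS alert or a failed SSH login is only useful in an investigation if its time can be lined up with events on other hosts.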
Step 5: Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.