Workshop 4: Router Security

Workshop #4: Securing Layer 2 Switching, 14/09/2014. Members: Katiuska Criollo, Johnny Segarra, Byron Asencio, Luis Pilay, Boris De la Torre

Upload: boris-de-la-torre

Posted on 11-Dec-2015



DESCRIPTION

VLAN configuration

TRANSCRIPT


Part 1: Basic Switch Configuration

1. Cable the devices as shown in the topology.

2. Configure the device hostnames, set the enable password, set passwords on the console and vty lines, and assign IP addresses according to the addressing plan (on R1, S1 and S2). Note that in the S1 and S2 output below the vty lines have `login` but no password; IOS refuses every remote login to such a line ("Password required, but none set") until a line password, or `login local` with a user account, is configured.

R1
R1#show run
Building configuration...

Current configuration : 703 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 description Enlace al S1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
line con 0
 exec-timeout 5 0
 password ciscoconpass
 logging synchronous
 login
!
line aux 0
!
line vty 0 4
 exec-timeout 5 0
 password ciscovtypass
 login
!
end

S1
S1#show run
Building configuration...

Current configuration : 1207 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S1
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
 [... FastEthernet0/3 through FastEthernet0/23: default, no sub-commands ...]
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 description VLan 1 S1
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 password ciscoconpass
 logging synchronous
 login
 exec-timeout 5 0
!
line vty 0 4
 login
line vty 5 15
 login
!
end

S2
S2#show run
Building configuration...

Current configuration : 1207 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S2
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
 [... FastEthernet0/3 through FastEthernet0/23: default, no sub-commands ...]
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 description VLan 1 S2
 ip address 192.168.1.3 255.255.255.0
!
line con 0
 password ciscoconpass
 logging synchronous
 login
 exec-timeout 5 0
!
line vty 0 4
 login
line vty 5 15
 login
!
end


3. Verify basic network connectivity: ping from PC-A and PC-B to R1's Fa0/1 interface (192.168.1.1).


4. Ping from PC-A (192.168.1.10) to PC-B (192.168.1.11).


Part 2: Configuring SSH Connections

1. Generate the RSA key pair on S1 and S2.

2. Verify SSH connectivity to S1 from PC-A and list the connected users (show users).


3. Show the device configurations.

S1
S1#show run
Building configuration...

Current configuration : 1434 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S1
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
ip ssh authentication-retries 2
ip ssh time-out 90
no ip domain-lookup
ip domain-name ccnasecurity.com
!
username admin secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
spanning-tree mode pvst
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
 [... FastEthernet0/3 through FastEthernet0/23: default, no sub-commands ...]
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 description VLan 1 S1
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 password ciscoconpass
 logging synchronous
 login
 exec-timeout 5 0
!
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
 privilege level 15
line vty 5 15
 login
 transport input none
!
end

S2
S2#show run
Building configuration...

Current configuration : 1434 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S2
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
ip ssh authentication-retries 2
ip ssh time-out 90
no ip domain-lookup
ip domain-name ccnasecurity.com
!
username admin secret 5 $1$mERr$.82qvoGUQIH4qvaicridz0
!
spanning-tree mode pvst
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
 [... FastEthernet0/3 through FastEthernet0/23: default, no sub-commands ...]
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 description VLan 1 S2
 ip address 192.168.1.3 255.255.255.0
!
line con 0
 password ciscoconpass
 logging synchronous
 login
 exec-timeout 5 0
!
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
 privilege level 15
line vty 5 15
 login
 transport input none
!
end


Part 3: Configuring Secure Trunks and Secure Access Ports

1. Configure switch S1 as the root bridge.

2. Configure the trunk ports on S1 and S2.


3. Change the native VLAN of the trunk ports on S1 and S2 (VLAN 1 is the default; the configurations in Part 4 use VLAN 99).


4. Prevent the use of DTP on S1 and S2 (switchport nonegotiate).

5. Enable broadcast storm control.


6. Enable PortFast on the access ports of S1 and S2. PortFast on an access port should be paired with BPDU Guard so that a rogue switch plugged into it cannot join the spanning tree; in the Part 4 output only S2's Fa0/18 has `spanning-tree bpduguard enable`, while S1's Fa0/5 and Fa0/6 do not.


Part 4: Configure port security and disable unused ports.

1. Record the MAC address of R1's Fa0/1 (the interface described as the link to S1; R1's Fa0/0 is shut down in its configuration).


2. Configure basic port security.

3. Change the router's MAC address and test the ping to 192.168.1.10.


4. Device configurations

R1
R1#show run
Building configuration...

Current configuration : 703 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 description Enlace al S1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
line con 0
 exec-timeout 5 0
 password ciscoconpass
 logging synchronous
 login
!
line aux 0
!
line vty 0 4
 exec-timeout 5 0
 password ciscovtypass
 login
!
end

S1
S1#show run
Building configuration...

Current configuration : 1729 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S1
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
ip ssh authentication-retries 2
ip ssh time-out 90
no ip domain-lookup
ip domain-name ccnasecurity.com
!
username admin secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
spanning-tree mode pvst
spanning-tree vlan 1 priority 0
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security mac-address 0000.F320.E502
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
!
 [... FastEthernet0/8 through FastEthernet0/23: default, no sub-commands ...]
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 description VLan 1 S1
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 password ciscoconpass
 logging synchronous
 login
 exec-timeout 5 0
!
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
 privilege level 15
line vty 5 15
 login
 transport input none
!
end

S2
S2#show run
Building configuration...

Current configuration : 1628 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S2
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
ip ssh authentication-retries 2
ip ssh time-out 90
no ip domain-lookup
ip domain-name ccnasecurity.com
!
username admin secret 5 $1$mERr$.82qvoGUQIH4qvaicridz0
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50
!
interface FastEthernet0/2
!
 [... FastEthernet0/3 through FastEthernet0/17: default, no sub-commands ...]
!
interface FastEthernet0/18
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/19
!
 [... FastEthernet0/20 through FastEthernet0/23: default, no sub-commands ...]
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 description VLan 1 S2
 ip address 192.168.1.3 255.255.255.0
!
line con 0
 password ciscoconpass
 logging synchronous
 login
 exec-timeout 5 0
!
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
 privilege level 15
line vty 5 15
 login
 transport input none
!
end
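The script below is an added example, not part of the workshop and not a Cisco tool. It parses an IOS running-config laid out the way the `show run` output above is (sub-commands indented one space under an `interface` or `line` header) and checks the hardening steps of Parts 2, 3 and 4: SSH-only vty lines, DTP disabled and a non-default native VLAN on trunks, broadcast storm control, PortFast paired with BPDU Guard, port security actually enabled, and unused ports shut down. The two embedded configs are trimmed copies of the final S1 and R1 output above. Run against S1 it reports, among other things, that FastEthernet0/5 carries a secure MAC address but no `switchport port-security` line, which is exactly what the S1 output shows; until that command is added the static MAC is staged but not enforced. Against R1 it reports that the vty lines still accept Telnet with a clear-text line password.

```python
"""Audit a Cisco IOS running-config against the hardening steps in Parts 2-4.

Added example, not part of the original workshop. S1_CONFIG and R1_CONFIG are
trimmed copies of the lab's final 'show run' output (runs of empty interfaces
cut down). Parsing relies only on IOS's own layout: sub-commands are indented
one space under an 'interface ...' or 'line ...' header.
"""

S1_CONFIG = """\
hostname S1
no service password-encryption
username admin secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50
interface FastEthernet0/5
 switchport mode access
 switchport port-security mac-address 0000.F320.E502
 spanning-tree portfast
interface FastEthernet0/7
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 login
 transport input none
end
"""

R1_CONFIG = """\
hostname R1
no service password-encryption
line vty 0 4
 exec-timeout 5 0
 password ciscovtypass
 login
end
"""


def parse_config(text):
    """Return (global_commands, {section_header: [sub_commands]})."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line in ("!", "end"):
            continue
        if line.startswith(" "):            # indented: belongs to the open section
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:                               # any other top-level command closes the section
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def has(cmds, prefix):
    return any(c.startswith(prefix) for c in cmds)


def audit(text):
    """Return [(where, finding)] for every lab hardening step the config does not meet."""
    g, sections = parse_config(text)
    out = []
    if "no service password-encryption" in g:
        out.append(("global", "line passwords stored in clear text; set 'service password-encryption'"))
    if "ip ssh version 2" not in g:
        out.append(("global", "SSH version not pinned with 'ip ssh version 2'"))
    for hdr, cmds in sections.items():
        if hdr.startswith("line vty"):
            if "transport input none" in cmds:
                continue                    # nothing can reach these lines
            if "transport input ssh" not in cmds:
                out.append((hdr, "Telnet still accepted; set 'transport input ssh'"))
            if not has(cmds, "exec-timeout"):
                out.append((hdr, "no exec-timeout; idle sessions never expire"))
            if "login" in cmds and not has(cmds, "password "):
                out.append((hdr, "'login' with no line password: IOS refuses every connection"))
        elif hdr.startswith("interface"):
            if "switchport mode trunk" in cmds:
                if "switchport nonegotiate" not in cmds:
                    out.append((hdr, "DTP still on; add 'switchport nonegotiate'"))
                if not any(c.startswith("switchport trunk native vlan") and not c.endswith(" 1") for c in cmds):
                    out.append((hdr, "native VLAN is 1; move it to an unused VLAN"))
                if not has(cmds, "storm-control broadcast"):
                    out.append((hdr, "no broadcast storm control"))
            elif "switchport mode access" in cmds:
                if "spanning-tree portfast" in cmds and "spanning-tree bpduguard enable" not in cmds:
                    out.append((hdr, "PortFast without BPDU Guard; a rogue switch could take the root role"))
                if has(cmds, "switchport port-security ") and "switchport port-security" not in cmds:
                    out.append((hdr, "port-security options set but feature off; add 'switchport port-security'"))
            elif not cmds:                  # bare interface: still up, still in VLAN 1
                out.append((hdr, "unused port left enabled in VLAN 1; 'shutdown' it"))
    return out


if __name__ == "__main__":
    for name, cfg in (("S1", S1_CONFIG), ("R1", R1_CONFIG)):
        print(f"== {name}")
        for where, finding in audit(cfg):
            print(f"  {where}: {finding}")
```

To audit a real device, paste the full `show running-config` output into a file and pass it to `audit()`; the parser ignores the `!` separators and the `end` marker, so the output can be used as-is. The Telnet check deliberately treats a missing `transport input` line as a failure, because the IOS default on vty lines accepts Telnet.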