CompNtwk : Lab 2.4.1 Establishing Technical Requirements

Step 1: Determine the technical requirements

  1. Use word processing software to create a technical requirements document.
  2. From the case study document and checklists developed in previous labs, identify and list the technical requirements that will enable the network upgrade to meet the FilmCompany business goals. The technical requirements document provides direction for the network designer in the following decisions:
  • Selecting network equipment
  • Designing the topology
  • Choosing protocols
  • Selecting network services
  3. Discuss these technical requirements with another student, or in a group. Consider the range of possible technical solutions to meet the business goals of the FilmCompany.

Step 2: Prioritize the technical requirements

The network designer works with the customer to create a prioritized list of technical requirements. This list will be used to define the project scope.

  1. Rank the list of technical requirements in order of priority. Base this ranking on the information in the case study document and discussion with other students. It is useful to categorize the technical requirements into the following areas:
  • Availability and Performance
  • Security
  • Scalability
  • Manageability
  2. List the ranked technical requirements in a table and assign a priority value as a percentage. The total of the percentage values must equal 100.

Step 3: Reflection

When discussing technical requirements with the customer, the network designer must consider the technical level of the audience. Technical terms and jargon may not be clearly understood by the customer. Such terms should either be avoided or tailored to the level of detail and complexity that the customer can understand.

Compile a list of networking technical terms and jargon that may need to be expressed or explained to a nontechnical business customer. Develop an explanation or definition for each term that a non-technical business customer can understand for the purpose of discussing a network upgrade with them.

 

CompNtwk : Lab 2.3.3 Prioritizing Business Goals

Step 1: Determine the business goals

  1. Use word processing software to create a business goals document.
  2. From the sample interview in the FilmCompany case study document, identify and list the business goals that the network upgrade is expected to provide.
  3. Identify and list at least four business goals from the case study interview.

Step 2: Prioritize the business goals

  1. Rank the list of business goals in order of priority. Base this ranking on the information in the case study document and discussion with other students.
  2. List the ranked business goals in a table and assign a priority value as a percentage. The total of the percentage values must equal 100.
  3. Discuss your priority values with other students. If there are differences in priorities, discuss why this

Step 3: Reflection

Having prioritized the business goals as the stated objectives of a network upgrade project does not necessarily ensure that the project will be a success. These objectives need to be measured against success criteria to determine whether the business goals were achieved.

Before a project can be declared a success, the objectives must be shown to have met the success criteria statements. Consider and discuss possible success criteria based on the business goals for the FilmCompany network upgrade.

Answer:

Discussion and outcomes vary but may include:

  • Achieve a customer satisfaction measure of at least four on a scale of five within four months after upgrade.
  • Increase the media data volume by 80% within 2 months of upgrade completion.
  • Achieve positive cash flow from the stadium contract within 12 months.
  • Increase financial turnover by 75% within 18 months.
  • Respond to 90% of customer non-live media production requests within 12 hours and 100% within 18 hours.
  • Reduce unit production costs by 15% over 6 months and 20% over 12 months.
  • Meet customer live media production targets 97.5% of the time.
  • Total project cost does not exceed 105% of the initial budget.
  • The actual delivery schedule is within 105% of the initial deadline.
  • Load testing confirms successful scale-up to 10 concurrent users, with data throughput rates at no less than 85% of specifications.
  • All unauthorized network intrusions are intercepted, prevented, logged, and reported.
  • The mean time to failure under specified load conditions is at least 100 hours.
  • At least 75% of existing network components were reused.

 

CompNtwk : Lab 2.3.2 Creating a Network Organization Structure

Step 1: Determine the network users

  1. Use word processing software to create a network organization structure document.
  2. Examine the FilmCompany case study document and the sample interview.
  3. Identify and list the potential end users.
  4. Diagram the relationship between these users.

Step 2: Assess impact of user network access

  1. Identify and include the different types of existing and potential new network services the listed users may require. Group the users under the type of network services they use.
  2. The impact of adding new user groups to the network also needs to be assessed. Identify and include in the network organization structure document:
  • New user groups
  • The type of access required
  • Where access is allowed
  • The overall impact on security
  3. Save your network user structure document and network organization diagram and retain them for the next stages of this network design case study.

Step 3: Reflection

The total number of users has a direct impact on the scale of the network at the Access Layer. The type of users and the services they require also have implications for the network structure. Discuss and consider the impact that the range of network services required by even a relatively small number of users can have on the network structure.

 

CompNtwk : Lab 2.1.6 Observing Traffic Using Cisco Network Assistant

Step 1: Establish the network baseline criteria

Network baselining is the measuring and rating of the performance of a network as it transports data in real time.

Step 2: Configure network connectivity

NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so these can be restored at the conclusion of the lab.

  1. Connect the devices in accordance with the given topology and configuration. Your instructor may substitute Discovery Server with an equivalent server for this lab.
  2. See your instructor regarding device configuration. If the devices are not configured, then from the Admin PC, establish a terminal session in turn to each switch and the router using HyperTerminal or TeraTerm. Configure these devices in accordance with the configuration details provided.
  3. Ping between all devices to confirm network connectivity. Troubleshoot and establish connectivity if the pings fail.

 

Step 3: Set up Cisco Network Assistant

  1. From the Admin PC, launch the Cisco Network Assistant program.
  2. Set Cisco Network Assistant to discover the network. One method is to establish a “community” of devices. From the Application menu, click Communities.
  3. In the Communities window, click Create.
  4. In the Name field, enter FilmCompany.
  5. List the four options available in the Discover field:
  6. From the Discover drop-down list, select Devices in an IP address range.
  7. At the Start IP address, enter 10.0.0.1
  8. At the End IP address, enter 10.0.0.5
  9. Click Start. The devices found will be listed.
  10. Click OK on the Create Community and Communities dialog boxes. Note the range of icons now available on the top toolbar.
  11. Click the Topology icon on the top toolbar and view the topology that Cisco Network Assistant has created.

Step 4: Examine Cisco Network Assistant features

Cisco Network Assistant provides a range of features to display text and graphical information about the network devices. From the topology view window, right click each device’s ID and select properties. What protocol is used to discover and obtain the device information displayed?

Answer: Cisco Discovery Protocol

Step 5: Examine sample Cisco Network Assistant output

Once devices are added to the community, the links can be monitored from the Monitor tab of Cisco Network Assistant.

Step 6: Clean up

Erase the configurations and reload the routers and switches. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

Challenge

This lab focused on monitoring individual devices in a network. Consider, research, and discuss the network factors that should be included in network baseline measurements. Responses vary but examples include:

  • Testing and reporting of the physical connectivity
  • Normal network utilization
  • Peak network utilization
  • Average throughput of the network usage
  • Protocol usage

In-depth network analysis can identify problems with speed and accessibility and can find vulnerabilities and other problems within the network. Once a network baseline has been established, this information can be used to ensure the current network is optimized for peak performance. Network analysis techniques include:

  • Physical health analysis
  • Broadcast storm analysis
  • Network capacity overload analysis
  • Network throughput analysis
  • Transport and file retransmission analysis
  • Packet route and path cost analysis
  • End-to-end file transfer analysis

 

CompNtwk : Lab 2.1.3 Creating a Project Plan

Step 1: Evaluate the current network, operations, and network management infrastructure

  1. Use word processing software to create a Project Plan Checklist document based on this lab.
  2. From the case study document, identify and assess the current state of the following factors:
  3. Assess the ability of the current operations and network management infrastructure to support a new technology solution. On the checklist, list the following categories and include what changes must be completed before the implementation of any new technology solution.
  • Infrastructure
  • Personnel
  • Processes
  • Tools
  4. Identify and add to the checklist any custom applications that may be required for the new network.

Step 2: Outline the project plan

  1. To manage the project, the project plan includes five components. List these five components and an example of each, and then add them to the checklist. Answer: 1) Tasks (install wireless access points, configure routers); 2) Timelines and critical milestones (calendar or chart); 3) Risks and constraints (temporary loss of services, budget); 4) Responsibilities (allocation of tasks); 5) Resources required (cabling, equipment, time, specialist skills).
  2. The plan needs to be within the scope, cost, and resource limits established by the business goals.
  3. The FilmCompany and the stadium management need to assign staff to manage the project from each of their perspectives.
  4. Save your Project Plan Checklist document. You will use it during the next stages of this network design case study.

Step 3: Reflection

Sometimes apparent urgency, pressure to present results, and enthusiasm for a project can create a work environment that causes projects to be started before proper planning has been completed. Consider and discuss the potential problems that result from starting a network upgrade before completely assessing the existing network.

 

CompNtwk : Lab 1.4.6 B Implementing Port Security

Task 1: Configure and Test the Switch Connectivity

Step 1: Prepare the switch for configuration

NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so these can be restored at the conclusion of the lab.

  1. Referring to the topology diagram, connect the console (or rollover) cable to the console port on the switch and the other cable end to the host computer with a DB-9 or DB-25 adapter to the COM 1 port. Ensure that power has been applied to both the host computer and switch.
  2. Establish a console terminal session from PC1 to switch S1.
  3. Prepare the switch for lab configuration by ensuring that all existing VLAN and general configurations are removed.
  4. Power cycle the switch and exit the initial configuration setup when the switch restarts.

Step 2: Configure the switch

Configure the hostname and VLAN 1 interface IP address as shown in the table.

Step 3: Configure the hosts attached to the switch

  1. Configure the two PCs to use the same IP subnet for the address and mask as shown in the table.
  2. Connect PC1 to switch port Fa0/1 and PC2 to switch port Fa0/4. The Linksys device is not connected at this stage of the lab.

Step 4: Verify host connectivity

Ping between all PCs and the switch to verify correct configuration. If any ping was not successful, troubleshoot the hosts and switch configurations.

Step 5: Record the host MAC addresses

Determine and record the Layer 2 addresses of the PC network interface cards.

(For Windows 2000, XP, or Vista, check by using Start > Run > cmd > ipconfig /all.)

PC1 MAC Address: _______________________________ e.g., 00-07-EC-93-3C-D1

PC2 MAC Address: _______________________________ e.g., 00-01-C7-E4-ED-E6

Step 6: Determine what MAC addresses the switch has learned

  1. At the privileged EXEC mode prompt, issue the show mac-address-table command to display the PC MAC addresses that the switch has learned.

FC-ASW-1#show mac-address-table

Record the details displayed in the table.

____________________________________________________________________________

____________________________________________________________________________

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c7e4.ede6    DYNAMIC     Fa0/1
   1    0007.ec93.3cd1    DYNAMIC     Fa0/4

NOTE: The MAC addresses above are examples only.

  2. Note the MAC addresses shown and the associated switch ports. Confirm that these addresses

 

Task 2: Configure and Test the Switch for Dynamic Port Security

Step 1: Set port security options

  1. Disconnect all PC Ethernet cables from the switch ports.
  2. Ensure that the MAC address table is clear of entries. To confirm this, issue the clear mac-address-table dynamic and show mac-address-table commands.

a. Clear the MAC address table entries.

FC-ASW-1#clear mac-address-table dynamic

b. Issue the show mac-address-table command.

Record the table entries.

____________________________________________________________________________

____________________________________________________________________________

____________________________________________________________________________

____________________________________________________________________________

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

  3. Determine the options for setting port security on interface FastEthernet 0/4. From the global configuration mode, enter interface fastethernet 0/4.

FC-ASW-1(config)#interface fa 0/4

Enabling switch port security provides options, such as specifying what happens when a security setting is violated.

  4. To configure the switch port FastEthernet 0/4 to accept only the first device connected to the port, issue the following commands from the interface configuration mode:

FC-ASW-1(config-if)#switchport mode access

FC-ASW-1(config-if)#switchport port-security

  5. In the event of a security violation, the interface should be shut down. Set the port security violation action to shutdown and enable sticky learning of the first MAC address seen:

FC-ASW-1(config-if)#switchport port-security violation shutdown

FC-ASW-1(config-if)#switchport port-security mac-address sticky

What other action options are available with port security? Answer: protect, restrict

  6. Exit the configuration mode.

Step 2: Verify the configuration

  1. Display the running configuration.

What statements in the configuration directly reflect the security implementation?

  2. Show the port security settings.

FC-ASW-1#show port-security interface fastethernet 0/4

Record the details displayed in the table.

 

Port Security : Enabled

Port Status : Secure-down

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 0

Configured MAC Addresses : 0

Sticky MAC Addresses : 0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0

Step 3: Verify the port security

  1. Connect PC1 to switch port Fa0/1 and PC2 to switch port Fa0/4.
  2. From the command prompt ping from PC1 to PC2.
  3. From the command prompt ping from PC2 to PC1.
  4. From the console terminal session, issue the show mac-address-table command.
  5. Show the port security settings.

FC-ASW-1#show port-security interface fastethernet 0/4

Record the details displayed in the table.

Port Security : Enabled

Port Status : Secure-down

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 0

Configured MAC Addresses : 0

Sticky MAC Addresses : 0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0

Step 4: Test the port security

  1. Disconnect PC2 from Fa0/4.
  2. Connect PC2 to the Linksys using one of the ports on the Linksys LAN switch.
  3. Use the Basic Setup tab to configure the Internet IP address on the Linksys device to the address and mask, as shown in the table.

Step 5: Reactivate the port

  1. If a security violation occurs and the port is shut down, enter interface Fa0/4 configuration mode, disconnect the offending device, and use the shutdown command to temporarily disable the port.
  2. Disconnect the Linksys and reconnect PC2 to port Fa0/4. Issue the no shutdown command on the

Step 6: Discuss switch port security using dynamic MAC address assignment
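
The port-security state recorded in Task 2 is easier to reason about when it is checked programmatically. The following Python script is an added example for this lab, not part of the Cisco lab text: it parses the show port-security interface output shown above, checks Fa0/4 against the policy the lab configures (enabled, violation mode shutdown, one MAC address), and reports an err-disabled port or a non-zero violation count so the offending device is identified before the port is re-enabled in Step 5. The second sample, including its MAC address, is constructed.

```python
"""Parse 'show port-security interface' output and flag a violated port.

Added example for this lab, not part of the Cisco lab text. It parses the
output recorded in Task 2 and checks Fa0/4 against the policy the lab
configures (port security enabled, violation mode shutdown, one MAC), then
reports an err-disabled port or a non-zero violation count so the cause is
looked at before the port is re-enabled with 'no shutdown'.
"""
import re

# Output recorded in Task 2, Step 2 of the lab: Fa0/4 before PC2 is connected.
SAMPLE_SECURE_DOWN = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Constructed sample (not from the lab): Fa0/4 after a second source MAC
# behind the Linksys (Step 4) has triggered the shutdown action. The MAC
# address is made up.
SAMPLE_VIOLATION = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0013.1061.aaaa:1
Security Violation Count   : 1
"""

# What the lab's Step 1 commands should produce on the interface.
POLICY = {
    "Port Security": "Enabled",
    "Violation Mode": "Shutdown",
    "Maximum MAC Addresses": 1,
}


def parse_port_security(text):
    """Turn 'Key : Value' lines into a dict. Plain counters ('1', '0 mins')
    become ints; everything else, including the mac:vlan pair, stays a string."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        count = re.fullmatch(r"(\d+)(?: mins)?", value)
        fields[key] = int(count.group(1)) if count else value
    return fields


def check_port(fields):
    """Return a list of findings; an empty list means the port matches the
    lab policy and has recorded no violation."""
    findings = []
    for key, want in POLICY.items():
        got = fields.get(key)
        if got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    violations = fields.get("Security Violation Count", 0)
    if violations:
        findings.append(
            f"{violations} violation(s); last source address "
            f"{fields.get('Last Source Address:Vlan')}"
        )
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append(
            "port is err-disabled (Secure-shutdown): find the offending "
            "device before issuing 'no shutdown'"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("before PC2", SAMPLE_SECURE_DOWN),
                         ("after Linksys", SAMPLE_VIOLATION)):
        result = check_port(parse_port_security(sample))
        print(f"Fa0/4 {name}: {'OK' if not result else '; '.join(result)}")
```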

Step 7: Clean up

Erase the configurations and reload the switches. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

Task 3: Reflection

When considering designing a typical enterprise network, it is necessary to think about points of security vulnerability at the Access Layer. Discuss which Access Layer switches should have port security and those for which it may not be appropriate. Include possible future issues in regard to wireless and guest access to the network.

Answer:

  • What types of hosts are connected to the switch; e.g., general PCs, IP phones, printers, servers.
  • The type of users – employees or guests
  • Where access is made – in secure office or in public area
  • Type of access – wired or wireless
  • Investigating the security features available on different switch platforms
  • How port security policies can be implemented and managed.
  • Static versus dynamic port security

 

CompNtwk : Lab 1.4.6A Gaining Physical Access to the Network

Task 1: Access and Change the Router Passwords

Step 1: Attempt login to the router

NOTE: If the PC used in this lab is also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so these can be restored at the conclusion of the lab.

  1. Referring to the Topology 1, connect the host PC NIC Ethernet port to the router Fa0/0 Ethernet port using a crossover cable. Ensure that power has been applied to both the host computer and router.
  2. Using the given preconfigured topology, attempt to telnet to the router from the PC command line.
  3. When this attempt at remote login fails, establish a direct physical connection to the router by making the necessary console connections between the PC and router. Then establish a terminal session using HyperTerminal or TeraTerm. What does the message-of-the-day display? Answer: ONLY AUTHORIZED ACCESS TO THIS DEVICE PERMITTED Unauthorized access will be penalized in accordance with the relevant laws

Attempt to log in by guessing the password.

How many login attempts are allowed? __________ 3

What message is displayed to indicate failure of the log-in attempts? Answer: % Bad passwords

The configuration register needs to be changed so that the startup-configuration is not loaded. Normally, this is done from the global configuration mode, but because you cannot log in at all, the boot process must first be interrupted so that the change can be made in the ROM Monitor mode.

Step 2: Enter the ROM Monitor mode

ROM Monitor mode (ROMMON) is a limited command-line environment used for special purposes, such as low-level troubleshooting and debugging. ROMMON mode is invoked when a Break key sequence sent to the console port interrupts the router boot process. This can only be done via the physical console connection.

The actual Break key sequence depends on the terminal program used:

  • With HyperTerminal, the key combination is Ctrl+Break.
  • For TeraTerm, it is Alt+b.

The list of standard break key sequences is available at http://www.cisco.com/warp/public/701/61.pdf

  1. To enter ROM Monitor mode, turn the router off, wait a few seconds, and turn it back on.
  2. When the router starts displaying “System Bootstrap, Version …” on the terminal screen, press the Ctrl key and the Break key together if using HyperTerminal, or the Alt key and the b key together if using TeraTerm.

The router will boot in ROM monitor mode. Depending on the router hardware, one of several prompts such as “rommon 1 >” or simply “>” may show.

Step 3: Examine the ROM Monitor mode help

Enter ? at the prompt. The output should be similar to this:

rommon 1 > ?

alias set and display aliases command

boot boot up an external process

break set/show/clear the breakpoint

confreg configuration register utility

context display the context of a loaded image

dev list the device table

dir list files in file system

dis display instruction stream

help monitor builtin command help

history monitor command history

meminfo main memory information

repeat repeat a monitor command

reset system reset

set display the monitor variables

sysret print out info from last system return

tftpdnld tftp image download

xmodem x/ymodem image download

Step 4: Change the configuration register setting to boot without loading configuration file

From the ROM Monitor mode, enter confreg 0x2142 to change the config-register.

rommon 2 > confreg 0x2142

NOTE: The ROMMON prompt increments when a command is issued; this is normal behavior. The increment does not mean a change of mode. The same ROMMON commands are still available. "0x" (zero-x) denotes that 2142 is a hexadecimal value. What is this value in binary?

Step 5: Restart router

  1. From the ROM Monitor mode, enter reset, or power cycle the router. rommon 3 > reset

Due to the new configuration register setting, the router will not load the configuration file. After restarting, the system prompts:

“Would you like to enter the initial configuration dialog? [yes/no]:”

  2. Enter no and press Enter.

Step 6: Enter Privileged EXEC mode and view and change passwords

The router is now running without a loaded configuration file.

  1. At the user mode prompt Router>, enter enable and press Enter to go to the privileged mode without a password.
  2. Use the command copy startup-config running-config to restore the existing configuration. Because the user is already in privileged EXEC, no password is needed.
  3. Enter show running-config to display the configuration details. Note that all the passwords are shown.

enable password different

line con 0 password unusual

line vty 0 4 password uncommon

What two measures could be taken to prevent the passwords from being readable? Answer: service password-encryption, enable secret somepassword

  4. If the passwords were not readable, they can be changed. Enter configure terminal to enter the global configuration mode.
  5. In global configuration mode, use these commands to change the passwords:

FC-CPE-1(config)#enable password cisco

FC-CPE-1(config)#line console 0

FC-CPE-1(config-line)#password console

FC-CPE-1(config-line)#login

FC-CPE-1(config-line)#line vty 0 4

FC-CPE-1(config-line)#password telnet

FC-CPE-1(config-line)#login

Step 7: Change the configuration register setting to boot and load the configuration file

  1. The instructor will provide you with the original configuration register value, most likely 0x2101. While still in the global configuration mode, enter config-register 0x2101 (or the value provided by your instructor). Press Enter. FC-CPE-1(config)#config-register 0x2101
  2. Use the Ctrl+z combination to return to the privileged EXEC mode.
  3. Use the copy running-config startup-config command to save the new configuration.
  4. Before restarting the router, verify the new configuration setting. From the privileged EXEC prompt, enter the show version command and press Enter.
  5. Verify that the last line of the output reads: Configuration register is 0x2142 (will be 0x2101 at next reload).
  6. Use the reload command to restart the router.
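
Steps 4 and 7 turn the ignore-startup-config bit of the configuration register on and off again, and Step 7 verifies the result from the show version line. The Python below is an added example for this lab, not part of the Cisco lab text: it decodes the register bits this lab touches (boot field, 0x0040 ignore NVRAM, 0x0100 break disabled, 0x2000 ROM fallback) and audits a show version line so a router is not left booting without its configuration after a recovery. The bit meanings follow Cisco's configuration-register documentation; the 0x1 boot-field description is platform dependent and noted as such in the code.

```python
"""Decode Cisco configuration-register values and audit the 'show version' line.

Added example for Lab 1.4.6A, not part of the Cisco lab text. It decodes the
boot field and the bits this lab toggles, and checks the 'Configuration
register is ...' line from 'show version' so a router is not left booting
with the ignore-startup-config bit (0x0040) still set once recovery is done.
"""
import re

# Documented configuration-register bits used in this lab.
IGNORE_NVRAM = 0x0040          # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100        # bit 8: ignore Break once IOS is running
ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13: fall back to ROM image if network boot fails

# Boot field (bits 0-3). The meaning of 0x1 depends on the platform
# (first flash image on newer routers, ROM image on older ones).
BOOT_FIELD = {
    0x0: "stay in ROM monitor",
    0x1: "boot the first image in flash (ROM image on older routers)",
}


def decode(value):
    """Explain a 16-bit configuration-register value."""
    boot = value & 0xF
    return {
        "hex": f"0x{value:04x}",
        "binary": f"{value:016b}",
        "boot_field": BOOT_FIELD.get(
            boot, "use 'boot system' commands, else the first flash image"),
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_if_netboot_fails": bool(value & ROM_IF_NETBOOT_FAILS),
    }


SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?:\s*\(will be (0x[0-9a-fA-F]+) at next reload\))?"
)


def audit_show_version(text):
    """Find the register line in 'show version' output, decode the running
    value and the value that applies at the next reload, and return findings
    that should be cleared before the router is reloaded."""
    m = SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Configuration register is' line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if pending & IGNORE_NVRAM:
        findings.append("next reload ignores startup-config: passwords, "
                        "interface settings and ACLs will not be loaded")
    if (pending & 0xF) == 0x0:
        findings.append("next reload stops at the ROM monitor")
    return {"current": decode(current), "next_reload": decode(pending),
            "findings": findings}


if __name__ == "__main__":
    # Line recorded in Step 7 of the lab, after config-register 0x2101 is set.
    print(audit_show_version(
        "Configuration register is 0x2142 (will be 0x2101 at next reload)"))
    # A register that was never changed back after the recovery.
    print(audit_show_version("Configuration register is 0x2142"))
```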

Step 8: Verify new password and configuration

  1. When the router reloads, log in and change mode using the new passwords.
  2. Issue the no shutdown command on the fa0/0 interface to bring it up to working status. FC-CPE-1(config-if)# no shutdown
  3. Save the running configuration to startup configuration FC-CPE-1# copy run start
  4. Disconnect the console cable and access the router using Telnet from the PC command line. The newly configured passwords will allow a successful login.

Step 9: Clean up

Erase the configurations and reload the router. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

Task 2: Access and Change the Switch Passwords

Step 1: Attempt login to the switch

NOTE: If the PC used in this lab is also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so these can be restored at the conclusion of the lab.

  1. Referring to the Topology 2, connect the host PC NIC Ethernet port to the switch Fa0/1 Ethernet port using a straight-through cable. Ensure that power has been applied to both the host computer and switch.
  2. Using the given preconfigured topology, attempt to telnet to the switch from the PC command line.

Step 2: Enter the switch: mode

  1. Power off the switch.
  2. Locate the MODE button on the front of the switch.
  3. Hold down the MODE button on the front of the switch while powering on the switch. Release the MODE button after 10 seconds.

Output similar to the following should be displayed:

Base ethernet MAC Address: 00:0a:b7:72:2b:40
Xmodem file system is available.
The password-recovery mechanism is enabled.
The system has been interrupted prior to initializing the
flash files system. The following commands will initialize
the flash files system, and finish loading the operating
system software:

flash_init
load_helper
boot

switch:

  4. To initialize the file system and finish loading the operating system, enter the following commands at the switch: prompt:

switch: flash_init

switch: load_helper

  5. To view the contents of flash memory, enter dir flash: at the switch: prompt.

switch: dir flash:

NOTE: Do not forget to type the colon (:) after the word “flash” in the command dir flash:

The file config.text should be seen listed.

  6. Enter rename flash:config.text flash:config.old to rename the configuration file. This file contains the password definitions.
  7. Enter dir flash: at the switch: prompt to view the name change. switch: dir flash:

Step 3: Restart the switch

  1. Enter boot to restart the switch.
  2. Would you like to terminate autoinstall? [Yes]: Y
  3. Would you like to enter the initial configuration dialog? [yes/no] N Switch>

Step 4: Enter Privileged EXEC mode and view and change passwords

The switch is now running without a loaded configuration file.

  1. At the user mode prompt Switch>, type enable and press Enter to go to the privileged mode without a password.
  2. Enter rename flash:config.old flash:config.text to rename the configuration file with its original name.

Switch#rename flash:config.old flash:config.text

Destination filename [config.text]?

Press Enter to confirm file name change.

  3. Copy the configuration file into RAM.

Switch#copy flash:config.text system:running-config

Destination filename [running-config]?

Press Enter to confirm file name.

  4. Press Enter to accept the default file names.

Source filename [config.text]?

Destination filename [running-config]

The configuration file is now loaded.

  5. Enter show running-config to display the configuration details. Note that all the passwords are shown.

enable password different

line con 0 password unusual

line vty 0 4 password uncommon

What two measures could be taken to prevent the passwords from being readable?

____________________________________________ service password-encryption

____________________________________________ enable secret somepassword

  6. If the passwords were not readable, they can be changed. Enter configure terminal to enter the global configuration mode.
  7. Change the unknown passwords.

FC-ASW-1#configure terminal

FC-ASW-1(config)#enable password cisco

FC-ASW-1(config)#line console 0

FC-ASW-1(config-line)#password console

FC-ASW-1(config-line)#line vty 0 15

FC-ASW-1(config-line)#password telnet

FC-ASW-1(config-line)#exit

FC-ASW-1(config)#exit

Step 5: Save the configuration file

Use the copy running-config startup-config command to save the new configuration.

Step 6: Verify new password and configuration

Power cycle the switch and verify that the passwords are now functional.

Step 7: Clean up

Erase the configurations and reload the switch. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

Task 3: Reflection

Consider the different methods of securing physical access to networking devices such as routers and switches. List how only those people who require access can be identified and how this security can be implemented.

Answer: Physical security includes locking rooms and closets containing switches and routers. Networking devices sharing common space with other services, such as electrical power panels, should be enclosed in a separate lockable cabinet. Keys and access codes should only be given to identified authorized personnel. People authorized to access the networking devices should include only those network personnel required to configure and troubleshoot switches and routers as part of their regular or daily duties. Other IT personnel such as help desk staff, data center administrators, or desktop support workers would normally not be required to access switches and routers.

 

CompNtwk : Lab 1.4.5 Identifying Network Vulnerabilities

Step 1: Open the SANS Top 20 List

Using a web browser, go to http://www.sans.org/. On the Resources menu, choose Top 20 List. The SANS Top-20 Internet Security Attack Targets list is organized by category. An identifying letter indicates the category type, and numbers separate category topics. Router and switch topics fall under the Network Devices category, N. There are two major hyperlink topics:

 

N1. VoIP Servers and Phones

N2. Network and Other Devices Common Configuration Weaknesses

Step 2: Review common configuration weaknesses

  1. Click hyperlink N2. Network and Other Devices Common Configuration Weaknesses.
  2. List the four headings in this topic.

 

Step 3: Review common default configuration issues

Review the contents of N2.2 Common Default Configuration Issues. As an example, N2.2.2 (in January 2007) contains information about threats associated with default accounts and values. A Google search on "wireless router passwords" returns links to multiple sites that publish lists of default administrator account names and passwords for wireless routers. A device left on its published default password is effectively unauthenticated: anyone who can reach its management interface can log in as administrator. Changing the default credentials, and restricting where management connections are accepted from, is therefore the first configuration step rather than an afterthought.

Step 4: Note the CVE references

The last line under several topics cites CVE (Common Vulnerabilities and Exposures) references. Each CVE name is linked to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), sponsored by the United States Department of Homeland Security (DHS) National Cyber Security Division and US-CERT, which contains the details of the vulnerability.

Step 5: Investigate a topic and associated CVE hyperlink

The remainder of this lab walks you through a vulnerability investigation and solution. Choose a topic to investigate, and click on an associated CVE hyperlink. The link should open a new web browser connected to http://nvd.nist.gov/ and the vulnerability summary page for the CVE.

NOTE: Because the CVE list changes, the current list may not contain the same vulnerabilities as those in January 2007.

Step 6: Record vulnerability information

Complete the information about the vulnerability. Answers vary

Original release date: ____________________________

Last revised: ___________________________________

Source: _______________________________________

Overview: _____________________________________

Step 7: Record the vulnerability impact

Under Impact, there are several values. The Common Vulnerability Scoring System (CVSS) severity is displayed as a base score between 0.0 and 10.0 (NVD labels 0.0 to 3.9 Low, 4.0 to 6.9 Medium, and 7.0 to 10.0 High). Complete the information about the vulnerability impact. Answers vary.

CVSS Severity: __________________________________________________

 

Access Complexity: ______________________________________________

Authentication: __________________________________________________

Impact Type: ___________________________________________________

Step 8: Record the solution

The References to Advisories, Solutions, and Tools section contains links with information about the vulnerability and possible solutions. Answer: Using the hyperlinks, write a brief description of the solution found on those pages. Answers vary.

Step 9: Reflection

The number of vulnerabilities in computers, networks, and data continues to increase. Many national governments have dedicated significant resources to coordinating and disseminating information about security vulnerabilities and possible solutions. It remains the responsibility of the end user to implement the solution. Think of ways that users can help strengthen security. Write down some user habits that create security risks.

Answer:

  • Using weak passwords.
  • Writing down passwords.
  • Not changing passwords frequently, or after they may have been exposed.
  • Not securing (locking) workstations when leaving them unattended.
  • Not following procedures or protocols when divulging network information (checking a person's identity and clearance to receive that information).
  • Creating a "work-around" for a current security requirement that impedes a work process, instead of formally requesting that the requirement be reviewed and amended.

Network administrators also need to be aware that network functionality is essential: a security measure that renders a business network feature inoperable is not viable, and is exactly what drives users to the work-arounds listed above.

 

CompNtwk : Lab 1.4.3 Monitoring VLAN Traffic

Task 1: Demonstrate Broadcasts across a Single LAN

Step 1: Prepare the switch for configuration

NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so these can be restored at the conclusion of the lab.

  1. Referring to the topology diagram, connect the console (or rollover) cable to the console port on the switch and the other cable end to the host computer with a DB-9 or DB-25 adapter to the COM 1 port. Ensure that power has been applied to both the host computer and switch.
  2. Establish a HyperTerminal, or other terminal emulation program, connection from PC1 to the switch.
  3. Ensure that the switch is ready for lab configuration by verifying that all existing VLAN and general configurations are removed.

1) Remove the switch startup configuration file from NVRAM.

Switch#erase startup-config

Erasing the nvram filesystem will remove all files! Continue? [confirm]

2) Press Enter to confirm.

The response should be:

Erase of nvram: complete

Step 2: Configure the PCs

a. Connect the two PCs to the switch as shown in the topology diagram.

b. Configure the two PCs to have the IP addresses and subnet mask shown in the topology table.

c. Clear the ARP cache on each PC by issuing the arp -d command at the PC command prompt.

d. Confirm that the ARP cache is clear by issuing the arp -a command.

Step 3: Generate and examine ARP broadcasts

  1. Launch Wireshark on each PC and start the packet capture for the traffic seen by the NIC in each PC.
  2. From the command line of each PC, ping all connected devices.
  3. Monitor the operation of Wireshark. Note the ARP traffic registering on each PC.
  4. Stop the Wireshark capture on each PC.
  5. Examine the entries in the Wireshark Packet List (upper) Pane.
  6. Exit Wireshark. (You have the option to save the capture file for later examination.)

 

Task 2: Demonstrate Broadcasts within Multiple VLANs

Step 1: Configure the VLANs on the switch

  a. Using the established console session from PC1 to the switch, set the hostname by issuing the following command from the global configuration mode:

Switch(config)#hostname FC-ASW-1

  b. Set interfaces Fa0/1 and Fa0/2 to VLAN 10 by issuing the following commands from the global configuration and interface configuration modes:

FC-ASW-1(config)#interface FastEthernet0/1

FC-ASW-1(config-if)#switchport access vlan 10

% Access VLAN does not exist. Creating vlan 10

FC-ASW-1(config-if)#interface FastEthernet0/2

FC-ASW-1(config-if)#switchport access vlan 10

  c. Set interfaces Fa0/3 and Fa0/4 to VLAN 20 by issuing the following commands from the interface configuration mode:

FC-ASW-1(config-if)#interface FastEthernet0/3

FC-ASW-1(config-if)#switchport access vlan 20

% Access VLAN does not exist. Creating vlan 20

FC-ASW-1(config-if)#interface FastEthernet0/4

FC-ASW-1(config-if)#switchport access vlan 20

FC-ASW-1(config-if)#end

  d. Confirm that the interfaces are assigned to the correct VLANs by issuing the show vlan command (or show vlan brief) from the Privileged EXEC mode. If the VLANs are not assigned correctly, troubleshoot the command entries shown in Steps 1b and 1c and reconfigure the switch.

Step 2: Prepare the PCs

  1. Clear ARP cache on each PC by issuing the arp -d command at the PC command prompt.
  2. Confirm the ARP cache is clear by issuing the arp -a command.

Step 3: Generate ARP broadcasts

  1. Launch Wireshark on each PC and start the packet capture for the traffic seen by the NIC in each PC.
  2. From the command line of each PC, ping each of the other three devices connected to the switch.
  3. Monitor the operation of Wireshark. Note the ARP traffic registering on the two PCs.
  4. Stop the Wireshark capture on each PC.
  5. Examine the entries in the Wireshark Packet List (upper) Pane.
  6. Exit Wireshark. (You have the option to save the capture file for later examination.)
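To make the expected Wireshark result concrete, the following Python model is added here as an example and is not part of the lab. It simulates the switch's Layer 2 behaviour: it learns source MAC addresses per VLAN and floods broadcast (or unknown-destination) frames only to the other ports in the ingress port's access VLAN, which is why in Task 2 an ARP request from PC1 is captured on PC2 but not on PC3 or PC4. The MAC addresses and the PC-to-port cabling are constructed assumptions, since the topology table is not reproduced on this page.

```python
"""Toy model of a Catalyst access switch: source-MAC learning per VLAN, and flooding of
broadcast or unknown-destination frames only to the other ports in the ingress VLAN.
Added example; not from the lab."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    kind: str = "arp-request"   # label for the reader; the switch only looks at the MAC header


class Switch:
    def __init__(self, ports):
        self.access_vlan = {port: 1 for port in ports}   # every port starts in VLAN 1
        self.mac_table = {}                               # (vlan, mac) -> port, like the CAM table

    def switchport_access_vlan(self, port, vlan):
        self.access_vlan[port] = vlan

    def show_vlan_brief(self):
        """VLAN id -> sorted access ports, the information 'show vlan' lists per VLAN."""
        table = {}
        for port, vlan in self.access_vlan.items():
            table.setdefault(vlan, []).append(port)
        return {vlan: sorted(ports) for vlan, ports in sorted(table.items())}

    def receive(self, in_port, frame):
        """Return the ports the frame is forwarded out of."""
        vlan = self.access_vlan[in_port]
        self.mac_table[(vlan, frame.src_mac)] = in_port          # learn the sender
        out_port = self.mac_table.get((vlan, frame.dst_mac))     # lookup is per VLAN
        if frame.dst_mac == BROADCAST or out_port is None:
            # Flood, but never across a VLAN boundary and never back out the ingress port.
            return [p for p, v in sorted(self.access_vlan.items()) if v == vlan and p != in_port]
        return [] if out_port == in_port else [out_port]


PORTS = ["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"]
# Constructed MAC addresses and an assumed PC-to-port cabling (the topology table is not on this page).
PC = {
    "PC1": ("00:00:00:00:00:01", "Fa0/1"),
    "PC2": ("00:00:00:00:00:02", "Fa0/2"),
    "PC3": ("00:00:00:00:00:03", "Fa0/3"),
    "PC4": ("00:00:00:00:00:04", "Fa0/4"),
}


def arp_request_reach(switch, sender):
    """Ports that see the ARP request a ping from `sender` begins with."""
    mac, port = PC[sender]
    return switch.receive(port, Frame(mac, BROADCAST))


def task1_single_lan():
    """Task 1: no VLANs configured, so PC1's ARP broadcast reaches every other port."""
    return arp_request_reach(Switch(PORTS), "PC1")


def task2_two_vlans():
    """Task 2: Fa0/1-2 in VLAN 10, Fa0/3-4 in VLAN 20."""
    sw = Switch(PORTS)
    for port in ("Fa0/1", "Fa0/2"):
        sw.switchport_access_vlan(port, 10)
    for port in ("Fa0/3", "Fa0/4"):
        sw.switchport_access_vlan(port, 20)
    pc1_arp = arp_request_reach(sw, "PC1")   # only Fa0/2 sees it
    pc3_arp = arp_request_reach(sw, "PC3")   # only Fa0/4 sees it; PC3 can never resolve PC1
    # PC2 answers with a unicast ARP reply; the switch has learned PC1, so no flooding is needed.
    pc2_reply = sw.receive("Fa0/2", Frame(PC["PC2"][0], PC["PC1"][0], "arp-reply"))
    pc1_echo = sw.receive("Fa0/1", Frame(PC["PC1"][0], PC["PC2"][0], "icmp-echo"))
    return {"vlans": sw.show_vlan_brief(), "pc1_arp": pc1_arp, "pc3_arp": pc3_arp,
            "pc2_reply": pc2_reply, "pc1_echo": pc1_echo}


if __name__ == "__main__":
    print("Task 1 flood:", task1_single_lan())
    for key, value in task2_two_vlans().items():
        print(f"Task 2 {key}:", value)
```

The MAC table is keyed by (VLAN, MAC) on purpose: a switch keeps a separate forwarding table per VLAN, so even a host whose MAC is known in VLAN 10 is "unknown" in VLAN 20, and a frame never crosses between them without a router.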

Step 4: Clean up

Erase the configuration and reload the switch. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

Task 3: Reflection

  1. Discuss the use of VLANs in keeping data traffic separated. What are the advantages of doing this?
  2. When designing a network, list the different criteria that could be used to divide a network into VLANs.

 

CompNtwk : Lab 1.3.4 Creating an ACL

Step 1: Analyze the traffic filtering requirements

  1. Determine the access and filtering requirements. For this lab:

  a. PC1 is a network administrator's workstation. This host must be permitted FTP and HTTP access to the network server, and Telnet access to the router FC-CPE-1.

  b. PC2 is a general workstation that is to have HTTP access only. FTP services and Telnet access to the router are not permitted.

  2. Having determined the specific requirements, decide whether all other traffic is to be allowed or denied. List the benefits and potential problems of each filtering scenario (all other traffic permitted, or all other traffic denied).

Step 2: Design and create the ACL

  1. Review, and then apply, ACL recommended practice.

  • Always plan thoroughly before implementation.
  • The sequence of the statements is important. Put the more specific statements at the beginning and the more general statements at the end.
  • Statements are added to the end of the ACL as they are written.
  • Create and edit ACLs with a text editor and save the file.
  • Use named ACLs wherever possible.
  • Use comments (the remark option) within the ACL to document the purpose of the statements.
  • To take effect, an ACL must be applied to an interface.
  • An interface can have one ACL per Network Layer protocol, per direction.
  • Although there is an implicit deny any statement at the end of every ACL, it is good practice to configure this explicitly. This ensures that you remember that the effect is in place, and it allows matches to this statement to be counted and logged (the implicit deny is neither).
  • ACLs with many statements take longer to process, which may affect router performance.
  • Placement of ACLs:

    o Standard: closest to the destination (if you have administrative authority on that router)

    o Extended: closest to the source (if you have administrative authority on that router)

  2. Consider the two approaches to writing ACLs:

  • Permit specific traffic first and then deny general traffic.
  • Deny specific traffic first and then permit general traffic.

  3. Select one approach and write the ACL statements that will meet the requirements of this lab.

Step 3: Cable and configure the given network

NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so these can be restored at the conclusion of the lab.

  1. Referring to the topology diagram, connect the console (or rollover) cable to the console port on the router and the other cable end to the host computer with a DB-9 or DB-25 adapter to the COM 1 port. Ensure that power has been applied to both the host computer and router.
  2. Connect and configure the devices in accordance with the given topology and configuration. Your instructor may substitute Discovery Server with an equivalent server for this lab.
  3. Establish a HyperTerminal, or other terminal emulation program, from PC1 to Router R1.
  4. From the global configuration mode issue the following commands:

Router(config)#hostname FC-CPE-1

FC-CPE-1(config)#interface FastEthernet0/0

FC-CPE-1(config-if)#ip address 10.0.0.1 255.255.255.0

FC-CPE-1(config-if)#no shutdown

FC-CPE-1(config-if)#exit

FC-CPE-1(config)#interface FastEthernet0/1

FC-CPE-1(config-if)#ip address 172.17.0.1 255.255.0.0

FC-CPE-1(config-if)#no shutdown

FC-CPE-1(config-if)#exit

FC-CPE-1(config)#line vty 0 4

FC-CPE-1(config-line)#password telnet

FC-CPE-1(config-line)#login

FC-CPE-1(config-line)#end

  1. Ping between PC1 and Discovery Server to confirm network connectivity. Troubleshoot and establish connectivity if the pings fail.

Step 4: Test the network services without ACLs

Perform the following tests on PC1:

  1. Open a web browser on PC1 and enter the URL http://172.17.1.1 at the address bar. What web page was displayed? Discovery Server Home Page
  2. Open a web browser on PC1 and enter the URL ftp://172.17.1.1 at the address bar. What web page was displayed? Discovery FTP Home Directory
  3. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop. Did the file copy successfully?
  4. From the PC1 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display?

 

Step 5: Configure the network services ACL

From the global configuration mode, create the named extended ACL Server-Access (the name that is applied in Step 6) and issue the following commands:

FC-CPE-1(config)#ip access-list extended Server-Access

  a. Allow PC1 to access the web and FTP server. (The original lab text does not show these statements; they follow the Step 1 requirements for PC1.)

FC-CPE-1(config-ext-nacl)#remark Allow PC1 to access web and FTP server

FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.10 host 172.17.1.1 eq www log

FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp log

The eq ftp statement permits only the control connection on TCP port 21. With active-mode FTP the server opens the data connection from port 20 to the client, and the client's packets on that connection enter Fa0/0 with destination port 20, so a further permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp-data log is needed. Passive-mode FTP uses a dynamic server port that a static extended ACL cannot match, so whether the file copy in Step 7 succeeds depends on which mode the client uses.

  b. Allow PC2 to access the web server.

FC-CPE-1(config-ext-nacl)#remark Allow PC2 to access web server

FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.201 host 172.17.1.1 eq www log

  c. Allow PC1 Telnet access to the router.

FC-CPE-1(config-ext-nacl)#remark Allow PC1 to telnet router

FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet log

  d. Deny all other traffic.

FC-CPE-1(config-ext-nacl)#remark Deny all other traffic

FC-CPE-1(config-ext-nacl)#deny ip any any log

FC-CPE-1(config-ext-nacl)#exit

Step 6: Apply the ACLs

  1. Apply the extended ACL inbound on the router interface closest to the source, Fa0/0, where PC1 and PC2 connect.

FC-CPE-1(config)#interface FastEthernet0/0

FC-CPE-1(config-if)#ip access-group Server-Access in

FC-CPE-1(config-if)#end

  2. From the Privileged EXEC mode, issue the show running-config command and confirm that the ACL has been configured and applied as required. Reconfigure if errors are noted.

Step 7: Test the network services with ACLs

Perform the following tests on PC1:

  a. Open a web browser on PC1 and enter the URL http://172.17.1.1 at the address bar.
  b. Open a web browser on PC1 and enter the URL ftp://172.17.1.1 at the address bar.
  c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop.

Did the file copy successfully? _________

Why is this the outcome?

  d. From the PC1 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display? Why is this the outcome?
  e. Exit the Telnet session.

 

Perform the following tests on PC2:

  a. Open a web browser on PC2 and enter the URL http://172.17.1.1 at the address bar.
  b. Open a web browser on PC2 and enter the URL ftp://172.17.1.1 at the address bar.
  c. From the PC2 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router.

If any of these transactions did not result in the expected outcome, troubleshoot the network and configurations and retest the ACLs from each host.

Step 8: Observe the number of statement matches

  1. From the Privileged EXEC mode, issue the command:

FC-CPE-1#show access-list Server-Access

List the number of matches logged against each ACL statement. Note that the explicit deny statement counts every packet that matched nothing above it. That includes the pings used in Step 3 to confirm connectivity, which the ACL now blocks because no permit covers ICMP; verify connectivity before applying an ACL, not after.

Step 9: Clean up

Erase the configurations and reload the routers and switches. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.

Challenge

Rewrite the Server-Access ACL used in this lab so that:

1) Administrator workstations are considered to be in the address range 10.0.0.10/24 to 10.0.0.15/24 instead of a single host; and,

2) The general workstations have the address range 10.0.0.16/24 to 10.0.0.254/24 instead of being a single host.
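The following Python model is added as a worked example of the Server-Access ACL from Steps 5 to 8 and of the Challenge; it is not code from the lab. It implements the IOS ACL semantics described in Step 2 (top-down first match, a hidden implicit deny that is neither counted nor logged, per-statement match counters as printed by show access-list), runs the Step 7 tests through it, and, for the Challenge, uses ipaddress.summarize_address_range to turn each host range into the fewest contiguous wildcard-mask entries. The IP addresses are those of the lab; the FTP permit for PC1 follows the Step 1 requirement; the test packets are constructed.

```python
"""Model of an IOS extended named ACL: top-down first match, a hidden implicit deny,
per-entry match counters (as shown by 'show access-list'), and wildcard-mask
expansion of host ranges for the Challenge. Added example; not from the lab."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}
NAME_OF_PORT = {v: k for k, v in PORT_NAMES.items()}


def host(ip):
    """IOS 'host A.B.C.D' is the same as A.B.C.D with wildcard 0.0.0.0."""
    return ipaddress.ip_network(f"{ip}/32")


def _render_net(n):
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    if n.prefixlen == 0:
        return "any"
    return f"{n.network_address} {n.hostmask}"   # hostmask is the IOS wildcard mask


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol; "tcp" matches only TCP
    src: ipaddress.IPv4Network   # only contiguous wildcard masks are modelled (a prefix)
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None
    matches: int = 0

    def hits(self, proto, src_ip, dst_ip, dst_port):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.dst_port is None or self.dst_port == dst_port))

    def render(self):
        port = "" if self.dst_port is None else f" eq {NAME_OF_PORT.get(self.dst_port, self.dst_port)}"
        return (f"{self.action} {self.proto} {_render_net(self.src)} "
                f"{_render_net(self.dst)}{port} ({self.matches} matches)")


class ExtendedAcl:
    def __init__(self, name):
        self.name = name
        self.entries = []
        self.implicit_deny = Ace("deny", "ip", ANY, ANY)   # always last, never displayed or logged

    def add(self, action, proto, src, dst, eq=None):
        """Statements are appended in the order written, exactly as IOS does."""
        self.entries.append(Ace(action, proto, src, dst, PORT_NAMES.get(eq, eq)))
        return self

    def evaluate(self, proto, src_ip, dst_ip, dst_port=None):
        """The first matching statement decides; the hidden implicit deny catches the rest."""
        for ace in self.entries + [self.implicit_deny]:
            if ace.hits(proto, src_ip, dst_ip, dst_port):
                ace.matches += 1
                return ace.action
        raise AssertionError("unreachable: the implicit deny matches everything")

    def show_access_list(self):
        return [f"Extended IP access list {self.name}"] + ["    " + e.render() for e in self.entries]


def build_server_access():
    """The lab's Server-Access ACL; the FTP permit for PC1 comes from the Step 1 requirement."""
    server, router = host("172.17.1.1"), host("10.0.0.1")
    return (ExtendedAcl("Server-Access")
            .add("permit", "tcp", host("10.0.0.10"), server, eq="www")
            .add("permit", "tcp", host("10.0.0.10"), server, eq="ftp")
            .add("permit", "tcp", host("10.0.0.201"), server, eq="www")
            .add("permit", "tcp", host("10.0.0.10"), router, eq="telnet")
            .add("deny", "ip", ANY, ANY))


# Constructed packets mirroring the Step 7 checks; "PC1 ping" is the Step 3 ping repeated with the ACL in place.
STEP7_PACKETS = {
    "PC1 http":   ("tcp", "10.0.0.10", "172.17.1.1", 80),
    "PC1 ftp":    ("tcp", "10.0.0.10", "172.17.1.1", 21),
    "PC1 telnet": ("tcp", "10.0.0.10", "10.0.0.1", 23),
    "PC1 ping":   ("icmp", "10.0.0.10", "172.17.1.1", None),
    "PC2 http":   ("tcp", "10.0.0.201", "172.17.1.1", 80),
    "PC2 ftp":    ("tcp", "10.0.0.201", "172.17.1.1", 21),
    "PC2 telnet": ("tcp", "10.0.0.201", "10.0.0.1", 23),
}


def run_step7_tests(acl):
    return {name: acl.evaluate(*pkt) for name, pkt in STEP7_PACKETS.items()}


def wildcard_entries(first_ip, last_ip):
    """Challenge: the fewest 'address wildcard' pairs that cover an inclusive host range."""
    blocks = ipaddress.summarize_address_range(ipaddress.ip_address(first_ip), ipaddress.ip_address(last_ip))
    return [(str(n.network_address), str(n.hostmask)) for n in blocks]


if __name__ == "__main__":
    acl = build_server_access()
    for name, verdict in run_step7_tests(acl).items():
        print(f"{name:11} {verdict}")
    print("\n".join(acl.show_access_list()))
    for lo, hi in (("10.0.0.10", "10.0.0.15"), ("10.0.0.16", "10.0.0.254")):
        print(lo, "-", hi, "->", wildcard_entries(lo, hi))
```

Two things the counters make visible. First, the Step 3 ping is denied once the ACL is applied, because no permit covers ICMP, so connectivity has to be verified before the ACL goes on. Second, the Challenge's general range 10.0.0.16 to 10.0.0.254 is not a single wildcard block: written as permits it needs ten entries (the admin range 10.0.0.10 to 10.0.0.15 needs two), whereas the lab's other approach, deny the specific hosts first and then permit the whole 10.0.0.0 0.0.0.255 subnet, needs far fewer at the cost of also matching addresses outside both ranges.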

 
