Is Practical

The document outlines practical steps for configuring routers with OSPF MD5 authentication, NTP, and syslog logging. It includes detailed instructions for setting up IP addresses, enabling authentication, and configuring access control lists (ACLs) across multiple routers and PCs. Additionally, it covers the implementation of AAA authentication methods using local, TACACS+, and RADIUS servers.

Uploaded by gudiyaprasad251

Practical 1

Aim: Configure routers for OSPF MD5 authentication and NTP, and to log messages to the syslog server.
Step 1: Turn off the router, then drag and drop the ‘HWIC-2T’ module into the first slot.
Step 2: Turn the router back on.
Step 3: Repeat these steps for all routers in the topology.

Step 4: When connecting the routers, select the ‘Serial DTE’ cable from the Connections section.

1|Page
Step 5: For the remaining connections, select the ‘Copper Cross-Over’ cable.

Topology:

Configuring All Devices


Step 1: Open PC A (Server), go to Desktop > IP Configuration and enter the following IP addresses.

Step 2: Open PC B (Server) and enter the following IP addresses.

Step 3: Open PC C (PC) and enter the following IP addresses.

Step 4: Go to Config and change the hostname and display name to R1.

Step 5: Turn on Port Status for Gig0/0 and enter these addresses.

Step 6: Set the IP addresses on Se0/1/0.

Step 7: Change the hostname and display name to R2.

Step 8: Turn on Port Status for Se0/1/0 and enter these addresses.

Step 9: Set the IP addresses on Se0/1/1.

Step 10: Change the hostname and display name to R3.

Step 11: Turn on Port Status for Gig0/0 and enter these addresses.

Step 12: Set the IP addresses on Se0/1/1.

Step 13: Enter all these commands on Router 1.


R1>en
R1#conf t
R1(config)#line vty 0 4
R1(config-line)#password vtypa55
R1(config-line)#login
R1(config-line)#exit
R1(config)#enable secret enpa55

Step 14: Enter the same commands on Router 2.

R2>en
R2#conf t
R2(config)#line vty 0 4
R2(config-line)#password vtypa55
R2(config-line)#login
R2(config-line)#exit
R2(config)#enable secret enpa55

Step 15: Enter the same commands on Router 3.
R3>en
R3#conf t
R3(config)#line vty 0 4
R3(config-line)#password vtypa55
R3(config-line)#login
R3(config-line)#exit
R3(config)#enable secret enpa55

Step 16: Enter these commands on R1.

R1(config)#router ospf 1
R1(config-router)#network [Link] [Link] area 0
R1(config-router)#network [Link] [Link] area 0

Step 17: Enter these commands on R2.

R2(config)#router ospf 2
R2(config-router)#network [Link] [Link] area 0
R2(config-router)#network [Link] [Link] area 0

Step 18: Enter these commands on R3.

R3(config)#router ospf 3
R3(config-router)#network [Link] [Link] area 0
R3(config-router)#network [Link] [Link] area 0

Part A: Configure OSPF MD5 Authentication
Step 1: Test connectivity.

Step 2: Configure OSPF MD5 authentication for all the routers in area 0.
R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest
! The process ID must be the one the networks were added to in Steps 17 and 18
R2(config)#router ospf 2
R2(config-router)#area 0 authentication message-digest
R3(config)#router ospf 3
R3(config-router)#area 0 authentication message-digest

Step 3: Configure the MD5 key for all the routers in area 0.
R1(config)#interface s0/1/0
R1(config-if)#ip ospf message-digest-key 1 md5 MD5pa55
R2(config)#interface s0/1/0
R2(config-if)#ip ospf message-digest-key 1 md5 MD5pa55
R2(config-if)#interface s0/1/1
R2(config-if)#ip ospf message-digest-key 1 md5 MD5pa55
! R3's serial link to R2 is s0/1/1 (Step 12), so the key goes on that interface
R3(config)#interface s0/1/1
R3(config-if)#ip ospf message-digest-key 1 md5 MD5pa55

Step 4: Verify configurations.

Part B: Configure NTP
Step 1: Open PC A > Services > NTP and make the required changes.

Step 2: Configure R1, R2, and R3 as NTP clients.


R1(config)#ntp server [Link]
R2(config)#ntp server [Link]
R3(config)#ntp server [Link]

Step 3: Configure routers to update hardware clock.


R1(config)#ntp update-calendar
R2(config)#ntp update-calendar
R3(config)#ntp update-calendar

Step 4: Configure NTP authentication on the routers.


R1(config)#ntp authenticate
R1(config)#ntp trusted-key 1
R1(config)#ntp authentication-key 1 md5 NTPpa55
R2(config)#ntp authenticate
R2(config)#ntp trusted-key 1
R2(config)#ntp authentication-key 1 md5 NTPpa55
R3(config)#ntp authenticate
R3(config)#ntp trusted-key 1
R3(config)#ntp authentication-key 1 md5 NTPpa55

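Both Part A and Part B rest on keyed MD5, but the two protocols combine key and message differently. The following Python is an added example, not part of the lab manual or of Packet Tracer: it builds an OSPFv2 Hello with cryptographic authentication and verifies it the way a neighbour would (RFC 2328, Appendix D), and computes and checks an NTP MAC (RFC 5905). The packet contents, router IDs and NTP header are constructed for the example; only the key strings `MD5pa55` and `NTPpa55` come from the lab.

```python
import hashlib
import hmac
import socket
import struct

# Added example (not from the lab manual): the two keyed-MD5 constructions behind
# "ip ospf message-digest-key ... md5" (Part A) and "ntp authentication-key ... md5"
# (Part B). Packets and router IDs below are constructed for illustration.

OSPF_KEY_LEN = 16    # RFC 2328 D.3: the MD5 key is zero-padded to 16 bytes
NTP_HEADER_LEN = 48  # RFC 5905: fixed header covered by the MAC (no extension fields here)


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 Appendix D: digest = MD5(OSPF packet || zero-padded key).

    The packet already carries key id, auth length (16) and sequence number in its
    8-byte authentication field; the checksum field stays zero under AuType 2."""
    if len(key) > OSPF_KEY_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return hashlib.md5(packet + key.ljust(OSPF_KEY_LEN, b"\x00")).digest()


def build_ospf_hello(router_id: str, area_id: int, key_id: int, seq: int, key: bytes) -> bytes:
    """Construct a minimal OSPFv2 Hello with the cryptographic digest appended."""
    # Hello body: network mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 10, 0x02, 1, 40,
                       socket.inet_aton("0.0.0.0"), socket.inet_aton("0.0.0.0"))
    length = 24 + len(body)  # header + body; the digest is not counted in the length field
    # version 2, type 1 (Hello), length, router id, area id, checksum 0, AuType 2
    header = struct.pack("!BBH4sIHH", 2, 1, length, socket.inet_aton(router_id), area_id, 0, 2)
    # authentication field: reserved, key id, auth data length, cryptographic sequence number
    auth = struct.pack("!HBBI", 0, key_id, OSPF_KEY_LEN, seq)
    packet = header + auth + body
    return packet + ospf_md5_digest(packet, key)


def verify_ospf_md5(frame: bytes, key: bytes) -> bool:
    """What the receiving neighbour does: peel the trailing digest off and recompute it."""
    if len(frame) < 24 + OSPF_KEY_LEN:
        return False
    length = struct.unpack("!H", frame[2:4])[0]
    autype = struct.unpack("!H", frame[14:16])[0]
    auth_len = frame[19]
    if autype != 2 or auth_len != OSPF_KEY_LEN or len(frame) != length + OSPF_KEY_LEN:
        return False
    expected = ospf_md5_digest(frame[:length], key)
    return hmac.compare_digest(expected, frame[length:])


def ntp_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """RFC 5905 Appendix A: MAC = key id || MD5(key || NTP header). Note the key comes first here."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_ntp_mac(packet: bytes, trusted_keys: dict) -> bool:
    """trusted_keys maps key id -> secret, mirroring 'ntp trusted-key N' plus 'ntp authentication-key N md5'."""
    if len(packet) != NTP_HEADER_LEN + 20:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:  # unknown or untrusted key id: rejected before the digest is compared
        return False
    return hmac.compare_digest(hashlib.md5(key + header).digest(), mac[4:])


# Constructed NTPv4 client header (LI=0, VN=4, Mode=3) with every other field zero.
SAMPLE_NTP_HEADER = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)

if __name__ == "__main__":
    hello = build_ospf_hello("1.1.1.1", 0, 1, 100, b"MD5pa55")
    print("OSPF digest verifies with MD5pa55:", verify_ospf_md5(hello, b"MD5pa55"))
    print("OSPF digest verifies with wrong key:", verify_ospf_md5(hello, b"wrongkey"))
    ntp = SAMPLE_NTP_HEADER + ntp_mac(SAMPLE_NTP_HEADER, 1, b"NTPpa55")
    print("NTP MAC verifies with trusted key 1:", verify_ntp_mac(ntp, {1: b"NTPpa55"}))
```

Two details the CLI hides: OSPF appends the key (zero-padded to 16 bytes) to the packet, while NTP prepends it to the header; and `ntp trusted-key 1` is what the `trusted_keys` table models, so a MAC carrying a key id that is not trusted is rejected before any digest comparison takes place.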
Step 5: Configure routers to timestamp log messages.


R1(config)#service timestamps log datetime msec
R2(config)#service timestamps log datetime msec
R3(config)#service timestamps log datetime msec

Part C: Configure Routers to Log Messages to the Syslog Server


Step 1: Configure the routers to identify the remote host (syslog server) that will receive logging messages.
R1(config)#logging host [Link]
R2(config)#logging host [Link]
R3(config)#logging host [Link]

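Once the routers log to the syslog server, what arrives is a stream of lines in the `%FACILITY-SEVERITY-MNEMONIC` format, stamped with the `datetime msec` timestamps from Part B. The parser below is an added example, not part of the lab: it splits such lines into fields, compares the RFC 3164 priority with the severity in the message, and pulls out the events worth reviewing. The sample lines are constructed to match the IOS format; they are not captured from the lab routers, and the addresses in them are placeholders.

```python
import re
from typing import Optional

# Added example (not part of the lab): parse what the routers send to the syslog
# server after "logging host" and "service timestamps log datetime msec".
# Format: <PRI>seq: *Mon DD hh:mm:ss.mmm [TZ]: %FACILITY-SEVERITY-MNEMONIC: text
IOS_SYSLOG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                      # RFC 3164 <PRI>, present on the wire
    r"(?:\d+: )?"                                     # sequence number, if 'service sequence-numbers' is on
    r"(?:(?P<unsynced>[*.])?"                         # '*' clock never set, '.' lost NTP sync
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: [A-Z]{3,4})?: )?"                           # optional time-zone name, then ': '
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Mnemonics worth a look regardless of severity: config changes, failed logins, ACL log hits.
ALWAYS_REVIEW = {"CONFIG_I", "LOGIN_FAILED", "IPACCESSLOGP"}


def parse_ios_syslog(line: str) -> Optional[dict]:
    """Return the fields of one IOS syslog line, or None if the line is not in IOS format."""
    m = IOS_SYSLOG.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    # The low 3 bits of <PRI> are the severity as the sender classified it; a mismatch with
    # the %FAC-SEV-MNEMONIC header means a relay rewrote the priority.
    rec["pri_severity"] = int(rec["pri"]) & 7 if rec["pri"] is not None else None
    # A '*' or '.' before the timestamp means the router's clock was not authoritative
    # (NTP not yet synchronised), so the timestamp cannot be correlated across devices.
    rec["clock_authoritative"] = rec["timestamp"] is not None and rec["unsynced"] is None
    return rec


def triage(lines) -> list:
    """Keep messages at severity warning (4) or worse, plus the ALWAYS_REVIEW mnemonics."""
    alerts = []
    for line in lines:
        rec = parse_ios_syslog(line)
        if rec is None:
            continue
        if rec["severity"] <= 4 or rec["mnemonic"] in ALWAYS_REVIEW:
            alerts.append(rec)
    return alerts


# Constructed sample lines in IOS format (not captured from the lab; addresses are placeholders).
SAMPLE_LOG_LINES = [
    "<189>12: *Mar  1 00:05:09.175: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.3.3)",
    "<190>13: *Mar  1 00:05:30.001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.3 port 514 started - CLI initiated",
    "<189>14: *Mar  1 00:06:02.900: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.2 on Serial0/1/0 from LOADING to FULL, Loading Done",
    "<188>15: Mar  1 00:07:41.330 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.3] [localport: 22] [Reason: Login Authentication Failed]",
    "<189>16: Mar  1 00:08:10.112 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0, changed state to down",
    "Jan  1 00:00:00 not-a-cisco-device something happened",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG_LINES):
        print(alert["severity"], alert["facility"], alert["mnemonic"], alert["text"][:60])
```

The `clock_authoritative` flag is the reason Part B comes before Part C: until NTP has synchronised, IOS marks every timestamp with `*`, and logs from different routers cannot be lined up against each other.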
Step 2: Verify logging configuration.

Step 3: Examine logs of the Syslog Server.

Practical 2
Aim: Configure AAA Authentication.
Topology:

Step 1: Configure IP addresses
PC A

PC B

Server (TACACS+)

PC C

Server (RADIUS)

R1

R2

R3

Step 2: Enter these commands on all the routers


R1(config)#line vty 0 4
R1(config-line)#password admin
R1(config-line)#login
R1(config-line)#exit
R1(config)#enable secret adminpa55
R2(config)#line vty 0 4
R2(config-line)#password admin
R2(config-line)#login
R2(config-line)#exit
R2(config)#enable secret adminpa55
R3(config)#line vty 0 4
R3(config-line)#password admin
R3(config-line)#login
R3(config-line)#exit
R3(config)#enable secret adminpa55

Step 3: Commands in R1
R1(config)#router ospf 1
R1(config-router)#network [Link] [Link] area 0
R1(config-router)#network [Link] [Link] area 0

Step 4: Commands in R2
R2(config)#router ospf 2
R2(config-router)#network [Link] [Link] area 0
R2(config-router)#network [Link] [Link] area 0
R2(config-router)#network [Link] [Link] area 0

Step 5: Commands in R3
R3(config)#router ospf 3
R3(config-router)#network [Link] [Link] area 0
R3(config-router)#network [Link] [Link] area 0

Step 6: Test Connectivity.

Part 1: Configure Local AAA Authentication for Console Access on R1
Step 1: Test Connectivity of all Devices.
PC A to PC B

PC A to PC C

PC B to PC C

Step 2: Configure a local username on R1.
R1(config)#username Admin1 secret admin1pa55
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#line console 0
R1(config-line)#login authentication default

Step 3: Verify the AAA authentication method.

Username: Admin1
Password: admin1pa55

Part 2: Configure Local AAA Authentication for vty Lines on R1
Step 1: Configure domain name and crypto key for use with SSH.
R1(config)#ip domain-name [Link]
R1(config)#crypto key generate rsa
*Mar 1 1:1:9.175: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#aaa authentication login SSH-LOGIN local
R1(config)#line vty 0 4
R1(config-line)#login authentication SSH-LOGIN
R1(config-line)#transport input ssh

Step 2: Verify the AAA authentication method.

ssh -l Admin1 [Link]


Password: admin1pa55

Part 3: Configure Server-Based AAA Authentication Using TACACS+ on R2
Step 1: Configure a backup local database entry called Admin2.
R2(config)#username Admin2 secret admin2pa55

Step 2: Open the TACACS+ server > Services > AAA and make the required changes.

Step 3: Configure AAA login authentication for console access on R2.


R2(config)#username Admin2 secret admin2pa55
R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+ local
R2(config)#line console 0
R2(config-line)#login authentication default

Step 4: Verify the AAA authentication method.

Username: Admin2
Password: admin2pa55

Part 4: Configure Server-Based AAA Authentication Using RADIUS on R3.
Step 1: Configure a backup local database entry called Admin3.
R3(config)#username Admin3 secret admin3pa55

Step 2: Open the RADIUS server > Services > AAA and make the required changes.

Step 3: Configure AAA login authentication for console access on R3.


R3(config)#aaa new-model
R3(config)#aaa authentication login default group radius local
R3(config)#line console 0
R3(config-line)#login authentication default

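Parts 3 and 4 both use a method list of the form `group tacacs+ local` or `group radius local`. The backup local entry only helps if you know when IOS consults it, so the following added example (not part of the lab or of IOS) models the method-list walk: a method is skipped only when it returns an error, such as an unreachable server; a server that answers and rejects the credentials ends the attempt without falling back to `local`. The server and user databases are stand-ins constructed for the example; the credentials reuse the lab's Admin2 username and password.

```python
import hmac
from enum import Enum

# Added example (not part of the lab): a model of how IOS walks a login method list
# such as "aaa authentication login default group tacacs+ local" (Parts 3 and 4).
# The server and the user databases are constructed stand-ins, not the Packet Tracer ones.


class Result(Enum):
    PASS = "pass"    # the method authenticated the user (final)
    FAIL = "fail"    # the method answered and rejected the credentials (final)
    ERROR = "error"  # the method could not answer, e.g. server unreachable: try the next one


def local_database(users: dict):
    """The 'local' method: the usernames created with 'username NAME secret PASSWORD'."""
    def method(username: str, password: str) -> Result:
        stored = users.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            return Result.PASS
        return Result.FAIL
    return method


def aaa_server(users: dict, reachable: bool):
    """The 'group tacacs+' or 'group radius' method: a server that may be down."""
    def method(username: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR          # no response: IOS moves on to the next method
        stored = users.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            return Result.PASS
        return Result.FAIL               # an explicit reject is final, no fallback
    return method


def authenticate(method_list, username: str, password: str):
    """Try the methods in order; only ERROR advances to the next one.

    Returns (result, name of the method that decided), or (FAIL, None) when every
    method returned ERROR, which is how IOS ends up denying the login."""
    for name, method in method_list:
        result = method(username, password)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, None


def lab_method_list(server_users: dict, server_reachable: bool, local_users: dict):
    """'aaa authentication login default group tacacs+ local' as an ordered list."""
    return [("group tacacs+", aaa_server(server_users, server_reachable)),
            ("local", local_database(local_users))]


if __name__ == "__main__":
    users = {"Admin2": "admin2pa55"}
    for reachable in (True, False):
        methods = lab_method_list(users, reachable, users)
        print("server reachable" if reachable else "server down", "->",
              authenticate(methods, "Admin2", "admin2pa55"),
              authenticate(methods, "Admin2", "wrong-password"))
```

The consequence for Step 4's verification: with the server up, a wrong password is rejected by TACACS+ itself and `local` never runs; only when the server cannot be reached does the Admin2 entry in the local database take over.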
Step 4: Verify the AAA authentication method.

Username: Admin3
Password: admin3pa55

Practical 3A
Aim: Configuring Extended ACLs - Scenario 1
Topology:

Configuring IP Addresses
R1 – Gig0/0

R1 – Gig0/1

R1 – Gig0/2

Server

PC 1

PC 2

Part A - Configure, Apply and Verify an Extended Numbered ACL


Step 1: R1 Commands
R1>en
R1#conf t
R1(config)#line vty 0 4
R1(config-line)#password admin
R1(config-line)#login
R1(config-line)#exit
R1(config)#enable secret adminpa55
R1(config)#access-list 100 permit tcp [Link] [Link] host [Link] eq ftp
R1(config)#access-list 100 permit tcp [Link] [Link] host [Link]
R1(config)#int gig0/0
R1(config-if)#ip access-group 100 in

Step 2: Verify the ACL implementation.

Username: cisco
Password: cisco

Part B - Configure, Apply and Verify an Extended Named ACL
Step 1: R1 Commands
R1(config)#ip access-list extended HTTP_ONLY
R1(config-ext-nacl)#permit tcp [Link] [Link] host [Link] eq www
R1(config-ext-nacl)#permit icmp [Link] [Link] host [Link]
R1(config-ext-nacl)#int gig 0/1
R1(config-if)#ip access-group HTTP_ONLY in

Step 2: Verify the ACL implementation.

In the browser, enter this URL: [Link]

Practical 3B
Aim: Configuring Extended ACLs - Scenario 2
Topology:

Configuring IP Addresses
RTA (Router)
Gig0/0

Gig0/1

Gig0/2

PC A

PC B

Step 1: Enter these commands on the router and switches.
SWA (Switch)
SWA(config)#int vlan 1
SWA(config-if)#ip address [Link] [Link]
SWA(config-if)#no shut
SWA(config-if)#exit
SWA(config)#ip default-gateway [Link]
SWA(config)#enable secret enpa55
SWA(config)#line console 0
SWA(config-line)#password abhi
SWA(config-line)#login

SWB (Switch)
SWB(config)#int vlan 1
SWB(config-if)#ip address [Link] [Link]
SWB(config-if)#no shut
SWB(config-if)#exit
SWB(config)#ip default-gateway [Link]
SWB(config)#enable secret enpa55
SWB(config)#line console 0
SWB(config-line)#password abhi
SWB(config-line)#login

SWC (Switch)
SWC(config)#int vlan 1
SWC(config-if)#ip address [Link] [Link]
SWC(config-if)#no shut
SWC(config-if)#exit
SWC(config)#ip default-gateway [Link]
SWC(config)#enable secret enpa55
SWC(config)#line console 0
SWC(config-line)#password abhi
SWC(config-line)#login

RTA (Router)
RTA(config)#enable secret enpa55
RTA(config)#line console 0
RTA(config-line)#password abhi
RTA(config-line)#login

310 | P a g
e
Step 2: Test
Connectivity. PC A to
PC B

PC A to SWC

PC B to SWC

40 | P a g e
Part 1: Configure Switch and Router to support SSH Connection
Step 1: Configure domain name and crypto key for use with SSH.
RTA (Router)
RTA(config)#ip domain-name [Link]
RTA(config)#username admin secret adminpa55
RTA(config)#crypto key generate rsa
RTA(config)#line vty 0 4
RTA(config-line)#login local

SWA (Switch)
SWA(config)#ip domain-name [Link]
SWA(config)#username admin secret adminpa55
SWA(config)#crypto key generate rsa
SWA(config)#line vty 0 4
SWA(config-line)#login local

SWB (Switch)
SWB(config)#ip domain-name [Link]
SWB(config)#username admin secret adminpa55
SWB(config)#crypto key generate rsa
SWB(config)#line vty 0 4
SWB(config-line)#login local

SWC (Switch)
SWC(config)#ip domain-name [Link]
SWC(config)#username admin secret adminpa55
SWC(config)#crypto key generate rsa
SWC(config)#line vty 0 4
SWC(config-line)#login local

Step 2: Verify the SSH Connection

ssh -l Admin [Link]


Password: adminpa55

Part 2: Configure, Apply and Verify an Extended Numbered ACL
Step 1: Configure the extended ACL.
RTA (Router)
RTA(config)#access-list 199 permit tcp [Link] [Link] [Link] [Link] eq 22
RTA(config)#access-list 199 permit icmp any any
RTA(config)#int gig0/2
RTA(config-if)#ip access-group 199 out

Step 2: Verify the extended ACL implementation.

ssh -l Admin [Link]


Password: adminpa55

Practical 4
Aim: Configure IP ACLs to Mitigate Attacks.
Topology:

Step 1: Configuring IP Addresses


PC A (Server)

PC C

R1

R2

R3

Step 2: Enter all the commands on all routers


R1
R1(config)#enable secret enpa55
R1(config)#line console 0
R1(config-line)#password conpa55
R1(config-line)#login
R1(config-line)#exit
R1(config)#ip domain-name [Link]
R1(config)#username admin secret adminpa55
R1(config)#crypto key generate rsa
R1(config)#line vty 0 4
R1(config-line)#login local

R2
R2(config)#enable secret enpa55
R2(config)#line console 0
R2(config-line)#password conpa55
R2(config-line)#login
R2(config-line)#exit
R2(config)#ip domain-name [Link]
R2(config)#username admin secret adminpa55
R2(config)#crypto key generate rsa
R2(config)#line vty 0 4
R2(config-line)#login local

R3
R3(config)#enable secret enpa55
R3(config)#line console 0
R3(config-line)#password conpa55
R3(config-line)#login
R3(config-line)#exit
R3(config)#ip domain-name [Link]
R3(config)#username admin secret adminpa55
R3(config)#crypto key generate rsa
R3(config)#line vty 0 4
R3(config-line)#login local

Step 3: Configure a loopback interface on R2
R2
R2(config)#int loopback 0
R2(config-if)#ip address [Link] [Link]
R2(config-if)#no shut

Step 4: Configure static routing on routers


R1
R1(config)#ip route [Link] [Link] [Link]
R1(config)#ip route [Link] [Link] [Link]
R1(config)#ip route [Link] [Link] [Link]

R2
R2(config)#ip route [Link] [Link] [Link]
R2(config)#ip route [Link] [Link] [Link]

R3
R3(config)#ip route [Link] [Link] [Link]
R3(config)#ip route [Link] [Link] [Link]
R3(config)#ip route [Link] [Link] [Link]

Part 1 - Verify Basic Network Connectivity
Step 1: Test Connectivity
PC A to PC C & R2

ssh -l admin [Link]


Password: adminpa55
PC C to PC A & R2

ssh -l admin [Link]


Password: adminpa55

Step 2: Check in the browser

In the browser, enter this URL: [Link]


Part 2 - Restrict Remote Access to the Routers to PC-C.
R1
R1(config)#access-list 10 permit host [Link]
R1(config)#line vty 0 4
R1(config-line)#access-class 10 in

R2
R2(config)#access-list 10 permit host [Link]
R2(config)#line vty 0 4
R2(config-line)#access-class 10 in

R3
R3(config)#access-list 10 permit host [Link]
R3(config)#line vty 0 4
R3(config-line)#access-class 10 in

Step 2: Verify exclusive access from management station PC-C
PC C

ssh -l admin [Link]


Password: adminpa55
PC A

ssh -l admin [Link]


Password: adminpa55

Part 3 – Create a Numbered IP ACL 120 on R1
Step 1: Open PC A (Server) and go to Services > HTTP

Step 2: Configure ACL 120 to specifically permit and deny the specified traffic.
R1(config)#access-list 120 permit udp any host [Link] eq domain
R1(config)#access-list 120 permit tcp any host [Link] eq smtp
R1(config)#access-list 120 permit tcp any host [Link] eq ftp
R1(config)#access-list 120 deny tcp any host [Link] eq 443
R1(config)#access-list 120 permit tcp host [Link] host [Link] eq 22
R1(config)#int se0/1/0
R1(config-if)#ip access-group 120 in

Step 3: Verify that PC-A can successfully ping the loopback interface on R2.

In the browser, enter this URL: [Link]

Part 4 - Modify an Existing ACL on R1
Step 1: Verify that PC-A cannot successfully ping the loopback interface on R2.

Step 2: Make any necessary changes to ACL 120 to permit and deny the specified traffic.
R1(config)#access-list 120 permit icmp any any echo-reply
R1(config)#access-list 120 permit icmp any any unreachable
R1(config)#access-list 120 deny icmp any any
R1(config)#access-list 120 permit ip any any

Step 3: Verify that PC-A can successfully ping the loopback interface on R2.

Part 5 - Create a Numbered IP ACL 110 on R3
Step 1: Configure ACL 110 to permit only traffic from the inside network.
R3(config)#access-list 110 permit ip [Link] [Link] any
R3(config)#int gig0/1
R3(config-if)#ip access-group 110 in

Part 6: Create a Numbered IP ACL 100 on R3


Step 1: Configure ACL 100 to block all specified traffic from the outside network.
R3(config)#access-list 100 permit tcp [Link] [Link] host [Link] eq 22
R3(config)#access-list 100 deny ip [Link] [Link] any
R3(config)#access-list 100 deny ip [Link] [Link] any
R3(config)#access-list 100 deny ip [Link] [Link] any
R3(config)#access-list 100 deny ip [Link] [Link] any
R3(config)#access-list 100 deny ip [Link] [Link] any
R3(config)#access-list 100 permit ip any any
R3(config)#interface se0/1/0
R3(config-if)#ip access-group 100 in

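Every ACL test in Practicals 3A, 3B and 4 comes down to three rules: wildcard masks mark the bits that must match, entries are evaluated in order and the first match wins, and anything unmatched hits an implicit deny at the end. The evaluator below is an added example (not part of the lab or of Cisco IOS): it parses numbered standard and extended `access-list` lines in the syntax used above and tests constructed packets against them. The addresses for PC-A, the R2 loopback and PC-C are constructed stand-ins, since the page does not preserve the lab's values; ACL 120 is reproduced from Part 3 and Part 4 with those stand-ins.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not part of the lab): evaluator for the numbered IOS access-list
# syntax used in Practicals 3A, 3B and 4. Addresses below are constructed stand-ins.

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with an all-ones wildcard


@dataclass
class Packet:
    proto: str                   # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple                   # (address, wildcard) as integers
    dst: tuple
    dport: Optional[int]
    icmp_type: Optional[int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((address, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _match_addr(spec, address: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; only the 0 bits have to be equal."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(address) & care) == (base & care)


def parse_acl(lines):
    """Parse numbered 'access-list' lines (standard or extended) into {number: [Ace, ...]}."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if rest[0] in ("ip", "tcp", "udp", "icmp"):   # extended: protocol, source, destination
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            dst, rest = _parse_addr(rest)
        else:                                         # standard: source only, any protocol
            proto, dst = "ip", ANY
            src, rest = _parse_addr(rest)
        dport = icmp_type = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        elif rest and proto == "icmp":
            icmp_type = ICMP_TYPES[rest[0]]
        acls.setdefault(number, []).append(Ace(action, proto, src, dst, dport, icmp_type))
    return acls


def evaluate(aces, pkt: Packet) -> str:
    """First matching entry decides; a packet that matches nothing hits the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action
    return "deny (implicit)"


# Constructed stand-ins for the lab hosts: PC-A server, R2 loopback, PC-C management station.
SERVER, LOOPBACK, MGMT = "192.168.1.3", "192.168.2.1", "192.168.3.3"

ACL_120_PART3 = [   # as entered in Part 3 Step 2
    f"access-list 120 permit udp any host {SERVER} eq domain",
    f"access-list 120 permit tcp any host {SERVER} eq smtp",
    f"access-list 120 permit tcp any host {SERVER} eq ftp",
    f"access-list 120 deny tcp any host {SERVER} eq 443",
    f"access-list 120 permit tcp host {MGMT} host {LOOPBACK} eq 22",
]
ACL_120_PART4 = [   # appended in Part 4 Step 2; new lines always go to the end of a numbered ACL
    "access-list 120 permit icmp any any echo-reply",
    "access-list 120 permit icmp any any unreachable",
    "access-list 120 deny icmp any any",
    "access-list 120 permit ip any any",
]
```

Running the Part 4 case explains why Step 1 fails and Step 3 succeeds: before the ICMP entries are appended, an echo-reply returning to PC-A matches nothing in ACL 120 and is dropped by the implicit deny. It also shows why the order of typing matters: `deny icmp any any` must be entered before `permit ip any any`, because each `access-list 120` line is appended after the existing entries.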
Step 2: Confirm that the specified traffic entering the serial interface is handled correctly.

ssh -l admin [Link]


Password: adminpa55

Practical 5
Aim: Configuring IPv6 ACLs
Topology:

Step 1: Configuring IP Addresses


PC 1

PC 2

Server

R1
R1(config)#ipv6 unicast-routing
R1(config)#interface GigabitEthernet0/0
R1(config-if)#ipv6 address 2002::1/64
R1(config-if)#ipv6 rip a enable
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface GigabitEthernet0/1
R1(config-if)#ipv6 address 2001::1/64
R1(config-if)#ipv6 rip a enable
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface Serial0/1/0
R1(config-if)#ipv6 address 2003::1/64
R1(config-if)#ipv6 rip a enable
R1(config-if)#no shut
R1(config-if)#exit

R2
Router(config)#ipv6 unicast-routing
Router(config)#interface Serial0/1/0
! R1 already uses 2003::1 on this link (see R1 above), so R2 takes 2003::2
Router(config-if)#ipv6 address 2003::2/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#interface Serial0/1/1
Router(config-if)#ipv6 address 2004::1/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shut
Router(config-if)#exit

R3
Router(config)#ipv6 unicast-routing
Router(config)#interface Serial0/1/1
Router(config-if)#ipv6 address 2004::2/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#interface GigabitEthernet0/0
Router(config-if)#ipv6 address 2005::1/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shut
Router(config-if)#exit

Step 2: Test Connectivity

Step 3: Configure, Apply, and Verify an IPv6 ACL


R2(config)#ipv6 access-list smile
R2(config-ipv6-acl)#deny tcp any host 2005::2 eq www
R2(config-ipv6-acl)#deny tcp any host 2005::2 eq 443
R2(config-ipv6-acl)#permit ipv6 any any
R2(config-ipv6-acl)#exit
R2(config)#interface Serial0/1/1
R2(config-if)#ipv6 traffic-filter smile out
R2(config-if)#exit

Step 4: Testing Connectivity

Practical 6
Aim: Configuring a Zone-Based Policy Firewall (ZPF).
Topology:

Configuring IP Addresses
PC A (Server)

PC C

R1

R2

R3

Step 1: Enter all the commands on all routers


R1
R1(config)#line console 0
R1(config-line)#password conpa55
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password vtypa55
R1(config-line)#login
R1(config-line)#exit
R1(config)#enable secret enpa55
R1(config)#ip domain-name [Link]
R1(config)#username admin secret adminpa55
R1(config)#crypto key generate rsa
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#exit

R1(config)#router ospf 1
R1(config-router)#network [Link] [Link] area 0
R1(config-router)#network [Link] [Link] area 0

R2
R2(config)#line console 0
R2(config-line)#password conpa55
R2(config-line)#login
R2(config-line)#exit
R2(config)#line vty 0 4
R2(config-line)#password vtypa55
R2(config-line)#login
R2(config-line)#exit
R2(config)#enable secret enpa55
R2(config)#ip domain-name [Link]
R2(config)#username admin secret adminpa55
R2(config)#crypto key generate rsa
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#exit

R2(config)#router ospf 2
R2(config-router)#network [Link] [Link] area 0
R2(config-router)#network [Link] [Link] area 0

R3
R3(config)#line console 0
R3(config-line)#password conpa55
R3(config-line)#login
R3(config-line)#exit
R3(config)#line vty 0 4
R3(config-line)#password vtypa55
R3(config-line)#login
R3(config-line)#exit
R3(config)#enable secret enpa55
R3(config)#ip domain-name [Link]
R3(config)#username admin secret adminpa55
R3(config)#crypto key generate rsa
R3(config)#line vty 0 4
R3(config-line)#login local
R3(config-line)#exit

R3(config)#router ospf 3
R3(config-router)#network [Link] [Link] area 0
R3(config-router)#network [Link] [Link] area 0

Part 1: Verify Basic Network Connectivity
PC A to PC C

ssh -l admin [Link]
Password: adminpa55

PC C to PC A

URL: [Link]

Part 2 – Create the Firewall Zones on R3
Step 1: Enable the Security Technology package.
R3
R3#show version
R3#conf t
R3(config)#license boot module c1900 technology-package securityk9
(type yes)
R3(config)#end
R3#reload
(type yes, then press Enter)
R3#show version

Step 2: Create the internal and external zones.


R3(config)#zone security IN-ZONE
R3(config-sec-zone)#exit
R3(config)#zone security OUT-ZONE
R3(config-sec-zone)#exit

Part 3: Identify Traffic Using a Class-Map
Step 1: Create an ACL that defines internal traffic.
R3(config)#access-list 101 permit ip [Link] [Link] any
R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)#match access-group 101
R3(config-cmap)#exit

Part 4: Specify Firewall Policies


Step 1: Create a policy map to determine what to do with matched traffic.
R3(config)#policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)#class type inspect IN-NET-CLASS-MAP
R3(config-pmap-c)#inspect
R3(config-pmap-c)#exit
R3(config-pmap)#exit

Part 5: Apply Firewall Policies


Step 1: Create a pair of zones and assign interfaces to the appropriate security zones.
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)#exit
R3(config)#int g0/0
R3(config-if)#zone-member security IN-ZONE
R3(config-if)#exit
R3(config)#int s0/1/0
R3(config-if)#zone-member security OUT-ZONE
R3(config-if)#end
R3#copy run start
(press Enter)
R3#reload

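Parts 6 and 7 test the two sides of the same policy: traffic from IN-ZONE to OUT-ZONE is inspected, and only the return half of those sessions is let back in. The added example below (not part of the lab or of IOS) models the zone-based firewall as configured on R3 in Parts 2 to 5: zone membership per interface, one zone-pair with an `inspect` policy for the class matched by access-list 101, a session table for return traffic, and the implicit class-default drop. The inside network and host addresses are constructed stand-ins, since the page does not preserve the lab's values.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not part of the lab): a model of the zone-based policy firewall built
# on R3 in Parts 2 to 5, to show why the tests in Parts 6 and 7 behave as they do.
# Addresses are constructed stand-ins (the lab's own were not preserved on the page).

INSIDE_NET = ipaddress.ip_network("192.168.3.0/24")  # constructed: what access-list 101 permits


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ZoneFirewall:
    def __init__(self):
        self.zone_of = {}      # interface -> zone ('zone-member security')
        self.policies = {}     # (src zone, dst zone) -> (class match fn, action) ('zone-pair' + policy-map)
        self.sessions = set()  # flows admitted by 'inspect'; their reverse is allowed back

    def zone_member(self, interface: str, zone: str):
        self.zone_of[interface] = zone

    def zone_pair(self, src_zone: str, dst_zone: str, match, action: str):
        self.policies[(src_zone, dst_zone)] = (match, action)

    def forward(self, in_if: str, out_if: str, flow: Flow) -> str:
        src_zone, dst_zone = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src_zone == dst_zone:
            return "forward (same zone)"        # intra-zone traffic (or two non-zone interfaces) is not policed
        if src_zone is None or dst_zone is None:
            return "drop (zone to non-zone)"    # one interface in a zone, the other not
        if flow.reverse() in self.sessions:
            return "forward (return traffic)"   # stateful: the reply to an inspected session
        policy = self.policies.get((src_zone, dst_zone))
        if policy is None:
            return "drop (no zone-pair)"        # Part 7: OUT-ZONE -> IN-ZONE has no policy
        match, action = policy
        if not match(flow):
            return "drop (class-default)"       # unmatched traffic hits the implicit class-default drop
        if action == "inspect":
            self.sessions.add(flow)
            return "forward (session created)"
        return "forward (pass)" if action == "pass" else "drop"


def in_net_class(flow: Flow) -> bool:
    """class-map IN-NET-CLASS-MAP: 'match access-group 101' (source inside the internal network)."""
    return ipaddress.ip_address(flow.src) in INSIDE_NET


def build_lab_firewall() -> ZoneFirewall:
    """R3 as configured in Parts 2 to 5: IN-ZONE on g0/0, OUT-ZONE on s0/1/0, inspect IN->OUT."""
    fw = ZoneFirewall()
    fw.zone_member("g0/0", "IN-ZONE")
    fw.zone_member("s0/1/0", "OUT-ZONE")
    fw.zone_pair("IN-ZONE", "OUT-ZONE", in_net_class, "inspect")
    return fw


if __name__ == "__main__":
    fw = build_lab_firewall()
    ssh = Flow("tcp", "192.168.3.3", 40001, "192.168.1.3", 22)   # PC-C -> PC-A (Part 6)
    print("PC-C -> PC-A ssh:", fw.forward("g0/0", "s0/1/0", ssh))
    print("PC-A -> PC-C reply:", fw.forward("s0/1/0", "g0/0", ssh.reverse()))
    print("PC-A -> PC-C new:", fw.forward("s0/1/0", "g0/0", Flow("tcp", "192.168.1.3", 50000, "192.168.3.3", 22)))
```

This is what `show policy-map type inspect zone-pair sessions` in Part 6 is showing: the session entries created by `inspect`, which are the only reason packets from OUT-ZONE ever reach IN-ZONE, since no OUT-to-IN zone-pair exists.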
Part 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE
Step 1: From internal PC-C, ping and SSH to the external PC-A server.

ssh -l admin [Link]
Password: adminpa55
R3#show policy-map type inspect zone-pair sessions

URL: [Link]
R3#show policy-map type inspect zone-pair sessions

Part 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE

Practical 7
Aim: Configure IOS Intrusion Prevention System (IPS) Using the CLI
Topology:

Step 1: Configuring IP Addresses

PC 0

PC 1

Server 0

R1

R2

R3

Step 2: Configure RIP on the routers
R1

R2

R3

Step 3: Test Connectivity

Part 1: Enable IOS IPS
Step 1: Enable the Security Technology package.
R1#show version
R1#conf t
R1(config)#license boot module c1900 technology-package securityk9
(type yes)
R1(config)#end
R1#reload
(type yes, then press Enter)
R1#show version

Step 2: Verify network connectivity.


PC 1 to PC 0

PC 0 to PC 1

Step 3: Enter these commands on Router 1
R1#mkdir ipsdir
(press Enter)
R1#conf t
R1(config)#ip ips config location flash:ipsdir
R1(config)#ip ips name iosips
R1(config)#ip ips notify log
R1(config)#exit
R1#clock set 01:10:10 19 FEB 2026
R1#conf t
R1(config)#service timestamps log datetime msec
R1(config)#ip ips signature-category
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
(press Enter)
R1(config)#int gig0/0
R1(config-if)#ip ips iosips out
R1(config-if)#end
R1#show ip ips all

Server 0 > Services > Syslog

Part 2: Modify the Signature
Step 1: Enter these commands on Router 1
R1(config)#ip ips signature-definition
R1(config-sigdef)#signature 2004 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#exit
R1(config-sigdef-sig)#engine
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#event-action deny-packet-inline
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
(press Enter)
R1#show ip ips all

Step 2: Test Connectivity.
PC 1 to PC 0

PC 0 to PC 1

Server 0 > Services > Syslog

Practical 8
Aim: Layer 2 Security
Topology:

Step 1: Configuring IP Addresses
R1

C1

C2

C3

C4

D1

D2

D3

D4

Central (Router)
Central(config)#enable secret enpa55
Central(config)#line console 0
Central(config-line)#password conpa55
Central(config-line)#login
Central(config-line)#exit
Central(config)#ip domain-name [Link]
Central(config)#username admin secret adminpa55
Central(config)#crypto key generate rsa
Central(config)#line vty 0 4
Central(config-line)#login local

SW1 (Switch)
SW1(config)#enable secret enpa55
SW1(config)#line console 0
SW1(config-line)#password conpa55
SW1(config-line)#login
SW1(config-line)#exit
SW1(config)#ip domain-name [Link]
SW1(config)#username admin secret adminpa55
SW1(config)#crypto key generate rsa
SW1(config)#line vty 0 4
SW1(config-line)#login local

SW2 (Switch)
SW2(config)#enable secret enpa55
SW2(config)#line console 0
SW2(config-line)#password conpa55
SW2(config-line)#login
SW2(config-line)#exit
SW2(config)#ip domain-name [Link]
SW2(config)#username admin secret adminpa55
SW2(config)#crypto key generate rsa
SW2(config)#line vty 0 4
SW2(config-line)#login local

SWA (Switch)
SWA(config)#enable secret enpa55
SWA(config)#line console 0
SWA(config-line)#password conpa55
SWA(config-line)#login
SWA(config-line)#exit
SWA(config)#ip domain-name [Link]
SWA(config)#username admin secret adminpa55
SWA(config)#crypto key generate rsa
SWA(config)#line vty 0 4
SWA(config-line)#login local

SWB (Switch)
SWB(config)#enable secret enpa55
SWB(config)#line console 0
SWB(config-line)#password conpa55
SWB(config-line)#login
SWB(config-line)#exit
SWB(config)#ip domain-name [Link]
SWB(config)#username admin secret adminpa55
SWB(config)#crypto key generate rsa
SWB(config)#line vty 0 4
SWB(config-line)#login local

Part 2: Configure Root Bridge
Step 1: Determine the current root bridge.
Central#show spanning-tree
SW1#show spanning-tree

Step 2: Assign Central as the primary root bridge.


Central#conf t
Central(config)#spanning-tree vlan 1 root primary
Central(config)#exit
Central#show spanning-tree

Step 3: Assign SW-1 as a secondary root bridge.


SW1#conf t
SW1(config)#spanning-tree vlan 1 root secondary
SW1(config)#exit
SW1#show spanning-tree

Part 3: Protect Against STP Attacks


Step 1: Enable PortFast on all access ports.
SWA(config)#int range fa0/1 - 4
SWA(config-if-range)#spanning-tree portfast

Step 2: Enable BPDU guard on all access ports.


SWA(config)#int range fa0/1 - 4
SWA(config-if-range)#spanning-tree bpduguard enable

Step 3: Enable root guard.


SWA(config)#int range fa0/23 - 24
SWA(config-if-range)#spanning-tree guard root

Part 4: Configure Port Security and Disable Unused Ports
Step 1: Configure basic port security on all ports connected to host devices.
SWA(config)#int range fa0/1 - 22
SWA(config-if-range)#switchport mode access
SWA(config-if-range)#switchport port-security
SWA(config-if-range)#switchport port-security maximum 2
SWA(config-if-range)#switchport port-security violation shutdown
SWA(config-if-range)#switchport port-security mac-address sticky
SWB(config)#int range fa0/1 - 22
SWB(config-if-range)#switchport mode access
SWB(config-if-range)#switchport port-security
SWB(config-if-range)#switchport port-security maximum 2
SWB(config-if-range)#switchport port-security violation shutdown
SWB(config-if-range)#switchport port-security mac-address sticky

Step 2: Verify port security.


SWA#show port-security int fa0/1
SWB#show port-security int fa0/1

Step 3: Disable unused ports.


SWA(config)#int range fa0/5 - 22
SWA(config-if-range)#shutdown
SWB(config)#int range fa0/5 - 22
SWB(config-if-range)#shutdown

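Step 1 configures port security with a maximum of two addresses, sticky learning and the shutdown violation mode. The added example below (not part of the lab or of IOS) models that behaviour so the `show port-security` fields checked in Step 2, and what happens when a third device appears on a port, can be predicted; the MAC addresses are constructed.

```python
# Added example (not part of the lab): a model of the port-security behaviour configured
# in Step 1 (maximum 2, sticky learning, violation shutdown). MAC addresses are constructed.


class SecurePort:
    def __init__(self, name: str, maximum: int = 2, violation: str = "shutdown", sticky: bool = True):
        self.name = name
        self.maximum = maximum
        self.violation = violation      # "shutdown" | "restrict" | "protect"
        self.sticky = sticky
        self.secure_macs = []           # addresses currently allowed on the port
        self.status = "Secure-up"
        self.violation_count = 0

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving with this source MAC."""
        if self.status == "Secure-shutdown":
            return "dropped (err-disabled)"          # stays down until 'shutdown' / 'no shutdown'
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)        # learned; with sticky it lands in the running-config
            return "learned and forwarded"
        if self.violation == "protect":
            return "violation: dropped"             # protect: silent drop, no counter, no log
        self.violation_count += 1
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"         # port goes err-disabled
            return "violation: port err-disabled"
        return "violation: dropped and counted"     # restrict: frame dropped, counter and log

    def running_config(self) -> list:
        """Lines 'show running-config' would hold for this port after sticky learning."""
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.secure_macs]
        return lines

    def show_port_security(self) -> dict:
        """The fields of 'show port-security interface' that Step 2 checks."""
        return {"Port Status": self.status, "Violation Mode": self.violation.capitalize(),
                "Maximum MAC Addresses": self.maximum, "Total MAC Addresses": len(self.secure_macs),
                "Security Violation Count": self.violation_count}


if __name__ == "__main__":
    port = SecurePort("FastEthernet0/1")
    for mac in ("0001.9633.0101", "0001.9633.0202", "0001.9633.0101", "0001.9633.0303"):
        print(mac, "->", port.receive(mac))
    print(port.show_port_security())
```

With sticky learning the first two addresses seen on each port are written into the running configuration, which is why Step 5 still reports them after the reload that follows a `copy run start`; a third address on the same port is a violation and, in shutdown mode, takes the port down rather than just dropping the frame.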
Step 4: Verify Connectivity

Step 5: Verify port security.
