Security in Computing Practical-1

The document outlines a series of practical exercises for configuring routers, focusing on Syslog, NTP, SSH, and AAA authentication. It includes step-by-step instructions for setting up OSPF with MD5 authentication, configuring NTP clients, enabling SSH access, and implementing extended ACLs for traffic control. Each practical section provides specific commands and verification steps to ensure successful configuration and connectivity among devices.

INFORMATION SECURITY PRACTICAL

Practical 1: Configure Routers for Syslog, NTP and SSH operation.


Topology:

Addressing Table:
Device  Interface  IP Address   Subnet Mask  Default Gateway
R1      G0/0       192.168.1.1  [Link]       N/A
R1      S0/1/0     [Link]       [Link]       N/A
R2      S0/1/0     [Link]       [Link]       N/A
R2      S0/1/1     [Link]       [Link]       N/A
R3      G0/0       192.168.3.1  [Link]       N/A
R3      S0/1/0     [Link]       [Link]       N/A
PC-A    NIC        192.168.1.5  [Link]       [Link]
PC-B    NIC        192.168.1.6  [Link]       [Link]
PC-C    NIC        192.168.3.5  [Link]       [Link]

Objectives:
▪ Configure OSPF MD5 authentication.
▪ Configure NTP.
▪ Configure routers to log messages to the syslog server.
▪ Configure R3 to support SSH connections.
■ Configure Router:

Step 1: Configure a password for the vty lines. Execute on all routers:
R(config)# line vty 0 4
R(config-line)# password vtypa55
R(config-line)# login
Step 2: Configure the enable secret. Execute on all routers:
R(config)# enable secret enpa55
Step 3: Configure OSPF on the routers
R1(config)# router ospf 1
R1(config-router)# network [Link] [Link] area 0
R1(config-router)# network [Link] [Link] area 0
R2(config)# router ospf 1
R2(config-router)# network [Link] [Link] area 0
R2(config-router)# network [Link] [Link] area 0
R3(config)# router ospf 1
R3(config-router)# network [Link] [Link] area 0
R3(config-router)# network [Link] [Link] area 0
Step 4: Test Connectivity
PC-A > ping [Link]
Successful
PC-B > ping [Link]
Successful

Part 1: Configure OSPF MD5 Authentication


Step 1: Test connectivity. All devices should be able to ping all other IP addresses.
Step 2: Configure OSPF MD5 authentication for all the routers in area 0.
R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest
R2(config)# router ospf 1
R2(config-router)# area 0 authentication message-digest
R3(config)# router ospf 1
R3(config-router)# area 0 authentication message-digest
Step 3: Configure the MD5 key for all the routers in area 0. Configure an MD5 key on the serial interfaces of R1, R2 and R3. Use the password MD5pa55 for key 1.
R1(config)# interface s0/1/0
R1(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R2(config)# interface s0/1/0
R2(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R2(config-if)# interface s0/1/1
R2(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R3(config)# interface s0/1/0
R3(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
Note: area 0 authentication message-digest turns authentication on for every interface in the area, so an interface that has an OSPF neighbour but no key loses its adjacency. The key ID and the key string must match on both ends of each link.
Step 4: Verify configurations.
a. Verify the MD5 authentication configuration with show ip ospf interface.
b. Verify end-to-end connectivity.
Every router should show:
R# show ip ospf interface
Message digest authentication enabled
Youngest key id is 1
Part 2: Configure NTP
Step 1: Enable NTP authentication on PC-A.
a. On PC-A, click NTP under the Services tab to verify NTP service is enabled.
b. To configure NTP authentication, click Enable under Authentication. Use key 1 and
password NTPpa55
for authentication.
Step 2: Configure R1, R2, and R3 as NTP clients of PC-A.
R1(config)# ntp server [Link]
R2(config)# ntp server [Link]
R3(config)# ntp server [Link]
Verify the client configuration with show ntp status (show ntp associations lists the server's stratum and reachability).
Step 3: Configure the routers to update the hardware clock. Configure R1, R2, and R3 to periodically update the hardware clock with the time learned from NTP.
R1(config)# ntp update-calendar
R2(config)# ntp update-calendar
R3(config)# ntp update-calendar
Verify that the clock was updated:
R# show clock
Step 4: Configure NTP authentication on the routers. Configure NTP authentication on R1, R2, and R3 using key 1 and the password NTPpa55.
R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
R1(config)# ntp authentication-key 1 md5 NTPpa55
R2(config)# ntp authenticate
R2(config)# ntp trusted-key 1
R2(config)# ntp authentication-key 1 md5 NTPpa55
R3(config)# ntp authenticate
R3(config)# ntp trusted-key 1
R3(config)# ntp authentication-key 1 md5 NTPpa55
Note: on production IOS the server association must also name the key (ntp server <address> key 1); once ntp authenticate is set, the router will not synchronise to an association that is not authenticated with a trusted key. The key is a shared secret used in a keyed MD5 digest, not encryption, so NTP traffic stays readable on the wire.
Step 5: Configure the routers to timestamp log messages. Execute on all routers:
R1(config)# service timestamps log datetime msec
R2(config)# service timestamps log datetime msec
R3(config)# service timestamps log datetime msec
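Both keys configured in this part (the OSPF key MD5pa55 in Part 1 and the NTP key NTPpa55 in Step 4) protect a keyed MD5 digest rather than a real MAC or any encryption. The following Python, added here as an illustration and not part of the lab handout, builds an OSPFv2 Hello and an NTP client request authenticated the way the protocols specify (RFC 2328 Appendix D and RFC 5905 section 7.3), verifies them, and then shows that one captured packet is enough to test guesses offline against a short wordlist. The packets, router ID, key IDs and wordlist are constructed for the example.

```python
"""Keyed-MD5 authentication as used by OSPFv2 (RFC 2328, Appendix D) and
NTPv4 (RFC 5905, section 7.3), with an offline dictionary check.

Added example for this lab, not part of the handout.  Packets, router
ID, key IDs and the wordlist below are constructed for illustration.
"""
import hashlib
import hmac
import struct

OSPF_KEY_LEN = 16      # OSPFv2 MD5 keys are zero-padded to 16 octets
NTP_HEADER_LEN = 48    # NTPv4 header without extension fields or MAC


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """MD5 over the OSPF packet (checksum field zero, auth field filled)
    followed by the key padded to 16 octets.  The digest is appended to
    the packet on the wire and is not counted in the length field."""
    if len(key) > OSPF_KEY_LEN:
        raise ValueError("OSPFv2 MD5 keys are at most 16 octets")
    return hashlib.md5(packet + key.ljust(OSPF_KEY_LEN, b"\x00")).digest()


def build_ospf_hello(router_id: bytes, area_id: bytes, key_id: int,
                     seq: int, key: bytes) -> bytes:
    """Minimal OSPFv2 Hello with AuType 2 (cryptographic authentication)."""
    # Hello body: network mask, hello interval, options, priority,
    # dead interval, DR, BDR, no neighbours (RFC 2328 A.3.2).
    body = struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\xfc", 10, 0x02, 1, 40,
                       b"\0\0\0\0", b"\0\0\0\0")
    length = 24 + len(body)                       # 24-octet header
    # Header: version 2, type 1 (Hello), length, router ID, area ID,
    # checksum 0 (unused with AuType 2), AuType 2.
    header = struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id, 0, 2)
    # Auth field for AuType 2: 2 zero octets, key ID, auth data length
    # (16 for MD5) and the cryptographic sequence number.
    auth = struct.pack("!HBBI", 0, key_id, OSPF_KEY_LEN, seq)
    packet = header + auth + body
    return packet + ospf_md5_digest(packet, key)


def verify_ospf_md5(frame: bytes, key: bytes) -> bool:
    """Check the trailing digest of a captured OSPF packet against a key."""
    length = struct.unpack("!H", frame[2:4])[0]
    packet, digest = frame[:length], frame[length:length + OSPF_KEY_LEN]
    return hmac.compare_digest(ospf_md5_digest(packet, key), digest)


def ntp_md5_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """NTP MAC = key ID (4 octets) || MD5(key || header).  The key is
    prepended and not padded; like OSPF this is a keyed digest, not an
    HMAC, and gives integrity only, no confidentiality."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-octet NTPv4 header")
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def build_ntp_request(key_id: int, key: bytes) -> bytes:
    """Client request (LI 0, VN 4, mode 3) with all timestamps zero."""
    header = bytes([0x23]) + b"\x00" * (NTP_HEADER_LEN - 1)
    return header + ntp_md5_mac(header, key_id, key)


def verify_ntp_mac(msg: bytes, key: bytes) -> bool:
    header, mac = msg[:NTP_HEADER_LEN], msg[NTP_HEADER_LEN:NTP_HEADER_LEN + 20]
    key_id = struct.unpack("!I", mac[:4])[0]
    return hmac.compare_digest(ntp_md5_mac(header, key_id, key), mac)


def recover_key(check, candidates):
    """Offline dictionary attack: a captured packet is a verification
    oracle, so each guess is tested locally and nothing is sent."""
    for cand in candidates:
        if check(cand.encode()):
            return cand
    return None


# Constructed wordlist; the lab keys are the kind of value it would hold.
WORDLIST = ["cisco", "ospf123", "secret", "MD5pa55", "NTPpa55"]


def demo():
    """Authenticate packets with the lab keys, then recover the keys."""
    hello = build_ospf_hello(b"\x0a\x01\x01\x01", b"\0\0\0\0", 1,
                             0x5f3e1a00, b"MD5pa55")   # router ID made up
    ntp = build_ntp_request(1, b"NTPpa55")
    return {
        "ospf_ok": verify_ospf_md5(hello, b"MD5pa55"),
        "ospf_wrong_key": verify_ospf_md5(hello, b"wrong"),
        "ospf_recovered": recover_key(lambda k: verify_ospf_md5(hello, k), WORDLIST),
        "ntp_ok": verify_ntp_mac(ntp, b"NTPpa55"),
        "ntp_recovered": recover_key(lambda k: verify_ntp_mac(ntp, k), WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The digests are cheap to compute, so a key like MD5pa55 falls to a wordlist in milliseconds; what the authentication buys is protection against an attacker who cannot guess the key, not secrecy of the key or the packet. Use long random keys, rotate them with the key ID, and prefer SHA-based key chains where the platform offers them.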

Part 3: Configure Routers to Log Messages to the Syslog Server


Step 1: Configure the routers to identify the remote host (the Syslog server) that will receive logging messages.
R1(config)# logging host [Link]
R2(config)# logging host [Link]
R3(config)# logging host [Link]
By default the messages go to UDP port 514 in clear text; logging trap <level> sets the lowest severity that is forwarded.
The router console will display a message that logging has started.
Step 2: Verify logging configuration.
Use the command R# show logging
to verify logging has been enabled.
Step 3: Examine logs of the Syslog Server.
From the Services tab of the Syslog Server’s dialogue box, select the Syslog services
button. Observe the logging messages received from the routers.
Note: Log messages can be generated on the server by executing commands on the
router. For example, entering and exiting global configuration mode will generate an
informational configuration message. You may need to click a different service and
then click Syslog again to refresh the message display.
Part 4: Configure R3 to Support SSH Connections
Step 1: Configure a domain name of [Link] on R3.
R3(config)# ip domain-name [Link]
Step 2: Configure users for login to the SSH server on R3.
Create a user ID of SSHadmin with the highest possible privilege level and a secret
password of sshpa55.
R3(config)# username SSHadmin privilege 15 secret sshpa55
Step 3: Configure the incoming vty lines on R3. Use the local user accounts for mandatory login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
Step 4: Erase existing key pairs on R3. Any existing RSA key pairs should be erased on the router.
R3(config)# crypto key zeroize rsa
Step 5: Generate the RSA key pair for R3.
The router uses the RSA key pair to authenticate itself to SSH clients and to protect the key exchange that produces the session keys; the session data itself is encrypted with those symmetric keys. Configure the RSA keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.
R3(config)# crypto key generate rsa
The name for the keys will be: [Link]
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Note: 512 bits is trivially factorable and SSH version 2 needs at least 768 bits; 1024 is the minimum this lab accepts. On production devices generate 2048 bits or more (current IOS accepts up to 4096), and zeroize and regenerate the pair if the configuration or the device is ever exposed.
Step 6: Verify the SSH configuration.
Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries are at their default values of 120 and 3.
R3# show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
R3#
Version 1.99 means the server still negotiates SSHv1 as well as SSHv2; SSHv1 is what Step 7 removes.
Step 7: Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2
Verify the SSH configuration:
R3# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 90 secs; Authentication retries: 2
R3#
Step 8: Attempt to connect to R3 via Telnet from PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via Telnet.
PC> telnet [Link]
This connection should fail because R3 has been configured to accept only SSH connections on the virtual terminal lines.
Step 9: Connect to R3 using SSH from PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via SSH. When prompted for the password, enter the password configured for the administrator, sshpa55.
PC> ssh -l SSHadmin [Link]
Password: sshpa55
Step 10: Connect to R3 using SSH from R2.
To troubleshoot and maintain R3, the administrator at the ISP must use SSH to access the router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the SSHadmin user account. When prompted for the password, enter the password configured for the administrator, sshpa55.
R2# ssh -v 2 -l SSHadmin [Link]
Password: sshpa55
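The settings this practical changes (enable secret, SSH version and retries, vty transport, local login, NTP key binding, log timestamps) are exactly what a reviewer looks for in a saved configuration, together with the access-class restriction that Practical 4 adds. The Python below is an added example, not a tool from the lab: it parses IOS configuration text (commands as typed, or show running-config output with its indentation intact) and reports which of those controls are missing. The two sample configurations and the addresses in them are constructed; example.com stands in for the lab's domain name.

```python
"""Audit the management-plane settings of an IOS configuration.

Added example, not a lab tool.  Works on config-mode commands or on
show running-config output; the sample configs below are constructed.
"""
import re


def parse_ios_config(text: str):
    """Return (global commands, {'line ...': [sub-commands]}).  IOS indents
    the commands that belong to a mode under the parent command."""
    global_cmds, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):            # sub-command of current parent
            if current is not None:
                stanzas[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            stanzas.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, stanzas


def _has(cmds, prefix):
    return any(c.startswith(prefix) for c in cmds)


def audit(text: str):
    """Return a list of findings; an empty list means nothing was flagged."""
    g, stanzas = parse_ios_config(text)
    findings = []
    if not _has(g, "enable secret"):
        findings.append("no enable secret (enable password is reversible or clear text)")
    if not _has(g, "ip ssh version 2"):
        findings.append("ip ssh version 2 not set: show ip ssh reports 1.99 and SSHv1 is negotiable")
    retries = next((c for c in g if c.startswith("ip ssh authentication-retries ")), None)
    if retries is None or int(retries.split()[-1]) >= 3:
        findings.append("ssh authentication retries left at the default of 3")
    if _has(g, "ntp authenticate") and not any(
            re.match(r"ntp (server|peer) \S+ .*\bkey \d+", c) for c in g):
        findings.append("ntp authenticate set but no ntp server/peer binds a key")
    if not _has(g, "service timestamps log datetime"):
        findings.append("log messages are not timestamped")
    for name, cmds in stanzas.items():
        if not name.startswith("line vty"):
            continue
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input not restricted to ssh (telnet accepted)")
        if not _has(cmds, "access-class"):
            findings.append(f"{name}: no access-class, vty reachable from any source")
        if not ("login local" in cmds or _has(cmds, "login authentication")):
            findings.append(f"{name}: shared line password only, no per-user login")
    return findings


# Constructed: R3 after the initial "Configure Router" steps and Part 2.
BEFORE = """\
hostname R3
enable secret enpa55
ntp server 192.0.2.5
ntp authenticate
ntp trusted-key 1
ntp authentication-key 1 md5 NTPpa55
service timestamps log datetime msec
logging host 192.0.2.6
line vty 0 4
 password vtypa55
 login
"""

# Constructed: R3 after Part 4, with the NTP key bound and an access-class.
AFTER = """\
hostname R3
ip domain-name example.com
enable secret enpa55
username SSHadmin privilege 15 secret sshpa55
ntp server 192.0.2.5 key 1
ntp authenticate
ntp trusted-key 1
ntp authentication-key 1 md5 NTPpa55
service timestamps log datetime msec
logging host 192.0.2.6
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
access-list 10 permit host 192.0.2.7
line vty 0 4
 login local
 transport input ssh
 access-class 10 in
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or ["no findings"])
```

Run it on a device's saved configuration before sign-off; the checks are string-level on purpose so that they work on any IOS image, and every finding names the line it refers to so the fix maps straight back to the steps above.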

Practical 2: Configure AAA Authentication on Cisco routers


Topology:

Addressing Table:
Device  Interface  IP Address  Subnet Mask    Default Gateway
R1      gig0/0     [Link]      255.255.255.0  N/A
PC0     NIC        [Link]      255.255.255.0  [Link]
PC1     NIC        [Link]      255.255.255.0  [Link]
Objectives:
▪ Configure a local user account on R1 and configure authentication on the console and vty lines using local AAA.
▪ Verify local AAA authentication from the R1 console and from the PC0 and PC1 clients.
■ Configure Router:

Step 1: Configure a password for the vty lines
R1(config)# line vty 0 4
R1(config-line)# password vtypa55
R1(config-line)# login
Step 2: Configure the enable secret on the router
R1(config)# enable secret enpa55
Step 3: Configure OSPF on the router
R1(config)# router ospf 1
R1(config-router)# network [Link] [Link] area 0
Step 4: Configure OSPF MD5 authentication for area 0
R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest
Step 5: Configure the MD5 key
R1(config)# int gig0/0
R1(config-if)# ip ospf message-digest-key 1 md5 pa55
Step 6: Verify configurations.
a. Verify the MD5 authentication configuration with show ip ospf interface.
b. Verify end-to-end connectivity.
R1# show ip ospf interface
Message digest authentication enabled
Youngest key id is 1

Part 1: Configure Local AAA Authentication for Console Access on R1


Step 1: Test connectivity
PC0> ping [Link]
Successful
PC1> ping [Link]
Successful
Step 2: Configure a local username on R1
R1(config)# username admin secret adminpa55
Step 3: Configure local AAA authentication for console access on R1.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
Note: as soon as aaa new-model is entered, the default method list applies to every line and the vty password from Step 1 is no longer consulted. Create the local user (Step 2) before enabling AAA, and keep the console session open until the new login has been verified, otherwise the router can lock you out.
Step 4: Configure the console line to use the defined AAA authentication method.
R1(config)# line console 0
R1(config-line)# login authentication default
Step 5: Verify the AAA authentication method. Leave configuration mode, log out of the console and log back in.
R1(config-line)# end
R1# exit
User Access Verification
Username: admin
Password: adminpa55
R1>

Part 2: Configure Local AAA Authentication for vty Lines on R1


Step 1: Configure a domain name and crypto key for use with SSH.
R1(config)# ip domain-name [Link]
R1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
Step 2: Configure a named AAA authentication method list for the vty lines on R1.
R1(config)# aaa authentication login SSH-LOGIN local
Step 3: Configure the vty lines to use the defined AAA authentication method.
R1(config)# line vty 0 4
R1(config-line)# login authentication SSH-LOGIN
R1(config-line)# transport input ssh
R1(config-line)# end
Step 4: Verify the AAA authentication method.
PC0> ssh -l admin [Link]
Password: adminpa55
R1>
PC1> ssh -l admin [Link]
Password: adminpa55
R1>

Practical 3: Configuring Extended ACLs


A]
Topology:

Addressing Table:
Device  Interface  IP Address  Subnet Mask  Default Gateway
R1      gig0/0     [Link]      [Link]       N/A

Objectives:
▪ Configure, apply and verify an extended numbered ACL
▪ Configure, apply and verify an extended named ACL
Scenario:
o PC1 should be allowed only FTP access to the server
o PC2 should be allowed only web access to the server
o Both PCs must be able to ping the server but not each other
■ Configure Router:
Step 1: Configure a password for the vty lines
R1(config)# line vty 0 4
R1(config-line)# password vtypa55
R1(config-line)# login
Step 2: Configure the enable secret on the router
R1(config)# enable secret enpa55
Part 1: Configure, Apply and Verify an Extended Numbered ACL
Step 1: Configure an ACL to permit FTP and ICMP. (Use a 2911 router.)
R1(config)# access-list 100 permit tcp [Link] [Link] host [Link] eq ftp
R1(config)# access-list 100 permit icmp [Link] [Link] host [Link]
Everything else from PC1's network is dropped by the implicit deny at the end of the list. Note that eq ftp matches only the control channel (TCP/21); passive-mode data connections to ephemeral ports on the server would also be dropped. The lab's FTP test still succeeds, but a real client may need further permits.
Step 2: Apply the ACL on the correct interface to filter traffic.
R1(config)# int gig 0/0
R1(config-if)# ip access-group 100 in
Step 3: Verify the ACL implementation.
a. Ping from PC1 to Server.
PC1> ping [Link]
(Successful)
b. FTP from PC1 to Server. The username and password are both cisco.
PC1> ftp [Link]
c. Exit the FTP service of the Server.
ftp> quit
d. Ping from PC1 to PC2.
PC1> ping [Link]
(Unsuccessful) destination host unreachable

Part 2: Configure, Apply and Verify an Extended Named ACL

Step 1: Configure an ACL to permit HTTP access and ICMP.
R1(config)# ip access-list extended HTTP_ONLY
R1(config-ext-nacl)# permit tcp [Link] [Link] host [Link] eq www
R1(config-ext-nacl)# permit icmp [Link] [Link] host [Link]
Step 2: Apply the ACL on the correct interface to filter traffic.
R1(config)# int gig0/1
R1(config-if)# ip access-group HTTP_ONLY in
Step 3: Verify the ACL implementation.
a. Ping from PC2 to the Server.
PC2> ping [Link]
(Successful)
b. FTP from PC2 to the Server.
PC2> ftp [Link]
(Unsuccessful)
c. Open the web browser on PC2. URL -> [Link]
(Successful)
d. Ping from PC2 to PC1.
PC2> ping [Link]
(Unsuccessful)
B]
Topology:

Addressing Table:
Device  Interface  IP Address  Subnet Mask      Default Gateway
RTA     gig0/0     [Link]      255.255.255.248  N/A
RTA     gig0/1     [Link]      255.255.255.240  N/A
RTA     gig0/2     [Link]      255.255.255.224  N/A
PCA     NIC        [Link]      255.255.255.248  [Link]
PCB     NIC        [Link]      255.255.255.240  [Link]
SWA     VLAN 1     [Link]      255.255.255.248  [Link]
SWB     VLAN 1     [Link]      255.255.255.240  [Link]
SWC     VLAN 1     [Link]      255.255.255.224  [Link]
Objectives:
▪ Configure, apply and verify an extended numbered ACL
Scenario:
o Devices on one LAN are allowed to remotely access devices in another LAN using the SSH protocol
o Besides ICMP, all other traffic from the other network is denied
■ Configure Switch and Router:

Step 1: Configure the IP address on each switch
SWA(config)# int vlan 1
SWA(config-if)# ip address [Link] [Link]
SWA(config-if)# no shut
SWA(config-if)# exit
SWA(config)# ip default-gateway [Link]
SWB(config)# int vlan 1
SWB(config-if)# ip address [Link] [Link]
SWB(config-if)# no shut
SWB(config-if)# exit
SWB(config)# ip default-gateway [Link]
SWC(config)# int vlan 1
SWC(config-if)# ip address [Link] [Link]
SWC(config-if)# no shut
SWC(config-if)# exit
SWC(config)# ip default-gateway [Link]
(ip default-gateway is a global configuration command, not an interface command.)
Step 2: Configure the enable secret on the router and switches
RTA/SW(config)# enable secret enpa55
Step 3: Configure the console password on the router and switches
RTA/SW(config)# line console 0
RTA/SW(config-line)# password tyit
RTA/SW(config-line)# login
Step 4: Test connectivity
Ping from PCA to PCB.
PCA> ping [Link]
(Successful)
Ping from PCA to SWC.
PCA> ping [Link]
(Successful)
Ping from PCB to SWC.
PCB> ping [Link]
(Successful)

Part 1: Configure Switch and Router to Support SSH Connections

Step 1: Configure the domain name and crypto key for use with SSH.
RTA/SW(config)# ip domain-name [Link]
RTA/SW(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
Step 2: Configure a user to log in over SSH
RTA/SW(config)# username admin secret adminpa55
Step 3: Configure the incoming vty lines
RTA/SW(config)# line vty 0 4
RTA/SW(config-line)# login local
As configured here the lines still accept Telnet as well as SSH; restrict them with transport input ssh, as in Practical 1 Part 4, if only SSH should be reachable.
Step 4: Verify the SSH connections
PCA> ssh -l admin [Link]
Password: adminpa55
SWB>
PCA> ssh -l admin [Link]
Password: adminpa55
SWC>
PCB> ssh -l admin [Link]
Password: adminpa55
SWA>
PCB> ssh -l admin [Link]
Password: adminpa55
SWC>
SWC> ssh -l admin [Link]
Password: adminpa55
SWA>
SWC> ssh -l admin [Link]
Password: adminpa55
SWB>
SWB> exit

Part 2: Configure, Apply and Verify an Extended Numbered ACL

Step 1: Configure the extended ACL.
RTA(config)# access-list 199 permit tcp [Link] [Link] [Link] [Link] eq 22
RTA(config)# access-list 199 permit icmp any any
Step 2: Apply the extended ACL.
RTA(config)# int gig0/2
RTA(config-if)# ip access-group 199 out
Applied outbound on the interface facing SWC's LAN, the list filters only traffic heading into that LAN: SSH (TCP/22) from the permitted source LAN and ICMP from anywhere pass, and everything else is dropped by the implicit deny. Traffic between the other two LANs is not affected.
Step 3: Verify the extended ACL implementation.
a. Ping from PCB to all of the other IP addresses in the network.
PCB> ping [Link]
(Successful)
PCB> ping [Link]
(Successful)
b. SSH from PCB to SWC.
PCB> ssh -l admin [Link]
Password: adminpa55
SWC>
c. Exit the SSH session to SWC.
SWC> exit
d. Ping from PCA to all of the other IP addresses in the network.
PCA> ping [Link]
(Successful)
PCA> ping [Link]
(Successful)
e. SSH from PCA to SWC.
PCA> ssh -l admin [Link]
Connection timed out. Remote host not responding
f. SSH from PCA to SWB.
PCA> ssh -l admin [Link]
Password: adminpa55
SWB>
g. After logging into SWB, do not log out. SSH to SWC from privileged EXEC mode.
SWB# ssh -l admin [Link]
Password: adminpa55
SWC>
This second hop succeeds because the session from SWB originates in the permitted LAN. A source-address ACL cannot distinguish a legitimate SWB user from someone who reached SWB first, which is why management access should also be restricted on the target itself (for example with access-class on its vty lines) and not only in transit.
Practical 4: Configure IP ACLs to Mitigate Attacks

A]
Topology:

Addressing Table:
Device  Interface      IP Address  Subnet Mask  Default Gateway
R1      gig0/0         [Link]      [Link]       N/A
R1      Se0/1/0 (DCE)  [Link]      [Link]       N/A
R2      Se0/1/0        [Link]      [Link]       N/A
R2      Se0/1/1 (DCE)  [Link]      [Link]       N/A
R2      Lo0            [Link]      [Link]       N/A
R3      gig0/0         [Link]      [Link]       N/A
R3      Se0/1/0        [Link]      [Link]       N/A
PC-A    Fa0            [Link]      [Link]       [Link]
PC-C    Fa0            [Link]      [Link]       [Link]

Objectives:
• Verify connectivity among devices before firewall configuration.
• Use ACLs to ensure remote access to the routers is available only from management station PC-C.
• Configure ACLs on R1 and R3 to mitigate attacks.
• Verify ACL functionality.
■ Configure Router:
Step 1: Configure the enable secret on each router
R(config)# enable secret enpa55
Step 2: Configure the console password on each router
R(config)# line console 0
R(config-line)# password conpa55
R(config-line)# login
Step 3: Configure SSH login on each router. Execute on all routers:
R(config)# ip domain-name [Link]
R(config)# username admin secret adminpa55
R(config)# line vty 0 4
R(config-line)# login local
R(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
Step 4: Configure the loopback address on Router 2
R2(config)# int loopback 0
R2(config-if)# ip address [Link] [Link]
R2(config-if)# no shut
Step 5: Configure static routing on the routers
R1(config)# ip route [Link] [Link] [Link]
R1(config)# ip route [Link] [Link] [Link]
R1(config)# ip route [Link] [Link] [Link]
R2(config)# ip route [Link] [Link] [Link]
R2(config)# ip route [Link] [Link] [Link]
R3(config)# ip route [Link] [Link] [Link]
R3(config)# ip route [Link] [Link] [Link]
R3(config)# ip route [Link] [Link] [Link]

Part 2: Verify Basic Network Connectivity

Step 1: From PC-A, verify connectivity to PC-C and R2.
PCA> ping [Link]
(Successful)
PCA> ping [Link]
(Successful)
PCA> ssh -l admin [Link]
Password: adminpa55
R2> exit
Step 2: From PC-C, verify connectivity to PC-A and R2.
PCC> ping [Link]
(Successful)
PCC> ping [Link]
(Successful)
PCC> ssh -l admin [Link]
Password: adminpa55
R2> exit
Open a web browser to the PC-A server ([Link]) to display the web page. Close the browser when done.
Desktop -> Web Browser -> [Link] (Successful)

Part 3: Secure Access to Routers

Step 1: Configure ACL 10 to block all remote access to the routers except from PC-C. Execute on all routers:
R(config)# access-list 10 permit host [Link]
Step 2: Apply ACL 10 to ingress traffic on the vty lines. Execute on all routers:
R(config)# line vty 0 4
R(config-line)# access-class 10 in
access-class filters connections to the router's own vty lines whichever interface they arrive on, which an interface ACL applied with ip access-group cannot do in one place; the standard ACL's implicit deny drops every other source. Apply it to every vty line the platform has (line vty 0 15 on many images), otherwise the unfiltered lines remain reachable.
Step 3: Verify exclusive access from management station PC-C.
PCC> ssh -l admin [Link]
Password: adminpa55
R2> exit
Step 4: Verify denial from PC-A.
PCA> ssh -l admin [Link]
Connection refused by remote host

Part 4: Create a Numbered IP ACL 120 on R1

Step 1: Verify that PC-C can access PC-A via HTTPS using the web browser. Be sure to disable HTTP and enable HTTPS on server PC-A in the Services tab.
Step 2: Configure ACL 120 to specifically permit and deny the specified traffic.
R1(config)# access-list 120 permit udp any host [Link] eq domain
R1(config)# access-list 120 permit tcp any host [Link] eq smtp
R1(config)# access-list 120 permit tcp any host [Link] eq ftp
R1(config)# access-list 120 deny tcp any host [Link] eq 443
R1(config)# access-list 120 permit tcp host [Link] host [Link] eq 22
Entries are evaluated top to bottom and the first match wins; anything that matches no entry is dropped by the implicit deny, so at this point only DNS, SMTP, FTP and SSH from PC-C can reach PC-A from the serial side.
Step 3: Apply the ACL to the interface
R1(config)# int se0/1/0
R1(config-if)# ip access-group 120 in
Step 4: Verify that PC-C cannot access PC-A via HTTPS using the web browser.
Desktop -> Web Browser -> [Link] (Unsuccessful) Request timed out

Part 5: Modify an Existing ACL on R1

Step 1: Verify that PC-A cannot successfully ping the loopback interface on R2.
PCA> ping [Link]
(Unsuccessful) Request timed out
The echo request leaves R1 unfiltered, but the echo reply from R2 arrives inbound on Se0/1/0, matches no entry in ACL 120 and is dropped by the implicit deny.
Step 2: Make the necessary changes to ACL 120 to permit and deny the specified traffic.
R1(config)# access-list 120 permit icmp any any echo-reply
R1(config)# access-list 120 permit icmp any any unreachable
R1(config)# access-list 120 deny icmp any any
R1(config)# access-list 120 permit ip any any
Entries added with the access-list command are appended after the existing ones; to insert an entry at a particular position, edit the list with ip access-list extended 120 and a sequence number. Because the deny for TCP/443 still precedes the final permit ip any any, HTTPS to PC-A stays blocked, but that final permit now admits every other protocol, including SSH to PC-A from hosts other than PC-C.
Step 3: Verify that PC-A can successfully ping the loopback interface on R2.
PCA> ping [Link]
(Successful)
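The behaviour of ACL 120 before and after Part 5 (and of ACL 100 in Practical 3) follows from first-match evaluation with an implicit deny, which is easy to check by replaying packets against the list. The Python below is an added example, not part of the handout: it parses extended-ACL entries in the IOS syntax used in these practicals (wildcard masks, host and any, eq with port keywords or numbers, ICMP type keywords) and evaluates sample packets as they would arrive inbound on R1 Se0/1/0. The lab's real addresses are not preserved in the source, so documentation ranges stand in for them: R2 Lo0 192.0.2.1, PC-A 198.51.100.3, PC-C 203.0.113.3 and a second outside host 203.0.113.9.

```python
"""First-match evaluation of Cisco extended IPv4 ACLs.

Added example, not part of the handout.  Addresses are RFC 5737
documentation ranges standing in for the lab's: R2 Lo0 192.0.2.1,
PC-A 198.51.100.3, PC-C 203.0.113.3, another outside host 203.0.113.9.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80}   # eq keywords used here


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0             # TCP/UDP destination port
    icmp_type: str = ""        # IOS keyword: "echo", "echo-reply", "unreachable"


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: tuple                 # (address, wildcard) as ints
    dst: tuple
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr(tok, i):
    """Parse 'any', 'host A' or 'A W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2


def parse_ace(line: str) -> Ace:
    """Parse the text after 'access-list <n>' in an extended ACL entry."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    dport = icmp_type = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    elif i < len(tok) and proto == "icmp":
        icmp_type = tok[i]
    return Ace(action, proto, src, dst, dport, icmp_type)


def _in_range(rng, ip):
    base, wild = rng
    # Wildcard bit 1 means "don't care": compare only where it is 0.
    return (int(IPv4Address(ip)) & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_in_range(ace.src, pkt.src) and _in_range(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """Return (action, entry index); index None is the implicit deny."""
    for idx, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, idx
    return "deny", None


ACL_120_PART4 = [parse_ace(l) for l in [
    "permit udp any host 198.51.100.3 eq domain",
    "permit tcp any host 198.51.100.3 eq smtp",
    "permit tcp any host 198.51.100.3 eq ftp",
    "deny tcp any host 198.51.100.3 eq 443",
    "permit tcp host 203.0.113.3 host 198.51.100.3 eq 22",
]]
# Part 5 appends its four entries to the end of the numbered list.
ACL_120_PART5 = ACL_120_PART4 + [parse_ace(l) for l in [
    "permit icmp any any echo-reply",
    "permit icmp any any unreachable",
    "deny icmp any any",
    "permit ip any any",
]]

# Constructed packets as they would arrive inbound on R1 Se0/1/0.
ECHO_REPLY = Packet("icmp", "192.0.2.1", "198.51.100.3", icmp_type="echo-reply")
ECHO_REQ = Packet("icmp", "203.0.113.3", "198.51.100.3", icmp_type="echo")
HTTPS = Packet("tcp", "203.0.113.3", "198.51.100.3", 443)
SSH_PCC = Packet("tcp", "203.0.113.3", "198.51.100.3", 22)
SSH_OTHER = Packet("tcp", "203.0.113.9", "198.51.100.3", 22)


def decisions():
    """Action taken for each sample packet before and after Part 5."""
    return {
        "part4_echo_reply": evaluate(ACL_120_PART4, ECHO_REPLY)[0],
        "part5_echo_reply": evaluate(ACL_120_PART5, ECHO_REPLY)[0],
        "part5_echo_request": evaluate(ACL_120_PART5, ECHO_REQ)[0],
        "part5_https": evaluate(ACL_120_PART5, HTTPS)[0],
        "part4_ssh_other": evaluate(ACL_120_PART4, SSH_OTHER)[0],
        "part5_ssh_other": evaluate(ACL_120_PART5, SSH_OTHER)[0],
        "part5_ssh_pcc": evaluate(ACL_120_PART5, SSH_PCC)[0],
    }


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name}: {action}")
```

The replay reproduces the lab's observations (the echo reply is dropped by the implicit deny before Part 5 and permitted afterwards, HTTPS stays blocked) and makes the side effect explicit: after Part 5 the SSH packet from 203.0.113.9 is permitted by the last entry, so the entry that limited SSH to PC-C no longer restricts anything. Put a specific deny before a trailing permit ip any any, or leave the implicit deny in place, when that restriction is intended.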

Part 6: Create a Numbered IP ACL 110 on R3

Step 1: Configure ACL 110 to permit only traffic from the inside network.
R3(config)# access-list 110 permit ip [Link] [Link] any
Step 2: Apply the ACL inbound on R3's LAN interface (gig0/0 in the addressing table above), so that packets entering from the LAN with a source address outside the inside network are dropped.
R3(config)# int gig0/0
R3(config-if)# ip access-group 110 in

Part 7: Create a Numbered IP ACL 100 on R3

Step 1: Configure ACL 100 to block the specified traffic from the outside network.
R3(config)# access-list 100 permit tcp [Link] [Link] host [Link] eq 22
R3(config)# access-list 100 deny ip [Link] [Link] any
R3(config)# access-list 100 deny ip [Link] [Link] any
R3(config)# access-list 100 deny ip [Link] [Link] any
R3(config)# access-list 100 deny ip [Link] [Link] any
R3(config)# access-list 100 deny ip [Link] [Link] any
R3(config)# access-list 100 permit ip any any
The deny entries follow the usual anti-spoofing pattern: each blocks a source range that has no business arriving on the outside interface, and the SSH permit is placed first so that the permitted management path is not caught by them.
Step 2: Apply the ACL to the interface
R3(config)# interface se0/1/0
R3(config-if)# ip access-group 100 in
Step 3: Confirm that the specified traffic entering the Serial interface is handled correctly.
PCC> ping [Link]
(Unsuccessful)
PCC> ssh -l admin [Link]
Password: adminpa55
R2> exit

B]
Topology:

Addressing Table:
Device  Interface  IPv6 Address/Prefix   Link-Local / Default Gateway
PC1     NIC        2001:DB8:1:10::10/64  FE80::1
PC2     NIC        2001:DB8:1:11::11/64  FE80::1
R1      gig0/0     2001:DB8:1:10::1/64   FE80::1
R1      se0/1/0    2001:DB8:1:1::1/64    FE80::1
R1      gig0/1     2001:DB8:1:11::1/64   FE80::1
R2      se0/1/0    2001:DB8:1:1::2/64    FE80::2
R2      se0/1/1    2001:DB8:1:2::2/64    FE80::2
R3      gig0/0     2001:DB8:1:30::1/64   FE80::3
R3      se0/1/0    2001:DB8:1:2::1/64    FE80::3
Server  NIC        2001:DB8:1:30::30/64  FE80::3
(For the routers the last column is the link-local address configured on each interface; for the hosts it is the default gateway.)

Objectives:
• Configure, apply, and verify an IPv6 ACL
• Configure, apply, and verify a second IPv6 ACL
■ Configure Router:
Step 1: Configure the enable secret. Execute on all routers:
R(config)# enable secret enpa55
Step 2: Assign static IPv6 addresses
R1(config)# int gig0/0
R1(config-if)# ipv6 address 2001:DB8:1:10::1/64
R1(config-if)# ipv6 address FE80::1 link-local
R1(config-if)# no shut
R1(config)# int gig0/1
R1(config-if)# ipv6 address 2001:DB8:1:11::1/64
R1(config-if)# ipv6 address FE80::1 link-local
R1(config-if)# no shut
R1(config)# int se0/1/0
R1(config-if)# ipv6 address 2001:DB8:1:1::1/64
R1(config-if)# ipv6 address FE80::1 link-local
R1(config-if)# no shut
R2(config)# int se0/1/0
R2(config-if)# ipv6 address 2001:DB8:1:1::2/64
R2(config-if)# ipv6 address FE80::2 link-local
R2(config-if)# no shut
R2(config)# int se0/1/1
R2(config-if)# ipv6 address 2001:DB8:1:2::2/64
R2(config-if)# ipv6 address FE80::2 link-local
R2(config-if)# no shut
R3(config)# int gig0/0
R3(config-if)# ipv6 address 2001:DB8:1:30::1/64
R3(config-if)# ipv6 address FE80::3 link-local
R3(config-if)# no shut
R3(config)# int se0/1/0
R3(config-if)# ipv6 address 2001:DB8:1:2::1/64
R3(config-if)# ipv6 address FE80::3 link-local
R3(config-if)# no shut
Step 3: Enable IPv6 routing and configure static routes
R1(config)# ipv6 unicast-routing
R1(config)# ipv6 route 2001:DB8:1:2::0/64 2001:DB8:1:1::2
R1(config)# ipv6 route 2001:DB8:1:30::0/64 2001:DB8:1:1::2
R2(config)# ipv6 unicast-routing
R2(config)# ipv6 route 2001:DB8:1:10::0/64 2001:DB8:1:1::1
R2(config)# ipv6 route 2001:DB8:1:11::0/64 2001:DB8:1:1::1
R2(config)# ipv6 route 2001:DB8:1:30::0/64 2001:DB8:1:2::1
R3(config)# ipv6 unicast-routing
R3(config)# ipv6 route 2001:DB8:1:10::0/64 2001:DB8:1:2::2
R3(config)# ipv6 route 2001:DB8:1:11::0/64 2001:DB8:1:2::2
R3(config)# ipv6 route 2001:DB8:1:1::0/64 2001:DB8:1:2::2
Step 4: Verify connectivity
PC1> ping 2001:DB8:1:30::30
(Successful)
PC2> ping 2001:DB8:1:30::30
(Successful)

Part 2: Configure, Apply, and Verify an IPv6 ACL
Step 1: Configure an ACL that will block HTTP and HTTPS access.
R1(config)# ipv6 access-list BLOCK_HTTP
R1(config-ipv6-acl)# deny tcp any host 2001:DB8:1:30::30 eq www
R1(config-ipv6-acl)# deny tcp any host 2001:DB8:1:30::30 eq 443
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# exit
Step 2: Apply the ACL to the correct interface.
R1(config)# int gig0/1
R1(config-if)# ipv6 traffic-filter BLOCK_HTTP in
Applied inbound on gig0/1, the filter affects only PC2's LAN; PC1 on gig0/0 is untouched.
Step 3: Verify the ACL implementation
On PC1, open a web browser to the server. Desktop -> Web Browser -> [Link]
(Successful)
Desktop -> Web Browser -> [Link] (Successful)
On PC2, open a web browser to the server. Desktop -> Web Browser -> [Link]
(Unsuccessful) - Request Timeout
Desktop -> Web Browser -> [Link] (Unsuccessful) - Request Timeout
PC2> ping 2001:DB8:1:30::30
(Successful)

Part 3: Configure, Apply, and Verify a Second IPv6 ACL

Step 1: Create an access list to block ICMP.
R3(config)# ipv6 access-list BLOCK_ICMP
R3(config-ipv6-acl)# deny icmp any any
R3(config-ipv6-acl)# permit ipv6 any any
R3(config-ipv6-acl)# exit
Step 2: Apply the ACL to the correct interface.
R3(config)# int gig0/0
R3(config-if)# ipv6 traffic-filter BLOCK_ICMP out
Step 3: Verify that the proper access list functions.
PC2> ping 2001:DB8:1:30::30
(Unsuccessful) - Destination host unreachable
PC1> ping 2001:DB8:1:30::30
(Unsuccessful) - Destination host unreachable
On PC1, open a web browser to the server. Desktop -> Web Browser -> [Link]
(Successful)
Desktop -> Web Browser -> [Link] (Successful)
Note: the web tests still pass because an outbound traffic-filter does not apply to packets the router itself originates, so R3's own Neighbor Discovery toward the server is unaffected. A blanket deny icmp any any in IPv6 also drops Packet Too Big and the other error messages that hosts rely on, which breaks path MTU discovery; outside the lab, permit the needed ICMPv6 types explicitly before denying the rest.

Practical 5: Configuring a Zone-Based Policy Firewall (ZPF)

A]
Topology:

Addressing Table:
Device  Interface      IP Address  Subnet Mask  Default Gateway
R1      gig0/0         [Link]      [Link]       N/A
R1      Se0/1/0 (DCE)  [Link]      [Link]       N/A
R2      Se0/1/0        [Link]      [Link]       N/A
R2      Se0/1/1 (DCE)  [Link]      [Link]       N/A
R3      gig0/0         [Link]      [Link]       N/A
R3      Se0/1/0        [Link]      [Link]       N/A
PC-A    NIC            [Link]      [Link]       [Link]
PC-C    NIC            [Link]      [Link]       [Link]

Objectives:
∙ Verify connectivity among devices before firewall configuration.
∙ Configure a zone-based policy firewall (ZPF) on R3.
∙ Verify ZPF firewall functionality using ping, SSH, and a web browser.
■ Configure Router:
Step 1: Configure the console password. Execute on all routers:
R(config)# line console 0
R(config-line)# password conpa55
R(config-line)# login
Step 2: Configure a password for the vty lines. Execute on all routers:
R(config)# line vty 0 4
R(config-line)# password vtypa55
R(config-line)# login
Step 3: Configure the enable secret
R(config)# enable secret enpa55
Step 4: Configure SSH login. Execute on all routers:
R(config)# ip domain-name [Link]
R(config)# username admin secret adminpa55
R(config)# line vty 0 4
R(config-line)# login local
R(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
Step 5: Configure static routing on the routers. Execute on all routers, one route per remote network:
R(config)# ip route <destination-network> <subnet-mask> <next-hop-address>

Part 2: Verify Basic Network Connectivity
Step 1: Check connectivity from PC-A to PC-C
PCA> ping [Link]
(Successful)
Step 2: Access R2 using SSH.
PCC> ssh -l admin [Link]
Password: adminpa55
R2> exit
Step 3: From PC-C, open a web browser to the PC-A server. Desktop -> Web Browser
URL: [Link]
(Successful)
Part 3: Create the Firewall Zones on R3
Step 1: Check whether the Security Technology package is enabled
R3# show version
Step 2: Enable the Security Technology package
R3(config)# license boot module c1900 technology-package securityk9
Step 3: Save the running-config and reload the router
R3# copy run start
R3# reload
Step 4: Verify that the Security Technology package is now enabled
R3# show version
Step 5: Create an internal zone.
R3(config)# zone security IN-ZONE
R3(config-sec-zone)# exit
Step 6: Create an external zone.
R3(config)# zone security OUT-ZONE
R3(config-sec-zone)# exit
Part 4: Identify Traffic Using a Class-Map
Step 1: Create an ACL that defines internal traffic.
R3(config)# access-list 101 permit ip [Link] [Link] any
Step 2: Create a class map referencing the internal traffic ACL
R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)# match access-group 101
R3(config-cmap)# exit
Part 5: Specify Firewall Policies
Step 1: Create a policy map to determine what to do with matched traffic.
R3(config)# policy-map type inspect IN-2-OUT-PMAP
Step 2: Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP
Step 3: Specify the action of inspect for this policy map.
R3(config-pmap-c)# inspect
R3(config-pmap-c)# exit
R3(config-pmap)# exit
Part 6: Apply Firewall Policies
Step 1: Create a pair of zones.
R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
Step 2: Specify the policy map for handling the traffic between the two zones.
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit
R3(config)#
Step 3: Assign interfaces to the appropriate security zones.
R3(config)# int g0/0
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# int s0/1/0
R3(config-if)# zone-member security OUT-ZONE
R3(config-if)# exit
Only the IN-ZONE to OUT-ZONE pair has a policy. Traffic between two zones that have no zone-pair is dropped by default, so OUT-ZONE to IN-ZONE is blocked except for the return traffic of sessions that inspect has recorded in the state table.
Step 4: Copy the running configuration to the startup configuration.
R3# copy run start
R3# reload
(The reload is not required for the zone policy to take effect; it only confirms that the saved configuration comes back up intact.)
Part 7: Test Firewall Functionality from IN-ZONE to OUT-ZONE
Step 1: From internal PC-C, ping the external PC-A server.
PCC> ping [Link]
(Successful)
Step 2: Access R2 using SSH.
PCC> ssh -l admin [Link]
Password: adminpa55
R2>
Step 3: View established sessions
R3# show policy-map type inspect zone-pair sessions
Session 175216232 ([Link]:1028)=>([Link]:22) tcp SIS_OPEN/TCP_ESTAB
Step 4: From PC-C, exit the SSH session on R2 and close the command prompt window.
R2> exit
Step 5: From internal PC-C, open a web browser to the PC-A server web page.
Desktop -> Web Browser URL: [Link]
(Successful)
Step 6: View established sessions
R3# show policy-map type inspect zone-pair sessions
Session 565266624 ([Link]:1031)=>([Link]:80) tcp SIS_OPEN/TCP_ESTAB
Part 8: Test Firewall Functionality from OUT-ZONE to IN-ZONE
Step 1: From external PC-A, ping the internal PC-C.
PCA> ping [Link]
(Unsuccessful - Request timed out)
Step 2: From R2, ping PC-C.
R2# ping [Link]
(Unsuccessful - Request timed out)

Practical 6: Configure IOS Intrusion Prevention System (IPS) Using the CLI
Topology:

Addressing Table:
Device  Interface  IP Address  Subnet Mask    Default Gateway
R1      gig0/0     [Link]      255.255.255.0  N/A
R1      Se0/1/0    [Link]      [Link]         N/A
R2      Se0/1/0    [Link]      [Link]         N/A
R2      Se0/1/1    [Link]      [Link]         N/A
R3      gig0/0     [Link]      255.255.255.0  N/A
R3      Se0/1/0    [Link]      [Link]         N/A
Syslog  NIC        [Link]      255.255.255.0  [Link]

Objectives:
• Enable IOS IPS.
• Configure logging.
• Modify an IPS signature.
• Verify IPS.

Part 1: Configure router
Step 1: Configure secret on router
Execute command on all routers
R(config)# enable secret enpa55
Step 2: Configure console password on router
Execute command on all routers
R(config)# line console 0
R(config-line)# password conpa55
R(config-line)# login
Step 3: Configure SSH login on router
Execute command on all routers
R(config)# ip domain-name [Link]
R(config)# username admin secret adminpa55
R(config)# line vty 0 4
R(config-line)# login local
R(config-line)# exit
R(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
Step 4: Configure OSPF on routers
Execute command on router 1
R1(config)# router ospf 1
R1(config-router)# network [Link] [Link] area 0
R1(config-router)# network [Link] [Link] area 0
Execute command on router 2
R2(config)# router ospf 1
R2(config-router)# network [Link] [Link] area 0
R2(config-router)# network [Link] [Link] area 0
Execute command on router 3
R3(config)# router ospf 1
R3(config-router)# network [Link] [Link] area 0
R3(config-router)# network [Link] [Link] area 0

Part 2: Enable IOS IPS
Step 1: Enable the Security Technology package
R1# show version
(The output that show version produces here is referred to again in later practicals.)
R1(config)# license boot module c1900 technology-package securityk9
(Type yes)
R1# copy run start
R1# reload
R1# show version
Step 2: Verify network connectivity
PCA> ping [Link]
(Successful)
PCC> ping [Link]
(Successful)
Step 3: Create an IOS IPS configuration directory in flash.
R1# mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Step 4: Configure the IPS signature storage location.
R1(config)# ip ips config location flash:ipsdir
Step 5: Create an IPS rule.
R1(config)# ip ips name iosips
Step 6: Enable logging.
R1(config)# ip ips notify log
R1# clock set hr:min:sec date month year
R1(config)# service timestamps log datetime msec
R1(config)# logging host [Link]
Step 7: Configure IOS IPS to use the signature categories.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>
Step 8: Apply the IPS rule to an interface.
R1(config)# int gig0/0
R1(config-if)# ip ips iosips out
Step 9: Use show commands to verify IPS.
R1# show ip ips all
(Output)
Step 10: View the syslog messages.
Click the Syslog server -> Services tab -> SYSLOG
(Output)

Part 3: Modify the Signature
Step 1: Change the event-action of a signature.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>
Step 2: Use show commands to verify IPS.
R1# show ip ips all
(Output)
Step 3: Verify that IPS is working properly.
PCC> ping [Link]
(Unsuccessful – Request timed out)
PCA> ping [Link]
(Successful)
Step 4: View the syslog messages.
Click the Syslog server -> Services tab -> SYSLOG
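Step 4 only says to look at the syslog server. Because signature 2004 0 was given both produce-alert and deny-packet-inline, every dropped echo request from PC-C also produces a %IPS-4-SIGNATURE message, and those messages are what an operator would actually monitor. The Python script below is an added example, not part of this practical, that parses such messages, counts alerts per source host, and checks that alert destinations lie on the LAN behind gig0/0 (the rule was applied "out" on that interface, so nothing else should trigger it). The log lines are constructed in the shape IOS IPS uses for this message; the PC-C (192.168.3.5) and PC-A (192.168.1.5) addresses follow the lab, the second source 192.168.3.9, the outside host 10.9.9.9 and the timestamps are made up, and the last line is a constructed anomaly for the direction check.

```python
import ipaddress
import re
from collections import Counter

# Constructed syslog lines in the shape IOS IPS emits (%IPS-4-SIGNATURE ...).
# PC-C -> PC-A addresses follow the lab; 192.168.3.9, 10.9.9.9 and the
# timestamps are made up. The last line is a constructed anomaly.
SAMPLE_SYSLOG = [
    "*Mar  1 00:10:02.113: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:11:40.225: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request "
    "[192.168.3.5:0 -> 192.168.1.5:0] VRF:NONE RiskRating:25",
    "*Mar  1 00:11:41.230: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request "
    "[192.168.3.5:0 -> 192.168.1.5:0] VRF:NONE RiskRating:25",
    "*Mar  1 00:12:03.501: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request "
    "[192.168.3.9:0 -> 192.168.1.5:0] VRF:NONE RiskRating:25",
    "*Mar  1 00:12:30.000: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request "
    "[10.9.9.9:0 -> 192.168.3.5:0] VRF:NONE RiskRating:25",
]

IPS_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:\S+)?(?: RiskRating:(?P<rr>\d+))?"
)


def parse_ips_alerts(lines):
    """Extract IPS alerts; non-IPS syslog lines are ignored."""
    alerts = []
    for line in lines:
        m = IPS_RE.search(line)
        if not m:
            continue
        a = m.groupdict()
        for key in ("sig", "subsig", "sev", "sport", "dport"):
            a[key] = int(a[key])
        a["rr"] = int(a["rr"]) if a["rr"] is not None else None
        alerts.append(a)
    return alerts


def alerts_by_source(alerts, sig=None):
    """Count alerts per source address, optionally for one signature id only."""
    return Counter(a["src"] for a in alerts if sig is None or a["sig"] == sig)


def direction_check(alerts, protected_net):
    """Alerts whose destination is not on the LAN behind gig0/0.

    The rule is applied 'out' on gig0/0, so every alert should concern traffic
    leaving towards that LAN. Anything else means the rule is bound somewhere
    other than you think, or the sensor is seeing unexpected traffic.
    """
    net = ipaddress.ip_network(protected_net)
    return [a for a in alerts if ipaddress.ip_address(a["dst"]) not in net]


if __name__ == "__main__":
    alerts = parse_ips_alerts(SAMPLE_SYSLOG)
    print(f"{len(alerts)} IPS alerts")
    for src, n in alerts_by_source(alerts, sig=2004).most_common():
        print(f"  sig 2004 from {src}: {n}")
    for a in direction_check(alerts, "192.168.1.0/24"):
        print(f"  unexpected destination: {a['src']} -> {a['dst']}")
```

Feed it the lines from the syslog server's SYSLOG tab; the protected network passed to direction_check is the subnet of R1 gig0/0.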
Practical 7: Layer 2 Security
Topology:
Addressing Table:
Device   Interface   IP Address   Subnet Mask   Default Gateway
R1       gig0/0      [Link]       [Link]        N/A
R1       Se0/1/0     [Link]       [Link]        N/A
C1       NIC         [Link]       [Link]        [Link]
C2       NIC         [Link]       [Link]        [Link]
C3       NIC         [Link]       [Link]        [Link]
C4       NIC         [Link]       [Link]        [Link]
D1       NIC         [Link]       [Link]        [Link]
D2       NIC         [Link]       [Link]        [Link]
D3       NIC         [Link]       [Link]        [Link]
D4       NIC         [Link]       [Link]        [Link]
Objectives:
• Assign the Central switch as the root bridge.
• Secure spanning-tree parameters to prevent STP manipulation attacks.
• Enable port security to prevent CAM table overflow attacks.
Part 1: Configure Switch / Router
Step 1: Configure secret
Execute command on all switches and router
R1/SW(config)# enable secret enpa55
Step 2: Configure console password
Execute command on all switches and router
R1/SW(config)# line console 0
R1/SW(config-line)# password conpa55
R1/SW(config-line)# login
Step 3: Configure SSH login
Execute command on all switches and router
R1/SW(config)# ip domain-name [Link]
R1/SW(config)# username admin secret adminpa55
R1/SW(config)# line vty 0 4
R1/SW(config-line)# login local
R1/SW(config-line)# exit
R1/SW(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
Part 2: Configure Root Bridge
Step 1: Determine the current root bridge.
Central# show spanning-tree
SW1# show spanning-tree
Step 2: Assign Central as the primary root bridge.
Central(config)# spanning-tree vlan 1 root primary
Central# show spanning-tree
Step 3: Assign SW-1 as a secondary root bridge.
SW1(config)# spanning-tree vlan 1 root secondary
SW1# show spanning-tree
Part 3: Protect Against STP Attacks
Step 1: Enable PortFast on all access ports.
SWA/B(config)# int range fa0/1 - 4
SWA/B(config-if-range)# spanning-tree portfast
Step 2: Enable BPDU guard on all access ports.
SWA/B(config)# int range fa0/1 - 4
SWA/B(config-if-range)# spanning-tree bpduguard enable
Step 3: Enable root guard.
SW-1/2(config)# int range fa0/23 - 24
SW-1/2(config-if-range)# spanning-tree guard root
Part 4: Configure Port Security and Disable Unused Ports
Step 1: Configure basic port security on all ports connected to host devices.
SW-A/B(config)# int range fa0/1 - 22
SW-A/B(config-if-range)# switchport mode access
SW-A/B(config-if-range)# switchport port-security
SW-A/B(config-if-range)# switchport port-security maximum 2
SW-A/B(config-if-range)# switchport port-security violation shutdown
SW-A/B(config-if-range)# switchport port-security mac-address sticky
Step 2: Verify port security.
SW-A/B# show port-security int fa0/1
Step 3: Disable unused ports.
SW-A/B(config)# int range fa0/5 - 22
SW-A/B(config-if-range)# shutdown
Step 4: Verify connectivity.
Ping C1 -> C2 (Successful)
Ping C1 -> D1 (Successful)
Step 5: Verify port security.
SW-A/B# show port-security int fa0/1
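The port-security settings in Part 4 (maximum 2, violation shutdown, sticky) and the BPDU guard setting in Part 3 are easier to reason about when the switch's decision logic is written out. The Python model below is an added example, not part of this practical and not IOS code: it simulates one access port, learns up to the configured number of MAC addresses (sticky), applies the shutdown, restrict or protect violation action on the next unknown source, and err-disables the port if a BPDU arrives while BPDU guard is on. The MAC addresses it generates for the CAM-flood simulation are constructed. It generalizes slightly beyond the lab by showing all three violation modes side by side.

```python
from collections import Counter


class AccessPort:
    """Simplified model of one access port with port security and BPDU guard."""

    def __init__(self, name, max_macs=2, violation="shutdown", bpduguard=True):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError("violation must be shutdown, restrict or protect")
        self.name = name
        self.max_macs = max_macs          # switchport port-security maximum N
        self.violation = violation        # switchport port-security violation ...
        self.bpduguard = bpduguard        # spanning-tree bpduguard enable
        self.secure_macs = []             # sticky: what would land in running-config
        self.err_disabled = False
        self.violation_count = 0
        self.events = []                  # what show port-security / syslog would tell you

    def receive_frame(self, src_mac):
        """Process a frame with source src_mac and return the action taken."""
        if self.err_disabled:
            return "dropped (err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.append(src_mac)      # sticky learning
            return "learned"
        # Unknown source beyond the maximum: a security violation.
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            self.events.append(f"{self.name}: psecure-violation, port err-disabled")
            return "err-disabled (psecure-violation)"
        if self.violation == "restrict":
            self.events.append(f"{self.name}: violation by {src_mac}, frame dropped")
            return "dropped (restrict, logged)"
        return "dropped (protect)"            # protect: silent drop, no counter in IOS either

    def receive_bpdu(self):
        """A BPDU on an access port means a switch (or a tool) is plugged into it."""
        if self.err_disabled:
            return "dropped (err-disabled)"
        if self.bpduguard:
            self.err_disabled = True
            self.events.append(f"{self.name}: BPDU received with BPDU guard, port err-disabled")
            return "err-disabled (bpduguard)"
        return "bpdu processed"

    def recover(self):
        """Operator does 'shutdown' / 'no shutdown'; sticky MACs survive the recovery."""
        self.err_disabled = False


def simulate_cam_flood(port, n_macs):
    """Send n_macs frames with distinct constructed source MACs; return a tally of actions."""
    results = [
        port.receive_frame(f"00:de:ad:{i >> 8:02x}:{i & 0xFF:02x}:01")
        for i in range(n_macs)
    ]
    return Counter(results)


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        p = AccessPort("Fa0/1", violation=mode)
        tally = simulate_cam_flood(p, 10)
        print(f"{mode:9s} learned={len(p.secure_macs)} violations={p.violation_count} "
              f"err-disabled={p.err_disabled} {dict(tally)}")
    rogue = AccessPort("Fa0/2")
    print("BPDU on access port:", rogue.receive_bpdu())
```

The shutdown mode is what the practical configures: after the two allowed addresses, the first extra address takes the whole port down, which is the loud failure you want on a user port. Restrict keeps the port up and counts violations, protect drops silently; compare the violation counters in the output to see why shutdown is the easier mode to monitor.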
Practical 8: Layer 2 VLAN Security
Topology:
Addressing Table:
Device   Interface   IP Address   Subnet Mask   Default Gateway
R1       gig0/0
R1       se0/1/0     [Link]       [Link]        N/A
C2       NIC         [Link]       [Link]        [Link]
C3       NIC         [Link]       [Link]        [Link]
C4       NIC         [Link]       [Link]        [Link]
D1       NIC         [Link]       [Link]        [Link]
D2       NIC         [Link]       [Link]        [Link]
D3       NIC         [Link]       [Link]        [Link]
D4       NIC         [Link]       [Link]        [Link]
Objectives
• Connect a new redundant link between SW-1 and SW-2.
• Enable trunking and configure security on the new trunk link between SW-1 and SW-2.
• Create a new management VLAN (VLAN 20) and attach a management PC to that VLAN.
• Implement an ACL to prevent outside users from accessing the management VLAN.
Scenario
A company's network is currently set up using two separate VLANs: VLAN 5 and VLAN 10. In addition, all trunk ports are configured with native VLAN 15.
Part 1: Configure Switch/Router
Step 1: Configure secret
Execute command on all switches/router
SW/R1(config)# enable secret enpa55
Step 2: Configure console password
Execute command on all switches/router
SW/R1(config)# line console 0
SW/R1(config-line)# password conpa55
SW/R1(config-line)# login
Step 3: Configure SSH login
Execute command on all switches/router
SW/R1(config)# ip domain-name [Link]
SW/R1(config)# username admin secret adminpa55
SW/R1(config)# line vty 0 4
SW/R1(config-line)# login local
SW/R1(config-line)# exit
SW/R1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024

Part 2: Create VLANs and assign access mode and trunk mode to interfaces
Step 1: Check existing VLANs
Execute command on all switches
SW# show vlan brief
Step 2: Create new VLANs
Execute command on all switches
SW(config)# vlan 5
SW(config-vlan)# exit
SW(config)# vlan 10
SW(config-vlan)# exit
SW(config)# vlan 15
SW(config-vlan)# exit
Step 3: Check the new VLANs
Execute command on all switches
SW# show vlan brief
Step 4: Assign access mode to VLAN switch interfaces
Execute command on switches SWA/SWB
SWA(config)# int fa0/2
SWA(config-if)# switchport mode access
SWA(config-if)# switchport access vlan 10
SWA(config)# int fa0/3
SWA(config-if)# switchport mode access
SWA(config-if)# switchport access vlan 10
SWA(config)# int fa0/4
SWA(config-if)# switchport mode access
SWA(config-if)# switchport access vlan 5
SWB(config)# int fa0/1
SWB(config-if)# switchport mode access
SWB(config-if)# switchport access vlan 5
SWB(config)# int fa0/2
SWB(config-if)# switchport mode access
SWB(config-if)# switchport access vlan 5
SWB(config)# int fa0/3
SWB(config-if)# switchport mode access
SWB(config-if)# switchport access vlan 5
SWB(config)# int fa0/4
SWB(config-if)# switchport mode access
SWB(config-if)# switchport access vlan 10
Step 5: Check the access mode allocations
SWA# show vlan brief
SWB# show vlan brief
Step 6: Assign trunk mode to the other switch interfaces
SWA(config)# int fa0/24
SWA(config-if)# switchport mode trunk
SWA(config-if)# switchport trunk native vlan 15
SWB(config)# int fa0/24
SWB(config-if)# switchport mode trunk
SWB(config-if)# switchport trunk native vlan 15
SW1(config)# int fa0/24
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk native vlan 15
SW1(config)# int gig0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk native vlan 15
SW2(config)# int fa0/24
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk native vlan 15
SW2(config)# int gig0/1
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk native vlan 15
Central(config)# int range gig0/1-2
Central(config-if-range)# switchport mode trunk
Central(config-if-range)# switchport trunk native vlan 15
Central(config)# int fa0/1
Central(config-if)# switchport mode trunk
Central(config-if)# switchport trunk native vlan 15
Step 7: Check the trunk mode allocations
Central# show int trunk
SW1/2# show int trunk
SWA/B# show int trunk
Step 8: Create sub-interfaces on the router to support the VLANs
R1(config)# int gig0/0.1
R1(config-subif)# encapsulation dot1q 5
R1(config-subif)# ip address [Link] [Link]
R1(config)# int gig0/0.2
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address [Link] [Link]
R1(config)# int gig0/0.15
R1(config-subif)# encapsulation dot1q 15
R1(config-subif)# ip address [Link] [Link]

Part 3: Verify Connectivity
Step 1: Verify connectivity between C2 (VLAN 10) and C3 (VLAN 10).
C2> ping [Link]
(Successful)
Step 2: Verify connectivity between C2 (VLAN 10) and D1 (VLAN 5).
C2> ping [Link]
(Successful)
Part 4: Create a Redundant Link between SW-1 and SW-2
Step 1: Connect SW-1 and SW-2.
Using a crossover cable, connect port Fa0/23 on SW-1 to port Fa0/23 on SW-2.
Step 2: Enable trunking, including all trunk security mechanisms, on the link between SW-1 and SW-2.
(Execute command on SW-1 and SW-2)
SW1/2(config)# int fa0/23
SW1/2(config-if)# switchport mode trunk
SW1/2(config-if)# switchport trunk native vlan 15
SW1/2(config-if)# switchport nonegotiate
Part 5: Enable VLAN 20 as a Management VLAN
Step 1: Enable a management VLAN (VLAN 20) on SW-A.
SW-A(config)# vlan 20
SW-A(config-vlan)# exit
SW-A(config)# int vlan 20
SW-A(config-if)# ip address [Link] [Link]
Step 2: Enable the same management VLAN on all other switches.
(Execute command on SW-B, SW-1, SW-2, and Central)
SW(config)# vlan 20
SW(config-vlan)# exit
Create an interface VLAN 20 on all switches and assign an IP address within the [Link]/24 network.
SW-B(config)# int vlan 20
SW-B(config-if)# ip address [Link] [Link]
SW-1(config)# int vlan 20
SW-1(config-if)# ip address [Link] [Link]
SW-2(config)# int vlan 20
SW-2(config-if)# ip address [Link] [Link]
Central(config)# int vlan 20
Central(config-if)# ip address [Link] [Link]
Step 3: Connect and configure the management PC.
Connect the management PC using a copper straight-through cable to SW-A port Fa0/1 and ensure that it is assigned an available IP address [Link]
Step 4: On SW-A, ensure the management PC is part of VLAN 20.
SW-A(config)# int fa0/1
SW-A(config-if)# switchport mode access
SW-A(config-if)# switchport access vlan 20
Step 5: Verify connectivity of the management PC to all switches.
C1> ping [Link] (SW-A)
(Successful)
C1> ping [Link] (SW-B)
(Successful)
C1> ping [Link] (SW-1)
(Successful)
C1> ping [Link] (SW-2)
(Successful)
C1> ping [Link] (Central)
(Successful)
Part 6: Enable the Management PC to Access Router R1
Step 1: Enable a new subinterface on router R1.
R1(config)# int gig0/0.3
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address [Link] [Link]
Step 2: Set the default gateway on the management PC.
C1 – [Link]
Step 3: Verify connectivity between the management PC and R1.
C1> ping [Link]
(Successful)
Step 4: Enable security.
R1(config)# access-list 101 deny ip any [Link] [Link]
R1(config)# access-list 101 permit ip any any
R1(config)# access-list 102 permit ip host [Link] any
Step 5: Apply ACL on correct interfaces
R1(config)# int gig0/0.1
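The two ACLs in Step 4 work only because extended ACLs are evaluated top to bottom with first match wins and an implicit deny at the end: ACL 101 blocks everyone from reaching the management VLAN and then permits the rest, while ACL 102 permits only the management PC and silently denies everything else. The Python evaluator below is an added example, not part of this practical, that parses ACL entries in the same syntax, applies wildcard-mask matching and first-match semantics, and reports which entry decided each packet. The addresses are assumptions, since the page shows them as [Link]: 192.168.20.0/24 as the management VLAN, 192.168.20.50 as the management PC, and 192.168.10.10 as an ordinary VLAN 10 host; which subinterface each ACL is bound to is also an assumption, as the page's Step 5 is cut off.

```python
import ipaddress


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.

    Returns ((base, wildcard) as integers, index of the next token).
    """
    t = tokens[i]
    if t == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst>' (the part after 'access-list N')."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "text": line}


def _wildcard_match(addr, spec):
    """Bits set in the wildcard are 'don't care'; the rest must equal the base."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


class ExtendedAcl:
    """A numbered extended ACL: ordered entries, first match wins, implicit deny."""

    def __init__(self, number, aces):
        self.number = number
        self.entries = [parse_ace(a) for a in aces]

    def evaluate(self, src, dst, proto="ip"):
        s = int(ipaddress.IPv4Address(src))
        d = int(ipaddress.IPv4Address(dst))
        for e in self.entries:
            if e["proto"] != "ip" and e["proto"] != proto:
                continue                       # 'ip' entries match every protocol
            if _wildcard_match(s, e["src"]) and _wildcard_match(d, e["dst"]):
                return e["action"], e["text"]
        return "deny", "implicit deny"


# Constructed to mirror Step 4; the concrete addresses are assumptions.
ACL_101 = ExtendedAcl(101, [
    "deny ip any 192.168.20.0 0.0.0.255",   # nobody from outside may reach VLAN 20
    "permit ip any any",                    # everything else is unaffected
])
ACL_102 = ExtendedAcl(102, [
    "permit ip host 192.168.20.50 any",     # only the management PC may leave VLAN 20
])


def check_policy():
    """Walk the cases that matter and return them for inspection."""
    return {
        "vlan10_to_mgmt": ACL_101.evaluate("192.168.10.10", "192.168.20.2"),
        "vlan10_to_pc_a": ACL_101.evaluate("192.168.10.10", "192.168.1.5"),
        "mgmt_pc_out": ACL_102.evaluate("192.168.20.50", "10.1.1.1"),
        "other_mgmt_host_out": ACL_102.evaluate("192.168.20.7", "10.1.1.1"),
    }


if __name__ == "__main__":
    for case, (verdict, ace) in check_policy().items():
        print(f"{case:22s} {verdict:6s} by: {ace}")
```

The last case is the one worth remembering: ACL 102 has no "permit ip any any", so a second host that lands in VLAN 20 is dropped by the implicit deny, which is the behaviour you want on a management segment. When you bind ACL 101 inbound on the user-VLAN subinterfaces, re-run the evaluator with a few of your real addresses before trusting the ping tests.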

INDEX
SR. NO   DATE   TOPIC   SIGN
1   Configure Routers:
    a. OSPF MD5 authentication.
    b. NTP.
    c. Log messages to the syslog server.
2   Configure AAA Authentication
    a. Configure a local user account on the router and configure authentication on the console and vty lines using local AAA.
    b. Verify local AAA authentication from the router console and the PC-A client.
3   Configuring Extended ACLs
    a. Configure, apply and verify an extended numbered ACL.
4   Configure IP ACLs to Mitigate Attacks and IPv6 ACLs
    a. Verify connectivity among devices before firewall configuration.
    b. Use ACLs to ensure remote access to the routers is available only from management station PC-C.
    c. Configure ACLs to mitigate attacks.
    d. Configure IPv6 ACLs.
5   Configuring a Zone-Based Policy Firewall
6   Configure IOS Intrusion Prevention System (IPS) Using the CLI
    a. Enable IOS IPS.
    b. Modify an IPS signature.
7   Layer 2 Security
    a. Assign the Central switch as the root bridge.
    b. Secure spanning-tree parameters to prevent STP manipulation attacks.
    c. Enable port security to prevent CAM table overflow attacks.
8   Layer 2 VLAN Security