Securing Network Devices (Advanced)

Objective / Purpose

This lab is a continuation of Lab 1 (Basic device security). In this lab, students will configure secure access to devices via SSH on the VTY lines, force a timeout on idle sessions, block access after failed login attempts, and use an ACL to restrict access to specific devices.

Configure the following:

(1) Enable secure access via SSH to device
(2) Create Certificate for Local device
(3) Block login after a predefined number of unsuccessful attempts
(4) Control access to a device using ACL

Lab Devices

1 x 2900 Switch
1 x 2911 Router
2 x PCs
1 x Server

Lab Topology

IP Addressing Table

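| Device | Interface | IP address | Subnet Mask | Gateway |
|--------|-----------|------------|-------------|---------|
| Router | Gi0/0 | 192.168.1.1 | 255.255.255.0 | |
| Server | Fa0/0 | 192.168.1.50 | 255.255.255.0 | 192.168.1.1 |
| PC0 | Fa0 | 192.168.1.10 | 255.255.255.0 | 192.168.1.1 |
| PC1 | Fa0 | 192.168.1.11 | 255.255.255.0 | 192.168.1.1 |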

Commands

| Command | Description |
|---------|-------------|
| hostname | Sets the hostname of a device |
| ip domain name domain-name | Define the default domain name |
| line vty 0 15 | Access all VTY lines |
| login local | Enable login from local database |
| transport input ssh | Enables connection to device via SSH (disable all other connection methods) |
| exec-timeout time-in-minutes | Set the EXEC timeout for idle sessions |
| access-list 10 permit host ip address | Create a standard ACL |
| access-class acl # in / out | Filter connections based on an IP access list |
| username admin secret password | Creates a user account of admin and sets a password |
| enable secret password | Assign the privileged level secret |
| crypto key generate rsa general-keys modulus 1024 | Creates an encryption key on the local device |
| ip ssh time-out time-in-minutes | Specify SSH time-out interval |
| ip ssh authentication-retries | Specify number of authentication retries |
| login block-for 60 attempts 2 within 30 | Prevent login for 60 seconds after 2 attempts within 30 seconds |
| ip ssh version 2 | Sets SSH to version 2 |
| ssh -l userID host_IP | Use SSH client to connect to SSH host |
| show ip ssh | Information on SSH |
| show ssh | Status of SSH server connections |

Lab Policy

Lab Task

Section 1 - Build and configure the topology (30 marks)

(1) Build the network topology as shown in the topology diagram and connect all devices.
(2) Assign a hostname to all routers and switches using the following method: rename each device in the topology to include your group number. For example, if your group number is 1, rename Router0 to R0-Group1.
(3) Assign IP addresses to each router interface and PC as shown in the IP table.

Section 2 - Create accounts and configure SSH (20 marks)

(1) Set an enable secret of C!sc0123 on the router.
(2) Set a minimum password length of 8 characters.
(3) Create user accounts for each student in your group with an encrypted password in the local database on the router.
(4) Create a domain name of group#.local, where # is the number of your group.
(5) Create an encryption key for the device and select a modulus of 1024 for the encryption strength.
(6) Set the SSH idle timeout to 3 minutes in global configuration mode.

Section 3 - Enable secure access to the router via SSH

(1) On the router, enable login to all VTY lines. Login should use credentials from the local device database.
(2) Enable access to the router from the VTY lines only from SSH connections.
(3) Connect to the router from the server via SSH. Record your results: take a screenshot of your results and paste it into Google Forms.
(4) Connect to the router from the server via TELNET. Record your results.
(5) Record your observations for task 4 and 5.

Section 4 - Control access with ACL (20 marks)

(1) Using a standard ACL, permit only the server to access the router via the VTY lines. Your ACL number should be your group number.
(2) Apply the ACL to the VTY lines.
(3) Using SSH, connect to the router via VTY from the server. Record your results: take a screenshot of your results and paste it into the Google Forms provided.
(4) Using SSH, connect to the router via VTY from PC0. Record your results.

Section 5 - Router configuration

(1) Display the running configuration on router 0 and record it in Google Forms.
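
One possible router configuration covering Sections 2 to 4, written for group number 1 (an added example, not part of the original lab handout or its solution). The username student1, its placeholder password, and the values chosen for ip ssh authentication-retries and ip ssh time-out are assumptions. On IOS, ip ssh time-out is given in seconds (1-120) and bounds the SSH negotiation phase, so the 3-minute idle limit is enforced here with exec-timeout on the VTY lines.

```cisco
! Added example for group 1; student1 and its password are placeholders.
hostname R0-Group1
ip domain-name group1.local
!
! The minimum length applies to passwords set after this command.
security passwords min-length 8
enable secret C!sc0123
username student1 secret <placeholder-password-8-or-more-chars>
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! The RSA key label is built from hostname + domain name, so set both first.
! 1024 is the value the lab asks for; 2048 or larger is the usual choice elsewhere.
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
! Seconds allowed for the SSH negotiation phase (assumed value, IOS maximum).
ip ssh time-out 120
! Assumed value; the lab lists the command without a number.
ip ssh authentication-retries 2
!
! Refuse all logins for 60 s after 2 failed attempts within 30 s.
login block-for 60 attempts 2 within 30
!
! Standard ACL numbered after the group: only the server may reach the VTY lines.
access-list 1 permit host 192.168.1.50
!
! VTY lines: local user database, SSH only, server only, 3 min 0 s idle timeout.
line vty 0 15
 login local
 transport input ssh
 access-class 1 in
 exec-timeout 3 0
!
end
!
! Verify on the router:      show ip ssh    show ssh    show running-config
! From the server (allowed): ssh -l student1 192.168.1.1
! From PC0 the same ssh command is refused by access-class 1.
! telnet 192.168.1.1 is refused from every host because of transport input ssh.
```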
