Lab 3-2: Device Hardening

Visual Topology

Command List

Command                                   Description
[no] cdp enable                           Enables or disables CDP on an interface
show cdp neighbors [detail]               Displays CDP neighbours
show mac-address                          Displays the contents of the switch's MAC address table
show interfaces                           Displays interface statistics
show interface status                     Displays interface status
show port-security interface <interface>  Displays port security configured on an interface
show port-security address                Displays port-security MAC addresses
[no] shutdown                             Disables or enables a switchport or interface
switchport mode access                    Sets the switchport into access mode, supporting only one data and one voice VLAN
switchport port-security                  Enables port-security
switchport port-security mac-address      Sets a static secure MAC address

Physical Topology Diagram

  • Task 1: Managing unused ports on a Switch.
  • Task 2: Using Switchport port-security.
  • Task 3: Disable unused services.

Task 1: Managing unused ports on a Switch.

Step 1: Access the CLI on your switch

Step 2: Ensure that the interface connecting your switch to your router is enabled by using the no shutdown command (remember to be in the right configuration mode).

Task 2: Using Switchport port-security.

Step 1: Access the CLI on your Router

Step 2: Identify the MAC address of the interface used to connect to your switch.

What command could be used to achieve step 2?

Once you know the MAC address of the interface make a note of it below.

MAC Address:

Step 3: Enter the configuration mode which will allow you to change the interface parameters on Fa0/0 or Gi0/0.

Shutdown the interface and set the MAC address to the following value using these commands:

Rx(config-if)#Shut
Rx(config-if)#mac-address 0000.0C12.ABCD

Step 4: Enable the interface and generate some traffic by pinging the IP address of your switch.

Step 5: Access the switch's CLI.

What command could we use to check the MAC address of the attached router?

Step 6: While still on the CLI of the switch, shut down interface fa0/12.

Step 7: Enable switchport security using the following commands:

SWx(config-if)#switchport mode access
SWx(config-if)#switchport port-security
SWx(config-if)#switchport port-security mac-address sticky

Why have we used the first command, switchport mode access, and does it disable DTP?

Step 8: Enable interface fa0/12 and generate some traffic between the switch and the router.

The connection between the switch and the router should be up/up; use show interface fa0/12 to verify this.

What are the default values used by the system when the switchport port-security command is applied to an interface?

Step 9: Access the CLI on the router and shutdown the interface connected to your switch.

Step 10: On the interface connected to your switch reset the MAC address to its original value.

Step 11: Enable the interface and generate some traffic between the router and the switch.

Step 12: Access the CLI on the switch and check the status of the interface connected to the router. You should now observe a down/down (err-disabled) state due to the port violation which occurred when you changed the MAC address of the router.

Step 13: Remove the switchport port-security and check you once again have connectivity between the switch and the router.

Task 3: Disable unused services.

Step 1: Access the CLI on the switch

Step 2: Run the appropriate command to view the CDP neighbours table (remember to use the American spelling)

Is CDP running?

Step 3: Disable CDP on the interface connected to the router and issue the command used in step 2.

Do you see a difference?

Remember the default timeout value for CDP is 180 seconds.

Step 4: Enable CDP on the interface.

Step 5: Save your configuration.
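As an added example that is not part of the original lab, the following Python script audits a running-config excerpt for the three hardening items covered in Tasks 1 to 3: unused ports shut down, access ports running port-security at its defaults (one MAC address, violation mode shutdown), and CDP disabled. The interface names and configuration lines in SAMPLE_CONFIG are constructed for illustration, not captured from a real device.

```python
"""Audit a Cisco IOS running-config for the hardening items in this lab."""

# Constructed sample running-config excerpt (not from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no cdp enable
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any non-indented line ends the block
    return blocks


def audit(config):
    """Flag interfaces that miss one of the lab's hardening controls."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # Task 1: a shut-down unused port needs nothing else
        issues = []
        if "switchport mode access" in lines and "switchport port-security" not in lines:
            issues.append("access port without port-security")  # Task 2
        for l in lines:  # deviations from the port-security defaults (max 1, shutdown)
            if l.startswith("switchport port-security maximum") and l.split()[-1] != "1":
                issues.append("maximum MAC count raised above default of 1")
            if l.startswith("switchport port-security violation") and not l.endswith("shutdown"):
                issues.append("violation mode is not shutdown (default)")
        if "no cdp enable" not in lines:
            issues.append("CDP still enabled")  # Task 3
        if issues:
            findings[name] = issues
    return findings
```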

Lab Answer Keys:


Task 1: Managing unused ports on a Switch.

Step 2: Ensure that the interface connecting your switch to your router is enabled by using the no shutdown command (remember to be in the right configuration mode).

SW>en
SW#conf t
SW(config)#int fa0/12
SW(config-if)#no shut

Task 2: Using Switchport port-security.

Step 2: Identify the MAC address of the interface used to connect to your switch. What command could be used to achieve step 2?

R#sh int fa0/0

or

R#sh int gi0/0

Once you know the MAC address of the interface make a note of it below.

MAC Address:

Step 3: Enter the configuration mode which will allow you to change the interface parameters on Fa0/0 or Gi0/0.

R#conf t

R(config)#int fa0/0

or

R(config)#int gi0/0

Shutdown the interface and set the MAC address to the following value using these commands:

R(config-if)#Shut
R(config-if)#mac-address 0000.0C12.ABCD

Step 4: Enable the interface and generate some traffic by pinging the IP address of your switch.

R(config-if)#no shut

Step 5: Access the switch's CLI.

What command could we use to check the MAC address of the attached router?

SW#sh mac-address

Step 6: While still on the CLI of the switch, shut down interface fa0/12.

SW#conf t
SW(config)#int fa0/12
SW(config-if)#shut

Step 7: Enable switchport security using the following commands:

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security

Why have we used the first command, switchport mode access, and does it disable DTP?

Switchport port-security is not supported over trunk connections.
No, it doesn't disable DTP.

Step 8: Enable interface fa0/12 and generate some traffic between the switch and the router.

SW(config-if)#no shut

The connection between the switch and the router should be up/up; use show interface fa0/12 to verify this.

SW(config-if)#end
SW#show int fa0/12

What are the default values used by the system when the switchport port-security command is applied to an interface?

Max of 1 supported MAC address with a violation policy of shutdown

Step 9: Access the CLI on the router and shutdown the interface connected to your switch.

R(config)#int fa0/0

or

R(config)#int gi0/0
R(config-if)#shut

Step 10: On the interface connected to your switch reset the MAC address to its original value.

R(config-if)#default mac-address

or

R(config-if)#no mac-address

Step 11: Enable the interface and generate some traffic between the router and the switch.

R(config-if)#no shut

Step 12: Access the CLI on the switch and check the status of the interface connected to the router. You should now observe a down/down (err-disabled) state due to the port violation which occurred when you changed the MAC address of the router.

Resetting the violated port

SW(config)#int fa0/12
SW(config-if)#shut
SW(config-if)#no shut

Step 13: Remove the switchport port-security and check you once again have connectivity between the switch and the router.

SW(config-if)#no switchport port-security

Task 3: Disable unused services.

Step 2: Run the appropriate command to view the CDP neighbours table (remember to use the American spelling)

SW#sh cdp nei

Is CDP running? YES

Step 3: Disable CDP on the interface connected to the router and issue the command used in step 2.

SW#conf t
SW(config)#int fa0/12
SW(config-if)#no cdp enable

Do you see a difference ? YES

Remember the default timeout value for CDP is 180 seconds.

Step 4: Enable CDP on the interface.

SW(config-if)#cdp enable

Step 5: Save your configuration.

SW(config-if)#end
SW#copy run start