
Configuring Security Measures

 

Configuring passwords on Cisco IOS:

Protecting privilege mode:

Option I

DeviceName(config)#enable password XXXX

Option II

DeviceName(config)#enable secret XXXX

NOTE: Using “Option I” is not recommended, as it stores the password in clear text in the configuration, where it can easily be read. “Option II” stores the password in an encrypted (hashed) form instead.

If both passwords are set, IOS uses the secret password.

The space bar is counted as a character in a password.

Protecting user mode:

DeviceName(config)# line console 0

DeviceName(config-line)#password XXXX

DeviceName(config-line)#login

Setting up Telnet:

NOTE: This applies only after VLAN 1 has been successfully configured with a valid IP address.

DeviceName(config)# line vty X Y

X = first line number and Y = last line number, i.e. together they set the number of allowed concurrent Telnet sessions.

DeviceName(config-line)#password XXXX

NOTE: Telnet will not work unless a password is set on the vty lines.

Keeping an eye on a Telnet session:

DeviceName#terminal monitor

It allows you to see all the log messages on the current Telnet/SSH session.

Encrypting all passwords in one go:

DeviceName(config)#service password-encryption

It encrypts all clear-text passwords in the IOS configuration. It might not work on older IOS versions.

Setting up logon banner:

Type of banners:

Login: This only appears when connecting via Telnet.

MOTD (Message of the Day): It appears on every console.

DeviceName(config)#banner [motd/login] Y XXXXXX Y

Where Y is the delimiting character.

Setting up port security:

DeviceName(config)#interface fa 0/X

DeviceName(config-if)#switchport mode access

This command makes the interface an access port, meaning the interface is connected to an end device such as a PC or router, not to another switch.

DeviceName(config-if)#switchport port-security

DeviceName(config-if)#switchport port-security maximum X

Where X is the maximum number of MAC addresses allowed to connect through the interface.

DeviceName(config-if)#switchport port-security violation [shutdown/restrict/protect]

This command sets how the switch should respond if port security is violated. There are three modes:

1) Shutdown: This is the default mode. It shuts down the interface completely, placing it in the “err-disabled” state, and an administrator must manually re-enable the port.

2) Restrict: It does not shut down the port, but stops accepting traffic on it until the authorized device is connected again. It also logs the event.

3) Protect: It is the same as restrict, but does not log the event.

DeviceName(config-if)#switchport port-security mac-address [X.X.X/sticky]

Where X.X.X is the MAC address in 48-bit (dotted hexadecimal) format, and “sticky” makes the switch automatically learn the MAC address of the device currently attached to the port.

Configuring a range of interfaces:

DeviceName(config)#interface range fastethernet 0/X - Y

Where X is the first (lowest) port number and Y is the last (highest) port number.
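As an added check that is not part of the original post, the following Python script audits a saved running-config for the settings covered in the password, Telnet and port-security sections above: Option I set without Option II, line passwords left in clear text because service password-encryption is missing, a vty line with login but no password, and a port-security violation mode of protect. The sample config and the audit function are constructed for this example, not taken from any real device.

```python
# Constructed sample running-config (not from a real device): clear-text enable
# password, clear-text console password, vty with login but no password, Fa0/1 in protect mode.
SAMPLE_CONFIG = """\
enable password cisco123
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
!
line console 0
 password console1
 login
line vty 0 4
 login
"""

def parse_blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line and line != "!":
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(config):
    """Return findings for the password, vty and port-security settings above."""
    blocks, findings = parse_blocks(config), []
    has = lambda prefix: any(c.startswith(prefix) for c in blocks)
    # Option I without Option II leaves the privilege-mode password in clear text.
    if has("enable password") and not has("enable secret"):
        findings.append("enable password set without enable secret (clear text)")
    # Line passwords stay in clear text unless service password-encryption is on.
    line_pw = [b for b, s in blocks.items()
               if b.startswith("line ") and any(x.startswith("password ") for x in s)]
    if line_pw and "service password-encryption" not in blocks:
        findings.append("clear-text line passwords on: " + ", ".join(line_pw))
    for name, subs in blocks.items():
        # A vty line with login but no password refuses Telnet entirely.
        if name.startswith("line vty") and "login" in subs and not any(
                x.startswith("password ") for x in subs):
            findings.append(f"{name}: login set but no password, Telnet will be refused")
        # Protect mode drops violating frames silently; restrict and shutdown log them.
        if name.startswith("interface ") and "switchport port-security violation protect" in subs:
            findings.append(f"{name}: violation mode protect records no log of violations")
    return findings
```

Note that service password-encryption only obscures line passwords (IOS type 7 encoding), so the script treats it as the minimum expected setting rather than as strong protection.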
