The topics covered in Lab 9 are
● Port security
● motd banner
● History file configuration and use
● Password encryption
● DNS configuration
Port Security
Port security allows you to control who can use a particular interface on a switch. An interface is configured to control the MAC addresses, or the number of MAC addresses that can use an interface.
It is not easy to understand the need for port security in a lab. If these labs are your first experience with network equipment, it may seem like a simple issue: don’t plug a computer into a port.
In reality, it’s not that easy. In a real network, switches and routers are locked in a computer room or a wiring closet that is not close to where computers are located. Cat 5 cabling runs from offices and cubicles to the switches. If you work in a typical office, your computer is probably connected to an RJ-45 jack in your cubicle. The other end of the wiring is connected to an interface on a switch in the computer room.
The problem is that someone can unplug your computer and plug in their computer. Then they are in your VLAN, with an IP address in your subnet, and possibly have access that you don’t want them to have. When you go home, the Ethernet connection in your cubicle or the vice president’s office is now available to anyone with a laptop. No one cares if they use your cubicle when you (or I) are not there, but that vice president cares a great deal.
As stated earlier, port security is configured on each interface. Port security limits the number of MAC addresses that can use the interface, and the actual addresses that can use it. The “number of addresses” really is not much of an issue these days. Most examples will show a hub in a critical department like Accounting, and discuss the need to limit access to a certain number of computers, like only the Accounting computers. You would plug all of the Accounting computers into the hub, connect the hub to the switch, and configure the switch interface to only support the number of MAC addresses that correspond to the number of computers. If you have four computers in the department, you would limit the number of MAC addresses to four.
The first step in configuring port security is to enable port security. The interface should be configured as an access port and assigned to a VLAN before configuring security.
labsw1(config)#interface fa0/9
labsw1(config-if)#switchport mode access
labsw1(config-if)#switchport access vlan x
labsw1(config-if)#switchport port-security
The next command defines the number of MAC addresses that can use the interface. If it is the vice president’s connection, you probably want "1".
labsw1(config-if)#switchport port-security maximum (number of addresses)
The next command determines what the port does if the security configuration is violated. The options are protect, restrict or shutdown.
labsw1(config-if)#switchport port-security violation (protect|restrict|shutdown)
Protect will drop frames from an unauthorized MAC address
Restrict will generate an alarm to the network monitoring system (NMS)
Shutdown will physically disable the port
To statically define the MAC addresses that can use the interface:
labsw1(config-if)#switchport port-security mac-address (MAC address)
The switch can learn the MAC addresses that can use the port. Refer to the maximum command above. The interface will support the first addresses it learns until it reaches the number set in maximum. These addresses are called “sticky”, perhaps because the first addresses will “stick”.
If your maximum is four, it will learn the first four addresses, and then follow the configuration choice used in the violation command: protect, restrict or shutdown.
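To make the three violation modes concrete, here is an added example (not from the lab notes and not Cisco code) that models one secured port in Python: addresses are learned up to the configured maximum, and a further address triggers the protect, restrict or shutdown behaviour described above. The MAC addresses in demo() are constructed samples.

```python
"""Model of port-security violation handling on one switch port.
Added example, not Cisco code: it mimics the behaviour the lab describes
(learn addresses up to 'maximum', then protect, restrict or shutdown)."""
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # switchport port-security violation ...
    allowed: set = field(default_factory=set)   # static + learned (sticky)
    violations: int = 0              # counted in restrict mode (alarm to NMS)
    err_disabled: bool = False       # set once shutdown mode triggers

    def add_static(self, mac):
        """switchport port-security mac-address <MAC>; counts toward maximum."""
        if len(self.allowed) >= self.maximum:
            raise ValueError("static address would exceed maximum")
        self.allowed.add(mac.lower())

    def receive(self, mac):
        """Handle one frame; return 'forward', 'drop' or 'err-disabled'."""
        mac = mac.lower()
        if self.err_disabled:
            return "err-disabled"          # port stays down until re-enabled
        if mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.maximum:
            self.allowed.add(mac)          # the first addresses seen "stick"
            return "forward"
        if self.violation == "protect":
            return "drop"                  # silently discarded
        if self.violation == "restrict":
            self.violations += 1           # dropped, and the NMS is alarmed
            return "drop"
        self.err_disabled = True           # shutdown: port goes err-disabled
        return "err-disabled"


def demo(mode):
    """Run four constructed frames through a max-2 port in the given mode."""
    port = SecuredPort(maximum=2, violation=mode)
    frames = ["00aa.bb01.0001", "00aa.bb01.0002",   # learned, then allowed
              "00aa.bb01.0003",                     # third address: violation
              "00aa.bb01.0001"]                     # known address afterwards
    return [port.receive(m) for m in frames], port
```

Calling demo("restrict") shows the same drops as protect but with the violation counter incremented, while demo("shutdown") stops forwarding even the known address once the port is err-disabled.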
MOTD Banner
Cisco IOS provides for a banner to be displayed when the switch or router is accessed. If you are familiar with UNIX, you probably have seen similar banners, sometimes called the MOTD, or “message of the day.”
The message of today seems to be a warning to unauthorized people to go away. There is a fable, which may even be true, that a person was criminally charged with maliciously accessing a system and destroying the system or data on the system. According to the tale, when the person accessed the system, they received a “Welcome” banner. This apparently meant that the person had permission from the owners to cause as much damage as possible, and, therefore, the case was dismissed. Homeowners fear that the dismissal of the case will soon apply to them, which is why sales of welcome mats have decreased and sales of firearms have increased.
The banner is any text that you decide to be displayed each time someone accesses the switch or router from the console port or a vty connection. The banner is created in global configuration mode by using the banner command.
There are several types of banners (as listed by the IOS help for the banner command):
LINE c banner-text c, where 'c' is a delimiting character
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
A delimiter character is required in the banner command. The delimiter character is the character that notifies the IOS to terminate the banner text. In English, that means that you specify a character that will tell the switch or router that you have entered all of the banner text.
It is possible to use the Enter key while creating the banner to help format the banner. A banner can be 256 characters, but a normal monitor screen displays about 80 or so characters. If you don’t want most of your banner to disappear on the right side of your screen, use the Enter key to start a new line occasionally. The router or switch will not consider the banner to be “finished” until you use the delimiter character.
The command format is
banner [banner type] [delimiter character] [text] [delimiter character]
In the example below, the “&” character will be used as the delimiter character.
labsw1(config)#banner motd & This is a private network and not available to unauthorized
access. If you are not authorized, you can and will be
prosecuted to the fullest extent of the law. &
Test the banner by exiting your connection and re-establishing the connection. When you connect, you should receive a message:
PC>telnet labsw1
Trying 192.168.1.75 ...
This is a private network and not available for private
access. If you are not authorized, you can and will be prosecuted to the fullest extent of the law.
User Access Verification
Password:
It is a very good idea to AVOID commonly used characters like letters and numbers as the delimiter character. If, in the example above, you had specified the letter “a” as the delimiter, the message would end at the first occurrence of “a”, and the banner would read “This is”. While that may be existentially true, it’s not very helpful.
Packet Tracer only supports motd banner messages. Exam hint, perhaps?
History file
Cisco IOS supports command recall to reuse, or to modify and use, commands that have been entered in the current session. The current session is the one that started when you logged in. All commands are deleted when you exit the session. To access the commands, use the Up arrow key and Down arrow key to cycle through the commands.
The history file is context sensitive. If you are in EXEC mode, only commands that were entered in EXEC mode can be recalled. If you are in configuration terminal mode, commands entered in configuration terminal mode can be recalled, but not the commands that were entered in EXEC mode. When you return to Exec mode, only commands previously entered in EXEC mode can be recalled.
Practical Note: An interesting feature of command recall is that the Delete key does not work. This can be frustrating when you first try to use it. Placing the cursor on a character and pressing the Delete key will probably insert a nonsensical character into the text without deleting anything. If you need to modify a previous command, place the cursor under the character to the right of the one that you want to delete, and press the Backspace key. You can backspace to remove characters as long as you have characters to backspace over. Typing inserts characters to the left of the cursor. Practice with it. It’s an important skill but probably not on the exam.
The number of commands saved by the switch or router, however, may be a test question. The default history size is the last ten commands, which may be too limited, depending on the tasks you are performing in the switch or router. To increase the number of commands stored in the history file, use the EXEC command (not a configuration command):
labsw1#terminal history size x
(where x is a number between 1 and 256. That’s right: 256. 257 and above will not work.)
To recall commands already entered, use the Up key on the keyboard. Continue to press Up until the desired command is displayed. Hit Enter to reuse the command. This is a time saving tool when doing repetitive tasks. If you need to "go back" through the list of previous commands, use the Down arrow.
To display all of the commands in the history file, use the command:
labsw1#show terminal history
Remember: when you exit the switch or router, all of your command history is deleted. The change to the terminal history file size is also reset to the default. You get to start over.
Like all of the topics on the exam, the true value of command recall is when you are actually working with Cisco equipment. It is convenient to recall a long command that has a typo and correct the typo instead of retyping the command (and making the mistake again). Or you may need to use a particular show command multiple times to see if a status changes, or to watch totals change. The Up arrow makes that much easier and faster.
What we are saying, hedgelings, is learn how to use the Up and Down arrows and/or backspace to make your network life easier. Learn to display and change the history file to pass the exam. Both are good.
Password Encryption
Few topics receive more attention these days than security, and encryption is a vital part of security. With the right IOS and hardware, many things can be encrypted on a device: the actual data being transmitted, the data exchanged in a vty session, and some elements of the configuration.
In this section, we discuss password encryption. We will cover session, or vty connection, encryption in a later lab.
You have seen one example of password encryption with the enable secret password. The enable secret password is encrypted (okay, for you real nit-picky hedgelings, it is actually a hash of the password, but it works pretty much the same). However, the rest of the passwords (console and vty) are in clear text, as shown in the following example.
labsw1#sho run
Building configuration...
Current configuration : 1203 bytes
!
version 12.1
no service password-encryption
!
hostname labsw1
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password pass1
!
ip name-server 192.168.1.3
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
(lines omitted)
!
interface Vlan1
ip address 192.168.1.75 255.255.255.0
!
banner motd ^C This is a private network and not available for private
access. If you are not authorized, you can and will be prosecuted to the
fullest extent of the law.^C
line con 0
password cisco
login
!
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
To encrypt the display of the passwords, use the command:
labsw1(config)#service password-encryption
Exit configuration mode and display the configuration again to see the encrypted passwords.
labsw1#sho run
Building configuration...
Current configuration : 1236 bytes
!
version 12.1
service password-encryption
!
hostname labsw1
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 08314D5D1A48
!
ip name-server 192.168.1.3
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
(lines omitted)
!
line con 0
password 7 0822455D0A16
login
!
line vty 0 4
password 7 0822455D0A16
login
line vty 5 15
password 7 0822455D0A16
login
A switch or router configuration can have other "passwords" that are important to encrypt. The service password-encryption command will also encrypt those passwords.
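As an added check (not part of the lab and not Cisco code), the following Python audits a saved running-config for the three credential forms shown above, so clear-text lines can be found before a configuration is copied to a TFTP server or shared. SAMPLE_CONFIG is a constructed excerpt modelled on the output above.

```python
"""Classify credential lines in a saved Cisco running-config.
Added example, not Cisco code. It recognises the three forms shown in this
lab: clear text, type 7 (service password-encryption) and type 5 (enable
secret). SAMPLE_CONFIG is a constructed excerpt, not a real device's config."""
import re

SAMPLE_CONFIG = """\
no service password-encryption
hostname labsw1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password pass1
line con 0
 password cisco
 login
line vty 0 4
 password 7 0822455D0A16
 login
"""

# keyword, optional encryption type number, then the stored value
CRED_RE = re.compile(r"^\s*(enable secret|enable password|password)\s+(?:(\d+)\s+)?(\S+)")


def classify(ptype):
    """Map the type number after the keyword to what it actually protects."""
    if ptype == "5":
        return "hashed"      # MD5-based hash; the password cannot be read back
    if ptype == "7":
        return "type7"       # reversible obfuscation; only hides it on screen
    return "cleartext"       # no type number: stored exactly as typed


def audit(config):
    """Return (service password-encryption on?, [(line_no, keyword, class)])."""
    enabled = False
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        if line.strip() == "service password-encryption":
            enabled = True
        m = CRED_RE.match(line)
        if m:
            keyword, ptype, _value = m.groups()
            findings.append((n, keyword, classify(ptype)))
    return enabled, findings


def cleartext_lines(config):
    """Line numbers to fix before the config leaves the device."""
    return [n for n, _kw, cls in audit(config)[1] if cls == "cleartext"]
```

Running audit(SAMPLE_CONFIG) reports the enable secret as hashed, the enable password and console password as clear text, and the vty password as type 7, with service password-encryption off.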
DNS
DNS is a potential exam question, and more importantly, it is one of the most important aids in managing a network. You are probably very aware of how important DNS is in navigating the Internet. You can remember google.com, yahoo.com, and hopefully hedgehogtech.blogspot.com, but you might have some difficulty remembering the IP addresses of those sites.
If you are unfamiliar with DNS, DNS is the process that allows you to use a word or name instead of the IP address of a site, or in our case, a device in the network. If you have not worked in a network environment, you may not be aware that most, probably all, enterprise networks maintain their own DNS for managing their networks. It is more common to use a name like labsw1 and PC1 than to use 192.168.1.75 or 192.168.1.2.
Before you can configure your switch or router to use DNS, you must first create a DNS server and connect it to the network. If you are using a hardware lab, you will need DNS server software. (Note: any difficulty with this section will probably be configuring the DNS software. The switch/router commands are very simple.)
If you are using Packet Tracer, you will need to use the generic server and configure DNS. The DNS entry contains both the name of the device, PC1, and the IP address of the device, 192.168.1.2, as well as labsw1 - 192.168.1.75.
For this exercise:
- Install a DNS server in your network. Unless you have unlimited funds and space, you will probably install it on PC1. Note the IP address of the system supporting DNS, such as 192.168.1.2. Connect the server and PC1 to VLAN 1 interfaces: Fa0/9 – Fa0/24 (depending on the model of your switch). You should know the reason for using VLAN 1 interfaces from Lab 8: the devices connected to a switch must be in the same VLAN as the VLAN interface to use the VLAN 1 interface. With the current switch configuration, the switch can only use services on VLAN 1, since VLAN 1 is the management interface.
- Create two entries in the DNS server: PC1 – 192.168.1.2, and labsw1 – 192.168.1.75
- Configure the switch to use the DNS server with the global configuration command:
labsw1(config)#ip name-server 192.168.1.2
- Exit configuration mode and ping PC1 from labsw1:
labsw1#ping pc1 (or pc1.workgroup, if you are using Dual Server)
You are successful when you can ping PC1 from labsw1.
You should also configure all equipment in your lab to use the DNS server: PCs, switches, and routers. It will make life easier. When you have configured the PC for your lab DNS server, ping labsw1 from the PC.
In most networks, you will use the same DNS server for the entire network. All Cisco devices will be configured with the same command: ip name-server x.x.x.x. If your lab includes a DNS server, we strongly recommend that you update the DNS entries as equipment is added to the lab. It is just as helpful in a lab as it is in an actual network.
Since adding PCs and servers to a Packet Tracer network is easy and cheap (see if your network simulator supports a DNS server), we recommend that you create a DNS server that is not part of the “normal” lab devices, and give it an IP address such as 192.168.1.240. Unfortunately, you cannot configure the DNS server with its own IP address as the DNS server, as you can with most real DNS servers. You can, however, configure all other devices to use the DNS server.
Testing DNS
Make sure your DNS entries are correct. Always ping a device by name, such as pc1, labsw1, etc. Look for the following errors:
- Ping request could not find host pc4. Please check the name and try again. – This error means that no DNS entry exists for the device.
- Request timed out – This error is often the result of an incorrect IP address. The ping process displays the IP address that is being pinged. If the ping request times out, check the IP address in the DNS entry and make sure it is correct. If the entry is correct, make sure that the device itself is addressed correctly. Finally, check that the cabling is correct, that the device is in the right VLAN, and that the port is up/up. If the ping to the DNS name fails, ping the IP address. If the address ping is successful, it is probably a mistake in the DNS entry; usually the IP address is mistyped.
When completed, save the running configuration to the startup configuration and to the TFTP server.
Note to the ambitious: DNS management is a very profitable career choice. Getting a CCNA® is very helpful toward learning and supporting DNS, so these CCNA® studies are by no means wasted if you decide to move in a DNS support direction. You have to understand IP to successfully manage DNS. The most common DNS software is BIND, which is free in FreeBSD and many Linux distributions. It ain’t so easy to learn, which is why someone will pay you well if you have these skills. Kinda like getting a CCNA, CCNP, CCIE, etc.