
16.4.6 - 16.5.1 Packet Tracer Labs


Packet Tracer 16.4.6 - Configure Secure Passwords and SSH

Addressing Table
Device  Interface  IP Address    Subnet Mask    Default Gateway
RTA     G0/0       172.16.1.1    255.255.255.0  N/A
PCA     NIC        172.16.1.10   255.255.255.0  172.16.1.1
SW1     VLAN 1     172.16.1.2    255.255.255.0  172.16.1.1

Scenario
The network administrator has asked you to prepare RTA and SW1 for deployment. Before they can be connected
to the network, security measures must be enabled.

Instructions
Configure Basic Security on the Router

a. Configure IP addressing on PCA according to the Addressing Table.


b. Console into RTA from the Terminal on PCA.
c. Configure the hostname as RTA.
d. Configure IP addressing on RTA and enable the interface.
e. Encrypt all plaintext passwords.
RTA(config)# service password-encryption
f. Set the minimum password length to 10.
RTA(config)# security passwords min-length 10
g. Set a strong secret password of your choosing. Note: Choose a password that you will remember, or you will
need to reset the activity if you are locked out of the device.
h. Disable DNS lookup.
RTA(config)# no ip domain-lookup
i. Set the domain name to CCNA.com (case-sensitive for scoring in PT).
RTA(config)# ip domain-name CCNA.com
j. Create a user of your choosing with a strong encrypted password.
RTA(config)# username any_user secret any_password
k. Generate 1024-bit RSA keys.
Note: In Packet Tracer, enter the crypto key generate rsa command and press Enter to continue.
RTA(config)# crypto key generate rsa
The name for the keys will be: RTA.CCNA.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024

l. Block anyone for three minutes who fails to log in after four attempts within a two-minute period.
RTA(config)# login block-for 180 attempts 4 within 120
m. Configure all VTY lines for SSH access and use the local user profiles for authentication.
RTA(config)# line vty 0 4
RTA(config-line)# transport input ssh
RTA(config-line)# login local
n. Set the EXEC mode timeout to 6 minutes on the VTY lines.
RTA(config-line)# exec-timeout 6
o. Save the configuration to NVRAM.
p. Access the command prompt on the desktop of PCA to establish an SSH connection to RTA.
C:\> ssh /?
Packet Tracer PC SSH
Usage: SSH -l username target
C:\>

Configure Basic Security on the Switch


Configure switch SW1 with corresponding security measures. Refer to the configuration steps on the router if you
need additional assistance.
q. Click on SW1 and select the CLI tab.
r. Configure the hostname as SW1.
s. Configure IP addressing on SW1 VLAN1 and enable the interface.
t. Configure the default gateway address.
u. Disable all unused switch ports.
Note: On a switch it is a good security practice to disable unused ports. One method of doing this is to simply shut
down each port with the ‘shutdown’ command. This would require accessing each port individually. There is a
shortcut method for making modifications to several ports at once by using the interface range command. On
SW1 all ports except FastEthernet0/1 and GigabitEthernet0/1 can be shut down with the following commands:
SW1(config)# interface range F0/2-24, G0/2
SW1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
<Output omitted>
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
%LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
The command used the port range of 2-24 for the FastEthernet ports and then a single port range of
GigabitEthernet0/2.
v. Encrypt all plaintext passwords.
w. Set a strong secret password of your choosing.
x. Disable DNS lookup.
y. Set the domain name to CCNA.com (case-sensitive for scoring in PT).
z. Create a user of your choosing with a strong encrypted password.
aa. Generate 1024-bit RSA keys.
bb. Configure all VTY lines for SSH access and use the local user profiles for authentication.
cc. Set the EXEC mode timeout to 6 minutes on all VTY lines.
dd. Save the configuration to NVRAM.


Packet Tracer 16.5.1 - Secure Network Devices

Addressing Table
Device     Interface  Address        Mask           Gateway
RTR-A      G0/0/0     192.168.1.1    255.255.255.0  N/A
RTR-A      G0/0/1     192.168.2.1    255.255.255.0  N/A
SW-1       SVI        192.168.1.254  255.255.255.0  blank
PC         NIC        192.168.1.2    255.255.255.0  blank
Laptop     NIC        192.168.1.10   255.255.255.0  blank
Remote PC  NIC        192.168.2.10   255.255.255.0  blank

Requirements
Note: To keep this activity brief and easy to manage, some security configuration settings have not been made. In
other cases, security best practices have not been followed.
In this activity you will configure a router and a switch based on a list of requirements.

Instructions
Document the Network
Complete the addressing table with the missing information.


Router configuration requirements:


• Prevent IOS from attempting to resolve mistyped commands to domain names.
• Hostnames that match the values in the addressing table.
• Require that newly created passwords be at least 10 characters in length.
• A strong ten-character password for the console line. Use @Cons1234!
• Ensure that console and VTY sessions close after 7 minutes exactly.
• A strong, encrypted ten-character password for the privileged EXEC mode. For this activity, it is permissible to
  use the same password as the console line.
• A MOTD banner that warns about unauthorized access to the devices.
• Password encryption for all passwords.
• A user name of NETadmin with encrypted password LogAdmin!9.
• Enable SSH.
  o Use security.com as the domain name.
  o Use a modulus of 1024.
• The VTY lines should use SSH for incoming connections.
• The VTY lines should use the username and password that were configured to authenticate logins.
• Impede brute force login attempts by using a command that blocks login attempts for 45 seconds if someone
  fails three attempts within 100 seconds.
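
An added example, not part of the lab or Cisco's material: a short Python check that a saved running-config satisfies the router requirements listed above. The sample config is constructed, the command forms are assumed to be as IOS normally displays them (for example `exec-timeout 7 0` for 7 minutes), and the RSA key pair is not checked.

```python
import re

# Constructed running-config for illustration (not output from the lab).
# The vty block is deliberately left weak so the audit reports findings.
SAMPLE_CONFIG = """\
service password-encryption
security passwords min-length 10
enable secret 5 $1$CONSTRUCTED$HASH
no ip domain-lookup
ip domain-name security.com
username NETadmin secret 5 $1$CONSTRUCTED$HASH
login block-for 45 attempts 3 within 100
banner motd ^CAuthorized access only^C
line con 0
 exec-timeout 7 0
 password 7 CONSTRUCTED
 login
line vty 0 4
 transport input telnet ssh
 login
"""

GLOBAL = [r"service password-encryption", r"security passwords? min-length 10",
          r"no ip domain[- ]lookup", r"enable secret \S.*", r"banner motd .+",
          r"ip domain[- ]name security\.com", r"username NETadmin secret \S.*",
          r"login block-for 45 attempts 3 within 100"]
PER_LINE = {"line con": [r"exec-timeout 7 0", r"password \S.*"],
            "line vty": [r"exec-timeout 7 0", r"transport input ssh", r"login local"]}

def audit(config):
    """Return findings: required commands missing globally or per line block."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current:      # indented = sub-command of current block
            blocks[current].append(raw.strip())
        elif raw.strip() not in ("", "!"):       # global command or block header
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    has = lambda pat, lines: any(re.fullmatch(pat, l) for l in lines)
    findings = [f"global: missing '{p}'" for p in GLOBAL if not has(p, top)]
    for header, cmds in blocks.items():          # every vty/console block is checked
        for prefix, required in PER_LINE.items():
            if header.startswith(prefix):
                findings += [f"{header}: missing '{p}'" for p in required if not has(p, cmds)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Because every block whose header starts with `line vty` is checked, a device that also has `line vty 5 15` is flagged when only lines 0 to 4 were hardened.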

Switch configuration requirements:


• All unused switch ports are administratively down.
• The SW-1 default management interface should accept connections over the network. Use the information
  shown in the addressing table. The switch should be reachable from remote networks.
• Use @Cons1234! as the password for the privileged EXEC mode.
• Configure SSH as was done for the router.
• Create a user name of NETadmin with encrypted secret password LogAdmin!9
• The VTY lines should only accept connections over SSH.
• The VTY lines should only allow the network administrator account to access the switch management
  interface.
• Hosts on both LANs should be able to ping the switch management interface.

© 2015 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public. www.netacad.com
