PRACTICAL 1

AIM: Configure Routers:

a. OSPF MD5 authentication.
b. NTP.
c. to log messages to the syslog server.

a. OSPF MD5 authentication.

Theory:
➢ OSPF (Open Shortest Path First) is a link-state routing protocol that helps routers determine
the best path for data transmission based on network topology. OSPF operates
by dividing networks into areas, with Area 0 serving as the backbone.
➢ Routers in the same area exchange link-state advertisements (LSAs) to share
information, and each router independently calculates the best paths using
the Dijkstra algorithm.
➢ OSPF supports fast convergence, making it well-suited for large, dynamic networks.
➢ To secure OSPF routing updates, MD5 (Message Digest 5) authentication is used to ensure
message integrity and prevent unauthorized routers from injecting false routing
information.
➢ By applying an MD5 hash, OSPF ensures that the received routing updates are from
legitimate sources and have not been tampered with.
➢ Both routers must have the same shared MD5 key configured for authentication. This
enhances the security of OSPF communications, ensuring that only trusted routers can
exchange routing updates.

Steps to perform:
1. Set up the Topology
1. Add Devices:
o Drag two routers onto the workspace (e.g., Router0 and Router1).
2. Connect Devices:
o Use a straight-through cable to connect the routers via their interfaces (e.g.,
GigabitEthernet0/0/0).
2. Assign IP Addresses
1. Access Router CLI: Click on the router, then go to the CLI tab.
2. Assign IP addresses:
On Router0:
Router> enable
Router# configure terminal
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit

On Router1:
Router> enable
Router# configure terminal
Router(config)# interface GigabitEthernet0/0/0
 Router(config-if)# ip address 192.168.1.2 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
3. Verify Connectivity: Use the Ping tool to test connectivity between Router0 and Router1.

3. Configure OSPF
1. Enable OSPF on both routers:
On Router0:
Router(config)# router ospf 1
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Router(config-router)# exit
On Router1:
Router(config)# router ospf 1
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Router(config-router)# exit
2. Verify OSPF neighbors (optional, before authentication):
Router# show ip ospf neighbor

4. Configure MD5 Authentication

1. Enable MD5 authentication on the interfaces:
On Router0:
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip ospf message-digest-key 1 md5 mypassword
Router(config-if)# ip ospf authentication message-digest
Router(config-if)# exit
On Router1:
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip ospf message-digest-key 1 md5 mypassword
Router(config-if)# ip ospf authentication message-digest
Router(config-if)# exit
2. Verify OSPF Authentication:
o Check OSPF neighbors again to ensure they form:
Router# show ip ospf neighbor
o Confirm MD5 is enabled:
Router# show ip ospf interface GigabitEthernet0/0/0

Result:
• OSPF neighbors should establish adjacency only if both routers have matching MD5 keys
and password.
• The show ip ospf neighbor command confirms successful adjacency.
• The show ip ospf interface command confirms MD5 authentication is active on the
interface.
b. NTP.
Theory:
➢ NTP (Network Time Protocol) is a protocol used to synchronize the clocks of computers
and network devices over a packet-switched network.
➢ It helps maintain accurate time across all devices in a network, ensuring consistency in
logging, event coordination, and scheduled tasks.
➢ NTP uses a hierarchical system of time sources, with servers classified in strata: Stratum 0
(highly accurate sources like atomic clocks) down to Stratum 15. Devices sync their clocks
with a time server, which can be internal or external.

Steps to perform:
1. Network Setup
1. Add Devices:
o Add two routers (e.g., Router1 and Router2).
2. Connect Devices:
o Use straight-through cables to connect the routers and other devices via interfaces (e.g.,
GigabitEthernet0/0/0).
2. Configure Basic IP Connectivity
On Router1 (NTP Server):
1. Assign an IP address to Router1:
Router1> enable
Router1# configure terminal
Router1(config)# interface gigabitethernet0/0/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# no shutdown
Router1(config-if)# exit
2. Check ntp status
Router1# show ntp status
3. Set Router1 as the NTP Master:
Router1(config)# ntp master 1
Router1(config)# exit
4. Verify NTP configuration:
Router1# show ntp status
On Router2 (NTP Client):
1. Assign an IP address to Router2:
Router2> enable
Router2# configure terminal
Router2(config)# interface gigabitethernet0/0/0
Router2(config-if)# ip address 192.168.1.2 255.255.255.0
Router2(config-if)# no shutdown
Router2(config-if)# exit
2. Configure Router2 to synchronize with Router1:
Router2(config)# ntp server 192.168.1.1
Router(config)# exit
3. Verify NTP configuration:
Router2# show ntp associations
Router2# show clock
3. Verify NTP Synchronization
1. On Router2, check if the time is synchronized:
Router2# show ntp status
➢ Look for synchronized status and stratum level.
2. Test connectivity between Router1 and Router2:
Router2# ping 192.168.1.1
3. On Router1, verify its NTP role:
Router1# show ntp status

Results:
➢ On Router2, the command show ntp status should show "synchronized" status and
stratum level 1 (indicating Router1 is acting as the NTP master).
➢ The ping from Router2 to Router1 (ping 192.168.1.1) should be successful, confirming
network connectivity.
c. to log messages to the syslog server.
Theory:
➢ A syslog server collects, stores, and manages log messages from network devices for
monitoring, analysis, and troubleshooting.
➢ To log messages to a syslog server, a router or network device is configured to send log
messages to a specific IP address of the syslog server, which collects and stores these logs.
➢ This is typically done by specifying the server's IP address using the command logging
host <syslog-server-ip> and setting the logging level (e.g., logging trap informational).
➢ The router generates log messages for various events such as interface status changes,
routing updates, or system errors, and sends them to the syslog server.
➢ The syslog server stores these logs, providing a centralized location for network
monitoring, analysis, and troubleshooting.

Steps to perform:
1. Network Setup
• Devices Needed:
o Router (Router1, Router2, etc.)
o Syslog Server (Server with Syslog service enabled)
• Connections:
o Connect the router and the syslog server.
2. Configure IP Addresses
• On the Router:
o Assign an IP address to the router's interface.
Router> enable
Router# configure terminal
Router(config)# interface gigabitethernet0/0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
• On the Syslog Server:
o Assign an IP address to the Syslog server.
o Example: IP: 192.168.1.2, Subnet Mask: 255.255.255.0
3. Configure the Router to Send Logs to the Syslog Server
• Set the Syslog Server's IP:
Router(config)# logging host 192.168.1.2
• Set the Logging Level:
Router(config)# logging trap informational
• Enable Logging:
Router(config)# logging on
Router(config)# exit
4. Generate Log Messages
• Perform an action to generate log messages (e.g., shut down an interface).
Router# configure terminal
Router(config)# interface gigabitethernet0/0/0
Router(config-if)# shutdown
• Enable the interface again:
Router(config-if)# no shutdown
5. Verify Configuration
• Check the Router's Logging Configuration:
Router# show running-config | include logging
It should show the syslog server's IP address.
• Verify Syslog Messages on the Syslog Server:
o Go to the Syslog service on the PC and verify that the logs are displayed.
• View Logs on the Router:
Router# show logging

Results:
➢ The router should successfully send log messages to the syslog server, and the logs should
be visible on the Syslog server.
➢ On the router, the show logging command will display the generated log entries,
confirming the logging configuration is working correctly.
 PRACTICAL 2
AIM: Configure AAA Authentication
a. Configure a local user account on Router and configure
authenticate on the console and vty lines using local AAA
b. Verify local AAA authentication from the Router console and
the PC-A client

Theory:
➢ AAA stands for Authentication, Authorization, and Accounting, which are
essential components of network security.
➢ Authentication is the process of verifying the identity of a user, device, or
entity attempting to access a network or system.
➢ Authorization refers to the permissions granted to authenticated users, specifying
what resources they can access and what actions they can perform.
➢ Finally, Accounting tracks the actions of users and devices during their session,
maintaining logs that record activities such as login times, commands executed,
and resource usage, which helps with auditing and troubleshooting.
➢ Local AAA means that the authentication, authorization, and accounting
settings are configured locally on the device itself rather than relying on
an external server like a RADIUS or TACACS+ server.
➢ Console and VTY (Virtual Terminal) lines are types of access methods for
connecting to a router or switch.
➢ The console line refers to a physical serial connection that allows administrators
to access the device directly through a console cable. It's typically used for
out-of-band management, especially when remote access is unavailable.
➢ On the other hand, VTY lines are logical connections used for remote access
via Telnet or SSH. VTY lines allow administrators to connect to the device
over the network, providing more flexibility for management. Configuring
authentication on both the console and VTY lines with AAA ensures secure
access to the device by verifying user credentials before granting access.

Steps to perform:
1. Network Setup
Before configuring AAA, set up a basic network in Packet Tracer:
• Add a Router and a PC (e.g., PC-A).
• Connect the PC to the router via a switch or directly using a crossover
cable.
• Assign IP addresses to the PC and Router interfaces.
2. Basic Router Configuration
1. Assign an IP address to the router's interface and enable it:
Router> enable
Router# configure terminal
Router(config)# interface gigabitethernet0/0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
 Router(config-if)# exit
2. Configure the PC's IP settings (e.g., IP: 192.168.1.2, Subnet:
255.255.255.0, Gateway: 192.168.1.1).
3. Verify connectivity using ping from PC-A to the router:
C:\> ping 192.168.1.1
3. Configure Local AAA on the Router
1. Enable the AAA feature on the router:
Router(config)# aaa new-model
2. Create a local user account for authentication:
Router(config)# username sophia privilege 15 secret sophia24
3. Configure AAA authentication for console access:
Router(config)# aaa authentication login CONSOLE_AUTH local
4. Apply the AAA method to the console line:
Router(config)# line console 0
Router(config-line)# login authentication CONSOLE_AUTH
Router(config-line)# exit
5. Configure AAA authentication for VTY lines (Telnet/SSH):
Router(config)# line vty 0 4
Router(config-line)# login authentication CONSOLE_AUTH
Router(config-line)# exit
4. Verify AAA Configuration
From the Router Console
1. Log out of the router console using the exit command:
Router> exit
2. Log back in to the router. You should be prompted for a username and
password:
o Username: sophia
o Password: sophia24
From PC-A
1. Use Telnet to connect to the router:
C:\> telnet 192.168.1.1
2. Enter the same username and password (sophia, sophia24) when
prompted.
3. If successful, you'll gain access to the router CLI.

5. Testing and Troubleshooting

1. Verify AAA settings:
Router# show running-config | section aaa
This command shows all AAA-related configurations.
2. Test login with incorrect credentials to ensure unauthorized access is
denied.

Results:
➢ When accessing the router's console or using Telnet, you should be prompted to enter the
username "sophia" and the password "sophia24".
➢ If the correct credentials are entered, you will be granted access to the router's CLI with
privilege level 15 (full access).
➢ If incorrect credentials are entered, the router will deny access and prompt you to enter the
correct username and password, confirming that the AAA authentication is working as
expected.
 PRACTICAL 3
AIM: Configure, Apply and Verify an Extended Numbered ACL

Theory:
➢ An Access Control List (ACL) is a set of rules used to filter network traffic.
➢ ACLs filter traffic based on IP address, protocol, and port.
➢ Types: There are Standard ACLs (filter by source IP) and Extended ACLs (filter by
source/destination IP, protocol, and port).
➢ Direction: ACLs can be applied inbound (incoming) or outbound (outgoing) on interfaces.
➢ Implicit Deny: ACLs have an implicit "deny" at the end, meaning if no rule matches,
traffic is automatically blocked.
➢ ACLs help control access, enhance security, and manage network traffic.

Steps to perform:
1. Network Setup
Devices Required:
• 1 Router
• 2 Switches
• 2 Server
Connections:
• Connect PC1 → Switch1 → Router g0/0/0.
• Connect PC2 → Switch2 → Router g0/0/1.
• Use Copper Straight-Through cables for all connections.

2. Configure IP Addresses
PC1 Configuration:
1. Go to PC1 → Desktop → IP Configuration:
o IP Address: 192.168.1.10
o Subnet Mask: 255.255.255.0
o Default Gateway: 192.168.1.1
PC2 Configuration:
1. Go to PC2 → Desktop → IP Configuration:
o IP Address: 192.168.2.10
o Subnet Mask: 255.255.255.0
o Default Gateway: 192.168.2.1
Router Interface Configuration:
1. Open the Router CLI and configure its interfaces:
Router> enable
Router# configure terminal
Router(config)# interface fa0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface fa0/1
Router(config-if)# ip address 192.168.2.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
3. Test Basic Connectivity
From PC1: Open the Command Prompt and type: ping 192.168.2.10 / ftp 192.168.2.10
4. Configure the Extended ACL
1. Open the Router CLI and create the ACL:
Router> enable
Router# configure terminal
Router(config)# access-list 101 permit tcp 192.168.1.10 0.0.0.0 192.168.2.10
0.0.0.0 eq ftp
Router(config)# access-list 101 deny ip any any
Router(config)# exit
o permit tcp 192.168.1.10 0.0.0.0 192.168.2.10 0.0.0.0 eq ftp: Allows FTP traffic from PC1
to PC2.
o deny ip any any: Denies all other traffic.

5. Apply the ACL to an Interface

1. Apply the ACL to the g0/0/1 interface in the inbound direction:
Router(config)# interface g0/0/1
Router(config-if)# ip access-group 101 in
Router(config-if)# exit
Explanation:
o ip access-group 101 in: Filters all incoming traffic on the g0/0/1 interface.

6. Verify the ACL

1. View the configured ACL:
Router# show access-lists
Expected Output:
Extended IP access list 101
permit tcp host 192.168.1.10 host 192.168.2.10 eq ftp
deny ip any any
2. Verify the ACL is applied to the Fa0/1 interface:
Router# show ip interface g0/0/1
Expected Output:
FastEthernet0/1 is up, line protocol is up
Inbound access list is 101

7. Test the ACL

o Go to PC1 → Command Prompt.
o Type:
ftp 192.168.2.10
ping 192.168.2.10

Result:
Allowed Traffic:
• FTP traffic (port 21) from PC1 to PC2 is allowed.
Denied Traffic:
• All other traffic (e.g., ICMP, HTTP, etc.) is denied.
 PRACTICAL 4
AIM: Configure IP ACLs to Mitigate Attacks
a. Verify connectivity among devices before firewall configuration.
b. Use ACLs to ensure remote access to the routers is available only from management
station PC-C.
c. Configure ACLs on to mitigate attacks.

Theory:
➢ Access Control Lists (ACLs) are used to restrict access to critical network devices. By
configuring ACLs, remote access to routers via protocols like SSH can be limited to
trusted devices, such as a designated management station (e.g., PC). This prevents
unauthorized users from accessing network control devices.
➢ ACLs can block malicious or unwanted traffic to safeguard the network. By creating rules,
protocols like Telnet (port 23) and HTTP (port 80) can be denied, reducing exposure to
attacks.

Steps to perform:
Step 1: IP Addressing Plan
Create four subnets for the devices:
• Subnet 1: 192.168.1.0/24 (Server - Switch-1 - Router R0)
• Subnet 2: 192.168.2.0/24 (Router R0 - Router R1 link)
• Subnet 3: 192.168.3.0/24 (Router R1 - Router R2 link)
• Subnet 4: 192.168.4.0/24 (Router R2 - Switch-2 - PC)

Step 2: Device Configuration

Server Configuration
1. Assign an IP address:
IP: 192.168.1.2
Subnet: 255.255.255.0
Gateway: 192.168.1.1 (Router R0 interface FastEthernet0)
Router R0 Configuration
1. Assign the hostname and domain name:
hostname R0
ip domain-name sophia.com
2. Configure interfaces:
interface g0/0/0
ip address 192.168.1.1 255.255.255.0
no shutdown

interface g0/0/1
ip address 192.168.2.1 255.255.255.0
no shutdown
3. Enable SSH:
crypto key generate rsa
line vty 0 4
transport input ssh
login local
exit
username sophia privilege 15 password sophia24
Router R1 Configuration
1. Assign a hostname:
hostname R1
2. Configure interfaces:
interface <interface_connected_to_R0>
ip address 192.168.2.2 255.255.255.0
no shutdown
interface <interface_connected_to_R2>
ip address 192.168.3.1 255.255.255.0
no shutdown
Router R2 Configuration
1. Assign a hostname:
hostname R2
2. Configure interfaces:
interface <interface_connected_to_R1>
ip address 192.168.3.2 255.255.255.0
no shutdown
interface <interface_connected_to_Switch-2>
ip address 192.168.4.1 255.255.255.0
no shutdown
PC Configuration
1. Assign an IP address:
IP: 192.168.4.2
Subnet: 255.255.255.0
Gateway: 192.168.4.1 (Router R2 interface)
Step 3: Verify Connectivity
1. Ping from the Server (192.168.1.2) to the PC (192.168.4.2):
ping 192.168.4.2
2. Ping from the PC (192.168.4.2) to the Server (192.168.1.2):
ping 192.168.1.2
Step 4: Configure ACL for SSH Access
Restrict SSH access to Router R0 from the PC (192.168.4.2).
On Router R0:
1. Create a standard ACL to allow SSH access from PC:
access-list 10 permit host 192.168.4.2
2. Apply the ACL to VTY lines:
line vty 0 4
access-class 10 in

Step 5: Test SSH Login

From the PC, test SSH access to Router R0 (192.168.1.1):
1. Open a terminal and enter:
ssh -l sophia 192.168.1.1
2. Verify successful login. Test SSH access from other devices to confirm it is blocked.

Result:
The practical successfully verified connectivity between the server and PC, ensuring proper
network setup. SSH access to Router R0 was restricted and validated, allowing only the PC
(192.168.4.2) to connect, while other devices were blocked as per the ACL configuration.
 PRACTICAL 4B

AIM: Configuring IPv6 ACLs

Steps to perform:
Step 1. Device Placement and Setup
➢ Devices used:
o 2 PCs (PC0 and PC1)
o 3 Switches
o 3 Routers
o 1 Server
➢ Hardware Configuration:
o Power off all routers.
o Drag and place the HWIC-2T module into an available slot of each router to
enable serial interfaces.
o Power on all routers.
Step 2. Physical Connections
• Use appropriate cables:
o PCs to switches: Copper straight-through cables.
o Switches to routers: Copper straight-through cables.
o Routers to each other (serial): Serial DCE/DTE cables.
o Server to a switch: Copper straight-through cable.

Step 3. IPv6 Address Assignments

Assign the following IPv6 addresses and default gateways to the devices:
• PC0:
o IPv6 Address: 2002::2/64
o Default Gateway: 2002::1
• PC1:
o IPv6 Address: 2001::2/64
o Default Gateway: 2001::1
• Server:
o IPv6 Address: 2005::2/64
o Default Gateway: 2005::1

Step 4. Router Configuration

All routers are configured for IPv6 routing, RIP, and interface IP assignments.
Router 0
1. Enable IPv6 unicast routing:
ipv6 unicast-routing
2. Configure interfaces:
interface gigabitEthernet0/0
ipv6 address 2002::1/64
ipv6 rip a enable
no shutdown
exit

interface gigabitEthernet0/1
ipv6 address 2001::1/64
ipv6 rip a enable
no shutdown
exit

interface serial0/1/0
ipv6 address 2003::1/64
ipv6 rip a enable
no shutdown
exit
Router 1

1. Enable IPv6 unicast routing:

ipv6 unicast-routing
2. Configure interfaces:
interface serial0/1/0
ipv6 address 2003::2/64
ipv6 rip a enable
no shutdown
exit

interface serial0/1/1
ipv6 address 2004::1/64
ipv6 rip a enable
no shutdown
exit
Router 2

1. Enable IPv6 unicast routing:

ipv6 unicast-routing
2. Configure interfaces:
interface serial0/1/1
ipv6 address 2004::2/64
ipv6 rip a enable
no shutdown
exit
 interface gigabitEthernet0/0
ipv6 address 2005::1/64
ipv6 rip a enable
no shutdown
exit

Step 5. Test Connectivity

1. Ping Test:
o From PC0: ping 2002::2
o From PC0: ping 2004::1
o From PC1: ping 2005::1
2. Web Test:
o Open the browser on PC1 or the Server and access http://[2005::2].

Step 6. Apply IPv6 Access Control List (ACL)

The ACL is configured to block HTTP (port 80) and HTTPS (port 443) traffic to the server
while allowing all other traffic.
Router 1 Configuration
1. Create an IPv6 ACL named Sophia:
ipv6 access-list Sophia
deny tcp any host 2005::2 eq www
deny tcp any host 2005::2 eq 443
permit ipv6 any any
exit
2. Apply the ACL to the Serial0/1/1 interface (outbound traffic):
interface serial0/1/1
ipv6 traffic-filter Sophia out
exit

Result:
o PCs and Server can ping their respective gateways and devices in the network.
o RIP propagates routes, enabling communication across routers.
o HTTP/HTTPS traffic to the server (2005::2) is blocked.
o Other types of traffic, including ICMP (ping), remain functional.
 PRACTICAL 5

AIM: Configuring a Zone-Based Policy Firewall

Theory:
➢ A Zone-Based Policy Firewall (ZBF) is a Cisco security feature that controls traffic flow
between different network segments by grouping interfaces into security zones.
➢ Traffic between zones is regulated using zone-pairs, class-maps, and policy-maps.
➢ Class-maps define the criteria for traffic classification (e.g., by protocols or ACLs), while
policy-maps determine actions like inspect, pass, or drop.
➢ Zone-pairs link zones and apply the policies to traffic flowing between them.
➢ ZBF provides stateful inspection, granular control, and improved security by ensuring that
only legitimate traffic is allowed, making it a robust and scalable solution for modern
network security.

Steps to perform:
1. Place and Connect Devices
1. Open Cisco Packet Tracer.
2. Place the following devices:
o 1 server
o 2 switches
o 3 routers
o 1 PC
3. Connect the devices using copper straight-through cables:
o Server → Switch 0 → Router 0 (g0/0)
o Router 0 (s0/1/0) → Router 1 (s0/1/0) o
Router 1 (s0/1/1) → Router 2 (s0/1/1)
o Router 2 (g0/0) → Switch 1 → PC
2. Configure Routers
1. Make Routers Serializable:
o Power off each router.
o Drag and drop the HWIC-2T module into the available slot.
o Power on the routers.
2. Router 0:
o Access the CLI of Router 0.
o Configure IP addresses:
en
 conf t
interface g0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
interface s0/1/0
ip address 192.168.2.1 255.255.255.252
no shutdown
exit
3. Router 1:
o Configure IP addresses:
en
conf t
interface s0/1/0
ip address 192.168.2.2 255.255.255.252
no shutdown
exit
interface s0/1/1
ip address 192.168.3.1 255.255.255.252
no shutdown
exit
4. Router 2:
o Configure IP addresses:
en
conf t
interface s0/1/1
ip address 192.168.3.2 255.255.255.252
no shutdown
exit
interface g0/0
ip address 192.168.4.1 255.255.255.0
no shutdown
exit
3. Configure Static Routes
1. Router 2:
o Add static routes:
ip route 192.168.1.0 255.255.255.0 192.168.3.1
ip route 192.168.2.0 255.255.255.0 192.168.3.1
2. Router 1:
o Add static routes:
ip route 192.168.4.0 255.255.255.0 192.168.3.2
ip route 192.168.1.0 255.255.255.0 192.168.2.1
3. Router 0:
o Add static routes:
 ip route 192.168.4.0 255.255.255.0 192.168.2.2
ip route 192.168.3.0 255.255.255.0 192.168.2.2
4. Configure Server and PC
1. Server:
o IP: 192.168.1.2
o Subnet Mask: 255.255.255.0
o Default Gateway: 192.168.1.1
2. PC 0:
o IP: 192.168.4.2
o Subnet Mask: 255.255.255.0
o Default Gateway: 192.168.4.1
5. Configure SSH on Router 1
1. Enable SSH:
en
conf t
ip domain-name sophia.com
hostname sophia
crypto key generate rsa
modulus 512
line vty 0 4
transport input ssh
login local
exit
username sophia privilege 15 password sophia24
6. Configure ZBF on Router 2
1. Enable security licensing if not active:
en
conf t
license boot module c1900 technology-package securityk9
accept
exit
reload
2. Configure ZBF:
conf t
zone security in-zone
exit
zone security out-zone
exit
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
class-map type inspect match-all in-map
match access-group 101
exit
policy-map type inspect in-out
class type inspect in-map
 inspect
exit
zone-pair security in-out-zone source in-zone destination out-zone
service-policy type inspect in-out
exit
interface g0/0
zone-member security in-zone
exit
interface s0/1/1
zone-member security out-zone
exit
copy running-config startup-config
7. Verification
1. On PC 0:
o Ping the server: ping 192.168.1.2.
o SSH into Router 1: ssh -l sophia 192.168.3.1.
2. On Server:
o Ping the PC: ping 192.168.4.2.
o Open a web browser and access the server URL: 192.168.1.2.
3. On Router 2:
o View session information:
en
show policy-map type inspect zone-pair sessions

Result
1. Successful pings confirm network connectivity.
2. The PC connects to the server using SSH and accesses it via a web browser.
3. ZBF ensures controlled traffic flow, confirming security policies are implemented
correctly.
 PRACTICAL 6
AIM: Configure IOS Intrusion Prevention System (IPS) Using the CLI
a. Enable IOS IPS.
b. Modify an IPS signature.

Theory:
➢ Cisco IOS Intrusion Prevention System (IPS) is a security feature that detects and prevents
potential threats by analyzing network traffic in real time. It helps safeguard networks from
malicious activities such as unauthorized access, Denial-of-Service (DoS) attacks, and
network reconnaissance by actively monitoring and blocking suspicious packets.
➢ IOS IPS uses predefined and customizable signature-based detection to identify threats.
When enabled on a router, it examines incoming and outgoing traffic, matches it against a
database of known attack signatures, and takes predefined actions such as alerting the
administrator or blocking the traffic. By applying IPS to an interface, administrators can
prevent attacks before they affect network resources.
➢ IPS signatures define the patterns of known threats that the system should detect. By default,
all signatures are retired, meaning they are inactive. Administrators can selectively enable
signatures based on security requirements. In this practical, signature 2004 was modified to
block ICMP (ping) requests, ensuring protection against network reconnaissance attempts.

Steps to perform:
1. Set Up the Network Topology
• Place 2 PCs, 1 Server, 2 Switches, and 3 Cisco 1941 Routers.
• Add HWIC-2T serial ports to make the routers serializable.
• Connect all devices according to the following IP configuration:
Device Interface IP Address Default Gateway
PC0 NIC 192.168.1.3 192.168.1.1
PC1 NIC 192.168.4.2 192.168.4.1
Server NIC 192.168.1.2 192.168.1.1
Router0 S0/1/0 192.168.2.1 N/A
G0/1 192.168.1.1 N/A
Router1 S0/1/0 192.168.2.2 N/A
S0/1/1 192.168.3.1 N/A
Router2 S0/1/1 192.168.3.2 N/A
G0/1 192.168.4.1 N/A
2. Configure RIP Routing
On Router0:
en
conf t
router rip
version 2
network 192.168.1.0
network 192.168.2.0
no auto-summary
exit
On Router1:
en
conf t
router rip
version 2
network 192.168.2.0
network 192.168.3.0
no auto-summary
exit
On Router2:
en
conf t
router rip
version 2
network 192.168.3.0
network 192.168.4.0
no auto-summary
exit

3. Enable the Security Package on Router1

Check if the security package is enabled:
en
show version

If it is not enabled, execute:

license boot module c1900 technology-package securityk9
exit
reload

Type yes when prompted.

After reboot, confirm:
en
show version
4. Configure IOS IPS
a. Set the Clock and Create the IPS Directory
clock set 09:02:20 February 2 2025
mkdir flash:isp6
Confirm: yes

b. Configure IPS
conf t
ip ips config location flash:sophia
ip ips name iosips
ip ips notify log
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
Confirm: yes
c. Apply IPS to Serial Interface
interface s0/1/0
ip ips iosips out
exit

5. Modify an IPS Signature to Block Pings

ip ips signature-definition
signature 2004 0
status
retired false
enabled true
exit
engine
event-action produce-alert
event-action deny-packet-inline
exit
exit
exit
Confirm: yes

6. Verify Connectivity
• Check if PC1 cannot ping Server (192.168.1.2):

ping 192.168.1.2
It should return Request Timed Out due to IPS blocking.
• Check PC1 to PC0 Connectivity:
ping 192.168.1.3
It should be successful.
• Verify Logging on Router0:
en
conf t
logging 192.168.1.2
exit
ping 192.168.1.2

Result:
Test Expected Result
ping 192.168.1.3 (PC1 to PC0) Success
ping 192.168.1.2 (PC1 to Server) Request Timed Out
ping 192.168.4.2 (Server to PC1) Success
Now, your IPS is correctly blocking unauthorized ping requests, ensuring security.
 PRACTICAL 7
AIM: Layer 2 Security
a. Assign the Central switch as the root bridge.
b. Secure spanning-tree parameters to prevent STP manipulation attacks.
c. Enable port security to prevent CAM table overflow attacks.

Theory:
➢ Spanning Tree Protocol (STP)
➢ Spanning Tree Protocol (STP) is used to prevent loops in a network topology that has
redundant paths. In this configuration:
➢ Switch0 is set as the primary root bridge for VLAN 1.
➢ Switch1 is set as the secondary root bridge to provide redundancy.
➢ PortFast and BPDU Guard are enabled on access ports to prevent topology changes and
block unauthorized switches.
➢ Port Security
➢ Port Security is configured to limit the number of MAC addresses on specific ports and
take actions if an unauthorized device is connected. In this configuration:
➢ Ports connecting end-user devices are set with a maximum of 2 MAC addresses.
➢ Sticky MAC ensures MAC addresses are learned dynamically.

Network Connection Table

Device 1 Port Device 2 Port
PC0 fa0 SwitchA fa0/1
PC1 fa0 SwitchA fa0/2
PC2 fa0 SwitchB fa0/1
PC3 fa0 SwitchB fa0/2
SwitchA fa0/23 Switch1 fa0/23
SwitchA fa0/24 Switch2 fa0/1
SwitchB fa0/24 Switch1 fa0/1
SwitchB fa0/23 Switch2 fa0/23
Switch1 fa0/24 Switch2 fa0/24
Switch1 g0/1 Switch0 (Core) g0/1
Switch2 g0/1 Switch0 (Core) g0/2
Switch0 fa0/1 Router 1941 g0/0
Router 1941 se0/1/0 CloudPT se0

Steps to perform:
A. Configure Spanning Tree Protocol (STP)
On Switch0 (Multi-Switch Mode - Root Bridge)
1. Enter privileged mode:
en
2. Show the current spanning tree configuration:
show spanning-tree
3. Enter global configuration mode:
conf t
4. Set Switch0 as the primary root bridge for VLAN 1:
spanning-tree vlan 1 root primary
5. Exit configuration mode:
exit
On Switch1 (Secondary Root Bridge)
1. Enter global configuration mode:
conf t
2. Set Switch1 as the secondary root bridge:
spanning-tree vlan 1 root secondary
3. Verify the spanning tree configuration:
do show spanning-tree
4. Exit configuration mode:
exit

B. Enable PortFast and BPDU Guard on Access Ports

On SwitchA:
en
conf t
interface range fastEthernet 0/1-2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
exit

On SwitchB:
en
conf t
interface range fastEthernet 0/1-2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
exit

On Switch1:
en
conf t
interface range fastEthernet 0/23-24
spanning-tree portfast
spanning-tree bpduguard enable
exit
On Switch2:
en
conf t
interface range fastEthernet 0/23-24
spanning-tree portfast
spanning-tree bpduguard enable
exit

C. Configure Port Security

On SwitchA:
en
conf t
interface range fastEthernet 0/1-2
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation shutdown
exit

On SwitchB:
en
conf t
interface range fastEthernet 0/1-2
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation shutdown
exit

D. Verify Port Security on SwitchA

1. Enter privileged mode:
en
2. Show port security status on interface f0/1:
show port-security interface fastEthernet 0/1

E. Disable Unused Ports for Security

On SwitchA:
en
conf t
interface range fastEthernet 0/3-22
shutdown
exit
On SwitchB:
en
conf t
interface range fastEthernet 0/3-22
shutdown
exit

Results:
➢ Spanning Tree Protocol (STP) is correctly implemented:
o Switch0 is the root bridge, ensuring proper network convergence.
o Switch1 is the secondary root bridge, providing backup.
o Redundant links will be put in blocking state to avoid loops.
➢ Port Security is properly enforced:
o Each port allows only 2 devices.
o Unauthorized devices will trigger a shutdown violation.
➢ BPDU Guard and PortFast are configured:
o Prevents topology changes from rogue switches.
o Enhances network performance by speeding up port transitions.
➢ Unused Ports are disabled, improving security by preventing unauthorized connections.
 PRACTICAL 8
AIM: Configure and Verify a Site-to-Site IPsec VPN Using CLI

Theory:
VLAN security is crucial for ensuring the integrity and protection of network traffic.
Implementing VLAN segmentation prevents unauthorized access and enhances network
performance by isolating different departments or functions. Key security measures include:
1. Port Security: Limits the number of MAC addresses per port to prevent MAC
flooding attacks.
2. BPDU Guard: Prevents unauthorized switches from participating in Spanning Tree
Protocol (STP).
3. VLAN ACLs (VACLs): Ensures traffic within VLANs is appropriately filtered.
4. Dynamic ARP Inspection (DAI): Protects against ARP spoofing attacks.
The implementation of VPN in this network further secures inter-router communication,
ensuring encrypted transmission between remote sites.

Network Connection Table

Steps to perform:
Steps to Perform: Configuring RIP and VPN on Routers
Step 1: Assign IP Addresses
1. PC0 → Connect to Switch0 via F0:
o IP: 192.168.1.2
o Switch Port: F0/24
o Network: 192.168.1.0
2. Router0:
o G0/0: 192.168.1.1
o S0/1/0: 192.168.2.1
3. Router2:
o S0/1/0: 192.168.2.2
o S0/1/1: 192.168.3.1
o G0/0: 192.168.5.1
4. Router1:
o S0/1/1: 192.168.3.2
o G0/0: 192.168.4.1
5. PC1 → Connect to Router1:
o IP: 192.168.4.2
6. PC2 → Connect to Router2:
o IP: 192.168.5.2

Step 2: Configure RIP Routing Protocol

Router0:
router rip
network 192.168.1.0
network 192.168.2.0
exit

Router1:
router rip
network 192.168.3.0
network 192.168.4.0
exit

Router2:
router rip
network 192.168.2.0
network 192.168.3.0
network 192.168.5.0
exit

Step 3: Verify Connectivity

1. PC0 to PC1
PC0> ping 192.168.4.2
2. PC2 to PC0
PC2> ping 192.168.1.2

Step 4: Enable Security License on Router0 & Router1

Router0:
en
conf t
license boot module c1900 technology-package securityk9
do write
exit
reload
Router1:
en
conf t
license boot module c1900 technology-package securityk9
do write
exit
reload
Step 5: Configure VPN Tunnel Between Router0 and Router1

Router0:
conf t
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
exit
crypto isakmp key sophia123 address 192.168.3.2
crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
crypto map vpn-map 10 ipsec-isakmp
set peer 192.168.3.2
set transform-set vpn-set
match address 110
exit

interface s0/1/0
crypto map vpn-map
exit

Router1:
conf t
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
exit
crypto isakmp key sophia123 address 192.168.2.1
crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
crypto map vpn-map 10 ipsec-isakmp
set peer 192.168.2.1
set transform-set vpn-set
match address 110
exit
interface s0/1/1
crypto map vpn-map
exit

Step 6: Verify VPN Configuration

1. Check VPN Security Association on Router0:
show crypto ipsec sa
2. Check VPN Security Association on Router1:
show crypto ipsec sa

Step 7: Final Testing

1. PC0 to PC1
ping 192.168.4.2
2. PC2 to PC0
ping 192.168.1.2
3. PC0 to PC2
ping 192.168.5.2
4. Check VPN SA after each test on Router0
show crypto ipsec sa

Results:
• VPN tunnel between Router0 and Router1 confirmed operational.
• Successful ping tests between PCs verifying secure communication.
• show crypto ipsec sa command validated secure VPN traffic.