Cisco Device Management Configuration Lab – CCNA 200-301

Posted on 2020-10-302020-10-31 by Gregnstuff

Cisco Device Management Configuration

Goal: Configure Syslog and SNMP (Simple Network Management Protocol) logging.

SNMP and Syslog

Configure SNMP communities read-only and read-write
- #conf t
- (config)#snmp-server community [password] ro
  - Read-only
- (config)#snmp-server community [password] rw
  - Read-write
Configure syslog server to receive all severity events
- (config)#logging 10.0.0.100
- (config)#logging debugging
Verify logging level
- #show logging

Cisco Device Security Configuration Lab – CCNA 200-301

Posted on 2020-10-302020-10-30 by Gregnstuff

Cisco Device Security Configuration Lab

Secure administrative access to Cisco routers in a small network.

Secure Privileged Exec Mode

Set the enable password
- #conf t
- (config)#enable password [password]
Set the enable secret password
- #conf t
- (config)#enable secret [password]
- NOTE: While both passwords can be set “secret” will over-ride/supersede the standard enable password.
show passwords
- #show running-config
- NOTE: Secret password in hashed and cannot be read while the standard password is in plain text.
Ensure all pain text passwords are encrypted
- #conf t
- (config)#service password-encryption

Secure Remote Telnet and SSH Access

Ensure user logged out after 15 minutes on console and virtual terminal
- Console
  - #conf t
  - (config)#line console
  - (config-line)#exec-timeout 15
- Virtual (vty)
  - #conf t
  - (config)#line vty 0 15
  - (config-line)#exec-timeout 15
Allow workstation at 10.0.0.10 to telnet to router with a different password
- Create an access list
  - (config)#access-list 1 permit host 10.0.0.10
- Apply list
  - (config)#line vty 0 15
  - (config-line)#access-class 1 in
  - (config-line)#password line [password]
Telnet users to the router should see “Authorized users only” message
- (config)#banner login [delimiter character]
- message
- [delimiter character]
Configure login in to require username and password
- #conf t
- (config)#username [username] password|secret [password]
- (config)#vty 0 15
- (config-line)#login local
- Note the will supersede the local passwords
Allow SSH to the router
- #conf t
- (config)#ip domain-name [name]
- (config)#crypto key generate rsa
- How many bits in the modulus [512]: 768
  - SSH requires 768
- (config)#line vty 0 15
- (config-line)#transport input ssh
  - NOTE: Need to know ssh command for CCNA test
    - ssh -l [username] [ip address]
Set console to use password and no username
- #config t
- (config)#line console 0
- (config-line)#login
- % Login disabled on line 0, until ‘password’ is set
- (config-line)#password [password]

NTP Network Time Protocol

Configure NTP to synchronise its time with 10.0.1.100 & set timezone as Pacific Standard time.
- (config)#ntp server 10.0.1.100
- (config)#clock timezone Pacific -8
Show time and verify ntp sync
- (config)#show clock
- (config)#show ntp status

Switch Management

Configure switch with an ip address on vlan 1
- #conf t
- (config)#int vlan 1
- (config-if)#ip address 10.0.1.50 255.255.255.0
- (config-if)#no shut
- (config-if)#exit
- (config)#ip default-gateway 10.0.1.1

Cisco IPv6 Configuration Lab – CCNA 200-301

Posted on 2020-10-292020-10-31 by Gregnstuff

Cisco IPv6 Configuration Lab

Goal: Configure the network to be dual-stack by adding support for IPv6 addresses.

Verify IPv4 Connectivity

Verify routers have been configured with IPv4 addresses
- #show ip int brief
View routes between routers
- #show ip route

IPv6 Addressing

Configure global unicast IPv6 address
- (config)#int [interface]
- (config-if)#ipv6 address [ipaddress]/[CIDR]
Configure devices with EUI-64
- (config-if)#ipv6 address [ip network address]/[CIDR] eui-64
When configuring a IPv6 address the interface also automatically configures a link-local address that starts with FE80::
Show IPv6 neighbors
- #show ipv6 neighbors

Static Routing

Verify which IPvt dynamic routing protocols are running
- #show ipv6 protocol
Configure default gateway
- (config)#ipv6 route ::/0 [gateway address]
Turn on IPv6 routing
- (config)#ipv6 unicast-routing
Configure static routes
- (config)#ipv6 route [IPv6 subnet]/[CIDR] [Next-hop ipv6 address]
Verify IPv6 routes
- #show ipv6 route

Keith Barker’s IPv6 Static Routing – Cisco 200-301

Posted on 2020-10-292020-10-29 by Gregnstuff

First off if you are not subscribed to Keith’s YouTube Channel and you are working on your CCNA… STOP EVERYTHING!!! and go subscribe: https://www.youtube.com/user/Keith6783

Video Summary: https://www.youtube.com/watch?v=xLstDGmzgFI

Keith goes through creating and routing a small network using Cisco Packet Tracer

Time Stamps:

6:20 – Network Design
10:40 – Network Addressing – IPv6 Planning and explanation
- 11:20 – Explination of 2001:DB8: IPv6 address
  - This address is set aside for documentation.
  - This is still routeable
- 14:20 – Discuss IPv6 addresses
  - 2XXX::-3XXX:: – Globally routable IPv6 addresses
  - FE80:: – Link Local Address
  - FFXX:: – Multi Cast Address
22:38 – Setup Network and Packet Tracer explanation
34:55 – Configuration of Routers
- 35:48 – Standard route default settings.
  - enable
    conf t
    line con 0
    logging sync
    no exec-timeout
    exit
    no ip domain-lookup
    endwr
- 34:42 – Hostname
- 37:55 – Configure interfaces
  - (config-if)ipv6 address [ipv6address] [link-local]
- 53:44 – Review what routes are needed
  - Talk about
    - “Optimal” route
    - Administrative Distance
- 1:04:48 – Write out routes
  - (config)#ipv6 unicast-routing
  - (config)#ipv6 route [network]/[cidr] [net-hop] [administrative distance]
- 1:12:50 – Apply network configuration

So the one thing that I found during this session if you put in the address incorrectly and the routes are in correct. Those routes do not show up when you do a show ipv6 route.

Cisco NAT Configuration Lab

Posted on 2020-10-272020-10-27 by Gregnstuff

Cisco NAT Configuration

Static NAT

Set inside and outside interfaces
- #conf t
- (config)#int f0/1
- (config-if)#ip nat outside
- (config-if)#int f0/0
- (config-if)#ip nat inside
Set the translation for inside and out side
- (config-if)#exit
- (config)#ip nat inside source static [insideLocalIP] [InsideGlobalIP]
  - Inside Local address – Actual configured IP address on the inside host OS
  - Inside global address – NAT’d address of inside host as it will be reached/seen by the outside network.
Verify translation
- (config)#end
- #show ip nat translation

Dynamic NAT

Set interface with clients that will use the pool as an inside interface
- #conf t
- (config)#int f1/0
- (config-if)#ip nat inside
Set dynamic pool
- (config-if)#exit
- (config)#ip nat pool [name of pool] [startingIPaddess] [endingIPaddress] netmask [subnet]
Create an access list for the allow addresses to use the pool
- (config)#access-list [Accesslist#] deny|permit|remark [protocol] [IpAddress] [Wildcard Mask]
Associate the access list with the NAT pool
- (config)#ip nat inside source list [accesslist#] pool [poolname]
Verify traffic
- show ip nat translation
Enable Port Address Translation so the last IP address in the range can be reused when all address have been allocated.
- Add the “overload flag at the end of the associate command
- (config)#ip nat inside source list [accesslist#] pool [poolname] overload

Port Address Translation (PAT)

Remove address from Router Interface and configure it to use DHCP
- #conf t
- (config)#int f0/0
- (config-if)#no ip address
- (config-if)#ip address dhcp
Configure NAT
- Repeat the assigning interfaces inside and outside
- Create access-list
- (config)#ip nat inside source interface f0/0 overload
Verify Nat translation
- #show ip nat trans
Show nat statistics
- #show ip nat stat

Keith Barker’s IT ELF – Cisco OSPF Neighbor States

Posted on 2020-10-27 by Gregnstuff

Who knew that the dating life of OSPF devices were controlled by the IT ELF?

First off if you are not subscribed to Keith’s Youtube channel and you are working on your CCNA, what are you thinking? Follow this link and subscribe! https://www.youtube.com/user/Keith6783

So IT Elf is an acronym for the OSPF states

I – Init
T – Two-way
E – Estart & Exchange
L – Loading
F – Full

Now as far as the dating portion, I will leave the video to explain that in detail but know that the DR (Designated Router) and BDR (Backup Designated Router) are a bit of a player as they are the only devices that build a full relationship will all the other devices. The devices that become DROTHER routers build two way relationship with the other DROTHER devices but will build a full relationship with DR and BDR.

Check out Keith’s OSPF Neighbor States | Cisco CCNA 200-301 video

Reference site when reporting cyber issues (phishing, vulnerabilities, etc…)

Posted on 2020-10-26 by Gregnstuff

United States Info Sec Information.

Sites to be used for reporting cyber issues.

FTC.GOV

Federal Trade Commision – one-stop resource, www.IdentityTheft.gov can help you report and recover from identity theft. Report fraud to the FTC at ftc.gov/OnGuardOnline or www.ftc.gov/complaint.

US-CERT.GOV

Cybersecurity & Infrastructure Security Agency – Report Computer or network vulnerabilities to US-CERT via the hotline: 1-888-282-0870 or www.us-cert.gov. Forward phishing emails to websites to US-CERT at phishing: report@us-cert.gov

IC3.GOV

Internet Crime Complaint Center – If you are a victim of online crime, file a complaint with the IC3 at http://www.IC3.gov

SSA.GOV

Social Security Administration – If you believe someone is using your SSN, contact the Social Security Administration’s fraud hotline at 1-800-269-0271.

Cisco ACL Configuration Lab

Posted on 2020-10-25 by Gregnstuff

Numbered Standard ACL

Standard ACL Numbers
- 1-99, 1300-1999
Configure a number standard route to allow one subnet to pass-though while denying another subnet to a third subnet.
- As soon as a rule is applied there is also a deny all rule applied to the access list also.
- Standard Access lists only check the source address as opposed to extended ACL that checks both source and destination.
  - This requires that the list be completed on the outbound port toward the subnet that needs to be blocked.
- Commands
  - Create the outbound ACL on interface sending traffic to the subnet to be denied
    - (config-if)#ip access-group [Standard ACL#] out
  - Add rules to the newly created ACL
    - (config-if)#exit
    - (config)#access-group 1 deny [restricted subnet] [restricted wildcard mask]
    - (config)#access-group 1 permit [allowed subnet] [allowed wildcard mask]
      - This is needed as the default Deny All rule that is applied to all ACLs
- In the lab, they create the ACL rules first and then create the ACL that will house these rules. This makes sense as when you apply the ACL all traffic will be blocked until a permit rule is put in place.

Numbered Extended ACL

Extended ACL Numbers
- 100-199, 2000-2699
Configure a numbered extended ACL to permit telnet access to a single IP address while denying all other IP addresses.
- I did this incorrectly as I applied two rules while three are needed (all rules were provided on the inbound interface on the router for the subnet making the request.
  - I provided the permit rule for the single IP address and a deny rule for all other IP addresses. The default deny all traffic on the ACL blocked all other traffic.
  - Since numbered ACLs cannot be reordered, the ACL was deleted and re-applied the rules in the ordered needed.
- Commands
  - (config)#access-list 100 permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet
  - (config)#access-list 100 deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet
  - (config)#access-list 100 permit ip any any
  - (config)#int [inbound interface]
  - (config-if)#ip access-list 100 in

Named Extended ACL

Remove the number extended ACL
- Command
  - (config-if)#no ip access-group [group#] in
Configure and apply a named extended ACL
- (config)#ip access-list extended [Name]
- (config-ext-nacl)#permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet
- (config-ext-nacl)#deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet
- (config-ext-nacl)#permit icmp host 10.0.1.11 host 10.0.0.2 echo
- (config-ext-nacl)#deny icmp host 10.0.1.0 host 10.0.0.2 echo
- (config-ext-nacl)#permit ip any any
Apply ACL to interface
- (config-if)#ip access-group [access-list name] in|out

Cisco Port Security Configuration Lab

Posted on 2020-10-252020-12-19 by Gregnstuff

Disable Unused ports

(config)#int range f0/1-24
(config-if-range)shut

Port Security Configuration

(config-if)#switchport mode access
- must be an access port to apply port-security
(config-if)#switchport port-security
(config-if)#switchport port-security maximum [number of MACs allowed]
(config-if)#switchport port-security mac-address [mac address]
- To statically assign a MAC address to a port.

EtherChannel Configuration Lab

Posted on 2020-10-242020-10-24 by Gregnstuff

Configure EtherChannel

Each side of the etherchannel needs to be configured the same.
Types
- LACP
  - Active – Active = Connection
  - Active – Passive = Connection
  - Passive – Passive = No connection
- PAgP
  - auto – auto = No connection
  - auto – desirable = Connection
  - desirable – desirable = Connection
- Static
  - on – on = Connection
Commands
- (config)#int range [interfaces]
- (config-if-range)#channel-group [group#] mode [active, passive, auto, desirable, on]
- (config-if-range)#int po[group#]
- (config-if)#switchport mode trunk
- (config-if)#switchport trunk native vlan [vlan#]

Verify EtherChannel status

#show etherchannel summary

StackWise, VSS and vPC

Depending on the switch it will use one of the three versions. This allows two different switches to support upload links using IP addresses instead of layer two information.
Commands are very similar to layer 2 except for an additional command in the config-if-range and instead of setting trunk mode in the config-if you set an IP address
- (config)#int range [interfaces]
- (config-if-range)#channel-group [group#] mode [active, passive, auto, desirable, on]
- (config-if-range)#no switchport
- (config-if-range)#int po[group#]
- (config-if)#ip address [IPAddress] [Subnet]
- (config-if)#no shut