# 02 Network Infrastructure - labs - part 2
###### tags: `Network Infrastructure` `MCT` `MCT_IoTIE`
## Table of contents
[TOC]
## Combination of lab types 1.4, 2.1 and 3.1

### Step plan
- BRA
  - Interface configuration
    - Int fa0/0 - DHCP (WAN)
    - Int fa0/1 10.10.10.65/26
    - Int fa0/1.100 192.168.10.1/24 (Mgt VLAN)
  - NAT configuration + IPsec VPN ACLs
  - IPsec configuration
    - Configure isakmp (ike) - (isakmp phase 1)
    - creating extended acl
    - create ipsec transform (isakmp phase 2 policy)
    - create crypto map
    - apply crypto map to the public interface
    - network address translation (nat) and ipsec vpn tunnels
    - bringing up and verifying the vpn tunnel
  - Add routes
    - 192.168.10.0/26 10.10.10.66
    - 192.168.10.128/26 10.10.10.66
    - 192.168.10.192/26 10.10.10.66
  - Basic security hardening
    - Password Encryption and Length
    - Enable Secret Password
    - Line Login with Local Database
    - Disable CDP
    - Message-Of-The-Day (MOTD) or Login Banner
    - NTP-server
    - SSH configuration + ACL
- BRB
  - Interface configuration
    - Int fa0/0 - DHCP (WAN)
    - Int fa0/1.10 10.20.20.0/26
    - Int fa0/1.20 10.20.20.64/26
    - Int fa0/1.30 10.20.20.128/26
    - Int fa0/1.40 10.20.20.192/26
    - Int fa0/1.100 192.168.20.1/24 (Mgt VLAN)
  - NAT configuration + IPsec VPN ACLs
  - IPsec configuration
    - Configure isakmp (ike) - (isakmp phase 1)
    - creating extended acl
    - create ipsec transform (isakmp phase 2 policy)
    - create crypto map
    - apply crypto map to the public interface
    - network address translation (nat) and ipsec vpn tunnels
    - bringing up and verifying the vpn tunnel
  - Basic security hardening
    - Password Encryption and Length
    - Enable Secret Password
    - Line Login with Local Database
    - Disable CDP
    - Message-Of-The-Day (MOTD) or Login Banner
    - NTP-server
    - SSH configuration + ACL
- L3-Switch–LAN-A
  - Set hostname
  - Enable routing
  - Create routed interfaces
  - Create VLAN interfaces
  - Assign ports to VLANs
  - Management VLAN
  - Gateway of last resort -> #ip route 0.0.0.0 0.0.0.0 <exit IP address (Router IP)>
  - Basic security hardening
    - Password Encryption and Length
    - Enable Secret Password
    - Line Login with Local Database
    - Disable CDP
    - Message-Of-The-Day (MOTD) or Login Banner
    - NTP-server
    - SSH configuration + ACL
    - Portfast, (R)STP and Broadcast Storm Control
    - Port Security
    - DHCP snooping
    - DAI (Dynamic ARP Inspection)
- L2-Switch–LAN-B
  - Set hostname
  - Create VLANs
  - Define trunk port
  - Assign ports to VLANs
  - Management VLAN
- DHCP server
  - Per subnet
### BR-A
- Hostname
```console
Router(config)#hostname BR-A
BR-A(config)#
```
- WAN interface configuration
```console
BR-A(config)# int Fa0/0
BR-A(config-if)# ip address DHCP
BR-A(config-if)# description WAN
BR-A(config-if)# ip nat outside
BR-A(config-if)# no shut
```
- LAN interface & VLAN subinterface
```console
BR-A(config)# int Fa0/1
BR-A(config-if)# ip address 10.10.10.65 255.255.255.192
BR-A(config-if)# description vlan20
BR-A(config-if)# ip nat inside
BR-A(config-if)# no shut
BR-A(config)# int Fa0/1.100
BR-A(config-subif)# encapsulation dot1q 100
BR-A(config-subif)# ip address 192.168.10.1 255.255.255.0
BR-A(config-subif)# description vlan100-management
BR-A(config-subif)# no shut
```
- Access list NAT + IPsec VPN
```console
BR-A(config)# ip nat inside source list 100 interface fa0/0 overload
BR-A(config)# access-list 100 remark -=[Define NAT Service]=-
BR-A(config)# access-list 100 deny ip 10.10.10.0 0.0.0.63 10.20.20.0 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.64 0.0.0.63 10.20.20.0 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.128 0.0.0.63 10.20.20.0 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.192 0.0.0.63 10.20.20.0 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.0 0.0.0.63 10.20.20.64 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.64 0.0.0.63 10.20.20.64 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.128 0.0.0.63 10.20.20.64 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.192 0.0.0.63 10.20.20.64 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.0 0.0.0.63 10.20.20.128 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.64 0.0.0.63 10.20.20.128 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.128 0.0.0.63 10.20.20.128 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.192 0.0.0.63 10.20.20.128 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.0 0.0.0.63 10.20.20.192 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.64 0.0.0.63 10.20.20.192 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.128 0.0.0.63 10.20.20.192 0.0.0.63
BR-A(config)# access-list 100 deny ip 10.10.10.192 0.0.0.63 10.20.20.192 0.0.0.63
BR-A(config)# access-list 100 permit ip 10.10.10.0 0.0.0.63 any
BR-A(config)# access-list 100 permit ip 10.10.10.64 0.0.0.63 any
BR-A(config)# access-list 100 permit ip 10.10.10.128 0.0.0.63 any
BR-A(config)# access-list 100 permit ip 10.10.10.192 0.0.0.63 any
BR-A(config)# access-list 100 remark end of ACL 100
```
- IPsec VPN configuration
- CONFIGURE ISAKMP (IKE) - (ISAKMP PHASE 1)
- ISAKMP (IKE) exists solely to set up SAs (Security Associations) for IPsec. Before that can happen, IKE must first establish an SA (an ISAKMP SA) relationship with the peer (the remote VPN endpoint).
```console
BR-A(config)# crypto isakmp policy 1
BR-A(config-isakmp)# encr 3des
BR-A(config-isakmp)# hash md5
BR-A(config-isakmp)# authentication pre-share
BR-A(config-isakmp)# group 2
BR-A(config-isakmp)# lifetime 86400
```
- Parameter explanation:
- **3DES** - The encryption method to be used for Phase 1.
- **MD5** - The hashing algorithm
- **Pre-share** - Use Pre-shared key as the authentication method
- **Group 2** - Diffie-Hellman group to be used
- **86400** - Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the key) or seconds. Value set is the default value.
- The **ISAKMP Phase 1** policy is defined globally. This means that if we have five different remote sites and have configured five different ISAKMP phase 1 policies (one for each remote router), then whenever our router tries to negotiate a VPN tunnel with one of them it sends all five policies and uses the first match that both sides accept.
- Now we set our pre-shared key for authentication with our peer (router BR-B)
```console
BR-A(config)# crypto isakmp key Pa$$w0rd321 address [WAN-IP-BR-B]
```
- The pre-shared key is set to '**Pa$$w0rd321**' for the public IP of **BR-B [WAN-IP-BR-B]**. Every time BR-A wants to open a VPN tunnel with BR-B, this pre-shared key is used.
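To see how the global policy list described above is actually negotiated, here is an added Python simulation (not code from the lab page or from Cisco) of the IOS matching rule: the responder walks its own policies in priority order and, for each, looks for an offer from the initiator with the same encryption, hash, authentication and DH group, where the initiator's lifetime must not exceed the responder's (the shorter one is then used). `BR_A`, `BR_B` and `BR_C_SHORT_LIFETIME` are constructed policy sets; policy 1 on `BR_A` is the lab's policy, the rest are hypothetical.

```python
"""Simulate IOS ISAKMP phase 1 policy selection between two peers.

Added illustration; not code from the lab page or from Cisco.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int   # 'crypto isakmp policy <priority>': lower number = checked first
    encr: str       # encr 3des / aes
    hashalg: str    # hash md5 / sha
    auth: str       # authentication pre-share / rsa-sig
    group: int      # Diffie-Hellman group
    lifetime: int   # seconds


def negotiate(initiator, responder):
    """Return (offered policy, matching responder policy, agreed lifetime), or None.

    The initiator sends all of its policies. The responder checks its own policies in
    priority order and accepts the first offer whose encr/hash/auth/group are identical
    and whose lifetime is not longer than its own; the shorter lifetime is used.
    """
    offers = sorted(initiator, key=lambda p: p.priority)
    for own in sorted(responder, key=lambda p: p.priority):
        for offer in offers:
            same_suite = (offer.encr, offer.hashalg, offer.auth, offer.group) == (
                own.encr, own.hashalg, own.auth, own.group)
            if same_suite and offer.lifetime <= own.lifetime:
                return offer, own, min(offer.lifetime, own.lifetime)
    return None


# Constructed policies. BR_A policy 1 is the lab's 3DES/MD5/pre-share/group 2/86400 policy;
# the other entries are hypothetical policies for additional remote sites.
BR_A = [
    IsakmpPolicy(1, "3des", "md5", "pre-share", 2, 86400),
    IsakmpPolicy(5, "aes", "sha", "pre-share", 14, 86400),
]
BR_B = [
    IsakmpPolicy(1, "aes", "sha", "pre-share", 14, 86400),   # BR-B prefers AES ...
    IsakmpPolicy(10, "3des", "md5", "pre-share", 2, 86400),  # ... but also accepts 3DES
]
BR_C_SHORT_LIFETIME = [IsakmpPolicy(1, "3des", "md5", "pre-share", 2, 3600)]


def demo():
    """Which policy each peer pair ends up with (None = phase 1 fails)."""
    return {
        # BR-B responds and checks its own policy 1 (AES) first; BR-A offered AES as
        # policy 5, so AES is chosen even though BR-A lists 3DES first.
        "A->B": negotiate(BR_A, BR_B),
        # BR-A responds and checks its policy 1 (3DES) first; BR-B's policy 10 matches,
        # so the weaker suite is used: the responder's ordering decides.
        "B->A": negotiate(BR_B, BR_A),
        # BR-A offers 86400 s, longer than BR-C's 3600 s: no match in this direction.
        "A->C": negotiate(BR_A, BR_C_SHORT_LIFETIME),
        # BR-C initiating with 3600 s is accepted by BR-A's 86400 s policy; 3600 s is used.
        "C->A": negotiate(BR_C_SHORT_LIFETIME, BR_A),
    }


if __name__ == "__main__":
    for pair, result in demo().items():
        if result is None:
            print(pair, "phase 1 fails")
        else:
            print(pair, f"{result[0].encr}/{result[0].hashalg}, lifetime {result[2]} s")
```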
- CREATING EXTENDED ACL
- Here we define an access list that selects the traffic allowed over the VPN tunnel. In this example, traffic from the local network 192.168.1.0/24 to 192.168.20.0/24 is permitted. Access lists that handle VPN traffic are also called **crypto access-lists** or **interesting traffic access-lists**.
```console
BR-A(config)# ip access-list extended VPN-TRAFFIC
BR-A(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.63 10.20.20.0 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.63 10.20.20.64 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.63 10.20.20.128 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.63 10.20.20.192 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.64 0.0.0.63 10.20.20.0 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.64 0.0.0.63 10.20.20.64 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.64 0.0.0.63 10.20.20.128 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.64 0.0.0.63 10.20.20.192 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.128 0.0.0.63 10.20.20.0 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.128 0.0.0.63 10.20.20.64 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.128 0.0.0.63 10.20.20.128 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.128 0.0.0.63 10.20.20.192 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.192 0.0.0.63 10.20.20.0 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.192 0.0.0.63 10.20.20.64 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.192 0.0.0.63 10.20.20.128 0.0.0.63
BR-A(config-ext-nacl)# permit ip 10.10.10.192 0.0.0.63 10.20.20.192 0.0.0.63
```
- CREATE IPSEC TRANSFORM (ISAKMP PHASE 2 POLICY)
- Here we create an IPsec transform set to protect the data over the tunnel. We name it TS:
```console
BR-A(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
```
- ESP-3DES - Encryption method
- MD5 - Hashing algorithm
- CREATE CRYPTO MAP
- The crypto map is the last step of our setup. It ties the previously defined ISAKMP and IPsec configuration together.
```console
BR-A(config)# crypto map CMAP 10 ipsec-isakmp
BR-A(config-crypto-map)# set peer [WAN-IP-BR-B]
BR-A(config-crypto-map)# set transform-set TS
BR-A(config-crypto-map)# match address VPN-TRAFFIC
```
- Our crypto map is named CMAP. The **ipsec-isakmp** tag tells the router that this crypto map is an IPsec crypto map. Although only a single peer, [WAN-IP-BR-B], is declared in this crypto map, a crypto map can contain multiple peers.
- APPLY CRYPTO MAP TO THE PUBLIC(WAN) INTERFACE
- This last step binds the crypto map to the router's outgoing interface. The outgoing interface here is Fa0/0.
```console
BR-A(config)# int Fa0/0
BR-A(config-if)# crypto map CMAP
```
- Only one crypto map can be bound to an interface.
- As soon as we bind a crypto map to an interface, the router prints a message confirming that ISAKMP is enabled: "ISAKMP is ON".
- With this, all configuration for the IPsec VPN is in place. The same must of course be done on BR-B.
- NETWORK ADDRESS TRANSLATION (NAT) AND IPSEC VPN TUNNELS
- Network Address Translation (NAT) is configured on the outgoing (WAN) interface to provide internet access. When configuring a site-to-site IPsec VPN tunnel, it is important that the router does **NOT NAT** (DENY NAT) packets destined for the remote VPN network: NAT happens before the crypto map is consulted, so a translated packet no longer matches the crypto ACL and would leave unencrypted via the default route instead of through the tunnel. See **Access list NAT + IPsec VPN**.
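The crypto ACL (Creating extended ACL) and the NAT-exemption ACL (this step) are written out by hand, 16 lines each, and must agree with each other and mirror the peer's. The following added Python (not part of the lab page or of any Cisco tooling) generates both lists from the two sites' subnets and cross-checks them, accepting the page's own `BR-A(config)#` transcript lines as input; it also shows that pasting BR-A's NAT list onto BR-B unchanged exempts nothing there. `SITE_A` and `SITE_B` are the lab's subnets, `wildcard`, `parse_entries` and the two check functions are hypothetical names.

```python
"""Generate and cross-check the crypto ACL and NAT-exemption ACL of a site-to-site IPsec VPN.

Added illustration; not code from the lab page or from Cisco.
"""
import ipaddress
from itertools import product

# Constructed input: the four /26 subnets of each lab site, as configured on BR-A and BR-B.
SITE_A = ["10.10.10.0/26", "10.10.10.64/26", "10.10.10.128/26", "10.10.10.192/26"]
SITE_B = ["10.20.20.0/26", "10.20.20.64/26", "10.20.20.128/26", "10.20.20.192/26"]


def wildcard(cidr):
    """'10.10.10.64/26' -> '10.10.10.64 0.0.0.63' (network address + IOS wildcard mask)."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def crypto_acl(name, local, remote):
    """Interesting-traffic ACL: one permit per (local, remote) subnet pair."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" permit ip {wildcard(l)} {wildcard(r)}" for r, l in product(remote, local)]
    return lines


def nat_acl(number, local, remote):
    """NAT ACL: deny (exempt) every VPN pair first, then permit the local subnets to anywhere."""
    lines = [f"access-list {number} remark -=[Define NAT Service]=-"]
    lines += [f"access-list {number} deny ip {wildcard(l)} {wildcard(r)}"
              for r, l in product(remote, local)]
    lines += [f"access-list {number} permit ip {wildcard(l)} any" for l in local]
    return lines


def _take_addr(toks):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return f"{toks[1]} 0.0.0.0", toks[2:]
    return f"{toks[0]} {toks[1]}", toks[2:]


def parse_entries(lines):
    """Return (action, src, dst) for every extended 'permit ip' / 'deny ip' entry, in order.

    A leading CLI prompt such as 'BR-A(config)# ' and remark lines are ignored, so the
    transcript blocks of the lab page can be pasted in unchanged.
    """
    entries = []
    for line in lines:
        toks = line.split()
        for i, tok in enumerate(toks):
            if tok in ("permit", "deny") and i + 1 < len(toks) and toks[i + 1] == "ip":
                src, rest = _take_addr(toks[i + 2:])
                dst, _ = _take_addr(rest)
                entries.append((tok, src, dst))
                break
    return entries


def nat_exempts_vpn_traffic(crypto_lines, nat_lines):
    """True when the NAT ACL denies exactly the crypto ACL's (src, dst) pairs and every deny
    precedes the first permit, so no VPN-bound packet is translated before the crypto check."""
    interesting = {(s, d) for a, s, d in parse_entries(crypto_lines) if a == "permit"}
    nat = parse_entries(nat_lines)
    exempt = {(s, d) for a, s, d in nat if a == "deny"}
    actions = [a for a, _, _ in nat]
    last_deny = max((i for i, a in enumerate(actions) if a == "deny"), default=-1)
    first_permit = actions.index("permit") if "permit" in actions else len(actions)
    return interesting == exempt and last_deny < first_permit


def peer_acl_mirrors(local_crypto, peer_crypto):
    """The peer's crypto ACL must be the exact mirror image: (src, dst) here is (dst, src) there."""
    local = {(s, d) for a, s, d in parse_entries(local_crypto) if a == "permit"}
    peer = {(s, d) for a, s, d in parse_entries(peer_crypto) if a == "permit"}
    return {(d, s) for s, d in local} == peer


if __name__ == "__main__":
    a_crypto = crypto_acl("VPN-TRAFFIC", SITE_A, SITE_B)
    b_crypto = crypto_acl("VPN-TRAFFIC", SITE_B, SITE_A)
    a_nat, b_nat = nat_acl(100, SITE_A, SITE_B), nat_acl(100, SITE_B, SITE_A)
    print("\n".join(a_nat))
    print("BR-A NAT exemption consistent:", nat_exempts_vpn_traffic(a_crypto, a_nat))
    print("BR-B NAT exemption consistent:", nat_exempts_vpn_traffic(b_crypto, b_nat))
    # BR-A's list pasted onto BR-B unchanged denies 10.10.10.x sources, which never occur there.
    print("BR-B with BR-A's list pasted:", nat_exempts_vpn_traffic(b_crypto, a_nat))
    print("crypto ACLs mirror each other:", peer_acl_mirrors(a_crypto, b_crypto))
```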
- BRINGING UP AND VERIFYING THE VPN TUNNEL
- The complete site-to-site VPN connection should now work and can be brought up. To force tunnel initiation we have to force a packet to use the VPN tunnel; only then is the tunnel built. This can be done with a simple ping (ICMP packet), sourced from an inside (LAN) address so that it matches the VPN-TRAFFIC ACL.
```console
BR-A# ping 10.20.20.1 source fastethernet0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.65
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/47/48 ms
```
- Verification commands
```console
BR-A# show crypto session remote [WAN-IP-BR-B] detail
BR-A# show crypto ipsec sa peer [WAN-IP-BR-B]
```
- Add routes
```console
BR-A(config)#ip route 0.0.0.0 0.0.0.0 [WAN-interface]
BR-A(config)#ip route 10.10.10.0 255.255.255.192 10.10.10.66
BR-A(config)#ip route 10.10.10.128 255.255.255.192 10.10.10.66
BR-A(config)#ip route 10.10.10.192 255.255.255.192 10.10.10.66
```
- Basic security hardening
- Password Encryption and Length
```console
BR-A(config)# service password-encryption
BR-A(config)# security passwords min-length 10
```
- Enable Secret Password
```console
BR-A(config)# enable secret IL-JDR
```
- Line Login with Local Database
```console
BR-A(config)# username il-jdr-admin secret IL-JDR
BR-A(config)# line console 0
BR-A(config-line)# login local
BR-A(config-line)# exec-timeout 15
BR-A(config)# line aux 0
BR-A(config-line)# login local
BR-A(config-line)# exec-timeout 15
BR-A(config)# line vty 0 4
BR-A(config-line)# login local
BR-A(config-line)# exec-timeout 15
BR-A(config)# line vty 5 15
BR-A(config-line)# login local
BR-A(config-line)# exec-timeout 15
```
- Disable CDP
```console
BR-A(config)# no cdp run
```
- Message-Of-The-Day (MOTD) or Login Banner
```console
BR-A(config)# banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
```
- NTP-server
```console
BR-A(config)# ntp server 172.20.0.2
```
- SSH configuration + ACL
```console
BR-A(config)# ip domain-name [domain-name]
BR-A(config)# crypto key zeroize rsa
BR-A(config)# crypto key generate rsa general-keys modulus 2048
BR-A(config)# ip ssh version 2
BR-A(config)# ip ssh time-out 90
BR-A(config)# ip ssh authentication-retries 2
BR-A(config)# line vty 0 4
BR-A(config-line)# login local
BR-A(config-line)# transport input ssh
BR-A(config-line)# exec-timeout 15
BR-A(config)# line vty 5 15
BR-A(config-line)# login local
BR-A(config-line)# transport input ssh
BR-A(config-line)# exec-timeout 15
```
```console
BR-A(config)# access-list 10 remark Allow VLAN20 to Management VLAN100
BR-A(config)# access-list 10 permit 10.10.10.64 0.0.0.63
BR-A(config)# access-list 10 deny any log
BR-A(config)# line vty 0 15
BR-A(config-line)# login local
BR-A(config-line)# transport input ssh
BR-A(config-line)# access-class 10 in
```
### L3-Switch–LAN-A
- Hostname instellen
```console
Switch> enable
Switch# configure terminal
Switch(config)# hostname L3-Switch–LAN-A
L3-Switch–LAN-A(config)#
```
- Enable routing
```console
L3-Switch–LAN-A(config)#ip routing
```
- Create VLANs
```console
L3-Switch–LAN-A> enable
L3-Switch–LAN-A# configure terminal
L3-Switch–LAN-A(config)# vlan 10
L3-Switch–LAN-A(config-vlan)# name vlan10
L3-Switch–LAN-A(config)# vlan 20
L3-Switch–LAN-A(config-vlan)# name vlan20
L3-Switch–LAN-A(config)# vlan 30
L3-Switch–LAN-A(config-vlan)# name vlan30
L3-Switch–LAN-A(config)# vlan 40
L3-Switch–LAN-A(config-vlan)# name vlan40
```
- Create routed interfaces
- Here VLAN 20 is a routed port (the uplink to BR-A), so we do not create it again as a VLAN interface in the next step
```console
L3-Switch–LAN-A(config)# int gigabitEthernet 1/0/24
L3-Switch–LAN-A(config-if)# no switchport
L3-Switch–LAN-A(config-if)# ip address 10.10.10.66 255.255.255.192
L3-Switch–LAN-A(config-if)# ip helper-address 10.10.10.2
L3-Switch–LAN-A(config-if)# no shutdown
L3-Switch–LAN-A(config-if)# description vlan20-uplink-BR-a
L3-Switch–LAN-A(config-if)# exit
```
- Create VLAN interfaces
```console
L3-Switch–LAN-A(config)#int vlan10
L3-Switch–LAN-A(config-if)# ip address 10.10.10.1 255.255.255.192
L3-Switch–LAN-A(config-if)# no shutdown
L3-Switch–LAN-A(config-if)# description vlan10
L3-Switch–LAN-A(config-if)# exit
L3-Switch–LAN-A(config)#int vlan30
L3-Switch–LAN-A(config-if)# ip address 10.10.10.129 255.255.255.192
L3-Switch–LAN-A(config-if)# ip helper-address 10.10.10.2
L3-Switch–LAN-A(config-if)# no shutdown
L3-Switch–LAN-A(config-if)# description vlan30
L3-Switch–LAN-A(config-if)# exit
L3-Switch–LAN-A(config)#int vlan40
L3-Switch–LAN-A(config-if)# ip address 10.10.10.193 255.255.255.192
L3-Switch–LAN-A(config-if)# ip helper-address 10.10.10.2
L3-Switch–LAN-A(config-if)# no shutdown
L3-Switch–LAN-A(config-if)# description vlan40
L3-Switch–LAN-A(config-if)# exit
```
- Assign ports to VLANs
```console
L3-Switch–LAN-A(config)# interface range g1/0/1-6
L3-Switch–LAN-A(config-if-range)# switchport mode access
L3-Switch–LAN-A(config-if-range)# switchport access vlan 10
L3-Switch–LAN-A(config-if-range)# interface range g1/0/7-12
L3-Switch–LAN-A(config-if-range)# switchport mode access
L3-Switch–LAN-A(config-if-range)# switchport access vlan 20
L3-Switch–LAN-A(config-if-range)# interface range g1/0/13-18
L3-Switch–LAN-A(config-if-range)# switchport mode access
L3-Switch–LAN-A(config-if-range)# switchport access vlan 30
L3-Switch–LAN-A(config-if-range)# interface range g1/0/19-23
L3-Switch–LAN-A(config-if-range)# switchport mode access
L3-Switch–LAN-A(config-if-range)# switchport access vlan 40
```
- Management VLAN
```console
L3-Switch–LAN-A(config)# vlan 100
L3-Switch–LAN-A(config-vlan)# name vlan100-management
L3-Switch–LAN-A(config)# int vlan100
L3-Switch–LAN-A(config-if)# ip address 192.168.10.2 255.255.255.0
L3-Switch–LAN-A(config-if)# no shutdown
L3-Switch–LAN-A(config-if)# description vlan100-management
L3-Switch–LAN-A(config-if)# exit
```
- Gateway of last resort → #ip route 0.0.0.0 0.0.0.0 <exit IP address (Router IP)>
```console
L3-Switch–LAN-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.65
```
- Basic security hardening
- Password Encryption and Length
```console
L3-Switch–LAN-A(config)# service password-encryption
L3-Switch–LAN-A(config)# security passwords min-length 10
```
- Enable Secret Password
```console
L3-Switch–LAN-A(config)# enable secret IL-JDR
```
- Line Login with Local Database
```console
L3-Switch–LAN-A(config)# username il-jdr-admin secret IL-JDR
L3-Switch–LAN-A(config)# line console 0
L3-Switch–LAN-A(config-line)# login local
L3-Switch–LAN-A(config-line)# exec-timeout 15
L3-Switch–LAN-A(config)# line aux 0
L3-Switch–LAN-A(config-line)# login local
L3-Switch–LAN-A(config-line)# exec-timeout 15
L3-Switch–LAN-A(config)# line vty 0 4
L3-Switch–LAN-A(config-line)# login local
L3-Switch–LAN-A(config-line)# exec-timeout 15
L3-Switch–LAN-A(config)# line vty 5 15
L3-Switch–LAN-A(config-line)# login local
L3-Switch–LAN-A(config-line)# exec-timeout 15
```
- Disable CDP
```console
L3-Switch–LAN-A(config)# no cdp run
```
- Message-Of-The-Day (MOTD) or Login Banner
```console
L3-Switch–LAN-A(config)# banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
```
- NTP-server
```console
L3-Switch–LAN-A(config)# ntp server 172.20.0.2
```
- SSH configuration + ACL
```console
L3-Switch–LAN-A(config)# ip domain-name [domain-name]
L3-Switch–LAN-A(config)# crypto key zeroize rsa
L3-Switch–LAN-A(config)# crypto key generate rsa general-keys modulus 2048
L3-Switch–LAN-A(config)# ip ssh version 2
L3-Switch–LAN-A(config)# ip ssh time-out 90
L3-Switch–LAN-A(config)# ip ssh authentication-retries 2
L3-Switch–LAN-A(config)# line vty 0 4
L3-Switch–LAN-A(config-line)# login local
L3-Switch–LAN-A(config-line)# transport input ssh
L3-Switch–LAN-A(config-line)# exec-timeout 15
L3-Switch–LAN-A(config)# line vty 5 15
L3-Switch–LAN-A(config-line)# login local
L3-Switch–LAN-A(config-line)# transport input ssh
L3-Switch–LAN-A(config-line)# exec-timeout 15
```
```console
L3-Switch–LAN-A(config)# access-list 10 remark Allow VLAN20 to Management VLAN100
L3-Switch–LAN-A(config)# access-list 10 permit 10.10.10.64 0.0.0.63
L3-Switch–LAN-A(config)# access-list 10 deny any log
L3-Switch–LAN-A(config)# line vty 0 15
L3-Switch–LAN-A(config-line)# login local
L3-Switch–LAN-A(config-line)# transport input ssh
L3-Switch–LAN-A(config-line)# access-class 10 in
```
- Portfast, (R)STP and Broadcast Storm Control
```console
L3-Switch–LAN-A(config)# interface range g1/0/1-23
L3-Switch–LAN-A(config-if-range)# spanning-tree portfast
L3-Switch–LAN-A(config-if-range)# spanning-tree bpduguard enable
L3-Switch–LAN-A(config-if-range)# storm-control broadcast level 50.00
```
- Port Security
```console
L3-Switch–LAN-A(config)# interface range g1/0/1-23
L3-Switch–LAN-A(config-if-range)# switchport port-security
L3-Switch–LAN-A(config-if-range)# switchport port-security maximum 3
L3-Switch–LAN-A(config-if-range)# switchport port-security mac-address sticky
L3-Switch–LAN-A(config-if-range)# switchport port-security aging time 10
L3-Switch–LAN-A(config-if-range)# switchport port-security aging type inactivity
```
- DHCP snooping
```console
L3-Switch–LAN-A(config)# ip dhcp snooping
L3-Switch–LAN-A(config)# ip dhcp snooping vlan 10,20,30,40
! only the port facing the DHCP server (10.10.10.2) is trusted; assumed here to be g1/0/1
L3-Switch–LAN-A(config)# interface g1/0/1
L3-Switch–LAN-A(config-if)# ip dhcp snooping trust
L3-Switch–LAN-A(config-if)# exit
L3-Switch–LAN-A(config)# interface range g1/0/2-23
L3-Switch–LAN-A(config-if-range)# ip dhcp snooping limit rate 6
L3-Switch–LAN-A(config-if-range)# exit
```
- DAI (Dynamic ARP Inspection)
```console
L3-Switch–LAN-A(config)# ip arp inspection vlan 10,20,30,40
L3-Switch–LAN-A(config)# ip arp inspection validate src-mac dst-mac ip
! the DHCP server port (assumed g1/0/1) has no snooping binding, so it must be trusted
L3-Switch–LAN-A(config)# interface g1/0/1
L3-Switch–LAN-A(config-if)# ip arp inspection trust
L3-Switch–LAN-A(config-if)# exit
```
### BR-B
- Hostname
```console
Router(config)#hostname BR-B
BR-B(config)#
```
- WAN interface configuration
```console
BR-B(config)# int g0/0
BR-B(config-if)# ip address DHCP
BR-B(config-if)# description WAN
BR-B(config-if)# ip nat outside
BR-B(config-if)# no shut
```
- VLAN subinterfaces
```console
BR-B(config)# int g0/1
BR-B(config-if)# no shut
BR-B(config)# int g0/1.10
BR-B(config-subif)# encapsulation dot1q 10
BR-B(config-subif)# ip address 10.20.20.1 255.255.255.192
BR-B(config-subif)# description vlan10
BR-B(config-subif)# ip nat inside
BR-B(config-subif)# no shut
BR-B(config)# int g0/1.20
BR-B(config-subif)# encapsulation dot1q 20
BR-B(config-subif)# ip address 10.20.20.65 255.255.255.192
BR-B(config-subif)# description vlan20
BR-B(config-subif)# ip nat inside
BR-B(config-subif)# no shut
BR-B(config)# int g0/1.30
BR-B(config-subif)# encapsulation dot1q 30
BR-B(config-subif)# ip address 10.20.20.129 255.255.255.192
BR-B(config-subif)# description vlan30
BR-B(config-subif)# ip nat inside
BR-B(config-subif)# no shut
BR-B(config)# int g0/1.40
BR-B(config-subif)# encapsulation dot1q 40
BR-B(config-subif)# ip address 10.20.20.193 255.255.255.192
BR-B(config-subif)# description vlan40
BR-B(config-subif)# ip nat inside
BR-B(config-subif)# no shut
BR-B(config)# int g0/1.100
BR-B(config-subif)# encapsulation dot1q 100
BR-B(config-subif)# ip address 192.168.20.1 255.255.255.0
BR-B(config-subif)# description vlan100-management
BR-B(config-subif)# ip nat inside
BR-B(config-subif)# no shut
```
- Access list NAT + IPsec VPN
```console
BR-B(config)# ip nat inside source list 100 interface g0/0 overload
BR-B(config)# access-list 100 remark -=[Define NAT Service]=-
BR-B(config)# access-list 100 deny ip 10.20.20.0 0.0.0.63 10.10.10.0 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.64 0.0.0.63 10.10.10.0 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.128 0.0.0.63 10.10.10.0 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.192 0.0.0.63 10.10.10.0 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.0 0.0.0.63 10.10.10.64 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.64 0.0.0.63 10.10.10.64 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.128 0.0.0.63 10.10.10.64 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.192 0.0.0.63 10.10.10.64 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.0 0.0.0.63 10.10.10.128 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.64 0.0.0.63 10.10.10.128 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.128 0.0.0.63 10.10.10.128 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.192 0.0.0.63 10.10.10.128 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.0 0.0.0.63 10.10.10.192 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.64 0.0.0.63 10.10.10.192 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.128 0.0.0.63 10.10.10.192 0.0.0.63
BR-B(config)# access-list 100 deny ip 10.20.20.192 0.0.0.63 10.10.10.192 0.0.0.63
BR-B(config)# access-list 100 permit ip 10.20.20.0 0.0.0.63 any
BR-B(config)# access-list 100 permit ip 10.20.20.64 0.0.0.63 any
BR-B(config)# access-list 100 permit ip 10.20.20.128 0.0.0.63 any
BR-B(config)# access-list 100 permit ip 10.20.20.192 0.0.0.63 any
BR-B(config)# access-list 100 remark end of ACL 100
```
- IPsec VPN configuration
- CONFIGURE ISAKMP (IKE) - (ISAKMP PHASE 1)
```console
BR-B(config)# crypto isakmp policy 1
BR-B(config-isakmp)# encr 3des
BR-B(config-isakmp)# hash md5
BR-B(config-isakmp)# authentication pre-share
BR-B(config-isakmp)# group 2
BR-B(config-isakmp)# lifetime 86400
```
- Now we set our pre-shared key for authentication with our peer (router BR-A)
```console
BR-B(config)# crypto isakmp key Pa$$w0rd321 address [WAN-IP-BR-A]
```
- CREATING EXTENDED ACL
```console
BR-B(config)# ip access-list extended VPN-TRAFFIC
BR-B(config-ext-nacl)# permit ip 10.20.20.0 0.0.0.63 10.10.10.0 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.0 0.0.0.63 10.10.10.64 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.0 0.0.0.63 10.10.10.128 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.0 0.0.0.63 10.10.10.192 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.64 0.0.0.63 10.10.10.0 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.64 0.0.0.63 10.10.10.64 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.64 0.0.0.63 10.10.10.128 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.64 0.0.0.63 10.10.10.192 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.128 0.0.0.63 10.10.10.0 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.128 0.0.0.63 10.10.10.64 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.128 0.0.0.63 10.10.10.128 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.128 0.0.0.63 10.10.10.192 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.192 0.0.0.63 10.10.10.0 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.192 0.0.0.63 10.10.10.64 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.192 0.0.0.63 10.10.10.128 0.0.0.63
BR-B(config-ext-nacl)# permit ip 10.20.20.192 0.0.0.63 10.10.10.192 0.0.0.63
```
- CREATE IPSEC TRANSFORM (ISAKMP PHASE 2 POLICY)
```console
BR-B(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
```
- CREATE CRYPTO MAP
```console
BR-B(config)# crypto map CMAP 10 ipsec-isakmp
BR-B(config-crypto-map)# set peer [WAN-IP-BR-A]
BR-B(config-crypto-map)# set transform-set TS
BR-B(config-crypto-map)# match address VPN-TRAFFIC
```
- APPLY CRYPTO MAP TO THE PUBLIC(WAN) INTERFACE
```console
BR-B(config)# int g0/0
BR-B(config-if)# crypto map CMAP
```
- NETWORK ADDRESS TRANSLATION (NAT) AND IPSEC VPN TUNNELS
**See - Access list NAT + IPsec VPN**
- BRINGING UP AND VERIFYING THE VPN TUNNEL
```console
BR-B# ping 10.10.10.65 source gigabitEthernet0/1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.65, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/47/48 ms
```
- Verification commands
```console
BR-B# show crypto session remote [WAN-IP-BR-A] detail
BR-B# show crypto ipsec sa peer [WAN-IP-BR-A]
```
- Basic security hardening
- Password Encryption and Length
```console
BR-B(config)# service password-encryption
BR-B(config)# security passwords min-length 10
```
- Enable Secret Password
```console
BR-B(config)# enable secret IL-JDR
```
- Line Login with Local Database
```console
BR-B(config)# username il-jdr-admin secret IL-JDR
BR-B(config)# line console 0
BR-B(config-line)# login local
BR-B(config-line)# exec-timeout 15
BR-B(config)# line aux 0
BR-B(config-line)# login local
BR-B(config-line)# exec-timeout 15
BR-B(config)# line vty 0 4
BR-B(config-line)# login local
BR-B(config-line)# exec-timeout 15
BR-B(config)# line vty 5 15
BR-B(config-line)# login local
BR-B(config-line)# exec-timeout 15
```
- Disable CDP
```console
BR-B(config)# no cdp run
```
- Message-Of-The-Day (MOTD) or Login Banner
```console
BR-B(config)# banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
```
- NTP-server
```console
BR-B(config)# ntp server 172.20.0.2
```
- SSH configuration + ACL
```console
BR-B(config)# ip domain-name [domain-name]
BR-B(config)# crypto key zeroize rsa
BR-B(config)# crypto key generate rsa general-keys modulus 2048
BR-B(config)# ip ssh version 2
BR-B(config)# ip ssh time-out 90
BR-B(config)# ip ssh authentication-retries 2
BR-B(config)# line vty 0 4
BR-B(config-line)# login local
BR-B(config-line)# transport input ssh
BR-B(config-line)# exec-timeout 15
BR-B(config)# line vty 5 15
BR-B(config-line)# login local
BR-B(config-line)# transport input ssh
BR-B(config-line)# exec-timeout 15
```
```console
BR-B(config)# access-list 10 remark Allow VLAN20 to Management VLAN100
BR-B(config)# access-list 10 permit 10.20.20.64 0.0.0.63
BR-B(config)# access-list 10 deny any log
BR-B(config)# line vty 0 15
BR-B(config-line)# login local
BR-B(config-line)# transport input ssh
BR-B(config-line)# access-class 10 in
```
### L2-Switch–LAN-B
- Hostname
```console
Switch(config)# hostname L2-Switch–LAN-B
L2-Switch–LAN-B(config)#
```
- Trunk port
```console
L2-Switch–LAN-B(config)# int fa0/24
L2-Switch–LAN-B(config-if)# switchport mode trunk
L2-Switch–LAN-B(config-if)# switchport nonegotiate
L2-Switch–LAN-B(config-if)# switchport trunk encapsulation dot1q
! the line above is NOT accepted on a Cisco 2960 (802.1Q only, nothing to choose):
! https://community.cisco.com/t5/other-network-architecture/2960-will-not-allow-quot-switchport-trunk-encapsulation-dot1q/td-p/2439012
L2-Switch–LAN-B(config-if)# switchport trunk allowed vlan 10,20,30,40,100
L2-Switch–LAN-B(config-if)# description Uplink to BR
```
- Management interface
```console
L2-Switch–LAN-B(config)# vlan 100
L2-Switch–LAN-B(config-vlan)# name vlan100-management
L2-Switch–LAN-B(config)# int vlan100
*Mar 1 00:42:53.062: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to down
L2-Switch–LAN-B(config-if)# ip address 192.168.20.2 255.255.255.0
L2-Switch–LAN-B(config-if)# no shutdown
L2-Switch–LAN-B(config-if)# description vlan100-management
L2-Switch–LAN-B(config-if)# exit
```
- VLANs
```console
L2-Switch–LAN-B(config)# vlan 10
L2-Switch–LAN-B(config-vlan)# name vlan10
L2-Switch–LAN-B(config)# vlan 20
L2-Switch–LAN-B(config-vlan)# name vlan20
L2-Switch–LAN-B(config)# vlan 30
L2-Switch–LAN-B(config-vlan)# name vlan30
L2-Switch–LAN-B(config)# vlan 40
L2-Switch–LAN-B(config-vlan)# name vlan40
```
- Assign VLANs to switch ports
```console
L2-Switch–LAN-B(config)# int range fa0/1-6
L2-Switch–LAN-B(config-if-range)# switchport mode access
L2-Switch–LAN-B(config-if-range)# switchport access vlan 10
L2-Switch–LAN-B(config-if-range)# no shutdown
L2-Switch–LAN-B(config)# int r fa0/7-12
L2-Switch–LAN-B(config-if-range)# switchport mode access
L2-Switch–LAN-B(config-if-range)# switchport access vlan 20
L2-Switch–LAN-B(config-if-range)# no shutdown
L2-Switch–LAN-B(config)# int r fa0/13-18
L2-Switch–LAN-B(config-if-range)# switchport mode access
L2-Switch–LAN-B(config-if-range)# switchport access vlan 30
L2-Switch–LAN-B(config-if-range)# no shutdown
L2-Switch–LAN-B(config)# int r fa0/19-23
L2-Switch–LAN-B(config-if-range)# switchport mode access
L2-Switch–LAN-B(config-if-range)# switchport access vlan 40
L2-Switch–LAN-B(config-if-range)# no shutdown
```
### DHCP server
- Debian network config
```console
Ip: 10.10.10.2 255.255.255.192
Gateway: 10.10.10.1
```
- isc-dhcp-server Debian config
```console
DHCP config:
subnet 10.10.10.0 netmask 255.255.255.192 {
range 10.10.10.40 10.10.10.50;
option routers 10.10.10.1;
}
subnet 10.10.10.64 netmask 255.255.255.192 {
range 10.10.10.100 10.10.10.110;
option routers 10.10.10.66;
}
subnet 10.10.10.128 netmask 255.255.255.192 {
range 10.10.10.170 10.10.10.180;
option routers 10.10.10.129;
}
subnet 10.10.10.192 netmask 255.255.255.192 {
range 10.10.10.210 10.10.10.220;
option routers 10.10.10.193;
}
```
## Exam prep

### Broadband router
**hostname**
```console
hostname BR
```
**Basics**
```console
no ip domain-lookup
```
**Interfaces**
```console
int Fa0/0
ip address dhcp
ip nat outside
no shut
int Fa0/1
no shut
int Fa0/1.100
encapsulation dot1q 100
ip address 10.10.100.1 255.255.255.0
description Managment-vlan
no shut
int Fa0/1.666
encapsulation dot1q 666
ip address 10.10.255.254 255.255.255.248
ip nat inside
description Internet
no shut
```
**routes**
```console
! default route via the home test network (JDR)
ip route 0.0.0.0 0.0.0.0 192.168.60.254
ip route 10.10.0.0 255.255.0.0 10.10.255.253
ip route 10.20.0.0 255.255.0.0 10.10.255.253
```
**NAT**
```console
ip nat inside source list 1 interface fa0/0 overload
access-list 1 remark ACL for NAT
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 10.10.2.0 0.0.0.255
access-list 1 permit 10.10.3.0 0.0.0.255
access-list 1 permit 10.20.1.0 0.0.0.255
access-list 1 permit 10.20.2.0 0.0.0.255
access-list 1 permit 10.20.3.0 0.0.0.255
access-list 1 remark end of ACL 1
```
**ACL management**
```console
access-list 10 remark Allow VLAN10 & 20 to Management VLAN100
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 10 permit 10.10.2.0 0.0.0.255
access-list 10 permit 10.20.1.0 0.0.0.255
access-list 10 permit 10.20.2.0 0.0.0.255
access-list 10 deny any log
access-list 10 remark end of ACL 10
```
**VTY lines**
```console
ip domain-name ni.exam.internal.mct.be
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 2048
username jdradmin secret P@ssw0rd
line vty 0 15
login local
transport input ssh
access-class 10 in
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
```
**Basic security hardening**
- Password Encryption and Length
```console
service password-encryption
security passwords min-length 10
```
- Enable Secret Password
```console
enable secret IL-JDR1234
```
- Line Login with Local Database
```console
username il-jdr-admin secret IL-JDR1234
line console 0
login local
exec-timeout 15
line aux 0
login local
exec-timeout 15
```
- Disable CDP
```console
! globally
no cdp run
! OR per interface (in interface configuration mode)
no cdp enable
```
- Message-Of-The-Day (MOTD) or Login Banner
```console
banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
```
- NTP-server
```console
BR-A(config)# ntp server 192.168.60.254
```
### Layer 3 switch site A
**hostname**
```console
hostname S-L3-A
```
**vlans**
```console
vlan 10
name vlan10-servers
vlan 20
name vlan20-lan
vlan 30
name vlan30-voice
vlan 40
name vlan40-uplink-site-b
vlan 100
name vlan100-management-vlan
vlan 666
name vlan666-internet
```
**ip routing**
```console
ip routing
```
**Interfaces**
```console
int range fa0/1-8
switchport mode access
switchport access vlan 10
description vlan10-servers
no shut
int range fa0/9-16
switchport mode access
switchport access vlan 20
description vlan20-lan
int range fa0/17-22
switchport mode access
switchport access vlan 30
description vlan30-voice
int fa0/23
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 40,100
description uplink-site-b
int fa0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 100,666
description uplink-to-broadbandrouter
spanning-tree portfast trunk
int range g0/1-2
shut
int vlan10
ip address 10.10.1.1 255.255.255.0
ip helper-address 10.10.250.1
description vlan10-servers
no shut
int vlan20
ip address 10.10.2.1 255.255.255.0
ip helper-address 10.10.250.1
description vlan20-lan
no shut
int vlan30
ip address 10.10.3.1 255.255.255.0
ip helper-address 10.10.250.1
description vlan30-voice
no shut
int vlan40
ip address 10.10.250.2 255.255.255.252
description vlan40-uplink-site-b
no shut
int vlan100
ip address 10.10.100.2 255.255.255.0
description vlan100-management
no shut
int vlan666
ip address 10.10.255.253 255.255.255.248
description vlan666-internet
no shut
```
**routes**
```console
ip route 0.0.0.0 0.0.0.0 10.10.255.254
ip route 10.20.0.0 255.255.0.0 10.10.250.1
```
**ACL management**
```console
access-list 10 remark Allow VLAN10 & 20 to Management VLAN100
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 10 permit 10.10.2.0 0.0.0.255
access-list 10 permit 10.20.1.0 0.0.0.255
access-list 10 permit 10.20.2.0 0.0.0.255
access-list 10 deny any log
```
**VTY lines**
```console
ip domain-name ni.exam.internal.mct.be
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 2048
username jdradmin secret P@ssw0rd
line vty 0 15
login local
transport input ssh
access-class 10 in
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
```
**Basic security hardening**
- Password Encryption and Length
```console
service password-encryption
security passwords min-length 10
```
- Enable Secret Password
```console
enable secret IL-JDR1234
```
- Line Login with Local Database
```console
username il-jdr-admin secret IL-JDR1234
line console 0
login local
exec-timeout 15
line aux 0
login local
exec-timeout 15
```
- Disable CDP
```console
no cdp enable
# OR (interface-level vs. global)
no cdp run
```
- Message-Of-The-Day (MOTD) or Login Banner
```console
banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
```
- NTP-server
```console
ntp server 192.168.60.254
```
- Portfast, (R)STP and Broadcast Storm Control
```console
interface range fa0/1-22
spanning-tree portfast
spanning-tree bpduguard enable
storm-control broadcast level 50.00
```
- Port Security
```console
interface range fa0/1-22
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address sticky
switchport port-security aging time 10
switchport port-security aging type inactivity
```
- DHCP snooping
```console
ip dhcp snooping
# global command: snooping is only active on the VLANs listed here
ip dhcp snooping vlan 10,20,30
interface f0/23
ip dhcp snooping trust
interface range fa0/1-22
ip dhcp snooping limit rate 6
interface fa0/24
ip dhcp snooping limit rate 6
```
- DAI (Dynamic ARP Inspection)
```console
ip arp inspection vlan 10,20,30
ip arp inspection validate src-mac dst-mac ip
interface f0/23
ip arp inspection trust
```
### Router A
**hostname**
```console
hostname RA
```
**Basics**
```console
no ip domain-lookup
```
**Interfaces**
```console
int Fa0/0
ip address 10.10.255.245 255.255.255.252
no shut
int Fa0/1
no shut
int Fa0/1.40
encapsulation dot1q 40
ip address 10.10.250.1 255.255.255.252
no shut
int Fa0/1.100
encapsulation dot1q 100
ip address 10.10.100.3 255.255.255.0
no shut
```
**DHCP**
```console
ip dhcp excluded-address 10.10.1.1
ip dhcp pool vlan10-servers
network 10.10.1.0 255.255.255.0
default-router 10.10.1.1
dns-server 8.8.8.8
domain-name internal.mct.be
lease 0 1 30
ip dhcp excluded-address 10.10.2.1
ip dhcp pool vlan20-lan
network 10.10.2.0 255.255.255.0
default-router 10.10.2.1
dns-server 8.8.8.8
domain-name internal.mct.be
lease 0 1 30
ip dhcp excluded-address 10.10.3.1
ip dhcp pool vlan30-voice
network 10.10.3.0 255.255.255.0
default-router 10.10.3.1
dns-server 8.8.8.8
domain-name internal.mct.be
lease 0 1 30
```
**routes**
```console
ip route 0.0.0.0 0.0.0.0 10.10.250.2
ip route 10.20.0.0 255.255.0.0 10.10.255.246
```
**ACL management**
```console
access-list 10 remark Allow VLAN10 & 20 to Management VLAN100
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 10 permit 10.10.2.0 0.0.0.255
access-list 10 permit 10.20.1.0 0.0.0.255
access-list 10 permit 10.20.2.0 0.0.0.255
access-list 10 deny any log
```
**VTY lines**
```console
ip domain-name ni.exam.internal.mct.be
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 2048
username jdradmin secret P@ssw0rd
line vty 0 15
login local
transport input ssh
access-class 10 in
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
```
**Basic security hardening**
- Password Encryption and Length
```console
service password-encryption
security passwords min-length 10
```
- Enable Secret Password
```console
enable secret IL-JDR1234
```
- Line Login with Local Database
```console
username il-jdr-admin secret IL-JDR1234
line console 0
login local
exec-timeout 15
line aux 0
login local
exec-timeout 15
```
- Disable CDP
```console
no cdp enable
# OR (interface-level vs. global)
no cdp run
```
- Message-Of-The-Day (MOTD) or Login Banner
```console
banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
```
- NTP-server
```console
ntp server 192.168.60.254
```
### Router B
**hostname**
```console
hostname RB
```
**Basics**
```console
no ip domain-lookup
```
**Interfaces**
```console
int Fa0/0
ip address 10.10.255.246 255.255.255.252
no shut
int Fa0/1
no shut
int Fa0/1.10
encapsulation dot1q 10
ip address 10.20.1.1 255.255.255.0
no shut
int Fa0/1.20
encapsulation dot1q 20
ip address 10.20.2.1 255.255.255.0
no shut
int Fa0/1.30
encapsulation dot1q 30
ip address 10.20.3.1 255.255.255.0
no shut
int Fa0/1.100
encapsulation dot1q 100
ip address 10.20.100.1 255.255.255.0
no shut
```
**DHCP**
```console
ip dhcp excluded-address 10.20.1.1
ip dhcp pool vlan10-servers
network 10.20.1.0 255.255.255.0
default-router 10.20.1.1
dns-server 8.8.8.8
domain-name internal.mct.be
lease 0 1 30
ip dhcp excluded-address 10.20.2.1
ip dhcp pool vlan20-lan
network 10.20.2.0 255.255.255.0
default-router 10.20.2.1
dns-server 8.8.8.8
domain-name internal.mct.be
lease 0 1 30
ip dhcp excluded-address 10.20.3.1
ip dhcp pool vlan30-voice
network 10.20.3.0 255.255.255.0
default-router 10.20.3.1
dns-server 8.8.8.8
domain-name internal.mct.be
lease 0 1 30
```
**routes**
```console
ip route 0.0.0.0 0.0.0.0 10.10.255.245
```
**ACL management**
```console
access-list 10 remark Allow VLAN10 & 20 to Management VLAN100
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 10 permit 10.10.2.0 0.0.0.255
access-list 10 permit 10.20.1.0 0.0.0.255
access-list 10 permit 10.20.2.0 0.0.0.255
access-list 10 deny any log
```
**VTY lines**
```console
ip domain-name ni.exam.internal.mct.be
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 2048
username jdradmin secret P@ssw0rd
line vty 0 15
login local
transport input ssh
access-class 10 in
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
```
**Basic security hardening**
- Password Encryption and Length
```console
service password-encryption
security passwords min-length 10
```
- Enable Secret Password
```console
enable secret IL-JDR1234
```
- Line Login with Local Database
```console
username il-jdr-admin secret IL-JDR1234
line console 0
login local
exec-timeout 15
line aux 0
login local
exec-timeout 15
```
- Disable CDP
```console
no cdp enable
# OR (interface-level vs. global)
no cdp run
```
- Message-Of-The-Day (MOTD) or Login Banner
```console
banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
```
- NTP-server
```console
ntp server 192.168.60.254
```
### Layer 2 switch site B
**hostname**
```console
hostname S-L2-B
```
**Basics**
```console
no ip domain-lookup
```
**vlans**
```console
vlan 10
name vlan10-servers
vlan 20
name vlan20-lan
vlan 30
name vlan30-voice
vlan 100
name vlan100-management-vlan
```
**Interfaces**
```console
int range fa0/1-8
switchport mode access
switchport access vlan 10
description vlan10-servers
no shut
int range fa0/9-16
switchport mode access
switchport access vlan 20
description vlan20-lan
int range fa0/17-24
switchport mode access
switchport access vlan 30
description vlan30-voice
int g0/1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,30,100
spanning-tree portfast trunk
description uplink-site-b
int g0/2
shut
int vlan 100
ip address 10.20.100.2 255.255.255.0
no shut
```
**ACL management**
```console
access-list 10 remark Allow VLAN10 & 20 to Management VLAN100
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 10 permit 10.10.2.0 0.0.0.255
access-list 10 permit 10.20.1.0 0.0.0.255
access-list 10 permit 10.20.2.0 0.0.0.255
access-list 10 deny any log
```
**VTY lines**
```console
ip domain-name ni.exam.internal.mct.be
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 2048
username jdradmin secret P@ssw0rd
line vty 0 15
login local
transport input ssh
access-class 10 in
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
```
**Basic security hardening**
- Password Encryption and Length
```console
service password-encryption
```
- Enable Secret Password
```console
enable secret IL-JDR1234
```
- Line Login with Local Database
```console
username il-jdr-admin secret IL-JDR1234
line console 0
login local
exec-timeout 15
```
- Disable CDP
```console
no cdp enable
# OR (interface-level vs. global)
no cdp run
```
- Message-Of-The-Day (MOTD) or Login Banner
```console
banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
```
- NTP-server
```console
ntp server 192.168.60.254
```
- Portfast, (R)STP and Broadcast Storm Control
```console
interface range fa0/1-24
spanning-tree portfast
spanning-tree bpduguard enable
storm-control broadcast level 50.00
```
- Port Security
```console
interface range fa0/1-24
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address sticky
switchport port-security aging time 10
switchport port-security aging type inactivity
```
- DHCP snooping
```console
ip dhcp snooping
# global command: without a VLAN list snooping stays inactive
ip dhcp snooping vlan 10,20,30
interface g0/1
ip dhcp snooping trust
interface range fa0/1-24
ip dhcp snooping limit rate 6
```
- DAI (Dynamic ARP Inspection)
```console
ip arp inspection vlan 10,20,30
ip arp inspection validate src-mac dst-mac ip
interface g0/1
ip arp inspection trust
```
### Extra exercise

### BR
**hostname**
```console
hostname BR
```
**Basics**
```console
no ip domain-lookup
```
**Interfaces**
```console
int Fa0/0
ip address dhcp
ip nat outside
no shut
int Fa0/1
no shut
int Fa0/1.11
encapsulation dot1q 11
ip address 172.20.2.1 255.255.254.0
description Managment-vlan
no shut
int Fa0/1.55
encapsulation dot1q 55
ip address 172.20.255.254 255.255.255.248
ip nat inside
description Internet
no shut
```
**ip routes**
```console
ip route 0.0.0.0 0.0.0.0 192.168.60.254 #(HOME TEST NET JDR)
ip route 172.20.0.0 255.255.0.0 172.20.255.253
```
**NAT**
```console
ip nat inside source list 1 interface fa0/0 overload
access-list 1 remark ACL for NAT
access-list 1 permit 172.20.0.0 0.0.1.255
access-list 1 permit 172.20.74.0 0.0.0.31
access-list 1 permit 172.20.4.0 0.0.1.255
access-list 1 permit 172.20.240.0 0.0.3.255
access-list 1 permit 172.20.248.0 0.0.1.255
access-list 1 permit 172.20.2.0 0.0.1.255
access-list 1 remark end of ACL 1
```
### L3-S
**hostname**
```console
hostname L3-S
```
**Basics**
```console
no ip domain-lookup
```
**vlans**
```console
vlan 10
name vlan10-servers
vlan 74
name vlan74-blok-e
vlan 12
name vlan12-administration
vlan 40
name vlan40-wireless-company
vlan 48
name vlan48-wireless-visitors
vlan 11
name vlan11-management-vlan
vlan 55
name vlan55-internet
```
**ip routing**
```console
ip routing
```
**interfaces**
```console
int range fa0/1-8
switchport mode access
switchport access vlan 10
description vlan10-servers
no shut
int range fa0/9-16
switchport mode access
switchport access vlan 12
description vlan12-administration
int range fa0/17-22
switchport mode access
switchport access vlan 74
description vlan74-blok-e
int fa0/23
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,11
description dhcp-router-b
spanning-tree portfast trunk
int fa0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 11,55
description uplink-to-broadbandrouter
spanning-tree portfast trunk
int g0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,11,12,40,48,74
description uplink-to-l2-switch
spanning-tree portfast trunk
no shut
int g0/2
shut
int vlan10
ip address 172.20.0.1 255.255.252.0
ip helper-address 172.20.0.2
description vlan10-servers
int vlan11
ip address 172.20.2.2 255.255.252.0
description vlan11-management
int vlan12
ip address 172.20.4.1 255.255.252.0
ip helper-address 172.20.0.2
description vlan12-administration
int vlan40
ip address 172.20.240.1 255.255.252.0
ip helper-address 172.20.0.2
description vlan40-wireless-company
int vlan48
ip address 172.20.248.1 255.255.252.0
ip helper-address 172.20.0.2
description vlan48-wireless-visitors
int vlan55
ip address 172.20.255.253 255.255.255.248
description vlan55-internet
int vlan74
ip address 172.20.74.1 255.255.255.224
ip helper-address 172.20.0.2
description vlan74-blok-e
```
### RA
**hostname**
```console
hostname RA
```
**Basics**
```console
no ip domain-lookup
```
**Interfaces**
```console
int Fa0/0
ip address dhcp
ip nat outside
no shut
int Fa0/1
no shut
int Fa0/1.10
encapsulation dot1q 10
ip address 172.20.0.2 255.255.254.0
ip nat inside
description DHCP-server
no shut
int Fa0/1.11
encapsulation dot1q 11
ip address 172.20.2.3 255.255.254.0
description Managment-vlan
no shut
```
**ip routes**
```console
ip route 0.0.0.0 0.0.0.0 172.20.0.1
```
**DHCP**
```console
ip dhcp excluded-address 172.20.0.1 172.20.0.10
ip dhcp excluded-address 172.20.4.1 172.20.4.10
ip dhcp excluded-address 172.20.240.1 172.20.240.10
ip dhcp excluded-address 172.20.248.1 172.20.248.10
ip dhcp excluded-address 172.20.74.1 172.20.74.5
ip dhcp pool IPv4-VLAN10-SERVERS
network 172.20.0.0 255.255.254.0
default-router 172.20.0.1
dns-server 172.20.0.2
domain-name internal.mct.be
lease 0 1 30
ip dhcp pool IPv4-VLAN12-SERVERS
network 172.20.4.0 255.255.254.0
default-router 172.20.4.1
dns-server 172.20.0.2
domain-name internal.mct.be
lease 0 1 30
ip dhcp pool IPv4-VLAN40-SERVERS
network 172.20.240.0 255.255.254.0
default-router 172.20.240.1
dns-server 172.20.0.2
domain-name internal.mct.be
lease 0 1 30
ip dhcp pool IPv4-VLAN48-SERVERS
network 172.20.248.0 255.255.254.0
default-router 172.20.248.1
dns-server 172.20.0.2
domain-name internal.mct.be
lease 0 1 30
ip dhcp pool IPv4-VLAN74-SERVERS
network 172.20.74.0 255.255.255.224
default-router 172.20.74.1
dns-server 172.20.0.2
domain-name internal.mct.be
lease 0 1 30
```
### L2
**hostname**
```console
hostname L2-S
```
**Basics**
```console
no ip domain-lookup
```
**vlans**
```console
vlan 10
name vlan10-servers
vlan 74
name vlan74-blok-e
vlan 12
name vlan12-administration
vlan 40
name vlan40-wireless-company
vlan 48
name vlan48-wireless-visitors
vlan 11
name vlan11-management-vlan
```
**interfaces**
```console
int range fa0/1-8
switchport mode access
switchport access vlan 10
description vlan10-servers
no shut
int range fa0/9-16
switchport mode access
switchport access vlan 12
description vlan12-administration
int range fa0/17-22
switchport mode access
switchport access vlan 74
description vlan74-blok-e
int fa0/23
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,11,12,40,48,74
description uplink-l3-switch
spanning-tree portfast trunk
int fa0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 11,40,48
description uplink-ap
spanning-tree portfast trunk
int vlan11
ip address 172.20.2.3 255.255.252.0
description vlan11-management
```
### AP (Mikrotik)
1. Create management (vlan) access
```console
/interface vlan
add interface=ether5 name=Management vlan-id=11
/ip address
add address=172.20.2.4/23 interface=Management network=172.20.2.0
/ip route
add distance=1 gateway=172.20.2.1
```
2. Create wireless security-profiles for wlan1 and wlan2
Add Virtual AP under wlan1 interface
```console
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=WL-Company supplicant-identity="" wpa2-pre-shared-key=P@ssw0rd
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=WL-Visitors supplicant-identity="" wpa2-pre-shared-key=Azerty123
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge security-profile=WL-Company ssid=WL-Company-XX vlan-id=40 vlan-mode=use-tag
add disabled=no master-interface=wlan1 name=wlan2 security-profile=WL-Visitors ssid=WL-Visitors-XX vlan-id=48 vlan-mode=use-tag
```
3. Create bridge with vlan-filtering=yes
Add necessary bridge ports
Add tagged interfaces under interface bridge vlan section with correct vlan-ids
```console
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface bridge vlan
add bridge=bridge1 tagged=ether5,wlan1 vlan-ids=40
add bridge=bridge1 tagged=ether5,wlan2 vlan-ids=48
```