CCNA Comprehensive Lab

  • 莫愁
  • Other
  • 2018-12-20
Summary: This lab covers many configuration commands, including basic configuration, AAA authentication, SSH, a zone-based policy firewall, and related settings.

Configure Basic Router Security

1.Configure the following on R1:

o    Minimum password length is 10 characters.

o    Encrypt plaintext passwords.

o    Privileged EXEC mode secret password is ciscoenapa55.

o    Console line password is ciscoconpa55, timeout is 15 minutes, and console messages should not interrupt command entry.

o    A message-of-the-day (MOTD) banner should include the word unauthorized.        

Set the minimum password length to 10 characters.

R1(config)#security passwords min-length 10

Encrypt plaintext passwords.

R1(config)#service password-encryption

Privileged EXEC mode secret password is ciscoenapa55.

R1(config)#enable secret ciscoenapa55

Console line password is ciscoconpa55.

R1(config)#line console 0

R1(config-line)#password ciscoconpa55

Timeout is 15 minutes, and console messages should not interrupt command entry.

R1(config-line)#exec-timeout 15 0

R1(config-line)#login

R1(config-line)#logging synchronous        // console messages no longer interrupt command entry

The MOTD banner should include the word unauthorized.

R1(config)#banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law!$

 

2.Configure the following on R2:

o    Privileged EXEC mode secret password is ciscoenapa55.

o    Password for the vty lines is ciscovtypa55, timeout is 15 minutes, and login is required.

Privileged EXEC mode secret password is ciscoenapa55.

R2(config)#enable secret ciscoenapa55

Password for the vty lines is ciscovtypa55, timeout is 15 minutes, and login is required.

R2(config)#line vty 0 4

R2(config-line)#password ciscovtypa55

R2(config-line)#exec-timeout 15 0

R2(config-line)#login

 

Configure Basic Switch Security

1.Configure the following on S1:

o    Encrypt plaintext passwords.

o    Privileged EXEC mode secret password is ciscoenapa55.

o    Console line password is ciscoconpa55, timeout is 5 minutes, and console messages should not interrupt command entry.

o    Password for the vty lines is ciscovtypa55, timeout is 5 minutes, and login is required.

o    A MOTD banner should include the word unauthorized.

Encrypt plaintext passwords.

S1(config)#service password-encryption

Privileged EXEC mode secret password is ciscoenapa55.

S1(config)#enable secret ciscoenapa55

Console line password is ciscoconpa55, timeout is 5 minutes, and console messages should not interrupt command entry.

S1(config)#line console 0

S1(config-line)#password ciscoconpa55

S1(config-line)#exec-timeout 5 0

S1(config-line)#login

S1(config-line)#logging synchronous        // console messages no longer interrupt command entry

Password for the vty lines is ciscovtypa55, timeout is 5 minutes, and login is required.

S1(config)#line vty 0 15

S1(config-line)#password ciscovtypa55

S1(config-line)#exec-timeout 5 0

S1(config-line)#login

The MOTD banner should include the word unauthorized.

S1(config)#banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law!$

 

2.Configure trunking between S1 and S2 with the following settings:

o    Set the mode to trunk and assign VLAN 99 as the native VLAN.

o    Disable the generation of DTP frames.

o    Enable storm control for broadcasts to a 50 percent suppression level.

Set the mode to trunk and assign VLAN 99 as the native VLAN.

S1(config)#interface FastEthernet 0/1

S1(config-if)#switchport mode trunk

S1(config-if)#switchport trunk native vlan 99

Disable the generation of DTP frames.

S1(config-if)#switchport nonegotiate

Enable storm control for broadcasts at a 50 percent suppression level.

S1(config-if)#storm-control broadcast level 50

 

3.Configure the S1 with the following port settings:

o    Fa0/6 should only allow access mode, set to PortFast, and enable BPDU guard.

o    Fa0/6 uses basic default port security with dynamically learned MAC addresses added to the running configuration.

o    All other ports should be disabled.

Note: Although not all ports are checked, your instructor may want to verify that all unused ports are disabled.

Fa0/6 should only allow access mode, be set to PortFast, and have BPDU guard enabled.

S1(config)#interface FastEthernet 0/6

S1(config-if)#switchport mode access

S1(config-if)#spanning-tree portfast

S1(config-if)#spanning-tree bpduguard enable

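Fa0/6 uses basic default port security, with dynamically learned MAC addresses added to the running configuration.

S1(config-if)#switchport port-security        // enable port security with its default settings

S1(config-if)#switchport port-security mac-address sticky

S1(config-if)#no shutdown     // bring the port up

All other ports should be disabled.

S1(config)#interface range f0/2 - 5 , f0/7 - 24 , g0/1 - 2

S1(config-if-range)#shutdown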

 

Configure AAA Local Authentication

1.Configure the following on R1:

o    Create a local user account of Admin01, a secret password of Admin01pa55, and a privilege level of 15.

o    Enable AAA services.

o    Implement AAA services using the local database as the first option and then the enable password as the backup option.

Create a local user account of Admin01, a secret password of Admin01pa55, and a privilege level of 15.

R1(config)#username Admin01 privilege 15 secret Admin01pa55

Enable AAA services.

R1(config)#aaa new-model

Implement AAA services using the local database as the first option and then the enable password as the backup option.

R1(config)#aaa authentication login default local enable

 

Configure SSH

1.Configure the following on R1:

Note: The RSA key is already generated.

o    The domain name is ccnasecurity.com

o    The RSA key should be generated with 1024 modulus bits.

o    Only SSH version 2 is allowed.

o    Only SSH is allowed on vty lines.

Verify that PC-C can remotely access R1 (209.165.200.233) using SSH.

Set the domain name to ccnasecurity.com.

R1(config)#ip domain-name ccnasecurity.com

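The RSA key should be generated with 1024 modulus bits.

R1(config)#crypto key generate rsa

yes        // answer to the prompt about replacing the existing key

1024        // modulus size in bits

Only SSH version 2 is allowed.

R1(config)#ip ssh version 2

Only SSH is allowed on the vty lines.

R1(config)#line vty 0 4

R1(config-line)#transport input ssh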

 

Secure Against Login Attacks

1.Configure the following on R1:

o    If a user fails to log in twice within a 30-second time span, then disable logins for one minute.

o    Log all failed login attempts.

If a user fails to log in twice within a 30-second time span, disable logins for one minute.

R1(config)#login block-for 60 attempts 2 within 30

Log all failed login attempts.

R1(config)#login on-failure log
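
Added example (not part of the original lab): a small Python audit that checks a saved running-config for the R1 login hardening configured in the sections above (password length, password encryption, SSH version 2, SSH-only vty lines, idle timeout, login blocking and failure logging). The config excerpt and the function names are constructed for illustration; the vty section is deliberately left weak so the audit reports something.

```python
import re

# Constructed running-config excerpt modelled on the R1 steps above (not device output).
SAMPLE = """\
security passwords min-length 10
service password-encryption
ip ssh version 2
login block-for 60 attempts 2 within 30
line con 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

def line_blocks(config):
    """Map each 'line ...' header to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None          # any other global command ends the block
    return blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    if not m or int(m.group(1)) < 10:
        findings.append("password min-length below 10")
    for needle, msg in [("service password-encryption", "plaintext passwords not encrypted"),
                        ("ip ssh version 2", "SSH version 2 not enforced"),
                        ("login block-for ", "no login block-for"),
                        ("login on-failure log", "failed logins not logged")]:
        if not re.search("^" + re.escape(needle), config, re.M):
            findings.append(msg)
    for header, cmds in line_blocks(config).items():
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{header}: idle timeout disabled")
        if header.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input ")),
                             "transport input (default)")
            if transport != "transport input ssh":
                findings.append(f"{header}: {transport}")
    return findings
```
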

 

Configure Firewall and IPS Settings

1.Configure a ZPF on R3 using the following requirements:

o    Create zones named IN-ZONE and OUT-ZONE.

o    Create an ACL number 110 that defines internal traffic, permitting all IP protocols from the 172.30.3.0/24 source network to any destination. Explicitly deny all other traffic.

o    Create a class map named INTERNAL-CLASS-MAP that uses the match-all option and ACL 110.

o    Create a policy map named IN-2-OUT-PMAP that uses the class map INTERNAL-CLASS-MAP to inspect all matched traffic.

o    Create a zone pair named IN-2-OUT-ZPAIR that identifies IN-ZONE as the source zone and OUT-ZONE as the destination zone.

o    Specify that the IN-2-OUT-PMAP policy map is to be used to inspect traffic between the two zones.

o    Assign Fa0/1 as an IN-ZONE member and S0/0/1 as an OUT-ZONE member.

Create zones named IN-ZONE and OUT-ZONE.

R3(config)#zone security IN-ZONE

R3(config)#zone security OUT-ZONE

Create ACL number 110, permitting all IP protocols from the 172.30.3.0/24 source network to any destination. Explicitly deny all other traffic.

R3(config)#access-list 110 permit ip 172.30.3.0 0.0.0.255 any

R3(config)#access-list 110 deny ip any any

// Careful: the part below ↓ is a trap and has to be removed with "no"!!!

R3(config)#ip access-list extended 10

R3(config-ext-nacl)#no 20

// Careful: the part above ↑ is a trap and has to be removed with "no"!!!

Create a class map named INTERNAL-CLASS-MAP that uses the match-all option and ACL 110.

R3(config)#class-map type inspect match-all INTERNAL-CLASS-MAP

R3(config-cmap)#match access-group 110

Create a policy map named IN-2-OUT-PMAP that uses the class map INTERNAL-CLASS-MAP to inspect all matched traffic.

R3(config)#policy-map type inspect IN-2-OUT-PMAP

R3(config-pmap)#class type inspect INTERNAL-CLASS-MAP

R3(config-pmap-c)#inspect

Create a zone pair named IN-2-OUT-ZPAIR that identifies IN-ZONE as the source zone and OUT-ZONE as the destination zone.

R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

Specify that the IN-2-OUT-PMAP policy map is to be used to inspect traffic between the two zones.

R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP

Assign Fa0/1 as an IN-ZONE member and S0/0/1 as an OUT-ZONE member.

R3(config)#interface fa0/1

R3(config-if)#zone-member security IN-ZONE

R3(config)#interface s0/0/1

R3(config-if)#zone-member security OUT-ZONE

If this is unclear, see page 131 of the Chapter 4 PPT on the FTP server.
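
Added example (not part of the original lab): a simplified Python model of how the R3 zone-based policy above treats a packet, covering the ACL 110 wildcard match, the single IN-ZONE to OUT-ZONE zone pair, and return traffic for inspected sessions. Sessions are tracked by address pair only (a real firewall tracks protocol and ports too), and the class and function names are hypothetical.

```python
import ipaddress

# Model of the R3 policy above: ACL 110, the zone members and the one zone pair.
ACL_110 = [("permit", "172.30.3.0", "0.0.0.255"),
           ("deny", "0.0.0.0", "255.255.255.255")]
ZONE_OF = {"Fa0/1": "IN-ZONE", "S0/0/1": "OUT-ZONE"}
ZONE_PAIRS = {("IN-ZONE", "OUT-ZONE"): ACL_110}   # IN-2-OUT-ZPAIR -> IN-2-OUT-PMAP

def wildcard_match(ip, base, wildcard):
    """IOS wildcard mask: bits set to 1 are ignored, bits set to 0 must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_permits(acl, src):
    for action, base, wildcard in acl:            # first matching entry wins
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False                                  # implicit deny at the end of every ACL

class Firewall:
    def __init__(self):
        self.sessions = set()                     # (initiator, responder) pairs under inspection

    def forward(self, in_if, out_if, src, dst):
        src_zone, dst_zone = ZONE_OF[in_if], ZONE_OF[out_if]
        if src_zone == dst_zone:
            return "pass"                         # traffic inside one zone is not filtered
        if (dst, src) in self.sessions:
            return "pass-return"                  # reply belonging to an inspected session
        acl = ZONE_PAIRS.get((src_zone, dst_zone))
        if acl is not None and acl_permits(acl, src):
            self.sessions.add((src, dst))
            return "inspect"
        return "drop"                             # no zone pair, or traffic fell to class-default
```

With this policy an outside host cannot open a connection to 172.30.3.0/24, but its replies to an inside-initiated session are let through.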

 

2.Configure an IPS on R3 using the following requirements:

Note: Within Packet Tracer, the routers already have the signature files imported and in place. They are the default XML files in flash. For this reason, it is not necessary to configure the public crypto key and complete a manual import of the signature files.

o    Create a directory in flash named ipsdir and set it as the location for IPS signature storage.

o    Create an IPS rule named IPS-RULE.

o    Retire the all signature category with the retired true command (all signatures within the signature release).

o    Unretire the IOS_IPS Basic category with the retired false command.

o    Apply the rule inbound on the S0/0/1 interface.

Create a directory in flash named ipsdir and set it as the location for IPS signature storage.

R3#mkdir ipsdir

Then press Enter.

R3#configure terminal

R3(config)#ip ips config location flash:ipsdir

Create an IPS rule named IPS-RULE.

R3(config)#ip ips name IPS-RULE

Retire the all signature category with the retired true command (all signatures within the signature release).

R3(config)#ip ips signature-category

R3(config-ips-category)#category all

R3(config-ips-category-action)#retired true

R3(config-ips-category-action)#exit

Unretire the IOS_IPS Basic category with the retired false command.

R3(config-ips-category)#category ios_ips basic

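R3(config-ips-category-action)#retired false

R3(config-ips-category-action)#exit

R3(config-ips-category)#exit        // press Enter at the [confirm] prompt to accept the changes

Apply the rule inbound on the S0/0/1 interface.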

R3(config)#interface s0/0/1

R3(config-if)#ip ips IPS-RULE in

