Cisco Device Security Configuration Lab

Secure administrative access to Cisco routers in a small network.

Secure Privileged Exec Mode

  • Set the enable password
    • #conf t
    • (config)#enable password [password]
  • Set the enable secret password
    • #conf t
    • (config)#enable secret [password]
    • NOTE: While both passwords can be set, the enable secret will supersede the standard enable password.
  • Show passwords
    • #show running-config
    • NOTE: The secret password is hashed and cannot be read, while the standard password is stored in plain text.
  • Ensure all plain text passwords are encrypted
    • #conf t
    • (config)#service password-encryption

Secure Remote Telnet and SSH Access

  • Ensure users are logged out after 15 minutes of inactivity on the console and virtual terminal lines
    • Console
      • #conf t
      • (config)#line console 0
      • (config-line)#exec-timeout 15
    • Virtual (vty)
      • #conf t
      • (config)#line vty 0 15
      • (config-line)#exec-timeout 15
  • Allow workstation at 10.0.0.10 to telnet to router with a different password
    • Create an access list
      • (config)#access-list 1 permit host 10.0.0.10
    • Apply list
      • (config)#line vty 0 15
      • (config-line)#access-class 1 in
      • (config-line)#password [password]
  • Telnet users to the router should see “Authorized users only” message
    • (config)#banner login [delimiter character]
    • message
    • [delimiter character]
  • Configure login to require username and password
    • #conf t
    • (config)#username [username] password|secret [password]
    • (config)#line vty 0 15
    • (config-line)#login local
    • NOTE: login local will supersede the line password
  • Allow SSH to the router
    • #conf t
    • (config)#ip domain-name [name]
    • (config)#crypto key generate rsa
    • How many bits in the modulus [512]: 768
      • SSH requires a modulus of at least 768 bits
    • (config)#line vty 0 15
    • (config-line)#transport input ssh
      • NOTE: Need to know the ssh command for the CCNA test
        • ssh -l [username] [ip address]
  • Set console to use password and no username
    • #config t
    • (config)#line console 0
    • (config-line)#login
    • % Login disabled on line 0, until ‘password’ is set
    • (config-line)#password [password]

NTP (Network Time Protocol)

  • Configure NTP to synchronise its time with 10.0.1.100 and set the timezone to Pacific Standard Time.
    • (config)#ntp server 10.0.1.100
    • (config)#clock timezone Pacific -8
  • Show time and verify ntp sync
    • #show clock
    • #show ntp status

Switch Management

  • Configure switch with an ip address on vlan 1
    • #conf t
    • (config)#int vlan 1
    • (config-if)#ip address 10.0.1.50 255.255.255.0
    • (config-if)#no shut
    • (config-if)#exit
    • (config)#ip default-gateway 10.0.1.1
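As an added example (not part of the original lab), a small Python audit that reads `show running-config` output and reports which of the hardening steps from the "Secure Privileged Exec Mode" and "Secure Remote Telnet and SSH Access" sections are missing: `service password-encryption`, `enable secret`, `exec-timeout` on every line, and `access-class`, `login local` and `transport input ssh` on the vty lines. The sample config is constructed for the example; the function names are my own.

```python
# Constructed sample running-config (not from a real device); "line vty 5 15" omits several lab steps.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$EXAMPLE$placeholderhash0000000000000
line con 0
 exec-timeout 15 0
line vty 0 4
 access-class 1 in
 exec-timeout 15 0
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

def parse_config(text):
    global_cmds, blocks, current = [], {}, None   # blocks: {"line ...": [indented sub-commands]}
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:   # indented = sub-command of a line block
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            blocks[(current := raw.strip())] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks

def audit(text):
    """Return one finding per lab hardening item that is missing or weakened."""
    g, blocks = parse_config(text)
    findings = []
    if "service password-encryption" not in g:
        findings.append("global: service password-encryption not set")
    if not any(c.startswith("enable secret ") for c in g):
        findings.append("global: enable secret not set (plain enable password only)")
    for name, cmds in blocks.items():
        timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
        if timeout is None:
            findings.append(f"{name}: exec-timeout not set (IOS default applies)")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append(f"{name}: exec-timeout 0 disables the idle timeout")
        if name.startswith("line vty"):
            if not any(c.startswith("access-class ") for c in cmds):
                findings.append(f"{name}: no access-class restricting remote sources")
            if "transport input ssh" not in cmds:
                findings.append(f"{name}: transport input not restricted to ssh")
            if "login local" not in cmds:
                findings.append(f"{name}: login local not set")
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags only the `line vty 5 15` block, which is the usual way a second vty range gets left behind when only `line vty 0 4` was hardened.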