Case Scenario

ICTNWK602 Plan, configure and test advanced server based security Assessment -02 Last Updated: April 2018, V. No. 1.0
Page 1 of 7
Assessment Task 02 – Practical Demonstration
Task 01: Configure IP ACLs to Mitigate Attacks
Topology Diagram
Addressing Table
Case Scenario:
Access to routers R1, R2, and R3 should only be permitted from PC-C, the management
station. PC-C is also used for connectivity testing to PC-A, a server providing DNS, SMTP,
FTP, and HTTPS services.

Standard operating procedure is to apply ACLs on edge routers to mitigate common
threats based on source and/or destination IP address. In this activity, you create ACLs on
edge routers R1 and R3 to achieve this goal.
You then verify ACL functionality from internal and external hosts.
The routers have been pre-configured with the following:
Enable password: ciscoenpa55
Password for console: ciscoconpa55
Username for VTY lines: SSHadmin
Password for VTY lines: ciscosshpa55
IP addressing
Static routing

Objectives
Verify connectivity among devices before firewall configuration.
Use ACLs to ensure remote access to the routers is available only from
management station PC-C.
Configure ACLs on R1 and R3 to mitigate attacks.
Verify ACL functionality.
Your Tasks:
Task 1: Verify Basic Network Connectivity
Task 2: Secure Access to Routers
Task 3: Create a Numbered IP ACL 100
Task 4: Create a Numbered IP ACL 110
Task 5: Create a Numbered IP ACL 120
Task 6: Modify an Existing ACL
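The ACL work in Tasks 2 to 6 is shown below as one added example; it is not part of the assessment handout and not an answer key. The addressing table is not reproduced on this page, so every address and interface name is an assumption: PC-C 192.168.3.3 on R3's LAN 192.168.3.0/24, PC-A 192.168.1.3 on R1's LAN 192.168.1.0/24 behind GigabitEthernet0/1, R1's WAN interface Serial0/0/0 with address 10.1.1.1, and R3's WAN interface Serial0/0/1. The port numbers follow the services the scenario names (DNS, SMTP, FTP, HTTPS).

```cisco
! Added example; addresses and interface names are assumed, not taken from the handout.
! PC-C 192.168.3.3 (management station), PC-A 192.168.1.3 (DNS/SMTP/FTP/HTTPS server),
! R1 LAN 192.168.1.0/24 on G0/1, R1 WAN S0/0/0 = 10.1.1.1, R3 LAN 192.168.3.0/24, R3 WAN S0/0/1.
!
! ----- Task 2 (R1, R2 and R3): only PC-C may open a management session -----
! access-class filters who may reach the VTY lines; the explicit deny ... log records
! every other attempt, which the implicit deny would silently drop.
access-list 10 remark Management access from PC-C only
access-list 10 permit host 192.168.3.3
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
!
! ----- Task 3 (R1): ACL 100 inbound on the WAN link protects the LAN -----
! Only the published services on PC-A, SSH from PC-C to R1, PC-C's test pings and reply
! traffic get in. 'established' matches only TCP segments with ACK/RST set, so it cannot
! follow UDP replies or FTP's data channel; that limit is what CBAC/ZPF (Task 02) remove.
access-list 100 remark Inbound from ISP: published services and return traffic only
access-list 100 permit udp any host 192.168.1.3 eq domain
access-list 100 permit tcp any host 192.168.1.3 eq smtp
access-list 100 permit tcp any host 192.168.1.3 eq ftp
access-list 100 permit tcp any host 192.168.1.3 eq 443
access-list 100 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
access-list 100 permit icmp host 192.168.3.3 host 192.168.1.3 echo
access-list 100 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 100 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
access-list 100 permit icmp any 192.168.1.0 0.0.0.255 unreachable
access-list 100 deny icmp any any log
access-list 100 deny ip any any log
interface Serial0/0/0
 ip access-group 100 in
!
! ----- Task 4 (R1): ACL 110 inbound on the LAN interface stops spoofed sources -----
access-list 110 remark Anti-spoofing: only our own prefix may leave the LAN
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip any any log
interface GigabitEthernet0/1
 ip access-group 110 in
!
! ----- Task 5 (R3): ACL 120 inbound on the WAN link; R3's LAN only initiates -----
access-list 120 remark Inbound from ISP: replies to sessions started on our LAN only
access-list 120 permit tcp any 192.168.3.0 0.0.0.255 established
access-list 120 deny ip any any log
interface Serial0/0/1
 ip access-group 120 in
!
! ----- Task 6: modify ACL 120 in place -----
! A ping from PC-C to PC-A now fails: the echo-reply hits the deny at sequence 20.
! Numbered ACLs can be edited by sequence number through the named-ACL syntax, so the
! new lines are placed ahead of the deny instead of being appended after it (where
! they would never be reached).
ip access-list extended 120
 15 permit icmp any 192.168.3.0 0.0.0.255 echo-reply
 16 permit icmp any 192.168.3.0 0.0.0.255 unreachable
!
! ----- Verification -----
! show access-lists 120                             -> lines listed with sequence numbers 10,15,16,20
! show ip interface Serial0/0/0 | include access list
! show logging                                      -> hits on the deny ... log lines
! From PC-C: ssh -l SSHadmin 10.1.1.1              -> succeeds; from PC-A the same is refused
! From PC-C: ping 192.168.1.3                      -> succeeds only after the Task 6 change
```

Each `deny ... log` entry costs CPU per matched packet; on a real edge router it is a troubleshooting aid to turn on while verifying the task, not something to leave on a link that is being flooded.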

Task 02: Configure a Network for Secure Operation
Topology Diagram
Addressing Table

Case Scenario:
In this comprehensive practice activity, you will apply a combination of security measures
that were introduced in the course. These measures are listed in the objectives.
In the topology, R1 is the edge router for Company A while R3 is the edge router for
Company B. These networks are interconnected via the R2 router, which represents the
ISP. You will configure various security features on the routers and switches for Company
A and Company B. Not all security features will be configured on both R1 and R3.
The following preconfigurations have been made:
Hostnames on all devices
IP addresses on all devices
R2 console password: ciscoconpa55
R2 password on VTY lines: ciscovtypa55
R2 enable password: ciscoenpa55
Static routing
Syslog services on PC-B
DNS lookup has been disabled
IP default gateways for all switches

Learning Objectives

Secure the routers with strong passwords, password encryption and a login
banner.
Secure the console and VTY lines with passwords.
Configure local AAA authentication.
Configure SSH server.
Configure router for syslog.
Configure router for NTP.
Secure the router against login attacks.
Configure CBAC and ZPF firewalls.
Secure network switches.
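The router-hardening objectives above (Tasks 2 to 7 of this activity) are shown below on R1 as one added example; it is not part of the assessment handout or an answer key. The passwords are the handout's lab values. Everything else is an assumption: PC-B as syslog server at 192.168.1.6, R2 as the NTP source at 10.1.1.2, the domain name ccnasecurity.com, and a local administrator account Admin01. The handout puts SSH on R3 (Task 7); the same commands apply there.

```cisco
! Added example for R1; addresses, domain and the Admin01 account are assumed, not from the
! handout. PC-B (syslog) 192.168.1.6, R2 (NTP) 10.1.1.2, domain ccnasecurity.com.
!
! ----- Task 2: strong passwords, encryption, banner -----
! 'enable secret' is a salted hash. 'service password-encryption' only obfuscates line
! passwords (type 7, trivially reversible): it stops shoulder-surfing of a config printout,
! nothing more. The banner must not welcome anyone or name the organisation.
security passwords min-length 10
enable secret ciscoenpa55
service password-encryption
banner motd $ Unauthorized access is prohibited. Activity is logged. $
line console 0
 password ciscoconpa55
 exec-timeout 5 0
 logging synchronous
 login
line vty 0 4
 password ciscovtypa55
 exec-timeout 5 0
 login
!
! ----- Task 3: local AAA -----
! Order matters: create the local user BEFORE 'aaa new-model'. Once AAA is on, the line
! 'login' / 'password' pair is superseded by the method list, and with no local user the
! next session (including this console) is locked out.
username Admin01 secret Admin01pa55
aaa new-model
aaa authentication login default local
line console 0
 login authentication default
line vty 0 4
 login authentication default
!
! ----- Task 4: NTP -----
! Accurate time is what lets the syslog and login-failure records below be correlated.
ntp server 10.1.1.2
!
! ----- Task 5: syslog client -----
service timestamps log datetime msec
logging host 192.168.1.6
logging trap informational
!
! ----- Task 6: login attack mitigation -----
! Two failures within 30 s put the router in quiet mode for 60 s; successes and failures
! are both logged, and a 3 s delay between attempts slows online guessing further.
login block-for 60 attempts 2 within 30
login on-failure log
login on-success log
login delay 3
!
! ----- Task 7: SSH version 2 only on the VTY lines -----
ip domain-name ccnasecurity.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
!
! ----- Checks -----
! show running-config | include password   -> line passwords appear as type 7, none in clear
! show ntp status                          -> "Clock is synchronized"
! show login                               -> block-for / quiet-mode parameters in force
! show ip ssh                              -> "SSH Enabled - version 2.0"
! Fail two SSH logins from a PC, then look on PC-B for %SEC_LOGIN-1-QUIET_MODE_ON
```

Quiet mode blocks every login source, including the legitimate management station; on a production router pair `login block-for` with `login quiet-mode access-class` and a standard ACL that exempts the management address, otherwise an attacker who can send two bad passwords can lock the administrators out for the duration.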
Your Tasks:
Task 1: Test Connectivity and Verify Configurations
Task 2: Secure the Routers
Task 3: Configure Local Authentication on R1 and R3
Task 4: Configure NTP
Task 5: Configure R1 as Syslog Client
Task 6: Secure Router against Login Attacks
Task 7: Configure SSH on R3
Task 8: Configure CBAC on R1
Task 9: Configure ZPF on R3
Task 10: Secure the Switches
Task 11: Verification
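Tasks 8 to 10 are shown below as one added example; it is not part of the handout or an answer key. Interface names and prefixes are assumptions: R1's LAN 192.168.1.0/24 on GigabitEthernet0/1 and WAN Serial0/0/0; R3's LAN 192.168.3.0/24 on GigabitEthernet0/1 and WAN Serial0/0/1; on the switch, one host port FastEthernet0/1, an uplink on FastEthernet0/24, and the rest unused.

```cisco
! Added example for Tasks 8 to 10; interface names and prefixes are assumed, not from the
! handout. R1: LAN G0/1 192.168.1.0/24, WAN S0/0/0.  R3: LAN G0/1 192.168.3.0/24, WAN S0/0/1.
!
! ===== Task 8 (R1): CBAC =====
! Inspection applied outbound on the WAN interface records each session leaving the LAN
! and opens a temporary, session-specific hole in the inbound ACL for its replies.
! Everything unsolicited from the ISP side hits the deny. This is the stateful answer to
! the 'established' and UDP limits of a plain ACL.
ip inspect name IN-OUT-IN tcp
ip inspect name IN-OUT-IN udp
ip inspect name IN-OUT-IN icmp
ip inspect audit-trail
access-list 101 remark Outside-in: nothing unsolicited
access-list 101 deny ip any any log
interface Serial0/0/0
 ip inspect IN-OUT-IN out
 ip access-group 101 in
!
! ===== Task 9 (R3): zone-based policy firewall =====
! Same intent expressed as zones. Traffic between two zones is dropped unless a zone-pair
! with a policy allows it, so only the LAN -> ISP direction needs a policy; replies come
! back through the inspect state. Traffic to the router itself (the self zone) is still
! permitted by default, which is why the VTY access-class from Task 01 is still needed.
zone security IN-ZONE
zone security OUT-ZONE
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 102
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
 class class-default
  drop log
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
interface GigabitEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/1
 zone-member security OUT-ZONE
!
! ===== Task 10 (switches) =====
! Host port: one sticky MAC, shutdown on violation, BPDU guard so a rogue switch plugged
! in here is err-disabled. Uplink: trunk fixed, DTP off. Unused ports: shut.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/24
 switchport mode trunk
 switchport nonegotiate
interface range FastEthernet0/2 - 23
 shutdown
!
! ===== Checks (Task 11) =====
! R1: show ip inspect sessions                       -> one entry per session opened from the LAN
! R3: show policy-map type inspect zone-pair sessions
! S1: show port-security interface FastEthernet0/1   -> Port Status Secure-up, sticky MAC learned
! From PC-C (LAN) to PC-A: web/ping succeed. From R2 (ISP) into either LAN: refused.
```

When the inspection and the ACL sit on the same interface, as on R1 here, the ACL must be the inbound one and the inspect rule the outbound one; reversing them inspects traffic that the ACL has already dropped and nothing gets through.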
Task 03: Configure AAA Authentication on Cisco Routers
Topology Diagram
Addressing Table:
Case Scenario
The network topology shows routers R1, R2 and R3. Currently all administrative security is
based on knowledge of the enable secret password. Your task is to configure and test
local and server-based AAA solutions.
You will create a local user account and configure local AAA on router R1 to test the
console and VTY logins.
User account: Admin1 and password admin1pa55
You will then configure router R2 to support server-based authentication using the
TACACS+ protocol. The TACACS+ server has been pre-configured with the following:
Client: R2, shared key tacacspa55
User account: Admin2 and password admin2pa55

Finally, you will configure router R3 to support server-based authentication using the
RADIUS protocol. The RADIUS server has been pre-configured with the following:
Client: R3, shared key radiuspa55
User account: Admin3 and password admin3pa55

The routers have also been pre-configured with the following:
Enable secret password: ciscoenpa55
RIP version 2
Note: The console and VTY lines have not been pre-configured.
Learning Objectives

Configure a local user account on R1 and authenticate on the console and VTY
lines using local AAA.
Verify local AAA authentication from the R1 console and the PC-A client.
Configure a server-based AAA authentication using TACACS+.
Verify server-based AAA authentication from PC-B client.
Configure a server-based AAA authentication using RADIUS.
Verify server-based AAA authentication from PC-C client.
Your Tasks:
Task 1: Configure Local AAA Authentication for Console Access on R1
Task 2: Configure Local AAA Authentication for VTY Lines on R1
Task 3: Configure Server-Based AAA Authentication Using TACACS+ on R2
Task 4: Configure Server-Based AAA Authentication Using RADIUS on R3
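The four tasks above are shown below as one added example; it is not part of the handout or an answer key. The account names, passwords and shared keys are the handout's. The server addresses are assumptions (TACACS+ server 192.168.2.2 on R2's LAN, RADIUS server 192.168.3.2 on R3's LAN), as is the named method list TELNET-LOGIN on R1.

```cisco
! Added example for Tasks 1 to 4. Accounts and keys are the handout's; server addresses
! (192.168.2.2 TACACS+, 192.168.3.2 RADIUS) and the list name TELNET-LOGIN are assumed.
!
! ===== R1: local AAA for console and VTY (Tasks 1 and 2) =====
! The console uses the default list; the VTY lines use a named list so they can later be
! pointed at a different method without touching console access.
username Admin1 secret admin1pa55
aaa new-model
aaa authentication login default local
aaa authentication login TELNET-LOGIN local
line console 0
 login authentication default
line vty 0 4
 login authentication TELNET-LOGIN
!
! ===== R2: server-based AAA with TACACS+ (Task 3) =====
! The key must match the server's client entry for R2 byte for byte. TACACS+ encrypts the
! whole packet body with it. 'local' at the end is a fallback for when the server does
! not ANSWER (timeout); a REJECT from the server is final and does not fall through.
aaa new-model
tacacs-server host 192.168.2.2
tacacs-server key tacacspa55
aaa authentication login default group tacacs+ local
line console 0
 login authentication default
line vty 0 4
 login authentication default
!
! ===== R3: server-based AAA with RADIUS (Task 4) =====
! RADIUS only hides the password attribute; usernames and the rest travel in clear, so
! keep the server on the management LAN. The UDP ports must match the server: IOS
! defaults to the legacy 1645/1646, most servers listen on 1812/1813; a mismatch looks
! like a dead server and silently drops you to the local fallback.
aaa new-model
radius-server host 192.168.3.2 auth-port 1812 acct-port 1813 key radiuspa55
aaa authentication login default group radius local
line console 0
 login authentication default
line vty 0 4
 login authentication default
!
! ===== Checks =====
! R1 console and telnet from PC-A: prompt for Username/Password, Admin1 / admin1pa55
! R2: test aaa group tacacs+ Admin2 admin2pa55 legacy   -> reports successful authentication
! R3: test aaa group radius Admin3 admin3pa55 legacy
! debug aaa authentication  (plus debug tacacs / debug radius) while logging in from
! PC-B and PC-C shows whether the server answered PASS, FAIL, or never replied (ERROR).
```

Enter `aaa new-model` only after the local account or the server definition is in place and from the console, so that a typo in the key or address can be corrected on a line that is still authenticated.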