6.3 Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering

IPv4 ACLs

6.3.a Standard

Screenshot_2018-12-09_06-18-36

Using the above topology, we will use standard ACLs (numbered 1-99) to filter traffic. Standard ACLs match on the source address only, so they are placed as close to the destination as possible, here outbound on the interfaces facing the protected subnets. Relying on the implicit “deny” at the end of each ACL keeps the number of entries down.

On R1:

interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 1 out
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 2 out
 negotiation auto
!
access-list 1 permit 192.168.122.0 0.0.0.255 log
access-list 2 permit 10.0.2.0 0.0.0.255 log
!

To verify, use pings and extended pings. Because the router applying the ACL answers with ICMP type 3 code 13 (communication administratively prohibited), a filtered packet can be told apart from one that was simply lost:

BANKING> ping 10.0.0.2   
*10.0.1.1 icmp_seq=1 ttl=255 time=9.955 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=2 ttl=255 time=3.232 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=3 ttl=255 time=2.574 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=4 ttl=255 time=2.354 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=5 ttl=255 time=1.745 ms (ICMP type:3, code:13, Communication administratively prohibited)

DEVOPS> ping 10.0.0.2 
*10.0.2.1 icmp_seq=1 ttl=255 time=9.813 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=2 ttl=255 time=2.622 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=3 ttl=255 time=11.419 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=4 ttl=255 time=10.533 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=5 ttl=255 time=2.351 ms (ICMP type:3, code:13, Communication administratively prohibited)

router#ping
Protocol [ip]: 
Target IP address: 10.0.0.2
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: GigabitEthernet0/0
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.122.180 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/266/1040 ms
router#

6.3.b Extended

Extended access lists are numbered 100-199 (or 2000-2699 in the expanded range).

Extended entries can match on the destination address and the protocol (and, for TCP and UDP, on port numbers), not only on the source. The protocol keywords IOS offers:

<0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  ospf          OSPF routing protocol
  pcp           Payload Compression Protocol
  pim           Protocol Independent Multicast
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol

interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 out
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
 negotiation auto
!
access-list 100 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log
access-list 101 permit ip 10.0.2.0 0.0.0.255 host 10.0.1.2 log

6.3.c Named

Named ACLs work the same as the numbered lists above, except that each entry carries a sequence number, so entries can be added or removed individually:

<1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
router(config)#ip access-list extended RULE1
router(config-ext-nacl)#1 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log

router(config)#ip access-list extended RULE2
router(config-ext-nacl)#1 permit ip 10.0.2.0 0.0.0.255 host 10.0.1.2 log

Individual entries can then be removed by sequence number without rebuilding the whole list:

router(config)#ip access-list extended RULE1
router(config-ext-nacl)#no ?
  <1-2147483647>  Sequence Number
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  permit          Specify packets to forward
  remark          Access list entry comment

router(config-ext-nacl)#no 1
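To make the first-match and implicit-deny logic of 6.3.a, 6.3.b and 6.3.c concrete, here is an added Python model (example code written for this page, not from the original post and not Cisco code) that evaluates packets against the standard ACL 1 and the extended ACL 100 shown above, supports sequence-numbered add/remove as in a named list, and replays the pings from the verification step. The source addresses of BANKING (10.0.1.2) and DEVOPS (10.0.2.2) are assumed from the subnets their ICMP unreachables came from; the TCP port 22 entry is a hypothetical addition to show a port match, which the post's configuration does not use.

```python
"""Model of how IOS walks a standard or extended IPv4 ACL (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored.
    'host X' is wildcard 0.0.0.0, 'any' is 0.0.0.0 255.255.255.255."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                # "ip" matches every IP protocol
    dst: str = "0.0.0.0"             # standard ACLs ignore the destination,
    dst_wc: str = "255.255.255.255"  # so the default is "any"
    dst_port: Optional[int] = None   # "eq <port>" on tcp/udp entries

    def matches(self, src: str, dst: str, proto: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        if not wildcard_match(dst, self.dst, self.dst_wc):
            return False
        return self.dst_port is None or self.dst_port == dst_port


class AccessList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []

    def add(self, entry: Entry) -> None:
        """Keep sequence order, like a named ACL with explicit sequence numbers."""
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)

    def remove(self, seq: int) -> None:
        """'no <seq>' inside ip access-list: drop one entry, keep the rest."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, src: str, dst: str, proto: str = "ip",
                 dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """First match wins; (deny, None) means the implicit deny at the end fired."""
        for e in self.entries:
            if e.matches(src, dst, proto, dst_port):
                return e.action, e.seq
        return "deny", None


# ACL 1 (standard) and ACL 100 (extended) from the post, both applied
# outbound on G1/0 towards 10.0.0.0/24.
acl1 = AccessList("1")
acl1.add(Entry(10, "permit", "192.168.122.0", "0.0.0.255"))

acl100 = AccessList("100")
acl100.add(Entry(10, "permit", "192.168.122.0", "0.0.0.255",
                 proto="ip", dst="10.0.0.2", dst_wc="0.0.0.0"))
# Hypothetical extra entry (not in the post) to show a TCP port match:
acl100.add(Entry(20, "permit", "10.0.1.0", "0.0.0.255",
                 proto="tcp", dst="10.0.0.2", dst_wc="0.0.0.0", dst_port=22))


def walkthrough() -> dict:
    """Replays the pings from the post (BANKING/DEVOPS source IPs assumed)."""
    return {
        "banking_ping": acl1.evaluate("10.0.1.2", "10.0.0.2", "icmp"),
        "devops_ping": acl1.evaluate("10.0.2.2", "10.0.0.2", "icmp"),
        "router_ext_ping": acl1.evaluate("192.168.122.180", "10.0.0.2", "icmp"),
        "acl100_other_host": acl100.evaluate("192.168.122.180", "10.0.0.3", "icmp"),
        "acl100_banking_ssh": acl100.evaluate("10.0.1.2", "10.0.0.2", "tcp", 22),
        "acl100_banking_http": acl100.evaluate("10.0.1.2", "10.0.0.2", "tcp", 80),
    }


if __name__ == "__main__":
    for case, (action, seq) in walkthrough().items():
        print(f"{case:20s} -> {action} ({'seq ' + str(seq) if seq else 'implicit deny'})")
```

The two pings that returned ICMP 3/13 fall through to the implicit deny, the router's extended ping from 192.168.122.180 hits sequence 10, and removing sequence 20 with remove(20) turns the SSH case back into a deny, which is the named-ACL edit from 6.3.c.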

IPv6 ACLs

According to Cisco: “With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.”

Here is the topology:

Screenshot_2018-12-09_06-18-36

Here are the ACLs:

interface GigabitEthernet0/0
 ip address dhcp
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 ipv6 address 2001:DB8:4::/48 eui-64
!
interface GigabitEthernet1/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:1::/48 eui-64
 ipv6 traffic-filter RULE1 out
!
interface GigabitEthernet2/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:2::/48 eui-64
 ipv6 traffic-filter RULE2 out
!
interface GigabitEthernet3/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:3::/48 eui-64
!
ipv6 access-list RULE1
 permit ipv6 2001:DB8:4::/48 2001:DB8:1::/48 log
!
ipv6 access-list RULE2
 permit ipv6 2001:DB8:3::/48 2001:DB8:2::/48 log
!
control-plane

Verification is the same as for IPv4. Adding the log keyword shows when an entry matches (RULE2/10 is sequence 10, the default sequence number of the first entry in the list):

router#
*Dec 9 09:25:43.011: %IPV6_ACL-6-ACCESSLOGDP: list RULE2/10 permitted icmpv6 2001:DB8:3::1 -> 2001:DB8:2::1 (128/0), 1 packet

Pings also return “prohibited” when attempting to reach an ACL-restricted subnet:

DEVOPS> ping 2001:db8:1::1

*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=1 ttl=64 time=18.509 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=2 ttl=64 time=9.367 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=3 ttl=64 time=9.834 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=4 ttl=64 time=9.151 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=5 ttl=64 time=9.522 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)

6.1 Configure, verify, and troubleshoot port security

Let’s begin with the following topology (download lab here)

Screenshot_2018-12-07_06-55-03

I have configured this topology with R1 acting as a router-on-a-stick (ROAS) and as the DHCP server, with a DHCP pool for each VLAN.

Router#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.10.254.2         0100.5079.6668.01       Jan 07 2019 06:50 AM    Automatic
10.200.100.2        0100.5079.6668.02       Jan 07 2019 06:50 AM    Automatic
10.200.100.3        0100.5079.6668.04       Jan 07 2019 06:51 AM    Automatic
10.200.101.2        0100.5079.6668.00       Jan 07 2019 06:49 AM    Automatic
10.200.102.2        0100.5079.6668.03       Jan 07 2019 06:50 AM    Automatic
10.200.102.3        0100.5079.6668.05       Jan 07 2019 06:50 AM    Automatic
10.200.102.4        0100.5079.6668.07       Jan 07 2019 06:50 AM    Automatic
10.200.102.5        0100.5079.6668.06       Jan 07 2019 06:50 AM    Automatic
Router#

Connectivity has been verified:

PC-1> ping 10.200.100.2
10.200.100.2 icmp_seq=1 timeout
10.200.100.2 icmp_seq=2 timeout
84 bytes from 10.200.100.2 icmp_seq=3 ttl=63 time=13.333 ms
84 bytes from 10.200.100.2 icmp_seq=4 ttl=63 time=14.403 ms
84 bytes from 10.200.100.2 icmp_seq=5 ttl=63 time=13.416 ms

PC-1> ping 10.200.102.2
10.200.102.2 icmp_seq=1 timeout
10.200.102.2 icmp_seq=2 timeout
84 bytes from 10.200.102.2 icmp_seq=3 ttl=63 time=13.100 ms
84 bytes from 10.200.102.2 icmp_seq=4 ttl=63 time=12.385 ms
84 bytes from 10.200.102.2 icmp_seq=5 ttl=63 time=12.282 ms

PC-1> ping 10.200.101.2
10.200.101.2 icmp_seq=1 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=2 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=3 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=4 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=5 ttl=64 time=0.001 ms

PC-1> ping 10.10.254.2 
10.10.254.2 icmp_seq=1 timeout
10.10.254.2 icmp_seq=2 timeout
84 bytes from 10.10.254.2 icmp_seq=3 ttl=63 time=15.034 ms
84 bytes from 10.10.254.2 icmp_seq=4 ttl=63 time=12.031 ms
84 bytes from 10.10.254.2 icmp_seq=5 ttl=63 time=13.712 ms

PC-1>

The switch shows each computer’s address has been registered into the MAC address table (note the multiple addresses per switchport):

Switch#show mac address-table dynamic 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    ca01.4ce4.0008    DYNAMIC     Et1/3
  33    0050.7966.6800    DYNAMIC     Et0/0
  33    ca01.4ce4.0008    DYNAMIC     Et1/3
  31    0050.7966.6801    DYNAMIC     Et0/1
  31    ca01.4ce4.0008    DYNAMIC     Et1/3
  30    0050.7966.6802    DYNAMIC     Et1/1
  30    0050.7966.6804    DYNAMIC     Et1/1
  30    ca01.4ce4.0008    DYNAMIC     Et1/3
  20    0050.7966.6803    DYNAMIC     Et1/0
  20    0050.7966.6805    DYNAMIC     Et1/0
  20    0050.7966.6806    DYNAMIC     Et1/0
  20    0050.7966.6807    DYNAMIC     Et1/0
  20    ca01.4ce4.0008    DYNAMIC     Et1/3
Total Mac Addresses for this criterion: 13
Switch#

It is now time to configure port security.

6.1.a Static

Configure static on port e0/0 (VLAN 33):

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e0/0
Switch(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  

Switch(config-if)#switchport port-security 
Switch(config-if)#switchport port-security violation shutdown 
Switch(config-if)#switchport port-security mac-address 0050.7966.6801
Switch(config-if)#^Z
Switch#

PC-1’s MAC address is 0050.7966.6800, not the configured 0050.7966.6801, so its first frame triggers a violation and the interface is shut down (err-disabled):

PC-1> ping 10.200.101.1
10.200.101.1 icmp_seq=1 timeout
10.200.101.1 icmp_seq=2 timeout
10.200.101.1 icmp_seq=3 timeout
10.200.101.1 icmp_seq=4 timeout
10.200.101.1 icmp_seq=5 timeout

PC-1> 
Switch#
*Dec  6 21:48:44.071: %PM-4-ERR_DISABLE: secure-violation error detected on Et0/0, putting Et0/0 in err-disable state
Switch#
*Dec  6 21:48:44.071: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6800 on port Ethernet0/0.
*Dec  6 21:48:45.076: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
Switch#
*Dec  6 21:48:46.072: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to down
Switch#show int e0/0
Ethernet0/0 is down, line protocol is down (err-disabled)
Switch#show port-security int e0/0
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6800:33
Security Violation Count   : 1
Switch#

6.1.b Dynamic

With no static address configured, the port dynamically learns the first MAC address it sees. A violation is triggered when the maximum number of secure addresses (default 1) is exceeded. To configure:

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e1/1
Switch(config-if)#switchport port-security    
Switch(config-if)#switchport port-security violation restrict 
Switch(config-if)#^Z

Now if we ping from both PC-5 and PC-3, the second machine is blocked while PC-5 can still reach the network (in restrict mode the port stays up and each offending frame is logged and counted):

PC-5> ping 10.10.254.1
84 bytes from 10.10.254.1 icmp_seq=1 ttl=255 time=4.195 ms
84 bytes from 10.10.254.1 icmp_seq=2 ttl=255 time=9.041 ms
84 bytes from 10.10.254.1 icmp_seq=3 ttl=255 time=11.537 ms
84 bytes from 10.10.254.1 icmp_seq=4 ttl=255 time=10.708 ms
84 bytes from 10.10.254.1 icmp_seq=5 ttl=255 time=10.623 ms
PC-3> ping 10.10.254.1
10.10.254.1 icmp_seq=1 timeout
10.10.254.1 icmp_seq=2 timeout
10.10.254.1 icmp_seq=3 timeout
10.10.254.1 icmp_seq=4 timeout
10.10.254.1 icmp_seq=5 timeout
Switch#
*Dec 6 22:03:03.182: %SYS-5-CONFIG_I: Configured from console by console
Switch#
*Dec 6 22:03:11.967: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port Ethernet1/1.
Switch#
*Dec 6 22:03:17.969: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port Ethernet1/1.
Switch#

6.1.c Sticky

The sticky keyword tells the switch to learn MAC addresses dynamically and write them into the running config as port-security mac-address sticky entries.

To keep the learned addresses across a reload, save them to the startup config with “copy running-config startup-config” (abbreviated “copy run st”).

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e0/1
Switch(config-if)#switchport port-security 
Switch(config-if)#switchport port-security mac-address sticky 
Switch(config-if)#switchport port-security violation protect 
Switch(config-if)#^Z
Switch#
*Dec  6 22:16:10.803: %SYS-5-CONFIG_I: Configured from console by console

In “protect” mode, frames from any MAC address beyond the secure set are silently dropped: no syslog or SNMP message is generated, the violation counter is not incremented, and the interface stays up.

For example, after connecting a different PC and trying to access the network, the show command reports no violations:

Switch#show port-security interface e0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.6808:31
Security Violation Count   : 0
Switch#

However, when we change the violation mode to restrict, we see warning messages and the violation counter is incremented:

Switch#
*Dec  6 22:24:16.775: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6808 on port Ethernet0/1.
Switch#show port-security interface e0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.6808:31
Security Violation Count   : 6
Switch#

6.1.d Max MAC addresses

The “switchport port-security maximum” command sets how many secure MAC addresses the interface will accept before a violation is triggered.

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e1/0
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum ?
  <1-4097>  Maximum addresses
Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security violation restrict 
Switch(config-if)#^Z
Switch#
*Dec  6 22:26:40.753: %SYS-5-CONFIG_I: Configured from console by console
Switch#

We can trigger this by pinging the four computers behind e1/0 from the router; the fourth MAC address exceeds the maximum of 3 and is dropped:

Router#ping 10.200.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/24 ms
Router#ping 10.200.102.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/28 ms
Router#ping 10.200.102.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/36 ms
Router#ping 10.200.102.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router# 

Switch#
*Dec  6 22:32:39.063: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6807 on port Ethernet1/0.
Switch#
*Dec  6 22:32:45.058: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6807 on port Ethernet1/0.

Switch#show port-security interface e1/0
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6807:20
Security Violation Count   : 5

6.1.e Violation actions

Discards offending traffic:

  • Protect/Restrict/Shutdown -> YES

Sends syslog and SNMP trap messages and increments the violation counter:

  • Protect -> NO
  • Restrict/Shutdown -> YES

Err-disables the interface:

  • Protect/Restrict -> NO
  • Shutdown -> YES
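The comparison above is easier to reason about with a runnable model. The following is an added Python simulation (not from the original post and not Cisco code) of one secure port that implements the learning rules for static, dynamic and sticky addresses, the maximum, and the three violation modes, then replays the four scenarios from 6.1.a to 6.1.d with the MAC addresses seen in the show output. The order in which frames arrive and the per-frame counting in restrict mode are assumptions of the model; the counters it produces can be compared with the show port-security output above.

```python
"""Simulation of Cisco port-security on one switchport (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"                          # protect | restrict | shutdown
    sticky: bool = False
    configured: Set[str] = field(default_factory=set)    # static "mac-address X" entries
    sticky_addrs: Set[str] = field(default_factory=set)  # learned and written to running-config
    dynamic: Set[str] = field(default_factory=set)       # learned only, lost on err-disable
    running_config: List[str] = field(default_factory=list)
    status: str = "Secure-up"
    violation_count: int = 0
    last_source: str = ""
    syslog: List[str] = field(default_factory=list)

    def secure_addresses(self) -> Set[str]:
        return self.configured | self.sticky_addrs | self.dynamic

    def configure_static(self, mac: str) -> None:
        self.configured.add(mac)
        self.running_config.append(f" switchport port-security mac-address {mac}")

    def receive(self, mac: str, vlan: int) -> bool:
        """Process one ingress frame; True means it is forwarded."""
        if self.status == "Secure-shutdown":
            return False                                 # err-disabled: link is down
        self.last_source = f"{mac}:{vlan}"
        if mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) < self.maximum:
            self._learn(mac)
            return True
        return self._violate(mac)

    def _learn(self, mac: str) -> None:
        if self.sticky:                                  # sticky: lands in running-config
            self.sticky_addrs.add(mac)
            self.running_config.append(f" switchport port-security mac-address sticky {mac}")
        else:
            self.dynamic.add(mac)

    def _violate(self, mac: str) -> bool:
        if self.violation == "protect":                  # silent drop: no log, no counter
            return False
        self.violation_count += 1                        # restrict and shutdown count and log
        self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"
            self.dynamic.clear()
            self.syslog.append(f"%PM-4-ERR_DISABLE: secure-violation error detected on {self.name}, "
                               f"putting {self.name} in err-disable state")
        return False

    def recover(self) -> None:
        """'shutdown' then 'no shutdown': sticky and static addresses survive."""
        self.status = "Secure-up"

    def show(self) -> Dict[str, object]:
        """The fields of 'show port-security interface' the post compares."""
        return {"Port Status": self.status, "Violation Mode": self.violation.capitalize(),
                "Maximum MAC Addresses": self.maximum,
                "Total MAC Addresses": len(self.secure_addresses()),
                "Configured MAC Addresses": len(self.configured),
                "Sticky MAC Addresses": len(self.sticky_addrs),
                "Last Source Address:Vlan": self.last_source,
                "Security Violation Count": self.violation_count}


def scenarios() -> Dict[str, SecurePort]:
    """Replays 6.1.a-6.1.d with the post's MAC addresses (frame order assumed)."""
    e0_0 = SecurePort("Ethernet0/0", violation="shutdown")      # 6.1.a static
    e0_0.configure_static("0050.7966.6801")
    e0_0.receive("0050.7966.6800", 33)                          # PC-1 is not the static MAC
    e1_1 = SecurePort("Ethernet1/1", violation="restrict")      # 6.1.b dynamic
    e1_1.receive("0050.7966.6804", 30)                          # first MAC is learned
    e1_1.receive("0050.7966.6802", 30)                          # second MAC violates...
    e1_1.receive("0050.7966.6802", 30)                          # ...once per frame
    e0_1 = SecurePort("Ethernet0/1", violation="protect", sticky=True)   # 6.1.c sticky
    e0_1.receive("0050.7966.6801", 31)
    e0_1.receive("0050.7966.6808", 31)                          # dropped, nothing counted
    e1_0 = SecurePort("Ethernet1/0", maximum=3, violation="restrict")    # 6.1.d maximum
    for mac in ("0050.7966.6803", "0050.7966.6805", "0050.7966.6806", "0050.7966.6807"):
        e1_0.receive(mac, 20)                                   # fourth MAC violates
    return {"e0/0": e0_0, "e1/1": e1_1, "e0/1": e0_1, "e1/0": e1_0}


if __name__ == "__main__":
    for port, state in scenarios().items():
        print(port, state.show())
```

Running it prints the same Total/Configured/Sticky/Last Source fields as the show commands above: e0/0 ends Secure-shutdown with one violation, e0/1 in protect mode ends with a count of 0 even though the second MAC was dropped, and flipping the same port to restrict makes the next frame from 0050.7966.6808 count and log.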

 

6.1.f Err-disable recovery

To recover an err-disabled port, first confirm that port security is the cause with the following show commands:

Switch#show port-security interface e1/0
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6807:20
Security Violation Count   : 6
Switch#
Switch#show int e1/0
Ethernet1/0 is down, line protocol is down (err-disabled) 

To recover, bounce the interface (shutdown, then no shutdown). Without this manual step the port stays err-disabled indefinitely unless automatic recovery has been enabled globally with “errdisable recovery cause psecure-violation” (default interval 300 seconds):

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e1/0
Switch(config-if)#shutdown 
Switch(config-if)#no shutdown 
Switch(config-if)#^Z
Switch#
*Dec  6 22:41:43.901: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
Switch#
*Dec  6 22:41:44.329: %SYS-5-CONFIG_I: Configured from console by console
*Dec  6 22:41:44.901: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up
Switch#

6.4 Verify ACLs using the APIC-EM Path Trace ACL analysis tool

This simple little section took me over 3 weeks to finally complete. I wasn’t studying for those whole weeks, just failing to get the APIC-EM to boot/install.

I eventually had to upgrade my $180 server to a $380 server by buying more RAM ($120) and two CPUs ($80).

Now it has just enough compute power to run the APIC-EM (2x 3 GHz CPUs and 64 GB RAM).

Now on with the job:

After configuring a very long lab I finally got the APIC-EM path tracing working.
On router 4 I configured an ACL blocking all traffic to PC3:

interface Ethernet0/1
 ip address 172.16.0.1 255.255.255.0
 ip access-group 100 out
 ! snip
access-list 100 deny ip any host 172.16.0.2

Note that, as shown (unless a permit entry was snipped), ACL 100 contains only a deny, so the implicit deny at the end also drops every other packet leaving Ethernet0/1; to block PC3 alone, a trailing permit ip any any is required.

I first confirmed the ACL worked (Wireshark packet captures):
Screenshot_2018-03-10_22-49-08Screenshot_2018-03-10_22-48-24

Then ran the APIC-EM Path Trace Tool:
Screenshot_2018-03-10_22-59-03Screenshot_2018-03-10_22-59-21

 

The APIC-EM path trace confirms that the ACL is in place on that interface.

6.5 Configure, verify, and troubleshoot basic device hardening

6.5.a Local authentication

Local authentication means an enable secret for privileged mode plus login local on the lines, backed by a username in the local database. Create the local username before the console session ends: once login local is set, the console prompts for a local account, and without one you are locked out.

Router>
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret cisco // sets a hashed enable secret (preferred over enable password)
Router(config)#^Z
Router#exi
*Feb 17 11:47:36.950: %SYS-5-CONFIG_I: Configured from console by console
Router#exit

Router con0 is now available

Press RETURN to get started.

Router>en
Password: // a password is now required to enter enable mode
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line con 0  // the console line
Router(config-line)#login local // authenticate against the local username database
Router(config-line)#end
Router#u
*Feb 17 11:48:21.548: %SYS-5-CONFIG_I: Configured from console by console
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#username admin secret cisco // add user admin with (hashed) secret cisco
Router(config)#^Z
Router#exit
*Feb 17 11:48:47.478: %SYS-5-CONFIG_I: Configured from console by console
Router#exit

Router con0 is now available
Press RETURN to get started.

User Access Verification

Username: admin // a username is now prompted for, not just a password
Password:
Router>en
Password:
Router#

6.5.b Secure password

This refers to the insecure enable password command, which stores the password in the configuration in cleartext (enable secret stores a salted hash instead, and when both are configured the secret takes precedence):

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password gus
Router(config)#^Z
Router#
Router#conf t 
*Feb 17 12:00:18.028: %SYS-5-CONFIG_I: Configured from console by admin on console
Router#show run | begin enable
enable password gus

6.5.c Access to device

Securing access to the device starts with SSH (Telnet sends credentials and the whole session in cleartext):

User Access Verification

Username: admin
Password: 
Router>en
Password: 
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname router1
router1(config)#ip domain-name clinetworking.wordpress.com
router1(config)#crypto key generate rsa
The name for the keys will be: router1.clinetworking.wordpress.com
Choose the size of the key modulus in the range of 360 to 4096 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take
 a few minutes.

How many bits in the modulus [512]: 4096
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 7 seconds)

router1(config)#
*Feb 17 12:15:53.440: %SSH-5-ENABLED: SSH 1.99 has been enabled
router1(config)#ip ssh version 2
router1(config)#line vty 0 4 
router1(config-line)#login local
router1(config-line)#transport input ssh // disable telnet
router1(config-line)#exit
router1(config)#username sshlogin secret mysecret
router1(config)#^Z
router1#
*Feb 17 12:16:59.700: %SYS-5-CONFIG_I: Configured from console by admin on console
router1#

6.5.c. [i] Source address

To restrict access via ssh configure an ACL for the vty lines:

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#access-list 1 permit 10.0.0.5 0.0.0.0
router1(config)#access-list 1 deny any
router1(config)#^Z
end

Then apply the ACL:

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#line vty 0 4
router1(config-line)#access-class 1 in 
router1(config-line)#^Z
router1#

This will permit access only from 10.0.0.5:

Router#ssh -l admin 10.0.0.1
% Connection refused by remote host
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0/0 
Router(config-if)#ip address 10.0.0.5 255.255.255.0 // change ip
Router(config-if)#^Z
Router#ssh -l admin 10.0.0.1
*Feb 17 12:39:10.426: %SYS-5-CONFIG_I: Configured from console by console
Router#ssh -l admin 10.0.0.1 // access is now allowed 
Password: 
router1>en 
Password: 
router1#show ssh
Connection Version Mode Encryption  Hmac       State            Username
0          1.99    IN   aes128-cbc  hmac-sha1  Session started  admin
0          1.99    OUT  aes128-cbc  hmac-sha1  Session started  admin
%No SSHv1 server connections running.
router1#exit

6.5.c. [ii] Telnet/SSH

As shown above, disable Telnet by restricting the vty transport to SSH. “SSH 1.99” in the log means the server offers both version 1 and version 2 until ip ssh version 2 is configured:

router1(config)#
*Feb 17 12:15:53.440: %SSH-5-ENABLED: SSH 1.99 has been enabled
router1(config)#ip ssh version 2
router1(config)#line vty 0 4 
router1(config-line)#login local
router1(config-line)#transport input ssh // disable telnet
router1(config-line)#exit
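Put together, the settings from 6.5.a to 6.5.c.[ii] can be checked offline against a saved running-config. The following Python script is an added example (not part of the original post and not a Cisco tool): it flags a cleartext enable password, username ... password entries, a missing ip ssh version 2, and vty lines that still accept Telnet, lack login local, or have no inbound access-class. Both configurations in it are constructed for the example (the hardened one mirrors the commands in this section, with placeholder hash values), and the checks are plain line matches rather than a full IOS configuration parser.

```python
"""Offline audit of the device-hardening points in this section (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: router1 after 6.5.a-6.5.c, with the 'enable password'
# from 6.5.b still present. The hash values are placeholders, not real hashes.
HARDENED_CONFIG = """\
hostname router1
enable secret 5 $1$placeholder$notarealhash
enable password gus
username admin secret 5 $1$placeholder$notarealhash
ip domain-name clinetworking.wordpress.com
ip ssh version 2
access-list 1 permit 10.0.0.5 0.0.0.0
access-list 1 deny any
line con 0
 login local
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
"""

# Constructed sample of a router before any of the hardening steps.
WEAK_CONFIG = """\
hostname Router
enable password gus
username admin password cisco
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""


def line_blocks(config: str) -> Dict[str, List[str]]:
    """Group 'line ...' sections: {'line vty 0 4': ['access-class 1 in', ...]}."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None                    # back at global configuration
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    glob = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    if not any(l.startswith("enable secret") for l in glob):
        findings.append("no 'enable secret': privileged mode has no hashed password")
    if any(l.startswith("enable password") for l in glob):
        findings.append("'enable password' present: stored in cleartext or reversible type 7, remove it")
    for l in glob:
        if re.match(r"username \S+ password ", l):
            findings.append(f"user '{l.split()[1]}' uses 'username ... password', use 'secret' instead")
    if "ip ssh version 2" not in glob:
        findings.append("'ip ssh version 2' missing: server offers SSH 1.99 (v1 and v2)")
    for name, body in line_blocks(config).items():
        if not name.startswith("line vty"):
            continue
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append(f"{name}: telnet accepted "
                            f"({transport or 'transport input not set, platform default applies'})")
        if not any(l.startswith(("login local", "login authentication")) for l in body):
            findings.append(f"{name}: no 'login local' or AAA login method, line password only")
        if not any(l.startswith("access-class") and l.endswith(" in") for l in body):
            findings.append(f"{name}: no inbound 'access-class', any source address can reach the vty")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Against the weak sample every check fires; against the hardened sample the only remaining finding is the leftover enable password from 6.5.b, which is exactly the line that show run | begin enable exposed above.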

6.5.d Login banner

Adding a banner is good for legal reasons: it gives notice that the device is restricted to authorized users:

Screenshot_2018-02-17_12-36-42

 

6.3b,c Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering

This article is deprecated. New version is here.

Extended ACLs can match on source and destination IP addresses as well as the protocol and port numbers.

The key is to use the implicit deny at the end of the ACL: it keeps the list short and keeps the deny-by-default behaviour at the front of your mind (you will forget it otherwise).

6.3 lab

The setup is the same as 6.3a. I used the following commands to achieve the goal:

interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.0.0.100 255.255.255.0
 ip access-group 100 out
!
interface FastEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.0.1.100 255.255.255.0
 ip access-group 199 in
!
interface FastEthernet1/0
 ip address 1.1.1.100 255.255.255.0
 duplex auto
 speed auto
!
!
access-list 100 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.0.0.255
access-list 199 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
 

Instead of using a deny entry to block VPC5, I committed a single permit for the traffic that was to be allowed on that link (the block is implied).

6.3b

Named ACLs allow you to add or delete individual entries without having to retype all the rules again. I rewrote the rules as follows:

ip access-list extended lan_access
 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
ip access-list extended server_access
 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.1
 permit ip host 1.1.1.1 10.0.0.0 0.0.0.255
!

6.3a Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering

This article is deprecated. New version here.

Now this topic is probably what got me a fail. The only simlet I did was a silly standard access sim. All the auto-complete functions were disabled and the hardware felt like it was from the 90s in the lab.

I will make sure I really get these IP access list for the next exam.

6.3.a Standard
So I made a simple lab:
6.3 lab

Standard ACLs only match on the source IP address. In the lab I wrote the required rules so I could keep focused.

BTW the monitor in the LAB was ridiculously small. I couldn’t fit it all on the damn screen.

Anyway, it’s pretty easy to configure the ACLs; check page 605 in the CCENT book.
rule 1, rule 2, rule 3

Don’t forget the IMPLICIT DENY at the end of the ACL!

Using the implicit deny I was able to satisfy all requirements with only 3 ACL entries:

interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.0.0.100 255.255.255.0
 ip access-group 1 out
!
interface FastEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.0.1.100 255.255.255.0
 ip access-group 2 out
!
access-list 1 permit 1.1.1.1
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 permit 10.0.0.0 0.0.0.255

FULL LAB HERE.

6.2 Describe common access layer threat mitigation techniques

6.2.a 802.1x

I couldn’t get the 802.1x port authentication working on GNS3. Will try later.

6.2.b DHCP snooping

dhcp snooping lab.png

I setup a lab like the one above using IOU images.

The config consists of two DHCP servers (routers) on VLAN 100. R1 is connected on a trunk port and R2 on an access port. Before DHCP snooping was enabled, R2 was able to issue DHCP leases to the VPCs. With snooping enabled, only the trunk to R1 is marked trusted, so DHCP server messages (OFFER/ACK) arriving on the untrusted access port from R2 are dropped.

Here is the DHCP config on R1:
dhcp config

Here is the debugging output of a rejected DHCP binding with DHCP snooping enabled:
ip dhcp reje

Here is the debug output of a successful DHCP binding from R1 on the trusted trunk port:

*Jan 14 09:28:48.928: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/3)
*Jan 14 09:28:48.928: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Et0/3, MAC da: ffff.ffff.ffff, MAC sa: 0050.7966.6801, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
*Jan 14 09:28:48.928: DHCP_SNOOPING: add relay information option.
*Jan 14 09:28:48.928: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
*Jan 14 09:28:48.928: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
IOU1#
*Jan 14 09:28:48.928: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:48.928: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (100)
*Jan 14 09:28:48.928: DHCP_SNOOPING_SW: bridge packet send packet to port: Ethernet0/0, vlan 100.
*Jan 14 09:28:49.928: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/3)
*Jan 14 09:28:49.928: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Et0/3, MAC da: ffff.ffff.ffff, MAC sa: 0050.7966.6801, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
*Jan 14 09:28:49.928: DHCP_SNOOPING: add relay information option.
*Jan 14 09:28:49.928: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
*Jan 14 09:28:49.928: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
*Jan 14 09:28:49.928: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:49.928: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (100)
*Jan 14 09:28:49.928: DHCP_SNOOPING_SW: bridge packet send packet to port: Ethernet0/0, vlan 100.
IOU1#
*Jan 14 09:28:50.958: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/0)
*Jan 14 09:28:50.958: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/0)
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:
0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of extracted remote id, length: 10 data:
0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:50.958: DHCP_SNOOPING_SW: opt82 data indicates local packet
*Jan 14 09:28:50.958: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Et0/0, MAC da: 0050.7966.6801, MAC sa: ca01.2ee4.0000, IP da: 10.0.0.3, IP sa: 10.0.0.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.0.0.3, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
*Jan 14 09:28:50.958: DHCP_SNOOPING: remove relay information option.
*Jan 14 09:28:50.958: DHCP_SNOOPING: direct forward dhcp replyto output port: Ethernet0/3.
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:
0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 
*Jan 14 09:28:50.958: DHCP_SNOOPING: binary dump of extracted remote id, length: 10 data:
0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:50.958: DHCP_SNOOPING_SW: opt82 data indicates local packet
*Jan 14 09:28:50.959: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Et0/0, MAC da: 0050.7966.6801, MAC sa: ca01.2ee4.0000, IP da: 10.0.0.3, IP sa: 10.0.0.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.0.0.3, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
IOU1#
*Jan 14 09:28:50.959: DHCP_SNOOPING: remove relay information option.
*Jan 14 09:28:50.959: DHCP_SNOOPING: direct forward dhcp replyto output port: Ethernet0/3.
IOU1#
*Jan 14 09:28:52.928: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/3)
*Jan 14 09:28:52.928: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Et0/3, MAC da: ca01.2ee4.0000, MAC sa: 0050.7966.6801, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 10.0.0.3, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
*Jan 14 09:28:52.928: DHCP_SNOOPING: add relay information option.
*Jan 14 09:28:52.928: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
*Jan 14 09:28:52.928: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
*Jan 14 09:28:52.928: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:52.929: DHCP_SNOOPING_SW: bridge packet send packet to port: Ethernet0/0, vlan 100.
*Jan 14 09:28:52.944: DHCP_SNOOPING: received new DHCP packet from input interface (Ethernet0/0)
*Jan 14 09:28:52.944: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:52.945: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:
0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 
*Jan 14 09:28:52.945: DHCP_SNOOPING: binary dump of extracted remote id, length: 10 data:
0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0 
*Jan 14 09:28:52.945: DHCP_SNOOPING_SW: opt82 data indicates local packet
*Jan 14 09:28:52.945: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Et0/0, MAC da: 0050.7966.6801, MAC sa: ca01.2ee4.0000, IP da: 10.0.0.3, IP sa: 10.0.0.1, DHCP ciaddr: 10.0.0.3, DHCP yiaddr: 10.0.0.3, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0050.7966.6801
*Jan 14 09:28:52.945: DHCP_SNOOPING_SW: opt82 data indicates local packet
*Jan 14 09:28:52.945: DHCP_SNOOPING: add binding on port Ethernet0/3.
IOU1#
*Jan 14 09:28:52.945: DHCP_SNOOPING: added entry to table (index 2)

*Jan 14 09:28:52.945: DHCP_SNOOPING: dump binding entry: Mac=00:50:79:66:68:01 Ip=10.0.0.3 Lease=2678400    Type=dhcp-snooping Vlan=100 If=Ethernet0/3
*Jan 14 09:28:52.945: DHCP_SNOOPING_SW no entry found for 0050.7966.6801 0.0.0.100 Ethernet0/3
*Jan 14 09:28:52.945: DHCP_SNOOPING_SW host tracking not found for update add dynamic (10.0.0.3, 0.0.0.0, 0050.7966.6801) vlan 100
*Jan 14 09:28:52.945: DHCP_SNOOPING: remove relay information option.
*Jan 14 09:28:52.945: DHCP_SNOOPING: direct forward dhcp replyto output port: Ethernet0/3.

Finally, here is the IOU config (Switch):

ip dhcp snooping vlan 100
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
!
! snip
!
! trusted port
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
 ip dhcp snooping trust
!
interface Ethernet0/1
 switchport access vlan 100
 switchport mode access
 duplex auto
!
interface Ethernet0/2
 switchport access vlan 100
 switchport mode access
 duplex auto
!
interface Ethernet0/3
 switchport access vlan 100
 switchport mode access
 duplex auto
! 
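
The "binary dump of option 82" lines in the debug output above can be decoded by hand, but the following added example (not part of the original post) does it in code: it parses the dump, validates every length field, and recovers the VLAN, module, port and switch MAC that the snooping switch encoded as circuit id (vlan-mod-port format) and remote id (MAC format). The mapping of module/port back to an `Ethernet<mod>/<port>` name is an assumption for this IOU lab.

```python
from dataclasses import dataclass

# Constructed from the "binary dump of option 82" lines in the debug output above
# (option 82, length 18, circuit-id sub-option 1 and remote-id sub-option 2).
OPTION82_DUMP = ("0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x3 "
                 "0x2 0x8 0x0 0x6 0xAA 0xBB 0xCC 0x0 0x1 0x0")

@dataclass
class RelayAgentInfo:
    vlan: int          # VLAN the client request arrived on
    module: int        # switch module from the vlan-mod-port circuit id
    port: int          # switch port from the vlan-mod-port circuit id
    switch_mac: str    # snooping switch MAC from the remote id

def parse_dump(text: str) -> bytes:
    """Turn the debug's space-separated hex tokens into raw bytes."""
    return bytes(int(tok, 16) for tok in text.split())

def decode_option82(data: bytes) -> RelayAgentInfo:
    """Decode a Cisco-format option 82 TLV, validating every length field."""
    if len(data) < 2 or data[0] != 82:
        raise ValueError("not a DHCP option 82 TLV")
    body = data[2:2 + data[1]]
    if len(body) != data[1]:
        raise ValueError("option 82 length exceeds the data")
    fields, i = {}, 0
    while i < len(body):
        if i + 1 >= len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("sub-option is truncated")
        code, sub_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + sub_len]
        if code == 1:   # circuit id, vlan-mod-port: type=0 len=4 vlan(2) mod(1) port(1)
            if sub_len != 6 or value[:2] != b"\x00\x04":
                raise ValueError("circuit id is not in vlan-mod-port format")
            fields["vlan"] = int.from_bytes(value[2:4], "big")
            fields["module"], fields["port"] = value[4], value[5]
        elif code == 2:  # remote id, MAC format: type=0 len=6 mac(6)
            if sub_len != 8 or value[:2] != b"\x00\x06":
                raise ValueError("remote id is not in MAC address format")
            fields["switch_mac"] = ":".join(f"{b:02x}" for b in value[2:])
        i += 2 + sub_len
    if len(fields) != 4:
        raise ValueError("circuit id or remote id missing")
    return RelayAgentInfo(**fields)

def ingress_interface(info: RelayAgentInfo) -> str:
    """Assumed mapping of module/port to an IOU interface name (e.g. Ethernet0/3)."""
    return f"Ethernet{info.module}/{info.port}"
```

Run against the dump from the debug, it reports VLAN 100, module 0, port 3 (the client on Ethernet0/3) and the switch MAC aa:bb:cc:00:01:00, which is what "opt82 data indicates local packet" is matching on when the DHCPOFFER comes back through the trusted port.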

6.2.c Nondefault native VLAN

For security reasons it is best to leave the default VLAN 1 unused. I do this by default now. Simply assign all access ports to a VLAN other than 1, and use any other VLAN as your “default” VLAN.
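
A quick way to check a switch config for ports that still depend on VLAN 1 is the following added example (my own script, not part of the original lab). It goes slightly beyond the paragraph above: besides access ports left in VLAN 1, it also flags trunks whose native VLAN is still the default 1, which is the case for Ethernet0/0 in the IOU config earlier. The sample config is constructed in the style of that lab.

```python
# Constructed sample in the style of the IOU switch config above; not the page's own
# running-config. Ethernet0/0 and Ethernet0/2 are left on VLAN 1 on purpose.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/1
 switchport access vlan 100
 switchport mode access
!
interface Ethernet0/2
 switchport mode access
!
interface Ethernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces

def vlan_setting(cmds: list, prefix: str, default: int = 1) -> int:
    """VLAN number from the command starting with prefix, else the IOS default (1)."""
    return next((int(c.split()[-1]) for c in cmds if c.startswith(prefix)), default)

def vlan1_findings(config: str) -> list:
    """List ports that still rely on VLAN 1, as access VLAN or as trunk native VLAN."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
        if mode == "trunk" and vlan_setting(cmds, "switchport trunk native vlan ") == 1:
            findings.append(f"{name}: trunk native VLAN is 1 (default)")
        elif mode == "access" and vlan_setting(cmds, "switchport access vlan ") == 1:
            findings.append(f"{name}: access VLAN is 1 (default)")
    return findings
```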

Full lab here.

6.1 Configure, verify, and troubleshoot port security

Please note this article is deprecated. I have rewritten it here with an improved lab.

According to the exam topics, the following need to be learned:
6.1 Configure, verify, and troubleshoot port security
6.1.a Static
6.1.b Dynamic
6.1.c Sticky
6.1.d Max MAC addresses
6.1.e Violation actions
6.1.f Err-disable recovery

[image: 6.1 lab]

I begin with a simple lab to add more than one PC per switch port.
[image: 6.1 wiring]

Here is an extract from the book summarizing the various port-security options:
[image: port security types]

Here is the config for the network:
[image: 6.1 swconfig]

Here is the resultant mac-address table and security violations:
[image: violations.png]

As you can see, port e0/2 was configured with shutdown as the port-security violation option. As a result the port is shut down:
[image: 6.1 violations] [image: 6.1 port states]

6.1.f: to recover an err-disabled port, enter interface configuration mode from global configuration mode and issue “shutdown” followed by “no shutdown” on the port.

Full lab here.