Practical 10
February 2013 CNs-Practical 10

Console Security

To enable a password on the console, in global configuration mode write the following:

    SengSwitch(config)#line console 0
    SengSwitch(config-line)#password soft0000

But the Cisco switch does not yet know that I want to be asked for that password, so I must also type login, which makes it prompt me to enter the password:

    SengSwitch(config-line)#password soft0000
    SengSwitch(config-line)#login

To enable a password on Telnet:

    SengSwitch(config)#line vty 0 1
    SengSwitch(config-line)#login
    % Login disabled on line 1, until 'password' is set
    % Login disabled on line 2, until 'password' is set
    SengSwitch(config-line)#password soft0000

Note: when you enable Telnet you must type login so that you are prompted for the password when you access the switch. If you set a password for Telnet but do not give the login command, you will not be able to enter the switch. If you have not entered a password and type no login in line configuration mode, you will enter without being asked for a password. If you set a password and login, you will be prompted to enter the password before entering the switch.

    SengSwitch(config)#line vty 0 4
    SengSwitch(config-line)#no login

Note that after configuring the passwords for Telnet and console, when you run the show run command you will find that they appear in clear text, not encrypted. To encrypt every password you have entered on the Cisco device with a single command, type the following:

    SengSwitch(config)#service password-encryption

Now when you type show run you will find that the Telnet and console passwords are encrypted with level 7 encryption:

    line con 0
     password 7 083243481D49554742
     login
    !
    line vty 0 1
     password 7 083243481D49554742
     no login
    line vty 2 4
     no login
    line vty 5 15
     login

But do not get a false sense of security: this is a level 7 password, which any of several programs can decrypt easily. Search Google for "break cisco password" and you will find a link to a Cisco password cracker (http://www.ifm.net.nz/cookbooks/passwordcracker.html). On that site, copy your encrypted password, paste it into the box and click "Crack Password": take the type 7 password (the text shown above, in red in the original) and paste it into the box, then click Crack Password.

Now you see that the password we entered for Telnet is back in clear text. This shows that Cisco does little real processing for a level 7 password. A level 5 password is different: it does not appear in clear text and cannot simply be reversed like this.

Banner Command

The banner is used to show a message on the Cisco device. Go to configuration mode and type banner ?:

    SengSwitch(config)#banner ?
      motd  Set Message of the Day banner

Actually there are more commands under banner, but Packet Tracer only supports motd (Message Of The Day). To set up the motd, do the following:

    SengSwitch(config)#banner motd ?
      LINE  c banner-text c, where 'c' is a delimiting character

What does it mean? It means that after you enter the command banner motd you type any character on your keyboard to start, then type the message, and end with the same character you entered the first time. So as an example we will start with the [ symbol and end the message with the [ symbol too:

    SengSwitch(config)#banner motd [
    Enter TEXT message. End with character [.
    *************************************
    Do Not Log On
    *****************************************
    [

When we exit the Cisco device and log in again, we find the following:

    ***************************
    Do Not Log On
    ****************************
    User Access Verification
    ****************************
    Password:

Setting up Port Security on the Switch

Port security is a way to lock down which devices can plug in to your switch, or how many devices can plug in to your switch. Using the command below:

    SengSwitch#show ip interface brief

This shows the IP addresses on the switch and which interface each is on. Connect a PC or laptop, then to see the MAC addresses of the connected devices, use:

    SengSwitch#show mac-address-table

Now what will we do? We will configure port 1 of the FastEthernet switch to work only with the MAC address of the laptop:

    SengSwitch(config)#interface FastEthernet 0/1
    SengSwitch(config-if)#switchport mode access

The command switchport mode access hardcodes this interface as an access port. An access port tells the switch that it is connected to a PC, laptop, server or even a router, but not to another switch. After doing that I can enable port security with the following command:

    SengSwitch(config-if)#switchport port-security

Once I have done that, the security feature is enabled on this port, but the switch still wants to know what action to take if the security is broken. The first thing I do is set the maximum number of devices that can be connected to this port and access it. The reason is to stop somebody plugging multiple devices into this port through a hub or another switch. So we configure this port to accept only one device at a time with the following command:

    SengSwitch(config-if)#switchport port-security maximum 1

After that we configure the switch to take a violation action if the security setting we configured is breached:

    SengSwitch(config-if)#switchport port-security violation ?
      protect   Security violation protect mode
      restrict  Security violation restrict mode
      shutdown  Security violation shutdown mode

By default the violation mode is shutdown, and the only way to bring the shut-down port back up is to telnet or console into the switch and enable the port again. The other two options, protect and restrict, do virtually the same thing: if someone attaches more than one PC to our secured port, the switch listens to only one MAC address and the other MAC addresses are blocked and cannot access the network.

Protect: just ignores (blocks) the rest of the PCs trying to connect to the network.

Restrict: ignores the rest of the PCs trying to connect to the network and logs (records) it when it happens. This means you get messages on the switch saying, in effect, "port number 1 is being connected by more than one device", and in the next section you will find a counter that is incremented whenever someone tries to violate the security.

Experienced people strongly recommend using restrict rather than protect.
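Both the console/Telnet line settings from the first section and the port-security settings just described can be checked from a saved show run. The Python script below is an added example, not part of the practical: it parses a constructed running-config excerpt (modelled on the output quoted above, with made-up interfaces and passwords) and reports the weaknesses the practical warns about.

```python
# Constructed show run excerpt for this example; interfaces and passwords are made up.
SAMPLE_RUN = """\
service password-encryption
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation protect
interface FastEthernet0/2
 switchport mode access
line con 0
 password 7 083243481D49554742
 login
line vty 0 1
 password 7 083243481D49554742
 no login
"""

def sections(config):
    """Split a running-config into (header, body) blocks; body lines are indented."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and raw.strip() != "!":
            blocks.append((raw.strip(), []))
    return blocks

def audit(config):
    """Return one finding per weakness the practical discusses, in config order."""
    findings, blocks = [], sections(config)
    if not any(h == "service password-encryption" for h, _ in blocks):
        findings.append("global: service password-encryption missing, passwords in clear text")
    for header, body in blocks:
        if header.startswith("line "):
            has_pw = any(ln.startswith("password ") for ln in body)
            if "no login" in body:                 # connects with no password at all
                findings.append(f"{header}: no login, access without a password")
            elif "login" in body and not has_pw:   # IOS refuses the login entirely
                findings.append(f"{header}: login without a password, line unusable")
            elif has_pw and "login" not in body:   # password is never prompted for
                findings.append(f"{header}: password set but login missing")
            if any(ln.startswith("password 7 ") for ln in body):  # encoded, not hashed
                findings.append(f"{header}: type 7 password, trivially reversible")
        elif header.startswith("interface ") and "switchport mode access" in body:
            if "switchport port-security" not in body:
                findings.append(f"{header}: access port without port-security")
            elif "switchport port-security violation protect" in body:
                findings.append(f"{header}: violation protect, restrict would log violations")
    return findings
```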

    SengSwitch(config-if)#switchport port-security mac-address ?
      H.H.H   48 bit mac address
      sticky  Configure dynamic secure address as sticky

From the above we see that there are two options for the type of MAC address to enter: either a specific MAC address, or a dynamic MAC address learned by the switch. We choose sticky, so that the switch learns the MAC address dynamically and keeps it. Now we need to show the port security of FastEthernet port 1:

    SengSwitch#show port-security interface fastEthernet 0/1

To configure security on a group of ports at once, do the following:

    SengSwitch(config)#interface range fastEthernet 0/1 - 24
    SengSwitch(config-if-range)#

Understanding the Physical Indicators on the Switch

1. System LED: this is the system status. When the power is turned on it blinks green while the switch boots, and becomes solid green once it has booted. If the light is amber, the switch has failed.

2. RPS (Redundant Power Supply): most switches have two power supplies installed, so if one fails you still have the other one working.

There is a mode button used to switch between different modes, and four LEDs for the four modes (STAT, UTIL, DUPLEX and SPEED):

I. STAT: the default; it shows the status of the port, so if the port is connected to a PC the LED lights green, indicating that the port is connected.

II. UTIL: it indicates utilization, that is how much traffic is passing through the switch, shown on the LEDs like the equalizer of an audio device. If network utilization is 50 %, roughly 50 % of the LEDs light up; if it is more or less, the LEDs follow accordingly.

III. DUPLEX: the LED on a port lights up if that port is configured for full duplex; if it is not lit, the port is in half duplex.

IV. SPEED: the LED on a port lights up if that port is running at 100 Mbps; if it is not lit, the port is at 10 Mbps.

Optimizing and Troubleshooting Switches

Configuring Speed & Duplex

By default every port on a Cisco switch has speed and duplex set to auto-detection. The problem is that this mechanism is old; it was designed for network cards created and manufactured years ago, so some of the time the auto-detect mechanism detects the duplex of the switch port incorrectly. For example, the switch port may detect half duplex while the PC network card on the other end of the cable is full duplex, which makes a duplex mismatch. The switch is always able to detect the speed of the cable correctly; it is the duplex that causes the problem, and the switch displays an error. So what we do is go to global configuration mode and configure the port that has the duplex mismatch. Which duplex mode should we configure, half or full?

1. It says "Duplex mismatch discovered on FastEthernet0/1", which means the problem is on FE0/1.
2. "Not half duplex" means that port FE0/1 on this switch is not set to half duplex.
3. "AccessServer Ethernet 0 (half duplex)" means that it detected the other side, a router named AccessServer, configured as half duplex.

So what we do now is set interface 0/1 to half duplex:

    SengSwitch(config-if)#duplex ?
      auto  Enable AUTO duplex configuration
      full  Force full duplex operation
      half  Force half-duplex operation
    SengSwitch(config-if)#duplex half

We also configure the speed on the same interface:

    SengSwitch(config-if)#speed ?
      10    Force 10 Mbps operation
      100   Force 100 Mbps operation
      auto  Enable AUTO speed configuration

Experienced people say that auto-detect succeeds in detecting the speed and duplex correctly about 90 % of the time, meaning that of every 10 computers there will be one that complains.

Stopping log messages from breaking up a command you are still typing:

    SengSwitch(config)#line console 0
    SengSwitch(config-line)#logging synchronous
    SengSwitch(config-line)#exit
    SengSwitch(config)#line vty 0 4
    SengSwitch(config-line)#logging synchronous

Timeout setting, for example how many minutes you stay connected on Telnet:

    SengSwitch(config)#line console 0
    SengSwitch(config-line)#exec-timeout 30 0
    SengSwitch(config-line)#exit
    SengSwitch(config)#line vty 0 4
    SengSwitch(config-line)#exec-timeout 30 0

Fixing the delay after a mistyped command: when you mistype a command, the switch treats it as a hostname, so you wait while it tries a domain lookup to 255.255.255.255.

    SengSwitch(config)#no ip domain-lookup

Creating aliases (shortcuts, for example a shortcut for show ip interface brief):

    SengSwitch(config)#alias exec s show ip interface brief

So 's' is now the shortcut.

GOOD LUCK
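The duplex-mismatch diagnosis in the troubleshooting section above, as an added example that is not part of the practical: a Python script that reads constructed syslog lines in the form of the CDP duplex-mismatch warning (device names and interfaces are made up), picks out the local port and the duplex the far end reports, and produces the interface commands the practical applies by hand.

```python
import re

# Constructed syslog lines in the form of the CDP duplex-mismatch warning the
# practical walks through; device names and interfaces are made up.
SAMPLE_LOG = """\
%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/1 (not half duplex), with AccessServer Ethernet0 (half duplex).
%LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/3 (not full duplex), with Core1 GigabitEthernet1/0/1 (full duplex).
"""

MISMATCH = re.compile(
    r"duplex mismatch discovered on (?P<local>\S+) \(not (?P<local_not>half|full) duplex\), "
    r"with (?P<neighbor>\S+) (?P<remote_if>\S+) \((?P<remote>half|full) duplex\)",
    re.IGNORECASE)

def find_mismatches(log):
    """Return one dict per mismatch message: the local port, the neighbour that
    reported it, and the duplex the neighbour runs (what the local port must match)."""
    found = []
    for line in log.splitlines():
        m = MISMATCH.search(line)
        if m:
            found.append({"interface": m["local"],
                          "neighbor": f"{m['neighbor']} {m['remote_if']}",
                          "set_duplex": m["remote"].lower()})
    return found

def fix_commands(log):
    """Build the interface configuration the practical types by hand: force each
    mismatched local port to the duplex its far end reports."""
    cmds = []
    for mm in find_mismatches(log):
        cmds += [f"interface {mm['interface']}", f" duplex {mm['set_duplex']}"]
    return cmds
```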
