Pro Domain 6: Security
You're the IT security administrator for a small corporate network. You need to increase the security on the switch in the Networking Closet by creating an access control list. You have been asked to prevent video game consoles from connecting to the switch. In this lab, your task is to: Create a MAC-based ACL named GameConsoles. Configure the GameConsoles MAC-based access control entry (ACE) settings as follows: Bind the GameConsoles ACL to all of the GE2-GE30 interfaces. Save the changes to the switch's startup configuration file.
Create the GameConsoles ACL as follows: Under Getting Started, select Create MAC-Based ACL. Select Add. Enter the ACL name. Select Apply. Select Close. Create the MAC-based access control entries as follows: Select MAC-Based ACE Table. Select Add. Enter the priority. Select the action. Under Destination MAC Address, make sure Any is selected. Under Source MAC Address, select User Defined. Enter the source MAC address value. Enter the source MAC address mask. Select Apply. Repeat steps 2c-2i for the additional ACE entries. Select Close. Bind the GameConsoles ACL to all of the interfaces as follows: Under Access Control, select ACL Binding. Select GE1. At the bottom of the window, select Edit. Select Select MAC-Based ACL. Select Apply. Select Close. Select Copy Settings. In the Copy configuration to field, enter GE2-GE30. Select Apply. Save the configuration as follows: At the top of the window, select Save. Under Source File Name, make sure Running configuration is selected. Under Destination File Name, make sure Startup configuration is selected. Select Apply. Select OK.
You are the IT administrator at a small corporate office. You just downloaded a new release for a program you use. You need to make sure the file was not altered before you received it. Another file containing the original file hash was also downloaded. The files are located in C:\Downloads. In this lab, your task is to use MD5 hash files to confirm that the Release.zip file was unaltered as follows: Use Windows PowerShell to generate the calculated file hash for Release.zip. Examine the release821hash.txt file for the known hash. Compare the known hash of the Release.zip file to its calculated hash in PowerShell to see if they match. Use the "calculated hash" -eq "known hash" command. The calculated hash is the hash generated by the get-filehash file_name -a md5 command, and the known hash is the hash shown by the get-content file_name.txt command. Remember to include the quotation marks and the file extensions with the file names in the commands. Answer the question.
Right-click Start and select Windows PowerShell (Admin). At the prompt, type cd \downloads and press Enter to navigate to the directory that contains the files. Type dir and press Enter to view the available files. Type get-filehash Release.zip -a md5 and press Enter to view the calculated MD5 hash. Type get-content release821hash.txt and press Enter to view the known hash contained in the .txt file. Type "calculated hash" -eq "known hash" and press Enter to determine if the file hashes match. In the top right, select Answer Questions. Answer the question. Select Score Lab.
You have a small business network connected to the internet through a single router as shown in the network diagram. You have noticed that three hosts on the internet have been flooding your router with unwanted traffic. As a temporary measure, you want to prevent all communication from these three hosts until the issue is resolved. In this lab, your task is to: Create a standard access list number 25. Add statements to the access list to block traffic from the following hosts: 199.68.111.199, 202.177.9.1, and 211.55.67.11. Add a statement to allow all other traffic from all other hosts. Apply access list 25 to the Serial0/0/0 interface to filter incoming traffic.
Select Router. Press Enter to get started. At the Router> prompt, type enable and press Enter. At the Router# prompt, type config t and press Enter. At the Router(config)# prompt, type access-list 25 deny host 199.68.111.199 and press Enter. At the Router(config)# prompt, type access-list 25 deny host 202.177.9.1 and press Enter. At the Router(config)# prompt, type access-list 25 deny host 211.55.67.11 and press Enter. At the Router(config)# prompt, type access-list 25 permit any and press Enter. At the Router(config)# prompt, type int s0/0/0 and press Enter. At the Router(config-if)# prompt, type ip access-group 25 in and press Enter.
You recognize that the threat of malware is increasing and have implemented Windows Defender on your office's computers. In this lab, your task is to configure Windows Defender as follows: Add a file exclusion for D:\Graphics\cat.jpg. Add a process exclusion for welcome.scr. Update protection definitions prior to performing a scan. Perform a quick scan.
Add a file exclusion. Select Start. Select Settings. Select Update & Security. Select Windows Security. Maximize the window for easier viewing. Select Virus & threat protection. Under Virus & threat protection settings, select Manage settings. Under Exclusions, select Add or remove exclusions. Select the + (plus sign) next to Add an exclusion. From the drop-down lists, select File. Under This PC, select Data (D:). Double-click Graphics. Select cat.jpg. Select Open. Add a process exclusion. Select the + (plus sign) next to Add an exclusion. From the drop-down lists, select Process. In the Enter process name field, enter welcome.scr for the process name. Select Add. Update protection definitions. In the left menu, select the shield icon. Under Virus & threat protection updates, select Check for updates. Select Check for updates. Perform a quick scan. In the left menu, select the shield icon. Under Current threats, select Quick scan to run a quick scan now.
You are the IT administrator for a small corporate network. You need to find specific information about the packets being exchanged on your network using Wireshark. In this lab, your task is to: Use Wireshark to capture packets from the enp2s0 interface. Use the following Wireshark filters to isolate and examine specific types of packets: net 192.168.0.0, host 192.168.0.34, and tcp contains password. Answer the questions.
Begin a Wireshark capture. From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. Apply the net 192.168.0.0 filter. In the Apply a display filter field, type net 192.168.0.0 and press Enter. Look at the source and destination addresses of the filtered packets. In the top right, select Answer Questions. Under Lab Questions, answer Question 1. Apply the host 192.168.0.34 filter. In the Apply a display filter field, type host 192.168.0.34 and press Enter. Look at the source and destination addresses of the filtered packets. Under Lab Questions, answer Question 2. Apply the tcp contains password filter. In the Apply a display filter field, type tcp contains password and press Enter. Select the red box to stop the Wireshark capture. Locate the password in the captured packet. Under Lab Questions, answer Question 3. Select Score Lab.
You're the IT security administrator for a small corporate network. You need to increase the security on the switch in the networking closet by restricting access management and by updating the switch's firmware. In this lab, your task is to: Create an access profile called MgtAccess and configure it with the following settings: Add a profile rule to the MgtAccess profile with the following settings: Set the MgtAccess profile as the active access profile. Save the changes to the switch's startup configuration file. Update the firmware image to the latest version by downloading the firmware files found in C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros.
Create an access profile. From the left menu, expand Security. Expand Mgmt Access Method. Select Access Profiles. Under Access Profile Table, select Add. Enter the access profile name. Enter the rule priority. Under Management Method, make sure All is selected. Enter the action. Under Applies to Interface, make sure All is selected. Under Applies to Source IP Address, make sure All is selected. Select Apply. Select Close. Add a profile rule. From the left menu, select Profile Rules under Mgmt Access Method. Select the MgtAccess profile. Select Add. Enter the rule priority. Select the management method. Under Action, make sure Permit is selected. Under Applies to Interface, make sure All is selected. Under Applies to Source IP Address, select User Defined. Under IP Version, make sure Version 4 is selected. Enter the IP address. Enter the network mask. Select Apply. Select Close. Set the MgtAccess profile as the active access profile. From the left menu, select Access Profiles. From the Active Access Profile drop-down list, select MgtAccess. Select Apply. Select OK. Save the changes to the switch's startup configuration file. At the top, select Save. Under Source File Name, make sure Running configuration is selected. Under Destination File Name, make sure Startup configuration is selected. Select Apply. Select OK. Upgrade the firmware image to the latest version. From the left menu, select Getting Started. Select Upgrade Device Software. Under File Name, select Choose File. Browse to and select C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros. Select Open. Select Apply. Select OK. Under File Management in the left menu, select Active Image. Under Active Image After Reboot, select Image 2 from the drop-down list. Select Apply. From the left menu under Administration, select Reboot. Select Reboot. Select OK. Log back in as user ITSwitchAdmin with the password Admin$0nly2017 (0 is zero). Select Log In.
As an IT administrator, you need to know how security breaches are caused. You know that SMAC is used for MAC spoofing, so you are going to spoof your MAC address. In this lab, your task is to complete the following: On Office2, use ipconfig /all and find the IP address and MAC address. Spoof the MAC address on ITAdmin to that of Office2 using SMAC. Refresh your MAC and IP addresses to match the target machine.
Find the IP address and MAC address. Right-click Start and select Windows PowerShell (Admin). At the command prompt, type ipconfig /all and press Enter. Find and write down the MAC address 00:00:55:55:44:15 and the IP address 192.168.0.33. Spoof the MAC address. From the top navigation tabs, select Floor 1 Overview. Under IT Administration, select ITAdmin. In the search bar, type SMAC. Under Best match, right-click SMAC and select Run as administrator. In the New Spoofed Mac Address field, type 00:00:55:55:44:15 for the MAC address from Office2. Select Update MAC. Select OK to restart the adapter. Refresh your MAC and IP addresses. Right-click Start and select Windows PowerShell (Admin). At the command prompt, type ipconfig /all and press Enter to confirm the MAC address has been updated on ITAdmin. Type ipconfig /renew and press Enter to update the IP address. Notice that the IP address on ITAdmin is now the same as the IP address on Office2.
You are performing a penetration test for a client. Your client is concerned that hackers may be performing port scanning on the network, hoping to find open ports that could leave the company vulnerable to attacks. In this lab, your task is to use nmap to detect open ports as follows: Scan the following network addresses: 198.28.1.0/24 and 192.168.0.0/24. Find and report any open ports, especially those susceptible to hacking attacks. Answer the questions.
From the Favorites bar, open Terminal. At the prompt, type nmap -p- 198.28.1.0/24 and press Enter to scan for open ports on all servers located on this network. Type nmap -p- 192.168.0.0/24 and press Enter to scan for open ports on all the servers located on this network. In the top right, select Answer Questions. Answer the questions. Select Score Lab.
CorpNet.xyz has hired you as a consultant. While visiting the company, you connected a small computer to the switch in the networking closet. This computer also functions as a rogue wireless access point. Now you are sitting in your van in the parking lot of CorpNet.xyz, where you are connected to the internal network through the rogue wireless access point. Using the small computer you left behind, you can perform remote exploits against the company. In this lab, your task is to: Use ssh -X to connect to your rogue computer (192.168.0.251). Use 1worm4b8 as the root password. Use Zenmap on the remote computer to scan all the ports on the internal network looking for computers vulnerable to attack. Answer the question.
From the Favorites bar, open Terminal. At the prompt, type ssh -X 192.168.0.251 and press Enter. For the root password, type 1worm4b8 and press Enter. You are now connected to Rogue1. Type zenmap and press Enter to launch Zenmap remotely. Zenmap is running on the remote computer, but you see the screen locally. In the Command field, type nmap -p- 192.168.0.0/24. Select Scan. From the results, find the computers with ports open that make them vulnerable to attack. In the top right, select Answer Questions. Answer the question. Select Score Lab.
You are the CorpNet IT administrator. Your support team says that CorpNet's customers are unable to browse to the public-facing web server. You suspect that it might be under some sort of denial-of-service attack, possibly a TCP SYN flood attack. Your www_stage computer is on the same network segment as your web server, so you'll use this computer to investigate the problem. In this lab, your task is to: Capture packets from the network segment on www_stage using Wireshark. Analyze the attack using the following filters: tcp.flags.syn==1 and tcp.flags.ack==1; tcp.flags.syn==1 and tcp.flags.ack==0. Answer the question.
From the Favorites bar, open Wireshark. Maximize the window for easier viewing. Under Capture, select enp2s0. From the menu, select the blue fin to begin the capture. In the Apply a display filter field, type tcp.flags.syn==1 and tcp.flags.ack==1 and press Enter to filter the Wireshark display to only those packets with both the SYN flag and the ACK flag set. It could take a minute or longer before any SYN-ACK packets are captured and displayed. Select the red square to stop the capture. In the Apply a display filter field, change the tcp.flags.ack ending from 1 to 0 and press Enter to filter the Wireshark display to packets with only the SYN flag set. Notice that a flood of SYN packets is being sent to 198.28.1.1 (www.corpnet.xyz) and that these packets are not being acknowledged. In the top right, select Answer Questions. Answer the question. Select Score Lab. What indicates that this is a distributed denial-of-service (DDoS) attack? There are multiple source addresses for the SYN packets with the destination address 198.28.1.1.
You are the cybersecurity specialist for your company. You need to check to see if any clear text passwords are being exposed to hackers through an HTTP login request. In this lab, your task is to analyze HTTP POST packets as follows: Use Wireshark to capture all packets. Filter the captured packets to show only HTTP POST data. Examine the packets captured to find clear text passwords. Answer the questions.
From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. Capture packets for five seconds. Select the red box to stop the Wireshark capture. Maximize Wireshark for easier viewing. In the Apply a display filter field, type http.request.method==POST and press Enter to show the HTTP POST requests. From the middle pane, expand HTML Form URL Encoded for each packet. Examine the information shown to find clear text passwords. In the top right, select Answer Questions. Answer the questions. Select Score Lab.
You are the IT administrator for a small corporate network, and you want to know how to find and recognize an ICMP flood attack. You know that you can do this using Wireshark and hping3. In this lab, your task is to create and examine the results of an ICMP flood attack as follows: From Kali Linux, start a capture in Wireshark for the enp2s0 interface. Ping CorpDC at 192.168.0.11. Examine the ICMP packets captured. Use hping3 to launch an ICMP flood attack against CorpDC. Examine the ICMP packets captured. Answer the question.
From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. From the Favorites bar, open Terminal. At the prompt, type ping 192.168.0.11 and press Enter. After some data exchanges, press Ctrl + c to stop the ping process. In Wireshark, select the red box to stop the Wireshark capture. In the Apply a display filter field, type icmp and press Enter. Notice the number of packets captured and the time between each packet being sent. Select the blue fin to begin a new Wireshark capture. In Terminal, type hping3 --icmp --flood 192.168.0.11 and press Enter to start a ping flood against CorpDC. In Wireshark, select the red box to stop the Wireshark capture. Notice the type, the number of packets, and the time between each packet being sent. In Terminal, press Ctrl + c to stop the ICMP flood. In the top right, select Answer Questions. Answer the question. Select Score Lab.
You work for a penetration testing consulting company. During an internal penetration test, you find that VNC is being used on the network, which violates your company's security policies. It was installed by a malicious employee to help them maintain access. Run a scan using nmap to discover open ports on host machines to find out which host machines are using port 5900 for VNC. In this lab, your task is to complete the following: Use Zenmap to scan for open port 5900 running VNC. Use the table below to help you identify the computer. Go to the suspect computer and uninstall VNC. From the suspect computer, run netstat to verify that the ports for VNC are closed.
From the Favorites bar, open Zenmap. In the Command field, type nmap -p 5900 192.168.0.0/24. Select Scan. From the results, find the computer with port 5900 open. From the top navigation tabs, select Floor 1 Overview. Under Support Office, select Support. From the Favorites bar, open Terminal. At the prompt, type netstat and press Enter to confirm the port is open on the machine. Type dnf list vnc and press Enter to find the package name. Type dnf erase libvncserver and press Enter. Press Y and press Enter to uninstall the package. Type netstat and press Enter to confirm that the port has been closed on the machine.
You are the IT security administrator for a small corporate network. You need to secure access to your switch, which is still configured with the default settings. In this lab, your task is to: Create a new user account with the following settings: User Name: ITSwitchAdmin; Password: Admin$0nly2017 (0 is zero); User Level: Read/Write Management Access (15). Edit the default user account as follows: Username: cisco; Password: CLI$0nly2017 (0 is zero); User Level: Read-Only CLI Access (1). Save the changes to the switch's startup configuration file.
From the taskbar, open Chrome. In the URL field, enter 192.168.0.2 and press Enter. Maximize the window for easier viewing. Enter the username. Enter the password. Select Log In. From Getting Started under Quick Access, select Change Device Password. Create a new user account. Select Add. Enter the username. Enter the password. In the Confirm Password field, enter the password. Under User Level, make sure Read/Write Management Access (15) is selected. Select Apply. Select Close. Edit the default user account. Select the default user. Select Edit. Make sure the username is cisco. Enter the password. In the Confirm Password field, enter the password. Under User Level, make sure Read-Only CLI Access (1) is selected. Select Apply. Select Close. Save the configuration. From the top of the window, select Save. Under Source File Name, make sure Running configuration is selected. Under Destination File Name, make sure Startup configuration is selected. Select Apply. Select OK.
You are the IT security administrator for a small corporate network. The HR director is concerned that an employee is doing something sneaky on the company's employee portal and has authorized you to hijack his web session so you can investigate. In this lab, your task is to hijack a web session as follows: On IT-Laptop, use Ettercap to sniff traffic between the employee's computer in Office1 and the gateway. Initiate a man-in-the-middle attack to capture the session ID for the employee portal logon. On Office1, log in to the employee portal on rmksupplies.com using Chrome and the following credentials: Username: bjackson; Password: $uper$ecret1. On IT-Laptop, copy the session ID detected in Ettercap. On Office2, navigate to rmksupplies.com and use the cookie editor plug-in in Chrome to inject the session ID cookie. Verify that you hijacked the session.
On IT-Laptop, open Terminal from the sidebar. At the prompt, type host office1 and press Enter to get the IP address of Office1. Type route and press Enter to get the gateway address. Use Ettercap to sniff traffic between Office1 and the gateway. From the Favorites bar, open Ettercap. Maximize the window for easier viewing. Select Sniff > Unified sniffing. From the Network Interface drop-down list, select enp2s0. Select OK. Select Hosts > Scan for hosts. Select Hosts > Host list. We want to target information between Office1 (192.168.0.33) and the gateway (192.168.0.5). Under IP Address, select 192.168.0.5. Select Add to Target 1. Select 192.168.0.33. Select Add to Target 2. Initiate a man-in-the-middle attack. Select Mitm > ARP poisoning. Select Sniff remote connections. Select OK. You are ready to capture traffic. On Office1, log in to the employee portal on rmksupplies.com. From the top navigation tabs, select Floor 1 Overview. Under Office 1, select Office1. From the taskbar, open Chrome. Maximize the window for easier viewing. In the URL field, enter rmksupplies.com. Press Enter. At the bottom of the page, select Employee Portal. In the Username field, enter bjackson. In the Password field, enter $uper$ecret1. Select Login. You are logged into the portal as Blake Jackson. On IT-Laptop, copy the session ID detected in Ettercap. From the top navigation tabs, select Floor 1 Overview. Under IT Administration, select IT-Laptop. In the Ettercap console, find bjackson's username, password, and session cookie (.login) captured in Ettercap. Highlight the session ID. Press Ctrl + C to copy. On Office2, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie. From the top navigation tabs, select Floor 1 Overview. Under Office 2, select Office2. From the taskbar, open Chrome. Maximize the window for easier viewing. In Chrome's URL field, enter rmksupplies.com. Press Enter. In the top right corner, select cookie to open the cookie editor. 
At the top, select the plus (+) sign to add a new session cookie. In the Name field, enter .login. In the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap. Make sure rmksupplies.com is in the Domain field. Select the green check mark to save the cookie. Click outside the cookie editor to close the editor. At the bottom of the rmksupplies page, select Employee Portal. You are now on Blake Jackson's web session.
You need to set passwords on the Branch1 switch and observe the results. With passwords: If the enable secret is set, that password is required to switch to privileged mode. If the enable secret does not exist, the enable password is used instead. If neither the secret nor the password is set, no password is required. In this lab, your task is to: Set the enable secret to cisco. Set the enable password to cisco. When prompted, do not re-enter the password. Go to privileged mode. Type show run and view the configuration file. What is the enable password? Set the enable password to study. Go to privileged mode. Switch to privileged mode using study for the password. Why doesn't this password work? Remove the enable secret password using no enable secret in global configuration mode. Exit global configuration mode and re-enter privileged mode. Which password did you use to gain privileged access? Change the following passwords: Enable password: 7y%pirt; Enable secret: opo63!m@. Save your changes to the startup-config file.
Select Branch 1. Configure the enable secret password. Press Enter to get started. At the prompt, type enable and press Enter to go to privileged mode. Type configure terminal and press Enter. Type enable secret cisco and press Enter. In global configuration mode, type enable password cisco and press Enter to configure the enable password. As the warning shows, using the same password for the enable secret and the enable password is not recommended. Type exit and press Enter to go to privileged mode. Type show run and press Enter to view the configuration file. Change the enable password. Type configure terminal and press Enter. Type enable password study and press Enter. Go back to privileged mode. Type exit and press Enter. Type disable and press Enter to return to user mode. Switch to privileged mode using study for the password. Type enable and press Enter to switch to privileged exec mode. Type study and press Enter as the password. This password does not work because the enable secret password is set and takes precedence. Remove the enable secret password. Type cisco and press Enter for the password. Type configure terminal and press Enter. Type no enable secret and press Enter. Exit global configuration mode and re-enter privileged mode. Type exit and press Enter. Type disable and press Enter. Type enable and press Enter. Type study and press Enter for the password, because the cisco enable secret was removed. Change the passwords. Type configure terminal and press Enter. Type enable password 7y%pirt and press Enter. Type enable secret opo63!m@ and press Enter. Save your changes. Type exit and press Enter. Type copy running-config startup-config and press Enter. Press Enter to begin building the configuration.
The Fiji router is already configured with a standard IP access list number 11. The access list is applied to the FastEthernet0/0 interface. The list should allow all traffic except traffic coming from hosts 55.44.33.22 and 99.88.77.66. You've noticed that it's preventing all traffic from being sent on FastEthernet0/0. You know that access lists contain an implied deny any statement. Any traffic not permitted by the list is denied. For this reason, access lists should contain at least one permit statement, or all traffic is blocked. In this lab, your task is to: Add a permit any statement to the access list 11 to allow all traffic other than the restricted traffic. Save your changes in the startup-config file.
Select Fiji. Press Enter to get started. At the Fiji> prompt, type enable and press Enter. At the Fiji# prompt, type config t and press Enter. At the Fiji(config)# prompt, type access-list 11 permit any and press Enter. Press Ctrl + Z. At the Fiji# prompt, type copy run start and press Enter. Press Enter to begin building the configuration.
You have a small business network connected to the internet through a single router as shown in the network diagram. Your private network is using a public network address of 177.12.30.128/26. You want to configure access lists on the Serial0/0/0 interface to accomplish the following: Only traffic sent from your private network should be forwarded. Only traffic sent to your private network should be received. To control traffic based on destination address, you need to use an extended access control list. You should also calculate the wildcard mask needed for the subnet as follows: A 26-bit mask uses a mask of 255.255.255.192. For the wildcard mask, subtract each octet from 255. For the last octet, the value will be 255 - 192 = 63. Use the following wildcard mask in the access list statements: 0.0.0.63. In this lab, your task is to: Create two access lists and apply them to the Serial0/0/0 interface using the following information:
Select Router. Press Enter to get started. At the Router> prompt, type enable and press Enter. At the Router# prompt, type config t and press Enter. At the Router(config)# prompt, type access-list 101 permit ip 177.12.30.128 0.0.0.63 any and press Enter. At the Router(config)# prompt, type access-list 102 permit ip any 177.12.30.128 0.0.0.63 and press Enter. At the Router(config)# prompt, type interface s0/0/0 and press Enter. At the Router(config-if)# prompt, type ip access-group 101 out and press Enter. At the Router(config-if)# prompt, type ip access-group 102 in and press Enter. Press Ctrl + Z. At the Router# prompt, type copy run start and press Enter. Press Enter to begin building the configuration.
You are going to practice creating multiple access list statements and calculating the appropriate wildcard mask value. In this lab, your task is to: Create an extended access list number 133 and add statements to do the following: Deny all IP traffic sent from network 192.168.12.32/28 to network 192.168.1.0/26. Deny all IP traffic sent from any host to network 192.168.17.128/25. Deny all IP traffic sent from network 192.168.1.48/29 to any destination. Deny all IP traffic sent from any host to networks 192.168.111.0/30, 192.168.111.4/30, 192.168.111.8/30, and 192.168.111.12/30; use a single statement to block traffic to all four networks. Deny all IP traffic sent from network 172.16.32.0/19 to any destination. Allow all other traffic. Apply the access list to the Fa0/0 interface so that it filters traffic after routing decisions are made. When you're finished, save your changes. Before creating the access list, calculate the wildcard mask values that will be used for each access list statement. Identify the mask and wildcard value used to summarize networks 192.168.111.0/30, 192.168.111.4/30, 192.168.111.8/30, and 192.168.111.12/30 using the following steps: Convert the last significant octet of the first and the last subnet in the contiguous range to binary. For this example: 0 = 0 0 0 0 0 0 0 0 and 12 = 0 0 0 0 1 1 0 0. Identify the last consecutive binary bit (counting from the left) that is shared. In this case, the last shared bit is the fourth bit position. Convert all bits to the right of the shared bit to 0. In this example, this gives you the binary value of 00000000. This will be the subnet address of the summarized route. In this example, use 192.168.111.0. Convert the shared bit and all bits to its left to 1. In this example, this gives you the binary value of 11110000. This will be the mask value of the summarized route. In this example, use 255.255.255.240. To calculate the wildcard mask, subtract each octet from 255 (255 - 240 = 15). In this example, use the wildcard mask of 0.0.0.15 for the summarized network.
Select Router. Press Enter to get started. At the Router> prompt, type enable and press Enter. At the Router# prompt, type config t and press Enter. At the Router(config)# prompt, type access-list 133 deny ip 192.168.12.32 0.0.0.15 192.168.1.0 0.0.0.63 and press Enter. At the Router(config)# prompt, type access-list 133 deny ip any 192.168.17.128 0.0.0.127 and press Enter. At the Router(config)# prompt, type access-list 133 deny ip 192.168.1.48 0.0.0.7 any and press Enter. At the Router(config)# prompt, type access-list 133 deny ip any 192.168.111.0 0.0.0.15 and press Enter. At the Router(config)# prompt, type access-list 133 deny ip 172.16.32.0 0.0.31.255 any and press Enter. At the Router(config)# prompt, type access-list 133 permit ip any any and press Enter. At the Router(config)# prompt, type interface fa0/0 and press Enter. At the Router(config-if)# prompt, type ip access-group 133 out and press Enter. Press Ctrl + Z. At the Router# prompt, type copy run start and press Enter. Press Enter to begin building the configuration.
You have a router connected to the internet as shown in the diagram. The router is being used to create a screened subnet that holds all publicly accessible servers for your company. The screened subnet holds your FTP, SMTP, and DNS servers. You need to configure an access list that allows only traffic sent to the servers on the screened subnet and denies all other traffic. The access list should allow communication only to specific ports on each server that are necessary for that service to function. In this lab, your task is to: Create an extended access control list 175. Add eight statements to the access control list to allow the traffic specified in the following table: Apply the list to the Serial0/0/0 interface for incoming traffic. Save your changes.
1. Select Router.
2. Press Enter to get started.
3. At the Router> prompt, type enable and press Enter.
4. At the Router# prompt, type config t and press Enter.
5. At the Router(config)# prompt, type access-list 175 permit tcp any host 199.12.12.34 eq www and press Enter.
6. At the Router(config)# prompt, type access-list 175 permit tcp any host 199.12.12.33 eq ftp and press Enter.
7. At the Router(config)# prompt, type access-list 175 permit tcp any host 199.12.12.33 eq ftp-data and press Enter.
8. At the Router(config)# prompt, type access-list 175 permit udp any host 199.12.12.33 eq tftp and press Enter.
9. At the Router(config)# prompt, type access-list 175 permit udp any host 199.12.12.35 eq domain and press Enter.
10. At the Router(config)# prompt, type access-list 175 permit tcp any host 199.12.12.35 eq domain and press Enter.
11. At the Router(config)# prompt, type access-list 175 permit tcp any host 199.12.12.36 eq pop3 and press Enter.
12. At the Router(config)# prompt, type access-list 175 permit tcp any host 199.12.12.36 eq smtp and press Enter.
13. At the Router(config)# prompt, type interface s0/0/0 and press Enter.
14. At the Router(config-if)# prompt, type ip access-group 175 in and press Enter.
15. Save your changes to the startup-config file.
    a. Press Ctrl + Z.
    b. At the Router# prompt, type copy run start and press Enter.
    c. Press Enter to begin building the configuration.
You are in the process of configuring a new router. The router interfaces will connect to the following networks:

Only Telnet and SSH access from these three networks should be allowed.

In this lab, your task is to:
1. Create a standard access list number 5 using the access-list command.
2. Add a permit statement for each network to the access list.
3. Apply the access list to VTY lines 0-4 using the access-class command. Use the in direction to filter incoming traffic.
4. Save your changes in the startup-config file.
1. Select Router.
2. Press Enter to get started.
3. At the Router> prompt, type enable and press Enter.
4. At the Router# prompt, type config t and press Enter.
5. At the Router(config)# prompt, type access-list 5 permit 192.168.1.0 0.0.0.255 and press Enter.
6. At the Router(config)# prompt, type access-list 5 permit 192.168.2.0 0.0.0.255 and press Enter.
7. At the Router(config)# prompt, type access-list 5 permit 192.168.3.0 0.0.0.255 and press Enter.
8. At the Router(config)# prompt, type line vty 0 4 and press Enter.
9. At the Router(config-line)# prompt, type access-class 5 in and press Enter.
10. Press Ctrl + Z.
11. At the Router# prompt, type copy run start and press Enter.
12. Press Enter to begin building the configuration.
You have a router connected to the internet through the Serial0/0/0 interface. You need to increase the security of your router by adding access control lists to prevent traffic that matches patterns of known internet attacks. You need to apply the access control lists to the internet-connected interface of your router. The access control lists will:
a. Prevent the router from receiving packets from the internet with a source address within the private IP address ranges.
b. Prevent the router from receiving packets from the internet with a source address from the 127.0.0.0 reserved address range.
c. Prevent the router from receiving packets from the internet with a source address that matches the IP address assigned to the interface.
d. Prevent the router from sending packets to the internet with a destination address within the private IP address ranges.

To help you with this, you should know the following wildcard mask values:
a. A 16-bit mask uses a wildcard value of 0.0.255.255.
b. A 12-bit mask uses a wildcard value of 0.15.255.255.
c. An 8-bit mask uses a wildcard value of 0.255.255.255.

In this lab, your task is to:
1. Create an extended access list 110 as follows:
   a. Deny all IP traffic from network 192.168.0.0/16.
   b. Deny all IP traffic from network 172.16.0.0/12.
   c. Deny all IP traffic from network 10.0.0.0/8.
   d. Deny all IP traffic from network 127.0.0.0/8.
   e. Deny all IP traffic from host 168.70.50.33 (the IP address assigned to the Serial0/0/0 interface).
   f. Allow all other IP traffic.
   g. Apply the access list to Serial0/0/0 for inbound traffic to prevent the router from accepting packets from these networks.
2. Create an extended access list 120 as follows:
   a. Deny all IP traffic sent to network 192.168.0.0/16.
   b. Deny all IP traffic sent to network 172.16.0.0/12.
   c. Deny all IP traffic sent to network 10.0.0.0/8.
   d. Allow all other IP traffic.
   e. Apply the access list to Serial0/0/0 for outbound traffic to prevent the router from sending packets to these destination networks.
3. Save your changes.
1. Select Router.
2. Press Enter to get started.
3. At the Router> prompt, type enable and press Enter.
4. At the Router# prompt, type config t and press Enter.
5. Create an extended access list 110.
   a. At the Router(config)# prompt, type access-list 110 deny ip 192.168.0.0 0.0.255.255 any and press Enter.
   b. At the Router(config)# prompt, type access-list 110 deny ip 172.16.0.0 0.15.255.255 any and press Enter.
   c. At the Router(config)# prompt, type access-list 110 deny ip 10.0.0.0 0.255.255.255 any and press Enter.
   d. At the Router(config)# prompt, type access-list 110 deny ip 127.0.0.0 0.255.255.255 any and press Enter.
   e. At the Router(config)# prompt, type access-list 110 deny ip host 168.70.50.33 any and press Enter.
   f. At the Router(config)# prompt, type access-list 110 permit ip any any and press Enter.
   g. At the Router(config)# prompt, type interface s0/0/0 and press Enter.
   h. At the Router(config-if)# prompt, type ip access-group 110 in and press Enter.
   i. At the Router(config-if)# prompt, type exit and press Enter.
6. Create an extended access list 120.
   a. At the Router(config)# prompt, type access-list 120 deny ip any 192.168.0.0 0.0.255.255 and press Enter.
   b. At the Router(config)# prompt, type access-list 120 deny ip any 172.16.0.0 0.15.255.255 and press Enter.
   c. At the Router(config)# prompt, type access-list 120 deny ip any 10.0.0.0 0.255.255.255 and press Enter.
   d. At the Router(config)# prompt, type access-list 120 permit ip any any and press Enter.
   e. At the Router(config)# prompt, type interface s0/0/0 and press Enter.
   f. At the Router(config-if)# prompt, type ip access-group 120 out and press Enter.
7. Save your changes to the startup-config file.
   a. Press Ctrl + Z.
   b. At the Router# prompt, type copy run start and press Enter.
   c. Press Enter to begin building the configuration.
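To see how ACL 110 and ACL 120 are evaluated once applied, here is an added example (not part of the lab or the router's software) that parses the statements typed above and evaluates a source/destination pair against them with IOS semantics: statements are tried in order, the first match decides, and a packet that matches nothing hits the implicit deny at the end of every access list. Only the `ip` statement forms with `any`, `host`, and `network wildcard` operands are handled; the TCP/UDP port forms from the ACL 175 lab are out of scope. The function names and the sample addresses in the tests are my own.

```python
import ipaddress

# The two access lists from the lab, exactly as typed on the router.
ACL_110_IN = [
    "access-list 110 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 110 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 110 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 110 deny ip host 168.70.50.33 any",
    "access-list 110 permit ip any any",
]
ACL_120_OUT = [
    "access-list 120 deny ip any 192.168.0.0 0.0.255.255",
    "access-list 120 deny ip any 172.16.0.0 0.15.255.255",
    "access-list 120 deny ip any 10.0.0.0 0.255.255.255",
    "access-list 120 permit ip any any",
]


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _operand(tokens, i):
    """Consume one address operand ('any', 'host A.B.C.D' or 'A.B.C.D wildcard')
    starting at tokens[i]; return ((address, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def parse_acl(lines):
    """Turn 'access-list N action ip SRC DST' lines into (action, src, dst) rules."""
    rules = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported statement: {line}")
        src, i = _operand(t, 4)
        dst, _ = _operand(t, i)
        rules.append((t[2], src, dst))
    return rules


def _matches(operand, addr: str) -> bool:
    """Wildcard semantics: a 1 bit means 'don't care', so only the 0 bits are compared."""
    net, wild = operand
    care = ~wild & 0xFFFFFFFF
    return (_addr(addr) & care) == (net & care)


def evaluate(lines, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet with the given source and destination."""
    for action, s, d in parse_acl(lines):
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"  # implicit deny at the end of every IOS access list


if __name__ == "__main__":
    for src in ["10.1.2.3", "172.31.200.1", "172.32.0.1", "127.0.0.1",
                "168.70.50.33", "203.0.113.7"]:
        print(f"inbound from {src:14} -> {evaluate(ACL_110_IN, src, '168.70.50.33')}")
```

Two points the evaluator makes visible: 172.31.x.x is denied while 172.32.x.x is permitted, because 0.15.255.255 frees only the low four bits of the second octet; and dropping the final `permit ip any any` from either list turns it into a deny-everything list, which is the usual reason a freshly applied ACL cuts off all traffic.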
Your supervisor is concerned about unauthorized access to the router console. She asks you to implement policies on the SFO router to control access.

Remember:
a. The enable secret or enable password command requires a password to switch to privileged exec mode. Use the enable secret command so that the password is stored encrypted in the configuration file and cannot be read with the show run or show start commands.
b. Use the login command to require a password for the console or VTY lines.
c. To prevent access through the VTY lines, remove the password while retaining the login line. The login and no login commands determine whether a password is required: if you type no login, access is granted without prompting for a password, even if one is set. If login is configured but the password has been removed, the line responds with the prompt "Password required but none set" and access is denied.

In this lab, your task is to configure the following policies:
1. Use the show start command to view the current configuration. Notice that a password is currently set for VTY lines 1-4, and no password is set for VTY 0.
2. Configure the router to require te%56t as the password to enter privileged exec mode. Make sure this password is encrypted.
3. Require yuw#m as the console password.
4. Require yaba8&y as the password for VTY line 0.
5. Remove the password from VTY 1-4.
6. Save your changes to the startup-config file.
1. Select SFO.
2. Press Enter to get started.
3. At the SFO> prompt, type enable and press Enter.
4. At the SFO# prompt, type show start and press Enter.
5. At the SFO# prompt, type configure terminal and press Enter.
6. At the SFO(config)# prompt, type enable secret te%56t and press Enter.
7. At the SFO(config)# prompt, type line con 0 and press Enter.
8. At the SFO(config-line)# prompt, type password yuw#m and press Enter.
9. At the SFO(config-line)# prompt, type login and press Enter.
10. At the SFO(config-line)# prompt, type line vty 0 and press Enter.
11. At the SFO(config-line)# prompt, type password yaba8&y and press Enter.
12. At the SFO(config-line)# prompt, type login and press Enter.
13. At the SFO(config-line)# prompt, type line vty 1 4 and press Enter.
14. At the SFO(config-line)# prompt, type no password and press Enter.
15. At the SFO(config-line)# prompt, type exit and press Enter.
16. At the SFO(config)# prompt, type exit and press Enter.
17. At the SFO# prompt, type copy run start and press Enter.
18. Press Enter to begin building the configuration.
You have a single switch with a DHCP server connected to Fa0/24. The DHCP snooping feature is already enabled on SwitchA. Now you want to configure DHCP snooping and dynamic ARP inspection on the switch.

In this lab, your task is to:
1. Enable DHCP snooping globally on SwitchA.
2. Enable DHCP snooping for VLAN 1.
3. Configure the port that the DHCP server is connected to as a trusted interface for DHCP snooping.
4. Enable dynamic ARP inspection for VLAN 1.
5. Save the changes to the startup-config file.
1. Select SwitchA.
2. Press Enter to get started.
3. At the SwitchA> prompt, type enable and press Enter.
4. At the SwitchA# prompt, type config t and press Enter.
5. At the SwitchA(config)# prompt, type ip dhcp snooping and press Enter.
6. At the SwitchA(config)# prompt, type ip dhcp snooping vlan 1 and press Enter.
7. At the SwitchA(config)# prompt, type int fa0/24 and press Enter.
8. At the SwitchA(config-if)# prompt, type ip dhcp snooping trust and press Enter.
9. At the SwitchA(config-if)# prompt, type exit and press Enter.
10. At the SwitchA(config)# prompt, type ip arp inspection vlan 1 and press Enter.
11. Press Ctrl + Z.
12. At the SwitchA# prompt, type copy run start and press Enter.
13. Press Enter to begin building the configuration.
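Why the trusted port and the DAI step belong together is easier to see in a small model. This is an added example, not the switch's own code: the only port allowed to originate DHCP server messages is the trusted one (Fa0/24, as in the lab), an acknowledged lease populates a binding table keyed by VLAN and IP, and ARP packets arriving on untrusted ports are checked against that table. The class and method names, the VLAN number, and the MAC and IP values in the tests are constructed for the example; real DHCP snooping also tracks lease times and rate-limits DHCP on untrusted ports, which this model omits.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """Simplified model of DHCP snooping plus dynamic ARP inspection (DAI)."""
    trusted_ports: set
    client_ports: dict = field(default_factory=dict)  # client MAC -> port it asked on
    bindings: dict = field(default_factory=dict)      # (vlan, ip) -> (mac, port)

    def dhcp_from_client(self, port: str, vlan: int, client_mac: str) -> str:
        """DISCOVER/REQUEST: accepted from any port; remember where the client lives
        so the later ACK can be bound to that port."""
        if port not in self.trusted_ports:
            self.client_ports[client_mac] = port
        return "forwarded"

    def dhcp_from_server(self, port: str, vlan: int, client_mac: str, offered_ip: str) -> str:
        """OFFER/ACK: only a trusted port may originate server messages, which is what
        stops a rogue DHCP server on an access port. An ACK from a trusted port
        creates the binding DAI will later check against."""
        if port not in self.trusted_ports:
            return "dropped: DHCP server message on untrusted port"
        client_port = self.client_ports.get(client_mac)
        if client_port is None:
            return "dropped: no matching client request"
        self.bindings[(vlan, offered_ip)] = (client_mac, client_port)
        return "forwarded, binding added"

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """DAI: an ARP packet from an untrusted port must carry a sender MAC/IP pair
        that matches the binding learned on that same port."""
        if port in self.trusted_ports:
            return "forwarded"
        if self.bindings.get((vlan, sender_ip)) == (sender_mac, port):
            return "forwarded"
        return "dropped: ARP sender does not match binding table"


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={"Fa0/24"})
    sw.dhcp_from_client("Fa0/3", 1, "aaaa.bbbb.cccc")
    print(sw.dhcp_from_server("Fa0/24", 1, "aaaa.bbbb.cccc", "10.0.0.50"))
    print(sw.arp("Fa0/3", 1, "aaaa.bbbb.cccc", "10.0.0.1"))  # claims the gateway's IP
```

The last line of the demo is the case DAI exists for: a host on an untrusted port answering ARP for an IP it was never leased is dropped, because the only evidence the switch trusts about who owns an address is the binding table that DHCP snooping built.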
You recently configured a switch that has three hosts attached to FastEthernet 0/2 through 0/4. All three hosts are part of a public kiosk display that allows guests to access the internet. You implemented port security to prevent guests from removing Ethernet cables from the hosts and connecting them to the Ethernet ports on their personal laptops. Now you will add an additional host to the kiosk display through FastEthernet 0/5. The additional host's MAC address is 5ab9.001d.b5ac. If guests attempt to connect their personal laptops through FastEthernet 0/5, you would like the switch to drop the frames.

In this lab, your task is to:
1. Configure FastEthernet 0/5 as an access port.
2. Enable switch port security on FastEthernet 0/5.
3. Configure port security to retain 5ab9.001d.b5ac as the only allowed MAC address on the FastEthernet 0/5 interface.
4. Configure the port security violation as protect on each applicable interface.
5. Save your changes to the startup-config file.
1. Select the switch.
2. Press Enter to get started.
3. At the switch> prompt, type enable and press Enter.
4. At the switch# prompt, type config t and press Enter.
5. At the switch(config)# prompt, type interface fa 0/5 and press Enter.
6. At the switch(config-if)# prompt, type switchport mode access and press Enter.
7. At the switch(config-if)# prompt, type switchport port-security and press Enter.
8. At the switch(config-if)# prompt, type switchport port-security mac-address sticky and press Enter.
9. At the switch(config-if)# prompt, type switchport port-security mac-address sticky 5ab9.001d.b5ac and press Enter.
10. At the switch(config-if)# prompt, type switchport port-security violation protect and press Enter.
11. Press Ctrl + Z.
12. At the switch# prompt, type copy run start and press Enter.
13. Press Enter to begin building the configuration.
You are implementing port security within your network. You have two IP phone daisy chains connected to the switch's FastEthernet 0/5 and 0/6 interfaces. The interfaces are configured as access ports. Voice VLANs and the trusted boundary feature have already been configured on both of the interfaces. You need to configure the port security settings so that the switch interface accepts the MAC addresses of the IP phone and the workstation.

When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the phone requires up to two MAC addresses. The phone address is learned on the voice VLAN and might also be learned on the access VLAN. Connecting a PC to the phone requires additional MAC addresses.

In this lab, your task is to:
1. Configure FastEthernet 0/5 and 0/6 with port security to learn the MAC addresses of the IP phone and workstation.
2. Set the maximum allowed MAC addresses to 3.
3. Set the port security violation to restrict.
4. Save your changes to the startup-config file.
1. Select the switch.
2. Press Enter to get started.
3. At the switch> prompt, type enable and press Enter.
4. At the switch# prompt, type config t and press Enter.
5. At the switch(config)# prompt, type interface range fa 0/5 - 6 and press Enter.
6. At the switch(config-if-range)# prompt, type switchport mode access and press Enter.
7. At the switch(config-if-range)# prompt, type switchport port-security and press Enter.
8. At the switch(config-if-range)# prompt, type switchport port-security maximum 3 and press Enter.
9. At the switch(config-if-range)# prompt, type switchport port-security mac-address sticky and press Enter.
10. At the switch(config-if-range)# prompt, type switchport port-security violation restrict and press Enter.
11. Press Ctrl + Z.
12. Save your changes to the startup-config file.
    a. At the switch# prompt, type copy run start and press Enter.
    b. Press Enter to begin building the configuration.
You are configuring a switch that has three hosts attached to FastEthernet 0/2 through 0/4. All three hosts are part of a public kiosk display that allows guests to access the internet. You would like to implement port security to prevent guests from removing Ethernet cables from the hosts and connecting them to the Ethernet ports on their personal laptops. If guests attempt to connect through their personal laptops, you want the switch to drop the frames.

In this lab, your task is to:
1. Configure FastEthernet 0/2 through 0/4 as access ports.
2. On FastEthernet 0/2 through 0/4, configure port security for sticky learning so that the MAC addresses of the connected hosts are retained.
3. Set the port security violation to protect on each applicable interface.
4. Save your changes to the startup-config file.
1. Select the switch.
2. Press Enter to get started.
3. At the switch> prompt, type enable and press Enter.
4. At the switch# prompt, type config t and press Enter.
5. At the switch(config)# prompt, type interface range fa0/2 - 4 and press Enter.
6. At the switch(config-if-range)# prompt, type switchport mode access and press Enter.
7. At the switch(config-if-range)# prompt, type switchport port-security and press Enter.
8. At the switch(config-if-range)# prompt, type switchport port-security mac-address sticky and press Enter.
9. At the switch(config-if-range)# prompt, type switchport port-security violation protect and press Enter.
10. Press Ctrl + Z.
11. Save your changes to the startup-config file.
    a. At the switch# prompt, type copy run start and press Enter.
    b. Press Enter to begin building the configuration.
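The three port-security labs above (the single kiosk port with a pre-set sticky address, the phone ports with maximum 3 and restrict, and the kiosk range with sticky learning and protect) differ only in the maximum, the violation mode, and whether an address is pre-seeded. The model below, an added example that is not the switch's code or the lab's, makes those differences concrete: sticky addresses are learned until the maximum is reached, and the violation mode decides whether a further unknown MAC is silently dropped (protect), dropped and counted (restrict), or err-disables the port (shutdown, the IOS default). It also renders the running-config lines a sticky port would show. Class and function names are mine, and the model counts each MAC once, so it does not reproduce the case where a phone's address is learned on both the voice and access VLAN.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Simplified model of IOS port security on one access port."""
    name: str
    maximum: int = 1
    violation: str = "shutdown"  # protect | restrict | shutdown (IOS default)
    secure_macs: list = field(default_factory=list)
    violations: int = 0
    err_disabled: bool = False

    def receive(self, mac: str) -> str:
        """Decide what the switch does with an ingress frame from `mac`."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)  # sticky learning
            return "forwarded: address learned"
        # The port is full and this MAC is not secure: this is a violation.
        if self.violation == "protect":
            return "dropped"  # silent: no log, no counter
        if self.violation == "restrict":
            self.violations += 1  # counted; IOS also logs and sends an SNMP trap
            return "dropped: violation logged"
        self.err_disabled = True  # shutdown: port goes err-disabled until reset
        return "dropped: port err-disabled"

    def config_lines(self) -> list:
        """Render what 'show run' shows for the port, learned sticky addresses included."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        lines.append(f" switchport port-security violation {self.violation}")
        lines.append(" switchport port-security mac-address sticky")
        lines += [f" switchport port-security mac-address sticky {m}" for m in self.secure_macs]
        return lines


def kiosk_port() -> SecurePort:
    """FastEthernet 0/5 from the kiosk lab: one pre-configured sticky address, protect."""
    return SecurePort("FastEthernet0/5", maximum=1, violation="protect",
                      secure_macs=["5ab9.001d.b5ac"])


def phone_port(name: str) -> SecurePort:
    """An IP-phone daisy-chain port from the voice lab: phone plus PC, restrict."""
    return SecurePort(name, maximum=3, violation="restrict")


if __name__ == "__main__":
    p = kiosk_port()
    print(p.receive("5ab9.001d.b5ac"), "|", p.receive("0011.2233.4455"))  # host | guest laptop
    print("\n".join(p.config_lines()))
```

The difference that matters operationally is what you can detect afterwards: a protect port gives the kiosk no outage but also no evidence, a restrict port keeps the phones working and leaves a counter and a log line, and a shutdown port stops everything on that interface until someone clears the err-disable state.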
You're the IT security administrator for a small corporate network. You need to increase the security on the switch in the networking closet. The following table lists the used and unused ports:

In this lab, your task is to:
1. Shut down the unused ports.
2. Configure the following Port Security settings for the used ports:
   Interface Status: Lock
   Learning Mode: Classic Lock
   Action on Violation: Discard
1. Shut down the unused ports.
   a. Under Initial Setup, select Configure Port Settings.
   b. Select the GE2 port.
   c. At the bottom, select Edit.
   d. Under Administrative Status, select Down.
   e. Scroll down and select Apply.
   f. Select Close.
   g. With the GE2 port selected, select Copy Settings at the bottom of the window.
   h. In the Copy configuration field, enter the remaining unused ports.
   i. Select Apply. In the Port Setting Table, you can see that all the ports are down now.
2. Configure the Port Security settings.
   a. In the left menu, expand Security.
   b. Select Port Security.
   c. Select the GE1 port.
   d. At the bottom, select Edit.
   e. Under Interface Status, select Lock.
   f. Under Learning Mode, make sure Classic Lock is selected.
   g. Under Action on Violation, make sure Discard is selected.
   h. Select Apply.
   i. Select Close.
   j. At the bottom, select Copy Settings.
   k. Enter the remaining used ports.
   l. Select Apply.