Labsim 6 Labs

6.9.5 Scan for Vulnerabilities 1 You are the IT security administrator for a small corporate network. You are performing vulnerability scans on your network. Mary is the primary administrator for the network and the only person authorized to perform local administrative actions. The company network security policy requires complex passwords for all users. It is also required that Windows Firewall is enabled on all workstations. Sharing personal files is not allowed. In this lab, your task is to perform the following: • Run a vulnerability scan for the Office2 workstation using the Security Evaluator feature on the taskbar. • Remediate the vulnerabilities found in the vulnerability report on Office2.

Task Summary Remediate the Administrator account Disable the Guest account Remediate the Mary account Hide Details Set a strong password (12 characters or more) for the Mary account Remove Password Never Expires from the Mary account Remediate the Susan account Hide Details Unlock the Susan account Remove Susan from the Administrators group Turn on the Windows Firewall feature for all profiles Remove the C:\\MyMusic folder share Explanation In this lab, you perform the following: • Run a vulnerability scan for the Office2 workstation using the Security Evaluator feature on the taskbar. • Remediate the vulnerabilities found in the vulnerability report on Office2: o Rename the Administrator account o Disable the Guest account o Set the password for the Mary account to expire o Enforce a strong password for the Mary account o Unlock the Susan account o Remove the Susan account from the Administrators group o Turn on Windows Firewall for all profiles o Remove the file share on the MyMusic folder Complete this lab as follows: 1. Run a Security Evaluator report as follows: a. From the taskbar, open Security Evaluator. b. Next to Local Machine, select the Target icon to select a new target. c. Select Workstation. d. From the Workstation drop-down list, select Office2 as the target. e. Click OK. f. Select the Status refresh icon to run the security evaluation. g. Review the results to determine which issues you need to resolve on Office2. 2. From the top menu, select Floor 1. 3. Select Office2. 4. On Office2, right-click Start and select Computer Management. 5. Expand Local Users and Groups. 6. Select Users. 7. Rename a user account as follows: a. Right-click Administrator and select Rename. b. Enter a new name and press Enter. 8. Disable the Guest account as follows: a. Right-click Guest and select Properties. b. Select Account is disabled; then click OK. 9. Set a new password as follows: a. Right-click Mary and select Set Password. b. Select Proceed. c. Enter a new password (12 characters or more). d. Click OK. e. Confirm the new password; then click OK. f. Click OK. Ideally, you should have created a policy that requires passwords with 12 characters or more. 10. Set a password to expire as follows: a. Right-click Mary and select Properties. b. Deselect Password never expires. c. Select User must change password at next logon; then click OK. 11. Unlock a user account and remove the user from a group as follows: a. Right-click Susan and select Properties. b. Deselect Account is locked out; then click Apply. c. Select the Member of tab. d. Select the group. e. Select Remove. f. Click OK. 12. Enable Windows Firewall for all profiles as follows: a. Right-click Start and select Control Panel. b. Select System and Security. c. Select Windows Firewall. d. Select Turn Windows Firewall on or off. e. Under Domain network settings, select Turn on Windows Firewall. f. Under Private network settings, select Turn on Windows Firewall. g. Under Public network settings, select Turn on Windows Firewall. h. Click OK. 13. Remove a file share as follows: a. From the taskbar, open File Explorer. b. Browse to C:\\MyMusic. c. Right-click the folder and select Properties. d. Select the Sharing tab. e. Select Advanced Sharing. f. Deselect Share this folder. g. Click OK. h. Click Close. 14. Use the Security Evaluator feature to verify that all of the issues on the ITAdmin computer were resolved as follows: a. From the top menu, select Floor 1. b. Select ITAdmin. c. In Security Evaluator, select Status refresh to rerun the security evaluation. d. If you still see unresolved issues, select Floor 1, navigate to the Office2 workstation, and remediate any remaining issues.

6.7.6 Permit Traffic The Fiji router is already configured with standard IP access list number 11. The access list is applied to the FastEthernet0/0 interface. The list should allow all traffic except traffic coming from hosts 55.44.33.22 and 99.88.77.66. However, you have noticed that it is preventing all traffic from being sent on FastEthernet0/0. Access lists contain an implied deny any statement. Any traffic not permitted by the list will be denied. For this reason, access lists should contain at least one permit statement. In this lab, your task is to perform the following: • Add a permit any statement to the access list to allow all traffic other than the restricted traffic. • Save your changes.

Task Summary Add permit any to access list 11 Hide Details Add the permit any statement Make the statement the last in the list Save the changes Hide Details Save the permit statement Save the statement as the last in the list Explanation In this lab, you perform the following: • Add a permit any statement to the access list to allow all traffic other than the restricted traffic. • Save your changes. Complete this lab as follows: 1. Select the Fiji icon. 2. Press Enter to obtain a prompt. 3. At the prompt, enter the following commands: Fiji>enable Fiji#config t Fiji(config)#access-list 11 permit any 4. Press Ctrl + Z. 5. At the router prompt, enter Fiji#copy run start 6. Press Enter twice.

6.9.7 Scan for Vulnerabilities 3 You are the IT security administrator for a small corporate network. You perform regular vulnerability scans on your network. Recently, you added a new network security appliance (NSA) to the network. You use the ITAdmin workstation when configuring the NSA. In this lab, your task is to perform the following: • Run a vulnerability scan for the network security appliance (NSA) (198.28.56.18) using Security Evaluator on the taskbar. • Remediate the vulnerabilities found in the vulnerability report on the NSA. • Re-run a vulnerability scan to make sure all of the issues are resolved. Access the NSA management console through Internet Explorer on http://198.28.56.18 using the username cisco and the password cisco. You must re-run the vulnerability scan to receive credit for this lab.

Task Summary Change the default Admin username Change the default Admin password Change the idle timeout for the Admin user to 15 minutes or less Limit administrative access for the Admin user to LAN only Limit administrative access for the Admin user to only the ITAdmin computer Explanation In this lab, you perform the following: • Rename the cisco user account according to the following parameters: o Username: your choice o Password: your choice o Idle timeout: 15 minutes or less o Set for LAN access only (no WAN access) for your user. o Allow access to your user only from the ITAdmin workstation (192.168.0.31). Complete this lab as follows: 1. Run a Security Evaluator report as follows: a. From the taskbar, open Security Evaluator. b. Next to Local Machine, select the Target icon to select a new target. c. Select IPv4 Address. d. Enter the IP address of the Network Security Appliance. e. Click OK. f. Select the Status refresh icon to run the security evaluation. g. Review the results to determine which issues you need to resolve on the NSA. 2. From the taskbar, open Internet Explorer. 3. Maximize Internet Explorer. 4. In the URL field, type 198.28.56.18 and press Enter. 5. In the Security Appliance Configuration utility, enter cisco as the username. 6. Enter cisco as the password. 7. Click Log In. 8. Rename the cisco user account as follows: a. From the Getting Started (Basic) page, select Change Default Admin Password and Add Users. b. Select Edit for the cisco username. c. In the User Name field, enter the username you chose d. Select Check to Edit Password. e. In the Enter Current Logged in Administrator Password enter, enter cisco. f. In the New Password field, enter the password you choose. g. Re-enter the new password to confirm the new password. h. Enter the idle timeout. i. Click Apply. 9. Edit user policies as follows: a. Under Edit User Policies, select Login to configure a login policy. b. Select Deny Login from WAN Interface. c. Click Apply. 10. Define network access as follows: a. Under Edit User Policies, select By IP to configure IP address restrictions for login. b. Select Add. c. In the Source Address Type field, make sure IP Address is selected. d. In the Network Address/IP Address field, enter the IP address for ITAdmin. e. Click Apply. f. Select Allow Login only from Defined Addresses. g. Click Apply to close the dialog. 11. Re-run the security evaluator to confirm the remediation of reported vulnerabilities.

6.9.8 Scan for Vulnerabilities 4 You are the IT security administrator for a small corporate network. You are performing vulnerability scans on your network. You would like to verify the security of your wireless network and your Ruckus Wireless Access Controller. In this lab, your task is to perform the following: • Run a vulnerability scan for the wireless access controller (192.168.0.6) using Security Evaluator on the taskbar. • Remediate the vulnerabilities found in the vulnerability report for the wireless access controller. • Re-run a vulnerability scan to make sure all of the issues are resolved. Access the wireless controller console through Internet Explorer on http://192.168.0.6 with the admin name admin and the password password.

Task Summary Change the default Admin username and password Enable Intrusion Detection Explanation In this lab, your task is to perform the following: • Change the admin username and password for the Zone Director controller to the following: o Admin Name: your choice o Password: your choice • Enable reporting of rogue devices for intrusion prevention. Configure the security features on your wireless controller as follows: 1. Run a Security Evaluator report as follows: a. From the taskbar, open Security Evaluator. b. Next to Local Machine, select the Target icon to select a new target. c. Select IPv4 Address. d. Enter the IP address of the wireless access controller. e. Click OK. f. Select the Status refresh icon to run the security evaluation. g. Review the results to determine which issues you need to resolve on the wireless access controller. 2. Change the admin username and password as follows: a. From the taskbar, open Internet Explorer. b. Maximize Internet Explorer. c. Type 192.168.0.6 and press Enter. d. Enter the admin name. e. Enter the password. f. Select Login. g. From the top, select the Administer tab. h. Make sure Authenticate using the admin name and password is selected. i. In the Admin Name field, enter the username you choose. j. In the Current Password field, enter the password. k. In the New Password field, enter the password you choose. l. In the Confirm New Password field, enter the new password. m. On the right, click Apply. 3. Enable intrusion prevention as follows: a. Select the Configure tab. b. On the left, select WIPS. c. Under Intrusion Detection and Prevention, select Enable report rogue devices. d. Click Apply. 4. Re-run the security evaluator to confirm the remediation of reported vulnerabilities.

6.5.6 Secure Access to a Switch You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the networking closet by restricting access management and by updating the switch's firmware. In this lab, your task is to perform the following: • Create an access profile called MgtAccess and configure it with the following settings: Setting Value Access Profile Name MgtAccess Rule Priority 1 Management Method All Action Deny Applies to Interface All Applies to Source IP address All • Add a profile rule to the MgtAccess profile with the following settings: Setting Value Rule Priority 2 Management Method HTTP Action Permit Applies to interface All Applies to Source IP address User defined IP Version: Version 4 IP Address: 192.168.0.10 Network Mask: 255.255.255.0 • Set the MgtAccess profile as the active access profile. • Save the changes to the switch's startup configuration file. • Update the firmware

Task Summary Create an access profile to restrict management access Hide Details Create the MgtAccess profile Create the deny rule Add a profile rule Hide Details Create the allow rule Set the active access profile Save changes to the startup configuration Upgrade the firmware Explanation In this lab, you perform the following: • Create an Access Profile called MgtAccess and configure it with with the following settings: Setting Value Access Profile Name MgtAccess Rule Priority 1 Management Method All Action Deny Applies to Interface All Applies to Source IP address All • Add a Profile Rule to the MgtAccess profile with the following settings: Setting Value Rule Priority 2 Management Method HTTP Action Permit Applies to interface All Applies to Source IP address User defined IP Version: Version 4 IP Address: 192.168.0.10 Network Mask: 255.255.255.0 • Set the MgtAccess profile as the active access profile. • Save the changes to the switch's startup configuration file. • Update the firmware image to the latest version by downloading the firmware files found inC:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros. Complete this lab as follows: 1. Create an access profile as follows: a. From the left menu, expand Security. b. Expand Mgmt Access Method. c. Select Access Profiles. d. Under Access Profile Table, select Add. e. Enter the access profile name. f. Enter the rule priority. g. Under Management Method, make sure All is selected. h. Enter the action. i. Under Applies to Interface, make sure All is selected. j. Under Applies to Source IP Address, make sure All is selected. k. Click Apply. l. Click Close. 2. Add a profile rule as follows: a. From the left menu, select Profile Rules under Mgmt Access Method. b. Select the MgtAccess profile. c. Select Add. d. Enter the rule priority. e. Select the management method. f. Under Action, make sure Permit is selected. g. Under Applies to Interface, make sure All is selected. h. Under Applies to Source IP Address, select User Defined. i. Under IP Version, make sure Version 4 is selected. j. Enter the IP address. k. Enter the network mask. l. Click Apply. m. Click Close. 3. Set the MgtAccess profile as the active access profile as follows: a. From the left menu, select Access Profiles. b. From the Active Access Profile drop-down list, select MgtAccess. c. Click Apply. d. Click OK. 4. Save the changes to the switch's startup configuration file as follows: a. From the top, select Save. b. Under Source File Name, make sure Running configuration is selected. c. Under Destination File Name, make sure Startup configuration is selected. d. Click Apply. e. Click OK. 5. Upgrade the firmware image to the latest version as follows: a. From the left menu, select Getting Started. b. Select Upgrade Device Software. c. Under File Name, select Choose File. d. Browse to and select C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros. e. Select Open. f. Click Apply. g. Click OK. h. Under File Management in the left menu, select Active Image. i. Under Active Image After Reboot, select Image 2 from the drop-down list. j. Click Apply. k. From the left menu under Administration, select Reboot. l. Click Reboot. m. Click OK. n. Log back in as user ITSwitchAdmin with the password Admin$0nly2017 (0 is zero). o. Select Log In.

6.2.5 Secure a Switch You are the IT security administrator for a small corporate network. You need to secure access to your switch, which is still configured with the default settings. Access the switch management console through Internet Explorer on http://192.168.0.2 with the username cisco and password cisco. In this lab, your task is to perform the following: • Create a new user account with the following settings: o User Name: ITSwitchAdmin o Password: Admin$0nly2017 (0 is zero) o User Level: Read/Write Management Access (15) • Edit the default user account as follows: o Username: cisco o Password: CLI$0nly2017 (0 is zero) o User Level: Read-Only CLI Access (1) • Save the changes to the switch's startup configuration file.

Task Summary Create the new user account Hide Details Set the user name to ITSwitchAdmin Set the password to Admin$0nly2017 Set the user level to Read/Write Management Access (15) Edit the default user account Hide Details Change the password to CLI$0nly2017 Change the user level to: Read-Only CLI Access (1) Save the changes to the switch's startup configuration file Explanation In this lab, you perform the following: • Create a new user account with the following settings: o User Name: ITSwitchAdmin o Password: Admin$0nly2017 (0 is zero) o User Level: Read/Write Management Access (15) • Edit the default user account as follows: o Username: cisco o Password: CLI$0nly2017 (0 is zero) o User Level: Read-Only CLI Access (1) • Save the changes to the switch's startup configuration file. Secure the switch as follows: 1. From the taskbar, open Internet Explorer. 2. In the URL field, enter 192.168.0.2 and press Enter. 3. Enter the username. 4. Enter the password. 5. Select Log In. 6. From Getting Started, select Change Device Password. 7. Create a new user account as follows: a. Select Add. b. Enter the username. c. Enter the password. d. In the Confirm Password field, enter the password. e. Under User Level, make sure Read/Write Management Access (15) is selected. f. Click Apply. g. Click Close. 8. Edit the default user account as follows: a. Select the default user. b. Select Edit. c. Enter the username. d. Enter the password. e. In the Confirm Password field, enter the password. f. Under User Level, make sure Read-Only CLI Access (1) is selected. g. Click Apply. h. Click Close. 9. Save the configuration as follows: a. From the top of the window, select Save. b. Under Source File Name, make sure Running configuration is selected. c. Under Destination File Name, make sure Startup configuration is selected. d. Click Apply. e. Click OK.

6.5.5 Harden a Switch You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the networking closet. The following table lists the used and unused ports: Unused Ports Used Ports GE2 GE7 GE9-GE20 GE25 GE27-GE28 GE1 GE3-GE6 GE8 GE21-GE24 GE26 In this lab, your task is to perform the following: • Disable (shut down) the unused ports. • Configure the following Port Security settings for the used ports: o Interface Status: Lock o Learning Mode: Classic Lock o Action on Violation: Discard

Task Summary Disable the unused ports Hide Details Disable port 2 Disable port 7 Disable port 9 Disable port 10 Disable port 11 Disable port 12 Disable port 13 Disable port 14 Disable port 15 Disable port 16 Disable port 17 Disable port 18 Disable port 19 Disable port 20 Disable port 25 Disable port 27 Disable port 28 Configure Port Security settings for the used ports Hide Details Configure Port Security settings for port 1 Configure Port Security settings for port 3 Configure Port Security settings for port 4 Configure Port Security settings for port 5 Configure Port Security settings for port 6 Configure Port Security settings for port 8 Configure Port Security settings for port 21 Configure Port Security settings for port 22 Configure Port Security settings for port 23 Configure Port Security settings for port 24 Configure Port Security settings for port 26 Explanation In this lab, your task is to perform the following: • Disable (shut down) the unused ports. • Configure the following Port Security settings for the used ports: o Interface Status: Lock o Learning Mode: Classic Lock o Action on Violation: Discard Complete this lab as follows: 1. Under Initial Setup, select Configure Port Settings. a. Select the GE2 port. b. At the bottom, select Edit. c. Under Administrative Status, select Down. d. Scroll down and select Apply; then click Close. e. With the GE2 port selected, scroll down and select Copy Settings. f. In the Copy configuration field, enter the remaining unused ports. g. Click Apply. 2. Configure the Port Security settings as follows: a. Expand Security. b. Select Port Security. c. Select the GE1 port. d. At the bottom, select Edit. e. Under Interface Status, select Lock. f. Under Learning Mode, make sure Classic Lock is selected. g. Under Action on Violation, make sure Discard is selected. h. Select Apply; then select Close. i. From the bottom, select Copy Settings. j. Enter the remaining used ports. k. Click Apply.

6.8.7 Practice Questions Exam Information • No time limit. • 15 questions • 80% passing score. Exam Features • Questions are presented in original order. • You can skip questions and return to previous questions. After Finishing the Exam • You can view your score in the exam report. • You can receive feedback for all questions by clicking "View results by: Individual Responses" in the exam report screen. • If you did not feel comfortable with the concepts and tasks in the test, consider re-studying the prerequisite material.

Task Summary Enable IPS Hide Details Enable IPS for the LAN Enable IPS for the DMZ Update signature manually with SBIPS000018.bin Set to update signature automatically Hide Details Automatically Update Signatures selected User Name: mary.r.brown Password: Upd@teN0w Set IPS Policies to Detect and Prevent Hide Details Set Backdoor to Detect and Prevent Set DOS to Detect and Prevent Set Exploit to Detect and Prevent Set FTP to Detect and Prevent Set LDAP to Detect and Prevent Set Shellcode to Detect and Prevent Set SQL-DB to Detect and Prevent Set TrojanVirus to Detect and Prevent Set WebServer to Detect and Prevent Explanation In this lab, you perform the following: • Enable the IPS on the LAN and DMZ interface. • Manually update the IPS signature using C:\signatures\sbips000018.bin • Configure the NSA to automatically update the signature in the future. o User name: mary.r.brown o Password: Upd@teN0w (0 is zero) • Set the IPS policy to detect and prevent all known threats. Complete this lab as follows: 1. Enable the IPS as follows: a. In the Security Appliance Configuration utility, select IPS. b. Under IPS Enable, select Enable IPS Protection for LAN. c. Select Enable IPS Protection for DMZ, and then click Apply. 2. Update the IPS signature as follows: a. Under Manual Signature Updates, select Browse. b. Browse to and select C:\Signatures\SBIPS000018.bin. c. Click Open. d. Select Upload. e. Refresh the page to update the IPS Signatures status. f. Select Automatically Update Signatures. g. Enter the user name. h. Enter the password; then click Apply. 3. Configure IPS Policy as follows: a. In the left menu, select IPS Policy. b. Select Detect and Prevent for each IPS Category. c. Click Apply.

6.9.6 Scan for Vulnerabilities 2 You are the IT security administrator for a small corporate network. You are performing vulnerability scans on your network. Use the Security Evaluator tool to run a vulnerability scan on the CorpDC domain controller. In this lab, your task is to perform the following: • Run a vulnerability scan for the CorpDC domain controller using the Security Evaluator on the taskbar. • Remediate the vulnerabilities in the Default Domain Policy using Group Policy Management on CorpDC.

Task Summary Reset account lockout counter after 60 minutes Minimum password length 14 characters Minimum password age 1 day Enforce password history for 24 passwords Event log retention set not to overwrite events Hide Details Application log Security log System log DCOM Server Process Launcher service disabled Task Scheduler service disabled Explanation In this lab, you use Group Policy Management to configure the default domain policy with the following settings to remediate the issues identified in the vulnerability report: Policy Setting Reset account lockout counter after 60 Minutes Minimum password length 14 Characters Minimum password age 1 Day Enforce password history 24 Passwords Retention method for application log Do not overwrite events (clear log manually) Retention method for security log Do not overwrite events (clear log manually) Retention method for system log Do not overwrite events (clear log manually) DCOM Server Process Launcher Disabled Task Scheduler Disabled Complete this lab as follows: 1. Run a Security Evaluator report as follows: a. From the taskbar, open Security Evaluator. b. Next to Local Machine, select the Target icon to select a new target. c. Select Domain Controller. d. From the Domain Controller drop-down list, select CorpDC as the target. e. Click OK. f. Select the Status refresh icon to run the security evaluation. g. Review the results to determine which issues you need to resolve on CorpDC. 2. From the top menu, select Floor 1. 3. Select CorpDC. 4. Remediate password issues in Account Policies as follows: a. From Server Manager, select Tools > Group Policy Management. b. Expand Forest: CorpNet.com > Domains > CorpNet.com. c. Right-click Default Domain Policy and select Edit. d. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Account Policy. e. Select Account Lockout Policy. f. In the right pane, right-click the policy and select Properties. g. Select Define this policy setting. h. Enter 60 minutes; then click OK. i. In the left pane, select Password Policy. j. In the right pane, right-click the policy and select Properties. k. Select Define this policy setting. l. Enter the password setting; then click OK. m. Repeat steps 4j-4l for each additional policy. 5. Remediate Event Log issues as follows: a. In the left pane, select Event Log. b. In the right pane, right-click the policy and select Properties. c. Select Define this policy setting. d. Select the retention method; then select OK. e. Repeat steps 5b-5d for each additional policy. 6. Remediate System Services issues as follows: a. In the left pane, select System Services. b. In the right pane, right-click the policy and select Properties. c. Select Define this policy setting. d. Make sure Disabled is selected; then click OK. e. Repeat steps 6b-6d for each additional policy. 7. Verify that all the issues were resolved using the Security Evaluator feature on the ITAdmin computer as follows: a. From the top menu, select Floor 1. b. Select ITAdmin. c. In Security Evaluator, select Status refresh to rerun the security evaluation. d. If you still see unresolved issues, select Floor 1, navigate to CorpDC, and remediate any remaining issues.

6.12.6 Configure Kerberos Policy Settings You are the IT security administrator for a small corporate network that has a single Active Directory domain named CorpNet.com. You are working on increasing the authentication security of the domain. In this lab, your task is to configure the Kerberos policy settings in the Default Domain Policy using Group Policy Management with the following settings: Security Setting Value Maximum lifetime for service ticket 180 minutes Maximum lifetime for user ticket 3 hours Maximum lifetime for user ticket renewal 3 days Maximum tolerance for computer clock synchronization 1 minute Score Report

Task Summary Set the maximum lifetime for service tickets to 180 minutes Set the maximum lifetime for user tickets to 3 hours Set the maximum lifetime for user ticket renewal to 3 days Set the maximum tolerance for computer clock synchronization to 1 minute Explanation In this lab, you configure the Kerberos policy settings in the Default Domain Policy using Group Policy Management with the following settings: Security Setting Value Maximum lifetime for service ticket 180 minutes Maximum lifetime for user ticket 3 hours Maximum lifetime for user ticket renewal 3 days Maximum tolerance for computer clock synchronization 1 minute Complete this lab as follows: 1. From Server Manager, select Tools > Group Policy Management. 2. Expand Forest: CorpNet.com > Domains > CorpNet.com. 3. Right-click Default Domain Policy and select Edit. 4. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Account Policies. 5. Select Kerberos Policy. 6. In the right pane, double-click the policy you want to edit. 7. Select the policy setting; then click OK. 8. Repeat steps 6-7 for each policy setting

6.6.4 Explore VLANs from the CLI In this lab, you will explore how VLAN membership affects device communications. Use Exhibits for IP address and port interface information. Use CTRL+ P to print these instructions and record your answers as you complete each step. When you are finished, read the feedback in the score report to compare your answers. Complete this lab as follows: 1. Select the ITAdmin workstation to open the command prompt. 2. At the command prompt, type the following ping commands to verify that the workstation can communicate with the other workstations through the switch: a. ping 192.168.0.20 (Office1) b. ping 192.168.0.21 (Office2) c. ping 192.168.0.23 (Lobby) 3. In the exhibit, select Switch to open the Switch console. 4. Press Enter. 5. Enter the following commands to enter configuration mode for the switch: a. enable b. config term 6. Type vlan 12 to create a new VLAN. 7. Type the following commands to assign the FastEthernet 0/6 interface to VLAN 12: a. interface fa 0/6 b. switchport access vlan 12 8. Press Ctrl + Z to exit configuration mode on the switch. 9. Return to the ITAdmin window and ping each of the workstations again. a. ping 192.168.0.20 (Office1) b. ping 192.168.0.21 (Office2) c. ping 192.168.0.23 (Lobby) d. What happens? e. Why? 10. Return to the Switch console and use the following commands to modify the FastEthernet 0/1 port's VLAN membership: a. config term b. interface fa 0/1 c. switchport access vlan 12 11. Press Ctrl + Z to exit configuration mode on the switch. 12. Return to the ITAdmin window and ping each of the workstations again. a. ping 192.168.0.20 (Office1) b. ping 192.168.0.21 (Office2) c. ping 192.168.0.23 (Lobby) d. What happens? e. Why?

Task Summary Create VLAN 12 Assign FastEthernet 0/1 to VLAN 12 Assign FastEthernet 0/6 to VLAN 12 Explanation In this lab, you explore how VLAN membership affects device communications. Complete this lab as follows: 1. Select the ITAdmin workstation to open the command prompt. 2. At the command prompt, type the following ping commands to verify that the workstation can communicate with the other workstations through the switch: a. ping 192.168.0.20 (Office1) b. ping 192.168.0.21 (Office2) c. ping 192.168.0.23 (Lobby) 3. In the exhibit, select Switch to open the Switch console. 4. Press Enter. 5. Enter the following commands to enter configuration mode for the switch: a. enable b. config term 6. Type vlan 12 to create a new VLAN. 7. Type the following commands to assign the FastEthernet 0/6 interface to VLAN 12: a. interface fa 0/6 b. switchport access vlan 12 8. Press Ctrl + Z to exit configuration mode on the switch. 9. Return to the ITAdmin window and ping each of the workstations again. a. ping 192.168.0.20 (Office1) b. ping 192.168.0.21 (Office2) c. ping 192.168.0.23 (Lobby) d. What happens? You can no longer ping any of the workstations. e. Why? The ITAdmin workstation was placed on a separate network,VLAN12, so it no longer sees any of the workstations. 10. Return to the Switch console and use the following commands to modify the FastEthernet 0/1 port's VLAN membership: a. config term b. interface fa 0/1 c. switchport access vlan 12 11. Press Ctrl + Z to exit configuration mode on the switch. 12. Return to ITAdmin and ping each of the workstations again. a. ping 192.168.0.20 (Office1) b. ping 192.168.0.21 (Office2) c. ping 192.168.0.23 (Lobby) d. What happens? You can now ping the Office1 workstation, but not Office2 or Lobby. e. Why? The Office1 workstation is now on the same network (VLAN12) as the ITAdmin workstation, so they can see each other.

6.7.7 Block Source Hosts You have a small business network connected to the Internet through a single router (as shown in the network diagram). You have noticed that three hosts on the Internet have been flooding your router with unwanted traffic. As a temporary measure, you want to prevent all communication from these three hosts until the issue is resolved. In this lab, your task is as follows: • Create a standard access list and assign it number 25. • Add statements to the access list to block traffic from the following hosts: o 199.68.111.199 o 202.177.9.1 o 211.55.67.11 • Add a statement to allow all other traffic from all other hosts. • Apply access list 25 to the Serial0/0/0 interface to filter incoming traffic. Because this will be a temporary solution, you do not need to save your changes.

Task Summary Create standard access list and assign it number 25 Deny host 199.68.111.199 Deny host 202.177.9.1 Deny host 211.55.67.11 Permit all other hosts Hide Details Add the permit any statement Make the statement last in the list Apply access list 25 to the s0/0/0 interface Explanation In this lab, you perform the following tasks: • Create a standard access list and assign it number 25. • Add statements to the access list to block traffic from the following hosts: o 199.68.111.199 o 202.177.9.1 o 211.55.67.11 • Add a statement to allow all other traffic from all other hosts. • Apply access list 25 to the Serial0/0/0 interface to filter incoming traffic. Complete this lab as follows: 1. Select the Router icon. 2. Press Enter to obtain a prompt. 3. At the prompt, enter the following commands: Router>enable Router#config t Router(config)#access-list 25 deny host 199.68.111.199 Router(config)#access-list 25 deny host 202.177.9.1 Router(config)#access-list 25 deny host 211.55.67.11 Router(config)#access-list 25 permit any Router(config)#int s0/0/0 Router(config-if)#ip access-group 25 in 4. Press Ctrl + Z. To identify a specific host, you can also use 199.68.111.199 0.0.0.0 without the host parameter. Use 0.0.0.0 255.255.255.255 to identify any host.

6.7.5 Restrict Telnet and SSH Access You are in the process of configuring a new router. The router interfaces will connect to the following networks: Interface Network FastEthernet0/0 192.168.1.0/24 FastEthernet0/1 192.168.2.0/24 FastEthernet0/1/0 192.168.3.0/24 Only Telnet and SSH access from these three networks should be allowed. In this lab, your task is to perform the following: • Create a standard access list and assign it number 5. • Add a permit statement for each network to the access list. • Apply the access list to VTY lines 0-4. • Save your changes in the startup-config file. Use the access-list command to create the list statements, and then use the access-class command to apply the list to the VTY lines. Use the in direction to filter incoming traffic.

Task Summary Create standard access list and assign it number 5 Permit network 192.168.1.0 0.0.0.255 Permit network 192.168.2.0 0.0.0.255 Permit network 192.168.3.0 0.0.0.255 Apply access list 5 to VTY lines 0-4 Hide Details Apply to VTY 0 for inbound traffic Apply to VTY 1 for inbound traffic Apply to VTY 2 for inbound traffic Apply to VTY 3 for inbound traffic Apply to VTY 4 for inbound traffic Save the changes Hide Details Save the permit192.168.1.0 0.0.0.255 statement Save the permit192.168.2.0 0.0.0.255 statement Save the permit192.168.3.0 0.0.0.255 statement Apply access list 5 to VTY lines 0-4 Explanation In this lab, your perform the following tasks: • Create a standard access list and assign it number 5. • Add a permit statement for each network to the access list. • Apply the access list to VTY lines 0-4. • Save your changes in the startup-config file. Complete this lab as follows: 1. Select the Router icon. 2. Press Enter to obtain a prompt. 3. At the prompt, enter the following commands: Router>enable Router#config t Router(config)#access-list 5 permit 192.168.1.0 0.0.0.255 Router(config)#access-list 5 permit 192.168.2.0 0.0.0.255 Router(config)#access-list 5 permit 192.168.3.0 0.0.0.255 Router(config)#line vty 0 4 Router(config-line)#access-class 5 in 4. Press Ctrl + Z. 5. At the prompt, enter Router#copy run start 6. Press Enter twice.

6.5.7 Secure Access to a Switch 2 You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the networking closet by creating an access control list. You have been asked to prevent video game consoles from connecting to the switch. In this lab, your task is to perform the following: • Create a MAC-based ACL named GameConsoles. • Configure the GameConsoles MAC-based access control entry (ACE) settings as follows: Priority Action Destination MAC Address Source MAC Address 1 Deny Any Value: 00041F111111 Mask: 000000111111 2 Deny Any Value: 005042111111 Mask: 000000111111 3 Deny Any Value: 000D3A111111 Mask: 000000111111 4 Deny Any Value: 001315111111 Mask: 000000111111 5 Deny Any Value: 0009BF111111 Mask: 000000111111 6 Deny Any Value: 00125A111111 Mask: 000000111111 • Bind the GameConsoles ACL to all interfaces. • Save the changes to the switch's startup configuration file.

Task Summary Create the GameConsoles ACL Create MAC-based access control Hide Details Create priority 1 entry Create priority 2 entry Create priority 3 entry Create priority 4 entry Create priority 5 entry Create priority 6 entry Bind the GameConsoles ACL to all of the interfaces Hide Details Bind the GameConsoles ACL to GE1 Bind the GameConsoles ACL to GE2 Bind the GameConsoles ACL to GE3 Bind the GameConsoles ACL to GE4 Bind the GameConsoles ACL to GE5 Bind the GameConsoles ACL to GE6 Bind the GameConsoles ACL to GE7 Bind the GameConsoles ACL to GE8 Bind the GameConsoles ACL to GE9 Bind the GameConsoles ACL to GE10 Bind the GameConsoles ACL to GE11 Bind the GameConsoles ACL to GE12 Bind the GameConsoles ACL to GE13 Bind the GameConsoles ACL to GE14 Bind the GameConsoles ACL to GE15 Bind the GameConsoles ACL to GE16 Bind the GameConsoles ACL to GE17 Bind the GameConsoles ACL to GE18 Bind the GameConsoles ACL to GE19 Bind the GameConsoles ACL to GE20 Bind the GameConsoles ACL to GE21 Bind the GameConsoles ACL to GE22 Bind the GameConsoles ACL to GE23 Bind the GameConsoles ACL to GE24 Bind the GameConsoles ACL to GE25 Bind the GameConsoles ACL to GE26 Bind the GameConsoles ACL to GE27 Bind the GameConsoles ACL to GE28 Save the configuration Explanation In this lab, you perform the following: • Create a MAC-based ACL named GameConsoles. • Configure the GameConsoles MAC-based access control entry (ACE) settings as follows: Priority Action Destination MAC Address Source MAC Address 1 Deny Any Value: 00041F111111 Mask: 000000111111 2 Deny Any Value: 005042111111 Mask: 000000111111 3 Deny Any Value: 000D3A111111 Mask: 000000111111 4 Deny Any Value: 001315111111 Mask: 000000111111 5 Deny Any Value: 0009BF111111 Mask: 000000111111 6 Deny Any Value: 00125A111111 Mask: 000000111111 • Bind the GameConsoles ACL to all interfaces. • Save the changes to the switch's startup configuration file. Complete this lab as follows: 1. Create the GameConsoles ACL as follows: a. Under Getting Started, select Create MAC-Based ACL. b. Select Add. c. Enter the ACL name. d. Click Apply; then click Close. 2. Create MAC-based access control as follows: a. Select MAC-Based ACE Table. b. Select Add. c. Enter the priority. d. Select the action. e. Under Destination MAC Address, make sure Any is selected. f. Under Source MAC Address, select User Defined. g. Enter the destination MAC address value. h. Enter the destination MAC address mask. i. Click Apply. j. Repeat steps 2c-2i for additional ACE entries. k. Click Close. 3. Bind the GameConsoles ACL to all of the interfaces as follows: a. Under Access Control, select ACL Binding. b. Select GE1. c. At the bottom of the window, select Edit. d. Click Select MAC-Based ACL. e. Select Apply; then click Close. f. Select Copy Settings. g. In the Copy configuration to field, enter GE2-GE30. h. Click Apply. 4. Save the Configuration as follows: a. At the top of the window, select Save. b. Under Source File Name, make sure Running configuration is selected. c. Under Destination File Name, make sure Startup configuration is selected. d. Click Apply. e. Click OK.

6.14.6 Create Virtual Switches You have installed Hyper-V on the CorpServer server. You want to use the server to create virtual machines. Prior to creating the virtual machines, you are experimenting with virtual switches. In this lab, your task is to create virtual switches as follows: • Create Switch 1 as a private switch. Within a private switch, virtual machines can communicate with each other, but cannot communicate with the management operating system or access the physical network. • Create Switch 2 as an internal switch. Within an internal switch, virtual machines can communicate with one another and with the management operating system, but cannot access the physical network.

Task Summary Create the Switch 1 virtual switch Hide Details Create the virtual switch Use Private as the switch type Create the Switch 2 virtual switch Hide Details Create the virtual switch Use Internal as the switch type Explanation In this lab, you perform the following tasks: • Create Switch 1 as a private switch. Within a private switch, virtual machines can communicate with each other, but cannot communicate with the management operating system or access the physical network. • Create Switch 2 as an internal switch. Within an internal switch, virtual machines can communicate with one another and with the management operating system, but cannot access the physical network. Create a virtual switch as follows: 1. In Hyper-V Manager, right-click CORPSERVER and select Virtual Switch Manager. 2. Select New virtual network switch. 3. In the right pane, select the type of virtual switch you want to create. 4. Select Create Virtual Switch. 5. In the Name field, enter the name of the virtual switch; then click Apply. 6. Click OK. 7. Repeat steps 1-6 to create a second virtual switch.

6.6.6 Explore VLANs You are the IT security administrator for a small corporate network. You need to increase the networking closet's security by implementing a CCTV system with IP cameras. As part of this task, you need to separate the CCTV data traffic on the network using a separate VLAN on the switch. The patch panel connections for the networking closet, lobby, and IT administration office are installed and ready for use (ports 18-20). A DHCP server is already configured to provide the IP cameras and the laptop in the IT administration office with the correct TCP/IP settings (port 21). For an easier implementation, create the logical VLAN first. Then establish the physical connections of the IP cameras and the laptop. In this lab, your task is to perform the following: • Access the switch management console from ITAdmin using the following credentials: o Address: http://192.168.0.2 o Username: ITSwitchAdmin o Password: Admin$0nly (0 is zero) • Create a VLAN on the switch as follows: o VLAN ID: 2 o VLAN Name: IPCameras o Ports: 18, 19, 20, 21 • In the networking closet and lobby, perform the following: o Connect a Cat5e cable to the RJ-45 ports on the IP camera and the IP camera wall plate. o Mount the IP camera on the wall plate. • In the networking closet, connect the DHCP server to the VLAN using a Cat5e cable from switch port 21 to patch panel port 21 in the rack. • In the IT administration office, connect a Cat5e cable to the laptop's network port and the open port on the wall plate. • On ITAdmin-Lap, verify the VLAN configuration and IP camera installation as follows: 1. Select Start > All Apps > IP Cameras. 2. Verify that the program detects the IP cameras on the VLAN 2 network.

Task Summary Create the VLAN Hide Details Use 2 as the VLAN number (ID) Use IPCameras as the name Include ports 18, 19, 20, and 21 Connect the IP cameras to the VLAN and mount the IP cameras to the wall Hide Details Make the connections in the lobby Make the connections in the networking closet Connect the laptop to the VLAN Launch the IP camera monitoring software and confirm that the IP cameras are online Explanation In this lab, you perform the following: • Access the switch management console from ITAdmin using the following credentials: o Address: http://192.168.0.2 o Username: ITSwitchAdmin o Password: Admin$0nly (0 is zero) • Create a VLAN on the switch as follows: o Number (ID): 2 o Name: IPCameras o Ports: 18, 19, 20, 21 • In the networking closet and lobby, perform the following: o Connect a Cat5e cable to the RJ-45 ports on the IP camera and the IP camera wall plate. o Mount the IP camera on the wall plate. • In the networking closet, connect the DHCP server to the VLAN using a Cat5e cable from switch port 21 to patch panel port 21 in the rack. • In the IT administration office, connect a Cat5e cable to the laptop's network port and the open port on the wall plate. • On ITAdmin-Lap, verify the VLAN configuration and IP camera installation as follows: 1. Select Start > All Apps > IP Cameras. 2. Verify that the program detects the IP cameras on the VLAN 2 network. Complete this lab as follows: 1. Configure a VLAN as follows: a. From the taskbar, open Internet Explorer. b. Maximize Internet Explorer. c. In the URL field, enter 192.168.0.2 and press Enter. d. In the Username field, enter ITSwitchAdmin. e. In the Password field, enter Admin$0nly (0 is zero). f. Click Log In. g. From the Getting Started page, select Create VLAN. h. Click Add. i. Enter the VLAN ID. j. Enter the VLAN name. k. Click Apply. l. Click Close. m. From the left menu, select Port to VLAN under VLAN Management. n. From the VLAN ID equals to drop-down list, select 2. o. Click Go. p. For ports 18, 19, 20, and 21, select Untagged. q. Click Apply. 2. Connect the IP camera in the lobby to the VLAN and mount the IP cameras as follows: a. From the top menu, select Floor 1. b. Under Lobby, select Hardware. c. Under Shelf, expand CCTV Cameras. d. Drag the IP camera (Lobby) to the workspace. e. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera. f. Under Shelf, expand Cables. g. Drag a Cat5e Cable to the RJ-45 port on the IP Camera mount wall plate. h. From the wall plate's Partial Connections list, drag the other connector to the RJ-45 port on the back of the IP camera. Connect the IP camera to the IP camera wall plate. i. To mount the IP camera, drag the IP camera to the IP camera wall plate. 3. Connect the IP camera in the networking closet to the VLAN and mount the IP cameras as follows: a. From the top menu, select Floor 1. b. Under Networking Closet, select Hardware. c. Under Shelf, expand CCTV Cameras. d. Drag the IP camera (Networking Closet) to the workspace. e. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera. f. Under Shelf, expand Cables. g. Drag a Cat5e Cable to the RJ-45 port on the IP Camera mount wall plate. h. From the wall plate's Partial Connections list, drag the other connector to the RJ-45 port on the back of the IP camera. i. To mount the IP camera, drag the IP camera to the IP camera wall plate. 4. Connect the DHCP server and laptop to the VLAN as follows: a. In the networking closet, expand Cables under Shelf. b. Drag a Cat5e Cable to port 21 on the switch. c. Drag the Cat5e Cable from the rack's Partial Connections list to port 21 on the patch panel. d. From the top menu, select Floor 1 to connect the laptop to the VLAN. e. Under IT Administration, select Hardware. f. Above the laptop, select Back to switch to the back view of the laptop. g. Expand Shelf. h. Expand Cables on the Shelf. i. Drag a Cat5e Cable to the RJ-45 port on the laptop. j. Drag the Cat5e Cable from the laptop's Partial Connections list to the open RJ-45 port on the wall plate. To verify that all components are connected, you can change location to the Network Closet hardware view. You should see green link/activity lights on ports 18 - 21 of the switch. You should also see amber Power Over Ethernet (POE) lights on ports 19 and 20, which are connected to the IP cameras. 5. Launch the IP camera monitoring software as follows: a. From the top menu, select Floor 1. b. Under IT Administration, select ITAdmin-Lap. c. Select Start. d. Select All Apps. e. Select IP Cameras. f. Verify that both cameras are detected on the network.