Wednesday, 05 January 2011

CCNA Discovery 4 Chapter 1


Lab 1.3.4 Creating an ACL
Step 1: Analyze the traffic filtering requirements
a. Determine the access and filtering requirements. For this lab:

1) PC1 is a network administrator's workstation. This host must be permitted FTP and HTTP access to the network server, and Telnet access to the router FC-CPE-1.
2) PC2 is a general workstation that is to have HTTP access only. FTP services and Telnet access to the router are not permitted.

b. Having determined the specific requirements, decide whether all other traffic is to be allowed or denied. List the benefits and potential problems of the following filtering scenarios:

Benefits of allowing all other traffic:
Answer:
Services introduced in the future are not obstructed or blocked.

Potential problems with allowing all other traffic:
Answer:
Harmful and unwanted traffic is not blocked.

Benefits of denying all other traffic:
Answer:
Harmful and unwanted traffic is blocked automatically.

Potential problems with denying all other traffic:
Answer:
Services implemented in the future will be blocked automatically.

Step 2: Design and create the ACL

When would it be best to permit specific traffic first and then deny general traffic?
Answer:
An ACL without many statements reduces packet latency.

When would it be best to deny specific traffic first and then permit general traffic?
Answer:
When there is likely to be more traffic of the type to be denied. These packets are matched early in the ACL without having to traverse many statements, minimizing router latency.

c. Select one approach and write the ACL statements that will meet the requirements of this lab.

Allow PC1 to access the server with HTTP and FTP
access-list 101 permit tcp host 10.0.0.10 host 172.17.1.1 eq www log
access-list 101 permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp log
Allow PC2 to access the web server
access-list 101 permit tcp host 10.0.0.201 host 172.17.1.1 eq www log
Allow PC1 Telnet access to the router Fa0/0 address
access-list 101 permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet log
Deny all other traffic (the protocol keyword comes before the source and destination)
access-list 101 deny ip any any log
After an ACL is written and applied to an interface, it is useful to know if the ACL statements are having the desired effect. The number of packets that meet the conditions of each ACL statement can be logged by adding the option log at the end of each statement.

Why is it important to know how many times packets that match an ACL statement are denied?
Answer:

This potentially shows the number of attempts at unauthorized access to denied services that may lead to further investigation of network usage.

Step 3: Cable and configure the given network

Step 4: Test the network services without ACLs

Perform the following tests on PC1:
a. Open a web browser on PC1 and enter the URL http://172.17.1.1 in the address bar. What web page was displayed?
Answer:
Discovery Server Home Page

b. Open a web browser on PC1 and enter the URL ftp://172.17.1.1 in the address bar. What web page was displayed?
Answer:
Discovery FTP Home Directory

c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop. Did the file copy successfully?
Answer:
Yes

d. From the PC1 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display?
Answer:
A prompt for the Telnet password and login to the router

e. Exit the Telnet session.
quit

Perform the following tests on PC2:

a. Open a web browser on PC2 and enter the URL http://172.17.1.1 in the address bar. What web page was displayed?
Answer:
Discovery Server Home Page

b. Open a web browser on PC2 and enter the URL ftp://172.17.1.1 in the address bar. What web page was displayed?
Answer:
Discovery FTP Home Directory

c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop. Did the file copy successfully?
Answer:
Yes

d. From the PC2 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display?
Answer:
A prompt for the Telnet password and login to the router

e. Exit the Telnet session.
quit

Why was each of the above connections successful?
Answer:
There were no data access or filtering controls in place. A successful connection was expected.

If any of the above connections was not successful, troubleshoot the network and configurations and
establish each type of connection from each host.

Step 5: Configure the network services ACL

Step 6: Apply the ACLs

Step 7: Test the network services with ACLs

Perform the following tests on PC1:

a. Open a web browser on PC1 and enter the URL http://172.17.1.1 in the address bar. What web page was displayed?
Answer:
Discovery Server Home Page

b. Open a web browser on PC1 and enter the URL ftp://172.17.1.1 in the address bar. What web page was displayed?
Answer:
Discovery FTP Home Directory

c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to the local Desktop. Did the file copy successfully?
Answer:
Yes

Why is this the outcome?
Answer:
This host is allowed FTP access.

d. From the PC1 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display?
Answer:
A prompt for the Telnet password and login to the router

Why is this the outcome?
Answer:
This host is allowed Telnet access.

e. Exit the Telnet session.

Perform the following tests on PC2:

a. Open a web browser on PC2 and enter the URL http://172.17.1.1 in the address bar. What web page was displayed?
Answer:
Discovery Server Home Page

Why is this the outcome?
Answer:
This host is allowed web access.

b. Open a web browser on PC2 and enter the URL ftp://172.17.1.1 in the address bar. What web page was displayed?
Answer:
An error page: the page cannot be displayed.

Why is this the outcome?
Answer:
This host is not allowed FTP access.

c. From the PC2 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client (HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router. What response did the router display?
Answer:
Telnet connection refused.

Why is this the outcome?
Answer:
This host is not allowed Telnet access.

If any of these transactions did not result in the expected outcome, troubleshoot the network and
configurations and retest the ACLs from each host.

Step 8: Observe the number of statement matches

Step 9: Clean up

Challenge
Rewrite the Server-Access ACL used in this lab so that:
1. Administrator workstations are considered to be in the address range 10.0.0.10 /24 to 10.0.0.15 /24 instead of a single host; and,
2. The general workstations have the address range 10.0.0.16 /24 to 10.0.0.254 /24 instead of being a single host.

Answer:

ip access-list extended Server-Access
 remark Allow the administrator workstations any IP traffic to the server
 permit ip 10.0.0.0 0.0.0.15 host 172.17.1.1 log
 remark Allow the general workstations to access the web server
 permit tcp 10.0.0.0 0.0.0.255 host 172.17.1.1 eq www log
 remark Deny all other traffic
 deny ip any any log
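To see why statement order and the implicit deny matter, and what the match counters the lab asks you to observe in Step 8 look like, here is a small model of extended ACL evaluation written for this page (it is not part of the lab and not Cisco code). It replays the Step 7 tests against both the Step 2 access-list 101 and the Challenge Server-Access ACL. Addresses, ports and ACL entries are taken from the lab; the test packets and the `Entry` / `evaluate` / `wildcard_match` names are this example's own.

```python
# Added example (not part of the lab or of Cisco IOS): a minimal model of how an
# IOS extended ACL is evaluated. Entries are checked top to bottom, the first
# match decides, and an unmatched packet hits the implicit deny. Each entry keeps
# a hit counter standing in for the match statistics the 'log' keyword produces.
# Addresses, ports and entries are the lab's; the test packets are constructed.
from dataclasses import dataclass
from typing import Optional
import ipaddress

PORTS = {"www": 80, "ftp": 21, "telnet": 23}   # named ports used in the lab
ANY = ("0.0.0.0", "255.255.255.255")           # IOS 'any'


def host(ip: str):
    """IOS 'host A.B.C.D' is shorthand for A.B.C.D with wildcard 0.0.0.0."""
    return ip, "0.0.0.0"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, otherwise e.g. "tcp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # destination port ('eq'), None = any port
    hits: int = 0                # matches seen, as 'show access-lists' reports

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or self.dport == pkt.get("dport")


def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; nothing matched means the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            entry.hits += 1
            return entry.action
    return "deny"


def lab_acl():
    """The Step 2 answer, access-list 101, as entries."""
    return [
        Entry("permit", "tcp", *host("10.0.0.10"), *host("172.17.1.1"), PORTS["www"]),
        Entry("permit", "tcp", *host("10.0.0.10"), *host("172.17.1.1"), PORTS["ftp"]),
        Entry("permit", "tcp", *host("10.0.0.201"), *host("172.17.1.1"), PORTS["www"]),
        Entry("permit", "tcp", *host("10.0.0.10"), *host("10.0.0.1"), PORTS["telnet"]),
        Entry("deny", "ip", *ANY, *ANY),
    ]


def challenge_acl():
    """The Challenge answer, Server-Access, with the address ranges as wildcards."""
    return [
        Entry("permit", "ip", "10.0.0.0", "0.0.0.15", *host("172.17.1.1")),
        Entry("permit", "tcp", "10.0.0.0", "0.0.0.255", *host("172.17.1.1"), PORTS["www"]),
        Entry("deny", "ip", *ANY, *ANY),
    ]


# Constructed packets replaying the Step 7 tests from PC1 (10.0.0.10) and PC2 (10.0.0.201).
STEP7_TESTS = {
    "PC1 http":   {"proto": "tcp", "src": "10.0.0.10",  "dst": "172.17.1.1", "dport": 80},
    "PC1 ftp":    {"proto": "tcp", "src": "10.0.0.10",  "dst": "172.17.1.1", "dport": 21},
    "PC1 telnet": {"proto": "tcp", "src": "10.0.0.10",  "dst": "10.0.0.1",   "dport": 23},
    "PC2 http":   {"proto": "tcp", "src": "10.0.0.201", "dst": "172.17.1.1", "dport": 80},
    "PC2 ftp":    {"proto": "tcp", "src": "10.0.0.201", "dst": "172.17.1.1", "dport": 21},
    "PC2 telnet": {"proto": "tcp", "src": "10.0.0.201", "dst": "10.0.0.1",   "dport": 23},
}


def run_tests(acl: list) -> dict:
    """Return {test name: action}; the ACL's hit counters are updated as a side effect."""
    return {name: evaluate(acl, pkt) for name, pkt in STEP7_TESTS.items()}


def hit_counts(acl: list) -> list:
    return [entry.hits for entry in acl]


if __name__ == "__main__":
    for name, build in (("access-list 101", lab_acl), ("Server-Access", challenge_acl)):
        acl = build()
        print(name, run_tests(acl), "matches per entry:", hit_counts(acl))
```

Two things the counters make visible: the wildcard 10.0.0.0 0.0.0.15 covers 10.0.0.0 through 10.0.0.15, not only the .10 to .15 range the Challenge names, and the Challenge ACL, whose only destination is the server, no longer permits the administrators' Telnet to the router address 10.0.0.1 that access-list 101 allowed, so that test lands on the final deny.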

Lab 1.4.3 Monitoring VLAN Traffic
Task 1: Demonstrate Broadcasts across a Single LAN

Step 1: Prepare the switch for configuration

Step 2: Configure the PCs

Step 3: Generate and examine ARP broadcasts

a. Launch Wireshark on each PC and start the packet capture for the traffic seen by the NIC in each PC.
b. From the command line of each PC, ping all connected devices.
c. Monitor the operation of Wireshark. Note the ARP traffic registering on each PC.
d. Stop the Wireshark capture on each PC.
e. Examine the entries in the Wireshark Packet List (upper) pane.

How many ARP captures occurred for each device?
Answer:
An ARP request is sent and a reply received for each device that is pinged.

List the source IP addresses of the ARP requests and replies:
Answer:
The source IP address of each request is the device that issued the ping command, and the reply comes from the device being pinged.

Did each device receive an ARP request from every PC connected to the switch?
Answer:
Yes

f. Exit Wireshark.

Task 2: Demonstrate Broadcasts within Multiple VLANs

Step 1: Configure the VLANs on the switch

Step 2: Prepare the PCs

Step 3: Generate ARP broadcasts
a. Launch Wireshark on each PC and start the packet capture for the traffic seen by the NIC in each PC.
b. From the command line of each PC, ping each of the other three devices connected to the switch.
c. Monitor the operation of Wireshark. Note the ARP traffic registering on the two PCs.
d. Stop the Wireshark capture on each PC.
e. Examine the entries in the Wireshark Packet List (upper) pane.

How many ARP captures occurred for each PC?
Answer:
One ARP request and one ARP reply, from the device in the same VLAN as the PC.

List the source IP addresses:
Answer:
Depends on the individual PC.

What is the difference between the captured ARP packets for each PC this time and those captured in Task 1?
Answer:
Only ARP requests from devices in the same VLAN are received.

How many Ethernet broadcast domains are present now?
Answer:
2 broadcast domains, VLAN 10 and VLAN 20.

f. Exit Wireshark.

Step 4: Clean up

Task 3: Reflection
a. Discuss the use of VLANs in keeping data traffic separated. What are the advantages of doing this?
Answer:
Reduces the load on bandwidth by limiting broadcasts to the hosts in the VLAN.
Provides security and traffic filtering by limiting user access to a single VLAN.

b. When designing a network, list different criteria that could be used to divide a network into VLANs.
Answer:
Location
Organization
Traffic type

Lab 1.4.5 Identifying Network Vulnerabilities
Step 1: Open the SANS Top 20 List

Step 2: Review common configuration weaknesses

1. Click hyperlink N2. Network and Other Devices Common Configuration Weaknesses.
2. List the four headings in this topic.
Answer:
Description
Common Default Configuration Issues
Printer vulnerabilities
How to protect against these vulnerabilities

Step 3: Review common default configuration issues

Step 4: Note the CVE references
Step 5: Investigate a topic and associated CVE hyperlink

Step 6: Record vulnerability information
Step 7: Record the vulnerability impact

Step 8: Record the solution

Step 9: Reflection
The number of vulnerabilities to computers, networks, and data continues to increase. Many national governments have dedicated significant resources to coordinating and disseminating information about security vulnerabilities and possible solutions. It remains the responsibility of the end user to implement the solution. Think of ways that users can help strengthen security. Write down some user habits that create security risks.
Answer:

Using weak passwords
Writing passwords down
Not changing passwords regularly
Not securing workstations when they are not in use
Not following procedure when disclosing network information

Lab 1.4.6A Gaining Physical Access to the Network
Task 1: Access and Change the Router Passwords

Step 1: Attempt login to the router

a. Referring to Topology 1, connect the host PC NIC Ethernet port to the router Fa0/0 Ethernet port using a crossover cable. Ensure that power has been applied to both the host computer and the router.

b. Using the given preconfigured topology, attempt to telnet to the router from the PC command line. Which IP address is used to telnet to the router?
Answer:
10.0.0.1

What does the message-of-the-day display?
ONLY AUTHORIZED ACCESS TO THIS DEVICE PERMITTED Unauthorized access will be penalized in accordance with the relevant laws

How many login attempts are allowed?
Answer:
3

What message is displayed to indicate failure of the login attempts?
% Bad passwords

c. When this attempt at remote login fails, establish a direct physical connection to the router by making the necessary console connections between the PC and router. Then establish a terminal session using HyperTerminal or TeraTerm. What does the message-of-the-day display?
ONLY AUTHORIZED ACCESS TO THIS DEVICE PERMITTED Unauthorized access will be penalized in accordance with the relevant laws

Attempt to log in by guessing the password.
How many login attempts are allowed?
Answer:
3

What message is displayed to indicate failure of the login attempts?
% Bad passwords

The configuration register needs to be changed so that the startup configuration is not loaded. Normally, this is done from global configuration mode, but because you cannot log in at all, the boot process must first be interrupted so that the change can be made in ROM Monitor mode.

Step 2: Enter the ROM Monitor mode

Step 3: Examine the ROM Monitor mode help

Step 4: Change the configuration register setting to boot without loading configuration file
From the ROM Monitor mode, enter confreg 0x2142 to change the config-register.

rommon 2 > confreg 0x2142

NOTE: The ROMMON prompt increments when a command is issued; this is normal behavior. The increment does not mean a change of mode. The same ROMMON commands are still available. "0x" (zero-x) denotes that 2142 is a hexadecimal value. What is this value in binary?
Answer:
0010 0001 0100 0010

Step 5: Restart router

Step 6: Enter Privileged EXEC mode and view and change passwords


Step 7: Change the configuration register setting to boot and load the configuration file

Step 8: Verify new password and configuration

Task 2: Access and Change the Switch Passwords

Step 1: Attempt login to the switch

a. Referring to Topology 2, connect the host PC NIC Ethernet port to the switch Fa0/1 Ethernet port using a straight-through cable. Ensure that power has been applied to both the host computer and the switch.
b. Using the given preconfigured topology, attempt to telnet to the switch from the PC command line. Which IP address is used to telnet to the switch?
Answer:
10.0.0.2

What does the message-of-the-day display?
ONLY AUTHORIZED ACCESS TO THIS DEVICE PERMITTED Unauthorized access will be penalized in accordance with the relevant laws

How many login attempts are allowed?
Answer:
3

What message is displayed to indicate failure of the login attempts?
% Bad passwords
Connection to host lost.

c. When this attempt at remote login fails, establish a direct physical connection to the switch by making the necessary console connections between the PC and switch. Then establish a terminal session using HyperTerminal or TeraTerm. What does the message-of-the-day display?
ONLY AUTHORIZED ACCESS TO THIS DEVICE PERMITTED Unauthorized access will be penalized in accordance with the relevant laws

Attempt to log in by guessing the password.
How many login attempts are allowed?
Answer:
3

What message is displayed to indicate failure of the login attempts?
% Bad passwords

To prevent the configuration from loading, the config.txt file is renamed so that the switch IOS cannot locate and load a valid configuration file. To rename the file, the boot process must be interrupted so that the change can be made in the "switch:" mode.

Step 2: Enter the switch: mode

Step 3: Restart the switch

Step 4: Enter Privileged EXEC mode and view and change passwords

Step 5: Save the configuration file

Step 6: Verify new password and configuration

Step 7: Clean up

Task 3: Reflection

Consider the different methods of securing physical access to networking devices such as routers and
switches. List how only those people who require access can be identified and how this security can be
implemented.
Answer:
Physical security includes locking the rooms and cabinets that contain switches and routers. Network devices in common rooms shared with other services, such as electrical power panels, should be enclosed in separate, locked cabinets. Keys and access codes should only be given to authorized personnel.

Lab 1.4.6B Implementing Port Security
Task 1: Configure and Test the Switch Connectivity

Step 1: Prepare the switch for configuration

Step 2: Configure the switch

Step 3: Configure the hosts attached to the switch

Step 4: Verify host connectivity

Step 5: Record the host MAC addresses

Determine and record the Layer 2 addresses of the PC network interface cards. (For Windows 2000, XP, or Vista, check by using Start > Run > cmd > ipconfig /all.)

PC1 MAC Address: Answer: e.g., 00-07-EC-93-3C-D1
PC2 MAC Address: Answer: e.g., 00-01-C7-E4-ED-E6

Step 6: Determine what MAC addresses the switch has learned

How were these MAC addresses and port associations learned?
Answer:
The source MAC addresses of the ping echo requests and echo replies were recorded against the port they arrived on.

Task 2: Configure and Test the Switch for Dynamic Port Security

Step 1: Set port security options

Step 2: Verify the configuration
a. Display the running configuration. What statements in the configuration directly reflect the security implementation?
Answer:

interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky

Step 3: Verify the port security

a. Connect PC1 to switch port Fa0/1 and PC2 to switch port Fa0/4.
b. From the command prompt, ping from PC1 to PC2. Was this successful? Yes
c. From the command prompt, ping from PC2 to PC1. Was this successful? Yes

Step 4: Test the port security

Ping from PC1 to PC2. Was this successful? No
Ping from PC2 to PC1. Was this successful? No

Note the difference in entries recorded in Step 3 e.
The port status is now shutdown.
There is 1 security violation.
The last source address has changed to the Linksys device.

What is the state of this interface?
FastEthernet0/4 is down and line protocol is down.

Step 5: Reactivate the port
a. If a security violation occurs and the port is shut down, enter interface Fa0/4 configuration mode, disconnect the offending device, and use the shutdown command to temporarily disable the port.
b. Disconnect the Linksys and reconnect PC2 to port Fa0/4. Issue the no shutdown command on the interface.
c. Ping from PC1 to PC2. This may have to be repeated multiple times before success. List reasons why multiple ping attempts may be necessary before success is achieved.
Answer:

Spanning Tree Protocol needs to run.
ARP requests must be sent and received.
The switch must learn the MAC address to port associations.

Step 6: Discuss switch port security using dynamic MAC address assignment

Advantages:
Host MAC addresses do not have to be recorded and entered when the switch is configured.
There is flexibility when connecting a large number of hosts, provided the port used is in the correct VLAN.

Disadvantages:
If the wrong host is connected to the switch before the correct host, network security can still be breached.
A host can be connected to the wrong VLAN.
When a NIC is changed in a PC, or when a PC is replaced, the network administrator has to reset the port security manually.

Step 7: Clean up

Task 3: Reflection

When considering the design of a typical enterprise network, it is necessary to think about points of security vulnerability at the Access Layer. Discuss which Access Layer switches should have port security and those for which it may not be appropriate. Include possible future issues in regard to wireless and guest access to the network.

Answer:
• The type of host connected to the switch.
• The type of user: employee or guest.
• Where access takes place: in a secure office or in a public area.
• The type of access: wired or wireless.
• Investigate the security features available on the different switch platforms.
• How a port security policy can be implemented and managed.
• Static versus dynamic port security.

