Section 9: Security (8 Points)


  • The users on VLAN_33 belong to a development department and are under strict supervision. They are not permitted to access e-mail (the mail server is outside VLAN_33) between 08:00 AM and 08:00 PM, Monday through Friday. Configure an access list to accomplish this.

If you configured this correctly as shown in Example 4-44, you have scored 3 points.

NOTE

When configuring the time-range feature, do not forget to set the clock on the router; otherwise, the feature will not work (the time-range will remain inactive, and the entry that references it is never applied). Use the clock set command from the router enable mode prompt.


The time-range feature shown in Example 4-44 limits an access-list entry, and therefore the access or sessions it controls for specific protocols, to a certain period of time.

Example 4-44. R3 Access List and time-range Configuration
 R3#show run
 !
 !
 interface FastEthernet0/1
  ip address 160.10.33.3 255.255.255.0
  ip access-group NO-SMTP in
 !
 !
 ip access-list extended NO-SMTP
  deny   tcp any any eq smtp time-range no-SMTP
  permit ip any any
 !
 time-range no-SMTP
  periodic weekdays 8:00 to 20:00
 !
 R3#sh time-range
 time-range entry: no-SMTP (inactive)
    periodic weekdays 8:00 to 20:00
    used in: IP ACL entry
 R3#
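The following Python model is an added illustration of how the NO-SMTP access list in Example 4-44 is evaluated; it is not part of the book or of Cisco IOS. It encodes the two entries and the periodic time-range as data, walks the ACL first-match with the implicit deny at the end, and treats an unset router clock as a range that never becomes active, which is the failure mode the NOTE above warns about: the deny entry is skipped and SMTP is permitted. The end minute of the range is treated as inclusive (an assumption of this model), and the host and mail-server addresses in the sample packets are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed model of an IOS extended ACL with a periodic time-range.
# Illustration only, not Cisco code.

WEEKDAYS = frozenset(range(0, 5))  # Monday=0 .. Friday=4, as datetime.weekday()


@dataclass(frozen=True)
class Periodic:
    """'periodic weekdays 8:00 to 20:00' as days, start minute and end minute."""
    days: frozenset[int]
    start: int  # minutes after midnight
    end: int    # end minute, treated as inclusive here (model assumption)

    def active(self, now: datetime | None) -> bool:
        # A router whose clock was never set has no valid time to compare
        # against, so the range never becomes active (modelled as now=None).
        if now is None or now.weekday() not in self.days:
            return False
        return self.start <= now.hour * 60 + now.minute <= self.end


@dataclass(frozen=True)
class Ace:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip' matches any protocol; otherwise 'tcp'/'udp'
    src: IPv4Network
    dst: IPv4Network
    dport: int | None = None    # 'eq <port>' on the destination
    time_range: str | None = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int | None = None


ANY = ip_network("0.0.0.0/0")

# ip access-list extended NO-SMTP from Example 4-44, expressed as data
NO_SMTP = [
    Ace("deny", "tcp", ANY, ANY, dport=25, time_range="no-SMTP"),
    Ace("permit", "ip", ANY, ANY),
]
TIME_RANGES = {"no-SMTP": Periodic(WEEKDAYS, 8 * 60, 20 * 60)}

# Constructed sample traffic: a VLAN_33 host talking to an outside mail server
# (server address assumed) and to a web server on the same outside network.
SMTP_PKT = Packet("tcp", "160.10.33.10", "172.16.1.25", dport=25)
HTTP_PKT = Packet("tcp", "160.10.33.10", "172.16.1.80", dport=80)

# 2024-01-10 is a Wednesday, 2024-01-13 a Saturday. None = clock never set.
SAMPLE_TIMES = {
    "Wed 10:00": datetime(2024, 1, 10, 10, 0),
    "Wed 21:00": datetime(2024, 1, 10, 21, 0),
    "Sat 10:00": datetime(2024, 1, 13, 10, 0),
    "clock not set": None,
}


def ace_matches(ace: Ace, pkt: Packet, ranges: dict[str, Periodic],
                now: datetime | None) -> bool:
    if ace.time_range is not None and not ranges[ace.time_range].active(now):
        return False  # entry is skipped while its time-range is inactive
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ace.src or ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl: list[Ace], pkt: Packet, ranges: dict[str, Periodic],
             now: datetime | None) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt, ranges, now):
            return ace.action
    return "deny"


if __name__ == "__main__":
    for label, when in SAMPLE_TIMES.items():
        print(f"{label:14} SMTP -> {evaluate(NO_SMTP, SMTP_PKT, TIME_RANGES, when):6} "
              f"HTTP -> {evaluate(NO_SMTP, HTTP_PKT, TIME_RANGES, when)}")
```

Running the block prints one line per sample time; the "clock not set" row shows SMTP permitted, which is exactly what the (inactive) flag in the show time-range output above means for the traffic the lab wants blocked.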

  • Configure R2 fa0/0 to prioritize security options on packets coming to this interface. Leave the level and authority as the default values.

If you configured this correctly as shown in Example 4-45, you have scored 2 points.

Example 4-45 shows the configuration that accomplishes the question's requirements. To enable the IP security options, use the ip security dedicated command. Level "unclassified" and authority "genser" are the default values. To prioritize the packets, configure the ip security first command.

Example 4-45. R2 IP Security Option (IPSO) Configuration
 R2#show run int fa0/0
 Building configuration...

 Current configuration : 160 bytes
 !
 interface FastEthernet0/0
  ip address 130.200.10.2 255.255.255.0
  ip security dedicated unclassified genser
  ip security first
 R2#

  • Configure Sw1 fa0/17 to allow only the host MAC address 0010.DE48.2223 to access the switch through this interface. If a security violation occurs, make the interface go to shutdown mode.

If you configured this correctly as shown in Example 4-46, you have scored 3 points.

The configuration in Example 4-46 is the minimum configuration needed to enable the port-security feature. Observe that to configure the shutdown option you do not need any extra command, because shutdown is the default violation mode.

Example 4-46. Sw1 Port-Security Configuration
 Sw1#show run int fa0/17
 Building configuration...

 Current configuration : 152 bytes
 !
 interface FastEthernet0/17
  switchport mode access
  switchport port-security
  switchport port-security mac-address 0010.de48.2223
  no ip address
 end
 Sw1#
 !
 !
 Sw1#show port-security int fa0/17
 Port Security              : Enabled
 Port status                : SecureUp
 Violation mode             : Shutdown
 Maximum MAC Addresses      : 1
 Total MAC Addresses        : 1
 Configured MAC Addresses   : 1
 Sticky MAC Addresses       : 0
 Aging time                 : 0 mins
 Aging type                 : Absolute
 SecureStatic address aging : Disabled
 Security Violation count   : 0
 Sw1#
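The following Python model is an added illustration of what the port-security configuration in Example 4-46 does to frames arriving on fa0/17; it is not part of the book or of Cisco IOS. It models the port with one static secure MAC and a maximum of 1, and goes beyond the lab by also modelling the two alternative IOS violation modes (restrict and protect) so the difference from the default shutdown mode is visible: in shutdown mode the first unknown source MAC err-disables the port and even the permitted host is cut off afterwards, whereas restrict and protect only drop the offending frames. The counter and status names follow the show port-security output above; the "Secure-shutdown" status string and the sample MAC addresses other than 0010.de48.2223 are constructed for this model.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed model of one access port running port-security.
# Illustration only, not Cisco code.

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"


@dataclass
class SecurePort:
    configured: frozenset[str]          # 'switchport port-security mac-address ...'
    maximum: int = 1                    # 'switchport port-security maximum' default
    violation_mode: str = SHUTDOWN      # IOS default, hence absent from Example 4-46
    learned: set[str] = field(default_factory=set)  # dynamically learned secure MACs
    violation_count: int = 0
    status: str = "SecureUp"

    def secure_addresses(self) -> frozenset[str]:
        return self.configured | self.learned

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        mac = src_mac.lower()
        if self.status == "Secure-shutdown":
            return "err-disabled"       # port stays down until an admin recovers it
        if mac in self.secure_addresses():
            return "forward"
        if len(self.secure_addresses()) < self.maximum:
            self.learned.add(mac)       # still room: learn the address as secure
            return "forward"
        # Unknown source MAC with the secure table full: a security violation.
        if self.violation_mode == PROTECT:
            return "drop"               # dropped silently, counter not incremented
        self.violation_count += 1       # restrict and shutdown both count the event
        if self.violation_mode == RESTRICT:
            return "drop"               # dropped, port stays up
        self.status = "Secure-shutdown" # err-disable: all traffic stops, even allowed MAC
        return "err-disabled"

    def show(self) -> dict[str, object]:
        """Subset of the 'show port-security interface' fields."""
        return {
            "Port status": self.status,
            "Violation mode": self.violation_mode.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_addresses()),
            "Configured MAC Addresses": len(self.configured),
            "Security Violation count": self.violation_count,
        }


def new_port_like_example(mode: str = SHUTDOWN) -> SecurePort:
    """Sw1 fa0/17 as configured in Example 4-46: one static MAC, maximum 1."""
    return SecurePort(configured=frozenset({"0010.de48.2223"}), violation_mode=mode)


if __name__ == "__main__":
    # Constructed frames: the permitted host, then a rogue device on the same port.
    frames = ["0010.DE48.2223", "0010.de48.ffff", "0010.de48.2223"]
    for mode in (SHUTDOWN, RESTRICT, PROTECT):
        port = new_port_like_example(mode)
        results = [port.receive(m) for m in frames]
        print(f"{mode:9} {results}  {port.show()}")
```

Note that in the default mode the third frame, from the legitimately configured host, is also blocked: the violation took the whole port down, which is the behaviour the lab asks for and the reason the violation is logged and counted.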




CCIE Routing and Switching Practice Labs
ISBN: 1587051478
Year: 2006
Pages: 268
