Section 9: Security (7 Points)


  • You are concerned that you cannot trust some users on VLAN_25. Configure the interfaces for R1 and R5 to authenticate the routing protocol updates through the LAN with the best authentication method.

If you configured this correctly as shown in Example 6-52, you have scored 2 points.

This is OSPF interface authentication using MD5 message digests (OSPF AuType 2), the strongest method available to OSPF in the IOS used for this lab and therefore the answer to "best authentication method". Each router appends a digest computed over the OSPF packet and the shared key to every packet it sends on VLAN_25; the key ID (1 here) and the key string must match on R1 and R5, and `area 25 authentication message-digest` turns the check on for every interface in the area. Authentication is introduced at this stage of the lab deliberately, as an exercise in something that can break your network: a mismatched key, key ID or authentication type prevents the adjacency from forming, and nothing tells you why unless you look. Check the result with `show ip ospf interface`, which should report "Message digest authentication enabled" and "Youngest key id is 1", and with `show ip ospf neighbor` for the R1-R5 adjacency; `debug ip ospf adj` reports authentication type and key mismatches. This requirement could also have been placed under the specific IGP section, but it has been left to this stage in the lab.

Example 6-52. R1 and R5 OSPF Interface Authentication
R1#sh run int e0/1
Building configuration...

Current configuration : 119 bytes
!
interface Ethernet0/1
 ip address 160.10.25.1 255.255.255.0
 ip ospf message-digest-key 1 md5 ccie
 half-duplex
end

R1#
R1#sh run | b router ospf
router ospf 1
 log-adjacency-changes
 area 25 authentication message-digest
!
R1#
________________________________________________________________
R5#sh run int fa0/1
Building configuration...

Current configuration : 135 bytes
!
interface FastEthernet0/1
 ip address 160.10.25.5 255.255.255.0
 ip ospf message-digest-key 1 md5 ccie
 duplex auto
 speed auto
end

R5#
R5#sh run | b router ospf
router ospf 1
 log-adjacency-changes
 area 25 authentication message-digest
!
R5#
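What `ip ospf message-digest-key 1 md5 ccie` actually puts on the wire is specified in RFC 2328 Appendix D. The following is an added example, not code from the book or from IOS: it builds a constructed OSPF Hello for the VLAN_25 segment using the addresses from Example 6-52 (the Hello body values are assumed), appends the MD5 digest the way the sender does, and then checks it the way the receiving neighbor does, including the key-ID lookup and the cryptographic sequence number that defends against replay. The digest is MD5 over the packet followed by the key zero-padded to 16 bytes, and is not counted in the OSPF length field.

```python
"""OSPFv2 cryptographic (MD5) authentication per RFC 2328 Appendix D.

Added example (not from the book). Sender side: build_hello(). Receiver
side: verify_hello(), which mirrors the checks a neighbor performs before
accepting a packet protected by `ip ospf message-digest-key N md5 ...`.
"""
import hashlib
import hmac
import socket
import struct

OSPF_HDR_LEN = 24      # fixed OSPFv2 header
AUTYPE_CRYPTO = 2      # AuType 2 = cryptographic authentication
DIGEST_LEN = 16        # MD5


def _pad_key(key: bytes) -> bytes:
    """RFC 2328 D.3: the key is used as a 16-byte value, zero padded."""
    return key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_hello(router_id, area_id, mask, key_id, key, seq,
                hello=10, dead=40, priority=1):
    """Constructed OSPF Hello (DR/BDR unknown) with the MD5 digest appended."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton(mask), hello, 0x02,
                       priority, dead, b"\x00" * 4, b"\x00" * 4)
    length = OSPF_HDR_LEN + len(body)           # digest is NOT counted here
    # Authentication field for AuType 2: 0 | Key ID | Auth Data Len | Seq#
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    # Checksum stays zero when cryptographic authentication is in use.
    header = struct.pack("!BBH4sIHH", 2, 1, length, socket.inet_aton(router_id),
                         area_id, 0, AUTYPE_CRYPTO) + auth
    packet = header + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_hello(frame, keys, last_seq):
    """Receiver-side check. `keys` maps key ID -> key bytes (the configured
    message-digest-key entries); `last_seq` maps router ID -> highest
    sequence number accepted so far (the neighbor data structure).
    Returns (accepted, reason)."""
    if len(frame) < OSPF_HDR_LEN:
        return False, "short packet"
    _ver, _type, length, rid, _area, _csum, autype = struct.unpack(
        "!BBH4sIHH", frame[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if autype != AUTYPE_CRYPTO:
        return False, "mismatch authentication type %d" % autype
    if auth_len != DIGEST_LEN or length < OSPF_HDR_LEN or len(frame) < length + DIGEST_LEN:
        return False, "bad auth data length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    expected = hashlib.md5(frame[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, frame[length:length + DIGEST_LEN]):
        return False, "digest mismatch"
    # Replay protection: RFC 2328 D.4.3 requires seq >= last accepted value
    rid_s = socket.inet_ntoa(rid)
    if seq < last_seq.get(rid_s, 0):
        return False, "replayed sequence %d" % seq
    last_seq[rid_s] = seq
    return True, "ok"


if __name__ == "__main__":
    state = {}
    pkt = build_hello("160.10.25.1", 25, "255.255.255.0", 1, b"ccie", 1000)
    print(verify_hello(pkt, {1: b"ccie"}, state))    # (True, 'ok')
    print(verify_hello(pkt, {1: b"cisco"}, state))   # digest mismatch
```

The two failure modes a lab candidate most often hits are visible here: a different key string on one side yields "digest mismatch", and a different key ID yields "unknown key id", since the receiver looks the key up by ID before it computes anything. A neighbor still running AuType 0 is rejected before the digest is even examined, which is what `debug ip ospf adj` reports as a mismatched authentication type.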

  • Configure R3, R5, and R6 to authenticate any routing updates on the IS-IS running on VLAN_22. Make this configuration on the interface level.

If you configured this correctly as shown in Example 6-53, you have scored 2 points.

Example 6-53. R3, R5, and R6 IS-IS Interface Authentication
R3#sh run int fa0/0
Building configuration...

Current configuration : 188 bytes
!
interface FastEthernet0/0
 ip address 160.10.22.3 255.255.255.0
 ip router isis
 isis password ccie
end

R3#
________________________________________________________________
R5#sh run int fa0/0
Building configuration...

Current configuration : 188 bytes
!
interface FastEthernet0/0
 ip address 160.10.22.5 255.255.255.0
 ip router isis
 isis password ccie
end

R5#
________________________________________________________________
R6#sh run int e0/0
Building configuration...

Current configuration : 172 bytes
!
interface Ethernet0/0
 ip address 160.10.22.6 255.255.255.0
 ip router isis
 isis password ccie
end

R6#
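`isis password ccie` satisfies the task as written, but it is the simple-password authentication of RFC 1195 (Authentication TLV type 10, authentication type 1): the password travels in cleartext in every IIH on VLAN_22, so anyone who can sniff the segment can read it and join the adjacency. Later IOS releases also offer HMAC-MD5 (RFC 5304, authentication type 54) through `isis authentication mode md5` and `isis authentication key-chain`. The following is an added example, not code from the book or from IOS: it builds a constructed L1 LAN IIH resembling the one R3 sends (system ID, area and TLV contents are assumed), protects it both ways, and shows what a capture reveals in each case and how the HMAC is verified.

```python
"""IS-IS Authentication TLV (type 10): cleartext password vs HMAC-MD5.

Added example (not from the book). The IIH layout follows ISO 10589; the
HMAC-MD5 procedure follows RFC 5304 (Authentication Value zeroed while the
HMAC is computed over the whole PDU; LSPs additionally zero checksum and
remaining lifetime, which an IIH does not have).
"""
import hashlib
import hmac
import struct

TLV_AUTH = 10
AUTH_CLEARTEXT = 1      # RFC 1195 simple password, what `isis password` sends
AUTH_HMAC_MD5 = 54      # RFC 5304
HDR_LEN = 27            # 8-byte common header + 19-byte LAN IIH header
PDU_LEN_OFF = 17        # PDU Length field inside the LAN IIH header


def _fix_len(pdu: bytes) -> bytes:
    """Rewrite the PDU Length field after TLVs were added."""
    return pdu[:PDU_LEN_OFF] + struct.pack("!H", len(pdu)) + pdu[PDU_LEN_OFF + 2:]


def build_iih(system_id: bytes, area: bytes, iface_ip: bytes) -> bytes:
    """Constructed L1 LAN IIH with ordinary TLVs and no authentication TLV."""
    # IRPD 0x83, header length, version/PID ext, ID length (0 = 6 bytes),
    # PDU type 15 (L1 LAN IIH), version, reserved, max area addresses
    common = bytes([0x83, HDR_LEN, 1, 0, 15, 1, 0, 0])
    # circuit type L1, source ID, holding time, PDU length (fixed later),
    # priority, LAN ID (DIS system ID + pseudonode number)
    lan_iih = struct.pack("!B6sHHB7s", 1, system_id, 30, 0, 64, system_id + b"\x01")
    tlvs = (bytes([1, len(area) + 1, len(area)]) + area      # Area Addresses
            + bytes([129, 1, 0xCC])                           # Protocols Supported: IPv4
            + bytes([132, 4]) + iface_ip)                     # IP Interface Address
    return _fix_len(common + lan_iih + tlvs)


def with_cleartext_auth(pdu: bytes, password: bytes) -> bytes:
    tlv = bytes([TLV_AUTH, 1 + len(password), AUTH_CLEARTEXT]) + password
    return _fix_len(pdu + tlv)


def with_hmac_md5_auth(pdu: bytes, key: bytes) -> bytes:
    pdu = _fix_len(pdu + bytes([TLV_AUTH, 17, AUTH_HMAC_MD5]) + b"\x00" * 16)
    mac = hmac.new(key, pdu, hashlib.md5).digest()   # computed with value = 0
    return pdu[:-16] + mac


def find_auth_tlv(pdu: bytes):
    """Walk TLVs after the header; return (auth_type, value, value_offset) or None."""
    off = pdu[1]                                     # header length indicator
    end = struct.unpack("!H", pdu[PDU_LEN_OFF:PDU_LEN_OFF + 2])[0]
    while off + 2 <= end:
        t, l = pdu[off], pdu[off + 1]
        if t == TLV_AUTH and l >= 1:
            return pdu[off + 2], pdu[off + 3:off + 2 + l], off + 3
        off += 2 + l
    return None


def sniff_password(pdu: bytes):
    """What a passive listener on the LAN learns: the password itself under
    `isis password`, nothing under HMAC-MD5."""
    found = find_auth_tlv(pdu)
    if found and found[0] == AUTH_CLEARTEXT:
        return found[1].decode("ascii", "replace")
    return None


def verify_hmac_md5(pdu: bytes, key: bytes) -> bool:
    found = find_auth_tlv(pdu)
    if not found or found[0] != AUTH_HMAC_MD5 or len(found[1]) != 16:
        return False
    _, received, off = found
    zeroed = pdu[:off] + b"\x00" * 16 + pdu[off + 16:]
    return hmac.compare_digest(hmac.new(key, zeroed, hashlib.md5).digest(), received)


if __name__ == "__main__":
    base = build_iih(bytes.fromhex("000000000003"), bytes.fromhex("490001"),
                     bytes([160, 10, 22, 3]))
    print(sniff_password(with_cleartext_auth(base, b"ccie")))   # ccie
    print(sniff_password(with_hmac_md5_auth(base, b"ccie")))    # None
```

Note that neither authentication type includes a sequence number, so unlike OSPF MD5 above, a captured HMAC-protected IIH can be replayed; what the HMAC prevents is forging or altering PDUs without the key. The practical check on the routers is `show clns neighbors` for the adjacency and `debug isis adj-packets`, which reports authentication failures.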

  • Configure Sw2 to permit only Telnet access from R3 with source address of 160.10.3.3. Also make sure that both successful and failed Telnet connections are logged.

This is an access list applied to the VTY lines of Sw2 with access-class in, so it filters the source addresses allowed to Telnet in rather than transit traffic. The log keyword on both the permit entry and the explicit deny any entry is what satisfies the logging requirement: the implicit deny at the end of every access list does not log, so without deny any log a failed attempt would be refused but leave no trace. The verification Telnets from R3 twice, once sourced from FastEthernet0/0 (160.10.22.3, refused and logged as denied) and once from Loopback0 (160.10.3.3, permitted and logged).

If you configured this correctly as shown in Example 6-54, you have scored 2 points.

Example 6-54. Sw2 Access List Configuration to Permit R3-lo0 Address
Sw2#sh run | b line vty 0 4
Building configuration...

Current configuration : 2633 bytes
!
!
!
ip access-list standard ccie
 permit 160.10.3.3 log
 deny   any log
!
!
line vty 0 4
 access-class ccie in
 exec-timeout 0 0
 password cisco
end

Sw2#
________________________________________________________________
R3#telnet 160.10.33.10 /source-interface fastEthernet 0/0
Trying 160.10.33.10 ...
% Connection refused by remote host

R3#
________________________________________________________________
Sw2#
5d05h: %SEC-6-IPACCESSLOGS: list ccie denied 160.10.22.3
!
Sw2#
________________________________________________________________
R3#telnet 160.10.33.10 /source-interface loopback 0
Trying 160.10.33.10 ... Open

User Access Verification

Password:
Sw2>
________________________________________________________________
Sw2#
5d05h: %SEC-6-IPACCESSLOGS: list ccie permitted 160.10.3.3 1 packet
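The behaviour behind Example 6-54, as an added example that is not code from the book or from IOS: a small evaluator for standard IOS access lists that parses entries in the form shown above, matches a source address with IOS wildcard-mask semantics (1 bits in the mask are "don't care"), and reports whether a syslog line results. It generalizes beyond the single-host list in the example to `host`, wildcard and `any` entries. The syslog text is modelled on the lines in the example; the 5-minute log summarization that real IOS applies after the first matching packet is not modelled. Running it against the lab's list with and without `deny any log` shows why the explicit entry is required.

```python
"""Standard IOS access list evaluation with logging, as used by access-class.

Added example (not from the book). First match wins; the implicit deny at
the end of every list matches whatever is left but never logs.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    address: int
    wildcard: int    # IOS wildcard mask: 1 bits are ignored in the match
    log: bool
    text: str        # original entry, for reporting


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_standard_acl(lines: List[str]) -> List[Ace]:
    """Parse `permit|deny {any | host A | A [wildcard]} [log]` entries.
    The `ip access-list standard NAME` header line and remarks are skipped."""
    aces = []
    for raw in lines:
        parts = raw.split()
        if not parts or parts[0] in ("!", "remark", "ip"):
            continue
        action, rest = parts[0], parts[1:]
        if action not in ("permit", "deny") or not rest:
            raise ValueError("not a standard ACL entry: %r" % raw)
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest[0] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            address, wildcard = _addr(rest[1]), 0
        else:
            address = _addr(rest[0])
            wildcard = _addr(rest[1]) if len(rest) > 1 else 0   # bare address = host
        aces.append(Ace(action, address, wildcard, log, raw.strip()))
    return aces


def evaluate(name: str, aces: List[Ace], source: str) -> Tuple[str, str, Optional[str]]:
    """Return (action, matched entry, syslog line or None) for one source address."""
    src = _addr(source)
    for ace in aces:
        care = ~ace.wildcard & 0xFFFFFFFF
        if (src & care) == (ace.address & care):
            line = None
            if ace.log:
                verb = "permitted" if ace.action == "permit" else "denied"
                line = "%%SEC-6-IPACCESSLOGS: list %s %s %s 1 packet" % (name, verb, source)
            return ace.action, ace.text, line
    return "deny", "<implicit deny>", None


# The list from Example 6-54 (constructed copy of the config text).
CCIE_ACL = [
    "ip access-list standard ccie",
    " permit 160.10.3.3 log",
    " deny   any log",
]

# The same list without the explicit deny: still blocks, no longer logs.
CCIE_ACL_NO_DENY_LOG = ["permit 160.10.3.3 log"]


if __name__ == "__main__":
    aces = parse_standard_acl(CCIE_ACL)
    for src in ("160.10.3.3", "160.10.22.3"):
        print(evaluate("ccie", aces, src))
    print(evaluate("ccie", parse_standard_acl(CCIE_ACL_NO_DENY_LOG), "160.10.22.3"))
```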




CCIE Routing and Switching Practice Labs
ISBN: 1587051478
Year: 2006
Pages: 268