
Solution

Configure Switch hostname as LOCAL-SWITCH

hostname LOCAL-SWITCH

Configure the message of the day as "Unauthorized access is forbidden"

banner motd #
Unauthorized access is forbidden#

Configure the password for privileged mode access as "cisco". The password must be MD5 encrypted

enable secret cisco

Configure password encryption on the switch using the global configuration command

service password-encryption

Configure CONSOLE access [...]

line con 0

password ciscoconsole
logging synchronous
login
history size 15
exec-timeout 6 45

Configure TELNET access [...]

line vty 0 15

exec-timeout 8 20
password ciscotelnet
logging synchronous
login
history size 15

Configure the IP address of the switch as 192.168.1.2/24 and its default gateway IP (192.168.1.1).

interface Vlan1

ip address 192.168.1.2 255.255.255.0

ip default-gateway 192.168.1.1

Packet Tracer lab 2 : Interfaces configuration

Last Updated: Friday, 22 July 2016 17:18

Lab instructions
This lab will test your ability to configure speed, duplex, and VLAN settings on Cisco switch interfaces.

1. Connect to Switch0 using the console interface and configure each Switch0 FastEthernet switchport for operation. Correct settings are :
- Port type : access port
- Speed : 100 Mbit/s
- Duplex mode : Full Duplex
- Autonegotiation disabled

2. PC "192.168.1.4" seems to be unable to ping other PCs in the network. Check the switch configuration.
TIP : How many broadcast domains are there in this network ?

3. Choose the right cable to connect :
- Switch0 gigabitethernet 1/1 to Switch1 gigabitethernet 1/1
- Switch1 gigabitethernet 1/2 to Switch2 gigabitethernet 1/2

4. Configure those two links as trunk lines without using trunk negotiation
between switches

Network diagram
Solution
Connect to Switch0 using the console interface and configure each Switch0 FastEthernet switchport for operation. Setting speed and duplex manually on a port disables autonegotiation, so the three commands below cover all four required settings.

Switch(config)#interface FastEthernet0/1
switchport mode access
duplex full
speed 100

Switch(config)#interface FastEthernet0/2
switchport mode access
duplex full
speed 100

Switch(config)#interface FastEthernet0/3
switchport mode access
duplex full
speed 100

Switch(config)#interface FastEthernet0/4
switchport mode access
duplex full
speed 100

PC "192.168.1.4" seems to be unable to ping other PCs in the network. Check the switch configuration.

The TIP points at the cause: the port is in a VLAN other than VLAN 1, so the PC sits in its own broadcast domain. Put the port back in VLAN 1 :

Switch(config)#interface FastEthernet0/4
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1

Choose the right cable to connect :
- Switch0 gigabitethernet 1/1 to Switch1 gigabitethernet 1/1
- Switch1 gigabitethernet 1/2 to Switch2 gigabitethernet 1/2

Configure those two links as trunk lines without using trunk negotiation between switches

On every interface that has to be configured for trunk operation, configure the
following settings

Switch(config)#interface GigabitEthernet1/X

Switch(config-if)#switchport mode trunk

Verify the interface operational mode using the "show interface GigabitEthernet1/X switchport" command :

Name: Gig1/2

Switchport: Enabled
Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Another useful IOS command is "show interfaces trunk" :

Switch#sh interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gig1/2      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gig1/2      1-1005

Port        Vlans allowed and active in management domain
Gig1/2      1

Port        Vlans in spanning tree forwarding state and not pruned
Gig1/2      1
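The "show interfaces switchport" output above reports "Negotiation of Trunking: On": a port configured with "switchport mode trunk" still sends DTP frames, and the lab asked for no trunk negotiation, which takes "switchport nonegotiate" on the port. The Python script below is an added example, not part of the original lab: it parses "show interfaces switchport" output and flags trunk ports that still negotiate; the Gig1/1 block in the sample is constructed for comparison.

```python
# Constructed sample input: the "show interfaces switchport" output quoted above for Gig1/2,
# followed by a constructed second port (Gig1/1) on which DTP has been turned off.
SAMPLE_OUTPUT = """\
Name: Gig1/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none

Name: Gig1/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
"""


def parse_switchport(output):
    """Split 'show interfaces switchport' output into one {field: value} dict per port."""
    ports = []
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or unstructured line
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {"Name": value}  # a new port block starts here
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports


def audit_trunks(ports):
    """Return (port, finding) pairs for trunk ports that do not meet the lab requirement:
    operationally trunking, dot1q encapsulation, and no trunk negotiation (DTP)."""
    findings = []
    for p in ports:
        name = p.get("Name", "?")
        if p.get("Administrative Mode") != "trunk":
            continue  # access ports are out of scope here
        if p.get("Operational Mode") != "trunk":
            findings.append((name, "configured as trunk but not operationally trunking"))
        if p.get("Operational Trunking Encapsulation") != "dot1q":
            findings.append((name, "unexpected trunk encapsulation"))
        if p.get("Negotiation of Trunking") == "On":
            # 'switchport mode trunk' alone keeps sending DTP frames; the lab asks for
            # no trunk negotiation, which needs 'switchport nonegotiate' on the port.
            findings.append((name, "DTP still On: add 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_trunks(parse_switchport(SAMPLE_OUTPUT)):
        print(f"{port}: {finding}")
```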

Packet Tracer lab 3 : VLAN and VTP

Last Updated: Friday, 22 July 2016 17:18

Lab instructions
The aim of this lab is to check your ability to configure VTP and VLAN on a small
network of four switches. This lab will help you to prepare your ICND1 exam.

1. Configure the VTP-SERVER switch as a VTP server

2. Connect to the 3 other switches and configure them as VTP clients. All links between switches must be configured as trunk lines.

3. Configure VTP domain name as "TESTDOMAIN" and VTP password as "cisco"

4. Configure VLAN 10 with name "STUDENTS" and VLAN 50 with name "SERVERS"

5. Check propagation on all switches of the VTP domain.

Network diagram

Solution
Configure the VTP-SERVER switch as a VTP server

VTP-SERVER(config)#vtp mode server

Verify the VTP configuration using the "show vtp status" command

VTP-SERVER#show vtp status
VTP Version :2
Configuration Revision :4
Maximum VLANs supported locally : 255
Number of existing VLANs :7
VTP Operating Mode : Server
VTP Domain Name : TESTDOMAIN
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
Configuration last modified by 192.168.1.1 at 3-1-93 00:27:41
Local updater ID is 192.168.1.1 on interface Vl1 (lowest numbered VLAN interface found)

Connect to the 3 other switches and configure them as VTP clients. All links between switches must be configured as trunk lines.

VTP-CLIENT3(config)#vtp mode client

Verify the VTP configuration using the "show vtp status" command

VTP-CLIENT3#sh vtp status
VTP Version :2
Configuration Revision :4
Maximum VLANs supported locally : 255
Number of existing VLANs :7
VTP Operating Mode : Client
VTP Domain Name : TESTDOMAIN
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
Configuration last modified by 192.168.1.1 at 3-1-93 00:27:41

Configure VTP domain name as "TESTDOMAIN" and VTP password as "cisco"

1. Configure each link between switches as a trunk line

interface GigabitEthernet1/1
switchport mode trunk

interface GigabitEthernet1/2
switchport mode trunk

2. On the server :

VTP-SERVER(config)#vtp domain TESTDOMAIN

VTP-SERVER(config)#vtp password cisco

3. On each client :

VTP-CLIENT1(config)#vtp password cisco

VTP-CLIENT1(config)#vtp domain TESTDOMAIN

Configure VLAN 10 with name "STUDENTS" and VLAN 50 with name "SERVERS"

On the VTP server switch, configure the following commands

VTP-SERVER(config)#vlan 10
VTP-SERVER(config-vlan)#name STUDENTS
VTP-SERVER(config)#vlan 50
VTP-SERVER(config-vlan)#name SERVERS

Check propagation on all switches of the VTP domain.

Use the "show vlan brief" command on each switch to check propagation of the 2 VLANs.

VTP-SERVER#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, [...]
10   STUDENTS                         active
50   SERVERS                          active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
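An added example (not part of the original lab) that automates step 5: it parses "show vtp status" output collected from each switch and compares the fields VTP propagates (domain, revision, VLAN count, MD5 digest) with the server's. The VTP-SERVER and VTP-CLIENT3 outputs are the ones quoted above; VTP-CLIENT1's output is constructed to show a switch that has not received the update.

```python
# Constructed sample input. VTP-SERVER and VTP-CLIENT3 are the 'show vtp status' outputs
# quoted above; VTP-CLIENT1 is a constructed switch that never received the update.
SERVER_STATUS = """\
VTP Version :2
Configuration Revision :4
Maximum VLANs supported locally : 255
Number of existing VLANs :7
VTP Operating Mode : Server
VTP Domain Name : TESTDOMAIN
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
Configuration last modified by 192.168.1.1 at 3-1-93 00:27:41
"""

STALE_CLIENT_STATUS = """\
VTP Version :2
Configuration Revision :2
Maximum VLANs supported locally : 255
Number of existing VLANs :5
VTP Operating Mode : Client
VTP Domain Name : TESTDOMAIN
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80
Configuration last modified by 192.168.1.1 at 3-1-93 00:20:00
"""

VTP_OUTPUTS = {
    "VTP-SERVER": SERVER_STATUS,
    # The client output on the page is identical to the server's apart from the mode line.
    "VTP-CLIENT3": SERVER_STATUS.replace("VTP Operating Mode : Server", "VTP Operating Mode : Client"),
    "VTP-CLIENT1": STALE_CLIENT_STATUS,
}

# Fields that must be identical on every switch once VTP has propagated the VLAN database.
PROPAGATED_FIELDS = ("VTP Domain Name", "Configuration Revision", "Number of existing VLANs", "MD5 digest")


def parse_vtp_status(output):
    """Turn 'show vtp status' output into a {field: value} dict (whitespace around ':' varies)."""
    status = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def check_propagation(outputs, server):
    """Compare each switch's VTP status with the server's.
    Returns (switch, problem) pairs; an empty list means the domain is consistent."""
    ref = parse_vtp_status(outputs[server])
    problems = []
    for name, text in outputs.items():
        if name == server:
            continue
        st = parse_vtp_status(text)
        for field in PROPAGATED_FIELDS:
            if st.get(field) != ref.get(field):
                problems.append((name, f"{field}: {st.get(field)!r} vs server {ref.get(field)!r}"))
        # A switch carrying a higher revision than the server overwrites the whole domain's
        # VLAN database when it joins, so it is flagged separately as the most serious case.
        if int(st.get("Configuration Revision", "0")) > int(ref.get("Configuration Revision", "0")):
            problems.append((name, "revision higher than the server's: it would overwrite the VLAN database"))
    return problems


if __name__ == "__main__":
    for switch, problem in check_propagation(VTP_OUTPUTS, "VTP-SERVER"):
        print(f"{switch}: {problem}")
```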

Packet Tracer lab 4 : Port security

Last Updated: Friday, 22 July 2016 17:19

Introduction
A growing challenge for network administrators is to be able to control who is allowed - and who isn't - to access the organization's internal network. This access control is mandatory for critical infrastructure protection in your network. It is not required on public parts of the network where guest users should be able to connect.

Port security is a Cisco feature implemented in Catalyst switches which helps network engineers implement network security on network boundaries. In its most basic form, the Port Security feature records the MAC address of the device connected to the switch edge port and allows only that MAC address to be active on that port. If any other MAC address is detected on that port, the port security feature shuts down the switch port. The switch can be configured to send an SNMP trap to a network monitoring solution to alert that the port is disabled for security reasons.

Lab instructions
This lab will test your ability to configure port security on Cisco 2960 switch interfaces.

1. Configure port security on interface Fa 0/1 of the switch with the following settings :
- Port security enabled
- Mode : restrict
- Allowed mac addresses : 3
- Dynamic mac address learning.

2. Configure port security on interface Fa 0/2 of the switch with the following settings :
- Port security enabled
- Mode : shutdown
- Allowed mac addresses : 3
- Dynamic mac address learning.

3. Configure port security on interface Fa 0/3 of the switch with the following settings :
- Port security enabled
- Mode : protect
- Static mac address entry : 00E0.A3CE.3236

4. From LAPTOP 1 :
- Try to ping 192.168.1.2 and 192.168.1.3. It should work.
- Try to ping 192.168.1.4 and 192.168.1.5. It should work.

5. Connect ROGUE laptop to the hub.
- Try to ping 192.168.1.1. It should work.
- Try to ping 192.168.1.4. It should fail.


Network diagram

Solution
Coming soon

Trademark notice : This web site and/or material is not affiliated with, endorsed by, or
sponsored by Cisco Systems, Inc. Cisco, Cisco Systems, Cisco IOS, CCNA, CCNP,
Networking Academy, Linksys are registered trademarks of Cisco Systems, Inc. or its
affiliates in the U.S. o

Packet Tracer lab 11 : HDLC configuration

Last Updated: Friday, 22 July 2016 17:20

Lab instructions
This lab will test your ability to configure HDLC on a serial link. Practicing these labs will help you get ready for your CCNA certification exam.

1. Use the connected laptops to find the DCE and DTE routers. You can connect
to the routers using CLI.
2. Configure the routers with the following parameters :
- Clock : 250000
- HDLC link between the routers
- DCE IP : 192.168.10.5/30
- DTE IP : 192.168.10.6/30

3. Check IP connectivity between the two routers using the ping command.

Network diagram

Packet Tracer lab 12 : PPP configuration

Last Updated: Friday, 22 July 2016 17:20

Lab instructions
This lab will test your ability to configure PPP on a serial link. Practicing these labs will help you get ready for your CCNA certification exam.

1. Use the connected laptops to find the DCE and DTE routers. You can connect
to the routers using CLI.

2. Configure the routers with the following parameters :
- Clock : 250000
- PPP link between the routers
- DCE IP : 192.168.10.5/30
- DTE IP : 192.168.10.6/30

3. Check IP connectivity between the two routers using the ping command.

Network diagram

Packet Tracer lab 16 : Clientless SSL VPN

Last Updated: Friday, 22 July 2016 17:21

Network diagram

Lab instructions
SSL VPN technology can be configured in three ways :
- Thin Client VPN
- SSL VPN Client
- Clientless SSL VPN (WebVPN)

Clientless SSL VPN is a technology allowing limited but secure access to internal network resources from any location using a web browser. No specific VPN client is needed: a remote user only needs an SSL-enabled web browser to access http- or https-enabled web servers on the internal network. This technology is available on the ASA 5505 firewall and has been implemented in the Packet Tracer 6.1 network simulator.
Firewall configuration to apply in this lab:

Outside IP : 192.168.1.1/24
Inside IP : 192.168.2.1/24
User login : test
User password : test.test
Website IP : site 1

Solution
1. Create the bookmark site1 to the URL http://192.168.2.3 on the ASA 5505
firewall

2. Apply the following configuration to the firewall :

interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
webvpn
enable outside
object network LAN
subnet 192.168.2.0 255.255.255.0
!
object network LAN
nat (inside,outside) dynamic interface
!
group-policy group1 internal
group-policy group1 attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value site1
username test password D35rLrqYJOMRHDCX encrypted
username test attributes
vpn-group-policy group1
!
!

Packet Tracer lab 17 - Site to site IPSEC VPN with ASA 5505

Last Updated: Friday, 22 July 2016 17:21

Network diagram

Lab download
Lab name : Lab 17 - Site to site IPSEC VPN with ASA 5505
Difficulty : Medium
Price : Free
Link :

Lab instructions
This lab will show you how to configure site-to-site IPSEC VPN using the new Packet Tracer 6.1 ASA 5505 firewall. By default, the ASA 5505 firewall denies traffic entering the outside interface if no explicit ACL has been defined to allow it. This default behaviour helps protect the enterprise network from the internet during the VPN configuration.

In this lab, a small branch office will be securely connected to the enterprise campus over the internet using a broadband DSL connection. No routing protocol traffic is needed between the two sites.

Campus addressing scheme :

Campus IP addresses : 172.16.0.0/17
- DC : 172.16.0.0/18
- Users : 172.16.64.0/20
- DMZ : 172.16.96.0/21
- Network devices : 172.16.252.0/23
- L3 P2p links : 172.16.254.0/24

Branch office 1 IP subnet : 172.16.129.0/24

Enterprise internet IP addresses : 134.95.56.16/28

IPSEC VPN configuration to apply :

- ESP Encryption : AES-256
- AH hash algorithm : SHA
- Pre shared key : SHAREDSECRET

Solution
ASA configuration
Campus network - ASA 5505 IPSEC VPN headend device configuration.

interface Vlan1
nameif inside
security-level 100
ip address 172.16.254.254 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address 134.95.56.17 255.255.255.240
!
object network BRANCH01_NETWORK
subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.129.0 255.255.255.0 134.95.56.18 1
route inside 172.16.0.0 255.255.128.0 172.16.254.253 1
!
access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object BRANCH_NETWORK object CAMPUS_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address BRANCH01_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.18
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 134.95.56.18 type ipsec-l2l
tunnel-group 134.95.56.18 ipsec-attributes
ikev1 pre-shared-key SHAREDSECRET
!

The ENTERPRISE_PRIVATE-TRAFFIC access-group is important to allow the IP traffic through the firewall from the remote subnets to the inside subnets. The traffic will be blocked by the ASA if this access-list is not configured and applied to the inside VLAN interface.

Branch office 1 - ASA 5505 remote device configuration

interface Vlan1
nameif inside
security-level 100
ip address 172.16.129.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 134.95.56.18 255.255.255.240
!
object network BRANCH01_NETWORK
subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.0.0 255.255.128.0 134.95.56.17 1
!
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address PRIVATE_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.17
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 134.95.56.17 type ipsec-l2l
tunnel-group 134.95.56.17 ipsec-attributes
ikev1 pre-shared-key SHAREDSECRET
!

Check the IPSEC tunnel establishment using show commands

Use "show crypto isakmp sa" to display the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) built between the two firewalls, and "show crypto ipsec sa" to check the IPSEC security associations and monitor encrypted traffic statistics.

ASA-CAMPUS-VPN#show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 134.95.56.18
    Type    : L2L             Role    : Initiator
    Rekey   : no              State   : QM_IDLE

There are no IKEv2 SAs

ASA-CAMPUS-VPN#show crypto ipsec sa
interface: outside
    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

      permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/6/0)
      remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/6/0)
      current_peer 134.95.56.18

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors 0, #recv errors 0

      local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0
      path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
      current outbound spi: 0x6386132D(1669731117)
      current inbound spi: 0x04B729EA(1669731117)

    inbound esp sas:
      spi: 0x04B729EA(79112682)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2007, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x6386132D(1669731117)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2008, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

      permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/1/0)
      remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/1/0)
      current_peer 134.95.56.18

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors 1, #recv errors 0

      local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0
      path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
      current outbound spi: 0x6386132D(1669731117)
      current inbound spi: 0x04B729EA(1669731117)

    inbound esp sas:
      spi: 0x04B729EA(79112682)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2007, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x6386132D(1669731117)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2008, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x00000001
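An added example, not part of the lab's own material, that reads the per-SA counters out of "show crypto ipsec sa" output: in the capture above the TCP SA only decapsulates (0 encaps, 6 decaps) and the ICMP SA only encapsulates (7 encaps, 0 decaps, 1 send error), the pattern of one-way traffic that is worth checking against the crypto ACLs and the ENTERPRISE_PRIVATE-TRAFFIC access-group on both ASAs. The sample input is abridged to the lines the parser reads.

```python
import re

# Constructed sample input, abridged from the 'show crypto ipsec sa' output quoted above
# (only the lines this parser reads are kept; the counters are the page's).
SAMPLE = """\
interface: outside
    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17
      permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/6/0)
      remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/6/0)
      current_peer 134.95.56.18
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
      #send errors 0, #recv errors 0
    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17
      permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/1/0)
      remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/1/0)
      current_peer 134.95.56.18
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors 1, #recv errors 0
"""

ENTRY_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr (\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(output):
    """One dict per crypto-map entry (each proxy-identity pair gets its own SA pair)."""
    entries = []
    cur = None
    for raw in output.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            entries.append(cur)
        elif cur is None:
            continue  # header lines before the first crypto map entry
        elif line.startswith("permit "):
            cur["acl"] = line  # the crypto ACL line this SA pair was built for
        elif line.startswith("local ident") or line.startswith("remote ident"):
            side = line.split()[0]
            cur[side + "_ident"] = line.split("): ", 1)[1]
        elif line.startswith("current_peer"):
            cur["peer"] = line.split()[1]
        else:
            for kind, count in COUNTER_RE.findall(line):
                cur[kind] = int(count)
            e = ERRORS_RE.match(line)
            if e:
                cur["send_errors"], cur["recv_errors"] = int(e.group(1)), int(e.group(2))
    return entries


def tunnel_health(entries):
    """Classify each SA pair from its counters. A pair that only encapsulates or only
    decapsulates carries one-way traffic; common causes are the crypto ACL, the
    access-group on the inside interface, routing or NAT on one of the two ASAs."""
    report = []
    for e in entries:
        if e["encaps"] and e["decaps"]:
            state = "bidirectional"
        elif e["encaps"]:
            state = "one-way (only sending)"
        elif e["decaps"]:
            state = "one-way (only receiving)"
        else:
            state = "idle"
        if e["send_errors"] or e["recv_errors"]:
            state += f", errors send={e['send_errors']} recv={e['recv_errors']}"
        report.append((e.get("acl", "?"), state))
    return report


if __name__ == "__main__":
    for acl, state in tunnel_health(parse_ipsec_sa(SAMPLE)):
        print(f"{acl}: {state}")
```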


Packet Tracer lab 19 - DPI with ASA 5505

Last Updated: Friday, 22 July 2016 17:22


Network diagram

Lab instructions
Configure the ASA firewall to allow HTTP traffic from the laptop (inside network) to the HTTP server located on the other side of the firewall. The traffic will be deeply inspected by the firewall to make sure it contains real HTTP instead of rogue traffic.

All communication from the outside to the inside network has to remain denied. Only the stateful sessions established from the inside network have to be allowed by the firewall.

The default interface and VLAN configuration is provided below. The default VLAN security levels have been manually added to the picture.

Lab Solution
The default ASA 5505 firewall behavior is to allow traffic to flow from interfaces with higher security levels ("inside" interfaces) to interfaces with lower security levels ("outside" interfaces), but to deny traffic the other way. Access-lists must be configured to allow traffic to flow from lower security levels to higher security levels.

Default ASA 5505 security levels :
- Inside vlan : Security level 100
- Outside vlan : Security level 0

Despite this default behavior, the simulated ASA 5505 available in Packet Tracer 6.1 does not allow the laptop to establish a working TCP connection with the HTTP server located in the outside network. The TCP SYN is allowed to flow from the laptop to the server, but the TCP ACK is blocked by the firewall.

The following configuration has to be applied to the firewall to establish a working TCP session between the laptop and the HTTP server. This configuration uses the Modular Policy Framework available in Cisco PIX/ASA products :

- Configure a class-map to define the traffic flow that has to be inspected
- Define a policy-map to define the particular policy that has to be applied to this traffic flow
- Assign the policy to a specific interface (inside interface in the lab)

class-map HTTP
 match default-inspection-traffic
policy-map TestPolicy
 class HTTP
  inspect http
service-policy TestPolicy interface inside

Lab 20 - CBAC traffic inspection with ISR router

Last Updated: Friday, 22 July 2016 17:22

CBAC tutorial
Cisco's Context-Based Access Control (CBAC) is a security component, similar to reflexive ACLs, available in ISR routers. This feature has been implemented in Packet Tracer since version 5.3.

CBAC enables dynamic modification of inbound access lists to allow some incoming flows even if a "deny any any" ACL has been implemented, by first inspecting and recording flows initiated from the protected internal network. The main difference with reflexive ACLs is that whereas reflexive ACLs act solely on L2-L4 protocol attributes, CBAC is able to inspect all the way to the application layer (layer 7), taking into consideration characteristics of a flow on a per-protocol (or context) basis.

Lab Topology
Lab instructions
Coming soon

Lab Solution
Step 1 : Activate security license on ISR 2911 routers

Router>enable

Router#configure terminal

Router(config)#license boot module c2900 technology-package securityk9

PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR

LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH

PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING

TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND

BY ALL THE TERMS SET FORTH HEREIN.

Use of this product feature requires an additional license from Cisco,


together with an additional payment. You may use this product feature

on an evaluation basis, without payment to Cisco, for 60 days. Your use

of the product, including during the 60 day evaluation period, is

subject to the Cisco end user license agreement

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

If you use the product feature beyond the 60 day evaluation period, you

must submit the appropriate payment to Cisco for the license. After the

60 day evaluation period, your use of the product feature will be

governed solely by the Cisco end user license agreement (link above),

together with any supplements relating to such product feature. The

above applies even if the evaluation license is not automatically

terminated and you do not receive any notice of the expiration of the

evaluation period. It is your responsibility to determine when the

evaluation period is complete and you are required to make payment to

Cisco for your use of the product feature beyond the evaluation period.

Your acceptance of this agreement for the software features on one

product shall be deemed your acceptance with respect to all such

software on all Cisco products you purchase which includes the same

software. (The foregoing notwithstanding, you must purchase a license

for each software feature you use past the 60 days evaluation period,

so that if you enable a software feature on 1000 devices, you must

purchase 1000 licenses for use past the 60 day evaluation period.)

Activation of the software command line interface will be evidence of

your acceptance of this agreement.

ACCEPT? [yes/no]: yes

% use 'write' command to make license boot config take effect on next boot
%IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C2900 Next reboot level = securityk9 and License = securityk9

%LICENSE-6-EULA_ACCEPTED: EULA for feature securityk9 1.0 has been accepted. UDI=CISCO2911/K9:FTX1524PCPQ; StoreIndex=0:Evaluation License Storage

Router(config)#exit

Router#

%SYS-5-CONFIG_I: Configured from console by console

Router#write

Building configuration...

[OK]

Router#reload

Router>enable

Router#show license feature

Feature name   Enforcement  Evaluation  Subscription  Enabled  RightToUse
ipbasek9       no           no          no            yes      no
securityk9     yes          yes         no            yes      yes
datak9         yes          no          no            no       yes
uck9           yes          yes         no            no       yes

Router#

Step 2 : Configure DHCP and NAT on Router 1

Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.9
Router(config)#ip dhcp pool LAN
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.1.1
Router(config)#interface GigabitEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config)#interface GigabitEthernet0/2
Router(config-if)#ip address 46.20.146.1 255.255.255.252
Router(config-if)#ip nat outside
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)#ip nat inside source list 1 interface GigabitEthernet0/2 overload

Step 3 : Configure inbound ACL and CBAC on outbound traffic

Configure and apply inbound ACL

Router(config)#ip access-list extended DENY_ANY
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#exit
Router(config)#int gigabitEthernet 0/2
Router(config-if)#ip access-group DENY_ANY in

Configure CBAC

Router(config)#ip inspect name ALLOWED_TRAFIC http audit-trail on
Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip inspect ALLOWED_TRAFIC out

Verify CBAC (ip inspect) configuration

Router#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name ALLOWED_TRAFIC
    http alert is on audit-trail is on timeout 3600
Interface Configuration
 Interface GigabitEthernet0/2
  Inbound inspection rule is not set
  Outgoing inspection rule is ALLOWED_TRAFIC
    http alert is on audit-trail is on timeout 3600
  Inbound access list is DENY_ANY
  Outgoing access list is not set
Router#

