Category archive: CCNA

Securing management access: only SSH allowed

As all IT people are aware, it is extremely important to secure the data we send over the network, whether it is a normal file transfer or management traffic to our network devices.

The goal of this configuration is to secure management access by using SSH instead of telnet, which sends the traffic in clear text.

First we need a bit of basic configuration: hostname, domain name and a local admin user.

hostname router
ip domain-name example.org
!
username cisco privilege 15 secret cisco

Based on the hostname and domain name, we can tell the Cisco IOS device to generate an RSA key pair. SSH uses this key to secure management traffic between the management PC and the device.

crypto key generate rsa modulus 2048

Besides requiring SSH, the goal is not to log in with the local admin user, so an AAA login method list is needed that asks a RADIUS server to authenticate the management users. If the RADIUS servers are down, the fallback is the local user database.

aaa new-model
!
aaa authentication login default local
! method list used by the VTY lines: ask the RADIUS server group first, fall back to the local database
aaa authentication login Radius-Auth group RWGROUP-Auth local
!
aaa group server radius RWGROUP-Auth
 server name Server1
 server name Server2
!
radius server Server1
 address ipv4 10.1.1.2 auth-port 1645 acct-port 1646
 key xxxxx
!
radius server Server2
 address ipv4 10.2.2.2 auth-port 1645 acct-port 1646
 key xxxxx
!
ip radius source-interface Vlan500

The last thing needed is the configuration of the VTY lines. This can be made even more secure by applying the access-class command to restrict which networks are allowed to reach the VTY lines.

line vty 0 4
 login authentication Radius-Auth
 transport input ssh
line vty 5 15
 login authentication Radius-Auth
 transport input ssh

To use access-class, an ACL is needed that permits the IP subnet from which management traffic will come. In this example there is only one class B subnet.

access-list 10 permit 10.3.0.0 0.0.255.255

Under the VTY lines the ACL is then applied inbound with access-class.

line vty 0 4
 access-class 10 in
line vty 5 15
 access-class 10 in
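To check that a device actually ends up with the settings described above (SSH only, an access-class on every VTY block, and a login method list that exists), the following Python audits a running-config text. It is an added example, not code from the original post; the sample config is constructed and its second VTY block is deliberately left incomplete so the checks have something to report.

```python
import re

# Constructed sample running-config (not from the post): vty 5 15 still allows
# telnet and has no access-class, so the audit should flag it.
SAMPLE_CONFIG = """\
hostname router
aaa new-model
aaa authentication login Radius-Auth group RWGROUP-Auth local
access-list 10 permit 10.3.0.0 0.0.255.255
line vty 0 4
 login authentication Radius-Auth
 access-class 10 in
 transport input ssh
line vty 5 15
 login authentication Radius-Auth
 transport input telnet ssh
"""

def vty_blocks(config):
    """Return [(range, [sub-commands])] for every 'line vty' block in the config."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty "):
            current = (line[len("line vty "):].strip(), [])
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None          # '!' or a top-level command ends the block
    return blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model is not enabled")
    method_lists = set(re.findall(r"^aaa authentication login (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    for rng, cmds in vty_blocks(config):
        transport = [c for c in cmds if c.startswith("transport input ")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"vty {rng}: transport input is not restricted to ssh")
        access = [c.split()[1] for c in cmds if c.startswith("access-class ")]
        if not access:
            findings.append(f"vty {rng}: no access-class applied")
        elif access[-1] not in acls:
            findings.append(f"vty {rng}: access-class references undefined ACL {access[-1]}")
        auth = [c.split()[2] for c in cmds if c.startswith("login authentication ")]
        if auth and auth[-1] not in method_lists:
            findings.append(f"vty {rng}: login authentication list {auth[-1]} is not defined")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the two problems on vty 5 15; paste the output of `show running-config` in place of the sample to audit a real device.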

Subnetting Sheet

During my studies for CCNA and CCNP I was introduced to the following table.
In the exams your time can be very limited; using this sheet will help you answer the subnetting questions a lot faster. The Boundary row is the block size (the increment between subnet addresses) in that octet, and the Class B and Class C rows count how many subnets a default /16 or /24 network is split into.

NB! You should still be able to calculate subnets without this!

                |----------------- 3rd octet ------------------||----------------- 4th octet ------------------|
Bits                 1     2     3     4     5     6     7     8     1     2     3     4     5     6     7     8
Mask               128   192   224   240   248   252   254   255   128   192   224   240   248   252   254   255
CIDR               /17   /18   /19   /20   /21   /22   /23   /24   /25   /26   /27   /28   /29   /30   /31   /32
Boundary           128    64    32    16     8     4     2     1   128    64    32    16     8     4     2     1
Class B subnets      2     4     8    16    32    64   128   256   512  1024  2048  4096  8192 16384     -     -
Class C subnets      -     -     -     -     -     -     -     -     2     4     8    16    32    64     -     -
Available hosts  32766 16382  8190  4094  2046  1022   510   254   126    62    30    14     6     2     -     -
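The sheet is a lookup of values that all follow from the prefix length, so, as an added example (not from the original page), the following Python derives every column for any prefix from /17 to /32 and applies the Boundary (block size) method the sheet is used for in an exam, cross-checking the result against the standard library.

```python
import ipaddress

# Added example: each sheet column computed from the prefix length, plus the
# block-size method for finding network and broadcast addresses by hand.

def sheet_row(prefix):
    """Sheet columns for /17../32: (octet, bit, mask, boundary, class_b_subnets, class_c_subnets, hosts)."""
    if not 17 <= prefix <= 32:
        raise ValueError("the sheet covers /17 to /32")
    octet = 3 if prefix <= 24 else 4
    bit = prefix - (16 if octet == 3 else 24)          # position 1..8 inside that octet
    mask = (0xFF << (8 - bit)) & 0xFF                  # bit 3 -> 224, bit 8 -> 255
    boundary = 256 - mask                              # block size in that octet
    class_b = 2 ** (prefix - 16) if prefix <= 30 else None
    class_c = 2 ** (prefix - 24) if 25 <= prefix <= 30 else None
    hosts = 2 ** (32 - prefix) - 2 if prefix <= 30 else None
    return octet, bit, mask, boundary, class_b, class_c, hosts

def subnet_by_boundary(ip, prefix):
    """Network and broadcast found the exam way: round the interesting octet
    down to a multiple of the boundary, then fill the remaining octets."""
    octet, _, _, boundary, *_ = sheet_row(prefix)
    parts = [int(p) for p in ip.split(".")]
    idx = octet - 1
    parts[idx] -= parts[idx] % boundary
    network = parts[:idx + 1] + [0] * (3 - idx)
    broadcast = parts[:idx] + [parts[idx] + boundary - 1] + [255] * (3 - idx)
    return ".".join(map(str, network)), ".".join(map(str, broadcast))

def agrees_with_stdlib(ip, prefix):
    """Cross-check the boundary method against the ipaddress module."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return subnet_by_boundary(ip, prefix) == (str(net.network_address), str(net.broadcast_address))
```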

DNS Subnet ordering

In bigger networks today there may be multiple VLANs.

Example:

VLAN ID   VLAN Name         IP Subnet
10        Server-VLAN-1     10.10.10.0 /24
11        Clients-VLAN-1    10.10.11.0 /24
12        Clients-VLAN-2    10.10.12.0 /24
13        WIFI-VLAN-1       10.10.13.0 /24

If a Windows Active Directory server is installed in the server VLAN, then by default it only treats clients within its own subnet as local, e.g. when a client asks for the domain itself through nslookup.

To get the DNS server to treat all the above subnets as local, a registry key has to be modified.
As we have 4 class C subnets we can use the table below to find the needed value for the registry key. In this example it will be 0x000003FF.

The easy way to make the change is to open a CMD as admin and run the command:

Dnscmd /Config /LocalNetPriorityNetMask 0x000003FF

After a successful change the server needs to be rebooted.

Syntax: Dnscmd /Config /LocalNetPriorityNetMask <LocalPriorityNet>

NetMask            Binary                                CIDR   Comments                  LocalPriorityNet

255.255.255.255    11111111.11111111.11111111.11111111   /32    Host (single address)     0x00000000
255.255.255.254    11111111.11111111.11111111.11111110   /31    Unusable                  0x00000001
255.255.255.252    11111111.11111111.11111111.11111100   /30    2 usable                  0x00000003
255.255.255.248    11111111.11111111.11111111.11111000   /29    6 usable                  0x00000007
255.255.255.240    11111111.11111111.11111111.11110000   /28    14 usable                 0x0000000F
255.255.255.224    11111111.11111111.11111111.11100000   /27    30 usable                 0x0000001F
255.255.255.192    11111111.11111111.11111111.11000000   /26    62 usable                 0x0000003F
255.255.255.128    11111111.11111111.11111111.10000000   /25    126 usable                0x0000007F
255.255.255.0      11111111.11111111.11111111.00000000   /24    "Class C", 254 usable     0x000000FF

255.255.254.0      11111111.11111111.11111110.00000000   /23    2 Class C's               0x000001FF
255.255.252.0      11111111.11111111.11111100.00000000   /22    4 Class C's               0x000003FF
255.255.248.0      11111111.11111111.11111000.00000000   /21    8 Class C's               0x000007FF
255.255.240.0      11111111.11111111.11110000.00000000   /20    16 Class C's              0x00000FFF
255.255.224.0      11111111.11111111.11100000.00000000   /19    32 Class C's              0x00001FFF
255.255.192.0      11111111.11111111.11000000.00000000   /18    64 Class C's              0x00003FFF
255.255.128.0      11111111.11111111.10000000.00000000   /17    128 Class C's             0x00007FFF
255.255.0.0        11111111.11111111.00000000.00000000   /16    "Class B"                 0x0000FFFF

255.254.0.0        11111111.11111110.00000000.00000000   /15    2 Class B's               0x0001FFFF
255.252.0.0        11111111.11111100.00000000.00000000   /14    4 Class B's               0x0003FFFF
255.248.0.0        11111111.11111000.00000000.00000000   /13    8 Class B's               0x0007FFFF
255.240.0.0        11111111.11110000.00000000.00000000   /12    16 Class B's              0x000FFFFF
255.224.0.0        11111111.11100000.00000000.00000000   /11    32 Class B's              0x001FFFFF
255.192.0.0        11111111.11000000.00000000.00000000   /10    64 Class B's              0x003FFFFF
255.128.0.0        11111111.10000000.00000000.00000000   /9     128 Class B's             0x007FFFFF
255.0.0.0          11111111.00000000.00000000.00000000   /8     "Class A"                 0x00FFFFFF

254.0.0.0          11111110.00000000.00000000.00000000   /7                               0x01FFFFFF
252.0.0.0          11111100.00000000.00000000.00000000   /6                               0x03FFFFFF
248.0.0.0          11111000.00000000.00000000.00000000   /5                               0x07FFFFFF
240.0.0.0          11110000.00000000.00000000.00000000   /4                               0x0FFFFFFF
224.0.0.0          11100000.00000000.00000000.00000000   /3                               0x1FFFFFFF
192.0.0.0          11000000.00000000.00000000.00000000   /2                               0x3FFFFFFF
128.0.0.0          10000000.00000000.00000000.00000000   /1                               0x7FFFFFFF
0.0.0.0            00000000.00000000.00000000.00000000   /0     Whole IPv4 space          0xFFFFFFFF
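As an added example (not from the original post), the following Python computes the LocalPriorityNet value for the VLAN list from the example instead of reading it off the table, and models which client and record addresses the server then treats as local. It also surfaces an alignment detail the table hides: 10.10.10.0 to 10.10.13.0 straddle a /22 boundary (10.10.8.0/22 and 10.10.12.0/22), so a single block covering all four is 10.10.8.0/21, giving 0x000007FF; 0x000003FF covers four class C subnets only when the first one starts on a multiple of 4 in the third octet.

```python
import ipaddress

# Added example (not from the original post). The VLAN list is the one from the
# example above; the value is derived the same way the table does it, but the
# code also checks that the subnets actually fit inside one aligned block.
VLAN_SUBNETS = ["10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]

def local_priority_net(prefix):
    """LocalPriorityNet is the inverted netmask (the host bits): /22 -> 0x000003FF."""
    return (1 << (32 - prefix)) - 1

def covering_prefix(subnets):
    """Longest prefix whose single aligned block contains every listed subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    prefix = min(n.prefixlen for n in nets)
    while prefix > 0:
        block = nets[0].supernet(new_prefix=prefix)
        if all(n.subnet_of(block) for n in nets):
            return prefix
        prefix -= 1
    return 0                                  # only 0.0.0.0/0 covers them all

def same_priority_net(addr_a, addr_b, value):
    """Model of the server's test: two addresses are 'local' to each other when
    they match after the host bits given by LocalPriorityNet are masked out."""
    keep = 0xFFFFFFFF ^ value
    return (int(ipaddress.ip_address(addr_a)) & keep) == (int(ipaddress.ip_address(addr_b)) & keep)

def dnscmd_line(subnets):
    """The command to run, with the value formatted like the table."""
    value = local_priority_net(covering_prefix(subnets))
    return f"Dnscmd /Config /LocalNetPriorityNetMask 0x{value:08X}"
```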