Securing My Network Devices using Cisco Packet Tracer

Graham312ng
7 min read · Feb 5, 2024



This project walks through building a network topology in Cisco Packet Tracer. Along the way we will set passwords on the switches and the router, get PCs in different VLANs talking to each other through the router, configure DHCP on the router, and finally protect the switch ports from unauthorised devices with port security.

Learning Objectives

· Create a network topology using Cisco Packet Tracer.

· Apply authentication to the switches in the network topology.

· Apply authentication to the router in the network topology.

· Make PCs in different VLANs communicate with each other.

· Configure DHCP on the router and secure the ports of the switch from attackers.

Project Structure

The project is divided into 5 tasks:

· Building the network topology

· Authenticate the switches

· Authenticate the router

· Communication between PCs from different VLANs

· Configuring DHCP on the router and securing the ports of the switch.

Task 1: Building the network topology

This is a simple topology of two PCs and a switch. First, we drag two PCs from End Devices and a switch from Network Devices onto the workspace, then pick the automatic connection cable, which chooses the right cable type and connects each PC to the switch, as seen below:

That completes the first topology. We now build a second one the same way, so that Task 2 has two switches to connect.

Task 2: Authenticate the switches

In this task, we will apply authentication to the switches. Using the topology created in Task 1, we first connect the two switches with the connection cable.

Now we authenticate the switch. Authentication is the process of checking that the credentials a user presents match those held in the database of authorised users before access is granted. We apply it here by putting a password on privileged EXEC mode, because that is where the commands that can change or damage the configuration live.

To do this, click on the switch, open the CLI tab, press Enter and type the following commands:

Switch>en {enable: enter privileged EXEC mode}

Switch#conf t {configure terminal: enter global configuration mode}

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#enable password password {set the privileged EXEC password, here literally "password"}

enable password stores the password in the running-config as clear text (type 0), so it is only a starting point. To replace it with a hashed password, type exit to leave configuration mode, exit again to leave privileged EXEC mode, then en again (the switch now asks for the password we just set, which confirms it works) and enter the commands below:

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#no enable password

Switch(config)#enable secret password

In show running-config the line now reads enable secret 5 followed by a salted MD5 hash instead of the clear-text password. enable secret also takes precedence over enable password whenever both are set, which is why we removed the latter first.

We will run the same command on the other switch as well.

Now we have learnt how to authenticate the switches in our topology.

Task 3: Authenticating the router

In this task, we will apply authentication to the router. Our topology needs a router, so first we delete the link between the two switches, add a router from Network Devices, and connect it to both switches with the connection cable.

Run the commands below to require a password on the router's console line:

Router>en

Router#config t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#line console 0

Router(config-line)#login

% Login disabled on line 0, until ‘password’ is set

Router(config-line)#password password

The console password only guards user EXEC mode (the Router> prompt) and is stored in clear text in the running-config. To protect privileged EXEC mode with a hashed password, as we did on the switches, we also set an enable secret:

Router>en

Router#config t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#enable secret password

(service password-encryption would obscure the console password as well, but only as reversible type 7, so it is no substitute for an enable secret.)
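Why enable secret rather than enable password, and why service password-encryption is not a fix: the Python script below, added here as an illustration and not part of the original lab, shows that a Cisco type 7 password is a fixed-key XOR that anyone who can read the running-config reverses in microseconds, while a type 5 secret is a salted MD5 hash that cannot be decoded and has to be guessed. The function names, the sample config lines and the type 5 hash value are all constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# The fixed XOR key that every IOS device uses for "type 7" passwords. It has
# been public for decades, which is why type 7 is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def encode_type7(plaintext: str, seed: int = 9) -> str:
    """Produce a type 7 string the way `service password-encryption` does.

    The first two characters are a decimal offset (0-15) into TYPE7_KEY; each
    following hex pair is one plaintext byte XORed with the next key byte.
    """
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(
        b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
        for i, b in enumerate(plaintext.encode())
    )
    return f"{seed:02d}{body.hex().upper()}"


def decode_type7(encoded: str) -> str:
    """Recover the plaintext from a type 7 string; no secret is needed."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(
        b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body)
    ).decode()


def recover_enable_credentials(config: str) -> List[Tuple[str, str, Optional[str]]]:
    """Scan a running-config for enable password/secret lines.

    Returns (command, storage type, recovered plaintext or None). Type 0 is
    clear text and type 7 is reversible; type 5 (salted MD5) is not
    recoverable by decoding and would have to be brute-forced.
    """
    found: List[Tuple[str, str, Optional[str]]] = []
    pattern = re.compile(r"^enable (password|secret)(?: (\d+))? (\S+)$", re.M)
    for m in pattern.finditer(config):
        cmd, ptype, value = m.group(1), m.group(2) or "0", m.group(3)
        if ptype == "0":
            plain: Optional[str] = value
        elif ptype == "7":
            plain = decode_type7(value)
        else:
            plain = None
        found.append((f"enable {cmd}", ptype, plain))
    return found


# Constructed sample: the lines `show running-config` would print for a device
# that set `enable password cisco` under `service password-encryption` and then
# an `enable secret`. The hash is a sample value, not taken from the lab above.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 094F471A1A0A
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
"""

if __name__ == "__main__":
    for cmd, ptype, plain in recover_enable_credentials(SAMPLE_CONFIG):
        shown = plain if plain else "hashed (not recoverable by decoding)"
        print(f"{cmd:16} type {ptype}: {shown}")
```

Running it prints the type 7 line decoded back to cisco and the type 5 line marked as hashed, which is the whole argument for no enable password followed by enable secret: the one that survives a leaked config is the hashed one.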

Task 4: Communications between PCs

In this task, we make PCs in different VLANs communicate with each other. First, we assign static IP addresses to the PCs; VLAN 10 uses 10.10.10.0/24 and VLAN 20 uses 10.10.20.0/24:

To check that the PCs can reach each other, open PC0, go to Command Prompt and run: ping 10.10.10.2

Both PCs in the same VLAN communicate. Now we try a PC in the other VLAN by running ping 10.10.20.1

The ping fails, as the screenshot shows: the two VLANs are separate broadcast domains on different subnets, so traffic between them must pass through a router. We fix this by configuring the switch ports (access ports for the PCs, a trunk towards the router) and the router.

First, on Switch 0, we run the commands below:

Switch>en

Password:

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#int fa0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 10

% Access VLAN does not exist. Creating vlan 10

Switch(config-if)#int fa0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 10

Switch(config-if)#int fa0/3

Switch(config-if)#switchport mode trunk

Switch(config-if)#

On Switch 1, we run the below:

Switch>en

Password:

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#int fa0/3

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 20

% Access VLAN does not exist. Creating vlan 20

Switch(config-if)#int fa0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 20

Switch(config-if)#int fa0/1

Switch(config-if)#switchport mode trunk

Switch(config-if)#

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

And on the router, we run the below:

User Access Verification

Password:

Router>en

Password:

Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#int gig 0/1

Router(config-if)#no shut

Router(config-if)#

%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

Router(config-if)#int gig0/1.20

Router(config-subif)#

%LINK-5-CHANGED: Interface GigabitEthernet0/1.20, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1.20, changed state to up

Router(config-subif)#encapsulation dot1q 20

Router(config-subif)#ip address 10.10.20.254 255.255.255.0

Router(config-subif)#

The screenshots only show the VLAN 20 side. For the ping to succeed, the router also needs an address in 10.10.10.0/24 on the interface facing Switch 0 (on a subinterface with encapsulation dot1q 10, since Switch 0's uplink is a trunk), and each PC's default gateway must be set to its VLAN's router address. With that in place we test PC0 to PC2 again by running ping 10.10.20.1

Both PCs can now communicate despite being on different VLANs.

Task 5: Configuring DHCP on the router and secure the ports of the switch

In this task, we configure DHCP on the router and secure the ports of the switches.

There are two ways of assigning IP addresses: statically, where the network admin types the address into each host, or dynamically, where the host requests one using DHCP (Dynamic Host Configuration Protocol). To hand out addresses dynamically, click on the router and run:

Router>en

Password:

Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#ip dhcp pool 1

Router(dhcp-config)#network 10.10.10.0 255.255.255.0

Router(dhcp-config)#exit

We can confirm this by opening any PC in VLAN 10 (the subnet the pool covers), choosing DHCP on its IP Configuration tab and watching an address from 10.10.10.0/24 appear. Note that this pool hands out an address and mask only: add a default-router line with the router's VLAN 10 address so clients get a gateway, and create a second pool for 10.10.20.0/24 if VLAN 20 hosts should use DHCP too (the router answers each request from the pool whose network matches the interface it arrived on).

However, if an attacker gets physical access to the network and plugs in another device, as shown below, the switch forwards its traffic like any other host's.

To stop such unauthorised access, we enable port security on the switch port the PC is connected to:

Switch>en

Password:

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#int fa0/2

Switch(config-if)#switchport port-security (enable port security on this interface; it must already be an access port)

Switch(config-if)#switchport port-security maximum 1 (allow only one MAC address on the port; 1 is also the default)

Switch(config-if)#switchport port-security violation shutdown (on a violation the port itself goes into err-disabled state and stops forwarding; this is also the default)

Switch(config-if)#switchport port-security mac-address sticky (the switch learns the MAC address of the first device seen on the port and saves it in the running-config as the allowed address, so run this while the legitimate PC, not the attacker, is connected)

Switch(config-if)#

We now connect the unauthorised laptop again and try to reach PC0.

The screenshot shows no reply from PC0 this time: the laptop's frames carry a MAC address other than the one the port learned, which is a violation, so the port was shut down (err-disabled) and the attacker gets nothing from the PC or the rest of the network. An err-disabled port stays down until an administrator runs shutdown then no shutdown on it (or errdisable recovery is configured), so check show port-security interface fa0/2 after testing. We configure the other access ports the same way to keep unauthorised devices off the network.
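Since maximum 1 and violation shutdown are defaults and do not appear in show running-config, it is easy to lose track of which ports are actually secured once the topology grows. The Python script below, added here as an example and not part of the original lab, parses a running-config and reports the gaps this article's tasks are meant to close: no enable secret, a leftover enable password, a console line without login and password, and access ports with no port security. The sample config, the MAC address, the hash value and the function names are constructed for the example; the general stanza parsing works on any IOS-style running-config.

```python
import re
from typing import Dict, List

# Constructed sample of what Switch 0's `show running-config` could contain
# after Tasks 2, 4 and 5. Built for this example, not captured from the lab.
# `switchport port-security maximum 1` and `violation shutdown` are the IOS
# defaults, so they are not printed even though they were typed.
SAMPLE_RUNNING_CONFIG = """\
hostname Switch0
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.9631.2A4B
!
interface FastEthernet0/3
 switchport mode trunk
!
interface FastEthernet0/4
 switchport mode access
 shutdown
!
line con 0
 password cisco
 login
!
"""

STICKY_RE = re.compile(r"switchport port-security mac-address sticky ([0-9A-Fa-f.]+)")


def parse_stanzas(config: str) -> Dict[str, List[str]]:
    """Map each top-level config line to its indented sub-lines.

    IOS prints a stanza as an unindented header (`interface ...`, `line con 0`)
    followed by space-indented lines; a `!` or the next header ends it.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif raw.strip() and raw.strip() != "!":
            current = raw.strip()
            stanzas[current] = []
        else:
            current = None
    return stanzas


def audit_switch_config(config: str) -> List[str]:
    """Return one finding per gap the tasks above are meant to close."""
    stanzas = parse_stanzas(config)
    findings: List[str] = []

    if not any(h.startswith("enable secret ") for h in stanzas):
        findings.append("global: no 'enable secret'; privileged EXEC has no hashed password")
    if any(h.startswith("enable password ") for h in stanzas):
        findings.append("global: 'enable password' present (clear text or reversible type 7); remove it")

    console = stanzas.get("line con 0", [])
    if "login" not in console or not any(l.startswith("password ") for l in console):
        findings.append("line con 0: console does not prompt for a password (needs 'password' and 'login')")

    for header, body in stanzas.items():
        if not header.startswith("interface "):
            continue
        name = header[len("interface "):]
        if "shutdown" in body:  # administratively down ports are not an entry point
            continue
        if "switchport mode access" in body and not any(
            l.startswith("switchport port-security") for l in body
        ):
            findings.append(f"{name}: access port without 'switchport port-security'")
    return findings


def sticky_macs(config: str) -> Dict[str, List[str]]:
    """Which MAC address each secured port has learned and pinned."""
    learned: Dict[str, List[str]] = {}
    for header, body in parse_stanzas(config).items():
        if header.startswith("interface "):
            macs = [m.group(1) for l in body for m in [STICKY_RE.fullmatch(l)] if m]
            if macs:
                learned[header[len("interface "):]] = macs
    return learned


if __name__ == "__main__":
    for finding in audit_switch_config(SAMPLE_RUNNING_CONFIG):
        print(finding)
    print(sticky_macs(SAMPLE_RUNNING_CONFIG))
```

On the sample it flags only FastEthernet0/1, the other PC port that has not yet been secured, and reports the sticky address pinned on FastEthernet0/2; the trunk and the shut port are left alone. Paste the output of show running-config from each switch into it after finishing the lab to confirm nothing was missed.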
