Training Cisco 200-125 CCNA v3.0. Day 9. The physical world of switches. Part 2
So, we looked at how to set up a network on a computer. As for the switch, let me remind you that it is a Layer 2 device in the OSI model, while the IP address we have to configure belongs to Layer 3. To do this, we go to the VLAN1 interface. We will look at VLANs in detail in one of the following video tutorials; for now, just remember that on a new switch out of the box all ports are configured to use VLAN1. Therefore, in order to assign the IP address 10.1.1.10 to the switch, we enter this interface.
If we want to assign the address of the default gateway, we must use the ip default-gateway 10.1.1.100 command.
This is necessary so that our switch can reach another network. If we go back to the running configuration of the switch interfaces, we will see the following lines:
This means that any device whose IP address begins with the three octets 10.1.1 will use the default gateway address 10.1.1.100 to reach another network. This is how the default gateway address is assigned.
Now let's consider how to shut down any switch port. Here I made a mistake, and let's take advantage of it. If we have a router, its interface designations begin with f0/0 or g0/0, whereas the designations of a switch always begin with f0/1 or g0/1, depending on whether FastEthernet or GigabitEthernet is used. In our case it is FastEthernet, so we use the switch designation f0/1.
As you know, Cisco invented routers, and it also decided that router interface numbering always starts with f0/0. So, if I want to disable this port, I simply type the shutdown command, and the FastEthernet 0/1 port is physically disabled. If I want to turn the port back on, I enter the no shutdown command. As you can see, in the first case we get a message that the port state is “administratively down”, and in the second case that the port state is “up”.
Now I will turn the port off again and enter the do sh ip interface br command. This is one of my favorite commands: it lets you quickly see the current status of all switch interfaces.
We see that the interface FastEthernet0/1 is administratively down. “Administratively” means that this interface has been disabled with the shutdown command. In the right column we see that the line protocol of this interface is also down; however, as soon as traffic appears on this port, it will switch to the up state.
The status of the interface FastEthernet0/4 is also shown as down, that is, it is enabled but nothing is working on it. The FastEthernet0/2 and FastEthernet0/3 interfaces are up/up, because if you look at the logical topology of our network, you can see that computers PC2 and PC3 are connected to them. In the picture these switch ports are marked with green dots, and the administratively shut down port connected to the hub is marked with a red dot.
Now I will enter the no shutdown command, and in a few seconds you will see the red dot change color, indicating that the port is turned on. With that we have covered the Shutdown and Negating Command settings. The last settings item is saving the switch configuration (Saving Configuration). To do this we enter the wr (write) command and save the settings. These settings are thereby copied to the switch's startup configuration file.
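The three interface states described above (administratively down, down with no link, and up/up) can be told apart mechanically from the show ip interface brief output. This is an added example, not the author's output or code: the sample text below is constructed to mirror the lab in the text, and the parser and state names are my own.

```python
import re

# Constructed sample of "show ip interface brief", shaped like the switch
# output discussed above (not captured from the author's Packet Tracer lab).
SAMPLE_OUTPUT = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.1.1.10       YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
FastEthernet0/2        unassigned      YES unset  up                    up
FastEthernet0/3        unassigned      YES unset  up                    up
FastEthernet0/4        unassigned      YES unset  down                  down
"""

# One data row: name, address, OK?, method, then the status/protocol pair.
# "administratively down" contains a space, so it is matched as a whole.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)\s*$"
)

def parse_ip_int_brief(text):
    """Return one dict per interface row; the header line does not match and is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def classify(row):
    """Map the status/protocol pair to the three states the text distinguishes."""
    if row["status"] == "administratively down":
        return "admin-down"   # disabled with 'shutdown'; needs 'no shutdown'
    if row["status"] == "down":
        return "no-link"      # enabled, but nothing connected or no carrier
    if row["status"] == "up" and row["proto"] == "up":
        return "up"           # link and line protocol both working
    return "other"            # e.g. up/down, which this sample does not contain

def summarize(text):
    """Interface name -> state, for every parsed row."""
    return {r["iface"]: classify(r) for r in parse_ip_int_brief(text)}

if __name__ == "__main__":
    for iface, state in summarize(SAMPLE_OUTPUT).items():
        print(f"{iface:18} {state}")
```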
Now let's go back to our network diagram, where we have one big problem. People who understand networks know the difference between a hub and a switch.
If PC2, which is connected to the switch, communicates with PC3, traffic flows only between these two devices, PC2 and PC3. If PC0 communicates with PC1 through the hub, the traffic does not flow only between these two computers, because the hub also sends a copy of this traffic to the switch.
Suppose that you are a network administrator sitting at PC1, and you are trying to connect to the switch through the hub using the remote terminal protocol Telnet. All the traffic you send to the switch can then be seen by a hacker sitting at PC0, because the hub sends a copy of this traffic to his computer.
Since you use a login and password to connect to the switch, the hacker can use the free software Wireshark, which analyzes traffic, to obtain your credentials. That is why we try not to use hubs when building modern networks; by now almost all companies have replaced hubs with switches. Another way to protect against the traffic leaking through the hub is to use a different transmission protocol, SSH or “secure shell”. This protocol is similar to Telnet and does the same job, but more securely, by encrypting the traffic.
Consider this example. When the Ministry of Defense wants to transport some secret equipment to the other end of the country, it uses a truck. This truck must pass through a gate with a guard who asks the driver for documents; in our case these are the username and password. As soon as the guard receives the correct password, she lets the truck through. This is how the Telnet protocol works; however, our truck carries its cargo in an open body, and as it travels to its destination anyone can see what is in it. We don't want anyone to know what kind of cargo we are transporting, so we need the truck to be closed, which means that anyone who sees it cannot find out what is in the back. This is what the SSH protocol does: it protects the contents of traffic from outsiders.
Telnet is good enough for trusted networks, when you contact a destination you know and use authentication to log in, send and receive messages. But it cannot protect the contents of your messages from a hacker who has penetrated your network. SSH provides a connection in which messages can be decrypted only by two parties, the sender and the recipient; only the devices for which the message is intended can do this.
Thus, if PC1 and the switch exchange messages over SSH, the hub still copies them to the other devices, but this does not help the hacker at PC0 in any way, because he cannot decrypt them. That is, he sees our truck but cannot find out what cargo is in its closed body. Let's take a look at what the SSH protocol is.
In order to use this protocol, you must perform 6 settings. The first is setting the host name, but since we have already done that for the switch, we can go straight to the second setting, the domain name. To do this, enter the ip domain-name Nwking.org command in the switch command line (you can use any other name). Then we need to take care of the Secure Key, that is, enable encryption with the crypto key command, and then use its crypto key generate rsa form to generate the encryption key.
I will talk in detail about how the SSH protocol works in the following videos, so stay with us and you will learn a lot of interesting things about Internet security. You can see that after I used this command, the message about generating RSA keys appeared, RSA being one of the most common encryption standards in networking. After I pressed Enter, a message appeared saying that the encryption key length can be chosen from 360 to 2048 bits and that generating a 512-bit key may take several minutes. Let's choose a key size of 1024 bits, which is reasonably safe.
I want to note that a 1024-bit key is many times safer than a 512-bit key, so do not be misled by the fact that the number is only twice as large. This is just the number of source bits required to generate the session key; the key itself will be many times larger than this number.
So, we have a host name, a domain name and an encryption key; now we need to enable SSH version 2, the second version of the protocol, which is not compatible with the first version of SSH. To do this, use the ip ssh version 2 command. It means that all SSH traffic will use the second version.
Next we need to create users (Create Users). This is done by entering a line like username Imran password ssh123. Now we need to allow the switch to use SSH. We know that SSH and Telnet use the vty lines, so we type the line vty 0 15 command, because we want to use all 16 lines.
To enable or disable the SSH and Telnet protocols on these lines, use the transport input command, after which the system prompts you with 4 possible options:
all - both protocols can be used; none - both protocols are disabled; ssh - use the SSH protocol over TCP/IP; telnet - use the Telnet protocol over TCP/IP.
If you enter the transport input none command, all traffic via the SSH and Telnet protocols is blocked, and all vty lines from 0 to 15 are disabled.
If I return to the PC0 command line, exit the switch settings and try to connect via Telnet, I will see that the connection is closed. The reason is that we have forbidden the use of any communication protocol on the lines. Now, if I want to use Telnet, I enter the transport input telnet command in the switch settings window.
If after this we try again to connect to the switch from the computer by typing telnet 10.1.1.10 at the command line, the connection is established, and we see the welcome banner and a prompt to enter a password for user verification.
What did we do? As a security measure, we prohibit Telnet traffic by allowing only SSH traffic. If you now enter the transport input ssh command in the switch settings and try to log in from the computer with Telnet, the system refuses access. In this case, in the PC0 command line window, you need to type ssh, which means that the user wants to establish an SSH connection.
After that, the command line shows the format of the data the user must enter: ssh -1 username target.
I have to enter the protocol version, the username and the IP address of the device I want to communicate with, so I type the following line:
ssh -1 imran 10.1.1.10
After that, the message Open appears, indicating that the interface of the target device is open, followed by a Password prompt. I enter the password ssh123, but for some reason it is not accepted. The fact is that I made a mistake, and this is good, because it lets me draw your attention to another necessary step.
Let's figure out what happened. I entered the password ssh123, which I had previously entered in the switch settings. Let's look again at the current configuration of the switch to understand what password I actually set.
We see that we have a line vty 0 configuration, and the password for this line is not ssh123 but telnet. If I enter this password at the computer's command line, I can get into the switch settings. Why is ssh123 not accepted? It's all about the login command. It means that you can only log in with the password that was set on the line, that is, you must use the word telnet mentioned above as the password. However, if we want to use a user password, then instead of the login command we must use the login local command.
Now we see that all our settings containing the login command have changed to login local, which means “use the local username and password”. And the local username and password are in the username Imran password ssh123 line. I wanted to check whether Packet Tracer supports the login local command, and it does: this command means that the local password is checked.
In the following video tutorials on Internet security, I will show that user login can be configured much more easily using special Cisco access control protocols. Even when using Cisco Identity Services Engine (ISE), which is not used on routers and switches and is designed to manage other devices, we must make sure that these devices can access the central database using a local username and password.
So, in the switch command line we used the login local command, which tells the system to use the local username and password. Now I enter the exit command at the computer's command line and try again to connect to the switch with the password ssh123. As you can see, now it works.
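The six SSH settings above and the login versus login local mistake are easy to check for in a saved configuration. As an added example, not the author's code or a Cisco tool, here is a Python audit over a constructed running-config excerpt; the config text, the domain name and username from the text, and the finding messages are all assumptions made for this illustration.

```python
import re

# Constructed running-config excerpt (not captured from the author's lab): the
# SSH steps are done, but the vty lines still say "login" rather than "login
# local" and still accept Telnet, which is the state the text troubleshoots.
WEAK_CONFIG = """\
ip domain-name Nwking.org
username Imran password ssh123
ip ssh version 2
line vty 0 15
 password telnet
 login
 transport input telnet
"""

def vty_blocks(config):
    """Map each 'line vty a b' stanza name to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return blocks

def audit_ssh(config):
    """Return sorted findings; an empty list means SSH-only vty access with local users."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("global: ip domain-name missing (needed before crypto key generate rsa)")
    if not re.search(r"^username \S+ ", config, re.M):
        findings.append("global: no local username for 'login local' to check")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("global: ip ssh version 2 not set")
    for name, lines in vty_blocks(config).items():
        transport = next((l for l in lines if l.startswith("transport input")), None)
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"{name}: expected 'transport input ssh', got {transport!r}")
        if "login local" not in lines:
            # plain 'login' checks the line password ('telnet' here), not the username
            findings.append(f"{name}: 'login local' missing")
    return sorted(findings)

# The same excerpt after 'transport input ssh' and 'login local' are applied.
HARDENED_CONFIG = (WEAK_CONFIG.replace("transport input telnet", "transport input ssh")
                   .replace("\n login\n", "\n login local\n"))
```

Running audit_ssh(WEAK_CONFIG) reports both vty findings, and audit_ssh(HARDENED_CONFIG) returns an empty list.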
Today we looked at how to use the SSH protocol in practice. I want to note that each of you, when starting work at a company, should first ask the manager whether all devices can be switched to SSH in order to protect your traffic.
I think today's material was quite useful. I advise you to take notes to better understand the issues at hand. If you do not understand something from today's video tutorial regarding the physical and logical network topology or switch settings, do not hesitate to ask questions, including in the Facebook group www.facebook.com/NetworKingConsultant, and I will definitely answer them.
Thank you for staying with us.