4.4.7 Lab – Configure Secure Administrative Access Answers
Lab – Configure Secure Administrative Access (Answers Version)
Answers Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Addressing Table
Device |
Interface |
IP Address |
Subnet Mask |
Default Gateway |
Switch Port |
R1 |
G0/0/0 |
10.1.1.1 |
255.255.255.252 |
N/A |
N/A |
R1 |
G0/0/1 |
192.168.1.1 |
255.255.255.0 |
N/A |
S1 F0/5 |
R2 |
G0/0/0 |
10.1.1.2 |
255.255.255.252 |
N/A |
N/A |
R2 |
G0/0/1 |
10.2.2.2 |
255.255.255.252 |
N/A |
N/A |
R3 |
G0/0/0 |
10.2.2.1 |
255.255.255.252 |
N/A |
N/A |
R3 |
G0/0/1 |
192.168.3.1 |
255.255.255.0 |
N/A |
S3 F0/5 |
PC-A |
NIC |
192.168.1.3 |
255.255.255.0 |
192.168.1.1 |
S1 F0/6 |
PC-C |
NIC |
192.168.3.3 |
255.255.255.0 |
192.168.3.1 |
S3 F0/18 |
Blank Line, No additional information
Objectives
Part 1: Configure Basic Device Settings
Cable the network as shown in the topology.
Configure basic IP addressing for routers and PCs.
Configure OSPF routing.
Configure PC hosts.
Verify connectivity between hosts and routers.
Part 2: Configure and Encrypt Passwords on Routers R1 and R3
Configure encrypted password for console, auxiliary port, and virtual access lines.
Encrypt clear text passwords
Configure a warning message banner
Part 3: Configure Enhanced Username Password Security on Routers R1 and R3
Create new user accounts
Log in using the user accounts
Part 4: Configure the SSH Server on Routers R1 and R3
Configure a domain name
Generate RSA encryption key
Configure and verify SSH configurations
Background / Scenario
The router is a critical component in any network. It controls the movement of data into and out of the network and between devices within the network. It is particularly important to protect network routers because the failure of a routing device could make sections of the network, or the entire network, inaccessible. Controlling access to routers and enabling reporting on routers is critical to network security and should be part of a comprehensive security policy.
In this lab, you will build a multi–router network and configure the routers and hosts. Use various CLI tools to secure local and remote access to the routers, analyze potential vulnerabilities, and take steps to mitigate them. Enable management reporting to monitor router configuration changes.
Note: The routers used with hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.6 (universalk9 image). The switches used in the labs are Cisco Catalyst 2960+ with Cisco IOS Release 15.2(7) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.
Note: Before you begin, ensure that the routers and the switches have been erased and have no startup configurations.
Required Resources
3 Routers (Cisco 4221 with Cisco XE Release 16.9.6 universal image or comparable with a Security Technology Package license)
2 Switches (Cisco 2960+ with Cisco IOS Release 15.2(7) lanbasek9 image or comparable)
2 PCs (Windows OS with a terminal emulation program, such as PuTTY or Tera Term installed)
Console cables to configure Cisco networking devices
Ethernet cables as shown in the topology
Instructions
Part 1:Configure Basic Device Settings
In this part, set up the network topology and configure basic settings, such as interface IP addresses.
Step 1:Cable the network.
Attach the devices, as shown in the topology diagram, and cable as necessary.
Step 2:Configure basic settings for each router.
Open configuration window
- Console into the router and enable privileged EXEC mode.
Router> enable
Router# configure terminal
- Configure host names as shown in the topology.
R1(config)# hostname R1
- Configure interface IP addresses as shown in the IP Addressing Table.
R1(config)# interface g0/0/0
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config)# interface g0/0/1
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
- To prevent the router from attempting to translate incorrectly entered commands as though they were host names, disable DNS lookup. R1 is shown here as an example.
R1(config)# no ip domain-lookup
Step 3:Configure OSPF routing on the routers.
- Use the router ospf command in global configuration mode to enable OSPF on R1.
R1(config)# router ospf 1
- Configure the network statements for the networks on R1. Use an area ID of 0.
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# network 10.1.1.0 0.0.0.3 area 0
- Configure OSPF on R2 and R3.
R2(config)# router ospf 1
R2(config-router)# network 10.1.1.0 0.0.0.3 area 0
R2(config-router)# network 10.2.2.0 0.0.0.3 area 0
R3(config)# router ospf 1
R3(config-router)# network 10.2.2.0 0.0.0.3 area 0
R3(config-router)# network 192.168.3.0 0.0.0.255 area 0
- Issue the passive-interface command to change the G0/0/1 interface on R1 and R3 to passive.
R1(config)# router ospf 1
R1(config-router)# passive-interface g0/0/1
R3(config)# router ospf 1
R3(config-router)# passive-interface g0/0/1
Step 4:Verify OSPF neighbors and routing information.
- Issue the show ip ospf neighbor command to verify that each router lists the other routers in the network as neighbors.
R1# show ip ospf neighbor
Neighbor IDPriStateDead TimeAddressInterface
10.2.2.21FULL/BDR00:00:3710.1.1.2GigabitEthernet0/0/0
- Issue the show ip route command to verify that all networks display in the routing table on all routers.
R1# show ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
a – application route
+ – replicated route, % – next hop override, p – overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C10.1.1.0/30 is directly connected, GigabitEthernet0/0/0
L10.1.1.1/32 is directly connected, GigabitEthernet0/0/0
O10.2.2.0/30 [110/2] via 10.1.1.2, 00:01:11, GigabitEthernet0/0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C192.168.1.0/24 is directly connected, GigabitEthernet0/0/1
L192.168.1.1/32 is directly connected, GigabitEthernet0/0/1
O192.168.3.0/24 [110/3] via 10.1.1.2, 00:01:07, GigabitEthernet0/0/0
Step 5:Configure PC host IP settings.
Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C as shown in the IP Addressing Table.
Step 6:Verify connectivity between PC-A and PC-C.
- Ping from R1 to R3.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
- Ping from PC-A, on the R1 LAN, to PC-C, on the R3 LAN.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from PC-A to PC-C you have demonstrated that OSPF routing is configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses are correct, use the show run, show ip ospf neighbor, and show ip route commands to help identify routing protocol-related problems.
Step 7:Save the basic running configuration for each router.
Save the basic running configuration for the routers as text files on your PC. These text files can be used to restore configurations later in the lab.
Close configuration window
Part 2:Configure and Encrypt Passwords on Routers R1 and R3
In this part, you will:
Configure encrypted passwords.
Configure a login warning banner.
Configure enhanced username password security.
Configure enhanced virtual login security.
Note: Perform all tasks on both R1 and R3. The procedures and output for R1 are shown here.
Step 1:Configure encrypted passwords on routers R1 and R3.
Open configuration window
- Configure the enable secret encrypted password on both routers. Use the type 9 (SCRYPT) hashing algorithm.
R1(config)# enable algorithm-type scrypt secret cisco12345
Question:
How does configuring an enable secret password help to protect a router from being compromised by an attack?
Type your answers here.
The goal is to always prevent unauthorized users from accessing a device using Telnet, SSH, or via the console. If attackers are able to penetrate this first layer of defense, using an enable secret password prevents them from being able to alter the configuration of the device. Unless the enable secret password is known, a user cannot go into privileged EXEC mode where they can display the running config and enter various configuration commands to make changes to the router. This provides an additional layer of security.
- Use the security passwords command to set a minimum password length of 10 characters.
R1(config)# security passwords min-length 10
Step 2:Configure basic console, auxiliary port, and virtual access lines.
Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.
- Configure a console password and enable login for routers. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.
Note: To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.
R1(config)# line console 0
R1(config-line)# password ciscocon
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous
Question:
When you configured the password for the console line, what message was displayed?
Type your answers here.
% Invalid Password length – must contain 10 to 25 characters. Password configuration failed.
- Configure a new password of ciscoconpass for the console.
- Configure a password for the AUX port for router R1.
R1(config)# line aux 0
R1(config-line)# password ciscoauxpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
- Telnet from R2 to R1.
R2> telnet 10.1.1.1
Questions:
Were you able to login? Explain.
Type your answers here.
No. A password would need to be set before Telnet would be allowed.
What messages were displayed?
Type your answers here.
Trying 10.1.1.1 … Open
Password required, but none set
[Connection to 10.1.1.1 closed by foreign host]
- Configure the password on the vty lines for router R1.
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# transport input telnet
R1(config-line)# login
- Telnet from R2 to R1 again.
Question:
Were you able to login this time?
Type your answers here.
Yes. The vty lines have been configured to accept Telnet and a password has been set.
- Enter privileged EXEC mode and issue the show run command.
Question:
Can you read the enable secret password? Explain.
Type your answers here.
No. The enable secret password has been encrypted with the SCRYPT hash algorithm.
Can you read the console, aux, and vty passwords? Explain.
Type your answers here.
Yes. They are all in clear text.
Step 3:Encrypt clear text passwords.
- Use the service password-encryption command to encrypt the console, aux, and vty passwords.
R1(config)# service password-encryption
- Issue the show run command.
Questions:
Can you read the console, aux, and vty passwords? Explain.
Type your answers here.
No. The passwords are now encrypted.
At what level (number) is the default enable secret password encrypted?
Type your answers here.
9
At what level (number) are the other passwords encrypted?
Type your answers here.
7
Which level of encryption is harder to crack. Explain.
Type your answers here.
9, because the algorithm is stronger than 7. Type 9 (SCRYPT) is currently the strongest algorithm.
Step 4:Configure a warning message to display prior to login.
- Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner using the banner motd command. When a user connects to one of the routers, the MOTD banner appears before the login prompt. In this example, the dollar sign ($) is used to start and end the message.
R1(config)# banner motd $Unauthorized access strictly prohibited!$
R1(config)# exit
- Issue the show run command.
Question:
What does the $ convert to in the output?
Type your answers here.
The $ is converted to ^C when the running-config is displayed.
- Telnet to R1 from R2 again. Notice the MOTD banner.
- Repeat the configuration portion of previous steps on router R3.
Close configuration window
Part 3:Configure Enhanced Username Password Security on Routers R1 and R3
Step 1:Investigate the options for the username command.
Open configuration window
In global configuration mode, enter the following command:
R1(config)# username user01 algorithm-type ?
Question:
What options are available?
Type your answers here.
md5Encode the password using the MD5 algorithm
scryptEncode the password using the SCRYPT hashing algorithm
sha256Encode the password using the PBKDF2 hashing algorithm
Step 2:Create a new user account with a secret password.
- Create a new user account with SCRYPT hashing to encrypt the password.
R1(config)# username user01 algorithm-type scrypt secret user01pass
- Exit global configuration mode and save your configuration.
- Display the running configuration.
Question:
Which hashing method is used for the password?
Type your answers here.
Type 9 (SCRYPT) hashing algorithm.
Step 3:Test the new account by logging in to the console.
- Set the console line to use the locally defined login accounts.
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# end
R1# exit
- Exit to the initial router screen which displays: R1 con0 is now available, Press RETURN to get started.
- Log in using the previously defined username user01 and the password user01pass.
Question:
What is the difference between logging in at the console now and previously?
Type your answers here.
You are prompted to enter a username as well as a password.
- After logging in, issue the show run command.
Question:
Were you able to issue the command? Explain.
Type your answers here.
No. It requires privileged EXEC level.
- Enter privileged EXEC mode using the enable command.
Question:
Were you prompted for a password? Explain.
Type your answers here.
Yes. Any new users that are created will still be required to enter the enable secret password to enter privileged EXEC mode.
Close configuration window
Part 4:Configure the SSH Server on Routers R1 and R3
In this part, use the CLI to configure the router to be managed securely using SSH instead of Telnet. Secure Shell (SSH) is a network protocol that establishes a secure terminal emulation connection to a router or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals.
Note: For a router to support SSH, it must be configured with local authentication, (AAA services, or username) or password authentication. In this task, you configure an SSH username and local authentication.
Step 1:Configure a domain name.
Open configuration window
Enter global configuration mode and set the domain name.
R1# conf t
R1(config)# ip domain-name netsec.com
Step 2:Configure a privileged user for login from the SSH client.
- Use the username command to create the user ID with the highest possible privilege level and a secret password.
R1(config)# username admin privilege 15 algorithm-type scrypt secret cisco12345
Note: Usernames are not case sensitive by default.
- Exit to the initial router login screen. Log in with the username admin and the associated password.
Question:
What was the router prompt after you entered the password?
Type your answers here.
The privileged EXEC (enable) prompt #. With a privilege level of 15, the login defaults to privileged EXEC mode.
Step 3:Configure the incoming vty lines.
Specify a privilege level of 15 so that a user with the highest privilege level (15) will default to privileged EXEC mode when accessing the vty lines. Other users will default to user EXEC mode. Use the local user accounts for mandatory login and validation and accept only SSH connections.
R1(config)# line vty 0 4
R1(config-line)# privilege level 15
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
Note: The login local command should have been configured in a previous step. It is included here to provide all commands if you are doing this for the first time.
Note: If you add the keyword telnet to the transport input command, users can log in using Telnet as well as SSH, however, the router will be less secure. If only SSH is specified, the connecting host must have an SSH client installed.
Step 4:Erase existing key pairs on the router.
R1(config)# crypto key zeroize rsa
Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in configuration.
Step 5:Generate the RSA encryption key pair for the router.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data.
- Configure the RSA keys with 1024 for the number of modulus bits. The default is 512, and the range is from 360 to 2048.
R1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.netsec.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
R1(config)#
*Dec 16 21:24:16.175: %SSH-5-ENABLED: SSH 1.99 has been enabled
- Issue the ip ssh version 2 command to force the use of SSH version 2.
R1(config)# ip ssh version 2
R1(config)# exit
Note: The details of encryption methods are covered in later module.
Step 6:Verify the SSH configuration.
- Use the show ip ssh command to see the current settings.
R1# show ip ssh
- Fill in the following information based on the output of the show ip ssh command.
SSH version enabled:
Type your answers here.
Version 2.0
Authentication timeout:
Type your answers here.
Default is 120 seconds
Authentication retries:
Type your answers here.
Default is 3 tries
Step 7:Configure SSH timeouts and authentication parameters.
- The default SSH timeouts and authentication parameters can be altered to be more restrictive using the following commands.
R1(config)# ip ssh time-out 90
R1(config)# ip ssh authentication-retries 2
- Use the show ip ssh command to see the current settings.
- Save the running-config to the startup-config.
R1# copy running-config startup-config
- Repeat the configuration portion of previous steps on router R3.
Step 8:Verify SSH connectivity to R1 from PC-A.
- From PC-A, SSH into router R1 using the terminal emulation software by selecting the SSH option and providing the IP address of R1. Confirm that you will trust the host (R1) when prompted in the security alert.
- Enter the admin username and password cisco12345 when prompted.
- At the R1 privileged EXEC prompt, enter the show users command.
R1# show users
Question:
What users are connected to router R1 at this time?
Type your answers here.
You should see at least two users, one for your console connection and another for the SSH interface.
LineUserHost(s)IdleLocation
0 con 0adminidle00:00:00
*132 vty 0adminidle00:00:33192.168.1.3
- Close the SSH session window.
- Try to open a Telnet session to your router from PC-A. Were you able to open the Telnet session? Explain.
Type your answers here.
No. The Telnet session fails because only SSH is enabled for the vty lines.
- Open a PuTTY SSH session to the router from PC-A. Enter the user01 username and password user01pass in the PuTTY window to try connecting for a user who does not have privilege level of 15.
If you were able to login, what was the prompt?
Type your answers here.
Because user01 was not created with a privilege level of 15 (the default is level 1), the prompt is user EXEC (>).
- Use the enable command to enter privilege EXEC mode and enter the enable secret password cisco12345.
Close configuration window
Reflection
- Explain the importance of securing router access and monitoring network devices.
Type your answers here.
Answers will vary but it should be clear after this lab that there are many potential vulnerabilities for routers that can be exploited. Securing these devices is a very important part of a network administrator’s job and the security policy of an organization.
- What advantages does SSH have over Telnet?
Type your answers here.
SSH encrypts all data and is much more secure than Telnet. Telnet data is transmitted in clear text, so password information can easily be compromised.
Router Interface Summary Table
Router Model |
Ethernet Interface #1 |
Ethernet Interface #2 |
Serial Interface #1 |
Serial Interface #2 |
1900 |
Gigabit Ethernet 0/0 (G0/0) |
Gigabit Ethernet 0/1 (G0/1) |
Serial 0/0/0 (S0/0/0) |
Serial 0/0/1 (S0/0/1) |
2900 |
Gigabit Ethernet 0/0 (G0/0) |
Gigabit Ethernet 0/1 (G0/1) |
Serial 0/0/0 (S0/0/0) |
Serial 0/0/1 (S0/0/1) |
4221 |
Gigabit Ethernet 0/0/0 (G0/0/0) |
Gigabit Ethernet 0/0/1 (G0/0/1) |
Serial 0/1/0 (S0/1/0) |
Serial 0/1/1 (S0/1/1) |
4300 |
Gigabit Ethernet 0/0/0 (G0/0/0) |
Gigabit Ethernet 0/0/1 (G0/0/1) |
Serial 0/1/0 (S0/1/0) |
Serial 0/1/1 (S0/1/1) |
Blank Line, No additional information
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
Device Configs
Router R1 after Part 1
R1# show run brief | exclude !
Building configuration…
Current configuration : 1498 bytes
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
login on-success log
subscriber templating
multilink bundle-name authenticated
spanning-tree extend system-id
redundancy
mode none
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.252
negotiation auto
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
router ospf 1
passive-interface GigabitEthernet0/0/1
network 10.1.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
ip forward-protocol nd
no ip http server
ip http secure-server
control-plane
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
end
Router R2 after Part 1
R2# show run brief | exclude !
Building configuration…
Current configuration : 1511 bytes
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
no ip domain lookup
login on-success log
subscriber templating
multilink bundle-name authenticated
spanning-tree extend system-id
redundancy
mode none
interface GigabitEthernet0/0/0
ip address 10.1.1.2 255.255.255.252
negotiation auto
interface GigabitEthernet0/0/1
ip address 10.2.2.2 255.255.255.252
negotiation auto
router ospf 1
network 10.1.1.0 0.0.0.3 area 0
network 10.2.2.0 0.0.0.3 area 0
ip forward-protocol nd
no ip http server
ip http secure-server
control-plane
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
end
Router R3 after Part 1
R3# show run brief | exclude !
Building configuration…
Current configuration : 1585 bytes
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
hostname R3
boot-start-marker
boot-end-marker
no aaa new-model
no ip domain lookup
login on-success log
subscriber templating
multilink bundle-name authenticated
spanning-tree extend system-id
redundancy
mode none
interface GigabitEthernet0/0/0
ip address 10.2.2.1 255.255.255.252
negotiation auto
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
negotiation auto
router ospf 1
passive-interface GigabitEthernet0/0/1
network 10.2.2.0 0.0.0.3 area 0
network 192.168.3.0 0.0.0.255 area 0
ip forward-protocol nd
no ip http server
ip http secure-server
control-plane
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
end
Router R1 after Part 2
R1# show run brief | exclude !
Building configuration…
Current configuration : 1921 bytes
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
hostname R1
boot-start-marker
boot-end-marker
security passwords min-length 10
enable secret 9 $9$KECGFvnZJ4Qfj8$cKUwHk0IWltx.wt90N5U0EJNfzrAcpC6Xb6qF/HhFLs
no aaa new-model
login on-success log
subscriber templating
multilink bundle-name authenticated
spanning-tree extend system-id
redundancy
mode none
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.252
negotiation auto
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
router ospf 1
passive-interface GigabitEthernet0/0/1
network 10.1.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
ip forward-protocol nd
no ip http server
ip http secure-server
control-plane
line con 0
exec-timeout 5 0
password 7 0822455D0A1606181C1B0D1739
logging synchronous
login
transport input none
stopbits 1
line aux 0
exec-timeout 5 0
password 7 1511021F07252A313023343100
login
stopbits 1
line vty 0 4
exec-timeout 5 0
password 7 070C285F4D060F110E020A1F17
login
transport input telnet
end
Router R3 after Part 2
R3# show run brief | exclude !
Building configuration…
Current configuration : 1895 bytes
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
hostname R3
boot-start-marker
boot-end-marker
security passwords min-length 10
enable secret 9 $9$tiUrw96y6v2DGR$GnhgIjfkK5HCBztHNm9Qn4yDFeX1hLS9scIzQ3pZoZ6
no aaa new-model
no ip domain lookup
login on-success log
subscriber templating
diagnostic bootup level minimal
spanning-tree extend system-id
redundancy
mode none
interface GigabitEthernet0/0/0
ip address 10.2.2.1 255.255.255.252
negotiation auto
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
negotiation auto
router ospf 1
passive-interface GigabitEthernet0/0/1
network 10.2.2.0 0.0.0.3 area 0
network 192.168.3.0 0.0.0.255 area 0
ip forward-protocol nd
no ip http server
ip http secure-server
control-plane
line con 0
exec-timeout 5 0
password 7 070C285F4D061A0A19020A1F17
logging synchronous
login
transport input none
stopbits 1
line aux 0
exec-timeout 5 0
password 7 094F471A1A0A1607131C053938
login
stopbits 1
line vty 0 4
exec-timeout 5 0
password 7 0822455D0A1613030B1B0D1739
login
transport input telnet
end
Router R1 after Part 3
R1# show run brief | exclude !
Building configuration…
Current configuration : 2036 bytes
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
hostname R1
boot-start-marker
boot-end-marker
security passwords min-length 10
enable secret 9 $9$KECGFvnZJ4Qfj8$cKUwHk0IWltx.wt90N5U0EJNfzrAcpC6Xb6qF/HhFLs
no aaa new-model
login on-success log
subscriber templating
multilink bundle-name authenticated
spanning-tree extend system-id
username user01 secret 9 $9$dgnWduKTwqY1I8$6j5mE3WJMPISy7B6.S4KkmBaxtRLskeXszGGa9nlvaU
redundancy
mode none
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.252
negotiation auto
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
router ospf 1
passive-interface GigabitEthernet0/0/1
network 10.1.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
ip forward-protocol nd
no ip http server
ip http secure-server
control-plane
line con 0
exec-timeout 5 0
password 7 0822455D0A1606181C1B0D1739
logging synchronous
login local
transport input none
stopbits 1
line aux 0
exec-timeout 5 0
password 7 1511021F07252A313023343100
login local
stopbits 1
line vty 0 4
exec-timeout 5 0
password 7 070C285F4D060F110E020A1F17
login local
transport input telnet
end
Router R3 after Part 3
R3# show run brief | exclude !
Building configuration…
Current configuration : 2000 bytes
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
hostname R3
boot-start-marker
boot-end-marker
security passwords min-length 10
enable secret 9 $9$tiUrw96y6v2DGR$GnhgIjfkK5HCBztHNm9Qn4yDFeX1hLS9scIzQ3pZoZ6
no aaa new-model
no ip domain lookup
login on-success log
subscriber templating
spanning-tree extend system-id
username user01 secret 9 $9$E4mfEy0R/2wJzh$kSgmrzX7YjkSUeeGuC7T8Svps144Xzjw280PQSjykdM
redundancy
mode none
interface GigabitEthernet0/0/0
ip address 10.2.2.1 255.255.255.252
negotiation auto
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
negotiation auto
router ospf 1
passive-interface GigabitEthernet0/0/1
network 10.2.2.0 0.0.0.3 area 0
network 192.168.3.0 0.0.0.255 area 0
ip forward-protocol nd
no ip http server
ip http secure-server
control-plane
line con 0
exec-timeout 5 0
password 7 070C285F4D061A0A19020A1F17
logging synchronous
login local
transport input none
stopbits 1
line aux 0
exec-timeout 5 0
password 7 094F471A1A0A1607131C053938
login local
stopbits 1
line vty 0 4
exec-timeout 5 0
password 7 0822455D0A1613030B1B0D1739
login local
transport input telnet
end
Router R1 after Part 4
R1# show run brief | exclude !
Building configuration…
Current configuration : 2218 bytes
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
hostname R1
boot-start-marker
boot-end-marker
security passwords min-length 10
enable secret 9 $9$KECGFvnZJ4Qfj8$cKUwHk0IWltx.wt90N5U0EJNfzrAcpC6Xb6qF/HhFLs
no aaa new-model
no ip domain-lookup
ip domain name netsec.com
login on-success log
subscriber templating
multilink bundle-name authenticated
spanning-tree extend system-id
username user01 secret 9 $9$dgnWduKTwqY1I8$6j5mE3WJMPISy7B6.S4KkmBaxtRLskeXszGGa9nlvaU
username admin privilege 15 secret 9 $9$4gjCCLObziYZe8$qjpi0INkv/DPb/N2cmobTemrwctCMbua0WO.UpCeBsk
redundancy
mode none
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.252
negotiation auto
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
router ospf 1
passive-interface GigabitEthernet0/0/1
network 10.1.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
ip forward-protocol nd
no ip http server
ip http secure-server
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
control-plane
line con 0
exec-timeout 5 0
password 7 0822455D0A1606181C1B0D1739
logging synchronous
login local
transport input none
stopbits 1
line aux 0
exec-timeout 5 0
password 7 1511021F07252A313023343100
login local
stopbits 1
line vty 0 4
exec-timeout 5 0
privilege level 15
password 7 070C285F4D060F110E020A1F17
login local
transport input ssh
end
Router R3 after Part 4
R3# show run brief | exclude !
Building configuration…
Current configuration : 2192 bytes
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
hostname R3
boot-start-marker
boot-end-marker
security passwords min-length 10
enable secret 9 $9$tiUrw96y6v2DGR$GnhgIjfkK5HCBztHNm9Qn4yDFeX1hLS9scIzQ3pZoZ6
no aaa new-model
no ip domain-lookup
ip domain name netsec.com
login on-success log
subscriber templating
spanning-tree extend system-id
username user01 secret 9 $9$E4mfEy0R/2wJzh$kSgmrzX7YjkSUeeGuC7T8Svps144Xzjw280PQSjykdM
username admin privilege 15 secret 9 $9$UtiVxpwb7F6HhR$2WkaYjFvhKOqd4clfnqFiQhgd/uvwspi12c1HmJvOU2
redundancy
mode none
interface GigabitEthernet0/0/0
ip address 10.2.2.1 255.255.255.252
negotiation auto
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
negotiation auto
router ospf 1
passive-interface GigabitEthernet0/0/1
network 10.2.2.0 0.0.0.3 area 0
network 192.168.3.0 0.0.0.255 area 0
ip forward-protocol nd
no ip http server
ip http secure-server
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
control-plane
line con 0
exec-timeout 5 0
password 7 070C285F4D061A0A19020A1F17
logging synchronous
login local
transport input none
stopbits 1
line aux 0
exec-timeout 5 0
password 7 094F471A1A0A1607131C053938
login local
stopbits 1
line vty 0 4
exec-timeout 5 0
privilege level 15
password 7 0822455D0A1613030B1B0D1739
login local
transport input ssh
end