I have good news (actually great news), and a little bad news for you.
Here's the bad news: The CCNA Security tutorial on this page was created for the 640-553 version, which expired on September 30, 2012.
SDM is obsolete - Cisco no longer supports it - and you won't see it on any future Cisco certification exams, including the new CCNA Security exam.
Speaking of that new exam...
Here's the good news: I have plenty of free resources ready to help you pass the new 640-554 exam, including videos and tutorials!
CCNA Security 640-554 Videos And Tutorials
I also have a free CCNA Security 640-554 Video Boot Camp preview on Udemy!
CCNA Security 640-554 Video Boot Camp Preview

Students in that course receive a 60% discount on the full course on October 29 - so it's well worth taking five minutes to sign up right now!
They'll also get the best possible price on my CCNP Security 640-554 Bulldog Boot Camp DVD!

Thanks for visiting and for making TBA part of your CCNA Security success story!
Chris Bryant
CCIE #12933
"The Computer Certification Bulldog"
chris@thebryantadvantage.com
Twitter: http://www.twitter.com/ccie12933 (@ccie12933)
Facebook: http://on.fb.me/gPq52d
Blog: http://thebryantadvantage.blogspot.com
YouTube: http://www.youtube.com/user/ccie12933
CCNA Security Certification Exam Tutorial
Part Two: Using SDM To Configure One-Step Lockdown
By Chris Bryant, CCIE #12933
In the first part of this CCNA Security Exam tutorial, we were in the process of using the Security Device Manager to put a router into lockdown - "one-step lockdown", that is!
Here's the last screen we saw in Part One:
Note that if this lockdown doesn't give us the results we're looking for, we can run the Security Audit wizard and undo the configuration.
I clicked "Yes", and after a few seconds we're presented with a list of the 31 lockdown settings that will be enforced if we click Deliver. It's a good idea to be familiar with these settings for both the CCNA Security exam and real-world networks, so here are two screenshots showing all 31 settings.


Since I have the Preview Commands option enabled in Preferences, the actual commands are shown in a separate window after clicking Deliver. We need to click Deliver again to actually send the commands to the router. I'll select Save To File and then Deliver.
The Delivery Status window shows that this lockdown takes 79 commands to enforce.

Clicking OK takes us back to the original Security Audit / One-Step Lockdown window. Let's take a look at that configuration file. Note the login banner SDM wrote.
Configuration commands for the router: 172.31.1.1
----------------------------------------------------------------------------
aaa authentication login local_authen local
aaa authorization exec local_author local
ip cef
line vty 0 4
login authentication local_authen
authorization exec local_author
no privilege level
transport input ssh
exit
line con 0
login authentication local_authen
exit
line aux 0
login authentication local_authen
exit
no service pad
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip source-route
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
scheduler allocate 20000 1000
ip tcp synwait-time 10
no cdp run
security authentication failure rate 3 log
security passwords min-length 6
ip ssh time-out 60
ip ssh authentication-retries 2
banner login ~Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
~
logging console critical
logging trap debugging
logging buffered 51200 debugging
interface Loopback0
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Serial0/0/0
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface Null0
exit
default interface Null0
interface Null0
no ip unreachables
exit
interface Serial0/1/1
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
interface FastEthernet0/1
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
exit
interface Serial0/1/0
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
! IP address / user account command
interface FastEthernet0/0
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
exit
If you run One-Step Lockdown after the router's already been locked down, you'll see a series of check marks next to each configured feature and a message at the bottom of the screen that the router is already in lockdown.
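SDM's check-mark screen is the only audit the tutorial shows. As an added example (not from the tutorial, from SDM, or from Cisco), the Python script below performs the same kind of check offline: it parses an IOS-style config, such as the file SDM saved above (SDM's flat, unindented output works too), and reports which lockdown settings are missing, globally and per interface. The sample config is constructed and deliberately incomplete, and the command lists are a subset of the 31 settings, chosen from the file above.

```python
# Constructed sample config in the style of the SDM output above, with some settings left out.
SAMPLE_CONFIG = """\
service password-encryption
line vty 0 4
transport input ssh
exit
interface FastEthernet0/0
no ip proxy-arp
no ip redirects
exit
interface Serial0/0/0
no ip redirects
no ip unreachables
exit
"""
# A subset of the lockdown's global commands, and the commands it applies under every interface.
GLOBAL_CHECKS = ["no service pad", "service password-encryption", "no ip bootp server",
                 "no ip source-route", "no cdp run", "security passwords min-length 6"]
INTERFACE_CHECKS = ["no ip proxy-arp", "no ip redirects", "no ip unreachables"]

def parse_config(text):
    # Returns (set of global commands, {section header: [commands]}); indentation is ignored.
    global_cmds, sections, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                       # blank lines and comments
        if line.startswith(("interface ", "line ")):
            current = line                 # e.g. "interface FastEthernet0/0"
            sections[current] = []
        elif line == "exit":
            current = None                 # back to global configuration mode
        elif current is None:
            global_cmds.add(line)
        else:
            sections[current].append(line)
    return global_cmds, sections

def audit(text):
    # Returns the lockdown settings missing from the config, keyed by scope.
    global_cmds, sections = parse_config(text)
    missing = {"global": [c for c in GLOBAL_CHECKS if c not in global_cmds]}
    for name, cmds in sections.items():
        checks = (INTERFACE_CHECKS if name.startswith("interface ")
                  else ["transport input ssh"] if name.startswith("line vty") else [])
        gaps = [c for c in checks if c not in cmds]
        if gaps:
            missing[name] = gaps
    return missing
```

Run it against a `show running-config` capture to see which of the checked settings a router would still receive from One-Step Lockdown; a router that is already locked down returns an empty list for every scope.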

At this point, the router's been secured!
However, you may need to go back and change one or more of these settings for your particular network's needs. We'll take a look at how to change some or all of these lockdown settings in the next installment of this CCNA Security Exam tutorial series!
I'm Paying It Forward - To You.
Get CCNA Security Certified Today - For $20.
Be sure to bookmark this page - I'll continue to post CCNA Security tutorials, videos, and practice exam question sets for you here. You'll also find free tutorials on the CCNA Voice and CCNA Wireless exam pages!
To your success,
Chris Bryant
CCIE #12933
chris@thebryantadvantage.com